-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding AuthorizedOrgsDesc to AccessContextManager (#7178)
- Loading branch information
Showing
5 changed files
with
229 additions
and
0 deletions.
There are no files selected for viewing
127 changes: 127 additions & 0 deletions
127
mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,127 @@ | ||
# Copyright 2023 Google Inc. | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
--- !ruby/object:Api::Resource | ||
name: 'AuthorizedOrgsDesc' | ||
base_url: "" | ||
create_url: "{{parent}}/authorizedOrgsDescs" | ||
self_link: "{{name}}" | ||
update_verb: :PATCH | ||
references: !ruby/object:Api::Resource::ReferenceLinks | ||
guides: | ||
'gcloud docs': 'https://cloud.google.com/beyondcorp-enterprise/docs/cross-org-authorization' | ||
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.authorizedOrgsDescs' | ||
description: | | ||
An authorized organizations description describes a list of organizations | ||
(1) that have been authorized to use certain asset (for example, device) data | ||
owned by different organizations at the enforcement points, or (2) with certain | ||
asset (for example, device) have been authorized to access the resources in | ||
another organization at the enforcement points. | ||
docs: !ruby/object:Provider::Terraform::Docs | ||
warning: | | ||
If you are using User ADCs (Application Default Credentials) with this resource, | ||
you must specify a `billing_project` and set `user_project_override` to true | ||
in the provider configuration. Otherwise the ACM API will return a 403 error. | ||
Your account must have the `serviceusage.services.use` permission on the | ||
`billing_project` you defined. | ||
autogen_async: true | ||
id_format: "{{name}}" | ||
import_format: ["{{name}}"] | ||
examples: | ||
- !ruby/object:Provider::Terraform::Examples | ||
name: "access_context_manager_authorized_orgs_desc_basic" | ||
primary_resource_id: "authorized-orgs-desc" | ||
skip_test: true | ||
# Skipping the sweeper due to the non-standard base_url | ||
skip_sweeper: true | ||
custom_code: !ruby/object:Provider::Terraform::CustomCode | ||
encoder: templates/terraform/encoders/access_level_never_send_parent.go.erb | ||
pre_update: templates/terraform/update_mask.erb | ||
post_create: templates/terraform/post_create/sleep_2_min.go.erb | ||
custom_import: templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.erb | ||
parameters: | ||
- !ruby/object:Api::Type::String | ||
name: parent | ||
input: true | ||
required: true | ||
description: | | ||
Required. Resource name for the access policy which owns this `AuthorizedOrgsDesc`. | ||
ignore_read: true | ||
- !ruby/object:Api::Type::String | ||
name: name | ||
input: true | ||
required: true | ||
description: | | ||
Resource name for the `AuthorizedOrgsDesc`. Format: | ||
`accessPolicies/{access_policy}/authorizedOrgsDescs/{authorized_orgs_desc}`. | ||
The `authorized_orgs_desc` component must begin with a letter, followed by | ||
alphanumeric characters or `_`. | ||
After you create an `AuthorizedOrgsDesc`, you cannot change its `name`. | ||
- !ruby/object:Api::Type::Array | ||
name: orgs | ||
description: | | ||
The list of organization ids in this AuthorizedOrgsDesc. | ||
Format: `organizations/<org_number>` | ||
Example: `organizations/123456` | ||
item_type: Api::Type::String | ||
- !ruby/object:Api::Type::Enum | ||
name: assetType | ||
input: true | ||
description: | | ||
The type of entities that need to use the authorization relationship during | ||
evaluation, such as a device. Valid values are "ASSET_TYPE_DEVICE" and | ||
"ASSET_TYPE_CREDENTIAL_STRENGTH". | ||
values: | ||
- :ASSET_TYPE_DEVICE | ||
- :ASSET_TYPE_CREDENTIAL_STRENGTH | ||
- !ruby/object:Api::Type::Enum | ||
name: authorizationDirection | ||
input: true | ||
description: | | ||
The direction of the authorization relationship between this organization | ||
and the organizations listed in the "orgs" field. The valid values for this | ||
field include the following: | ||
AUTHORIZATION_DIRECTION_FROM: Allows this organization to evaluate traffic | ||
in the organizations listed in the `orgs` field. | ||
AUTHORIZATION_DIRECTION_TO: Allows the organizations listed in the `orgs` | ||
field to evaluate the traffic in this organization. | ||
For the authorization relationship to take effect, all of the organizations | ||
must authorize and specify the appropriate relationship direction. For | ||
example, if organization A authorized organization B and C to evaluate its | ||
traffic, by specifying "AUTHORIZATION_DIRECTION_TO" as the authorization | ||
direction, organizations B and C must specify | ||
"AUTHORIZATION_DIRECTION_FROM" as the authorization direction in their | ||
"AuthorizedOrgsDesc" resource. | ||
values: | ||
- :AUTHORIZATION_DIRECTION_TO | ||
- :AUTHORIZATION_DIRECTION_FROM | ||
- !ruby/object:Api::Type::Enum | ||
name: authorizationType | ||
input: true | ||
description: | | ||
A granular control type for authorization levels. Valid value is "AUTHORIZATION_TYPE_TRUST". | ||
values: | ||
- :AUTHORIZATION_TYPE_TRUST | ||
properties: | ||
- !ruby/object:Api::Type::Time | ||
name: 'createTime' | ||
description: | | ||
Time the AuthorizedOrgsDesc was created in UTC. | ||
output: true | ||
- !ruby/object:Api::Type::Time | ||
name: 'updateTime' | ||
description: | | ||
Time the AuthorizedOrgsDesc was updated in UTC. | ||
output: true |
13 changes: 13 additions & 0 deletions
13
mmv1/templates/terraform/examples/access_context_manager_authorized_orgs_desc_basic.tf.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
resource "google_access_context_manager_authorized_orgs_desc" "<%= ctx[:primary_resource_id] %>" { | ||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" | ||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName" | ||
authorization_type = "AUTHORIZATION_TYPE_TRUST" | ||
asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH" | ||
authorization_direction = "AUTHORIZATION_DIRECTION_TO" | ||
orgs = ["organizations/12345", "organizations/98765"] | ||
} | ||
|
||
resource "google_access_context_manager_access_policy" "test-access" { | ||
parent = "organizations/<%= ctx[:test_env_vars]['org_id'] %>" | ||
title = "my policy" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
// This is useful if the resource in question doesn't have a perfectly consistent API | ||
// That is, the Operation for Create might return before the Get operation shows the | ||
// completed state of the resource. | ||
time.Sleep(2 * time.Minute) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
84 changes: 84 additions & 0 deletions
84
.../third_party/terraform/tests/resource_access_context_manager_authorized_orgs_desc_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
package google | ||
|
||
import ( | ||
"fmt" | ||
"strings" | ||
"testing" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" | ||
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform" | ||
) | ||
|
||
func testAccAccessContextManagerAuthorizedOrgsDesc_basicTest(t *testing.T) { | ||
context := map[string]interface{}{ | ||
"org_id": GetTestOrgFromEnv(t), | ||
} | ||
|
||
VcrTest(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: TestAccProviders, | ||
CheckDestroy: testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t), | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context), | ||
}, | ||
{ | ||
ResourceName: "google_access_context_manager_authorized_orgs_desc.authorized-orgs-desc", | ||
ImportState: true, | ||
ImportStateVerify: true, | ||
ImportStateVerifyIgnore: []string{"parent"}, | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context map[string]interface{}) string { | ||
return Nprintf(` | ||
resource "google_access_context_manager_authorized_orgs_desc" "authorized-orgs-desc" { | ||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" | ||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName" | ||
authorization_type = "AUTHORIZATION_TYPE_TRUST" | ||
asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH" | ||
authorization_direction = "AUTHORIZATION_DIRECTION_TO" | ||
orgs = ["organizations/12345", "organizations/98765"] | ||
} | ||
resource "google_access_context_manager_access_policy" "test-access" { | ||
parent = "organizations/%{org_id}" | ||
title = "my policy" | ||
} | ||
`, context) | ||
} | ||
|
||
func testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t *testing.T) func(s *terraform.State) error { | ||
return func(s *terraform.State) error { | ||
for name, rs := range s.RootModule().Resources { | ||
if rs.Type != "google_access_context_manager_authorized_orgs_desc" { | ||
continue | ||
} | ||
if strings.HasPrefix(name, "data.") { | ||
continue | ||
} | ||
|
||
config := GoogleProviderConfig(t) | ||
|
||
url, err := replaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{name}}") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
billingProject := "" | ||
|
||
if config.BillingProject != "" { | ||
billingProject = config.BillingProject | ||
} | ||
|
||
_, err = SendRequest(config, "GET", billingProject, url, config.UserAgent, nil) | ||
if err == nil { | ||
return fmt.Errorf("AccessContextManagerAuthorizedOrgsDesc still exists at %s", url) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
} |