Add support for IAM policies on Security Command Center sources (#6493)

* Add support for IAM policies on SCC sources * Add tests * rm beta
GoogleCloudPlatform · Oct 19, 2022 · d2f1cd3 · d2f1cd3
1 parent a07f43d
commit d2f1cd3
Show file tree

Hide file tree

Showing 2 changed files with 226 additions and 1 deletion.
diff --git a/mmv1/products/securitycenter/api.yaml b/mmv1/products/securitycenter/api.yaml
@@ -36,7 +36,13 @@ objects:
       guides:
         'Official Documentation':
           'https://cloud.google.com/security-command-center/docs'
-      api: 'https://cloud.google.com/security-command-center/docs/reference/rest/v1beta1/organizations.sources'
+      api: 'https://cloud.google.com/security-command-center/docs/reference/rest/v1/organizations.sources'
+    iam_policy: !ruby/object:Api::Resource::IamPolicy
+      method_name_separator: ':'
+      fetch_iam_policy_verb: :POST
+      parent_resource_attribute: 'source'
+      base_url: organizations/{{organization}}/sources/{{source}}
+      import_format: ["organizations/{{organization}}/sources/{{source}}", "{{source}}"]
     parameters:
       - !ruby/object:Api::Type::String
         name: organization

diff --git a/mmv1/third_party/terraform/tests/iam_scc_source_test.go b/mmv1/third_party/terraform/tests/iam_scc_source_test.go
@@ -0,0 +1,219 @@
+package google
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccSecurityCenterSourceIamBinding(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": randString(t, 10),
+		"role":          "roles/securitycenter.sourcesViewer",
+		"org_id":        getTestOrgFromEnv(t),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSecurityCenterSourceIamBinding_basic(context),
+			},
+			{
+				ResourceName: "google_scc_source_iam_binding.foo",
+				ImportStateIdFunc: func(state *terraform.State) (string, error) {
+					// This has to be a function because sources only use numeric IDs
+					id := state.RootModule().Resources["google_scc_source.custom_source"].Primary.Attributes["id"]
+					return fmt.Sprintf("%s %s",
+						id,
+						context["role"],
+					), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// Test Iam Binding update
+				Config: testAccSecurityCenterSourceIamBinding_update(context),
+			},
+			{
+				ResourceName: "google_scc_source_iam_binding.foo",
+				ImportStateIdFunc: func(state *terraform.State) (string, error) {
+					// This has to be a function because sources only use numeric IDs
+					id := state.RootModule().Resources["google_scc_source.custom_source"].Primary.Attributes["id"]
+					return fmt.Sprintf("%s %s",
+						id,
+						context["role"],
+					), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccSecurityCenterSourceIamMember(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": randString(t, 10),
+		"role":          "roles/securitycenter.sourcesViewer",
+		"org_id":        getTestOrgFromEnv(t),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				// Test Iam Member creation (no update for member, no need to test)
+				Config: testAccSecurityCenterSourceIamMember_basic(context),
+			},
+			{
+				ResourceName: "google_scc_source_iam_member.foo",
+				ImportStateIdFunc: func(state *terraform.State) (string, error) {
+					// This has to be a function because sources only use numeric IDs
+					id := state.RootModule().Resources["google_scc_source.custom_source"].Primary.Attributes["id"]
+					return fmt.Sprintf("%s %s user:admin@hashicorptest.com",
+						id,
+						context["role"],
+					), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccSecurityCenterSourceIamPolicy(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": randString(t, 10),
+		"role":          "roles/securitycenter.sourcesViewer",
+		"org_id":        getTestOrgFromEnv(t),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSecurityCenterSourceIamPolicy_basic(context),
+			},
+			{
+				ResourceName:      "google_scc_source_iam_policy.foo",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccSecurityCenterSourceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_scc_source_iam_policy.foo",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccSecurityCenterSourceIamMember_basic(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_scc_source" "custom_source" {
+  display_name = "tf-test-source%{random_suffix}"
+  organization = "%{org_id}"
+  description  = "My custom Cloud Security Command Center Finding Source"
+}
+
+resource "google_scc_source_iam_member" "foo" {
+  source       = google_scc_source.custom_source.id
+  organization = "%{org_id}"
+  role         = "%{role}"
+  member       = "user:admin@hashicorptest.com"
+}
+`, context)
+}
+
+func testAccSecurityCenterSourceIamPolicy_basic(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_scc_source" "custom_source" {
+  display_name = "tf-test-source%{random_suffix}"
+  organization = "%{org_id}"
+  description  = "My custom Cloud Security Command Center Finding Source"
+}
+
+data "google_iam_policy" "foo" {
+  binding {
+    role    = "%{role}"
+    members = ["user:admin@hashicorptest.com"]
+  }
+}
+
+resource "google_scc_source_iam_policy" "foo" {
+  source       = google_scc_source.custom_source.id
+  organization = "%{org_id}"
+  policy_data  = data.google_iam_policy.foo.policy_data
+}
+`, context)
+}
+
+func testAccSecurityCenterSourceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_scc_source" "custom_source" {
+  display_name = "tf-test-source%{random_suffix}"
+  organization = "%{org_id}"
+  description  = "My custom Cloud Security Command Center Finding Source"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_scc_source_iam_policy" "foo" {
+  source       = google_scc_source.custom_source.id
+  organization = "%{org_id}"
+  policy_data  = data.google_iam_policy.foo.policy_data
+}
+`, context)
+}
+
+func testAccSecurityCenterSourceIamBinding_basic(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_scc_source" "custom_source" {
+  display_name = "tf-test-source%{random_suffix}"
+  organization = "%{org_id}"
+  description  = "My custom Cloud Security Command Center Finding Source"
+}
+
+resource "google_scc_source_iam_binding" "foo" {
+  source       = google_scc_source.custom_source.id
+  organization = "%{org_id}"
+  role         = "%{role}"
+  members      = ["user:admin@hashicorptest.com"]
+}
+`, context)
+}
+
+func testAccSecurityCenterSourceIamBinding_update(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_scc_source" "custom_source" {
+  display_name = "tf-test-source%{random_suffix}"
+  organization = "%{org_id}"
+  description  = "My custom Cloud Security Command Center Finding Source"
+}
+
+resource "google_scc_source_iam_binding" "foo" {
+  source       = google_scc_source.custom_source.id
+  organization = "%{org_id}"
+  role         = "%{role}"
+  members      = ["user:admin@hashicorptest.com", "user:gterraformtest1@gmail.com"]
+}
+`, context)
+}