storage bucket iam generation

api/resource/iam_policy.rb

@@ -39,10 +39,28 @@ class IamPolicy < Api::Object
       # others expect POST requests
       attr_reader :fetch_iam_policy_verb
 
+      # Last part of URL for fetching IAM policy.
+      attr_reader :fetch_iam_policy_method
+
+      # Some resources allow setting the IAM policy with POST requests,
+      # others expect PUT requests
+      attr_reader :set_iam_policy_verb
+
+      # Last part of URL for setting IAM policy.
+      attr_reader :set_iam_policy_method
+
+      # Whether the policy JSON is contained inside of a 'policy' object.
+      attr_reader :wrapped_policy_obj
+
       # Certain resources allow different sets of roles to be set with IAM policies
       # This is a role that is acceptable for the given IAM policy resource for use in tests
       attr_reader :allowed_iam_role
 
+      # This is a role that grants create/read/delete for the parent resource for use in tests.
+      # If set, the test runner will receive a binding to this role in _policy tests in order to
+      # avoid getting locked out of the resource.
+      attr_reader :admin_iam_role
+
       # Certain resources need an attribute other than "id" from their parent resource
       # Especially when a parent is not the same type as the IAM resource
       attr_reader :parent_resource_attribute
@@ -79,7 +97,12 @@ def validate
         check :method_name_separator, type: String, default: '/'
         check :parent_resource_type, type: String
         check :fetch_iam_policy_verb, type: Symbol, default: :GET, allowed: %i[GET POST]
+        check :fetch_iam_policy_method, type: String, default: 'getIamPolicy'
+        check :set_iam_policy_verb, type: Symbol, default: :POST, allowed: %i[POST PUT]
+        check :set_iam_policy_method, type: String, default: 'setIamPolicy'
+        check :wrapped_policy_obj, type: :boolean, default: true
         check :allowed_iam_role, type: String, default: 'roles/viewer'
+        check :admin_iam_role, type: String
         check :parent_resource_attribute, type: String, default: 'id'
         check :test_project_name, type: String
         check :iam_conditions_request_type, type: Symbol, allowed: %i[REQUEST_BODY QUERY_PARAM]

products/storage/terraform.yaml

@@ -14,7 +14,26 @@
 --- !ruby/object:Provider::Terraform::Config
 overrides: !ruby/object:Overrides::ResourceOverrides
   Bucket: !ruby/object:Overrides::Terraform::ResourceOverride
-    exclude: true
+    exclude_resource: true
+    import_format: ["{{name}}"]
+    iam_policy: !ruby/object:Api::Resource::IamPolicy
+      allowed_iam_role: 'roles/storage.objectViewer'
+      admin_iam_role: 'roles/storage.admin'
+      parent_resource_attribute: 'bucket'
+      base_url: 'b/{{name}}'
+      import_format: ['b/{{name}}', '{{name}}']
+      iam_conditions_request_type: :QUERY_PARAM
+      fetch_iam_policy_method: 'iam'
+      set_iam_policy_method: 'iam'
+      set_iam_policy_verb: :PUT
+      wrapped_policy_obj: false
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "storage_bucket_basic"
+        primary_resource_id: "default"
+        vars:
+          name: "my-bucket"
+        primary_resource_name: "fmt.Sprintf(\"my-bucket%s\", context[\"random_suffix\"])"
   BucketAccessControl: !ruby/object:Overrides::Terraform::ResourceOverride
     examples:
     - !ruby/object:Provider::Terraform::Examples

templates/terraform/examples/base_configs/iam_test_file.go.erb

@@ -108,6 +108,9 @@ func TestAcc<%= resource_name -%>IamPolicyGenerated(t *testing.T) {
 	t.Parallel()
 
 <%= lines(compile('templates/terraform/iam/iam_context.go.erb')) -%>
+<% unless object.iam_policy.admin_iam_role.nil? -%>
+	context["service_account"] = getTestServiceAccountFromEnv(t)
+<% end -%>
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
@@ -231,6 +234,9 @@ func TestAcc<%= resource_name -%>IamPolicyGenerated_withCondition(t *testing.T)
 	t.Parallel()
 
 <%= lines(compile('templates/terraform/iam/iam_context.go.erb')) -%>
+<% unless object.iam_policy.admin_iam_role.nil? -%>
+	context["service_account"] = getTestServiceAccountFromEnv(t)
+<% end -%>
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
@@ -271,6 +277,12 @@ data "google_iam_policy" "foo" {
     role = "%{role}"
     members = ["user:admin@hashicorptest.com"]
   }
+<% unless object.iam_policy.admin_iam_role.nil? -%>
+  binding {
+    role = "%{admin_role}"
+    members = ["serviceAccount:%{service_account}"]
+  }
+<% end -%>
 }
 
 resource "<%= resource_ns_iam -%>_policy" "foo" {
@@ -399,6 +411,12 @@ data "google_iam_policy" "foo" {
       expression  = "%{condition_expr}"
     }
   }
+<% unless object.iam_policy.admin_iam_role.nil? -%>
+  binding {
+    role = "%{admin_role}"
+    members = ["serviceAccount:%{service_account}"]
+  }
+<% end -%>
 }
 
 resource "<%= resource_ns_iam -%>_policy" "foo" {

templates/terraform/examples/storage_bucket_basic.tf.erb

@@ -0,0 +1,4 @@
+resource "google_storage_bucket" "<%= ctx[:primary_resource_id] %>" {
+  name               = "<%= ctx[:vars]['name'] %>"
+  bucket_policy_only = true
+}

templates/terraform/iam/iam_context.go.erb

@@ -1,6 +1,9 @@
 context := map[string]interface{}{
 	"random_suffix": acctest.RandString(10),
 	"role":          "<%= object.iam_policy.allowed_iam_role -%>",
+<% unless object.iam_policy.admin_iam_role.nil? -%>
+	"admin_role": "<%= object.iam_policy.admin_iam_role-%>",
+<% end -%>
 <% unless object.iam_policy.test_project_name.nil? -%>
 	"project_id" : fmt.Sprintf("<%= object.iam_policy.test_project_name -%>%s", acctest.RandString(10)),
 <% end -%>

templates/terraform/iam_policy.go.erb

@@ -166,7 +166,7 @@ func <%= resource_name -%>IdParseFunc(d *schema.ResourceData, config *Config) er
 }
 
 func (u *<%= resource_name -%>IamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
-	url, err := u.qualify<%= object.name -%>Url("getIamPolicy")
+	url, err := u.qualify<%= object.name -%>Url("<%= object.iam_policy.fetch_iam_policy_method -%>")
 	if err != nil {
 		return nil, err
 	}
@@ -213,22 +213,25 @@ func (u *<%= resource_name -%>IamUpdater) SetResourceIamPolicy(policy *cloudreso
 		return err
 	}
 
+<% if object.iam_policy.wrapped_policy_obj -%>
 	obj := make(map[string]interface{})
 	obj["policy"] = json
+<% else -%>
+	obj := json
+<% end -%>
 
-	url, err := u.qualify<%= object.name -%>Url("setIamPolicy")
+	url, err := u.qualify<%= object.name -%>Url("<%= object.iam_policy.set_iam_policy_method -%>")
 	if err != nil {
 		return err
 	}
-
 <% if resource_params.include?('project') -%>
 	project, err := getProject(u.d, u.Config)
 	if err != nil {
 		return err
 	}
 <% end -%>
 
-	_, err = sendRequestWithTimeout(u.Config, "POST", <% if resource_params.include?('project')  %>project<% else %>""<% end %>, url, obj, u.d.Timeout(schema.TimeoutCreate))
+	_, err = sendRequestWithTimeout(u.Config, "<%= object.iam_policy.set_iam_policy_verb.to_s.upcase -%>", <% if resource_params.include?('project')  %>project<% else %>""<% end %>, url, obj, u.d.Timeout(schema.TimeoutCreate))
 	if err != nil {
 		return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err)
 	}

templates/terraform/resource_iam.html.markdown.erb

@@ -86,7 +86,7 @@ end
 ```hcl
 data "google_iam_policy" "admin" {
   binding {
-    role = "<%= object.iam_policy.allowed_iam_role -%>"
+    role = "<%= object.iam_policy.admin_iam_role || object.iam_policy.allowed_iam_role -%>"
     members = [
       "user:jane@example.com",
     ]
@@ -105,7 +105,7 @@ With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_
 ```hcl
 data "google_iam_policy" "admin" {
   binding {
-    role = "<%= object.iam_policy.allowed_iam_role -%>"
+    role = "<%= object.iam_policy.admin_iam_role || object.iam_policy.allowed_iam_role -%>"
     members = [
       "user:jane@example.com",
     ]
@@ -129,7 +129,7 @@ resource "<%= resource_ns_iam -%>_policy" "editor" {
 ```hcl
 resource "<%= resource_ns_iam -%>_binding" "editor" {
 <%= lines(compile(object.iam_policy.example_config_body)) -%>
-  role = "<%= object.iam_policy.allowed_iam_role -%>"
+  role = "<%= object.iam_policy.admin_iam_role || object.iam_policy.allowed_iam_role -%>"
   members = [
     "user:jane@example.com",
   ]
@@ -142,7 +142,7 @@ With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_
 ```hcl
 resource "<%= resource_ns_iam -%>_binding" "editor" {
 <%= lines(compile(object.iam_policy.example_config_body)) -%>
-  role = "<%= object.iam_policy.allowed_iam_role -%>"
+  role = "<%= object.iam_policy.admin_iam_role || object.iam_policy.allowed_iam_role -%>"
   members = [
     "user:jane@example.com",
   ]
@@ -160,7 +160,7 @@ resource "<%= resource_ns_iam -%>_binding" "editor" {
 ```hcl
 resource "<%= resource_ns_iam -%>_member" "editor" {
 <%= lines(compile(object.iam_policy.example_config_body)) -%>
-  role = "<%= object.iam_policy.allowed_iam_role -%>"
+  role = "<%= object.iam_policy.admin_iam_role || object.iam_policy.allowed_iam_role -%>"
   member = "user:jane@example.com"
 }
 ```
@@ -171,7 +171,7 @@ With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_
 ```hcl
 resource "<%= resource_ns_iam -%>_member" "editor" {
 <%= lines(compile(object.iam_policy.example_config_body)) -%>
-  role = "<%= object.iam_policy.allowed_iam_role -%>"
+  role = "<%= object.iam_policy.admin_iam_role || object.iam_policy.allowed_iam_role -%>"
   member = "user:jane@example.com"
 
   condition {

third_party/terraform/resources/resource_iam_policy.go.erb

@@ -116,7 +116,11 @@ func ResourceIamPolicyDelete(newUpdaterFunc newResourceIamUpdaterFunc) schema.De
 		}
 
 		// Set an empty policy to delete the attached policy.
-		err = updater.SetResourceIamPolicy(&cloudresourcemanager.Policy{})
+		pol := &cloudresourcemanager.Policy{}
+		if v, ok := d.GetOk("etag"); ok {
+			pol.Etag = v.(string)
+		}
+		err = updater.SetResourceIamPolicy(pol)
 		if err != nil {
 			return err
 		}