Upstream: Add google_project_service_identity resource

third_party/terraform/resources/resource_project_service_identity.go.erb

@@ -0,0 +1,93 @@
+<% autogen_exception -%>
+package google
+
+<% unless version == 'ga' -%>
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceProjectServiceIdentity() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceProjectServiceIdentityCreate,
+		Read:   resourceProjectServiceIdentityRead,
+		Delete: resourceProjectServiceIdentityDelete,
+
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(20 * time.Minute),
+			Read:   schema.DefaultTimeout(10 * time.Minute),
+			Delete: schema.DefaultTimeout(20 * time.Minute),
+		},
+
+		Schema: map[string]*schema.Schema{
+			"service": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"project": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceProjectServiceIdentityCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+
+	url, err := replaceVars(d, config, "{{ServiceUsageBasePath}}projects/{{project}}/services/{{service}}:generateServiceIdentity")
+	if err != nil {
+		return err
+	}
+
+	project, err := getProject(d, config)
+	if err != nil {
+		return err
+	}
+
+	billingProject := project
+
+	// err == nil indicates that the billing_project value was found
+	if bp, err := getBillingProject(d, config); err == nil {
+		billingProject = bp
+	}
+
+	res, err := sendRequestWithTimeout(config, "POST", billingProject, url, nil, d.Timeout(schema.TimeoutCreate))
+	if err != nil {
+		return fmt.Errorf("Error creating Service Identity: %s", err)
+	}
+
+	err = serviceUsageOperationWaitTime(
+		config, res, project, "Creating Service Identity",
+		d.Timeout(schema.TimeoutCreate))
+
+	if err != nil {
+		return err
+	}
+
+	id, err := replaceVars(d, config, "projects/{{project}}/services/{{service}}")
+	if err != nil {
+		return fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+
+	log.Printf("[DEBUG] Finished creating Service Identity %q: %#v", d.Id(), res)
+	return nil
+}
+
+// There is no read endpoint for this API.
+func resourceProjectServiceIdentityRead(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
+
+// There is no delete endpoint for this API.
+func resourceProjectServiceIdentityDelete(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
+<% end -%>

third_party/terraform/tests/resource_project_service_identity_test.go.erb

@@ -0,0 +1,40 @@
+<% autogen_exception -%>
+package google
+
+<% unless version == 'ga' -%>
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func TestAccProjectServiceIdentity_basic(t *testing.T) {
+	t.Parallel()
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleProjectServiceIdentity_basic(),
+			},
+		},
+	})
+}
+
+func testGoogleProjectServiceIdentity_basic() string {
+	return `
+data "google_project" "project" {}
+
+resource "google_project_service_identity" "hc_sa" {
+	project = data.google_project.project.project_id
+	service = "healthcare.googleapis.com"
+}
+
+resource "google_project_iam_member" "hc_sa_bq_jobuser" {
+	project = google_project_service_identity.hc_sa.project
+	role    = "roles/bigquery.jobUser"
+	member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+}`
+}
+<% end -%>

third_party/terraform/utils/provider.go.erb

@@ -385,6 +385,9 @@ end     # products.each do
 				"google_kms_crypto_key_iam_member":             ResourceIamMember(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater, CryptoIdParseFunc),
 				"google_kms_crypto_key_iam_policy":             ResourceIamPolicy(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater, CryptoIdParseFunc),
 				"google_monitoring_dashboard":                  resourceMonitoringDashboard(),
+				<% unless version == 'ga' -%>
+				"google_project_service_identity":              resourceProjectServiceIdentity(),
+				<% end -%>
 				"google_service_networking_connection":         resourceServiceNetworkingConnection(),
 				"google_spanner_instance_iam_binding":          ResourceIamBinding(IamSpannerInstanceSchema, NewSpannerInstanceIamUpdater, SpannerInstanceIdParseFunc),
 				"google_spanner_instance_iam_member":           ResourceIamMember(IamSpannerInstanceSchema, NewSpannerInstanceIamUpdater, SpannerInstanceIdParseFunc),

third_party/terraform/website/docs/r/project_service_identity.html.markdown

@@ -0,0 +1,69 @@
+---
+subcategory: "Cloud Platform"
+layout: "google"
+page_title: "Google: google_project_service_identity"
+sidebar_current: "docs-google-project-service-identity"
+description: |-
+ Generate service identity for a service.
+---
+
+# google\_project\_service\_identity
+
+~> **Warning:** These resources are in beta, and should be used with the terraform-provider-google-beta provider.
+See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
+
+Generate service identity for a service.
+
+~> **Note**: Once created, this resource cannot be updated or destroyed. These
+actions are a no-op.
+
+To get more information about Service Identity, see:
+
+* [API documentation](https://cloud.google.com/service-usage/docs/reference/rest/v1beta1/services/generateServiceIdentity)
+
+## Example Usage - Service Identity Basic
+
+
+```hcl
+data "google_project" "project" {}
+
+resource "google_project_service_identity" "hc_sa" {
+  provider = google-beta
+
+  project = data.google_project.project.project_id
+  service = "healthcare.googleapis.com"
+}
+
+resource "google_project_iam_member" "hc_sa_bq_jobuser" {
+    project = google_project_service_identity.hc_sa.project
+    role    = "roles/bigquery.jobUser"
+    member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `service` -
+  (Required)
+  The service to generate identity for.
+
+
+- - -
+
+* `project` - (Optional) The ID of the project in which the resource belongs.
+    If it is not provided, the provider project is used.
+
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
+
+- `create` - Default is 20 minutes.
+
+## User Project Overrides
+
+This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).