diff --git a/mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml b/mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml new file mode 100644 index 000000000000..6144e231bb9c --- /dev/null +++ b/mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml @@ -0,0 +1,127 @@ +# Copyright 2023 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- !ruby/object:Api::Resource + name: 'AuthorizedOrgsDesc' + base_url: "" + create_url: "{{parent}}/authorizedOrgsDescs" + self_link: "{{name}}" + update_verb: :PATCH + references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'gcloud docs': 'https://cloud.google.com/beyondcorp-enterprise/docs/cross-org-authorization' + api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.authorizedOrgsDescs' + description: | + An authorized organizations description describes a list of organizations + (1) that have been authorized to use certain asset (for example, device) data + owned by different organizations at the enforcement points, or (2) with certain + asset (for example, device) have been authorized to access the resources in + another organization at the enforcement points. + docs: !ruby/object:Provider::Terraform::Docs + warning: | + If you are using User ADCs (Application Default Credentials) with this resource, + you must specify a `billing_project` and set `user_project_override` to true + in the provider configuration. Otherwise the ACM API will return a 403 error. + Your account must have the `serviceusage.services.use` permission on the + `billing_project` you defined. + autogen_async: true + id_format: "{{name}}" + import_format: ["{{name}}"] + examples: + - !ruby/object:Provider::Terraform::Examples + name: "access_context_manager_authorized_orgs_desc_basic" + primary_resource_id: "authorized-orgs-desc" + skip_test: true + # Skipping the sweeper due to the non-standard base_url + skip_sweeper: true + custom_code: !ruby/object:Provider::Terraform::CustomCode + encoder: templates/terraform/encoders/access_level_never_send_parent.go.erb + pre_update: templates/terraform/update_mask.erb + post_create: templates/terraform/post_create/sleep_2_min.go.erb + custom_import: templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.erb + parameters: + - !ruby/object:Api::Type::String + name: parent + input: true + required: true + description: | + Required. Resource name for the access policy which owns this `AuthorizedOrgsDesc`. + ignore_read: true + - !ruby/object:Api::Type::String + name: name + input: true + required: true + description: | + Resource name for the `AuthorizedOrgsDesc`. Format: + `accessPolicies/{access_policy}/authorizedOrgsDescs/{authorized_orgs_desc}`. + The `authorized_orgs_desc` component must begin with a letter, followed by + alphanumeric characters or `_`. + After you create an `AuthorizedOrgsDesc`, you cannot change its `name`. + - !ruby/object:Api::Type::Array + name: orgs + description: | + The list of organization ids in this AuthorizedOrgsDesc. + Format: `organizations/` + Example: `organizations/123456` + item_type: Api::Type::String + - !ruby/object:Api::Type::Enum + name: assetType + input: true + description: | + The type of entities that need to use the authorization relationship during + evaluation, such as a device. Valid values are "ASSET_TYPE_DEVICE" and + "ASSET_TYPE_CREDENTIAL_STRENGTH". + values: + - :ASSET_TYPE_DEVICE + - :ASSET_TYPE_CREDENTIAL_STRENGTH + - !ruby/object:Api::Type::Enum + name: authorizationDirection + input: true + description: | + The direction of the authorization relationship between this organization + and the organizations listed in the "orgs" field. The valid values for this + field include the following: + + AUTHORIZATION_DIRECTION_FROM: Allows this organization to evaluate traffic + in the organizations listed in the `orgs` field. + + AUTHORIZATION_DIRECTION_TO: Allows the organizations listed in the `orgs` + field to evaluate the traffic in this organization. + + For the authorization relationship to take effect, all of the organizations + must authorize and specify the appropriate relationship direction. For + example, if organization A authorized organization B and C to evaluate its + traffic, by specifying "AUTHORIZATION_DIRECTION_TO" as the authorization + direction, organizations B and C must specify + "AUTHORIZATION_DIRECTION_FROM" as the authorization direction in their + "AuthorizedOrgsDesc" resource. + values: + - :AUTHORIZATION_DIRECTION_TO + - :AUTHORIZATION_DIRECTION_FROM + - !ruby/object:Api::Type::Enum + name: authorizationType + input: true + description: | + A granular control type for authorization levels. Valid value is "AUTHORIZATION_TYPE_TRUST". + values: + - :AUTHORIZATION_TYPE_TRUST + properties: + - !ruby/object:Api::Type::Time + name: 'createTime' + description: | + Time the AuthorizedOrgsDesc was created in UTC. + output: true + - !ruby/object:Api::Type::Time + name: 'updateTime' + description: | + Time the AuthorizedOrgsDesc was updated in UTC. + output: true diff --git a/mmv1/templates/terraform/examples/access_context_manager_authorized_orgs_desc_basic.tf.erb b/mmv1/templates/terraform/examples/access_context_manager_authorized_orgs_desc_basic.tf.erb new file mode 100644 index 000000000000..4158f7b60b00 --- /dev/null +++ b/mmv1/templates/terraform/examples/access_context_manager_authorized_orgs_desc_basic.tf.erb @@ -0,0 +1,13 @@ +resource "google_access_context_manager_authorized_orgs_desc" "<%= ctx[:primary_resource_id] %>" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName" + authorization_type = "AUTHORIZATION_TYPE_TRUST" + asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH" + authorization_direction = "AUTHORIZATION_DIRECTION_TO" + orgs = ["organizations/12345", "organizations/98765"] +} + +resource "google_access_context_manager_access_policy" "test-access" { + parent = "organizations/<%= ctx[:test_env_vars]['org_id'] %>" + title = "my policy" +} diff --git a/mmv1/templates/terraform/post_create/sleep_2_min.go.erb b/mmv1/templates/terraform/post_create/sleep_2_min.go.erb new file mode 100644 index 000000000000..df48ca805713 --- /dev/null +++ b/mmv1/templates/terraform/post_create/sleep_2_min.go.erb @@ -0,0 +1,4 @@ +// This is useful if the resource in question doesn't have a perfectly consistent API +// That is, the Operation for Create might return before the Get operation shows the +// completed state of the resource. +time.Sleep(2 * time.Minute) diff --git a/mmv1/third_party/terraform/tests/resource_access_context_manager_access_policy_test.go.erb b/mmv1/third_party/terraform/tests/resource_access_context_manager_access_policy_test.go.erb index c385eea8982d..37426deb9869 100644 --- a/mmv1/third_party/terraform/tests/resource_access_context_manager_access_policy_test.go.erb +++ b/mmv1/third_party/terraform/tests/resource_access_context_manager_access_policy_test.go.erb @@ -91,6 +91,7 @@ func TestAccAccessContextManager(t *testing.T) { "access_level_condition": testAccAccessContextManagerAccessLevelCondition_basicTest, "service_perimeters": testAccAccessContextManagerServicePerimeters_basicTest, "gcp_user_access_binding": testAccAccessContextManagerGcpUserAccessBinding_basicTest, + "authorized_orgs_desc": testAccAccessContextManagerAuthorizedOrgsDesc_basicTest, } for name, tc := range testCases { diff --git a/mmv1/third_party/terraform/tests/resource_access_context_manager_authorized_orgs_desc_test.go b/mmv1/third_party/terraform/tests/resource_access_context_manager_authorized_orgs_desc_test.go new file mode 100644 index 000000000000..38fbaff5699e --- /dev/null +++ b/mmv1/third_party/terraform/tests/resource_access_context_manager_authorized_orgs_desc_test.go @@ -0,0 +1,84 @@ +package google + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func testAccAccessContextManagerAuthorizedOrgsDesc_basicTest(t *testing.T) { + context := map[string]interface{}{ + "org_id": GetTestOrgFromEnv(t), + } + + VcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: TestAccProviders, + CheckDestroy: testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context), + }, + { + ResourceName: "google_access_context_manager_authorized_orgs_desc.authorized-orgs-desc", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"parent"}, + }, + }, + }) +} + +func testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_access_context_manager_authorized_orgs_desc" "authorized-orgs-desc" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName" + authorization_type = "AUTHORIZATION_TYPE_TRUST" + asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH" + authorization_direction = "AUTHORIZATION_DIRECTION_TO" + orgs = ["organizations/12345", "organizations/98765"] +} + +resource "google_access_context_manager_access_policy" "test-access" { + parent = "organizations/%{org_id}" + title = "my policy" +} +`, context) +} + +func testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t *testing.T) func(s *terraform.State) error { + return func(s *terraform.State) error { + for name, rs := range s.RootModule().Resources { + if rs.Type != "google_access_context_manager_authorized_orgs_desc" { + continue + } + if strings.HasPrefix(name, "data.") { + continue + } + + config := GoogleProviderConfig(t) + + url, err := replaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{name}}") + if err != nil { + return err + } + + billingProject := "" + + if config.BillingProject != "" { + billingProject = config.BillingProject + } + + _, err = SendRequest(config, "GET", billingProject, url, config.UserAgent, nil) + if err == nil { + return fmt.Errorf("AccessContextManagerAuthorizedOrgsDesc still exists at %s", url) + } + } + + return nil + } +}