From 145a6969dcf2010cc4e7a0cd72fe555862a18a0b Mon Sep 17 00:00:00 2001
From: The Magician
Date: Fri, 8 Jul 2022 14:51:27 -0700
Subject: [PATCH] iam workload identity pool - promote to ga (#6241) (#12065)
Signed-off-by: Modular Magician
---
.changelog/6241.txt | 6 +
google/config.go | 4 +
google/iam_beta_operation.go | 61 ++
google/provider.go | 15 +-
google/resource_iam_workload_identity_pool.go | 456 ++++++++++
...m_workload_identity_pool_generated_test.go | 126 +++
...rce_iam_workload_identity_pool_provider.go | 797 ++++++++++++++++++
...d_identity_pool_provider_generated_test.go | 248 ++++++
...oad_identity_pool_provider_sweeper_test.go | 128 +++
...iam_workload_identity_pool_sweeper_test.go | 128 +++
.../iam_workload_identity_pool.html.markdown | 6 +-
...kload_identity_pool_provider.html.markdown | 12 +-
12 files changed, 1969 insertions(+), 18 deletions(-)
create mode 100644 .changelog/6241.txt
create mode 100644 google/iam_beta_operation.go
create mode 100644 google/resource_iam_workload_identity_pool.go
create mode 100644 google/resource_iam_workload_identity_pool_generated_test.go
create mode 100644 google/resource_iam_workload_identity_pool_provider.go
create mode 100644 google/resource_iam_workload_identity_pool_provider_generated_test.go
create mode 100644 google/resource_iam_workload_identity_pool_provider_sweeper_test.go
create mode 100644 google/resource_iam_workload_identity_pool_sweeper_test.go
diff --git a/.changelog/6241.txt b/.changelog/6241.txt
new file mode 100644
index 00000000000..80009bc01d9
--- /dev/null
+++ b/.changelog/6241.txt
@@ -0,0 +1,6 @@
+```release-note:new-resource
+`google_iam_workload_identity_pool` (ga only)
+```
+```release-note:new-resource
+`google_iam_workload_identity_pool_provider ` (ga only)
+```
diff --git a/google/config.go b/google/config.go
index 382b8d368be..8ebd182ad2b 100644
--- a/google/config.go
+++ b/google/config.go
@@ -202,6 +202,7 @@ type Config struct {
 GameServicesBasePath string
 GKEHubBasePath string
 HealthcareBasePath string
+ IAMBetaBasePath string
 IapBasePath string
 IdentityPlatformBasePath string
 KMSBasePath string
@@ -294,6 +295,7 @@ const FirestoreBasePathKey = "Firestore"
 const GameServicesBasePathKey = "GameServices"
 const GKEHubBasePathKey = "GKEHub"
 const HealthcareBasePathKey = "Healthcare"
+const IAMBetaBasePathKey = "IAMBeta"
 const IapBasePathKey = "Iap"
 const IdentityPlatformBasePathKey = "IdentityPlatform"
 const KMSBasePathKey = "KMS"
@@ -380,6 +382,7 @@ var DefaultBasePaths = map[string]string{
 GameServicesBasePathKey: "https://gameservices.googleapis.com/v1/",
 GKEHubBasePathKey: "https://gkehub.googleapis.com/v1/",
 HealthcareBasePathKey: "https://healthcare.googleapis.com/v1/",
+ IAMBetaBasePathKey: "https://iam.googleapis.com/v/",
 IapBasePathKey: "https://iap.googleapis.com/v1/",
 IdentityPlatformBasePathKey: "https://identitytoolkit.googleapis.com/v2/",
 KMSBasePathKey: "https://cloudkms.googleapis.com/v1/",
@@ -1228,6 +1231,7 @@ func ConfigureBasePaths(c *Config) {
 c.GameServicesBasePath = DefaultBasePaths[GameServicesBasePathKey]
 c.GKEHubBasePath = DefaultBasePaths[GKEHubBasePathKey]
 c.HealthcareBasePath = DefaultBasePaths[HealthcareBasePathKey]
+ c.IAMBetaBasePath = DefaultBasePaths[IAMBetaBasePathKey]
 c.IapBasePath = DefaultBasePaths[IapBasePathKey]
 c.IdentityPlatformBasePath = DefaultBasePaths[IdentityPlatformBasePathKey]
 c.KMSBasePath = DefaultBasePaths[KMSBasePathKey]
diff --git a/google/iam_beta_operation.go b/google/iam_beta_operation.go
new file mode 100644
index 00000000000..36a6a2228af
--- /dev/null
+++ b/google/iam_beta_operation.go
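Review bot: The default added to DefaultBasePaths, `IAMBetaBasePathKey: "https://iam.googleapis.com/v/",`, has an empty API version segment, while every neighbouring entry in the same hunk ends in `/v1/` or `/v2/`. Every URL the new resources build from `{{IAMBetaBasePath}}`, and the operation-polling URL that iam_beta_operation.go forms by concatenating this base path with the operation name, would therefore target `https://iam.googleapis.com/v/...` unless the operator overrides it through the new custom-endpoint option. I would expect `https://iam.googleapis.com/v1/` for a GA surface, i.e. `IAMBetaBasePathKey: "https://iam.googleapis.com/v1/",`, but the exact version should be confirmed against the API definition the generator reads, since this file is produced by Magic Modules and the fix belongs upstream. Note also that the generated CheckDestroy in resource_iam_workload_identity_pool_generated_test.go returns nil on any GET error, so a broken base path would make that check pass vacuously rather than surface the problem.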
@@ -0,0 +1,61 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- +package google + +import ( + "fmt" + "time" +) + +type IAMBetaOperationWaiter struct { + Config *Config + UserAgent string + Project string + CommonOperationWaiter +} + +func (w *IAMBetaOperationWaiter) QueryOp() (interface{}, error) { + if w == nil { + return nil, fmt.Errorf("Cannot query operation, it's unset or nil.") + } + // Returns the proper get. + url := fmt.Sprintf("%s%s", w.Config.IAMBetaBasePath, w.CommonOperationWaiter.Op.Name) + + return sendRequest(w.Config, "GET", w.Project, url, w.UserAgent, nil) +} + +func createIAMBetaWaiter(config *Config, op map[string]interface{}, project, activity, userAgent string) (*IAMBetaOperationWaiter, error) { + w := &IAMBetaOperationWaiter{ + Config: config, + UserAgent: userAgent, + Project: project, + } + if err := w.CommonOperationWaiter.SetOp(op); err != nil { + return nil, err + } + return w, nil +} + +func iAMBetaOperationWaitTime(config *Config, op map[string]interface{}, project, activity, userAgent string, timeout time.Duration) error { + if val, ok := op["name"]; !ok || val == "" { + // This was a synchronous call - there is no operation to wait for. + return nil + } + w, err := createIAMBetaWaiter(config, op, project, activity, userAgent) + if err != nil { + // If w is nil, the op was synchronous. + return err + } + return OperationWait(w, activity, timeout, config.PollInterval) +} diff --git a/google/provider.go b/google/provider.go index 53754f53ed5..ba74ef4ddff 100644 
--- a/google/provider.go
+++ b/google/provider.go
@@ -477,6 +477,14 @@ func Provider() *schema.Provider {
 "GOOGLE_HEALTHCARE_CUSTOM_ENDPOINT",
 }, DefaultBasePaths[HealthcareBasePathKey]),
 },
+ "iam_beta_custom_endpoint": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validateCustomEndpoint,
+ DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+ "GOOGLE_IAM_BETA_CUSTOM_ENDPOINT",
+ }, DefaultBasePaths[IAMBetaBasePathKey]),
+ },
 "iap_custom_endpoint": {
 Type: schema.TypeString,
 Optional: true,
@@ -863,9 +871,9 @@ func Provider() *schema.Provider {
 return provider
 }
-// Generated resources: 224
+// Generated resources: 226
 // Generated IAM resources: 129
-// Total generated resources: 353
+// Total generated resources: 355
 func ResourceMap() map[string]*schema.Resource {
 resourceMap, _ := ResourceMapWithErrors()
 return resourceMap
@@ -1097,6 +1105,8 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 "google_healthcare_consent_store_iam_binding": ResourceIamBinding(HealthcareConsentStoreIamSchema, HealthcareConsentStoreIamUpdaterProducer, HealthcareConsentStoreIdParseFunc),
 "google_healthcare_consent_store_iam_member": ResourceIamMember(HealthcareConsentStoreIamSchema, HealthcareConsentStoreIamUpdaterProducer, HealthcareConsentStoreIdParseFunc),
 "google_healthcare_consent_store_iam_policy": ResourceIamPolicy(HealthcareConsentStoreIamSchema, HealthcareConsentStoreIamUpdaterProducer, HealthcareConsentStoreIdParseFunc),
+ "google_iam_workload_identity_pool": resourceIAMBetaWorkloadIdentityPool(),
+ "google_iam_workload_identity_pool_provider": resourceIAMBetaWorkloadIdentityPoolProvider(),
 "google_iap_web_iam_binding": ResourceIamBinding(IapWebIamSchema, IapWebIamUpdaterProducer, IapWebIdParseFunc),
 "google_iap_web_iam_member": ResourceIamMember(IapWebIamSchema, IapWebIamUpdaterProducer, IapWebIdParseFunc),
 "google_iap_web_iam_policy": ResourceIamPolicy(IapWebIamSchema, IapWebIamUpdaterProducer, IapWebIdParseFunc),
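Review bot: The provider option added in the first hunk is exposed to users as `iam_beta_custom_endpoint` with the environment variable `GOOGLE_IAM_BETA_CUSTOM_ENDPOINT`, even though the changelog in this patch registers both resources as GA-only and the third hunk maps them under the non-beta names `google_iam_workload_identity_pool` and `google_iam_workload_identity_pool_provider`. Because the option name and environment variable are part of the provider's public configuration surface, the "beta" wording will be hard to rename later, and it signals to operators that the endpoint override is for a preview API. This presumably mirrors the IAMBeta product name in the Magic Modules definition; if the name has to stay, a short comment on the `"iam_beta_custom_endpoint": {` entry, e.g. `// Overrides the base URL for the GA google_iam_workload_identity_pool* resources; "beta" reflects the upstream product name, not an API stage.`, would at least document the mismatch. Provider() and ResourceMapWithErrors() both start and end outside these hunks.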
@@ -1515,6 +1525,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData, p *schema.Pr
 config.GameServicesBasePath = d.Get("game_services_custom_endpoint").(string)
 config.GKEHubBasePath = d.Get("gke_hub_custom_endpoint").(string)
 config.HealthcareBasePath = d.Get("healthcare_custom_endpoint").(string)
+ config.IAMBetaBasePath = d.Get("iam_beta_custom_endpoint").(string)
 config.IapBasePath = d.Get("iap_custom_endpoint").(string)
 config.IdentityPlatformBasePath = d.Get("identity_platform_custom_endpoint").(string)
 config.KMSBasePath = d.Get("kms_custom_endpoint").(string)
diff --git a/google/resource_iam_workload_identity_pool.go b/google/resource_iam_workload_identity_pool.go
new file mode 100644
index 00000000000..7f8134faf9e
--- /dev/null
+++ b/google/resource_iam_workload_identity_pool.go
@@ -0,0 +1,456 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "fmt" + "log" + "reflect" + "regexp" + "strings" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +const workloadIdentityPoolIdRegexp = `^[0-9a-z-]+$` + +func validateWorkloadIdentityPoolId(v interface{}, k string) (ws []string, errors []error) { + value := v.(string) + + if strings.HasPrefix(value, "gcp-") { + errors = append(errors, fmt.Errorf( + "%q (%q) can not start with \"gcp-\"", k, value)) + } + + if !regexp.MustCompile(workloadIdentityPoolIdRegexp).MatchString(value) { + errors = append(errors, fmt.Errorf( + "%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k)) + } + + if len(value) < 4 { + errors = append(errors, fmt.Errorf( + "%q cannot be smaller than 4 characters", k)) + } + + if len(value) > 32 { + errors = append(errors, fmt.Errorf( + "%q cannot be greater than 32 characters", k)) + } + + return +} + +func resourceIAMBetaWorkloadIdentityPool() *schema.Resource { + return &schema.Resource{ + Create: resourceIAMBetaWorkloadIdentityPoolCreate, + Read: resourceIAMBetaWorkloadIdentityPoolRead, + Update: resourceIAMBetaWorkloadIdentityPoolUpdate, + Delete: resourceIAMBetaWorkloadIdentityPoolDelete, + + Importer: &schema.ResourceImporter{ + State: resourceIAMBetaWorkloadIdentityPoolImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + 
Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "workload_identity_pool_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validateWorkloadIdentityPoolId, + Description: `The ID to use for the pool, which becomes the final component of the resource name. This +value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix +'gcp-' is reserved for use by Google, and may not be specified.`, + }, + "description": { + Type: schema.TypeString, + Optional: true, + Description: `A description of the pool. Cannot exceed 256 characters.`, + }, + "disabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use +existing tokens to access resources. If the pool is re-enabled, existing tokens grant +access again.`, + }, + "display_name": { + Type: schema.TypeString, + Optional: true, + Description: `A display name for the pool. Cannot exceed 32 characters.`, + }, + "name": { + Type: schema.TypeString, + Computed: true, + Description: `The resource name of the pool as +'projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}'.`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `The state of the pool. +* STATE_UNSPECIFIED: State unspecified. +* ACTIVE: The pool is active, and may be used in Google Cloud policies. +* DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after + approximately 30 days. You can restore a soft-deleted pool using + UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is + permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or + use existing tokens to access resources. 
If the pool is undeleted, existing tokens grant + access again.`, + }, + "project": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + }, + }, + UseJSONNumber: true, + } +} + +func resourceIAMBetaWorkloadIdentityPoolCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + displayNameProp, err := expandIAMBetaWorkloadIdentityPoolDisplayName(d.Get("display_name"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("display_name"); !isEmptyValue(reflect.ValueOf(displayNameProp)) && (ok || !reflect.DeepEqual(v, displayNameProp)) { + obj["displayName"] = displayNameProp + } + descriptionProp, err := expandIAMBetaWorkloadIdentityPoolDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + disabledProp, err := expandIAMBetaWorkloadIdentityPoolDisabled(d.Get("disabled"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("disabled"); !isEmptyValue(reflect.ValueOf(disabledProp)) && (ok || !reflect.DeepEqual(v, disabledProp)) { + obj["disabled"] = disabledProp + } + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Creating new WorkloadIdentityPool: %#v", obj) + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPool: %s", err) + } + billingProject = project + + // err == nil indicates that the billing_project value was found + if bp, err := 
getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequestWithTimeout(config, "POST", billingProject, url, userAgent, obj, d.Timeout(schema.TimeoutCreate)) + if err != nil { + return fmt.Errorf("Error creating WorkloadIdentityPool: %s", err) + } + + // Store the ID now + id, err := replaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + err = iAMBetaOperationWaitTime( + config, res, project, "Creating WorkloadIdentityPool", userAgent, + d.Timeout(schema.TimeoutCreate)) + + if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error waiting to create WorkloadIdentityPool: %s", err) + } + + log.Printf("[DEBUG] Finished creating WorkloadIdentityPool %q: %#v", d.Id(), res) + + return resourceIAMBetaWorkloadIdentityPoolRead(d, meta) +} + +func resourceIAMBetaWorkloadIdentityPoolRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}") + if err != nil { + return err + } + + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPool: %s", err) + } + billingProject = project + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequest(config, "GET", billingProject, url, userAgent, nil) + if err != nil { + return handleNotFoundError(err, d, fmt.Sprintf("IAMBetaWorkloadIdentityPool %q", d.Id())) + } + + res, err = resourceIAMBetaWorkloadIdentityPoolDecoder(d, meta, res) + 
if err != nil { + return err + } + + if res == nil { + // Decoding the object has resulted in it being gone. It may be marked deleted + log.Printf("[DEBUG] Removing IAMBetaWorkloadIdentityPool because it no longer exists.") + d.SetId("") + return nil + } + + if err := d.Set("project", project); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPool: %s", err) + } + + if err := d.Set("state", flattenIAMBetaWorkloadIdentityPoolState(res["state"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPool: %s", err) + } + if err := d.Set("display_name", flattenIAMBetaWorkloadIdentityPoolDisplayName(res["displayName"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPool: %s", err) + } + if err := d.Set("description", flattenIAMBetaWorkloadIdentityPoolDescription(res["description"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPool: %s", err) + } + if err := d.Set("name", flattenIAMBetaWorkloadIdentityPoolName(res["name"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPool: %s", err) + } + if err := d.Set("disabled", flattenIAMBetaWorkloadIdentityPoolDisabled(res["disabled"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPool: %s", err) + } + + return nil +} + +func resourceIAMBetaWorkloadIdentityPoolUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPool: %s", err) + } + billingProject = project + + obj := make(map[string]interface{}) + displayNameProp, err := expandIAMBetaWorkloadIdentityPoolDisplayName(d.Get("display_name"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("display_name"); 
!isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, displayNameProp)) { + obj["displayName"] = displayNameProp + } + descriptionProp, err := expandIAMBetaWorkloadIdentityPoolDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + disabledProp, err := expandIAMBetaWorkloadIdentityPoolDisabled(d.Get("disabled"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("disabled"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, disabledProp)) { + obj["disabled"] = disabledProp + } + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Updating WorkloadIdentityPool %q: %#v", d.Id(), obj) + updateMask := []string{} + + if d.HasChange("display_name") { + updateMask = append(updateMask, "displayName") + } + + if d.HasChange("description") { + updateMask = append(updateMask, "description") + } + + if d.HasChange("disabled") { + updateMask = append(updateMask, "disabled") + } + // updateMask is a URL parameter but not present in the schema, so replaceVars + // won't set it + url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")}) + if err != nil { + return err + } + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequestWithTimeout(config, "PATCH", billingProject, url, userAgent, obj, d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return fmt.Errorf("Error updating WorkloadIdentityPool %q: %s", d.Id(), err) + } else { + log.Printf("[DEBUG] Finished updating WorkloadIdentityPool %q: %#v", d.Id(), res) + } 
+ + err = iAMBetaOperationWaitTime( + config, res, project, "Updating WorkloadIdentityPool", userAgent, + d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return err + } + + return resourceIAMBetaWorkloadIdentityPoolRead(d, meta) +} + +func resourceIAMBetaWorkloadIdentityPoolDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPool: %s", err) + } + billingProject = project + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}") + if err != nil { + return err + } + + var obj map[string]interface{} + log.Printf("[DEBUG] Deleting WorkloadIdentityPool %q", d.Id()) + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequestWithTimeout(config, "DELETE", billingProject, url, userAgent, obj, d.Timeout(schema.TimeoutDelete)) + if err != nil { + return handleNotFoundError(err, d, "WorkloadIdentityPool") + } + + err = iAMBetaOperationWaitTime( + config, res, project, "Deleting WorkloadIdentityPool", userAgent, + d.Timeout(schema.TimeoutDelete)) + + if err != nil { + return err + } + + log.Printf("[DEBUG] Finished deleting WorkloadIdentityPool %q: %#v", d.Id(), res) + return nil +} + +func resourceIAMBetaWorkloadIdentityPoolImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*Config) + if err := parseImportId([]string{ + "projects/(?P[^/]+)/locations/global/workloadIdentityPools/(?P[^/]+)", + "(?P[^/]+)/(?P[^/]+)", + "(?P[^/]+)", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err 
:= replaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} + +func flattenIAMBetaWorkloadIdentityPoolState(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolDisplayName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolDescription(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolDisabled(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func expandIAMBetaWorkloadIdentityPoolDisplayName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolDisabled(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func resourceIAMBetaWorkloadIdentityPoolDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) { + if v := res["state"]; v == "DELETED" { + return nil, nil + } + + return res, nil +} diff --git a/google/resource_iam_workload_identity_pool_generated_test.go b/google/resource_iam_workload_identity_pool_generated_test.go new file mode 100644 index 00000000000..f1cbe235f1c --- /dev/null +++ b/google/resource_iam_workload_identity_pool_generated_test.go 
@@ -0,0 +1,126 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolBasicExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolBasicExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id"}, + }, + }, + }) +} + +func testAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolBasicExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "example" { + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" +} +`, context) +} + +func TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: 
testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id"}, + }, + }, + }) +} + +func testAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "example" { + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" + display_name = "Name of pool" + description = "Identity pool for automated test" + disabled = true +} +`, context) +} + +func testAccCheckIAMBetaWorkloadIdentityPoolDestroyProducer(t *testing.T) func(s *terraform.State) error { + return func(s *terraform.State) error { + for name, rs := range s.RootModule().Resources { + if rs.Type != "google_iam_workload_identity_pool" { + continue + } + if strings.HasPrefix(name, "data.") { + continue + } + + config := googleProviderConfig(t) + + url, err := replaceVarsForTest(config, rs, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}") + if err != nil { + return err + } + + res, err := sendRequest(config, "GET", "", url, config.userAgent, nil) + if err != nil { + return nil + } + + if v := res["state"]; v == "DELETED" { + return nil + } + + return fmt.Errorf("IAMBetaWorkloadIdentityPool still exists at %s", url) + } + + return nil + } +} diff --git a/google/resource_iam_workload_identity_pool_provider.go b/google/resource_iam_workload_identity_pool_provider.go new file mode 100644 index 00000000000..232f255beb8 --- /dev/null +++ b/google/resource_iam_workload_identity_pool_provider.go 
@@ -0,0 +1,797 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "fmt" + "log" + "reflect" + "regexp" + "strings" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +const workloadIdentityPoolProviderIdRegexp = `^[0-9a-z-]+$` + +func validateWorkloadIdentityPoolProviderId(v interface{}, k string) (ws []string, errors []error) { + value := v.(string) + + if strings.HasPrefix(value, "gcp-") { + errors = append(errors, fmt.Errorf( + "%q (%q) can not start with \"gcp-\"", k, value)) + } + + if !regexp.MustCompile(workloadIdentityPoolProviderIdRegexp).MatchString(value) { + errors = append(errors, fmt.Errorf( + "%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k)) + } + + if len(value) < 4 { + errors = append(errors, fmt.Errorf( + "%q cannot be smaller than 4 characters", k)) + } + + if len(value) > 32 { + errors = append(errors, fmt.Errorf( + "%q cannot be greater than 32 characters", k)) + } + + return +} + +func resourceIAMBetaWorkloadIdentityPoolProvider() *schema.Resource { + return &schema.Resource{ + Create: resourceIAMBetaWorkloadIdentityPoolProviderCreate, + Read: resourceIAMBetaWorkloadIdentityPoolProviderRead, + Update: resourceIAMBetaWorkloadIdentityPoolProviderUpdate, + Delete: resourceIAMBetaWorkloadIdentityPoolProviderDelete, + + Importer: &schema.ResourceImporter{ + State: resourceIAMBetaWorkloadIdentityPoolProviderImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * 
time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "workload_identity_pool_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `The ID used for the pool, which is the final component of the pool resource name. This +value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix +'gcp-' is reserved for use by Google, and may not be specified.`, + }, + "workload_identity_pool_provider_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validateWorkloadIdentityPoolProviderId, + Description: `The ID for the provider, which becomes the final component of the resource name. This +value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix +'gcp-' is reserved for use by Google, and may not be specified.`, + }, + "attribute_condition": { + Type: schema.TypeString, + Optional: true, + Description: `[A Common Expression Language](https://opensource.google/projects/cel) expression, in +plain text, to restrict what otherwise valid authentication credentials issued by the +provider should not be accepted. + +The expression must output a boolean representing whether to allow the federation. + +The following keywords may be referenced in the expressions: + * 'assertion': JSON representing the authentication credential issued by the provider. + * 'google': The Google attributes mapped from the assertion in the 'attribute_mappings'. + * 'attribute': The custom attributes mapped from the assertion in the 'attribute_mappings'. + +The maximum length of the attribute condition expression is 4096 characters. If +unspecified, all valid authentication credential are accepted. 
+ +The following example shows how to only allow credentials with a mapped 'google.groups' +value of 'admins': +''' +"'admins' in google.groups" +'''`, + }, + "attribute_mapping": { + Type: schema.TypeMap, + Optional: true, + Description: `Maps attributes from authentication credentials issued by an external identity provider +to Google Cloud attributes, such as 'subject' and 'segment'. + +Each key must be a string specifying the Google Cloud IAM attribute to map to. + +The following keys are supported: + * 'google.subject': The principal IAM is authenticating. You can reference this value + in IAM bindings. This is also the subject that appears in Cloud Logging logs. + Cannot exceed 127 characters. + * 'google.groups': Groups the external identity belongs to. You can grant groups + access to resources using an IAM 'principalSet' binding; access applies to all + members of the group. + +You can also provide custom attributes by specifying 'attribute.{custom_attribute}', +where '{custom_attribute}' is the name of the custom attribute to be mapped. You can +define a maximum of 50 custom attributes. The maximum length of a mapped attribute key +is 100 characters, and the key may only contain the characters [a-z0-9_]. + +You can reference these attributes in IAM policies to define fine-grained access for a +workload to Google Cloud resources. 
For example: + * 'google.subject': + 'principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}' + * 'google.groups': + 'principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}' + * 'attribute.{custom_attribute}': + 'principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}' + +Each value must be a [Common Expression Language](https://opensource.google/projects/cel) +function that maps an identity provider credential to the normalized attribute specified +by the corresponding map key. + +You can use the 'assertion' keyword in the expression to access a JSON representation of +the authentication credential issued by the provider. + +The maximum length of an attribute mapping expression is 2048 characters. When evaluated, +the total size of all mapped attributes must not exceed 8KB. + +For AWS providers, the following rules apply: + - If no attribute mapping is defined, the following default mapping applies: + ''' + { + "google.subject":"assertion.arn", + "attribute.aws_role": + "assertion.arn.contains('assumed-role')" + " ? assertion.arn.extract('{account_arn}assumed-role/')" + " + 'assumed-role/'" + " + assertion.arn.extract('assumed-role/{role_name}/')" + " : assertion.arn", + } + ''' + - If any custom attribute mappings are defined, they must include a mapping to the + 'google.subject' attribute. + +For OIDC providers, the following rules apply: + - Custom attribute mappings must be defined, and must include a mapping to the + 'google.subject' attribute. For example, the following maps the 'sub' claim of the + incoming credential to the 'subject' attribute on a Google token. 
+ ''' + {"google.subject": "assertion.sub"} + '''`, + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "aws": { + Type: schema.TypeList, + Optional: true, + Description: `An Amazon Web Services identity provider. Not compatible with the property oidc.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "account_id": { + Type: schema.TypeString, + Required: true, + Description: `The AWS account ID.`, + }, + }, + }, + ExactlyOneOf: []string{"aws", "oidc"}, + }, + "description": { + Type: schema.TypeString, + Optional: true, + Description: `A description for the provider. Cannot exceed 256 characters.`, + }, + "disabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. +However, existing tokens still grant access.`, + }, + "display_name": { + Type: schema.TypeString, + Optional: true, + Description: `A display name for the provider. Cannot exceed 32 characters.`, + }, + "oidc": { + Type: schema.TypeList, + Optional: true, + Description: `An OpenId Connect 1.0 identity provider. Not compatible with the property aws.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "issuer_uri": { + Type: schema.TypeString, + Required: true, + Description: `The OIDC issuer URL.`, + }, + "allowed_audiences": { + Type: schema.TypeList, + Optional: true, + Description: `Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange +requests are rejected if the token audience does not match one of the configured +values. Each audience may be at most 256 characters. A maximum of 10 audiences may +be configured. + +If this list is empty, the OIDC token audience must be equal to the full canonical +resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. 
+For example: +''' +//iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ +https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ +'''`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + ExactlyOneOf: []string{"aws", "oidc"}, + }, + "name": { + Type: schema.TypeString, + Computed: true, + Description: `The resource name of the provider as +'projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}'.`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `The state of the provider. +* STATE_UNSPECIFIED: State unspecified. +* ACTIVE: The provider is active, and may be used to validate authentication credentials. +* DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted + after approximately 30 days. You can restore a soft-deleted provider using + UndeleteWorkloadIdentityPoolProvider. 
You cannot reuse the ID of a soft-deleted provider + until it is permanently deleted.`, + }, + "project": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + }, + }, + UseJSONNumber: true, + } +} + +func resourceIAMBetaWorkloadIdentityPoolProviderCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + displayNameProp, err := expandIAMBetaWorkloadIdentityPoolProviderDisplayName(d.Get("display_name"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("display_name"); !isEmptyValue(reflect.ValueOf(displayNameProp)) && (ok || !reflect.DeepEqual(v, displayNameProp)) { + obj["displayName"] = displayNameProp + } + descriptionProp, err := expandIAMBetaWorkloadIdentityPoolProviderDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + disabledProp, err := expandIAMBetaWorkloadIdentityPoolProviderDisabled(d.Get("disabled"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("disabled"); !isEmptyValue(reflect.ValueOf(disabledProp)) && (ok || !reflect.DeepEqual(v, disabledProp)) { + obj["disabled"] = disabledProp + } + attributeMappingProp, err := expandIAMBetaWorkloadIdentityPoolProviderAttributeMapping(d.Get("attribute_mapping"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("attribute_mapping"); !isEmptyValue(reflect.ValueOf(attributeMappingProp)) && (ok || !reflect.DeepEqual(v, attributeMappingProp)) { + obj["attributeMapping"] = attributeMappingProp + } + attributeConditionProp, err := expandIAMBetaWorkloadIdentityPoolProviderAttributeCondition(d.Get("attribute_condition"), d, 
config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("attribute_condition"); !isEmptyValue(reflect.ValueOf(attributeConditionProp)) && (ok || !reflect.DeepEqual(v, attributeConditionProp)) { + obj["attributeCondition"] = attributeConditionProp + } + awsProp, err := expandIAMBetaWorkloadIdentityPoolProviderAws(d.Get("aws"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("aws"); !isEmptyValue(reflect.ValueOf(awsProp)) && (ok || !reflect.DeepEqual(v, awsProp)) { + obj["aws"] = awsProp + } + oidcProp, err := expandIAMBetaWorkloadIdentityPoolProviderOidc(d.Get("oidc"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("oidc"); !isEmptyValue(reflect.ValueOf(oidcProp)) && (ok || !reflect.DeepEqual(v, oidcProp)) { + obj["oidc"] = oidcProp + } + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers?workloadIdentityPoolProviderId={{workload_identity_pool_provider_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Creating new WorkloadIdentityPoolProvider: %#v", obj) + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolProvider: %s", err) + } + billingProject = project + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequestWithTimeout(config, "POST", billingProject, url, userAgent, obj, d.Timeout(schema.TimeoutCreate)) + if err != nil { + return fmt.Errorf("Error creating WorkloadIdentityPoolProvider: %s", err) + } + + // Store the ID now + id, err := replaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}") + if err != nil { + return fmt.Errorf("Error 
constructing id: %s", err) + } + d.SetId(id) + + err = iAMBetaOperationWaitTime( + config, res, project, "Creating WorkloadIdentityPoolProvider", userAgent, + d.Timeout(schema.TimeoutCreate)) + + if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error waiting to create WorkloadIdentityPoolProvider: %s", err) + } + + log.Printf("[DEBUG] Finished creating WorkloadIdentityPoolProvider %q: %#v", d.Id(), res) + + return resourceIAMBetaWorkloadIdentityPoolProviderRead(d, meta) +} + +func resourceIAMBetaWorkloadIdentityPoolProviderRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}") + if err != nil { + return err + } + + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolProvider: %s", err) + } + billingProject = project + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequest(config, "GET", billingProject, url, userAgent, nil) + if err != nil { + return handleNotFoundError(err, d, fmt.Sprintf("IAMBetaWorkloadIdentityPoolProvider %q", d.Id())) + } + + res, err = resourceIAMBetaWorkloadIdentityPoolProviderDecoder(d, meta, res) + if err != nil { + return err + } + + if res == nil { + // Decoding the object has resulted in it being gone. 
It may be marked deleted + log.Printf("[DEBUG] Removing IAMBetaWorkloadIdentityPoolProvider because it no longer exists.") + d.SetId("") + return nil + } + + if err := d.Set("project", project); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + + if err := d.Set("state", flattenIAMBetaWorkloadIdentityPoolProviderState(res["state"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("display_name", flattenIAMBetaWorkloadIdentityPoolProviderDisplayName(res["displayName"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("description", flattenIAMBetaWorkloadIdentityPoolProviderDescription(res["description"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("name", flattenIAMBetaWorkloadIdentityPoolProviderName(res["name"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("disabled", flattenIAMBetaWorkloadIdentityPoolProviderDisabled(res["disabled"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("attribute_mapping", flattenIAMBetaWorkloadIdentityPoolProviderAttributeMapping(res["attributeMapping"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("attribute_condition", flattenIAMBetaWorkloadIdentityPoolProviderAttributeCondition(res["attributeCondition"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("aws", flattenIAMBetaWorkloadIdentityPoolProviderAws(res["aws"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + if err := d.Set("oidc", 
flattenIAMBetaWorkloadIdentityPoolProviderOidc(res["oidc"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolProvider: %s", err) + } + + return nil +} + +func resourceIAMBetaWorkloadIdentityPoolProviderUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolProvider: %s", err) + } + billingProject = project + + obj := make(map[string]interface{}) + displayNameProp, err := expandIAMBetaWorkloadIdentityPoolProviderDisplayName(d.Get("display_name"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("display_name"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, displayNameProp)) { + obj["displayName"] = displayNameProp + } + descriptionProp, err := expandIAMBetaWorkloadIdentityPoolProviderDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + disabledProp, err := expandIAMBetaWorkloadIdentityPoolProviderDisabled(d.Get("disabled"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("disabled"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, disabledProp)) { + obj["disabled"] = disabledProp + } + attributeMappingProp, err := expandIAMBetaWorkloadIdentityPoolProviderAttributeMapping(d.Get("attribute_mapping"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("attribute_mapping"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, attributeMappingProp)) { + obj["attributeMapping"] = attributeMappingProp + } + attributeConditionProp, 
err := expandIAMBetaWorkloadIdentityPoolProviderAttributeCondition(d.Get("attribute_condition"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("attribute_condition"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, attributeConditionProp)) { + obj["attributeCondition"] = attributeConditionProp + } + awsProp, err := expandIAMBetaWorkloadIdentityPoolProviderAws(d.Get("aws"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("aws"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, awsProp)) { + obj["aws"] = awsProp + } + oidcProp, err := expandIAMBetaWorkloadIdentityPoolProviderOidc(d.Get("oidc"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("oidc"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, oidcProp)) { + obj["oidc"] = oidcProp + } + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Updating WorkloadIdentityPoolProvider %q: %#v", d.Id(), obj) + updateMask := []string{} + + if d.HasChange("display_name") { + updateMask = append(updateMask, "displayName") + } + + if d.HasChange("description") { + updateMask = append(updateMask, "description") + } + + if d.HasChange("disabled") { + updateMask = append(updateMask, "disabled") + } + + if d.HasChange("attribute_mapping") { + updateMask = append(updateMask, "attributeMapping") + } + + if d.HasChange("attribute_condition") { + updateMask = append(updateMask, "attributeCondition") + } + + if d.HasChange("aws") { + updateMask = append(updateMask, "aws") + } + + if d.HasChange("oidc") { + updateMask = append(updateMask, "oidc.allowed_audiences", + "oidc.issuer_uri") + } + // updateMask is a URL parameter but not present in the schema, so replaceVars + // won't set it + url, err 
= addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")}) + if err != nil { + return err + } + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequestWithTimeout(config, "PATCH", billingProject, url, userAgent, obj, d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return fmt.Errorf("Error updating WorkloadIdentityPoolProvider %q: %s", d.Id(), err) + } else { + log.Printf("[DEBUG] Finished updating WorkloadIdentityPoolProvider %q: %#v", d.Id(), res) + } + + err = iAMBetaOperationWaitTime( + config, res, project, "Updating WorkloadIdentityPoolProvider", userAgent, + d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return err + } + + return resourceIAMBetaWorkloadIdentityPoolProviderRead(d, meta) +} + +func resourceIAMBetaWorkloadIdentityPoolProviderDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := getProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolProvider: %s", err) + } + billingProject = project + + url, err := replaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}") + if err != nil { + return err + } + + var obj map[string]interface{} + log.Printf("[DEBUG] Deleting WorkloadIdentityPoolProvider %q", d.Id()) + + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := sendRequestWithTimeout(config, "DELETE", billingProject, url, userAgent, obj, d.Timeout(schema.TimeoutDelete)) + if err != nil { + return handleNotFoundError(err, d, 
"WorkloadIdentityPoolProvider") + } + + err = iAMBetaOperationWaitTime( + config, res, project, "Deleting WorkloadIdentityPoolProvider", userAgent, + d.Timeout(schema.TimeoutDelete)) + + if err != nil { + return err + } + + log.Printf("[DEBUG] Finished deleting WorkloadIdentityPoolProvider %q: %#v", d.Id(), res) + return nil +} + +func resourceIAMBetaWorkloadIdentityPoolProviderImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*Config) + if err := parseImportId([]string{ + "projects/(?P[^/]+)/locations/global/workloadIdentityPools/(?P[^/]+)/providers/(?P[^/]+)", + "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", + "(?P[^/]+)/(?P[^/]+)", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err := replaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} + +func flattenIAMBetaWorkloadIdentityPoolProviderState(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderDisplayName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderDescription(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderDisabled(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderAttributeMapping(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func 
flattenIAMBetaWorkloadIdentityPoolProviderAttributeCondition(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderAws(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["account_id"] = + flattenIAMBetaWorkloadIdentityPoolProviderAwsAccountId(original["accountId"], d, config) + return []interface{}{transformed} +} +func flattenIAMBetaWorkloadIdentityPoolProviderAwsAccountId(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderOidc(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["allowed_audiences"] = + flattenIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(original["allowedAudiences"], d, config) + transformed["issuer_uri"] = + flattenIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(original["issuerUri"], d, config) + return []interface{}{transformed} +} +func flattenIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func expandIAMBetaWorkloadIdentityPoolProviderDisplayName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func 
expandIAMBetaWorkloadIdentityPoolProviderDisabled(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderAttributeMapping(v interface{}, d TerraformResourceData, config *Config) (map[string]string, error) { + if v == nil { + return map[string]string{}, nil + } + m := make(map[string]string) + for k, val := range v.(map[string]interface{}) { + m[k] = val.(string) + } + return m, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderAttributeCondition(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderAws(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedAccountId, err := expandIAMBetaWorkloadIdentityPoolProviderAwsAccountId(original["account_id"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccountId); val.IsValid() && !isEmptyValue(val) { + transformed["accountId"] = transformedAccountId + } + + return transformed, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderAwsAccountId(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderOidc(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedAllowedAudiences, err := expandIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(original["allowed_audiences"], d, config) + if err != nil { + return nil, err + } else if val := 
reflect.ValueOf(transformedAllowedAudiences); val.IsValid() && !isEmptyValue(val) { + transformed["allowedAudiences"] = transformedAllowedAudiences + } + + transformedIssuerUri, err := expandIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(original["issuer_uri"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIssuerUri); val.IsValid() && !isEmptyValue(val) { + transformed["issuerUri"] = transformedIssuerUri + } + + return transformed, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func resourceIAMBetaWorkloadIdentityPoolProviderDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) { + if v := res["state"]; v == "DELETED" { + return nil, nil + } + + return res, nil +} diff --git a/google/resource_iam_workload_identity_pool_provider_generated_test.go b/google/resource_iam_workload_identity_pool_provider_generated_test.go new file mode 100644 index 00000000000..38885f76d1b --- /dev/null +++ b/google/resource_iam_workload_identity_pool_provider_generated_test.go 
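Review bot: The update-mask entries for the oidc block, `oidc.allowed_audiences` and `oidc.issuer_uri`, are the only snake_case paths in resourceIAMBetaWorkloadIdentityPoolProviderUpdate; every other mask path (`displayName`, `attributeMapping`, `attributeCondition`) is camelCase like the request-body keys, and the sibling `aws` entry masks the whole block. If the IAM API does not normalize FieldMask paths, an `oidc` change could be rejected or silently dropped, which matters here because `issuer_uri` and `allowed_audiences` are exactly the fields that decide which external tokens the pool trusts; unless the snake_case form has been verified against the API, use `updateMask = append(updateMask, "oidc.allowedAudiences", "oidc.issuerUri")` (or simply `"oidc"`, mirroring the `aws` case). Separately, `issuer_uri` is sent with no local validation while `workload_identity_pool_provider_id` gets a ValidateFunc; a check that the value parses as an absolute `https://` URL would surface misconfiguration before the API call, assuming the service enforces that (worth confirming). This file is Magic Modules output, so the fix belongs in the upstream template rather than in this repository.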
@@ -0,0 +1,248 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderAwsBasicExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderAwsBasicExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_provider.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"}, + }, + }, + }) +} + +func testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderAwsBasicExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "example" { + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + 
workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}" + aws { + account_id = "999999999999" + } +} +`, context) +} + +func TestAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderAwsFullExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderAwsFullExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_provider.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"}, + }, + }, + }) +} + +func testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderAwsFullExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "example" { + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}" + display_name = "Name of provider" + description = "AWS identity pool provider for automated test" + disabled = true + attribute_condition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"" + attribute_mapping = { + "google.subject" = "assertion.arn" + "attribute.aws_account" = "assertion.account" + "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? 
\"prod\" : \"test\"" + } + aws { + account_id = "999999999999" + } +} +`, context) +} + +func TestAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcBasicExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcBasicExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_provider.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"}, + }, + }, + }) +} + +func testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcBasicExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "example" { + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}" + attribute_mapping = { + "google.subject" = "assertion.sub" + } + oidc { + issuer_uri = "https://sts.windows.net/azure-tenant-id" + } +} +`, context) +} + +func TestAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcFullExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t), + Steps: []resource.TestStep{ + { 
+ Config: testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcFullExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_provider.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"}, + }, + }, + }) +} + +func testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcFullExample(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "example" { + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}" + display_name = "Name of provider" + description = "OIDC identity pool provider for automated test" + disabled = true + attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups" + attribute_mapping = { + "google.subject" = "\"azure::\" + assertion.tid + \"::\" + assertion.sub" + "attribute.tid" = "assertion.tid" + "attribute.managed_identity_name" = < 0 { + log.Printf("[INFO][SWEEPER_LOG] %d items were non-sweepable and skipped.", nonPrefixCount) + } + + return nil +} diff --git a/google/resource_iam_workload_identity_pool_sweeper_test.go b/google/resource_iam_workload_identity_pool_sweeper_test.go new file mode 100644 index 00000000000..25f2c195f28 --- /dev/null +++ b/google/resource_iam_workload_identity_pool_sweeper_test.go 
@@ -0,0 +1,128 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "log" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +func init() { + resource.AddTestSweepers("IAMBetaWorkloadIdentityPool", &resource.Sweeper{ + Name: "IAMBetaWorkloadIdentityPool", + F: testSweepIAMBetaWorkloadIdentityPool, + }) +} + +// At the time of writing, the CI only passes us-central1 as the region +func testSweepIAMBetaWorkloadIdentityPool(region string) error { + resourceName := "IAMBetaWorkloadIdentityPool" + log.Printf("[INFO][SWEEPER_LOG] Starting sweeper for %s", resourceName) + + config, err := sharedConfigForRegion(region) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err) + return err + } + + err = config.LoadAndValidate(context.Background()) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err) + return err + } + + t := &testing.T{} + billingId := getTestBillingAccountFromEnv(t) + + // Setup variables to replace in list template + d := &ResourceDataMock{ + FieldsInSchema: map[string]interface{}{ + "project": config.Project, + "region": region, + "location": region, + "zone": "-", + "billing_account": billingId, + }, + } + + listTemplate := strings.Split("https://iam.googleapis.com/v/projects/{{project}}/locations/global/workloadIdentityPools", "?")[0] + listUrl, err := replaceVars(d, config, listTemplate) + if err != nil { + 
log.Printf("[INFO][SWEEPER_LOG] error preparing sweeper list url: %s", err) + return nil + } + + res, err := sendRequest(config, "GET", config.Project, listUrl, config.userAgent, nil) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", listUrl, err) + return nil + } + + resourceList, ok := res["workloadIdentityPools"] + if !ok { + log.Printf("[INFO][SWEEPER_LOG] Nothing found in response.") + return nil + } + + rl := resourceList.([]interface{}) + + log.Printf("[INFO][SWEEPER_LOG] Found %d items in %s list response.", len(rl), resourceName) + // Keep count of items that aren't sweepable for logging. + nonPrefixCount := 0 + for _, ri := range rl { + obj := ri.(map[string]interface{}) + var name string + // Id detected in the delete URL, attempt to use id. + if obj["id"] != nil { + name = GetResourceNameFromSelfLink(obj["id"].(string)) + } else if obj["name"] != nil { + name = GetResourceNameFromSelfLink(obj["name"].(string)) + } else { + log.Printf("[INFO][SWEEPER_LOG] %s resource name and id were nil", resourceName) + return nil + } + // Skip resources that shouldn't be sweeped + if !isSweepableTestResource(name) { + nonPrefixCount++ + continue + } + + deleteTemplate := "https://iam.googleapis.com/v/projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}" + deleteUrl, err := replaceVars(d, config, deleteTemplate) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error preparing delete url: %s", err) + return nil + } + deleteUrl = deleteUrl + name + + // Don't wait on operations as we may have a lot to delete + _, err = sendRequest(config, "DELETE", config.Project, deleteUrl, config.userAgent, nil) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error deleting for url %s : %s", deleteUrl, err) + } else { + log.Printf("[INFO][SWEEPER_LOG] Sent delete request for %s resource: %s", resourceName, name) + } + } + + if nonPrefixCount > 0 { + log.Printf("[INFO][SWEEPER_LOG] %d items were 
non-sweepable and skipped.", nonPrefixCount) + } + + return nil +} diff --git a/website/docs/r/iam_workload_identity_pool.html.markdown b/website/docs/r/iam_workload_identity_pool.html.markdown index 88b281a1254..55d30455975 100644 --- a/website/docs/r/iam_workload_identity_pool.html.markdown +++ b/website/docs/r/iam_workload_identity_pool.html.markdown @@ -25,12 +25,10 @@ description: |- Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources. -~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. -See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. To get more information about WorkloadIdentityPool, see: -* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools) +* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools) * How-to Guides * [Managing workload identity pools](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools) @@ -44,7 +42,6 @@ To get more information about WorkloadIdentityPool, see: ```hcl resource "google_iam_workload_identity_pool" "example" { - provider = google-beta workload_identity_pool_id = "example-pool" } ``` @@ -58,7 +55,6 @@ resource "google_iam_workload_identity_pool" "example" { ```hcl resource "google_iam_workload_identity_pool" "example" { - provider = google-beta workload_identity_pool_id = "example-pool" display_name = "Name of pool" description = "Identity pool for automated test" diff --git a/website/docs/r/iam_workload_identity_pool_provider.html.markdown b/website/docs/r/iam_workload_identity_pool_provider.html.markdown index 99af1e66363..a18e7d870f3 100644 --- a/website/docs/r/iam_workload_identity_pool_provider.html.markdown 
+++ b/website/docs/r/iam_workload_identity_pool_provider.html.markdown @@ -24,12 +24,10 @@ description: |- A configuration for an external identity provider. -~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. -See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. To get more information about WorkloadIdentityPoolProvider, see: -* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools.providers) +* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers) * How-to Guides * [Managing workload identity providers](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers) @@ -43,12 +41,10 @@ To get more information about WorkloadIdentityPoolProvider, see: ```hcl resource "google_iam_workload_identity_pool" "pool" { - provider = google-beta workload_identity_pool_id = "example-pool" } resource "google_iam_workload_identity_pool_provider" "example" { - provider = google-beta workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id workload_identity_pool_provider_id = "example-prvdr" aws { @@ -66,12 +62,10 @@ resource "google_iam_workload_identity_pool_provider" "example" { ```hcl resource "google_iam_workload_identity_pool" "pool" { - provider = google-beta workload_identity_pool_id = "example-pool" } resource "google_iam_workload_identity_pool_provider" "example" { - provider = google-beta workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id workload_identity_pool_provider_id = "example-prvdr" display_name = "Name of provider" 
@@ -98,12 +92,10 @@ resource "google_iam_workload_identity_pool_provider" "example" { ```hcl resource "google_iam_workload_identity_pool" "pool" { - provider = google-beta workload_identity_pool_id = "example-pool" } resource "google_iam_workload_identity_pool_provider" "example" { - provider = google-beta workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id workload_identity_pool_provider_id = "example-prvdr" attribute_mapping = { @@ -124,12 +116,10 @@ resource "google_iam_workload_identity_pool_provider" "example" { ```hcl resource "google_iam_workload_identity_pool" "pool" { - provider = google-beta workload_identity_pool_id = "example-pool" } resource "google_iam_workload_identity_pool_provider" "example" { - provider = google-beta workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id workload_identity_pool_provider_id = "example-prvdr" display_name = "Name of provider"