privateca sweeper (#5560) (#10763)

Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Dec 15, 2021 · 4539e26 · 4539e26
1 parent 257292c
commit 4539e26
Show file tree

Hide file tree

Showing 3 changed files with 161 additions and 31 deletions.
diff --git a/.changelog/5560.txt b/.changelog/5560.txt
@@ -0,0 +1,3 @@
+```release-note:none
+
+```
diff --git a/google/resource_privateca_certificate_authority_sweeper_test.go b/google/resource_privateca_certificate_authority_sweeper_test.go
@@ -0,0 +1,127 @@
+package google
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func init() {
+	resource.AddTestSweepers("CertificateAuthority", &resource.Sweeper{
+		Name: "CertificateAuthority",
+		F:    testSweepCertificateAuthority,
+	})
+}
+
+// At the time of writing, the CI only passes us-central1 as the region
+func testSweepCertificateAuthority(region string) error {
+	resourceName := "CertificateAuthority"
+	log.Printf("[INFO][SWEEPER_LOG] Starting sweeper for %s", resourceName)
+
+	config, err := sharedConfigForRegion(region)
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err)
+		return err
+	}
+
+	err = config.LoadAndValidate(context.Background())
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err)
+		return err
+	}
+
+	// Setup variables to replace in list template
+	d := &ResourceDataMock{
+		FieldsInSchema: map[string]interface{}{
+			"project":  config.Project,
+			"location": region,
+		},
+	}
+
+	caPoolsUrl, err := replaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools")
+	if err != nil {
+		return err
+	}
+
+	res, err := sendRequest(config, "GET", config.Project, caPoolsUrl, config.userAgent, nil)
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", caPoolsUrl, err)
+		return nil
+	}
+
+	resourceList, ok := res["caPools"]
+	if !ok {
+		log.Printf("[INFO][SWEEPER_LOG] Nothing found in response.")
+		return nil
+	}
+
+	rl := resourceList.([]interface{})
+
+	log.Printf("[INFO][SWEEPER_LOG] Found %d items in %s list response.", len(rl), resourceName)
+	// Count items that weren't sweeped.
+	nonPrefixCount := 0
+	for _, ri := range rl {
+		obj := ri.(map[string]interface{})
+
+		poolName := obj["name"].(string)
+
+		caListUrl := config.PrivatecaBasePath + poolName + "/certificateAuthorities"
+
+		res, err := sendRequest(config, "GET", config.Project, caListUrl, config.userAgent, nil)
+		if err != nil {
+			log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", caPoolsUrl, err)
+			return nil
+		}
+
+		caResourceList, ok := res["certificateAuthorities"]
+		if !ok {
+			log.Printf("[INFO][SWEEPER_LOG] Nothing found in certificate authority list response.")
+			continue
+		}
+
+		carl := caResourceList.([]interface{})
+		for _, cai := range carl {
+			obj := cai.(map[string]interface{})
+			caName := obj["name"].(string)
+
+			// Increment count and skip if resource is not sweepable.
+			nameParts := strings.Split(caName, "/")
+			id := nameParts[len(nameParts)-1]
+			if !isSweepableTestResource(id) {
+				nonPrefixCount++
+				continue
+			}
+
+			if obj["state"] == "DELETED" {
+				continue
+			}
+
+			if obj["state"] == "ENABLED" {
+				disableUrl := fmt.Sprintf("%s%s:disable", config.PrivatecaBasePath, caName)
+				_, err = sendRequest(config, "POST", config.Project, disableUrl, config.userAgent, nil)
+				if err != nil {
+					log.Printf("[INFO][SWEEPER_LOG] Error disabling for url %s : %s", disableUrl, err)
+				} else {
+					log.Printf("[INFO][SWEEPER_LOG] Disabling %s resource: %s", resourceName, caName)
+				}
+			}
+
+			deleteUrl := config.PrivatecaBasePath + caName
+			_, err = sendRequest(config, "DELETE", config.Project, deleteUrl, config.userAgent, nil)
+			if err != nil {
+				log.Printf("[INFO][SWEEPER_LOG] Error deleting for url %s : %s", deleteUrl, err)
+			} else {
+				log.Printf("[INFO][SWEEPER_LOG] Deleted a %s resource: %s", resourceName, caName)
+			}
+		}
+	}
+
+	if nonPrefixCount > 0 {
+		log.Printf("[INFO][SWEEPER_LOG] %d items without tf-test prefix remain.", nonPrefixCount)
+	}
+
+	return nil
+}
diff --git a/website/docs/r/os_config_os_policy_assignment.html.markdown b/website/docs/r/os_config_os_policy_assignment.html.markdown
@@ -703,23 +703,27 @@ The `disruption_budget` block supports:
   (Optional)
   Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
 
-The `source` block supports:
+The `validate` block supports:
 
-* `allow_insecure` -
+* `interpreter` -
+  (Required)
+  Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL
+
+* `args` -
   (Optional)
-  Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
+  Optional arguments to pass to the source during execution.
 
-* `gcs` -
+* `file` -
   (Optional)
-  A Cloud Storage object.
+  Required. A deb package.
 
-* `local_path` -
+* `output_file_path` -
   (Optional)
-  A local path within the VM to use.
+  Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.
 
-* `remote` -
+* `script` -
   (Optional)
-  A generic remote file.
+  An inline script. The size of the script is limited to 1024 characters.
 
 - - -
 
@@ -970,6 +974,24 @@ The `zypper` block supports:
   (Required)
   Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
 
+The `file` block supports:
+
+* `allow_insecure` -
+  (Optional)
+  Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
+
+* `gcs` -
+  (Optional)
+  A Cloud Storage object.
+
+* `local_path` -
+  (Optional)
+  A local path within the VM to use.
+
+* `remote` -
+  (Optional)
+  A generic remote file.
+
 The `gcs` block supports:
 
 * `bucket` -
@@ -994,28 +1016,6 @@ The `remote` block supports:
   (Optional)
   SHA256 checksum of the remote file.
 
-The `enforce` block supports:
-
-* `interpreter` -
-  (Required)
-  Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL
-
-* `args` -
-  (Optional)
-  Optional arguments to pass to the source during execution.
-
-* `file` -
-  (Optional)
-  Required. A deb package.
-
-* `output_file_path` -
-  (Optional)
-  Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.
-
-* `script` -
-  (Optional)
-  An inline script. The size of the script is limited to 1024 characters.
-
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: