hashicorp · modular-magician · Jul 14, 2023 · Jul 14, 2023
diff --git a/.changelog/8317.txt b/.changelog/8317.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+apigee: added `disable_vpc_peering` field to `google_apigee_organization` resource
+```
diff --git a/google/resource_apigee_organization_generated_test.go b/google/resource_apigee_organization_generated_test.go
@@ -117,6 +117,60 @@ resource "google_apigee_organization" "org" {
 `, context)
 }
 
+func TestAccApigeeOrganization_apigeeOrganizationCloudBasicDisableVpcPeeringTestExample(t *testing.T) {
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+		"random_suffix":   acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckApigeeOrganizationDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccApigeeOrganization_apigeeOrganizationCloudBasicDisableVpcPeeringTestExample(context),
+			},
+			{
+				ResourceName:            "google_apigee_organization.org",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"project_id", "retention"},
+			},
+		},
+	})
+}
+
+func testAccApigeeOrganization_apigeeOrganizationCloudBasicDisableVpcPeeringTestExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_project" "project" {
+  project_id      = "tf-test%{random_suffix}"
+  name            = "tf-test%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+}
+
+resource "google_project_service" "apigee" {
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_apigee_organization" "org" {
+  description         = "Terraform-provisioned basic Apigee Org without VPC Peering."
+  analytics_region    = "us-central1"
+  project_id          = google_project.project.project_id
+  disable_vpc_peering = true
+  depends_on          = [
+    google_project_service.apigee,
+  ]
+}
+`, context)
+}
+
 func testAccCheckApigeeOrganizationDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

diff --git a/google/services/apigee/resource_apigee_organization.go b/google/services/apigee/resource_apigee_organization.go
@@ -80,6 +80,15 @@ Valid only when 'RuntimeType' is set to CLOUD. The value can be updated only whe
 				Optional:    true,
 				Description: `Description of the Apigee organization.`,
 			},
+			"disable_vpc_peering": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Description: `Flag that specifies whether the VPC Peering through Private Google Access should be
+disabled between the consumer network and Apigee. Required if an 'authorizedNetwork'
+on the consumer project is not provided, in which case the flag should be set to 'true'.
+Valid only when 'RuntimeType' is set to CLOUD. The value must be set before the creation
+of any Apigee runtime instance and can be updated only when there are no runtime instances.`,
+			},
 			"display_name": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -201,6 +210,12 @@ func resourceApigeeOrganizationCreate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("authorized_network"); !tpgresource.IsEmptyValue(reflect.ValueOf(authorizedNetworkProp)) && (ok || !reflect.DeepEqual(v, authorizedNetworkProp)) {
 		obj["authorizedNetwork"] = authorizedNetworkProp
 	}
+	disableVpcPeeringProp, err := expandApigeeOrganizationDisableVpcPeering(d.Get("disable_vpc_peering"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("disable_vpc_peering"); !tpgresource.IsEmptyValue(reflect.ValueOf(disableVpcPeeringProp)) && (ok || !reflect.DeepEqual(v, disableVpcPeeringProp)) {
+		obj["disableVpcPeering"] = disableVpcPeeringProp
+	}
 	runtimeTypeProp, err := expandApigeeOrganizationRuntimeType(d.Get("runtime_type"), d, config)
 	if err != nil {
 		return err
@@ -338,6 +353,9 @@ func resourceApigeeOrganizationRead(d *schema.ResourceData, meta interface{}) er
 	if err := d.Set("authorized_network", flattenApigeeOrganizationAuthorizedNetwork(res["authorizedNetwork"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Organization: %s", err)
 	}
+	if err := d.Set("disable_vpc_peering", flattenApigeeOrganizationDisableVpcPeering(res["disableVpcPeering"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Organization: %s", err)
+	}
 	if err := d.Set("runtime_type", flattenApigeeOrganizationRuntimeType(res["runtimeType"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Organization: %s", err)
 	}
@@ -397,6 +415,12 @@ func resourceApigeeOrganizationUpdate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("authorized_network"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, authorizedNetworkProp)) {
 		obj["authorizedNetwork"] = authorizedNetworkProp
 	}
+	disableVpcPeeringProp, err := expandApigeeOrganizationDisableVpcPeering(d.Get("disable_vpc_peering"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("disable_vpc_peering"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, disableVpcPeeringProp)) {
+		obj["disableVpcPeering"] = disableVpcPeeringProp
+	}
 	runtimeTypeProp, err := expandApigeeOrganizationRuntimeType(d.Get("runtime_type"), d, config)
 	if err != nil {
 		return err
@@ -568,6 +592,10 @@ func flattenApigeeOrganizationAuthorizedNetwork(v interface{}, d *schema.Resourc
 	return v
 }
 
+func flattenApigeeOrganizationDisableVpcPeering(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenApigeeOrganizationRuntimeType(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -648,6 +676,10 @@ func expandApigeeOrganizationAuthorizedNetwork(v interface{}, d tpgresource.Terr
 	return v, nil
 }
 
+func expandApigeeOrganizationDisableVpcPeering(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandApigeeOrganizationRuntimeType(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

diff --git a/website/docs/r/apigee_organization.html.markdown b/website/docs/r/apigee_organization.html.markdown
@@ -59,6 +59,19 @@ resource "google_apigee_organization" "org" {
   depends_on         = [google_service_networking_connection.apigee_vpc_connection]
 }
 ```
+## Example Usage - Apigee Organization Cloud Basic Disable Vpc Peering
+
+
+```hcl
+data "google_client_config" "current" {}
+
+resource "google_apigee_organization" "org" {
+  description         = "Terraform-provisioned basic Apigee Org without VPC Peering."
+  analytics_region    = "us-central1"
+  project_id          = data.google_client_config.current.project
+  disable_vpc_peering = true
+}
+```
 ## Example Usage - Apigee Organization Cloud Full
 
 
@@ -126,6 +139,54 @@ resource "google_apigee_organization" "org" {
   ]
 }
 ```
+## Example Usage - Apigee Organization Cloud Full Disable Vpc Peering
+
+
+```hcl
+data "google_client_config" "current" {}
+
+resource "google_kms_key_ring" "apigee_keyring" {
+  name     = "apigee-keyring"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "apigee_key" {
+  name            = "apigee-key"
+  key_ring        = google_kms_key_ring.apigee_keyring.id
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "google_project_service_identity" "apigee_sa" {
+  provider = google-beta
+  project  = google_project.project.project_id
+  service  = google_project_service.apigee.service
+}
+
+resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+  crypto_key_id = google_kms_crypto_key.apigee_key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  members = [
+    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
+  ]
+}
+
+resource "google_apigee_organization" "org" {
+  analytics_region                     = "us-central1"
+  display_name                         = "apigee-org"
+  description                          = "Terraform-provisioned Apigee Org without VPC Peering."
+  project_id                           = data.google_client_config.current.project
+  disable_vpc_peering                  = true
+  runtime_database_encryption_key_name = google_kms_crypto_key.apigee_key.id
+
+  depends_on = [
+    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+  ]
+}
+```
 
 ## Argument Reference
 
@@ -158,6 +219,14 @@ The following arguments are supported:
   See [Getting started with the Service Networking API](https://cloud.google.com/service-infrastructure/docs/service-networking/getting-started).
   Valid only when `RuntimeType` is set to CLOUD. The value can be updated only when there are no runtime instances. For example: "default".
 
+* `disable_vpc_peering` -
+  (Optional)
+  Flag that specifies whether the VPC Peering through Private Google Access should be
+  disabled between the consumer network and Apigee. Required if an `authorizedNetwork`
+  on the consumer project is not provided, in which case the flag should be set to `true`.
+  Valid only when `RuntimeType` is set to CLOUD. The value must be set before the creation
+  of any Apigee runtime instance and can be updated only when there are no runtime instances.
+
 * `runtime_type` -
   (Optional)
   Runtime type of the Apigee organization based on the Apigee subscription purchased.