artifactregistry: implement upstream credentials (GoogleCloudPlatform…

…#9439)

* implemented remote auth

* add IAM settings to test

mmv1/products/artifactregistry/Repository.yaml

@@ -101,6 +101,16 @@ examples:
     vars:
       repository_id: 'my-repository'
       description: 'example docker repository with cleanup policies'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'artifact_registry_repository_remote_custom'
+    primary_resource_id: 'my-repo'
+    vars:
+      repository_id: 'example-custom-remote'
+      description: 'example remote docker repository with credentials'
+      secret_id: 'example-secret'
+      secret_resource_id: 'example-custom-remote-secret'
+      username: 'remote-username'
+      secret_data: 'remote-password'
 custom_code: !ruby/object:Provider::Terraform::CustomCode
   encoder: templates/terraform/encoders/location_from_region.go.erb
 properties:
@@ -504,7 +514,30 @@ properties:
                 description: |-
                   Specific repository from the base, e.g. `"centos/8-stream/BaseOS/x86_64/os"`
                 immutable: true
-
+      - !ruby/object:Api::Type::NestedObject
+        name: 'upstreamCredentials'
+        description: |-
+          The credentials used to access the remote repository.
+        immutable: true
+        properties:
+          - !ruby/object:Api::Type::NestedObject
+            name: 'usernamePasswordCredentials'
+            description: |-
+              Use username and password to access the remote repository.
+            immutable: true
+            properties:
+              - !ruby/object:Api::Type::String
+                name: 'username'
+                description: |-
+                  The username to access the remote repository.
+                immutable: true
+              - !ruby/object:Api::Type::String
+                name: 'passwordSecretVersion'
+                description: |-
+                  The Secret Manager key version that holds the password to access the
+                  remote repository. Must be in the format of
+                  `projects/{project}/secrets/{secret}/versions/{version}`.
+                immutable: true
   - !ruby/object:Api::Type::Boolean
     name: 'cleanupPolicyDryRun'
     min_version: beta

mmv1/templates/terraform/examples/artifact_registry_repository_remote_custom.tf.erb

@@ -0,0 +1,39 @@
+data "google_project" "project" {}
+
+resource "google_secret_manager_secret" "<%= ctx[:vars]['secret_resource_id'] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "<%= ctx[:vars]['secret_resource_id'] %>_version" {
+  secret = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+  secret_data = "<%= ctx[:vars]['secret_data'] %>"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret-access" {
+  secret_id = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_artifact_registry_repository" "<%= ctx[:primary_resource_id] %>" {
+  location      = "us-central1"
+  repository_id = "<%= ctx[:vars]['repository_id'] %>"
+  description   = "<%= ctx[:vars]['description'] %>"
+  format        = "DOCKER"
+  mode          = "REMOTE_REPOSITORY"
+  remote_repository_config {
+    description = "docker hub with custom credentials"
+    docker_repository {
+      public_repository = "DOCKER_HUB"
+    }
+    upstream_credentials {
+      username_password_credentials {
+        username = "<%= ctx[:vars]['username'] %>"
+        password_secret_version = google_secret_manager_secret_version.<%= ctx[:vars]['secret_resource_id'] %>_version.name
+      }
+    }
+  }
+}