Adding AuthorizedOrgsDesc to AccessContextManager #7178

Merged Mar 7, 2023 (37 commits)

Changes from 35 commits

Commits:
009e34c First commit. My manual testing of creating an authorized orgs desc w… (vmoros, Jan 25, 2023)
1662c19 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Jan 25, 2023)
5e20cb8 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Jan 26, 2023)
83c042b Creating and updating are working. Only orgs can be updated in-place.… (vmoros, Jan 26, 2023)
3f54964 Marking the correct parameters as 'input' so Terraform will know whic… (vmoros, Jan 26, 2023)
3d68146 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Jan 27, 2023)
6130b03 Don't skip the test (vmoros, Jan 27, 2023)
eb22b20 Adding the AuthorizedOrgsDesc test to the overall ACM test sequence (vmoros, Jan 27, 2023)
46b9105 Trying new way to generate access policy in the test example (vmoros, Jan 27, 2023)
ec65e59 Empty push to run checks again (vmoros, Jan 27, 2023)
873f448 Improving test & example for authorize orgs desc (vmoros, Jan 27, 2023)
5dc4370 Skip generating tests for authorized orgs desc (vmoros, Jan 27, 2023)
267ab53 Adding org_id to test's context (vmoros, Jan 27, 2023)
7dba1e3 Removing unused variable (vmoros, Jan 30, 2023)
2bc4090 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Jan 30, 2023)
62e8d21 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Jan 31, 2023)
7650978 Hardcoding some parts of the AuthorizedOrgsDesc test (vmoros, Feb 1, 2023)
8854d86 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Feb 1, 2023)
9c90499 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Feb 2, 2023)
de9b6a3 Revert "Hardcoding some parts of the AuthorizedOrgsDesc test" (vmoros, Feb 2, 2023)
928fae0 Undoing the hardcoding of the access policy in my test (vmoros, Feb 2, 2023)
5909a45 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Feb 7, 2023)
0781f74 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Feb 9, 2023)
844e88c Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Feb 17, 2023)
e3ec86d Adding wait after creating access policy (vmoros, Feb 17, 2023)
792c2e4 Changing the way the post-create wait is handled (vmoros, Feb 17, 2023)
ba738cf Increasing sleep to 2 minutes (vmoros, Feb 21, 2023)
56ae758 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Feb 21, 2023)
6f7c8c0 Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Mar 3, 2023)
60818b0 Update mmv1/third_party/terraform/tests/resource_access_context_manag… (vmoros, Mar 6, 2023)
1201f54 Update mmv1/third_party/terraform/tests/resource_access_context_manag… (vmoros, Mar 6, 2023)
1119f49 Update mmv1/third_party/terraform/tests/resource_access_context_manag… (vmoros, Mar 6, 2023)
c8f5d4b Update mmv1/third_party/terraform/tests/resource_access_context_manag… (vmoros, Mar 6, 2023)
e0a2386 Update mmv1/third_party/terraform/tests/resource_access_context_manag… (vmoros, Mar 6, 2023)
98ad4ce Merge branch 'GoogleCloudPlatform:main' into main (vmoros, Mar 6, 2023)
5478868 Update mmv1/third_party/terraform/tests/resource_access_context_manag… (shuyama1, Mar 6, 2023)
94134ba Removing *_UNSPECIFIED values because they're not available to users (vmoros, Mar 7, 2023)
130 changes: 130 additions & 0 deletions mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml
@@ -0,0 +1,130 @@
# Copyright 2023 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- !ruby/object:Api::Resource
name: 'AuthorizedOrgsDesc'
base_url: ""
create_url: "{{parent}}/authorizedOrgsDescs"
self_link: "{{name}}"
update_verb: :PATCH
references: !ruby/object:Api::Resource::ReferenceLinks
guides:
'gcloud docs': 'https://cloud.google.com/beyondcorp-enterprise/docs/cross-org-authorization'
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.authorizedOrgsDescs'
description: |
An authorized organizations description describes a list of organizations
(1) that have been authorized to use certain asset (for example, device) data
owned by different organizations at the enforcement points, or (2) with certain
asset (for example, device) have been authorized to access the resources in
another organization at the enforcement points.
docs: !ruby/object:Provider::Terraform::Docs
warning: |
If you are using User ADCs (Application Default Credentials) with this resource,
you must specify a `billing_project` and set `user_project_override` to true
in the provider configuration. Otherwise the ACM API will return a 403 error.
Your account must have the `serviceusage.services.use` permission on the
`billing_project` you defined.
autogen_async: true
id_format: "{{name}}"
import_format: ["{{name}}"]
examples:
- !ruby/object:Provider::Terraform::Examples
name: "access_context_manager_authorized_orgs_desc_basic"
primary_resource_id: "authorized-orgs-desc"
skip_test: true
# Skipping the sweeper due to the non-standard base_url
skip_sweeper: true
custom_code: !ruby/object:Provider::Terraform::CustomCode
encoder: templates/terraform/encoders/access_level_never_send_parent.go.erb
pre_update: templates/terraform/update_mask.erb
post_create: templates/terraform/post_create/sleep_2_min.go.erb
custom_import: templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.erb
parameters:
- !ruby/object:Api::Type::String
name: parent
input: true
required: true
description: |
Required. Resource name for the access policy which owns this `AuthorizedOrgsDesc`.
ignore_read: true
- !ruby/object:Api::Type::String
name: name
input: true
required: true
description: |
Resource name for the `AuthorizedOrgsDesc`. Format:
`accessPolicies/{access_policy}/authorizedOrgsDescs/{authorized_orgs_desc}`.
The `authorized_orgs_desc` component must begin with a letter, followed by
alphanumeric characters or `_`.
After you create an `AuthorizedOrgsDesc`, you cannot change its `name`.
- !ruby/object:Api::Type::Array
name: orgs
description: |
The list of organization ids in this AuthorizedOrgsDesc.
Format: `organizations/<org_number>`
Example: `organizations/123456`
item_type: Api::Type::String
- !ruby/object:Api::Type::Enum
name: assetType
input: true
description: |
The type of entities that need to use the authorization relationship during
evaluation, such as a device. Valid values are "ASSET_TYPE_DEVICE" and
"ASSET_TYPE_CREDENTIAL_STRENGTH".
values:
- :ASSET_TYPE_UNSPECIFIED
- :ASSET_TYPE_DEVICE
- :ASSET_TYPE_CREDENTIAL_STRENGTH
- !ruby/object:Api::Type::Enum
name: authorizationDirection
input: true
description: |
The direction of the authorization relationship between this organization
and the organizations listed in the "orgs" field. The valid values for this
field include the following:

AUTHORIZATION_DIRECTION_FROM: Allows this organization to evaluate traffic
in the organizations listed in the `orgs` field.

AUTHORIZATION_DIRECTION_TO: Allows the organizations listed in the `orgs`
field to evaluate the traffic in this organization.

For the authorization relationship to take effect, all of the organizations
must authorize and specify the appropriate relationship direction. For
example, if organization A authorized organization B and C to evaluate its
traffic, by specifying "AUTHORIZATION_DIRECTION_TO" as the authorization
direction, organizations B and C must specify
"AUTHORIZATION_DIRECTION_FROM" as the authorization direction in their
"AuthorizedOrgsDesc" resource.
values:
- :AUTHORIZATION_DIRECTION_UNSPECIFIED
- :AUTHORIZATION_DIRECTION_TO
- :AUTHORIZATION_DIRECTION_FROM
- !ruby/object:Api::Type::Enum
name: authorizationType
input: true
description: |
A granular control type for authorization levels. Valid value is "AUTHORIZATION_TYPE_TRUST".
values:
- :AUTHORIZATION_TYPE_UNSPECIFIED
- :AUTHORIZATION_TYPE_TRUST
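Review bot: the three enum parameters assetType, authorizationDirection and authorizationType are declared with `input: true` but without `required: true`, while the thread directly below states there are no server-side defaults and the user must set them; as written, a config that omits one of them passes plan and only fails when the API rejects the create. Add `required: true` to each of the three (and consider it for `orgs`, unless an empty list is meaningful) so the error surfaces at plan time. Separately, the `values:` lists still carry `:ASSET_TYPE_UNSPECIFIED`, `:AUTHORIZATION_DIRECTION_UNSPECIFIED` and `:AUTHORIZATION_TYPE_UNSPECIFIED`, which users cannot send; the final commit 94134ba drops them, so this 35-commit view is stale on that point.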
Member:
Is there a server-side default values for these fields -- Does API return values for them if they are not explicitly specified?

Also should we remove *_UNSPECIFIED values? My understanding is that they are not valid values for users to specify.

Contributor Author:
There are no server-side default values for assetType, authorizationDirection, or authorizationType. The user must specify them.

The *_UNSPECIFIED values exist under the hood, which is why I added them in the code here, but they cannot be used so IMO it's reasonable to remove them here.

properties:
- !ruby/object:Api::Type::Time
name: 'createTime'
description: |
Time the AuthorizedOrgsDesc was created in UTC.
output: true
- !ruby/object:Api::Type::Time
name: 'updateTime'
description: |
Time the AuthorizedOrgsDesc was updated in UTC.
output: true
Comment on lines +118 to +127
Member:
We can remove these two fields as they may not be useful for Terraform users
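To make the rules in the resource description concrete, here is an added example in Go (not code from this PR or from magic-modules) that performs the checks a client could run before applying a descriptor: it derives `parent` from the self link the way the custom import step must, rejects the `*_UNSPECIFIED` values the thread above agrees users cannot send, checks `orgs` against the `organizations/<org_number>` format, and verifies that two organizations' descriptors are reciprocal (one `AUTHORIZATION_DIRECTION_TO`, the other `AUTHORIZATION_DIRECTION_FROM`, each listing the other), which the description says is needed for the relationship to take effect. The struct and function names and the sample org and policy numbers are my own choices, not identifiers from the provider.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuthorizedOrgsDesc mirrors the user-settable fields of the resource added in this PR.
// The type name is an assumption of this example, not a provider type.
type AuthorizedOrgsDesc struct {
	Name                   string   // accessPolicies/{access_policy}/authorizedOrgsDescs/{authorized_orgs_desc}
	Orgs                   []string // organizations/<org_number>
	AssetType              string
	AuthorizationDirection string
	AuthorizationType      string
}

var (
	// From the yaml description: the desc id must begin with a letter,
	// followed by alphanumeric characters or '_'.
	descIDRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_]*$`)
	orgRe    = regexp.MustCompile(`^organizations/[0-9]+$`)
)

// userSettable lists the enum values a user may specify; the *_UNSPECIFIED
// values are left out, as agreed in the review thread.
var userSettable = map[string]map[string]bool{
	"asset_type":              {"ASSET_TYPE_DEVICE": true, "ASSET_TYPE_CREDENTIAL_STRENGTH": true},
	"authorization_direction": {"AUTHORIZATION_DIRECTION_TO": true, "AUTHORIZATION_DIRECTION_FROM": true},
	"authorization_type":      {"AUTHORIZATION_TYPE_TRUST": true},
}

// ParentFromName recovers the access policy parent from the self link. This is
// the derivation the custom import step has to perform, because `parent` is
// never sent to the API and is ignored on read.
func ParentFromName(name string) (string, error) {
	parts := strings.Split(name, "/")
	if len(parts) != 4 || parts[0] != "accessPolicies" || parts[2] != "authorizedOrgsDescs" || parts[1] == "" {
		return "", fmt.Errorf("malformed AuthorizedOrgsDesc name %q", name)
	}
	if !descIDRe.MatchString(parts[3]) {
		return "", fmt.Errorf("invalid authorized_orgs_desc id %q", parts[3])
	}
	return "accessPolicies/" + parts[1], nil
}

// Validate runs the client-side checks the API would otherwise reject at apply
// time: a well-formed name, only user-settable enum values, and org references
// in the documented format.
func Validate(d AuthorizedOrgsDesc) error {
	if _, err := ParentFromName(d.Name); err != nil {
		return err
	}
	fields := map[string]string{
		"asset_type":              d.AssetType,
		"authorization_direction": d.AuthorizationDirection,
		"authorization_type":      d.AuthorizationType,
	}
	for field, val := range fields {
		if !userSettable[field][val] {
			return fmt.Errorf("%s: %q is not a value users can specify", field, val)
		}
	}
	for _, o := range d.Orgs {
		if !orgRe.MatchString(o) {
			return fmt.Errorf("orgs: %q is not of the form organizations/<org_number>", o)
		}
	}
	return nil
}

// Reciprocal reports whether the descriptor owned by aOrg and the one owned by
// bOrg complete each other: each lists the other organization, and one side
// says TO while the other says FROM.
func Reciprocal(aOrg string, a AuthorizedOrgsDesc, bOrg string, b AuthorizedOrgsDesc) bool {
	if !contains(a.Orgs, bOrg) || !contains(b.Orgs, aOrg) {
		return false
	}
	to, from := "AUTHORIZATION_DIRECTION_TO", "AUTHORIZATION_DIRECTION_FROM"
	return (a.AuthorizationDirection == to && b.AuthorizationDirection == from) ||
		(a.AuthorizationDirection == from && b.AuthorizationDirection == to)
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: org 111 lets org 222 evaluate its traffic (TO), and
	// org 222 answers with FROM. The numbers are placeholders, not real orgs.
	a := AuthorizedOrgsDesc{
		Name: "accessPolicies/111000/authorizedOrgsDescs/trust_partner",
		Orgs: []string{"organizations/222"}, AssetType: "ASSET_TYPE_CREDENTIAL_STRENGTH",
		AuthorizationDirection: "AUTHORIZATION_DIRECTION_TO", AuthorizationType: "AUTHORIZATION_TYPE_TRUST",
	}
	b := a
	b.Name = "accessPolicies/222000/authorizedOrgsDescs/trust_partner"
	b.Orgs = []string{"organizations/111"}
	b.AuthorizationDirection = "AUTHORIZATION_DIRECTION_FROM"
	fmt.Println(Validate(a), Validate(b), Reciprocal("organizations/111", a, "organizations/222", b))
}
```

Reciprocal checks one pair at a time; for the description's example of organization A trusting B and C, run it once per partner, since each of B and C must carry its own FROM descriptor listing A.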

@@ -0,0 +1,13 @@
resource "google_access_context_manager_authorized_orgs_desc" "<%= ctx[:primary_resource_id] %>" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName"
authorization_type = "AUTHORIZATION_TYPE_TRUST"
asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH"
authorization_direction = "AUTHORIZATION_DIRECTION_TO"
orgs = ["organizations/12345", "organizations/98765"]
}

resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
title = "my policy"
}
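Review bot: `parent` and `name` carry the same access policy twice and nothing checks that they agree; `create_url` is `{{parent}}/authorizedOrgsDescs` while the request body carries `name` (the encoder only strips `parent`), so a config whose `name` prefix names a different policy than `parent` would post a body for one policy to the URL of another. Either derive `parent` from `name` or add a validation that `name` starts with `parent + "/authorizedOrgsDescs/"`. Also, since this example is rendered into the docs and `AUTHORIZATION_DIRECTION_TO` lets the listed organizations evaluate this organization's traffic, the org numbers `12345` and `98765` should read as obvious placeholders (a variable or a comment) so nobody copies a trust grant pointing at real organization numbers.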
4 changes: 4 additions & 0 deletions mmv1/templates/terraform/post_create/sleep_2_min.go.erb
@@ -0,0 +1,4 @@
// This is useful if the resource in question doesn't have a perfectly consistent API
// That is, the Operation for Create might return before the Get operation shows the
// completed state of the resource.
time.Sleep(2 * time.Minute)
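Review bot: an unconditional `time.Sleep(2 * time.Minute)` after every create is a fixed cost that neither confirms the resource is readable nor bounds the wait if it takes longer; replace it with a poll of the resource's GET (retry on 404 up to a deadline, return as soon as it succeeds), which is faster in the common case and still correct in the slow one. The comment should also name the resource this was added for (AuthorizedOrgsDesc) and the symptom observed, because a file called `sleep_2_min` will be reused by other resources. Confirm the generated resource file imports `time`, which this template relies on.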
@@ -91,6 +91,7 @@ func TestAccAccessContextManager(t *testing.T) {
"access_level_condition": testAccAccessContextManagerAccessLevelCondition_basicTest,
"service_perimeters": testAccAccessContextManagerServicePerimeters_basicTest,
"gcp_user_access_binding": testAccAccessContextManagerGcpUserAccessBinding_basicTest,
"authorized_orgs_desc": testAccAccessContextManagerAuthorizedOrgsDesc_basicTest,
}

for name, tc := range testCases {
@@ -0,0 +1,84 @@
package google

import (
"fmt"
"strings"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
)

func testAccAccessContextManagerAuthorizedOrgsDesc_basicTest(t *testing.T) {
context := map[string]interface{}{
"org_id": GetTestOrgFromEnv(t),
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: TestAccProviders,
CheckDestroy: testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context),
},
{
ResourceName: "google_access_context_manager_authorized_orgs_desc.authorized-orgs-desc",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"parent"},
},
},
})
}

func testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context map[string]interface{}) string {
return Nprintf(`
resource "google_access_context_manager_authorized_orgs_desc" "authorized-orgs-desc" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName"
authorization_type = "AUTHORIZATION_TYPE_TRUST"
asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH"
authorization_direction = "AUTHORIZATION_DIRECTION_TO"
orgs = ["organizations/12345", "organizations/98765"]
}

resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%{org_id}"
title = "my policy"
}
`, context)
}

func testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
for name, rs := range s.RootModule().Resources {
if rs.Type != "google_access_context_manager_authorized_orgs_desc" {
continue
}
if strings.HasPrefix(name, "data.") {
continue
}

config := GoogleProviderConfig(t)

url, err := replaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{name}}")
if err != nil {
return err
}

billingProject := ""

if config.BillingProject != "" {
billingProject = config.BillingProject
}

_, err = SendRequest(config, "GET", billingProject, url, config.userAgent, nil)
if err == nil {
return fmt.Errorf("AccessContextManagerAuthorizedOrgsDesc still exists at %s", url)
}
}

return nil
}
}
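Review bot: in the destroy check, `if err == nil` treats any error from `SendRequest` as proof the resource is gone, so a 403 (for example the missing `billing_project`/`user_project_override` case the resource docs warn about) or a transient 5xx would make a leaked AuthorizedOrgsDesc look deleted. Match a 404 specifically (the provider has a helper for matching a Google API error code) and return every other error. The first step also has no `Check`, so nothing asserts that `orgs`, `asset_type` or `authorization_direction` were stored as written; import verify only covers that if the API echoes every field, so a few `resource.TestCheckResourceAttr` checks would make a failure easier to read.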