Skip to content

Commit

Permalink
Adding AuthorizedOrgsDesc to AccessContextManager (GoogleCloudPlatfor…
Browse files Browse the repository at this point in the history
  • Loading branch information
vmoros authored and ericayyliu committed Jul 26, 2023
1 parent f9f359f commit ba32999
Show file tree
Hide file tree
Showing 5 changed files with 229 additions and 0 deletions.
127 changes: 127 additions & 0 deletions mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
# Copyright 2023 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- !ruby/object:Api::Resource
name: 'AuthorizedOrgsDesc'
base_url: ""
create_url: "{{parent}}/authorizedOrgsDescs"
self_link: "{{name}}"
update_verb: :PATCH
references: !ruby/object:Api::Resource::ReferenceLinks
guides:
'gcloud docs': 'https://cloud.google.com/beyondcorp-enterprise/docs/cross-org-authorization'
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.authorizedOrgsDescs'
description: |
An authorized organizations description describes a list of organizations
(1) that have been authorized to use certain asset (for example, device) data
owned by different organizations at the enforcement points, or (2) with certain
asset (for example, device) have been authorized to access the resources in
another organization at the enforcement points.
docs: !ruby/object:Provider::Terraform::Docs
warning: |
If you are using User ADCs (Application Default Credentials) with this resource,
you must specify a `billing_project` and set `user_project_override` to true
in the provider configuration. Otherwise the ACM API will return a 403 error.
Your account must have the `serviceusage.services.use` permission on the
`billing_project` you defined.
autogen_async: true
id_format: "{{name}}"
import_format: ["{{name}}"]
examples:
- !ruby/object:Provider::Terraform::Examples
name: "access_context_manager_authorized_orgs_desc_basic"
primary_resource_id: "authorized-orgs-desc"
skip_test: true
# Skipping the sweeper due to the non-standard base_url
skip_sweeper: true
custom_code: !ruby/object:Provider::Terraform::CustomCode
encoder: templates/terraform/encoders/access_level_never_send_parent.go.erb
pre_update: templates/terraform/update_mask.erb
post_create: templates/terraform/post_create/sleep_2_min.go.erb
custom_import: templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.erb
parameters:
- !ruby/object:Api::Type::String
name: parent
input: true
required: true
description: |
Required. Resource name for the access policy which owns this `AuthorizedOrgsDesc`.
ignore_read: true
- !ruby/object:Api::Type::String
name: name
input: true
required: true
description: |
Resource name for the `AuthorizedOrgsDesc`. Format:
`accessPolicies/{access_policy}/authorizedOrgsDescs/{authorized_orgs_desc}`.
The `authorized_orgs_desc` component must begin with a letter, followed by
alphanumeric characters or `_`.
After you create an `AuthorizedOrgsDesc`, you cannot change its `name`.
- !ruby/object:Api::Type::Array
name: orgs
description: |
The list of organization ids in this AuthorizedOrgsDesc.
Format: `organizations/<org_number>`
Example: `organizations/123456`
item_type: Api::Type::String
- !ruby/object:Api::Type::Enum
name: assetType
input: true
description: |
The type of entities that need to use the authorization relationship during
evaluation, such as a device. Valid values are "ASSET_TYPE_DEVICE" and
"ASSET_TYPE_CREDENTIAL_STRENGTH".
values:
- :ASSET_TYPE_DEVICE
- :ASSET_TYPE_CREDENTIAL_STRENGTH
- !ruby/object:Api::Type::Enum
name: authorizationDirection
input: true
description: |
The direction of the authorization relationship between this organization
and the organizations listed in the "orgs" field. The valid values for this
field include the following:
AUTHORIZATION_DIRECTION_FROM: Allows this organization to evaluate traffic
in the organizations listed in the `orgs` field.
AUTHORIZATION_DIRECTION_TO: Allows the organizations listed in the `orgs`
field to evaluate the traffic in this organization.
For the authorization relationship to take effect, all of the organizations
must authorize and specify the appropriate relationship direction. For
example, if organization A authorized organization B and C to evaluate its
traffic, by specifying "AUTHORIZATION_DIRECTION_TO" as the authorization
direction, organizations B and C must specify
"AUTHORIZATION_DIRECTION_FROM" as the authorization direction in their
"AuthorizedOrgsDesc" resource.
values:
- :AUTHORIZATION_DIRECTION_TO
- :AUTHORIZATION_DIRECTION_FROM
- !ruby/object:Api::Type::Enum
name: authorizationType
input: true
description: |
A granular control type for authorization levels. Valid value is "AUTHORIZATION_TYPE_TRUST".
values:
- :AUTHORIZATION_TYPE_TRUST
properties:
- !ruby/object:Api::Type::Time
name: 'createTime'
description: |
Time the AuthorizedOrgsDesc was created in UTC.
output: true
- !ruby/object:Api::Type::Time
name: 'updateTime'
description: |
Time the AuthorizedOrgsDesc was updated in UTC.
output: true
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
resource "google_access_context_manager_authorized_orgs_desc" "<%= ctx[:primary_resource_id] %>" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName"
authorization_type = "AUTHORIZATION_TYPE_TRUST"
asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH"
authorization_direction = "AUTHORIZATION_DIRECTION_TO"
orgs = ["organizations/12345", "organizations/98765"]
}

resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
title = "my policy"
}
4 changes: 4 additions & 0 deletions mmv1/templates/terraform/post_create/sleep_2_min.go.erb
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
// This is useful if the resource in question doesn't have a perfectly consistent API
// That is, the Operation for Create might return before the Get operation shows the
// completed state of the resource.
time.Sleep(2 * time.Minute)
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ func TestAccAccessContextManager(t *testing.T) {
"access_level_condition": testAccAccessContextManagerAccessLevelCondition_basicTest,
"service_perimeters": testAccAccessContextManagerServicePerimeters_basicTest,
"gcp_user_access_binding": testAccAccessContextManagerGcpUserAccessBinding_basicTest,
"authorized_orgs_desc": testAccAccessContextManagerAuthorizedOrgsDesc_basicTest,
}

for name, tc := range testCases {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
package google

import (
"fmt"
"strings"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
)

func testAccAccessContextManagerAuthorizedOrgsDesc_basicTest(t *testing.T) {
context := map[string]interface{}{
"org_id": GetTestOrgFromEnv(t),
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: TestAccProviders,
CheckDestroy: testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context),
},
{
ResourceName: "google_access_context_manager_authorized_orgs_desc.authorized-orgs-desc",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"parent"},
},
},
})
}

func testAccAccessContextManagerAuthorizedOrgsDesc_accessContextManagerAuthorizedOrgsDescBasicExample(context map[string]interface{}) string {
return Nprintf(`
resource "google_access_context_manager_authorized_orgs_desc" "authorized-orgs-desc" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/authorizedOrgsDescs/fakeDescName"
authorization_type = "AUTHORIZATION_TYPE_TRUST"
asset_type = "ASSET_TYPE_CREDENTIAL_STRENGTH"
authorization_direction = "AUTHORIZATION_DIRECTION_TO"
orgs = ["organizations/12345", "organizations/98765"]
}
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%{org_id}"
title = "my policy"
}
`, context)
}

func testAccCheckAccessContextManagerAuthorizedOrgsDescDestroyProducer(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
for name, rs := range s.RootModule().Resources {
if rs.Type != "google_access_context_manager_authorized_orgs_desc" {
continue
}
if strings.HasPrefix(name, "data.") {
continue
}

config := GoogleProviderConfig(t)

url, err := replaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{name}}")
if err != nil {
return err
}

billingProject := ""

if config.BillingProject != "" {
billingProject = config.BillingProject
}

_, err = SendRequest(config, "GET", billingProject, url, config.UserAgent, nil)
if err == nil {
return fmt.Errorf("AccessContextManagerAuthorizedOrgsDesc still exists at %s", url)
}
}

return nil
}
}

0 comments on commit ba32999

Please sign in to comment.