From 59c6c2972d55b9a54204851c17cdf0f7a90f2779 Mon Sep 17 00:00:00 2001 
From: Cameron Thornton Date: Mon, 22 Jul 2024 11:57:49 -0500 Subject: [PATCH] go rewrite - firestore, gkebackup, gkehub, gkehub2, iam2, iambeta, iamworkforcepool, iap (#11221) --- mmv1/api/resource.go | 8 +- mmv1/products/cloudrun/DomainMapping.yaml | 4 +- mmv1/products/cloudrun/Service.yaml | 8 +- mmv1/products/cloudrun/go_DomainMapping.yaml | 4 +- mmv1/products/cloudrun/go_Service.yaml | 15 +- mmv1/products/cloudrunv2/go_Service.yaml | 1 + mmv1/products/compute/go_Autoscaler.yaml | 1 + mmv1/products/compute/go_BackendService.yaml | 33 +- mmv1/products/compute/go_NodeGroup.yaml | 1 + .../compute/go_PerInstanceConfig.yaml | 2 + .../compute/go_PublicAdvertisedPrefix.yaml | 5 + .../products/compute/go_RegionAutoscaler.yaml | 1 + .../compute/go_RegionPerInstanceConfig.yaml | 2 + mmv1/products/compute/go_Reservation.yaml | 1 + .../dialogflowcx/go_SecuritySettings.yaml | 1 + .../products/firestore/go_BackupSchedule.yaml | 123 ++++ mmv1/products/firestore/go_Database.yaml | 302 +++++++++ mmv1/products/firestore/go_Document.yaml | 114 ++++ mmv1/products/firestore/go_Field.yaml | 187 ++++++ mmv1/products/firestore/go_Index.yaml | 174 +++++ mmv1/products/firestore/go_product.yaml | 24 + mmv1/products/gkebackup/go_BackupPlan.yaml | 476 +++++++++++++ mmv1/products/gkebackup/go_RestorePlan.yaml | 632 ++++++++++++++++++ mmv1/products/gkebackup/go_product.yaml | 36 + mmv1/products/gkehub/go_Membership.yaml | 176 +++++ mmv1/products/gkehub/go_product.yaml | 25 + mmv1/products/gkehub2/go_Feature.yaml | 537 +++++++++++++++ mmv1/products/gkehub2/go_Fleet.yaml | 144 ++++ .../gkehub2/go_MembershipBinding.yaml | 148 ++++ .../gkehub2/go_MembershipRBACRoleBinding.yaml | 172 +++++ mmv1/products/gkehub2/go_Namespace.yaml | 141 ++++ mmv1/products/gkehub2/go_Scope.yaml | 132 ++++ .../gkehub2/go_ScopeRBACRoleBinding.yaml | 156 +++++ mmv1/products/gkehub2/go_product.yaml | 25 + .../iam2/go_AccessBoundaryPolicy.yaml | 137 ++++ mmv1/products/iam2/go_DenyPolicy.yaml | 155 +++++ 
mmv1/products/iam2/go_product.yaml | 37 + .../iambeta/go_WorkloadIdentityPool.yaml | 110 +++ .../go_WorkloadIdentityPoolProvider.yaml | 316 +++++++++ mmv1/products/iambeta/go_product.yaml | 37 + .../iamworkforcepool/go_WorkforcePool.yaml | 166 +++++ .../go_WorkforcePoolProvider.yaml | 457 +++++++++++++ .../products/iamworkforcepool/go_product.yaml | 37 + mmv1/products/iap/go_AppEngineService.yaml | 58 ++ mmv1/products/iap/go_AppEngineVersion.yaml | 58 ++ mmv1/products/iap/go_Brand.yaml | 93 +++ mmv1/products/iap/go_Client.yaml | 81 +++ mmv1/products/iap/go_Tunnel.yaml | 51 ++ mmv1/products/iap/go_TunnelDestGroup.yaml | 85 +++ mmv1/products/iap/go_TunnelInstance.yaml | 51 ++ mmv1/products/iap/go_Web.yaml | 51 ++ mmv1/products/iap/go_WebBackendService.yaml | 52 ++ .../iap/go_WebRegionBackendService.yaml | 52 ++ mmv1/products/iap/go_WebTypeAppEngine.yaml | 55 ++ mmv1/products/iap/go_WebTypeCompute.yaml | 52 ++ mmv1/products/iap/go_product.yaml | 22 + mmv1/template-converter.go | 1 + .../go/gke_hub_membership_diff.go.tmpl | 9 + .../base_configs/iam_test_file.go.tmpl | 28 +- ...re_source_manager_instance_private.tf.tmpl | 6 +- ...nager_instance_private_psc_backend.tf.tmpl | 178 +++++ ...ager_instance_private_psc_endpoint.tf.tmpl | 145 ++++ .../go/app_engine_service.tf.tmpl | 1 + .../go/app_engine_version.tf.tmpl | 1 + .../terraform/iam/go/iam_attributes.go.tmpl | 2 +- mmv1/templates/terraform/iam_policy.go.tmpl | 2 +- mmv1/templates/terraform/yaml_conversion.erb | 3 + ...ource_compute_backend_service_test.go.tmpl | 205 ++++++ 68 files changed, 6562 insertions(+), 43 deletions(-) create mode 100644 mmv1/products/firestore/go_BackupSchedule.yaml create mode 100644 mmv1/products/firestore/go_Database.yaml create mode 100644 mmv1/products/firestore/go_Document.yaml create mode 100644 mmv1/products/firestore/go_Field.yaml create mode 100644 mmv1/products/firestore/go_Index.yaml create mode 100644 mmv1/products/firestore/go_product.yaml create mode 100644 
mmv1/products/gkebackup/go_BackupPlan.yaml create mode 100644 mmv1/products/gkebackup/go_RestorePlan.yaml create mode 100644 mmv1/products/gkebackup/go_product.yaml create mode 100644 mmv1/products/gkehub/go_Membership.yaml create mode 100644 mmv1/products/gkehub/go_product.yaml create mode 100644 mmv1/products/gkehub2/go_Feature.yaml create mode 100644 mmv1/products/gkehub2/go_Fleet.yaml create mode 100644 mmv1/products/gkehub2/go_MembershipBinding.yaml create mode 100644 mmv1/products/gkehub2/go_MembershipRBACRoleBinding.yaml create mode 100644 mmv1/products/gkehub2/go_Namespace.yaml create mode 100644 mmv1/products/gkehub2/go_Scope.yaml create mode 100644 mmv1/products/gkehub2/go_ScopeRBACRoleBinding.yaml create mode 100644 mmv1/products/gkehub2/go_product.yaml create mode 100644 mmv1/products/iam2/go_AccessBoundaryPolicy.yaml create mode 100644 mmv1/products/iam2/go_DenyPolicy.yaml create mode 100644 mmv1/products/iam2/go_product.yaml create mode 100644 mmv1/products/iambeta/go_WorkloadIdentityPool.yaml create mode 100644 mmv1/products/iambeta/go_WorkloadIdentityPoolProvider.yaml create mode 100644 mmv1/products/iambeta/go_product.yaml create mode 100644 mmv1/products/iamworkforcepool/go_WorkforcePool.yaml create mode 100644 mmv1/products/iamworkforcepool/go_WorkforcePoolProvider.yaml create mode 100644 mmv1/products/iamworkforcepool/go_product.yaml create mode 100644 mmv1/products/iap/go_AppEngineService.yaml create mode 100644 mmv1/products/iap/go_AppEngineVersion.yaml create mode 100644 mmv1/products/iap/go_Brand.yaml create mode 100644 mmv1/products/iap/go_Client.yaml create mode 100644 mmv1/products/iap/go_Tunnel.yaml create mode 100644 mmv1/products/iap/go_TunnelDestGroup.yaml create mode 100644 mmv1/products/iap/go_TunnelInstance.yaml create mode 100644 mmv1/products/iap/go_Web.yaml create mode 100644 mmv1/products/iap/go_WebBackendService.yaml create mode 100644 mmv1/products/iap/go_WebRegionBackendService.yaml create mode 100644 
mmv1/products/iap/go_WebTypeAppEngine.yaml
create mode 100644 mmv1/products/iap/go_WebTypeCompute.yaml
create mode 100644 mmv1/products/iap/go_product.yaml
create mode 100644 mmv1/templates/terraform/constants/go/gke_hub_membership_diff.go.tmpl
create mode 100644 mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_backend.tf.tmpl
create mode 100644 mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_endpoint.tf.tmpl
diff --git a/mmv1/api/resource.go b/mmv1/api/resource.go
index b6b69bfdda21..d87abb65f9dc 100644
--- a/mmv1/api/resource.go
+++ b/mmv1/api/resource.go
@@ -1327,9 +1327,11 @@ func (r Resource) IamImportQualifiersForTest() string {
 if param == "project" {
 if i != len(params)-1 {
 // If the last parameter is project then we want to create a new project to use for the test, so don't default from the environment
- importQualifiers = append(importQualifiers, "envvar.GetTestProjectFromEnv()")
- } else {
- importQualifiers = append(importQualifiers, `context["project_id"]`)
+ if r.IamPolicy.TestProjectName == "" {
+ importQualifiers = append(importQualifiers, "envvar.GetTestProjectFromEnv()")
+ } else {
+ importQualifiers = append(importQualifiers, `context["project_id"]`)
+ }
 }
 } else if param == "zone" && r.IamPolicy.SubstituteZoneValue {
 importQualifiers = append(importQualifiers, "envvar.GetTestZoneFromEnv()")
diff --git a/mmv1/products/cloudrun/DomainMapping.yaml b/mmv1/products/cloudrun/DomainMapping.yaml
index 82aa8c386dd3..64f6a575726b 100644
--- a/mmv1/products/cloudrun/DomainMapping.yaml
+++ b/mmv1/products/cloudrun/DomainMapping.yaml
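Review bot: With the outer `else` removed, the case where `project` is the last parameter (`i == len(params)-1`) now appends nothing to importQualifiers, whereas the old code appended `context["project_id"]` there; unless another part of this change (the IAM test template edits are outside this hunk) supplies that qualifier, the generated import id loses its project segment. The comment kept above the new inner `if` still explains the old last-parameter split rather than the `TestProjectName` check, so it should be reworded, e.g. `// Default the project from the environment unless the IAM test declares its own test project`. IamImportQualifiersForTest starts and ends outside the hunk.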
@@ -210,8 +210,8 @@ properties: name: 'annotations' description: |- Annotations is a key value map stored with a resource that - may be set by external tools to store and retrieve arbitrary metadata. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + may be set by external tools to store and retrieve arbitrary metadata. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations **Note**: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config diff --git a/mmv1/products/cloudrun/Service.yaml b/mmv1/products/cloudrun/Service.yaml index 5e8b071110c8..993c12f4c2c0 100644 --- a/mmv1/products/cloudrun/Service.yaml +++ b/mmv1/products/cloudrun/Service.yaml @@ -284,8 +284,8 @@ properties: name: 'annotations' description: |- Annotations is a key value map stored with a resource that - may be set by external tools to store and retrieve arbitrary metadata. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + may be set by external tools to store and retrieve arbitrary metadata. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations **Note**: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config 
@@ -1060,8 +1060,8 @@ properties: name: 'annotations' description: |- Annotations is a key value map stored with a resource that - may be set by external tools to store and retrieve arbitrary metadata. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + may be set by external tools to store and retrieve arbitrary metadata. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations **Note**: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config diff --git a/mmv1/products/cloudrun/go_DomainMapping.yaml b/mmv1/products/cloudrun/go_DomainMapping.yaml index 452207d50f6c..29402e0fe87f 100644 --- a/mmv1/products/cloudrun/go_DomainMapping.yaml +++ b/mmv1/products/cloudrun/go_DomainMapping.yaml @@ -222,8 +222,8 @@ properties: type: KeyValueAnnotations description: |- Annotations is a key value map stored with a resource that - may be set by external tools to store and retrieve arbitrary metadata. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + may be set by external tools to store and retrieve arbitrary metadata. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations **Note**: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config diff --git a/mmv1/products/cloudrun/go_Service.yaml b/mmv1/products/cloudrun/go_Service.yaml index 71993d09e517..4f36bbd0580d 100644 --- a/mmv1/products/cloudrun/go_Service.yaml +++ b/mmv1/products/cloudrun/go_Service.yaml 
@@ -271,8 +271,8 @@ properties: type: KeyValuePairs description: |- Annotations is a key value map stored with a resource that - may be set by external tools to store and retrieve arbitrary metadata. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + may be set by external tools to store and retrieve arbitrary metadata. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations **Note**: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config @@ -741,11 +741,8 @@ properties: type: Integer description: |- ContainerConcurrency specifies the maximum allowed in-flight (concurrent) - requests per container of the Revision. Values are: - - `0` thread-safe, the system should manage the max concurrency. This is - the default value. - - `1` not-thread-safe. Single concurrency - - `2-N` thread-safe, max concurrency of N + requests per container of the Revision. If not specified or 0, defaults to 80 when + requested CPU >= 1 and defaults to 1 when requested CPU < 1. default_from_api: true - name: 'timeoutSeconds' type: Integer @@ -1058,8 +1055,8 @@ properties: type: KeyValueAnnotations description: |- Annotations is a key value map stored with a resource that - may be set by external tools to store and retrieve arbitrary metadata. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + may be set by external tools to store and retrieve arbitrary metadata. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations **Note**: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config 
diff --git a/mmv1/products/cloudrunv2/go_Service.yaml b/mmv1/products/cloudrunv2/go_Service.yaml index e93c0ae54380..84222388d0b0 100644 --- a/mmv1/products/cloudrunv2/go_Service.yaml +++ b/mmv1/products/cloudrunv2/go_Service.yaml @@ -818,6 +818,7 @@ properties: type: Integer description: |- Sets the maximum number of requests that each serving instance can receive. + If not specified or 0, defaults to 80 when requested CPU >= 1 and defaults to 1 when requested CPU < 1. default_from_api: true - name: 'sessionAffinity' type: Boolean diff --git a/mmv1/products/compute/go_Autoscaler.yaml b/mmv1/products/compute/go_Autoscaler.yaml index 58e7e9cf016d..58af3f1aae8b 100644 --- a/mmv1/products/compute/go_Autoscaler.yaml +++ b/mmv1/products/compute/go_Autoscaler.yaml @@ -383,6 +383,7 @@ properties: key_description: | A name for the schedule. value_type: + name: scalingSchedule type: NestedObject properties: - name: 'minRequiredReplicas' diff --git a/mmv1/products/compute/go_BackendService.yaml b/mmv1/products/compute/go_BackendService.yaml index 9c3b8fd42b92..0ff6dc96a582 100644 --- a/mmv1/products/compute/go_BackendService.yaml +++ b/mmv1/products/compute/go_BackendService.yaml @@ -1250,9 +1250,8 @@ properties: ClientTlsPolicy is a resource that specifies how a client should authenticate connections to backends of a service. This resource itself does not affect configuration unless it is attached to a backend service resource. - required: true - custom_expand: 'templates/terraform/custom_expand/go/resourceref_with_validation.go.tmpl' - resource: 'Region' + diff_suppress_func: 'tpgresource.ProjectNumberDiffSuppress' + resource: 'ClientTlsPolicy' imports: 'name' - name: 'subjectAltNames' type: Array 
@@ -1260,9 +1259,35 @@ properties: A list of alternate names to verify the subject identity in the certificate. If specified, the client will verify that the server certificate's subject alt name matches one of the specified values. - required: true item_type: type: String + - name: 'awsV4Authentication' + type: NestedObject + description: | + The configuration needed to generate a signature for access to private storage buckets that support AWS's Signature Version 4 for authentication. + Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. + properties: + - name: 'accessKeyId' + type: String + description: | + The identifier of an access key used for s3 bucket authentication. + - name: 'accessKey' + type: String + description: | + The access key used for s3 bucket authentication. + Required for updating or creating a backend that uses AWS v4 signature authentication, but will not be returned as part of the configuration when queried with a REST API GET request. + ignore_read: true + sensitive: true + send_empty_value: true + - name: 'accessKeyVersion' + type: String + description: | + The optional version identifier for the access key. You can use this to keep track of different iterations of your access key. + - name: 'originRegion' + type: String + description: | + The name of the cloud region of your origin. This is a free-form field with the name of the region your cloud uses to host your origin. + For example, "us-east-1" for AWS or "us-ashburn-1" for OCI. - name: 'sessionAffinity' type: Enum description: | diff --git a/mmv1/products/compute/go_NodeGroup.yaml b/mmv1/products/compute/go_NodeGroup.yaml index a09bb63d9657..16df58318d41 100644 --- a/mmv1/products/compute/go_NodeGroup.yaml +++ b/mmv1/products/compute/go_NodeGroup.yaml @@ -194,6 +194,7 @@ properties: key_description: | The project ID. value_type: + name: projectConfig type: NestedObject properties: - name: 'projectId' 
diff --git a/mmv1/products/compute/go_PerInstanceConfig.yaml b/mmv1/products/compute/go_PerInstanceConfig.yaml index 03858858a4e9..e1f0003e0d3b 100644 --- a/mmv1/products/compute/go_PerInstanceConfig.yaml +++ b/mmv1/products/compute/go_PerInstanceConfig.yaml @@ -190,6 +190,7 @@ properties: api_name: internalIPs key_name: 'interface_name' value_type: + name: internalIp type: NestedObject properties: - name: 'autoDelete' @@ -219,6 +220,7 @@ properties: api_name: externalIPs key_name: 'interface_name' value_type: + name: externalIp type: NestedObject properties: - name: 'autoDelete' diff --git a/mmv1/products/compute/go_PublicAdvertisedPrefix.yaml b/mmv1/products/compute/go_PublicAdvertisedPrefix.yaml index 7d4440834824..42558bd8a439 100644 --- a/mmv1/products/compute/go_PublicAdvertisedPrefix.yaml +++ b/mmv1/products/compute/go_PublicAdvertisedPrefix.yaml @@ -76,3 +76,8 @@ properties: The IPv4 address range, in CIDR format, represented by this public advertised prefix. required: true + - name: 'sharedSecret' + type: String + description: | + Output Only. The shared secret to be used for reverse DNS verification. + output: true diff --git a/mmv1/products/compute/go_RegionAutoscaler.yaml b/mmv1/products/compute/go_RegionAutoscaler.yaml index b91645cf641a..494945ff6369 100644 --- a/mmv1/products/compute/go_RegionAutoscaler.yaml +++ b/mmv1/products/compute/go_RegionAutoscaler.yaml @@ -365,6 +365,7 @@ properties: key_description: | A name for the schedule. value_type: + name: scalingSchedule type: NestedObject properties: - name: 'minRequiredReplicas' diff --git a/mmv1/products/compute/go_RegionPerInstanceConfig.yaml b/mmv1/products/compute/go_RegionPerInstanceConfig.yaml index 06eb6b903b0d..673546790970 100644 --- a/mmv1/products/compute/go_RegionPerInstanceConfig.yaml +++ b/mmv1/products/compute/go_RegionPerInstanceConfig.yaml 
@@ -191,6 +191,7 @@ properties: api_name: internalIPs key_name: 'interface_name' value_type: + name: internalIp type: NestedObject properties: - name: 'autoDelete' @@ -220,6 +221,7 @@ properties: api_name: externalIPs key_name: 'interface_name' value_type: + name: externalIp type: NestedObject properties: - name: 'autoDelete' diff --git a/mmv1/products/compute/go_Reservation.yaml b/mmv1/products/compute/go_Reservation.yaml index 48a4f45d81da..b24fab3c88b6 100644 --- a/mmv1/products/compute/go_Reservation.yaml +++ b/mmv1/products/compute/go_Reservation.yaml @@ -146,6 +146,7 @@ properties: key_description: | The project id/number which is deleting or adding to the project list. value_type: + name: projectConfig type: NestedObject properties: - name: 'projectId' diff --git a/mmv1/products/dialogflowcx/go_SecuritySettings.yaml b/mmv1/products/dialogflowcx/go_SecuritySettings.yaml index de4efc950040..83c3adc6497d 100644 --- a/mmv1/products/dialogflowcx/go_SecuritySettings.yaml +++ b/mmv1/products/dialogflowcx/go_SecuritySettings.yaml @@ -33,6 +33,7 @@ timeouts: update_minutes: 40 delete_minutes: 20 custom_code: + post_create: 'templates/terraform/post_create/go/sleep.go.tmpl' examples: - name: 'dialogflowcx_security_settings_basic' primary_resource_id: 'basic_security_settings' diff --git a/mmv1/products/firestore/go_BackupSchedule.yaml b/mmv1/products/firestore/go_BackupSchedule.yaml new file mode 100644 index 000000000000..e94decfec4cc --- /dev/null +++ b/mmv1/products/firestore/go_BackupSchedule.yaml 
@@ -0,0 +1,123 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'BackupSchedule'
+description: |
+ A backup schedule for a Cloud Firestore Database.
+ This resource is owned by the database it is backing up, and is deleted along with the database.
+ The actual backups are not though.
+references:
+ guides:
+ 'Official Documentation': 'https://cloud.google.com/firestore/docs/backups'
+ api: 'https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.backupSchedules'
+docs:
+ warning: |
+ This resource creates a Firestore Backup Schedule on a project that already has
+ a Firestore database.
+ This resource is owned by the database it is backing up, and is deleted along
+ with the database. The actual backups are not though.
+id_format: 'projects/{{project}}/databases/{{database}}/backupSchedules/{{name}}'
+base_url: 'projects/{{project}}/databases/{{database}}/backupSchedules'
+self_link: 'projects/{{project}}/databases/{{database}}/backupSchedules/{{name}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+ - 'projects/{{project}}/databases/{{database}}/backupSchedules/{{name}}'
+ - '{{project}}/{{database}}/{{name}}'
+ - '{{database}}/{{name}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+custom_code:
+skip_sweeper: true
+examples:
+ - name: 'firestore_backup_schedule_daily'
+ primary_resource_id: 'daily-backup'
+ vars:
+ database_id: 'database-id'
+ delete_protection_state: 'DELETE_PROTECTION_ENABLED'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ test_vars_overrides:
+ 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"'
+ - name: 'firestore_backup_schedule_weekly'
+ primary_resource_id: 'weekly-backup'
+ vars:
+ database_id: 'database-id'
+ delete_protection_state: 'DELETE_PROTECTION_ENABLED'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ test_vars_overrides:
+ 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"'
+parameters:
+ - name: 'database'
+ type: String
+ description: |
+ The Firestore database id. Defaults to `"(default)"`.
+ url_param_only: true
+ immutable: true
+ default_value: "(default)"
+properties:
+ - name: 'name'
+ type: String
+ description: |
+ The unique backup schedule identifier across all locations and databases for the given project. Format:
+ `projects/{{project}}/databases/{{database}}/backupSchedules/{{backupSchedule}}`
+ immutable: true
+ output: true
+ custom_flatten: 'templates/terraform/custom_flatten/go/name_from_self_link.tmpl'
+ - name: 'retention'
+ type: String
+ description: |
+ At what relative time in the future, compared to its creation time, the backup should be deleted, e.g. keep backups for 7 days.
+ A duration in seconds with up to nine fractional digits, ending with 's'.
Example: "3.5s".
+
+ You can set this to a value up to 14 weeks.
+ required: true
+ - name: 'dailyRecurrence'
+ type: NestedObject
+ description: |
+ For a schedule that runs daily.
+ immutable: true
+ send_empty_value: true
+ allow_empty_object: true
+ exactly_one_of:
+ - 'daily_recurrence'
+ - 'weekly_recurrence'
+ properties:
+ []
+ - name: 'weeklyRecurrence'
+ type: NestedObject
+ description: |
+ For a schedule that runs weekly on a specific day.
+ immutable: true
+ exactly_one_of:
+ - 'weekly_recurrence'
+ - 'daily_recurrence'
+ properties:
+ - name: 'day'
+ type: Enum
+ description: |
+ The day of week to run.
+ enum_values:
+ - 'DAY_OF_WEEK_UNSPECIFIED'
+ - 'MONDAY'
+ - 'TUESDAY'
+ - 'WEDNESDAY'
+ - 'THURSDAY'
+ - 'FRIDAY'
+ - 'SATURDAY'
+ - 'SUNDAY'
diff --git a/mmv1/products/firestore/go_Database.yaml b/mmv1/products/firestore/go_Database.yaml
new file mode 100644
index 000000000000..e124a9bf997e
--- /dev/null
+++ b/mmv1/products/firestore/go_Database.yaml
@@ -0,0 +1,302 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'Database'
+description: |
+ A Cloud Firestore Database.
+
+ If you wish to use Firestore with App Engine, use the
+ [`google_app_engine_application`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_application)
+ resource instead. If you were previously using the `google_app_engine_application` resource exclusively for managing a Firestore database
+ and would like to use the `google_firestore_database` resource instead, please follow the instructions
+ [here](https://cloud.google.com/firestore/docs/app-engine-requirement).
+references:
+ guides:
+ 'Official Documentation': 'https://cloud.google.com/firestore/docs/'
+ api: 'https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases'
+docs:
+id_format: 'projects/{{project}}/databases/{{name}}'
+base_url: 'projects/{{project}}/databases'
+create_url: 'projects/{{project}}/databases?databaseId={{name}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+ - 'projects/{{project}}/databases/{{name}}'
+ - '{{project}}/{{name}}'
+ - '{{name}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+autogen_async: true
+async:
+ actions: ['create', 'update']
+ type: 'OpAsync'
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'response'
+ resource_inside_response: true
+ error:
+ path: 'error'
+ message: 'message'
+custom_code:
+ pre_delete: 'templates/terraform/pre_delete/go/firestore_database.go.tmpl'
+examples:
+ - name: 'firestore_default_database'
+ primary_resource_id: 'database'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ ignore_read_extra:
+ - 'project'
+ - 'etag'
+ - 'deletion_policy'
+ skip_test: true
+ - name: 'firestore_database'
+ primary_resource_id: 'database'
+ vars:
+ database_id: 'database-id'
+ delete_protection_state: 'DELETE_PROTECTION_ENABLED'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ test_vars_overrides:
+ 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"'
+ ignore_read_extra:
+ - 'project'
+ - 'etag'
+ - 'deletion_policy'
+ - name: 'firestore_cmek_database'
+ primary_resource_id: 'database'
+ min_version: 'beta'
+ vars:
+ database_id: 'cmek-database-id'
+ delete_protection_state: 'DELETE_PROTECTION_ENABLED'
+ kms_key_ring_name: 'kms-key-ring'
+ kms_key_name: 'kms-key'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ test_vars_overrides:
+ 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"'
+ ignore_read_extra:
+ - 'project'
+ - 'etag'
+ - 'deletion_policy'
+ - name: 'firestore_default_database_in_datastore_mode'
+
primary_resource_id: 'datastore_mode_database'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ ignore_read_extra:
+ - 'project'
+ - 'etag'
+ - 'deletion_policy'
+ skip_test: true
+ - name: 'firestore_database_in_datastore_mode'
+ primary_resource_id: 'datastore_mode_database'
+ vars:
+ database_id: 'database-id'
+ delete_protection_state: 'DELETE_PROTECTION_ENABLED'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ test_vars_overrides:
+ 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"'
+ ignore_read_extra:
+ - 'project'
+ - 'etag'
+ - 'deletion_policy'
+ - name: 'firestore_cmek_database_in_datastore_mode'
+ primary_resource_id: 'database'
+ min_version: 'beta'
+ vars:
+ database_id: 'cmek-database-id'
+ delete_protection_state: 'DELETE_PROTECTION_ENABLED'
+ kms_key_ring_name: 'kms-key-ring'
+ kms_key_name: 'kms-key'
+ test_env_vars:
+ project_id: 'PROJECT_NAME'
+ test_vars_overrides:
+ 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"'
+ ignore_read_extra:
+ - 'project'
+ - 'etag'
+ - 'deletion_policy'
+virtual_fields:
+ - name: 'deletion_policy'
+ description: |
+ Deletion behavior for this database.
+ If the deletion policy is `ABANDON`, the database will be removed from Terraform state but not deleted from Google Cloud upon destruction.
+ If the deletion policy is `DELETE`, the database will both be removed from Terraform state and deleted from Google Cloud upon destruction.
+ The default value is `ABANDON`.
+ See also `delete_protection`.
+ type: Enum
+ default_value: "ABANDON"
+parameters:
+properties:
+ - name: 'name'
+ type: String
+ description: |
+ The ID to use for the database, which will become the final
+ component of the database's resource name. This value should be 4-63
+ characters. Valid characters are /[a-z][0-9]-/ with first character
+ a letter and the last a letter or a number. Must not be
+ UUID-like /[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/.
+ "(default)" database id is also valid.
+ required: true
+ immutable: true
+ custom_flatten: 'templates/terraform/custom_flatten/go/name_from_self_link.tmpl'
+ custom_expand: 'templates/terraform/custom_expand/go/shortname_to_url.go.tmpl'
+ - name: 'locationId'
+ type: String
+ description: |
+ The location of the database. Available locations are listed at
+ https://cloud.google.com/firestore/docs/locations.
+ required: true
+ immutable: true
+ - name: 'type'
+ type: Enum
+ description: |
+ The type of the database.
+ See https://cloud.google.com/datastore/docs/firestore-or-datastore
+ for information about how to choose.
+ required: true
+ enum_values:
+ - 'FIRESTORE_NATIVE'
+ - 'DATASTORE_MODE'
+ - name: 'concurrencyMode'
+ type: Enum
+ description: |
+ The concurrency control mode to use for this database.
+ default_from_api: true
+ enum_values:
+ - 'OPTIMISTIC'
+ - 'PESSIMISTIC'
+ - 'OPTIMISTIC_WITH_ENTITY_GROUPS'
+ - name: 'appEngineIntegrationMode'
+ type: Enum
+ description: |
+ The App Engine integration mode to use for this database.
+ default_from_api: true
+ enum_values:
+ - 'ENABLED'
+ - 'DISABLED'
+ - name: 'pointInTimeRecoveryEnablement'
+ type: Enum
+ description: |
+ Whether to enable the PITR feature on this database.
+ If `POINT_IN_TIME_RECOVERY_ENABLED` is selected, reads are supported on selected versions of the data from within the past 7 days.
+ versionRetentionPeriod and earliestVersionTime can be used to determine the supported versions. These include reads against any timestamp within the past hour
+ and reads against 1-minute snapshots beyond 1 hour and within 7 days.
+ If `POINT_IN_TIME_RECOVERY_DISABLED` is selected, reads are supported on any version of the data from within the past 1 hour.
+ default_value: "POINT_IN_TIME_RECOVERY_DISABLED"
+ enum_values:
+ - 'POINT_IN_TIME_RECOVERY_ENABLED'
+ - 'POINT_IN_TIME_RECOVERY_DISABLED'
+ - name: 'key_prefix'
+ type: String
+ description: |
+ Output only. The keyPrefix for this database.
+ This keyPrefix is used, in combination with the project id ("~") to construct the application id
+ that is returned from the Cloud Datastore APIs in Google App Engine first generation runtimes.
+ This value may be empty in which case the appid to use for URL-encoded keys is the project_id (eg: foo instead of v~foo).
+ output: true
+ - name: 'deleteProtectionState'
+ type: Enum
+ description: |
+ State of delete protection for the database.
+ When delete protection is enabled, this database cannot be deleted.
+ The default value is `DELETE_PROTECTION_STATE_UNSPECIFIED`, which is currently equivalent to `DELETE_PROTECTION_DISABLED`.
+ **Note:** Additionally, to delete this database using `terraform destroy`, `deletion_policy` must be set to `DELETE`.
+ default_from_api: true
+ enum_values:
+ - 'DELETE_PROTECTION_STATE_UNSPECIFIED'
+ - 'DELETE_PROTECTION_ENABLED'
+ - 'DELETE_PROTECTION_DISABLED'
+ - name: 'etag'
+ type: Fingerprint
+ description: |
+ Output only. This checksum is computed by the server based on the value of other fields,
+ and may be sent on update and delete requests to ensure the client has an
+ up-to-date value before proceeding.
+ output: true
+ - name: 'create_time'
+ type: String
+ description: |
+ Output only. The timestamp at which this database was created.
+ output: true
+ - name: 'update_time'
+ type: String
+ description: |
+ Output only. The timestamp at which this database was most recently updated.
+ output: true
+ - name: 'uid'
+ type: String
+ description: |
+ Output only. The system-generated UUID4 for this Database.
+ output: true
+ - name: 'versionRetentionPeriod'
+ type: String
+ description: |
+ Output only. The period during which past versions of data are retained in the database.
+ Any read or query can specify a readTime within this window, and will read the state of the database at that time.
+ If the PITR feature is enabled, the retention period is 7 days. Otherwise, the retention period is 1 hour.
+ A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s". + output: true + - name: 'earliestVersionTime' + type: String + description: | + Output only. The earliest timestamp at which older versions of the data can be read from the database. See versionRetentionPeriod above; this field is populated with now - versionRetentionPeriod. + This value is continuously updated, and becomes stale the moment it is queried. If you are using this value to recover data, make sure to account for the time from the moment when the value is queried to the moment when you initiate the recovery. + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + output: true + - name: 'cmekConfig' + type: NestedObject + description: | + The CMEK (Customer Managed Encryption Key) configuration for a Firestore + database. If not present, the database is secured by the default Google + encryption key. + min_version: 'beta' + immutable: true + properties: + - name: 'kmsKeyName' + type: String + description: | + The resource ID of a Cloud KMS key. If set, the database created will + be a Customer-managed Encryption Key (CMEK) database encrypted with + this key. This feature is allowlist only in initial launch. + + Only keys in the same location as this database are allowed to be used + for encryption. For Firestore's nam5 multi-region, this corresponds to Cloud KMS + multi-region us. For Firestore's eur3 multi-region, this corresponds to + Cloud KMS multi-region europe. See https://cloud.google.com/kms/docs/locations. + + This value should be the KMS key resource ID in the format of + `projects/{project_id}/locations/{kms_location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`. + How to retrive this resource ID is listed at + https://cloud.google.com/kms/docs/getting-resource-ids#getting_the_id_for_a_key_and_version. 
+ required: true + immutable: true + - name: 'activeKeyVersion' + type: Array + description: | + Currently in-use KMS key versions (https://cloud.google.com/kms/docs/resource-hierarchy#key_versions). + During key rotation (https://cloud.google.com/kms/docs/key-rotation), there can be + multiple in-use key versions. + + The expected format is + `projects/{project_id}/locations/{kms_location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{key_version}`. + output: true + item_type: + type: String diff --git a/mmv1/products/firestore/go_Document.yaml b/mmv1/products/firestore/go_Document.yaml new file mode 100644 index 000000000000..ab9348f8cd15 --- /dev/null +++ b/mmv1/products/firestore/go_Document.yaml 
@@ -0,0 +1,114 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Document' +description: | + In Cloud Firestore, the unit of storage is the document. A document is a lightweight record + that contains fields, which map to values. Each document is identified by a name. +references: + guides: + 'Official Documentation': 'https://cloud.google.com/firestore/docs/manage-data/add-data' + api: 'https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.documents' +docs: + warning: | + This resource creates a Firestore Document on a project that already has + a Firestore database. If you haven't already created it, you may + create a `google_firestore_database` resource with `type` set to + `"FIRESTORE_NATIVE"` and `location_id` set to your chosen location. + If you wish to use App Engine, you may instead create a + `google_app_engine_application` resource with `database_type` set to + `"CLOUD_FIRESTORE"`. Your Firestore location will be the same as + the App Engine location specified. 
+base_url: 'projects/{{project}}/databases/{{database}}/documents/{{collection}}' +self_link: '{{name}}' +create_url: 'projects/{{project}}/databases/{{database}}/documents/{{collection}}?documentId={{document_id}}' +update_verb: 'PATCH' +import_format: + - '{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +custom_code: + decoder: 'templates/terraform/decoders/go/firestore_document.go.tmpl' + custom_import: 'templates/terraform/custom_import/go/firestore_document.go.tmpl' +skip_sweeper: true +examples: + - name: 'firestore_document_basic' + primary_resource_id: 'mydoc' + vars: + document_id: 'my-doc-id' + project_id: 'project-id' + test_env_vars: + org_id: 'ORG_ID' + external_providers: ["random", "time"] + - name: 'firestore_document_nested_document' + primary_resource_id: 'mydoc' + vars: + document_id: 'my-doc-id' + project_id: 'project-id' + test_env_vars: + org_id: 'ORG_ID' + external_providers: ["random", "time"] +parameters: + - name: 'database' + type: String + description: | + The Firestore database id. Defaults to `"(default)"`. + url_param_only: true + default_value: "(default)" + - name: 'collection' + type: String + description: | + The collection ID, relative to database. For example: chatrooms or chatrooms/my-document/private-messages. + url_param_only: true + required: true + - name: 'documentId' + type: String + description: | + The client-assigned document ID to use for this document during creation. + url_param_only: true + required: true +properties: + - name: 'name' + type: String + description: | + A server defined name for this document. 
Format: + `projects/{{project_id}}/databases/{{database_id}}/documents/{{path}}/{{document_id}}` + output: true + - name: 'path' + type: String + description: | + A relative path to the collection this document exists within + # This is a string instead of a NestedObject because fields can be deeply nested + output: true + - name: 'fields' + type: String + description: | + The document's [fields](https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.documents) formated as a json string. + required: true + state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }' + custom_flatten: 'templates/terraform/custom_flatten/go/json_schema.tmpl' + custom_expand: 'templates/terraform/custom_expand/go/json_schema.tmpl' + validation: + function: 'validation.StringIsJSON' + - name: 'createTime' + type: Time + description: 'Creation timestamp in RFC3339 format.' + output: true + - name: 'updateTime' + type: Time + description: 'Last update timestamp in RFC3339 format.' + output: true diff --git a/mmv1/products/firestore/go_Field.yaml b/mmv1/products/firestore/go_Field.yaml new file mode 100644 index 000000000000..c88dc793135b --- /dev/null +++ b/mmv1/products/firestore/go_Field.yaml 
@@ -0,0 +1,187 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Field' +description: | + Represents a single field in the database. + Fields are grouped by their "Collection Group", which represent all collections + in the database with the same id. +references: + guides: + 'Official Documentation': 'https://cloud.google.com/firestore/docs/query-data/indexing' + api: 'https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.collectionGroups.fields' +docs: + warning: | + This resource creates a Firestore Single Field override on a project that + already has a Firestore database. If you haven't already created it, you may + create a `google_firestore_database` resource with `location_id` set to your + chosen location. 
+base_url: 'projects/{{project}}/databases/{{database}}/collectionGroups/{{collection}}/fields' +self_link: '{{name}}' +create_url: 'projects/{{project}}/databases/{{database}}/collectionGroups/{{collection}}/fields/{{field}}' +create_verb: 'PATCH' +update_verb: 'PATCH' +update_mask: true +immutable: false +import_format: + - '{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error' + message: 'message' +custom_code: + encoder: 'templates/terraform/encoders/go/firestore_field.go.tmpl' + custom_delete: 'templates/terraform/custom_delete/go/firestore_field_delete.go.tmpl' + custom_import: 'templates/terraform/custom_import/go/firestore_field.go.tmpl' + test_check_destroy: 'templates/terraform/custom_check_destroy/go/firestore_field.go.tmpl' +skip_sweeper: true +error_retry_predicates: + + - 'transport_tpg.FirestoreField409RetryUnderlyingDataChanged' +examples: + - name: 'firestore_field_basic' + primary_resource_id: 'basic' + vars: + database_id: 'database-id' + delete_protection_state: 'DELETE_PROTECTION_ENABLED' + test_env_vars: + project_id: 'PROJECT_NAME' + test_vars_overrides: + 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"' + - name: 'firestore_field_timestamp' + primary_resource_id: 'timestamp' + vars: + database_id: 'database-id' + delete_protection_state: 'DELETE_PROTECTION_ENABLED' + test_env_vars: + project_id: 'PROJECT_NAME' + test_vars_overrides: + 'delete_protection_state': '"DELETE_PROTECTION_DISABLED"' + - name: 'firestore_field_match_override' + primary_resource_id: 'match_override' + vars: + database_id: 'database-id' + delete_protection_state: 'DELETE_PROTECTION_ENABLED' + test_env_vars: + project_id: 'PROJECT_NAME' + test_vars_overrides: + 'delete_protection_state': 
'"DELETE_PROTECTION_DISABLED"' +parameters: +properties: + - name: 'database' + type: String + description: | + The Firestore database id. Defaults to `"(default)"`. + url_param_only: true + default_value: "(default)" + - name: 'collection' + type: String + description: | + The id of the collection group to configure. + url_param_only: true + required: true + - name: 'field' + type: String + description: | + The id of the field to configure. + url_param_only: true + required: true + - name: 'name' + type: String + description: | + The name of this field. Format: + `projects/{{project}}/databases/{{database}}/collectionGroups/{{collection}}/fields/{{field}}` + output: true + - name: 'indexConfig' + type: NestedObject + description: | + The single field index configuration for this field. + Creating an index configuration for this field will override any inherited configuration with the + indexes specified. Configuring the index configuration with an empty block disables all indexes on + the field. + send_empty_value: true + custom_flatten: 'templates/terraform/custom_flatten/go/firestore_field_index_config.go.tmpl' + custom_expand: 'templates/terraform/custom_expand/go/firestore_field_index_config.go.tmpl' + properties: + - name: 'indexes' + type: Array + description: + The indexes to configure on the field. Order or array contains must be + specified. + is_set: true + item_type: + type: NestedObject + properties: + - name: 'queryScope' + type: Enum + description: | + The scope at which a query is run. Collection scoped queries require you specify + the collection at query time. Collection group scope allows queries across all + collections with the same id. + default_value: "COLLECTION" + enum_values: + - 'COLLECTION' + - 'COLLECTION_GROUP' + - name: 'order' + type: Enum + description: | + Indicates that this field supports ordering by the specified order or comparing using =, <, <=, >, >=, !=. + Only one of `order` and `arrayConfig` can be specified. 
+ exactly_one_of: + - 'order' + - 'arrayConfig' + enum_values: + - 'ASCENDING' + - 'DESCENDING' + - name: 'arrayConfig' + type: Enum + description: | + Indicates that this field supports operations on arrayValues. Only one of `order` and `arrayConfig` can + be specified. + exactly_one_of: + - 'order' + - 'arrayConfig' + enum_values: + - 'CONTAINS' + - name: 'ttlConfig' + type: NestedObject + description: | + The TTL configuration for this Field. If set to an empty block (i.e. `ttl_config {}`), a TTL policy is configured based on the field. If unset, a TTL policy is not configured (or will be disabled upon updating the resource). + send_empty_value: true + custom_expand: 'templates/terraform/custom_expand/go/empty_object_if_set.go.tmpl' + properties: + - name: 'state' + type: Enum + description: | + The state of TTL (time-to-live) configuration for documents that have this Field set. + output: true + enum_values: + - 'CREATING' + - 'ACTIVE' + - 'NEEDS_REPAIR' diff --git a/mmv1/products/firestore/go_Index.yaml b/mmv1/products/firestore/go_Index.yaml new file mode 100644 index 000000000000..23b81b12157a --- /dev/null +++ b/mmv1/products/firestore/go_Index.yaml 
@@ -0,0 +1,174 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Index' +description: | + Cloud Firestore indexes enable simple and complex queries against documents in a database. + This resource manages composite indexes and not single field indexes. + Both Firestore Native and Datastore Mode indexes are supported. +references: + guides: + 'Official Documentation': 'https://cloud.google.com/firestore/docs/query-data/indexing' + api: 'https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.collectionGroups.indexes' +docs: + warning: | + This resource creates a Firestore Index on a project that already has + a Firestore database. If you haven't already created it, you may + create a `google_firestore_database` resource and `location_id` set + to your chosen location. If you wish to use App Engine, you may + instead create a `google_app_engine_application` resource. + Your Firestore location will be the same as the App Engine location specified. 
+base_url: 'projects/{{project}}/databases/{{database}}/collectionGroups/{{collection}}/indexes' +self_link: '{{name}}' +immutable: true +import_format: + - '{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error' + message: 'message' +custom_code: + constants: 'templates/terraform/constants/go/firestore_index.go.tmpl' + encoder: 'templates/terraform/encoders/go/index.go.tmpl' + post_create: 'templates/terraform/post_create/go/index.go.tmpl' + custom_import: 'templates/terraform/custom_import/go/index_self_link_as_name_set_project.go.tmpl' +error_retry_predicates: + + - 'transport_tpg.FirestoreIndex409Retry' +examples: + - name: 'firestore_index_basic' + primary_resource_id: 'my-index' + vars: + database_id: 'database-id' + test_env_vars: + project_id: 'PROJECT_NAME' + external_providers: ["random", "time"] + - name: 'firestore_index_datastore_mode' + primary_resource_id: 'my-index' + vars: + database_id: 'database-id-dm' + test_env_vars: + project_id: 'PROJECT_NAME' + - name: 'firestore_index_vector' + primary_resource_id: 'my-index' + vars: + database_id: 'database-id-vector' + test_env_vars: + project_id: 'PROJECT_NAME' +parameters: +properties: + - name: 'name' + type: String + description: | + A server defined name for this index. Format: + `projects/{{project}}/databases/{{database}}/collectionGroups/{{collection}}/indexes/{{server_generated_id}}` + output: true + - name: 'database' + type: String + description: | + The Firestore database id. Defaults to `"(default)"`. + ignore_read: true + default_value: "(default)" + - name: 'collection' + type: String + description: | + The collection being indexed. 
+ required: true + ignore_read: true + - name: 'queryScope' + type: Enum + description: | + The scope at which a query is run. + default_value: "COLLECTION" + enum_values: + - 'COLLECTION' + - 'COLLECTION_GROUP' + - 'COLLECTION_RECURSIVE' + - name: 'apiScope' + type: Enum + description: | + The API scope at which a query is run. + custom_flatten: 'templates/terraform/custom_flatten/go/default_if_empty.tmpl' + default_value: "ANY_API" + enum_values: + - 'ANY_API' + - 'DATASTORE_MODE_API' + - name: 'fields' + type: Array + description: | + The fields supported by this index. The last non-stored field entry is + always for the field path `__name__`. If, on creation, `__name__` was not + specified as the last field, it will be added automatically with the same + direction as that of the last field defined. If the final field in a + composite index is not directional, the `__name__` will be ordered + `"ASCENDING"` (unless explicitly specified otherwise). + required: true + diff_suppress_func: 'firestoreIFieldsDiffSuppress' + item_type: + type: NestedObject + properties: + - name: 'fieldPath' + type: String + description: | + Name of the field. + - name: 'order' + type: Enum + description: | + Indicates that this field supports ordering by the specified order or comparing using =, <, <=, >, >=. + Only one of `order`, `arrayConfig`, and `vectorConfig` can be specified. + enum_values: + - 'ASCENDING' + - 'DESCENDING' + - name: 'arrayConfig' + type: Enum + description: | + Indicates that this field supports operations on arrayValues. Only one of `order`, `arrayConfig`, and + `vectorConfig` can be specified. + enum_values: + - 'CONTAINS' + - name: 'vectorConfig' + type: NestedObject + description: | + Indicates that this field supports vector search operations. Only one of `order`, `arrayConfig`, and + `vectorConfig` can be specified. Vector Fields should come after the field path `__name__`. 
+ properties: + - name: 'dimension' + type: Integer + description: | + The resulting index will only include vectors of this dimension, and can be used for vector search + with the same dimension. + - name: 'flat' + type: NestedObject + description: | + Indicates the vector index is a flat index. + send_empty_value: true + allow_empty_object: true + properties: + [] + min_size: 2 diff --git a/mmv1/products/firestore/go_product.yaml b/mmv1/products/firestore/go_product.yaml new file mode 100644 index 000000000000..091f9a9a810a --- /dev/null +++ b/mmv1/products/firestore/go_product.yaml @@ -0,0 +1,24 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Firestore' +display_name: 'Firestore' +versions: + - name: 'ga' + base_url: 'https://firestore.googleapis.com/v1/' + - name: 'beta' + base_url: 'https://firestore.googleapis.com/v1/' +scopes: + - 'https://www.googleapis.com/auth/cloud-platform' diff --git a/mmv1/products/gkebackup/go_BackupPlan.yaml b/mmv1/products/gkebackup/go_BackupPlan.yaml new file mode 100644 index 000000000000..7152caa839ba --- /dev/null +++ b/mmv1/products/gkebackup/go_BackupPlan.yaml 
@@ -0,0 +1,476 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'BackupPlan' +description: | + Represents a Backup Plan instance. +references: + guides: + 'Official Documentation': 'https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke' + api: 'https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/projects.locations.backupPlans' +docs: +base_url: 'projects/{{project}}/locations/{{location}}/backupPlans' +create_url: 'projects/{{project}}/locations/{{location}}/backupPlans?backupPlanId={{name}}' +update_verb: 'PATCH' +update_mask: true +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error' + message: 'message' +iam_policy: + method_name_separator: ':' + parent_resource_attribute: 'name' + base_url: 'projects/{{project}}/locations/{{location}}/backupPlans/{{name}}' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' + import_format: + - 'projects/{{project}}/locations/{{location}}/backupPlans/{{name}}' + - '{{name}}' +custom_code: +examples: + - name: 'gkebackup_backupplan_basic' + primary_resource_id: 'basic' + 
primary_resource_name: 'fmt.Sprintf("tf-test-basic-plan%s", context["random_suffix"])' + vars: + name: 'basic-plan' + cluster_name: 'basic-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_backupplan_autopilot' + primary_resource_id: 'autopilot' + vars: + name: 'autopilot-plan' + cluster_name: 'autopilot-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_backupplan_cmek' + primary_resource_id: 'cmek' + vars: + name: 'cmek-plan' + cluster_name: 'cmek-cluster' + key_name: 'backup-key' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_backupplan_full' + primary_resource_id: 'full' + vars: + name: 'full-plan' + cluster_name: 'full-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", 
acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_backupplan_permissive' + primary_resource_id: 'permissive' + vars: + name: 'permissive-plan' + cluster_name: 'permissive-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_backupplan_rpo_daily_window' + primary_resource_id: 'rpo_daily_window' + vars: + name: 'rpo-daily-window' + cluster_name: 'rpo-daily-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_backupplan_rpo_weekly_window' + primary_resource_id: 'rpo_weekly_window' + vars: + name: 'rpo-weekly-window' + cluster_name: 'rpo-weekly-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' +parameters: + - name: 'location' + type: String + description: | + The region of the Backup Plan. + url_param_only: true + required: true + immutable: true +properties: + - name: 'name' + type: String + description: | + The full name of the BackupPlan Resource. 
+ required: true + immutable: true + custom_flatten: 'templates/terraform/custom_flatten/go/name_from_self_link.tmpl' + custom_expand: 'templates/terraform/custom_expand/go/shortname_to_url.go.tmpl' + - name: 'uid' + type: String + description: | + Server generated, unique identifier of UUID format. + output: true + - name: 'description' + type: String + description: | + User specified descriptive string for this BackupPlan. + - name: 'cluster' + type: String + description: | + The source cluster from which Backups will be created via this BackupPlan. + required: true + immutable: true + - name: 'retentionPolicy' + type: NestedObject + description: + RetentionPolicy governs lifecycle of Backups created under this plan. + properties: + - name: 'backupDeleteLockDays' + type: Integer + description: | + Minimum age for a Backup created via this BackupPlan (in days). + Must be an integer value between 0-90 (inclusive). + A Backup created under this BackupPlan will not be deletable + until it reaches Backup's (create time + backup_delete_lock_days). + Updating this field of a BackupPlan does not affect existing Backups. + Backups created after a successful update will inherit this new value. + default_from_api: true + - name: 'backupRetainDays' + type: Integer + description: | + The default maximum age of a Backup created via this BackupPlan. + This field MUST be an integer value >= 0 and <= 365. If specified, + a Backup created under this BackupPlan will be automatically deleted + after its age reaches (createTime + backupRetainDays). + If not specified, Backups created under this BackupPlan will NOT be + subject to automatic deletion. Updating this field does NOT affect + existing Backups under it. Backups created AFTER a successful update + will automatically pick up the new value. + NOTE: backupRetainDays must be >= backupDeleteLockDays. + If cronSchedule is defined, then this must be <= 360 * the creation interval. 
+ If rpo_config is defined, then this must be + <= 360 * targetRpoMinutes/(1440minutes/day) + default_from_api: true + - name: 'locked' + type: Boolean + description: | + This flag denotes whether the retention policy of this BackupPlan is locked. + If set to True, no further update is allowed on this policy, including + the locked field itself. + default_from_api: true + - name: 'labels' + type: KeyValueLabels + description: | + Description: A set of custom labels supplied by the user. + A list of key->value pairs. + Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + immutable: false + - name: 'backupSchedule' + type: NestedObject + description: + Defines a schedule for automatic Backup creation via this BackupPlan. + properties: + - name: 'cronSchedule' + type: String + description: | + A standard cron string that defines a repeating schedule for + creating Backups via this BackupPlan. + This is mutually exclusive with the rpoConfig field since at most one + schedule can be defined for a BackupPlan. + If this is defined, then backupRetainDays must also be defined. + - name: 'paused' + type: Boolean + description: | + This flag denotes whether automatic Backup creation is paused for this BackupPlan. + default_from_api: true + - name: 'rpoConfig' + type: NestedObject + description: | + Defines the RPO schedule configuration for this BackupPlan. This is mutually + exclusive with the cronSchedule field since at most one schedule can be defined + for a BackupPLan. If this is defined, then backupRetainDays must also be defined. + properties: + - name: 'targetRpoMinutes' + type: Integer + description: | + Defines the target RPO for the BackupPlan in minutes, which means the target + maximum data loss in time that is acceptable for this BackupPlan. This must be + at least 60, i.e., 1 hour, and at most 86400, i.e., 60 days. 
+ required: true + - name: 'exclusionWindows' + type: Array + description: | + User specified time windows during which backup can NOT happen for this BackupPlan. + Backups should start and finish outside of any given exclusion window. Note: backup + jobs will be scheduled to start and finish outside the duration of the window as + much as possible, but running jobs will not get canceled when it runs into the window. + All the time and date values in exclusionWindows entry in the API are in UTC. We + only allow <=1 recurrence (daily or weekly) exclusion window for a BackupPlan while no + restriction on number of single occurrence windows. + # Exclusion Window Object + item_type: + type: NestedObject + properties: + - name: 'startTime' + type: NestedObject + description: | + Specifies the start time of the window using time of the day in UTC. + required: true + properties: + - name: 'hours' + type: Integer + description: | + Hours of day in 24 hour format. + - name: 'minutes' + type: Integer + description: | + Minutes of hour of day. + - name: 'seconds' + type: Integer + description: | + Seconds of minutes of the time. + - name: 'nanos' + type: Integer + description: | + Fractions of seconds in nanoseconds. + - name: 'duration' + type: String + description: | + Specifies duration of the window in seconds with up to nine fractional digits, + terminated by 's'. Example: "3.5s". Restrictions for duration based on the + recurrence type to allow some time for backup to happen: + - single_occurrence_date: no restriction + - daily window: duration < 24 hours + - weekly window: + - days of week includes all seven days of a week: duration < 24 hours + - all other weekly window: duration < 168 hours (i.e., 24 * 7 hours) + required: true + validation: + function: 'verify.ValidateDuration()' + - name: 'singleOccurrenceDate' + type: NestedObject + description: | + No recurrence. The exclusion window occurs only once and on this date in UTC. 
+ Only one of singleOccurrenceDate, daily and daysOfWeek may be set. + properties: + - name: 'year' + type: Integer + description: | + Year of the date. + - name: 'month' + type: Integer + description: | + Month of a year. + - name: 'day' + type: Integer + description: | + Day of a month. + - name: 'daily' + type: Boolean + description: | + The exclusion window occurs every day if set to "True". + Specifying this field to "False" is an error. + Only one of singleOccurrenceDate, daily and daysOfWeek may be set. + - name: 'daysOfWeek' + type: NestedObject + description: | + The exclusion window occurs on these days of each week in UTC. + Only one of singleOccurrenceDate, daily and daysOfWeek may be set. + properties: + - name: 'daysOfWeek' + type: Array + description: | + A list of days of week. + item_type: + type: Enum + description: | + The day of the week. + enum_values: + - 'MONDAY' + - 'TUESDAY' + - 'WEDNESDAY' + - 'THURSDAY' + - 'FRIDAY' + - 'SATURDAY' + - 'SUNDAY' + - name: 'etag' + type: String + description: | + etag is used for optimistic concurrency control as a way to help prevent simultaneous + updates of a backup plan from overwriting each other. It is strongly suggested that + systems make use of the 'etag' in the read-modify-write cycle to perform BackupPlan updates + in order to avoid race conditions: An etag is returned in the response to backupPlans.get, + and systems are expected to put that etag in the request to backupPlans.patch or + backupPlans.delete to ensure that their change will be applied to the same version of the resource. + output: true + - name: 'deactivated' + type: Boolean + description: | + This flag indicates whether this BackupPlan has been deactivated. + Setting this field to True locks the BackupPlan such that no further updates will be allowed + (except deletes), including the deactivated field itself. It also prevents any new Backups + from being created via this BackupPlan (including scheduled Backups). 
+ default_from_api: true + - name: 'backupConfig' + type: NestedObject + description: | + Defines the configuration of Backups created via this BackupPlan. + properties: + - name: 'includeVolumeData' + type: Boolean + description: | + This flag specifies whether volume data should be backed up when PVCs are + included in the scope of a Backup. + default_from_api: true + - name: 'includeSecrets' + type: Boolean + description: | + This flag specifies whether Kubernetes Secret resources should be included + when they fall into the scope of Backups. + default_from_api: true + - name: 'encryptionKey' + type: NestedObject + description: | + This defines a customer managed encryption key that will be used to encrypt the "config" + portion (the Kubernetes resources) of Backups created via this plan. + properties: + - name: 'gcpKmsEncryptionKey' + type: String + description: | + Google Cloud KMS encryption key. Format: projects/*/locations/*/keyRings/*/cryptoKeys/* + required: true + - name: 'allNamespaces' + type: Boolean + description: | + If True, include all namespaced resources. + exactly_one_of: + - 'backupConfig.0.allNamespaces' + - 'backupConfig.0.selectedNamespaces' + - 'backupConfig.0.selectedApplications' + - name: 'selectedNamespaces' + type: NestedObject + description: | + If set, include just the resources in the listed namespaces. + exactly_one_of: + - 'backupConfig.0.allNamespaces' + - 'backupConfig.0.selectedNamespaces' + - 'backupConfig.0.selectedApplications' + properties: + - name: 'namespaces' + type: Array + description: | + A list of Kubernetes Namespaces. + required: true + item_type: + type: String + - name: 'selectedApplications' + type: NestedObject + description: | + A list of namespaced Kubernetes Resources. 
+ exactly_one_of: + - 'backupConfig.0.allNamespaces' + - 'backupConfig.0.selectedNamespaces' + - 'backupConfig.0.selectedApplications' + properties: + - name: 'namespacedNames' + type: Array + description: | + A list of namespaced Kubernetes resources. + required: true + item_type: + type: NestedObject + properties: + - name: 'namespace' + type: String + description: | + The namespace of a Kubernetes Resource. + required: true + - name: 'name' + type: String + description: | + The name of a Kubernetes Resource. + required: true + - name: 'permissiveMode' + type: Boolean + description: | + This flag specifies whether Backups will not fail when + Backup for GKE detects Kubernetes configuration that is + non-standard or requires additional setup to restore. + - name: 'protectedPodCount' + type: Integer + description: | + The number of Kubernetes Pods backed up in the last successful Backup created via this BackupPlan. + output: true + - name: 'state' + type: String + description: | + The State of the BackupPlan. + output: true + - name: 'stateReason' + type: String + description: | + Detailed description of why BackupPlan is in its current state. + output: true diff --git a/mmv1/products/gkebackup/go_RestorePlan.yaml b/mmv1/products/gkebackup/go_RestorePlan.yaml new file mode 100644 index 000000000000..0543e1e1e780 --- /dev/null +++ b/mmv1/products/gkebackup/go_RestorePlan.yaml 
@@ -0,0 +1,632 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'RestorePlan' +description: | + Represents a Restore Plan instance. +references: + guides: + 'Official Documentation': 'https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke' + api: 'https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/projects.locations.restorePlans' +docs: +base_url: 'projects/{{project}}/locations/{{location}}/restorePlans' +create_url: 'projects/{{project}}/locations/{{location}}/restorePlans?restorePlanId={{name}}' +update_verb: 'PATCH' +update_mask: true +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error' + message: 'message' +iam_policy: + method_name_separator: ':' + parent_resource_attribute: 'name' + base_url: 'projects/{{project}}/locations/{{location}}/restorePlans/{{name}}' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' + import_format: + - 'projects/{{project}}/locations/{{location}}/restorePlans/{{name}}' + - '{{name}}' +custom_code: +examples: + - name: 'gkebackup_restoreplan_all_namespaces' + primary_resource_id: 'all_ns' 
+ primary_resource_name: 'fmt.Sprintf("tf-test-restore-all-ns%s", context["random_suffix"])' + vars: + name: 'restore-all-ns' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_restoreplan_rollback_namespace' + primary_resource_id: 'rollback_ns' + vars: + name: 'rollback-ns' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_restoreplan_protected_application' + primary_resource_id: 'rollback_app' + vars: + name: 'rollback-app' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_restoreplan_all_cluster_resources' + primary_resource_id: 'all_cluster_resources' + vars: + name: 'all-groupkinds' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, 
"gke-cluster"))' + - name: 'gkebackup_restoreplan_rename_namespace' + primary_resource_id: 'rename_ns' + vars: + name: 'rename-ns' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_restoreplan_second_transformation' + primary_resource_id: 'transform_rule' + vars: + name: 'transform-rule' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_restoreplan_gitops_mode' + primary_resource_id: 'gitops_mode' + vars: + name: 'gitops-mode' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkebackup_restoreplan_restore_order' + primary_resource_id: 'restore_order' + vars: + name: 'restore-order' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - 
name: 'gkebackup_restoreplan_volume_res' + primary_resource_id: 'volume_res' + vars: + name: 'volume-res' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + deletion_protection: 'true' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' +parameters: + - name: 'location' + type: String + description: | + The region of the Restore Plan. + url_param_only: true + required: true + immutable: true +properties: + - name: 'name' + type: String + description: | + The full name of the BackupPlan Resource. + required: true + immutable: true + custom_flatten: 'templates/terraform/custom_flatten/go/name_from_self_link.tmpl' + custom_expand: 'templates/terraform/custom_expand/go/shortname_to_url.go.tmpl' + - name: 'uid' + type: String + description: | + Server generated, unique identifier of UUID format. + output: true + - name: 'description' + type: String + description: | + User specified descriptive string for this RestorePlan. + - name: 'labels' + type: KeyValueLabels + description: | + Description: A set of custom labels supplied by the user. + A list of key->value pairs. + Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + immutable: false + - name: 'backupPlan' + type: String + description: | + A reference to the BackupPlan from which Backups may be used + as the source for Restores created via this RestorePlan. + required: true + immutable: true + - name: 'cluster' + type: String + description: | + The source cluster from which Restores will be created via this RestorePlan. + required: true + immutable: true + - name: 'restoreConfig' + type: NestedObject + description: | + Defines the configuration of Restores created via this RestorePlan. 
+ required: true + properties: + - name: 'allNamespaces' + type: Boolean + description: | + If True, restore all namespaced resources in the Backup. + Setting this field to False will result in an error. + exactly_one_of: + - 'restoreConfig.0.allNamespaces' + - 'restoreConfig.0.excludedNamespaces' + - 'restoreConfig.0.selectedNamespaces' + - 'restoreConfig.0.selectedApplications' + - 'restoreConfig.0.noNamespaces' + - name: 'excludedNamespaces' + type: NestedObject + description: | + A list of selected namespaces excluded from restoration. + All namespaces except those in this list will be restored. + exactly_one_of: + - 'restoreConfig.0.allNamespaces' + - 'restoreConfig.0.excludedNamespaces' + - 'restoreConfig.0.selectedNamespaces' + - 'restoreConfig.0.selectedApplications' + - 'restoreConfig.0.noNamespaces' + properties: + - name: 'namespaces' + type: Array + description: | + A list of Kubernetes Namespaces. + required: true + item_type: + type: String + - name: 'selectedNamespaces' + type: NestedObject + description: | + A list of selected namespaces to restore from the Backup. + The listed Namespaces and all resources contained in them will be restored. + exactly_one_of: + - 'restoreConfig.0.allNamespaces' + - 'restoreConfig.0.excludedNamespaces' + - 'restoreConfig.0.selectedNamespaces' + - 'restoreConfig.0.selectedApplications' + - 'restoreConfig.0.noNamespaces' + properties: + - name: 'namespaces' + type: Array + description: | + A list of Kubernetes Namespaces. + required: true + item_type: + type: String + - name: 'selectedApplications' + type: NestedObject + description: | + A list of selected ProtectedApplications to restore. + The listed ProtectedApplications and all the resources + to which they refer will be restored. 
+ exactly_one_of: + - 'restoreConfig.0.allNamespaces' + - 'restoreConfig.0.excludedNamespaces' + - 'restoreConfig.0.selectedNamespaces' + - 'restoreConfig.0.selectedApplications' + - 'restoreConfig.0.noNamespaces' + properties: + - name: 'namespacedNames' + type: Array + description: | + A list of namespaced Kubernetes resources. + required: true + item_type: + type: NestedObject + properties: + - name: 'namespace' + type: String + description: | + The namespace of a Kubernetes Resource. + required: true + - name: 'name' + type: String + description: | + The name of a Kubernetes Resource. + required: true + - name: 'noNamespaces' + type: Boolean + description: | + Do not restore any namespaced resources if set to "True". + Specifying this field to "False" is not allowed. + exactly_one_of: + - 'restoreConfig.0.allNamespaces' + - 'restoreConfig.0.excludedNamespaces' + - 'restoreConfig.0.selectedNamespaces' + - 'restoreConfig.0.selectedApplications' + - 'restoreConfig.0.noNamespaces' + - name: 'namespacedResourceRestoreMode' + type: Enum + description: | + Defines the behavior for handling the situation where sets of namespaced resources + being restored already exist in the target cluster. + This MUST be set to a value other than `NAMESPACED_RESOURCE_RESTORE_MODE_UNSPECIFIED` + if the `namespacedResourceRestoreScope` is anything other than `noNamespaces`. + See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#namespacedresourcerestoremode + for more information on each mode. + enum_values: + - 'DELETE_AND_RESTORE' + - 'FAIL_ON_CONFLICT' + - 'MERGE_SKIP_ON_CONFLICT' + - 'MERGE_REPLACE_VOLUME_ON_CONFLICT' + - 'MERGE_REPLACE_ON_CONFLICT' + - name: 'volumeDataRestorePolicy' + type: Enum + description: | + Specifies the mechanism to be used to restore volume data. 
+ This should be set to a value other than `NAMESPACED_RESOURCE_RESTORE_MODE_UNSPECIFIED` + if the `namespacedResourceRestoreScope` is anything other than `noNamespaces`. + If not specified, it will be treated as `NO_VOLUME_DATA_RESTORATION`. + See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#VolumeDataRestorePolicy + for more information on each policy option. + enum_values: + - 'RESTORE_VOLUME_DATA_FROM_BACKUP' + - 'REUSE_VOLUME_HANDLE_FROM_BACKUP' + - 'NO_VOLUME_DATA_RESTORATION' + - name: 'clusterResourceRestoreScope' + type: NestedObject + description: | + Identifies the cluster-scoped resources to restore from the Backup. + properties: + - name: 'allGroupKinds' + type: Boolean + description: | + If True, all valid cluster-scoped resources will be restored. + Mutually exclusive to any other field in `clusterResourceRestoreScope`. + exactly_one_of: + - 'restoreConfig.0.clusterResourceRestoreScope.0.allGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.excludedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.selectedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.noGroupKinds' + - name: 'excludedGroupKinds' + type: Array + description: | + A list of cluster-scoped resource group kinds to NOT restore from the backup. + If specified, all valid cluster-scoped resources will be restored except + for those specified in the list. + Mutually exclusive to any other field in `clusterResourceRestoreScope`. + exactly_one_of: + - 'restoreConfig.0.clusterResourceRestoreScope.0.allGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.excludedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.selectedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.noGroupKinds' + item_type: + type: NestedObject + properties: + - name: 'resourceGroup' + type: String + description: | + API Group string of a Kubernetes resource, e.g. 
+ "apiextensions.k8s.io", "storage.k8s.io", etc. + Use empty string for core group. + - name: 'resourceKind' + type: String + description: | + Kind of a Kubernetes resource, e.g. + "CustomResourceDefinition", "StorageClass", etc. + - name: 'selectedGroupKinds' + type: Array + description: | + A list of cluster-scoped resource group kinds to restore from the backup. + If specified, only the selected resources will be restored. + Mutually exclusive to any other field in the `clusterResourceRestoreScope`. + exactly_one_of: + - 'restoreConfig.0.clusterResourceRestoreScope.0.allGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.excludedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.selectedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.noGroupKinds' + item_type: + type: NestedObject + properties: + - name: 'resourceGroup' + type: String + description: | + API Group string of a Kubernetes resource, e.g. + "apiextensions.k8s.io", "storage.k8s.io", etc. + Use empty string for core group. + - name: 'resourceKind' + type: String + description: | + Kind of a Kubernetes resource, e.g. + "CustomResourceDefinition", "StorageClass", etc. + - name: 'noGroupKinds' + type: Boolean + description: | + If True, no cluster-scoped resources will be restored. + Mutually exclusive to any other field in `clusterResourceRestoreScope`. + exactly_one_of: + - 'restoreConfig.0.clusterResourceRestoreScope.0.allGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.excludedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.selectedGroupKinds' + - 'restoreConfig.0.clusterResourceRestoreScope.0.noGroupKinds' + - name: 'clusterResourceConflictPolicy' + type: Enum + description: | + Defines the behavior for handling the situation where cluster-scoped resources + being restored already exist in the target cluster. 
+ This MUST be set to a value other than `CLUSTER_RESOURCE_CONFLICT_POLICY_UNSPECIFIED` + if `clusterResourceRestoreScope` is anyting other than `noGroupKinds`. + See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#clusterresourceconflictpolicy + for more information on each policy option. + enum_values: + - 'USE_EXISTING_VERSION' + - 'USE_BACKUP_VERSION' + - name: 'transformationRules' + type: Array + description: | + A list of transformation rules to be applied against Kubernetes + resources as they are selected for restoration from a Backup. + Rules are executed in order defined - this order matters, + as changes made by a rule may impact the filtering logic of subsequent + rules. An empty list means no transformation will occur. + item_type: + description: | + A transformation rule to be applied against Kubernetes resources + as they are selected for restoration from a Backup. + A rule contains both filtering logic + (which resources are subject to transform) and transformation logic. + type: NestedObject + properties: + - name: 'description' + type: String + description: | + The description is a user specified string description + of the transformation rule. + - name: 'resourceFilter' + type: NestedObject + description: | + This field is used to specify a set of fields that should be used to + determine which resources in backup should be acted upon by the + supplied transformation rule actions, and this will ensure that only + specific resources are affected by transformation rule actions. + properties: + - name: 'namespaces' + type: Array + description: | + (Filtering parameter) Any resource subject to transformation must + be contained within one of the listed Kubernetes Namespace in the + Backup. If this field is not provided, no namespace filtering will + be performed (all resources in all Namespaces, including all + cluster-scoped resources, will be candidates for transformation). 
+ To mix cluster-scoped and namespaced resources in the same rule, + use an empty string ("") as one of the target namespaces. + item_type: + type: String + - name: 'groupKinds' + type: Array + description: | + (Filtering parameter) Any resource subject to transformation must + belong to one of the listed "types". If this field is not provided, + no type filtering will be performed + (all resources of all types matching previous filtering parameters + will be candidates for transformation). + item_type: + type: NestedObject + properties: + - name: 'resourceGroup' + type: String + description: | + API Group string of a Kubernetes resource, e.g. + "apiextensions.k8s.io", "storage.k8s.io", etc. + Use empty string for core group. + - name: 'resourceKind' + type: String + description: | + Kind of a Kubernetes resource, e.g. + "CustomResourceDefinition", "StorageClass", etc. + - name: 'jsonPath' + type: String + description: | + This is a JSONPath expression that matches specific fields of + candidate resources and it operates as a filtering parameter + (resources that are not matched with this expression will not + be candidates for transformation). + - name: 'fieldActions' + type: Array + description: | + A list of transformation rule actions to take against candidate + resources. Actions are executed in order defined - this order + matters, as they could potentially interfere with each other and + the first operation could affect the outcome of the second operation. + required: true + item_type: + description: | + TransformationRuleAction defines a TransformationRule action + based on the JSON Patch RFC (https://www.rfc-editor.org/rfc/rfc6902) + type: NestedObject + properties: + - name: 'op' + type: Enum + description: | + Specifies the operation to perform. 
+ required: true + enum_values: + - 'REMOVE' + - 'MOVE' + - 'COPY' + - 'ADD' + - 'TEST' + - 'REPLACE' + - name: 'fromPath' + type: String + description: | + A string containing a JSON Pointer value that references the + location in the target document to move the value from. + - name: 'path' + type: String + description: | + A string containing a JSON-Pointer value that references a + location within the target document where the operation is performed. + - name: 'value' + type: String + description: | + A string that specifies the desired value in string format + to use for transformation. + - name: 'volumeDataRestorePolicyBindings' + type: Array + description: | + A table that binds volumes by their scope to a restore policy. Bindings + must have a unique scope. Any volumes not scoped in the bindings are + subject to the policy defined in volume_data_restore_policy. + item_type: + type: NestedObject + properties: + - name: 'policy' + type: Enum + description: | + Specifies the mechanism to be used to restore this volume data. + See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#VolumeDataRestorePolicy + for more information on each policy option. + required: true + enum_values: + - 'RESTORE_VOLUME_DATA_FROM_BACKUP' + - 'REUSE_VOLUME_HANDLE_FROM_BACKUP' + - 'NO_VOLUME_DATA_RESTORATION' + - name: 'volumeType' + type: Enum + description: | + The volume type, as determined by the PVC's + bound PV, to apply the policy to. + required: true + enum_values: + - 'GCE_PERSISTENT_DISK' + - name: 'restoreOrder' + type: NestedObject + description: | + It contains custom ordering to use on a Restore. + properties: + - name: 'groupKindDependencies' + type: Array + description: | + A list of group kind dependency pairs + that is used by Backup for GKE to + generate a group kind restore order. 
+ required: true + item_type: + type: NestedObject + properties: + - name: 'satisfying' + type: NestedObject + description: | + The satisfying group kind must be restored first + in order to satisfy the dependency. + required: true + properties: + - name: 'resourceGroup' + type: String + description: | + API Group of a Kubernetes resource, e.g. + "apiextensions.k8s.io", "storage.k8s.io", etc. + Use empty string for core group. + - name: 'resourceKind' + type: String + description: | + Kind of a Kubernetes resource, e.g. + "CustomResourceDefinition", "StorageClass", etc. + - name: 'requiring' + type: NestedObject + description: | + The requiring group kind requires that the satisfying + group kind be restored first. + required: true + properties: + - name: 'resourceGroup' + type: String + description: | + API Group of a Kubernetes resource, e.g. + "apiextensions.k8s.io", "storage.k8s.io", etc. + Use empty string for core group. + - name: 'resourceKind' + type: String + description: | + Kind of a Kubernetes resource, e.g. + "CustomResourceDefinition", "StorageClass", etc. + - name: 'state' + type: String + description: | + The State of the RestorePlan. + output: true + - name: 'stateReason' + type: String + description: | + Detailed description of why RestorePlan is in its current state. + output: true diff --git a/mmv1/products/gkebackup/go_product.yaml b/mmv1/products/gkebackup/go_product.yaml new file mode 100644 index 000000000000..3c3a4d94f4e2 --- /dev/null +++ b/mmv1/products/gkebackup/go_product.yaml 
@@ -0,0 +1,36 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'GKEBackup' +display_name: 'Backup for GKE' +versions: + - name: 'beta' + base_url: 'https://gkebackup.googleapis.com/v1/' + - name: 'ga' + base_url: 'https://gkebackup.googleapis.com/v1/' +scopes: + - 'https://www.googleapis.com/auth/cloud-platform' +async: + type: "OpAsync" + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error' + message: 'message' diff --git a/mmv1/products/gkehub/go_Membership.yaml b/mmv1/products/gkehub/go_Membership.yaml new file mode 100644 index 000000000000..2bf2f8bf08b0 --- /dev/null +++ b/mmv1/products/gkehub/go_Membership.yaml 
@@ -0,0 +1,176 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Membership' +description: | + Membership contains information about a member cluster. +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/multicluster-management/reference/rest/v1/projects.locations.memberships' +docs: +id_format: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}' +base_url: 'projects/{{project}}/locations/{{location}}/memberships' +self_link: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}' +create_url: 'projects/{{project}}/locations/{{location}}/memberships?membershipId={{membership_id}}' +update_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' 
+iam_policy: + method_name_separator: ':' + parent_resource_attribute: 'membership_id' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' + import_format: + - 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}' + - '{{membership_id}}' +custom_code: + constants: 'templates/terraform/constants/go/gke_hub_membership_diff.go.tmpl' +skip_sweeper: true +schema_version: 1 +state_upgraders: true +examples: + - name: 'gkehub_membership_regional' + primary_resource_id: 'membership' + primary_resource_name: 'fmt.Sprintf("basic%s", context["random_suffix"])' + vars: + name: 'basic' + cluster_name: 'basic-cluster' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + location: 'REGION' + test_vars_overrides: + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkehub_membership_basic' + primary_resource_id: 'membership' + primary_resource_name: 'fmt.Sprintf("basic%s", context["random_suffix"])' + vars: + name: 'basic' + cluster_name: 'basic-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' + - name: 'gkehub_membership_issuer' + primary_resource_id: 'membership' + vars: + name: 'basic' + cluster_name: 'basic-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", 
acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' +parameters: + - name: 'location' + type: String + description: | + Location of the membership. + The default value is `global`. + url_param_only: true + immutable: true + default_value: "global" +properties: + - name: 'membershipId' + type: String + description: | + The client-provided identifier of the membership. + url_param_only: true + required: true + immutable: true + - name: 'name' + type: String + description: | + The unique identifier of the membership. + output: true + - name: 'description' + type: String + description: | + The name of this entity type to be displayed on the console. This field is unavailable in v1 of the API. + min_version: 'beta' + deprecation_message: '`description` is deprecated and will be removed in a future major release.' + - name: 'labels' + type: KeyValueLabels + description: | + Labels to apply to this membership. + immutable: false + - name: 'endpoint' + type: NestedObject + description: | + If this Membership is a Kubernetes API server hosted on GKE, this is a self link to its GCP resource. + immutable: true + properties: + - name: 'gkeCluster' + type: NestedObject + description: | + If this Membership is a Kubernetes API server hosted on GKE, this is a self link to its GCP resource. + immutable: true + properties: + - name: 'resourceLink' + type: String + description: | + Self-link of the GCP resource for the GKE cluster. + For example: `//container.googleapis.com/projects/my-project/zones/us-west1-a/clusters/my-cluster`. + It can be at the most 1000 characters in length. If the cluster is provisioned with Terraform, + this can be `"//container.googleapis.com/${google_container_cluster.my-cluster.id}"` or + `google_container_cluster.my-cluster.id`. 
+ required: true + immutable: true + diff_suppress_func: 'suppressGkeHubEndpointSelfLinkDiff' + custom_expand: 'templates/terraform/custom_expand/go/gke_hub_membership.tmpl' + - name: 'authority' + type: NestedObject + description: | + Authority encodes how Google will recognize identities from this Membership. + See the workload identity documentation for more details: + https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity + properties: + - name: 'issuer' + type: String + description: | + A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and // be a valid + with length <2000 characters. For example: `https://container.googleapis.com/v1/projects/my-project/locations/us-west1/clusters/my-cluster` (must be `locations` rather than `zones`). If the cluster is provisioned with Terraform, this is `"https://container.googleapis.com/v1/${google_container_cluster.my-cluster.id}"`. + required: true + immutable: true diff --git a/mmv1/products/gkehub/go_product.yaml b/mmv1/products/gkehub/go_product.yaml new file mode 100644 index 000000000000..4a2e60b36c1b --- /dev/null +++ b/mmv1/products/gkehub/go_product.yaml 
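Review bot: The `authority.issuer` description near the end of this hunk is garbled — "`issuer` must start with `https://` and // be a valid with length <2000 characters" has a stray `//` and a missing noun — and because `issuer` is the immutable trust anchor that decides which JWT issuer this Membership's workload identities are accepted from, the text a user reads before setting it should be exact. Suggested wording: "A JSON Web Token (JWT) issuer URI. issuer must start with https:// and be a valid URL with length <2000 characters." Further up, `endpoint` and `endpoint.gkeCluster` carry the identical description ("If this Membership is a Kubernetes API server hosted on GKE, this is a self link to its GCP resource"), and the deprecated `description` property reads "The name of this entity type to be displayed on the console", which looks copied from another product. The header marks this file as converter output that should not be edited directly, so these fixes presumably belong in the source Membership.yaml the converter reads rather than here.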
@@ -0,0 +1,25 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'GKEHub' +legacy_name: 'gke_hub' +display_name: 'GKEHub' +versions: + - name: 'beta' + base_url: 'https://gkehub.googleapis.com/v1beta1/' + - name: 'ga' + base_url: 'https://gkehub.googleapis.com/v1/' +scopes: + - 'https://www.googleapis.com/auth/cloud-platform' diff --git a/mmv1/products/gkehub2/go_Feature.yaml b/mmv1/products/gkehub2/go_Feature.yaml new file mode 100644 index 000000000000..d0b5e2442fe2 --- /dev/null +++ b/mmv1/products/gkehub2/go_Feature.yaml 
@@ -0,0 +1,537 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Feature' +description: | + Feature represents the settings and status of any Hub Feature. +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.features' +docs: +id_format: 'projects/{{project}}/locations/{{location}}/features/{{name}}' +base_url: 'projects/{{project}}/locations/{{location}}/features' +self_link: 'projects/{{project}}/locations/{{location}}/features/{{name}}' +create_url: 'projects/{{project}}/locations/{{location}}/features?featureId={{name}}' +update_url: 'projects/{{project}}/locations/{{location}}/features/{{name}}' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/{{location}}/features/{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + kind: 'gkehub2#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +iam_policy: + method_name_separator: ':' + parent_resource_attribute: 
'name' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' + import_format: + - 'projects/{{project}}/locations/{{location}}/features/{{name}}' + - '{{name}}' +custom_code: +skip_sweeper: true +legacy_long_form_project: true +examples: + - name: 'gkehub_feature_multi_cluster_ingress' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("multiclusteringress")' + skip_test: true + - name: 'gkehub_feature_multi_cluster_service_discovery' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("multiclusterservicediscovery")' + skip_test: true + - name: 'gkehub_feature_anthos_service_mesh' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("servicemesh")' + skip_test: true + - name: 'enable_fleet_observability_for_default_logs_with_COPY' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("fleetobservability")' + skip_test: true + - name: 'enable_fleet_observability_for_scope_logs_with_MOVE' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("fleetobservability")' + skip_test: true + - name: 'enable_fleet_observability_for_both_default_and_scope_logs' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("fleetobservability")' + skip_test: true + - name: 'enable_fleet_default_member_config_service_mesh' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprintf("servicemesh")' + skip_test: true + - name: 'enable_fleet_default_member_config_configmanagement' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprintf("configmanagement")' + skip_test: true + - name: 'enable_fleet_default_member_config_policycontroller' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprintf("policycontroller")' + skip_test: true + - name: 'enable_fleet_default_member_config_policycontroller_full' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprintf("policycontroller")' + skip_test: true + - name: 
'enable_fleet_default_member_config_policycontroller_minimal' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprintf("policycontroller")' + skip_test: true + - name: 'gkehub_feature_clusterupgrade' + primary_resource_id: 'feature' + primary_resource_name: 'fmt.Sprint("clusterupgrade")' + skip_test: true +parameters: + - name: 'location' + type: String + description: The location for the resource + url_param_only: true + required: true + immutable: true +properties: + - name: 'name' + type: String + description: The full, unique name of this Feature resource + url_param_only: true + immutable: true + diff_suppress_func: 'tpgresource.CompareSelfLinkOrResourceName' + custom_flatten: 'templates/terraform/custom_flatten/go/name_from_self_link.tmpl' + custom_expand: 'templates/terraform/custom_expand/go/resource_from_self_link.go.tmpl' + - name: 'labels' + type: KeyValueLabels + description: GCP labels for this Feature. + immutable: false + - name: 'resourceState' + type: NestedObject + description: State of the Feature resource itself. + output: true + properties: + - name: 'state' + type: Enum + description: The current state of the Feature resource in the Hub API. + output: true + enum_values: + - 'STATE_UNSPECIFIED' + - 'ENABLING' + - 'ACTIVE' + - 'DISABLING' + - 'UPDATING' + - 'SERVICE_UPDATING' + - name: 'hasResources' + type: Boolean + description: Whether this Feature has outstanding resources that need to be cleaned up before it can be disabled. + output: true + - name: 'spec' + type: NestedObject + description: Optional. Hub-wide Feature configuration. If this Feature does not support any Hub-wide configuration, this field may be unused. + properties: + - name: 'multiclusteringress' + type: NestedObject + description: Multicluster Ingress-specific spec. + properties: + - name: 'configMembership' + type: String + description: 'Fully-qualified Membership name which hosts the MultiClusterIngress CRD. 
Example: `projects/foo-proj/locations/global/memberships/bar`' + required: true + - name: 'fleetobservability' + type: NestedObject + description: Fleet Observability feature spec. + properties: + - name: 'loggingConfig' + type: NestedObject + description: 'Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet.' + properties: + - name: 'defaultConfig' + type: NestedObject + description: 'Specified if applying the default routing config to logs not specified in other configs.' + properties: + - name: 'mode' + type: Enum + description: Specified if fleet logging feature is enabled. + enum_values: + - 'MODE_UNSPECIFIED' + - 'COPY' + - 'MOVE' + - name: 'fleetScopeLogsConfig' + type: NestedObject + description: 'Specified if applying the routing config to all logs for all fleet scopes.' + properties: + - name: 'mode' + type: Enum + description: Specified if fleet logging feature is enabled. + enum_values: + - 'MODE_UNSPECIFIED' + - 'COPY' + - 'MOVE' + - name: 'clusterupgrade' + type: NestedObject + description: Clusterupgrade feature spec. + properties: + - name: 'upstreamFleets' + type: Array + description: | + Specified if other fleet should be considered as a source of upgrades. Currently, at most one upstream fleet is allowed. The fleet name should be either fleet project number or id. + required: true + item_type: + type: String + - name: 'postConditions' + type: NestedObject + description: | + Post conditions to override for the specified upgrade. + required: true + default_from_api: true + properties: + - name: 'soaking' + type: String + description: | + Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days. + required: true + - name: 'gkeUpgradeOverrides' + type: Array + description: | + Configuration overrides for individual upgrades. 
+ item_type: + type: NestedObject + properties: + - name: 'upgrade' + type: NestedObject + description: | + Which upgrade to override. + required: true + properties: + - name: 'name' + type: String + description: | + Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceet 99 characters. + required: true + - name: 'version' + type: String + description: | + Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceet 99 characters. + required: true + - name: 'postConditions' + type: NestedObject + description: | + Post conditions to override for the specified upgrade. + required: true + properties: + - name: 'soaking' + type: String + description: | + Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days. + required: true + - name: 'fleetDefaultMemberConfig' + type: NestedObject + description: Optional. Fleet Default Membership Configuration. + send_empty_value: true + properties: + - name: 'mesh' + type: NestedObject + description: Service Mesh spec + properties: + - name: 'management' + type: Enum + description: 'Whether to automatically manage Service Mesh' + required: true + enum_values: + - 'MANAGEMENT_UNSPECIFIED' + - 'MANAGEMENT_AUTOMATIC' + - 'MANAGEMENT_MANUAL' + - name: 'configmanagement' + type: NestedObject + description: Config Management spec + properties: + - name: 'version' + type: String + description: 'Version of ACM installed' + - name: 'configSync' + type: NestedObject + description: 'ConfigSync configuration for the cluster' + properties: + - name: 'sourceFormat' + type: String + description: 'Specifies whether the Config Sync Repo is in hierarchical or unstructured mode' + - name: 'enabled' + type: Boolean + description: 'Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. 
If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field.' + - name: 'preventDrift' + type: Boolean + description: 'Set to true to enable the Config Sync admission webhook to prevent drifts. If set to `false`, disables the Config Sync admission webhook and does not prevent drifts.' + - name: 'git' + type: NestedObject + description: 'Git repo configuration for the cluster' + properties: + - name: 'syncRepo' + type: String + description: 'The URL of the Git repository to use as the source of truth' + - name: 'syncBranch' + type: String + description: 'The branch of the repository to sync from. Default: master' + - name: 'policyDir' + type: String + description: 'The path within the Git repository that represents the top level of the repo to sync' + - name: 'syncRev' + type: String + description: 'Git revision (tag or hash) to check out. Default HEAD' + - name: 'secretType' + type: String + description: 'Type of secret configured for access to the Git repo' + required: true + - name: 'httpsProxy' + type: String + description: 'URL for the HTTPS Proxy to be used when communicating with the Git repo' + - name: 'gcpServiceAccountEmail' + type: String + description: 'The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount' + - name: 'syncWaitSecs' + type: String + description: 'Period in seconds between consecutive syncs. Default: 15' + - name: 'oci' + type: NestedObject + description: 'OCI repo configuration for the cluster' + properties: + - name: 'syncRepo' + type: String + description: 'The OCI image repository URL for the package to sync from' + - name: 'policyDir' + type: String + description: 'The absolute path of the directory that contains the local resources. 
Default: the root directory of the image' + - name: 'secretType' + type: String + description: 'Type of secret configured for access to the Git repo' + required: true + - name: 'gcpServiceAccountEmail' + type: String + description: 'The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount' + - name: 'syncWaitSecs' + type: String + description: 'Period in seconds between consecutive syncs. Default: 15' + - name: 'version' + type: String + description: 'Version of ACM installed' + deprecation_message: 'The `configmanagement.config_sync.oci.version` field is deprecated and will be removed in a future major release. Please use `configmanagement.version` field to specify the version of ACM installed instead.' + - name: 'policycontroller' + type: NestedObject + description: Policy Controller spec + properties: + - name: 'version' + type: String + description: 'Configures the version of Policy Controller' + default_from_api: true + - name: 'policyControllerHubConfig' + type: NestedObject + description: 'Configuration of Policy Controller' + required: true + properties: + - name: 'installSpec' + type: Enum + description: 'Configures the mode of the Policy Controller installation' + required: true + enum_values: + - 'INSTALL_SPEC_UNSPECIFIED' + - 'INSTALL_SPEC_NOT_INSTALLED' + - 'INSTALL_SPEC_ENABLED' + - 'INSTALL_SPEC_SUSPENDED' + - 'INSTALL_SPEC_DETACHED' + - name: 'auditIntervalSeconds' + type: Integer + description: 'Interval for Policy Controller Audit scans (in seconds). When set to 0, this disables audit functionality altogether.' + - name: 'exemptableNamespaces' + type: Array + description: 'The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.' + item_type: + type: String + - name: 'logDeniesEnabled' + type: Boolean + description: 'Logs all denies and dry run failures.' 
+ - name: 'mutationEnabled' + type: Boolean + description: 'Enables the ability to mutate resources using Policy Controller.' + - name: 'referentialRulesEnabled' + type: Boolean + description: 'Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.' + - name: 'monitoring' + type: NestedObject + description: 'Monitoring specifies the configuration of monitoring Policy Controller.' + default_from_api: true + properties: + - name: 'backends' + type: Array + description: 'Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.' + default_from_api: true + item_type: + type: Enum + description: 'required but unused' + enum_values: + - 'MONITORING_BACKEND_UNSPECIFIED' + - 'PROMETHEUS' + - 'CLOUD_MONITORING' + - name: 'constraintViolationLimit' + type: Integer + description: 'The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used.' + - name: 'deploymentConfigs' + type: Map + description: 'Map of deployment configs to deployments ("admission", "audit", "mutation").' + default_from_api: true + key_name: 'component' + key_description: 'Specifies which component to apply the deployment config to. Accepted values are "admission", "audit" and "mutation".' + value_type: + description: 'Configures deployment-specific options, such as high availability.' + name: deploymentConfig + type: NestedObject + properties: + - name: 'replicaCount' + type: Integer + description: 'Pod replica count.' + default_from_api: true + send_empty_value: false + - name: 'containerResources' + type: NestedObject + description: 'Container resource requirements.' + properties: + - name: 'limits' + type: NestedObject + description: 'Limits describes the maximum amount of compute resources allowed for use by the running container.' 
+ properties: + - name: 'memory' + type: String + description: 'Memory requirement expressed in Kubernetes resource units.' + - name: 'cpu' + type: String + description: 'CPU requirement expressed in Kubernetes resource units.' + - name: 'requests' + type: NestedObject + description: 'Requests describes the amount of compute resources reserved for the container by the kube-scheduler.' + properties: + - name: 'memory' + type: String + description: 'Memory requirement expressed in Kubernetes resource units.' + - name: 'cpu' + type: String + description: 'CPU requirement expressed in Kubernetes resource units.' + - name: 'podAffinity' + type: Enum + description: 'Pod affinity configuration.' + default_from_api: true + enum_values: + - 'AFFINITY_UNSPECIFIED' + - 'NO_AFFINITY' + - 'ANTI_AFFINITY' + - name: 'podToleration' + type: Array + description: 'Pod tolerations of node taints.' + api_name: podTolerations + item_type: + description: 'required but unused' + type: NestedObject + properties: + - name: 'key' + type: String + description: 'Matches a taint key (not necessarily unique).' + - name: 'operator' + type: String + description: 'Matches a taint operator.' + - name: 'value' + type: String + description: 'Matches a taint value.' + - name: 'effect' + type: String + description: 'Matches a taint effect.' + - name: 'policyContent' + type: NestedObject + description: 'Specifies the desired policy content on the cluster.' + # default_from_api: true + properties: + - name: 'templateLibrary' + type: NestedObject + description: 'Configures the installation of the Template Library.' + default_from_api: true + properties: + - name: 'installation' + type: Enum + description: 'Configures the manner in which the template library is installed on the cluster.' + enum_values: + - 'INSTALATION_UNSPECIFIED' + - 'NOT_INSTALLED' + - 'ALL' + - name: 'bundles' + type: Map + description: 'Configures which bundles to install and their corresponding install specs.' 
+ key_name: 'bundle' + key_description: 'A bundle name supported in this version. Values configure the exempted namespaces for this bundle.' + value_type: + description: 'The specification configuration for a single managed bundle.' + name: bundleInstallSpec + type: NestedObject + properties: + - name: 'exemptedNamespaces' + type: Array + description: 'The set of namespaces to be exempted from the bundle.' + item_type: + type: String + - name: 'state' + type: NestedObject + description: Output only. The Hub-wide Feature state + output: true + properties: + - name: 'state' + type: NestedObject + description: Output only. The "running state" of the Feature in this Hub. + output: true + properties: + - name: 'code' + type: Enum + description: The high-level, machine-readable status of this Feature. + output: true + enum_values: + - 'CODE_UNSPECIFIED' + - 'OK' + - 'WARNING' + - 'ERROR' + - name: 'description' + type: String + description: A human-readable description of the current status. + output: true + - name: 'updateTime' + type: String + description: 'The time this status and any related Feature-specific details were updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"' + output: true + - name: 'createTime' + type: String + description: Output only. When the Feature resource was created. + output: true + - name: 'updateTime' + type: String + description: Output only. When the Feature resource was last updated. + output: true + - name: 'deleteTime' + type: String + description: Output only. When the Feature resource was deleted. + output: true diff --git a/mmv1/products/gkehub2/go_Fleet.yaml b/mmv1/products/gkehub2/go_Fleet.yaml new file mode 100644 index 000000000000..64d931fb0b91 --- /dev/null +++ b/mmv1/products/gkehub2/go_Fleet.yaml 
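Review bot: The `configmanagement.configSync.oci.secretType` description in this hunk reads "Type of secret configured for access to the Git repo", copied from the `git` block above it; for the OCI block it should read "Type of secret configured for access to the OCI repo", and since this `required` field selects the credential type used to reach the repository, the text should name the right target. Two descriptions under `clusterupgrade.gkeUpgradeOverrides.upgrade` (`name` and `version`) say "exceet" where "exceed" is meant. The enum value `INSTALATION_UNSPECIFIED` under `policyContent.templateLibrary.installation` looks misspelled next to the other `*_UNSPECIFIED` values, but it should be confirmed against the API enum before changing, since `enum_values` must match what the service accepts. The `primary_resource_name` entries mix `fmt.Sprint("...")` and `fmt.Sprintf("...")` with no formatting directives; the earlier examples use `fmt.Sprint`, and one form would be cleaner. The header marks this file as converter output, so these presumably belong in the source Feature.yaml rather than in this generated copy.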
@@ -0,0 +1,144 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Fleet' +description: | + Fleet contains information about a group of clusters. +references: + guides: + 'Registering a Cluster to a Fleet': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/multicluster-management/reference/rest/v1/projects.locations.fleets' +docs: +id_format: 'projects/{{project}}/locations/global/fleets/default' +base_url: 'projects/{{project}}/locations/global/fleets' +self_link: 'projects/{{project}}/locations/global/fleets/default' +create_url: 'projects/{{project}}/locations/global/fleets' +update_url: 'projects/{{project}}/locations/global/fleets/default' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/global/fleets/default' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +custom_code: +examples: + - name: 'gkehub_fleet_basic' + primary_resource_id: 'default' + skip_test: true +parameters: +properties: + - name: 
'displayName' + type: String + description: | + A user-assigned display name of the Fleet. When present, it must be between 4 to 30 characters. + Allowed characters are: lowercase and uppercase letters, numbers, hyphen, single-quote, double-quote, space, and exclamation point. + - name: 'createTime' + type: Time + description: | + The time the fleet was created, in RFC3339 text format. + output: true + - name: 'updateTime' + type: Time + description: | + The time the fleet was last updated, in RFC3339 text format. + output: true + - name: 'deleteTime' + type: Time + description: | + The time the fleet was deleted, in RFC3339 text format. + output: true + - name: 'uid' + type: String + description: | + Google-generated UUID for this resource. This is unique across all + Fleet resources. If a Fleet resource is deleted and another + resource with the same name is created, it gets a different uid. + output: true + - name: 'state' + type: NestedObject + description: The state of the fleet resource. + output: true + properties: + - name: 'code' + type: Enum + description: Describes the state of a Fleet resource. + output: true + enum_values: + - 'CODE_UNSPECIFIED' + - 'CREATING' + - 'READY' + - 'DELETING' + - 'UPDATING' + - name: 'defaultClusterConfig' + type: NestedObject + description: The default cluster configurations to apply across the fleet. + properties: + - name: 'binaryAuthorizationConfig' + type: NestedObject + description: Enable/Disable binary authorization features for the cluster. + properties: + - name: 'evaluationMode' + type: Enum + description: Mode of operation for binauthz policy evaluation. + enum_values: + - 'DISABLED' + - 'POLICY_BINDINGS' + - name: 'policyBindings' + type: Array + description: Binauthz policies that apply to this cluster. + item_type: + type: NestedObject + properties: + - name: 'name' + type: String + description: | + The relative resource name of the binauthz platform policy to audit. 
GKE + platform policies have the following format: + `projects/{project_number}/platforms/gke/policies/{policy_id}`. + - name: 'securityPostureConfig' + type: NestedObject + description: Enable/Disable Security Posture features for the cluster. + properties: + - name: 'mode' + type: Enum + description: Sets which mode to use for Security Posture features. + enum_values: + - 'DISABLED' + - 'BASIC' + - 'ENTERPRISE' + - name: 'vulnerabilityMode' + type: Enum + description: Sets which mode to use for vulnerability scanning. + enum_values: + - 'VULNERABILITY_DISABLED' + - 'VULNERABILITY_BASIC' + - 'VULNERABILITY_ENTERPRISE' diff --git a/mmv1/products/gkehub2/go_MembershipBinding.yaml b/mmv1/products/gkehub2/go_MembershipBinding.yaml new file mode 100644 index 000000000000..fd8357ff67b8 --- /dev/null +++ b/mmv1/products/gkehub2/go_MembershipBinding.yaml 
@@ -0,0 +1,148 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'MembershipBinding' +description: | + MembershipBinding is a subresource of a Membership, representing what Fleet Scopes (or other, future Fleet resources) a Membership is bound to. +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.memberships.bindings' +docs: +id_format: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/bindings/{{membership_binding_id}}' +base_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/bindings' +self_link: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/bindings/{{membership_binding_id}}' +create_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/bindings/?membership_binding_id={{membership_binding_id}}' +update_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/bindings/{{membership_binding_id}}' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/bindings/{{membership_binding_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + 
delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +custom_code: +skip_sweeper: true +examples: + - name: 'gkehub_membership_binding_basic' + primary_resource_id: 'membership_binding' + primary_resource_name: 'fmt.Sprintf("tf-test-membership%s", context["random_suffix"]), fmt.Sprintf("tf-test-membership-binding%s", context["random_suffix"])' + vars: + cluster_name: 'basic-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + location: 'REGION' + membership_id: 'fmt.Sprintf("tf-test-membership%s", context["random_suffix"])' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' +parameters: + - name: 'membership_id' + type: String + description: | + Id of the membership + url_param_only: true + required: true + immutable: true + - name: 'location' + type: String + description: | + Location of the membership + url_param_only: true + required: true + immutable: true +properties: + - name: 'membershipBindingId' + type: String + description: | + The client-provided identifier of the membership binding. + url_param_only: true + required: true + immutable: true + - name: 'name' + type: String + description: | + The resource name for the membershipbinding itself + output: true + - name: 'uid' + type: String + description: | + Google-generated UUID for this resource. + output: true + - name: 'scope' + type: ResourceRef + description: | + A Workspace resource name in the format + `projects/*/locations/*/scopes/*`. 
+ required: true
+ diff_suppress_func: 'tpgresource.ProjectNumberDiffSuppress'
+ resource: 'Scope'
+ imports: 'name'
+ - name: 'createTime'
+ type: Time
+ description: |
+ Time the MembershipBinding was created in UTC.
+ output: true
+ - name: 'updateTime'
+ type: Time
+ description: |
+ Time the MembershipBinding was updated in UTC.
+ output: true
+ - name: 'deleteTime'
+ type: Time
+ description: |
+ Time the MembershipBinding was deleted in UTC.
+ output: true
+ - name: 'state'
+ type: NestedObject
+ description: |
+ State of the membership binding resource.
+ output: true
+ properties:
+ - name: 'code'
+ type: Enum
+ description: Code describes the state of a MembershipBinding resource.
+ output: true
+ enum_values:
+ - 'CODE_UNSPECIFIED'
+ - 'CREATING'
+ - 'READY'
+ - 'DELETING'
+ - 'UPDATING'
+ - name: 'labels'
+ type: KeyValueLabels
+ description: |
+ Labels for this Membership binding.
+ immutable: false
diff --git a/mmv1/products/gkehub2/go_MembershipRBACRoleBinding.yaml b/mmv1/products/gkehub2/go_MembershipRBACRoleBinding.yaml
new file mode 100644
index 000000000000..91a526afaae3
--- /dev/null
+++ b/mmv1/products/gkehub2/go_MembershipRBACRoleBinding.yaml
@@ -0,0 +1,172 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'MembershipRBACRoleBinding' +description: | + RBACRoleBinding represents a rbacrolebinding across the Fleet. +min_version: 'beta' +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.memberships' +docs: +id_format: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/{{membership_rbac_role_binding_id}}' +base_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings' +self_link: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/{{membership_rbac_role_binding_id}}' +create_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/?rbacrolebinding_id={{membership_rbac_role_binding_id}}' +immutable: true +import_format: + - 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/{{membership_rbac_role_binding_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: 
'{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +custom_code: +skip_sweeper: true +examples: + - name: 'gkehub_membership_rbac_role_binding_basic' + primary_resource_id: 'membership_rbac_role_binding' + primary_resource_name: 'fmt.Sprintf(\"tf-test-membership%s\", context[\"random_suffix\"]), fmt.Sprintf(\"tf-test-rbac-role-binding%s\", context[\"random_suffix\"])' + min_version: 'beta' + vars: + cluster_name: 'basic-cluster' + deletion_protection: 'true' + network_name: 'default' + subnetwork_name: 'default' + test_env_vars: + project: 'PROJECT_NAME' + location: 'global' + test_vars_overrides: + 'deletion_protection': 'false' + 'network_name': 'acctest.BootstrapSharedTestNetwork(t, "gke-cluster")' + 'subnetwork_name': 'acctest.BootstrapSubnet(t, "gke-cluster", acctest.BootstrapSharedTestNetwork(t, "gke-cluster"))' +parameters: + - name: 'membership_id' + type: String + description: | + Id of the membership + min_version: 'beta' + url_param_only: true + required: true + immutable: true + - name: 'location' + type: String + description: | + Location of the Membership + min_version: 'beta' + url_param_only: true + required: true + immutable: true +properties: + - name: 'membershipRbacRoleBindingId' + type: String + description: | + The client-provided identifier of the RBAC Role Binding. + min_version: 'beta' + url_param_only: true + required: true + immutable: true + - name: 'name' + type: String + description: | + The resource name for the RBAC Role Binding + min_version: 'beta' + output: true + - name: 'uid' + type: String + description: | + Google-generated UUID for this resource. + min_version: 'beta' + output: true + - name: 'createTime' + type: Time + description: | + Time the RBAC Role Binding was created in UTC. 
+ min_version: 'beta'
+ output: true
+ - name: 'updateTime'
+ type: Time
+ description: |
+ Time the RBAC Role Binding was updated in UTC.
+ min_version: 'beta'
+ output: true
+ - name: 'deleteTime'
+ type: Time
+ description: |
+ Time the RBAC Role Binding was deleted in UTC.
+ min_version: 'beta'
+ output: true
+ - name: 'state'
+ type: NestedObject
+ description: |
+ State of the RBAC Role Binding resource.
+ min_version: 'beta'
+ output: true
+ properties:
+ - name: 'code'
+ type: Enum
+ description: |
+ Code describes the state of a RBAC Role Binding resource.
+ min_version: 'beta'
+ output: true
+ enum_values:
+ - 'CODE_UNSPECIFIED'
+ - 'CREATING'
+ - 'READY'
+ - 'DELETING'
+ - 'UPDATING'
+ - name: 'user'
+ type: String
+ description: |
+ Principal that is be authorized in the cluster (at least of one the oneof
+ is required). Updating one will unset the other automatically.
+ user is the name of the user as seen by the kubernetes cluster, example
+ "alice" or "alice@domain.tld"
+ min_version: 'beta'
+ required: true
+ - name: 'role'
+ type: NestedObject
+ description: |
+ Role to bind to the principal.
+ min_version: 'beta'
+ required: true
+ properties:
+ - name: 'predefinedRole'
+ type: Enum
+ description: |
+ PredefinedRole is an ENUM representation of the default Kubernetes Roles
+ min_version: 'beta'
+ required: true
+ enum_values:
+ - 'UNKNOWN'
+ - 'ADMIN'
+ - 'EDIT'
+ - 'VIEW'
+ - 'ANTHOS_SUPPORT'
diff --git a/mmv1/products/gkehub2/go_Namespace.yaml b/mmv1/products/gkehub2/go_Namespace.yaml
new file mode 100644
index 000000000000..a5dbd58f4695
--- /dev/null
+++ b/mmv1/products/gkehub2/go_Namespace.yaml
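Review bot: The `user` property's description in go_MembershipRBACRoleBinding.yaml says "at least of one the oneof is required" and "Updating one will unset the other automatically", but this schema exposes no sibling principal field and marks `user` as `required: true`, so the text points readers at an alternative that cannot be set here; the `group` field with `exactly_one_of` appears only in go_ScopeRBACRoleBinding.yaml. Either trim the description to what this resource models, e.g. `Principal that is authorized in the cluster. user is the name of the user as seen by the kubernetes cluster, example "alice" or "alice@domain.tld"`, or, if the memberships.rbacrolebindings API also accepts a group principal, model it as the Scope variant does — I cannot confirm the API shape from this diff. The `async.actions` list and `timeouts.update_minutes` also name update on a resource declared `immutable: true`, which is harmless but inconsistent. The file header says it is generated and not to be edited directly, so any change belongs in the definition it is generated from.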
@@ -0,0 +1,141 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Namespace' +description: | + Namespace represents a namespace across the Fleet. +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.scopes.namespaces' +docs: +id_format: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/namespaces/{{scope_namespace_id}}' +base_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/namespaces' +self_link: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/namespaces/{{scope_namespace_id}}' +create_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/namespaces/?scope_namespace_id={{scope_namespace_id}}' +update_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/namespaces/{{scope_namespace_id}}' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/global/scopes/{{scope_id}}/namespaces/{{scope_namespace_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + 
path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +custom_code: +skip_sweeper: true +examples: + - name: 'gkehub_namespace_basic' + primary_resource_id: 'namespace' + primary_resource_name: 'fmt.Sprintf("basic%s", context["random_suffix"])' + test_env_vars: + project: 'PROJECT_NAME' + ignore_read_extra: + - 'scope' +parameters: + - name: 'scope_id' + type: String + description: | + Id of the scope + url_param_only: true + required: true + immutable: true +properties: + - name: 'scopeNamespaceId' + type: String + description: | + The client-provided identifier of the namespace. + url_param_only: true + required: true + immutable: true + - name: 'name' + type: String + description: | + The resource name for the namespace + output: true + - name: 'uid' + type: String + description: | + Google-generated UUID for this resource. + output: true + - name: 'createTime' + type: Time + description: | + Time the Namespace was created in UTC. + output: true + - name: 'updateTime' + type: Time + description: | + Time the Namespace was updated in UTC. + output: true + - name: 'deleteTime' + type: Time + description: | + Time the Namespace was deleted in UTC. + output: true + - name: 'scope' + type: ResourceRef + description: | + The name of the Scope instance. + required: true + immutable: true + diff_suppress_func: 'tpgresource.ProjectNumberDiffSuppress' + resource: 'Scope' + imports: 'name' + - name: 'state' + type: NestedObject + description: | + State of the namespace resource. + output: true + properties: + - name: 'code' + type: Enum + description: | + Code describes the state of a Namespace resource. + output: true + enum_values: + - 'CODE_UNSPECIFIED' + - 'CREATING' + - 'READY' + - 'DELETING' + - 'UPDATING' + - name: 'namespaceLabels' + type: KeyValuePairs + description: | + Namespace-level cluster namespace labels. These labels are applied + to the related namespace of the member clusters bound to the parent + Scope. 
Scope-level labels (`namespace_labels` in the Fleet Scope
+ resource) take precedence over Namespace-level labels if they share
+ a key. Keys and values must be Kubernetes-conformant.
+ - name: 'labels'
+ type: KeyValueLabels
+ description: |
+ Labels for this Namespace.
+ immutable: false
diff --git a/mmv1/products/gkehub2/go_Scope.yaml b/mmv1/products/gkehub2/go_Scope.yaml
new file mode 100644
index 000000000000..e273cf9f2e13
--- /dev/null
+++ b/mmv1/products/gkehub2/go_Scope.yaml
@@ -0,0 +1,132 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Scope' +description: | + Scope represents a Scope in a Fleet. +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.scopes' +docs: +id_format: 'projects/{{project}}/locations/global/scopes/{{scope_id}}' +base_url: 'projects/{{project}}/locations/global/scopes' +self_link: 'projects/{{project}}/locations/global/scopes/{{scope_id}}' +create_url: 'projects/{{project}}/locations/global/scopes?scopeId={{scope_id}}' +update_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/global/scopes/{{scope_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +iam_policy: + method_name_separator: ':' + parent_resource_attribute: 'scope_id' + example_config_body: 
'templates/terraform/iam/go/iam_attributes.go.tmpl' + import_format: + - 'projects/{{project}}/locations/global/scopes/{{scope_id}}' + - '{{scope_id}}' +custom_code: +skip_sweeper: true +examples: + - name: 'gkehub_scope_basic' + primary_resource_id: 'scope' + primary_resource_name: 'fmt.Sprintf("tf-test-my-scope%s", context["random_suffix"])' + vars: + resource_name: 'my-scope' + test_env_vars: + project: 'PROJECT_NAME' +parameters: +properties: + - name: 'scopeId' + type: String + description: | + The client-provided identifier of the scope. + url_param_only: true + required: true + immutable: true + - name: 'name' + type: String + description: | + The unique identifier of the scope + output: true + - name: 'uid' + type: String + description: | + Google-generated UUID for this resource. + output: true + - name: 'createTime' + type: Time + description: | + Time the Scope was created in UTC. + output: true + - name: 'updateTime' + type: Time + description: | + Time the Scope was updated in UTC. + output: true + - name: 'deleteTime' + type: Time + description: | + Time the Scope was deleted in UTC. + output: true + - name: 'state' + type: NestedObject + description: | + State of the scope resource. + output: true + properties: + - name: 'code' + type: Enum + description: | + Code describes the state of a Scope resource. + output: true + enum_values: + - 'CODE_UNSPECIFIED' + - 'CREATING' + - 'READY' + - 'DELETING' + - 'UPDATING' + - name: 'namespaceLabels' + type: KeyValuePairs + description: | + Scope-level cluster namespace labels. For the member clusters bound + to the Scope, these labels are applied to each namespace under the + Scope. Scope-level labels take precedence over Namespace-level + labels (`namespace_labels` in the Fleet Namespace resource) if they + share a key. Keys and values must be Kubernetes-conformant. + - name: 'labels' + type: KeyValueLabels + description: | + Labels for this Scope. + immutable: false 
diff --git a/mmv1/products/gkehub2/go_ScopeRBACRoleBinding.yaml b/mmv1/products/gkehub2/go_ScopeRBACRoleBinding.yaml
new file mode 100644
index 000000000000..a3a64ce804b1
--- /dev/null
+++ b/mmv1/products/gkehub2/go_ScopeRBACRoleBinding.yaml
@@ -0,0 +1,156 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'ScopeRBACRoleBinding' +description: | + RBACRoleBinding represents a rbacrolebinding across the Fleet. +references: + guides: + 'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster' + api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.scopes.rbacrolebindings' +docs: +id_format: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/rbacrolebindings/{{scope_rbac_role_binding_id}}' +base_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/rbacrolebindings' +self_link: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/rbacrolebindings/{{scope_rbac_role_binding_id}}' +create_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/rbacrolebindings/?rbacrolebinding_id={{scope_rbac_role_binding_id}}' +update_url: 'projects/{{project}}/locations/global/scopes/{{scope_id}}/rbacrolebindings/{{scope_rbac_role_binding_id}}' +update_verb: 'PATCH' +update_mask: true +import_format: + - 'projects/{{project}}/locations/global/scopes/{{scope_id}}/rbacrolebindings/{{scope_rbac_role_binding_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + 
operation: + base_url: '{{op_id}}' + kind: 'gkehub#operation' + path: 'name' + wait_ms: 1000 + result: + path: 'response' + resource_inside_response: true + error: + path: 'error/errors' + message: 'message' +custom_code: +skip_sweeper: true +examples: + - name: 'gkehub_scope_rbac_role_binding_basic' + primary_resource_id: 'scope_rbac_role_binding' + primary_resource_name: 'fmt.Sprintf(\"tf-test-scope%s\", context[\"random_suffix\"]), fmt.Sprintf(\"tf-test-rbac-role-binding%s\", context[\"random_suffix\"])' + test_env_vars: + project: 'PROJECT_NAME' +parameters: + - name: 'scope_id' + type: String + description: | + Id of the scope + url_param_only: true + required: true + immutable: true +properties: + - name: 'scopeRbacRoleBindingId' + type: String + description: | + The client-provided identifier of the RBAC Role Binding. + url_param_only: true + required: true + immutable: true + - name: 'name' + type: String + description: | + The resource name for the RBAC Role Binding + output: true + - name: 'uid' + type: String + description: | + Google-generated UUID for this resource. + output: true + - name: 'createTime' + type: Time + description: | + Time the RBAC Role Binding was created in UTC. + output: true + - name: 'updateTime' + type: Time + description: | + Time the RBAC Role Binding was updated in UTC. + output: true + - name: 'deleteTime' + type: Time + description: | + Time the RBAC Role Binding was deleted in UTC. + output: true + - name: 'state' + type: NestedObject + description: | + State of the RBAC Role Binding resource. + output: true + properties: + - name: 'code' + type: Enum + description: | + Code describes the state of a RBAC Role Binding resource. + output: true + enum_values: + - 'CODE_UNSPECIFIED' + - 'CREATING' + - 'READY' + - 'DELETING' + - 'UPDATING' + - name: 'user' + type: String + description: | + Principal that is be authorized in the cluster (at least of one the oneof + is required). Updating one will unset the other automatically. 
+ user is the name of the user as seen by the kubernetes cluster, example
+ "alice" or "alice@domain.tld"
+ exactly_one_of:
+ - 'user'
+ - 'group'
+ - name: 'group'
+ type: String
+ description: |
+ Principal that is be authorized in the cluster (at least of one the oneof
+ is required). Updating one will unset the other automatically.
+ group is the group, as seen by the kubernetes cluster.
+ exactly_one_of:
+ - 'user'
+ - 'group'
+ - name: 'role'
+ type: NestedObject
+ description: |
+ Role to bind to the principal.
+ required: true
+ properties:
+ - name: 'predefinedRole'
+ type: Enum
+ description: |
+ PredefinedRole is an ENUM representation of the default Kubernetes Roles
+ enum_values:
+ - 'UNKNOWN'
+ - 'ADMIN'
+ - 'EDIT'
+ - 'VIEW'
+ - name: 'labels'
+ type: KeyValueLabels
+ description: |
+ Labels for this ScopeRBACRoleBinding.
+ immutable: false
diff --git a/mmv1/products/gkehub2/go_product.yaml b/mmv1/products/gkehub2/go_product.yaml
new file mode 100644
index 000000000000..68e0bf17002e
--- /dev/null
+++ b/mmv1/products/gkehub2/go_product.yaml
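Review bot: In go_ScopeRBACRoleBinding.yaml the `role` block is `required: true` but its only property, `predefinedRole`, carries no `required: true`, so a configuration with an empty `role {}` appears to pass schema validation and is left for the API to reject, whereas go_MembershipRBACRoleBinding.yaml marks `predefinedRole` as required. Adding `required: true` under `predefinedRole` would make the two role-binding resources consistent and surface the mistake at plan time rather than apply time. The enum here also omits `ANTHOS_SUPPORT`, which the Membership variant lists; that may be intentional for scope-level bindings, but it is worth confirming against the scopes.rbacrolebindings API. Because the file is generated, the change belongs in its source definition.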
@@ -0,0 +1,25 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'GKEHub2'
+legacy_name: 'gke_hub'
+display_name: 'GKEHub'
+versions:
+ - name: 'beta'
+ base_url: 'https://gkehub.googleapis.com/v1beta/'
+ - name: 'ga'
+ base_url: 'https://gkehub.googleapis.com/v1/'
+scopes:
+ - 'https://www.googleapis.com/auth/cloud-platform'
diff --git a/mmv1/products/iam2/go_AccessBoundaryPolicy.yaml b/mmv1/products/iam2/go_AccessBoundaryPolicy.yaml
new file mode 100644
index 000000000000..21b9097d31ea
--- /dev/null
+++ b/mmv1/products/iam2/go_AccessBoundaryPolicy.yaml
@@ -0,0 +1,137 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'AccessBoundaryPolicy' +description: | + Represents a collection of access boundary policies to apply to a given resource. + **NOTE**: This is a private feature and users should contact GCP support + if they would like to test it. +docs: +id_format: '{{parent}}/{{name}}' +base_url: 'policies/{{parent}}/accessboundarypolicies' +create_url: 'policies/{{parent}}/accessboundarypolicies?policyId={{name}}' +import_format: + - '{{parent}}/{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'targetLink' + resource_inside_response: false + error: + path: 'error' + message: 'message' +custom_code: +skip_sweeper: true +examples: + - name: 'iam_access_boundary_policy_basic' + primary_resource_id: 'example' + vars: + policy_name: 'my-ab-policy' + account_id: 'svc-acc' + project_id: 'my-project' + access_level_title: 'chromeos_no_lock' + test_env_vars: + org_id: 'ORG_ID' + billing_account: 'BILLING_ACCT' + skip_test: true +parameters: +properties: + - name: 'name' + type: String + description: | + The name of the policy. 
+ url_param_only: true + required: true + immutable: true + - name: 'parent' + type: String + description: | + The attachment point is identified by its URL-encoded full resource name. + url_param_only: true + required: true + immutable: true + - name: 'displayName' + type: String + description: | + The display name of the rule. + - name: 'etag' + type: Fingerprint + description: | + The hash of the resource. Used internally during updates. + output: true + - name: 'rules' + type: Array + description: | + Rules to be applied. + required: true + item_type: + type: NestedObject + properties: + - name: 'description' + type: String + description: | + The description of the rule. + - name: 'accessBoundaryRule' + type: NestedObject + description: | + An access boundary rule in an IAM policy. + properties: + - name: 'availableResource' + type: String + description: + The full resource name of a Google Cloud resource entity. + - name: 'availablePermissions' + type: Array + description: + A list of permissions that may be allowed for use on the + specified resource. + item_type: + type: String + - name: 'availabilityCondition' + type: NestedObject + description: + The availability condition further constrains the access allowed + by the access boundary rule. + properties: + - name: 'expression' + type: String + description: | + Textual representation of an expression in Common Expression Language syntax. + required: true + - name: 'title' + type: String + description: | + Title for the expression, i.e. a short string describing its purpose. + This can be used e.g. in UIs which allow to enter the expression. + - name: 'description' + type: String + description: | + Description of the expression. This is a longer text which describes the expression, + e.g. when hovered over it in a UI. + - name: 'location' + type: String + description: | + String indicating the location of the expression for error reporting, + e.g. a file name and a position in the file. 
diff --git a/mmv1/products/iam2/go_DenyPolicy.yaml b/mmv1/products/iam2/go_DenyPolicy.yaml
new file mode 100644
index 000000000000..05dd1e59eee7
--- /dev/null
+++ b/mmv1/products/iam2/go_DenyPolicy.yaml
@@ -0,0 +1,155 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'DenyPolicy' +description: | + Represents a collection of denial policies to apply to a given resource. +references: + guides: + 'Permissions supported in deny policies': 'https://cloud.google.com/iam/docs/deny-permissions-support' + api: 'https://cloud.google.com/iam/docs/reference/rest/v2/policies' +docs: +id_format: '{{parent}}/{{name}}' +base_url: 'policies/{{parent}}/denypolicies' +create_url: 'policies/{{parent}}/denypolicies?policyId={{name}}' +import_format: + - '{{parent}}/{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +autogen_async: true +async: + actions: ['create', 'delete', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'targetLink' + resource_inside_response: false + error: + path: 'error' + message: 'message' +custom_code: +examples: + - name: 'iam_deny_policy_basic' + primary_resource_id: 'example' + vars: + policy_name: 'my-deny-policy' + account_id: 'svc-acc' + project_name: 'my-project' + test_env_vars: + org_id: 'ORG_ID' + billing_account: 'BILLING_ACCT' +parameters: +properties: + - name: 'name' + type: String + description: | + The name of the policy. 
+ url_param_only: true + required: true + immutable: true + - name: 'parent' + type: String + description: | + The attachment point is identified by its URL-encoded full resource name. + url_param_only: true + required: true + immutable: true + - name: 'displayName' + type: String + description: | + The display name of the rule. + - name: 'etag' + type: Fingerprint + description: | + The hash of the resource. Used internally during updates. + output: true + - name: 'rules' + type: Array + description: | + Rules to be applied. + required: true + item_type: + type: NestedObject + properties: + - name: 'description' + type: String + description: | + The description of the rule. + - name: 'denyRule' + type: NestedObject + description: | + A deny rule in an IAM deny policy. + properties: + - name: 'deniedPrincipals' + type: Array + description: + The identities that are prevented from using one or more + permissions on Google Cloud resources. + item_type: + type: String + - name: 'exceptionPrincipals' + type: Array + description: | + The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. + For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. + item_type: + type: String + - name: 'deniedPermissions' + type: Array + description: | + The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`, + where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`. + item_type: + type: String + - name: 'exceptionPermissions' + type: Array + description: | + Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. + If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. 
+ The excluded permissions can be specified using the same syntax as deniedPermissions. + item_type: + type: String + - name: 'denialCondition' + type: NestedObject + description: + User defined CEVAL expression. A CEVAL expression is used to + specify match criteria such as origin.ip, source.region_code and + contents in the request header. + properties: + - name: 'expression' + type: String + description: | + Textual representation of an expression in Common Expression Language syntax. + required: true + - name: 'title' + type: String + description: | + Title for the expression, i.e. a short string describing its purpose. + This can be used e.g. in UIs which allow to enter the expression. + - name: 'description' + type: String + description: | + Description of the expression. This is a longer text which describes the expression, + e.g. when hovered over it in a UI. + - name: 'location' + type: String + description: | + String indicating the location of the expression for error reporting, + e.g. a file name and a position in the file. diff --git a/mmv1/products/iam2/go_product.yaml b/mmv1/products/iam2/go_product.yaml new file mode 100644 index 000000000000..dfe2d8dcac86 --- /dev/null +++ b/mmv1/products/iam2/go_product.yaml 
@@ -0,0 +1,37 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'IAM2'
+legacy_name: 'iam'
+display_name: 'Cloud IAM'
+versions:
+ - name: 'beta'
+ base_url: 'https://iam.googleapis.com/v2beta/'
+ - name: 'ga'
+ base_url: 'https://iam.googleapis.com/v2/'
+scopes:
+ - 'https://www.googleapis.com/auth/iam'
+async:
+ type: "OpAsync"
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'targetLink'
+ resource_inside_response: false
+ error:
+ path: 'error'
+ message: 'message'
diff --git a/mmv1/products/iambeta/go_WorkloadIdentityPool.yaml b/mmv1/products/iambeta/go_WorkloadIdentityPool.yaml
new file mode 100644
index 000000000000..7768df674318
--- /dev/null
+++ b/mmv1/products/iambeta/go_WorkloadIdentityPool.yaml
@@ -0,0 +1,110 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WorkloadIdentityPool'
+description: |
+ Represents a collection of external workload identities. You can define IAM policies to
+ grant these identities access to Google Cloud resources.
+references:
+ guides:
+ 'Managing workload identity pools': 'https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools'
+ api: 'https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools'
+docs:
+base_url: 'projects/{{project}}/locations/global/workloadIdentityPools'
+self_link: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}'
+create_url: 'projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+ - 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+autogen_async: true
+async:
+ actions: ['create', 'delete', 'update']
+ type: 'OpAsync'
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'targetLink'
+ resource_inside_response: false
+ error:
+ path: 'error'
+ message: 'message'
+custom_code:
+ constants: 'templates/terraform/constants/go/iam_workload_identity_pool.go.tmpl'
+ decoder: 'templates/terraform/decoders/go/treat_deleted_state_as_gone.go.tmpl'
+ test_check_destroy: 'templates/terraform/custom_check_destroy/go/iam_workload_identity_pool.go.tmpl'
+examples:
+ - name: 'iam_workload_identity_pool_basic'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ - name: 'iam_workload_identity_pool_full'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+parameters:
+properties:
+ - name: 'workloadIdentityPoolId'
+ type: String
+ description: |
+ The ID to use for the pool, which becomes the final component of the resource name. This
+ value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+ `gcp-` is reserved for use by Google, and may not be specified.
+ url_param_only: true
+ required: true
+ immutable: true
+ validation:
+ function: 'ValidateWorkloadIdentityPoolId'
+ - name: 'state'
+ type: Enum
+ description: |
+ The state of the pool.
+ * STATE_UNSPECIFIED: State unspecified.
+ * ACTIVE: The pool is active, and may be used in Google Cloud policies.
+ * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
+ approximately 30 days. You can restore a soft-deleted pool using
+ UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
+ permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
+ use existing tokens to access resources. If the pool is undeleted, existing tokens grant
+ access again.
+ output: true
+ enum_values:
+ - 'STATE_UNSPECIFIED'
+ - 'ACTIVE'
+ - 'DELETED'
+ - name: 'displayName'
+ type: String
+ description: A display name for the pool. Cannot exceed 32 characters.
+ - name: 'description'
+ type: String
+ description: A description of the pool. Cannot exceed 256 characters.
+ - name: 'name'
+ type: String
+ description: |
+ The resource name of the pool as
+ `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`.
+ output: true
+ - name: 'disabled'
+ type: Boolean
+ description: |
+ Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
+ existing tokens to access resources. If the pool is re-enabled, existing tokens grant
+ access again.
diff --git a/mmv1/products/iambeta/go_WorkloadIdentityPoolProvider.yaml b/mmv1/products/iambeta/go_WorkloadIdentityPoolProvider.yaml
new file mode 100644
index 000000000000..7bc6308f2e31
--- /dev/null
+++ b/mmv1/products/iambeta/go_WorkloadIdentityPoolProvider.yaml
@@ -0,0 +1,316 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WorkloadIdentityPoolProvider'
+description: A configuration for an external identity provider.
+references:
+ guides:
+ 'Managing workload identity providers': 'https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers'
+ api: 'https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers'
+docs:
+base_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers'
+self_link: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}'
+create_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers?workloadIdentityPoolProviderId={{workload_identity_pool_provider_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+ - 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+autogen_async: true
+async:
+ actions: ['create', 'delete', 'update']
+ type: 'OpAsync'
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'targetLink'
+ resource_inside_response: false
+ error:
+ path: 'error'
+ message: 'message'
+custom_code:
+ constants: 'templates/terraform/constants/go/iam_workload_identity_pool_provider.go.tmpl'
+ decoder: 'templates/terraform/decoders/go/treat_deleted_state_as_gone.go.tmpl'
+ test_check_destroy: 'templates/terraform/custom_check_destroy/go/iam_workload_identity_pool_provider.go.tmpl'
+examples:
+ - name: 'iam_workload_identity_pool_provider_aws_basic'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+ - name: 'iam_workload_identity_pool_provider_aws_full'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+ - name: 'iam_workload_identity_pool_provider_oidc_basic'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+ - name: 'iam_workload_identity_pool_provider_oidc_full'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+ - name: 'iam_workload_identity_pool_provider_saml_basic'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+ - name: 'iam_workload_identity_pool_provider_saml_full'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+ - name: 'iam_workload_identity_pool_provider_oidc_upload_key'
+ primary_resource_id: 'example'
+ vars:
+ workload_identity_pool_id: 'example-pool'
+ workload_identity_pool_provider_id: 'example-prvdr'
+parameters:
+properties:
+ - name: 'workloadIdentityPoolId'
+ type: String
+ description: |
+ The ID used for the pool, which is the final component of the pool resource name. This
+ value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+ `gcp-` is reserved for use by Google, and may not be specified.
+ url_param_only: true
+ required: true
+ immutable: true
+ - name: 'workloadIdentityPoolProviderId'
+ type: String
+ description: |
+ The ID for the provider, which becomes the final component of the resource name. This
+ value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+ `gcp-` is reserved for use by Google, and may not be specified.
+ url_param_only: true
+ required: true
+ immutable: true
+ validation:
+ function: 'ValidateWorkloadIdentityPoolProviderId'
+ - name: 'state'
+ type: Enum
+ description: |
+ The state of the provider.
+ * STATE_UNSPECIFIED: State unspecified.
+ * ACTIVE: The provider is active, and may be used to validate authentication credentials.
+ * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted
+ after approximately 30 days. You can restore a soft-deleted provider using
+ UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider
+ until it is permanently deleted.
+ output: true
+ enum_values:
+ - 'STATE_UNSPECIFIED'
+ - 'ACTIVE'
+ - 'DELETED'
+ - name: 'displayName'
+ type: String
+ description: A display name for the provider. Cannot exceed 32 characters.
+ - name: 'description'
+ type: String
+ description: A description for the provider. Cannot exceed 256 characters.
+ - name: 'name'
+ type: String
+ description: |
+ The resource name of the provider as
+ `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
+ output: true
+ - name: 'disabled'
+ type: Boolean
+ description: |
+ Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
+ However, existing tokens still grant access.
+ - name: 'attributeMapping'
+ type: KeyValuePairs
+ description: |
+ Maps attributes from authentication credentials issued by an external identity provider
+ to Google Cloud attributes, such as `subject` and `segment`.
+
+ Each key must be a string specifying the Google Cloud IAM attribute to map to.
+
+ The following keys are supported:
+ * `google.subject`: The principal IAM is authenticating. You can reference this value
+ in IAM bindings. This is also the subject that appears in Cloud Logging logs.
+ Cannot exceed 127 characters.
+ * `google.groups`: Groups the external identity belongs to. You can grant groups
+ access to resources using an IAM `principalSet` binding; access applies to all
+ members of the group.
+
+ You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
+ where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
+ define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
+ is 100 characters, and the key may only contain the characters [a-z0-9_].
+
+ You can reference these attributes in IAM policies to define fine-grained access for a
+ workload to Google Cloud resources. For example:
+ * `google.subject`:
+ `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
+ * `google.groups`:
+ `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
+ * `attribute.{custom_attribute}`:
+ `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
+
+ Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
+ function that maps an identity provider credential to the normalized attribute specified
+ by the corresponding map key.
+ + You can use the `assertion` keyword in the expression to access a JSON representation of + the authentication credential issued by the provider. + + The maximum length of an attribute mapping expression is 2048 characters. When evaluated, + the total size of all mapped attributes must not exceed 8KB. + + For AWS providers, the following rules apply: + - If no attribute mapping is defined, the following default mapping applies: + ``` + { + "google.subject":"assertion.arn", + "attribute.aws_role": + "assertion.arn.contains('assumed-role')" + " ? assertion.arn.extract('{account_arn}assumed-role/')" + " + 'assumed-role/'" + " + assertion.arn.extract('assumed-role/{role_name}/')" + " : assertion.arn", + } + ``` + - If any custom attribute mappings are defined, they must include a mapping to the + `google.subject` attribute. + + For OIDC providers, the following rules apply: + - Custom attribute mappings must be defined, and must include a mapping to the + `google.subject` attribute. For example, the following maps the `sub` claim of the + incoming credential to the `subject` attribute on a Google token. + ``` + {"google.subject": "assertion.sub"} + ``` + - name: 'attributeCondition' + type: String + description: | + [A Common Expression Language](https://opensource.google/projects/cel) expression, in + plain text, to restrict what otherwise valid authentication credentials issued by the + provider should not be accepted. + + The expression must output a boolean representing whether to allow the federation. + + The following keywords may be referenced in the expressions: + * `assertion`: JSON representing the authentication credential issued by the provider. + * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. + * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. + + The maximum length of the attribute condition expression is 4096 characters. 
If
+ unspecified, all valid authentication credential are accepted.
+
+ The following example shows how to only allow credentials with a mapped `google.groups`
+ value of `admins`:
+ ```
+ "'admins' in google.groups"
+ ```
+ - name: 'aws'
+ type: NestedObject
+ description:
+ An Amazon Web Services identity provider. Not compatible with the property
+ oidc or saml.
+ exactly_one_of:
+ - 'aws'
+ - 'oidc'
+ - 'saml'
+ properties:
+ - name: 'accountId'
+ type: String
+ description: The AWS account ID.
+ required: true
+ - name: 'oidc'
+ type: NestedObject
+ description:
+ An OpenId Connect 1.0 identity provider. Not compatible with the property
+ aws or saml.
+ update_mask_fields:
+ - 'oidc.allowed_audiences'
+ - 'oidc.issuer_uri'
+ - 'oidc.jwks_json'
+ exactly_one_of:
+ - 'aws'
+ - 'oidc'
+ - 'saml'
+ properties:
+ - name: 'allowedAudiences'
+ type: Array
+ description: |
+ Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange
+ requests are rejected if the token audience does not match one of the configured
+ values. Each audience may be at most 256 characters. A maximum of 10 audiences may
+ be configured.
+
+ If this list is empty, the OIDC token audience must be equal to the full canonical
+ resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
+ For example:
+ ```
+ //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
+ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
+ ```
+ item_type:
+ type: String
+ - name: 'issuerUri'
+ type: String
+ description: The OIDC issuer URL.
+ required: true
+ - name: 'jwksJson'
+ type: String
+ description: |
+ OIDC JWKs in JSON String format. For details on definition of a
+ JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
+ use the `jwks_uri` from the discovery document fetched from the
+ .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
+ keys are supported. The JWK must use following format and include only
+ the following fields:
+ ```
+ {
+ "keys": [
+ {
+ "kty": "RSA/EC",
+ "alg": "",
+ "use": "sig",
+ "kid": "",
+ "n": "",
+ "e": "",
+ "x": "",
+ "y": "",
+ "crv": ""
+ }
+ ]
+ }
+ ```
+ required: false
+ - name: 'saml'
+ type: NestedObject
+ description:
+ An SAML 2.0 identity provider. Not compatible with the property
+ oidc or aws.
+ exactly_one_of:
+ - 'aws'
+ - 'oidc'
+ - 'saml'
+ properties:
+ - name: 'idpMetadataXml'
+ type: String
+ description: SAML Identity provider configuration metadata xml doc.
+ required: true
diff --git a/mmv1/products/iambeta/go_product.yaml b/mmv1/products/iambeta/go_product.yaml
new file mode 100644
index 000000000000..ef2f07ac1090
--- /dev/null
+++ b/mmv1/products/iambeta/go_product.yaml
@@ -0,0 +1,37 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'IAMBeta'
+legacy_name: 'iam'
+display_name: 'Cloud IAM'
+versions:
+ - name: 'beta'
+ base_url: 'https://iam.googleapis.com/v1/'
+ - name: 'ga'
+ base_url: 'https://iam.googleapis.com/v1/'
+scopes:
+ - 'https://www.googleapis.com/auth/iam'
+async:
+ type: "OpAsync"
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'targetLink'
+ resource_inside_response: false
+ error:
+ path: 'error'
+ message: 'message'
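Review bot: The `jwksJson` description in this hunk links to `https:tools.ietf.org/html/rfc7517`, which lacks the `//` after the scheme and will not resolve as written; it should read `JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we`. In the same description the example JWK lists every field as an empty string (`"alg": ""`, `"kid": ""`, `"n": ""`), and the `allowedAudiences` example shows empty path segments (`projects//locations//workloadIdentityPools//providers/`); if the page stripped angle-bracket placeholders this is a rendering artifact, otherwise the examples should name the expected values so a reader can tell which audience and key fields the provider validates. The `attributeCondition` text `all valid authentication credential are accepted` should read `all valid authentication credentials are accepted`, matching the WorkforcePoolProvider wording later in the commit. Since the header says the file is generated and must not be edited directly, these fixes presumably belong in the source YAML the converter reads.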
diff --git a/mmv1/products/iamworkforcepool/go_WorkforcePool.yaml b/mmv1/products/iamworkforcepool/go_WorkforcePool.yaml
new file mode 100644
index 000000000000..d98fd1b5cb2b
--- /dev/null
+++ b/mmv1/products/iamworkforcepool/go_WorkforcePool.yaml
@@ -0,0 +1,166 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WorkforcePool'
+description: |
+ Represents a collection of external workforces. Provides namespaces for
+ federated users that can be referenced in IAM policies.
+references:
+ guides:
+ 'Manage pools': 'https://cloud.google.com/iam/docs/manage-workforce-identity-pools-providers#manage_pools'
+ api: 'https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools'
+docs:
+ note: |
+ Ask your Google Cloud account team to request access to workforce identity federation for
+ your billing/quota project. The account team notifies you when the project is granted access.
+base_url: 'locations/{{location}}/workforcePools'
+self_link: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}'
+create_url: 'locations/{{location}}/workforcePools?workforcePoolId={{workforce_pool_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+ - 'locations/{{location}}/workforcePools/{{workforce_pool_id}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+autogen_async: true
+async:
+ actions: ['create', 'delete', 'update']
+ type: 'OpAsync'
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'targetLink'
+ resource_inside_response: false
+ error:
+ path: 'error'
+ message: 'message'
+custom_code:
+ constants: 'templates/terraform/constants/go/iam_workforce_pool.go.tmpl'
+ decoder: 'templates/terraform/decoders/go/treat_deleted_state_as_gone.go.tmpl'
+ test_check_destroy: 'templates/terraform/custom_check_destroy/go/iam_workforce_pool.go.tmpl'
+examples:
+ - name: 'iam_workforce_pool_basic'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ - name: 'iam_workforce_pool_full'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ test_env_vars:
+ org_id: 'ORG_ID'
+parameters:
+properties:
+ - name: 'location'
+ type: String
+ description: The location for the resource.
+ url_param_only: true
+ required: true
+ immutable: true
+ - name: 'workforcePoolId'
+ type: String
+ description: |
+ The name of the pool. The ID must be a globally unique string of 6 to 63 lowercase letters,
+ digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen.
+ The prefix `gcp-` is reserved for use by Google, and may not be specified.
+ url_param_only: true
+ required: true
+ immutable: true
+ validation:
+ function: 'ValidateWorkforcePoolId'
+ - name: 'name'
+ type: String
+ description: |
+ Output only. The resource name of the pool.
+ Format: `locations/{location}/workforcePools/{workforcePoolId}`
+ output: true
+ - name: 'parent'
+ type: String
+ description: |
+ Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
+ required: true
+ immutable: true
+ - name: 'displayName'
+ type: String
+ description:
+ A user-specified display name of the pool in Google Cloud Console. Cannot
+ exceed 32 characters.
+ - name: 'description'
+ type: String
+ description:
+ A user-specified description of the pool. Cannot exceed 256 characters.
+ - name: 'state'
+ type: Enum
+ description: |
+ Output only. The state of the pool.
+ * STATE_UNSPECIFIED: State unspecified.
+ * ACTIVE: The pool is active, and may be used in Google Cloud policies.
+ * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted
+ after approximately 30 days. You can restore a soft-deleted pool using
+ [workforcePools.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools/undelete#google.iam.admin.v1.WorkforcePools.UndeleteWorkforcePool).
+ You cannot reuse the ID of a soft-deleted pool until it is permanently deleted.
+ While a pool is deleted, you cannot use it to exchange tokens, or use
+ existing tokens to access resources. If the pool is undeleted, existing
+ tokens grant access again.
+ output: true
+ enum_values:
+ - 'STATE_UNSPECIFIED'
+ - 'ACTIVE'
+ - 'DELETED'
+ - name: 'disabled'
+ type: Boolean
+ description: |
+ Whether the pool is disabled. You cannot use a disabled pool to exchange tokens,
+ or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
+ - name: 'sessionDuration'
+ type: String
+ description: |
+ Duration that the Google Cloud access tokens, console sign-in sessions,
+ and `gcloud` sign-in sessions from this pool are valid.
+ Must be greater than 15 minutes (900s) and less than 12 hours (43200s).
+ If `sessionDuration` is not configured, minted credentials have a default duration of one hour (3600s).
+ A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: "`3.5s`".
+ default_value: "3600s"
+ - name: 'accessRestrictions'
+ type: NestedObject
+ description: |
+ Configure access restrictions on the workforce pool users. This is an optional field. If specified web
+ sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users.
+ immutable: true
+ properties:
+ - name: 'allowedServices'
+ type: Array
+ description: |
+ Services allowed for web sign-in with the workforce pool.
+ If not set by default there are no restrictions.
+ item_type:
+ type: NestedObject
+ properties:
+ - name: 'domain'
+ type: String
+ description: |
+ Domain name of the service.
+ Example: console.cloud.google
+ - name: 'disableProgrammaticSignin'
+ type: Boolean
+ description: |
+ Disable programmatic sign-in by disabling token issue via the Security Token API endpoint.
+ See [Security Token Service API](https://cloud.google.com/iam/docs/reference/sts/rest).
diff --git a/mmv1/products/iamworkforcepool/go_WorkforcePoolProvider.yaml b/mmv1/products/iamworkforcepool/go_WorkforcePoolProvider.yaml
new file mode 100644
index 000000000000..fafe22bf5819
--- /dev/null
+++ b/mmv1/products/iamworkforcepool/go_WorkforcePoolProvider.yaml
@@ -0,0 +1,457 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WorkforcePoolProvider'
+description: |
+ A configuration for an external identity provider.
+references:
+ guides:
+ 'Configure a provider within the workforce pool': 'https://cloud.google.com/iam/docs/manage-workforce-identity-pools-providers#configure_a_provider_within_the_workforce_pool'
+ api: 'https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers'
+docs:
+ note: |
+ Ask your Google Cloud account team to request access to workforce identity federation for your
+ billing/quota project. The account team notifies you when the project is granted access.
+base_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers'
+self_link: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}'
+create_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers?workforcePoolProviderId={{provider_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+ - 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+autogen_async: true
+async:
+ actions: ['create', 'delete', 'update']
+ type: 'OpAsync'
+ operation:
+ base_url: '{{op_id}}'
+ path: 'name'
+ wait_ms: 1000
+ result:
+ path: 'targetLink'
+ resource_inside_response: false
+ error:
+ path: 'error'
+ message: 'message'
+custom_code:
+ constants: 'templates/terraform/constants/go/iam_workforce_pool_provider.go.tmpl'
+ decoder: 'templates/terraform/decoders/go/treat_deleted_state_as_gone.go.tmpl'
+ post_create: 'templates/terraform/post_create/go/iam_workforce_pool_provider.go.tmpl'
+ post_update: 'templates/terraform/post_update/go/iam_workforce_pool_provider.go.tmpl'
+examples:
+ - name: 'iam_workforce_pool_provider_saml_basic'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ - name: 'iam_workforce_pool_provider_saml_full'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ - name: 'iam_workforce_pool_provider_oidc_basic'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ ignore_read_extra:
+ - 'oidc.0.client_secret.0.value.0.plain_text'
+ - name: 'iam_workforce_pool_provider_oidc_full'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ ignore_read_extra:
+ - 'oidc.0.client_secret.0.value.0.plain_text'
+ - name: 'iam_workforce_pool_provider_oidc_upload_key'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ ignore_read_extra:
+ - 'oidc.0.client_secret.0.value.0.plain_text'
+ skip_docs: true
+ - name: 'iam_workforce_pool_provider_extra_attributes_oauth2_config_client_basic'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ ignore_read_extra:
+ - 'oidc.0.client_secret.0.value.0.plain_text'
+ - 'extra_attributes_oauth2_client.0.client_secret.0.value.0.plain_text'
+ - name: 'iam_workforce_pool_provider_extra_attributes_oauth2_config_client_full'
+ primary_resource_id: 'example'
+ vars:
+ workforce_pool_id: 'example-pool'
+ provider_id: 'example-prvdr'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ ignore_read_extra:
+ - 'oidc.0.client_secret.0.value.0.plain_text'
+ - 'extra_attributes_oauth2_client.0.client_secret.0.value.0.plain_text'
+parameters:
+properties:
+ - name: 'location'
+ type: String
+ description: The location for the resource.
+ url_param_only: true
+ required: true
+ immutable: true
+ - name: 'workforcePoolId'
+ type: String
+ description: |
+ The ID to use for the pool, which becomes the final component of the resource name.
+ The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
+ It must start with a letter, and cannot have a trailing hyphen.
+ The prefix `gcp-` is reserved for use by Google, and may not be specified.
+ url_param_only: true
+ required: true
+ immutable: true
+ - name: 'providerId'
+ type: String
+ description: |
+ The ID for the provider, which becomes the final component of the resource name.
+ This value must be 4-32 characters, and may contain the characters [a-z0-9-].
+ The prefix `gcp-` is reserved for use by Google, and may not be specified.
+ url_param_only: true
+ required: true
+ immutable: true
+ validation:
+ function: 'ValidateWorkforcePoolProviderId'
+ - name: 'name'
+ type: String
+ description: |
+ Output only. The resource name of the provider.
+ Format: `locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}`
+ output: true
+ - name: 'displayName'
+ type: String
+ description:
+ A user-specified display name for the provider. Cannot exceed 32
+ characters.
+ - name: 'description'
+ type: String
+ description:
+ A user-specified description of the provider. Cannot exceed 256
+ characters.
+ - name: 'state'
+ type: Enum
+ description: |
+ The current state of the provider.
+ * STATE_UNSPECIFIED: State unspecified.
+ * ACTIVE: The provider is active and may be used to validate authentication credentials.
+ * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently
+ deleted after approximately 30 days. You can restore a soft-deleted provider using
+ [providers.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers/undelete#google.iam.admin.v1.WorkforcePools.UndeleteWorkforcePoolProvider).
+ output: true
+ enum_values:
+ - 'STATE_UNSPECIFIED'
+ - 'ACTIVE'
+ - 'DELETED'
+ - name: 'disabled'
+ type: Boolean
+ description: |
+ Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
+ However, existing tokens still grant access.
+ - name: 'attributeMapping'
+ type: KeyValuePairs
+ description: |
+ Maps attributes from the authentication credentials issued by an external identity provider
+ to Google Cloud attributes, such as `subject` and `segment`.
+
+ Each key must be a string specifying the Google Cloud IAM attribute to map to.
+
+ The following keys are supported:
+ * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings.
+ This is also the subject that appears in Cloud Logging logs. This is a required field and
+ the mapped subject cannot exceed 127 bytes.
+ * `google.groups`: Groups the authenticating user belongs to. You can grant groups access to
+ resources using an IAM `principalSet` binding; access applies to all members of the group.
+ * `google.display_name`: The name of the authenticated user. This is an optional field and
+ the mapped display name cannot exceed 100 bytes. If not set, `google.subject` will be displayed instead.
+ This attribute cannot be referenced in IAM bindings.
+ * `google.profile_photo`: The URL that specifies the authenticated user's thumbnail photo.
+ This is an optional field. When set, the image will be visible as the user's profile picture.
+ If not set, a generic user icon will be displayed instead.
+ This attribute cannot be referenced in IAM bindings.
+
+ You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where {custom_attribute}
+ is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes.
+ The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_].
+
+ You can reference these attributes in IAM policies to define fine-grained access for a workforce pool
+ to Google Cloud resources. For example:
+ * `google.subject`:
+ `principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}`
+ * `google.groups`:
+ `principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}`
+ * `attribute.{custom_attribute}`:
+ `principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}`
+
+ Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
+ function that maps an identity provider credential to the normalized attribute specified
+ by the corresponding map key.
+
+ You can use the `assertion` keyword in the expression to access a JSON representation of
+ the authentication credential issued by the provider.
+
+ The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
+ the total size of all mapped attributes must not exceed 8KB.
+
+ For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
+ For example, the following maps the sub claim of the incoming credential to the `subject` attribute
+ on a Google token:
+ ```
+ {"google.subject": "assertion.sub"}
+ ```
+
+ An object containing a list of `"key": value` pairs.
+ Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
+ - name: 'attributeCondition'
+ type: String
+ description: |
+ A [Common Expression Language](https://opensource.google/projects/cel) expression, in
+ plain text, to restrict what otherwise valid authentication credentials issued by the
+ provider should not be accepted.
+
+ The expression must output a boolean representing whether to allow the federation.
+
+ The following keywords may be referenced in the expressions:
+ * `assertion`: JSON representing the authentication credential issued by the provider.
+ * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`.
+ `google.profile_photo` and `google.display_name` are not supported.
+ * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`.
+
+ The maximum length of the attribute condition expression is 4096 characters.
+ If unspecified, all valid authentication credentials will be accepted.
+
+ The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`:
+ ```
+ "'admins' in google.groups"
+ ```
+ - name: 'saml'
+ type: NestedObject
+ description: Represents a SAML identity provider.
+ exactly_one_of: + - 'saml' + - 'oidc' + properties: + - name: 'idpMetadataXml' + type: String + description: | + SAML Identity provider configuration metadata xml doc. + The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). + The max size of the acceptable xml document will be bounded to 128k characters. + + The metadata xml document should satisfy the following constraints: + 1) Must contain an Identity Provider Entity ID. + 2) Must contain at least one non-expired signing key certificate. + 3) For each signing key: + a) Valid from should be no more than 7 days from now. + b) Valid to should be no more than 10 years in the future. + 4) Up to 3 IdP signing keys are allowed in the metadata xml. + + When updating the provider's metadata xml, at least one non-expired signing key + must overlap with the existing metadata. This requirement is skipped if there are + no non-expired signing keys present in the existing metadata. + required: true + - name: 'oidc' + type: NestedObject + description: Represents an OpenId Connect 1.0 identity provider. + exactly_one_of: + - 'saml' + - 'oidc' + properties: + - name: 'issuerUri' + type: String + description: + The OIDC issuer URI. Must be a valid URI using the 'https' scheme. + required: true + - name: 'clientId' + type: String + description: + The client ID. Must match the audience claim of the JWT issued by the + identity provider. + required: true + - name: 'clientSecret' + type: NestedObject + description: | + The optional client secret. Required to enable Authorization Code flow for web sign-in. + properties: + - name: 'value' + type: NestedObject + description: | + The value of the client secret. 
+ exactly_one_of: + - 'oidc.0.client_secret.0.value' + custom_flatten: 'templates/terraform/custom_flatten/go/iam_workforce_pool_provider_oidc_client_secret_value.go.tmpl' + properties: + - name: 'plainText' + type: String + description: | + The plain text of the client secret value. + required: true + sensitive: true + validation: + function: 'validation.StringIsNotEmpty' + - name: 'thumbprint' + type: String + description: | + A thumbprint to represent the current client secret value. + output: true + - name: 'webSsoConfig' + type: NestedObject + description: | + Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. + default_from_api: true + properties: + - name: 'responseType' + type: Enum + description: | + The Response Type to request for in the OIDC Authorization Request for web sign-in. + + The `CODE` Response Type is recommended to avoid the Implicit Flow, for security reasons. + * CODE: The `response_type=code` selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. + * ID_TOKEN: The `response_type=id_token` selection uses the Implicit Flow for web sign-in. + required: true + enum_values: + - 'CODE' + - 'ID_TOKEN' + - name: 'assertionClaimsBehavior' + type: Enum + description: | + The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition. + * MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow. + * ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. 
+ required: true + enum_values: + - 'MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS' + - 'ONLY_ID_TOKEN_CLAIMS' + - name: 'additionalScopes' + type: Array + description: | + Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested. + Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured. + required: false + item_type: + type: String + - name: 'jwksJson' + type: String + description: | + OIDC JWKs in JSON String format. For details on definition of a + JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we + use the `jwks_uri` from the discovery document fetched from the + .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric + keys are supported. The JWK must use following format and include only + the following fields: + ``` + { + "keys": [ + { + "kty": "RSA/EC", + "alg": "", + "use": "sig", + "kid": "", + "n": "", + "e": "", + "x": "", + "y": "", + "crv": "" + } + ] + } + ``` + - name: 'extraAttributesOauth2Client' + type: NestedObject + description: | + The configuration for OAuth 2.0 client used to get the additional user + attributes. This should be used when users can't get the desired claims + in authentication credentials. Currently this configuration is only + supported with OIDC protocol. + properties: + - name: 'issuerUri' + type: String + description: | + The OIDC identity provider's issuer URI. Must be a valid URI using the `https` scheme. Required to get the OIDC discovery document. + required: true + - name: 'clientId' + type: String + description: | + The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. 
+ required: true + - name: 'clientSecret' + type: NestedObject + description: | + The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. + required: true + properties: + - name: 'value' + type: NestedObject + description: | + The value of the client secret. + exactly_one_of: + - 'extraAttributesOauth2Client.0.client_secret.0.value' + custom_flatten: 'templates/terraform/custom_flatten/go/iam_workforce_pool_provider_extra_attributes_oauth2_config_client_secret_value.go.tmpl' + properties: + - name: 'plainText' + type: String + description: | + The plain text of the client secret value. + required: true + validation: + function: 'validation.StringIsNotEmpty' + - name: 'thumbprint' + type: String + description: | + A thumbprint to represent the current client secret value. + output: true + - name: 'attributesType' + type: Enum + description: | + Represents the IdP and type of claims that should be fetched. + * AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided + in ExtraAttributesOAuth2Client and `mail` property of the `microsoft.graph.group` object is used for claim mapping. + See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on + `microsoft.graph.group` properties. The attributes obtained from idntity provider are mapped to `assertion.groups`. + required: true + enum_values: + - 'AZURE_AD_GROUPS_MAIL' + - name: 'queryParameters' + type: NestedObject + description: | + Represents the parameters to control which claims are fetched from an IdP. + properties: + - name: 'filter' + type: String + description: | + The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the + filter used to request specific groups for users from IdP. 
By default, all of the groups associated with the user are fetched. The + groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details. diff --git a/mmv1/products/iamworkforcepool/go_product.yaml b/mmv1/products/iamworkforcepool/go_product.yaml new file mode 100644 index 000000000000..7256f5f16841 --- /dev/null +++ b/mmv1/products/iamworkforcepool/go_product.yaml @@ -0,0 +1,37 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'IAMWorkforcePool' +legacy_name: 'iam' +display_name: 'Cloud IAM' +versions: + - name: 'beta' + base_url: 'https://iam.googleapis.com/v1/' + - name: 'ga' + base_url: 'https://iam.googleapis.com/v1/' +scopes: + - 'https://www.googleapis.com/auth/iam' +async: + type: "OpAsync" + operation: + base_url: '{{op_id}}' + path: 'name' + wait_ms: 1000 + result: + path: 'targetLink' + resource_inside_response: false + error: + path: 'error' + message: 'message' diff --git a/mmv1/products/iap/go_AppEngineService.yaml b/mmv1/products/iap/go_AppEngineService.yaml new file mode 100644 index 000000000000..c02f70a3bf34 --- /dev/null +++ b/mmv1/products/iap/go_AppEngineService.yaml 
@@ -0,0 +1,58 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'AppEngineService' +description: | + Only used to generate IAM resources +exclude_resource: true +docs: +id_format: 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}' +base_url: 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}' +self_link: 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}' +import_format: + - 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}' + - '{{service}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +iam_policy: + method_name_separator: ':' + parent_resource_type: 'google_app_engine_standard_app_version' + fetch_iam_policy_verb: 'POST' + allowed_iam_role: 'roles/iap.httpsResourceAccessor' + parent_resource_attribute: 'service' + test_project_name: 'tf-test' + iam_conditions_request_type: 'REQUEST_BODY' + example_config_body: 'templates/terraform/iam/example_config_body/go/app_engine_service.tf.tmpl' +custom_code: +exclude_tgc: true +examples: + - name: 'iap_app_engine_service' + primary_resource_id: 'version' + primary_resource_name: 'context["project_id"], "default"' + test_env_vars: + org_id: 'ORG_ID' + billing_account: 'BILLING_ACCT' +parameters: +properties: + - name: 'appId' + type: String + description: Id of the App Engine application. 
+ required: true + - name: 'service' + type: String + description: Service id of the App Engine application + required: true diff --git a/mmv1/products/iap/go_AppEngineVersion.yaml b/mmv1/products/iap/go_AppEngineVersion.yaml new file mode 100644 index 000000000000..214f51121270 --- /dev/null +++ b/mmv1/products/iap/go_AppEngineVersion.yaml 
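Review bot: The `appId` and `service` descriptions are inconsistent in casing and punctuation (`Id of the App Engine application.` vs `Service id of the App Engine application` with no period), and these strings are emitted verbatim into the generated provider docs. Use one form for both, e.g. `description: ID of the App Engine application.` and `description: Service ID of the App Engine application.`. The same pair, plus `versionId`, is repeated in the go_AppEngineVersion.yaml hunk below and should be fixed there too.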
@@ -0,0 +1,58 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'AppEngineVersion' +description: | + Only used to generate IAM resources +exclude_resource: true +docs: +id_format: 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}' +base_url: 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}' +self_link: 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}' +import_format: + - 'projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}' + - '{{version}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +iam_policy: + method_name_separator: ':' + parent_resource_type: 'google_app_engine_standard_app_version' + fetch_iam_policy_verb: 'POST' + allowed_iam_role: 'roles/iap.httpsResourceAccessor' + parent_resource_attribute: 'version_id' + iam_conditions_request_type: 'REQUEST_BODY' + example_config_body: 'templates/terraform/iam/example_config_body/go/app_engine_version.tf.tmpl' +custom_code: +exclude_tgc: true +examples: + - name: 'iap_app_engine_version' + primary_resource_id: 'version' + primary_resource_name: 'envvar.GetTestProjectFromEnv(), "default", context["random_suffix"]' +parameters: +properties: + - name: 'appId' + type: String + description: Id of the App Engine 
application. + required: true + - name: 'service' + type: String + description: Service id of the App Engine application + required: true + - name: 'versionId' + type: String + description: Version id of the App Engine application + required: true diff --git a/mmv1/products/iap/go_Brand.yaml b/mmv1/products/iap/go_Brand.yaml new file mode 100644 index 000000000000..153186a46034 --- /dev/null +++ b/mmv1/products/iap/go_Brand.yaml 
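Review bot: The short import format `'{{version}}'` does not match the field this resource actually declares, which is `versionId` (exposed as `version_id` via `parent_resource_attribute`) and referenced as `{{versionId}}` in the long formats. If this is carried over verbatim from the Ruby yaml it may be intentional, but it is worth confirming that the import path resolves `{{version}}` rather than silently leaving the field empty on import. A one-line comment above `import_format` naming where `version` comes from would save the next reader the same question.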
@@ -0,0 +1,93 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Brand' +description: | + OAuth brand data. Only "Organization Internal" brands can be created + programmatically via API. To convert it into an external brands + please use the GCP Console. + + + ~> **Note:** Brands can only be created once for a Google Cloud + project and the underlying Google API doesn't not support DELETE or PATCH methods. 
+ Destroying a Terraform-managed Brand will remove it from state + but *will not delete it from Google Cloud.* +references: + guides: + 'Setting up IAP Brand': 'https://cloud.google.com/iap/docs/tutorial-gce#set_up_iap' + api: 'https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands' +docs: +id_format: '{{name}}' +base_url: 'projects/{{project}}/brands' +self_link: '{{name}}' +skip_delete: true +immutable: true +import_format: + - 'projects/{{project_number}}/brands/{{brand_id}}' + - 'projects/{{project_id}}/brands/{{brand_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +async: + type: 'PollAsync' + check_response_func_existence: 'transport_tpg.PollCheckForExistence' + check_response_func_absence: 'transport_tpg.PollCheckForAbsence' + suppress_error: false + target_occurrences: 5 + actions: ['create'] +identity: + - name +custom_code: + post_create: 'templates/terraform/post_create/go/set_computed_name.tmpl' + custom_import: 'templates/terraform/custom_import/go/iap_brand.go.tmpl' +examples: + - name: 'iap_brand' + primary_resource_id: 'project_brand' + vars: + project_id: 'my-project' + test_env_vars: + org_id: 'ORG_ID' + org_domain: 'ORG_DOMAIN' + skip_test: true +parameters: + - name: 'name' + type: String + description: | + Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}` + NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing. + NOTE: The brand identification corresponds to the project number as only one + brand can be created per project. + output: true +properties: + - name: 'supportEmail' + type: String + description: | + Support email displayed on the OAuth consent screen. Can be either a + user or group email. When a user email is specified, the caller must + be the user with the associated email address. 
When a group email is + specified, the caller can be either a user or a service account which + is an owner of the specified group in Cloud Identity. + required: true + - name: 'applicationTitle' + type: String + description: | + Application name displayed on OAuth consent screen. + required: true + - name: 'orgInternalOnly' + type: Boolean + description: | + Whether the brand is only intended for usage inside the GSuite organization only. + output: true diff --git a/mmv1/products/iap/go_Client.yaml b/mmv1/products/iap/go_Client.yaml new file mode 100644 index 000000000000..55bd11f5ac54 --- /dev/null +++ b/mmv1/products/iap/go_Client.yaml 
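Review bot: The `description` block carries two typos that will surface in the generated docs: `doesn't not support DELETE or PATCH methods` should read `doesn't support DELETE or PATCH methods`, and `convert it into an external brands` should be `convert it into an external brand`. Given `skip_delete: true` and `immutable: true`, this description is the only place users learn that destroying the Terraform resource leaves the brand in place in Google Cloud, so the wording deserves to be exact.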
@@ -0,0 +1,81 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Client' +description: | + Contains the data that describes an Identity Aware Proxy owned client. + + ~> **Note:** Only internal org clients can be created via declarative tools. External clients must be + manually created via the GCP console. This restriction is due to the existing APIs and not lack of support + in this tool. 
+references: + guides: + 'Setting up IAP Client': 'https://cloud.google.com/iap/docs/authentication-howto' + api: 'https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients' +docs: +id_format: '{{brand}}/identityAwareProxyClients/{{client_id}}' +base_url: '{{brand}}/identityAwareProxyClients' +self_link: '{{brand}}/identityAwareProxyClients/{{client_id}}' +immutable: true +import_format: + - '{{brand}}/identityAwareProxyClients/{{client_id}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +custom_code: + post_create: 'templates/terraform/post_create/go/iap_client.go.tmpl' + custom_import: 'templates/terraform/custom_import/go/iap_client.go.tmpl' +skip_sweeper: true +error_retry_predicates: + + - 'transport_tpg.IapClient409Operation' +examples: + - name: 'iap_client' + primary_resource_id: 'project_client' + vars: + project_id: 'my-project' + test_env_vars: + org_id: 'ORG_ID' + org_domain: 'ORG_DOMAIN' +parameters: + - name: 'clientId' + type: String + description: | + Output only. Unique identifier of the OAuth client. + api_name: name + output: true + custom_flatten: 'templates/terraform/custom_flatten/go/name_from_self_link.tmpl' + - name: 'brand' + type: String + description: | + Identifier of the brand to which this client + is attached to. The format is + `projects/{project_number}/brands/{brand_id}`. + url_param_only: true + required: true + immutable: true +properties: + - name: 'secret' + type: String + description: | + Output only. Client secret of the OAuth client. + sensitive: true + output: true + - name: 'displayName' + type: String + description: | + Human-friendly name given to the OAuth client. + required: true diff --git a/mmv1/products/iap/go_Tunnel.yaml b/mmv1/products/iap/go_Tunnel.yaml new file mode 100644 index 000000000000..579403fff911 --- /dev/null +++ b/mmv1/products/iap/go_Tunnel.yaml 
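Review bot: The `secret` property is correctly marked `sensitive: true` and `output: true`, but its description does not tell users that the value is still persisted in plaintext in Terraform state; since this is an OAuth client credential, the generated docs should say so, e.g. `Output only. Client secret of the OAuth client. This value is stored in state and should be treated as a secret.` Separately, `error_retry_predicates:` is followed by a stray empty list line before its single entry, which looks like a porting artefact worth removing.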
@@ -0,0 +1,51 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Tunnel' +description: | + Only used to generate IAM resources +exclude_resource: true +docs: +id_format: 'projects/{{project}}/iap_tunnel' +base_url: 'projects/{{project}}/iap_tunnel' +self_link: 'projects/{{project}}/iap_tunnel' +import_format: + - 'projects/{{project}}/iap_tunnel' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +iam_policy: + method_name_separator: ':' + parent_resource_type: 'google_project_service' + fetch_iam_policy_verb: 'POST' + allowed_iam_role: 'roles/iap.tunnelResourceAccessor' + parent_resource_attribute: 'project' + iam_conditions_request_type: 'REQUEST_BODY' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' +custom_code: +examples: + - name: 'iap_project' + primary_resource_id: 'project_service' + primary_resource_name: 'fmt.Sprintf("tf-test%s", context["random_suffix"])' + test_env_vars: + org_id: 'ORG_ID' + external_providers: ["random", "time"] +parameters: +properties: + - name: 'project' + type: String + description: Project ID. + required: true diff --git a/mmv1/products/iap/go_TunnelDestGroup.yaml b/mmv1/products/iap/go_TunnelDestGroup.yaml new file mode 100644 index 000000000000..f7ab77d191f7 --- /dev/null +++ b/mmv1/products/iap/go_TunnelDestGroup.yaml 
@@ -0,0 +1,85 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'TunnelDestGroup' +description: | + Tunnel destination groups represent resources that have the same tunnel access restrictions. +references: + guides: + 'Set up IAP TCP forwarding with an IP address or hostname in a Google Cloud or non-Google Cloud environment': 'https://cloud.google.com/iap/docs/tcp-by-host' + api: 'https://cloud.google.com/iap/docs/reference/rest/v1/projects.iap_tunnel.locations.destGroups' +docs: +base_url: 'projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups' +self_link: 'projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}' +create_url: 'projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups?tunnelDestGroupId={{group_name}}' +update_verb: 'PATCH' +import_format: + - 'projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}' + - '{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}' + - '{{region}}/destGroups/{{group_name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +iam_policy: + skip_import_test: true + method_name_separator: ':' + fetch_iam_policy_verb: 'POST' + allowed_iam_role: 'roles/iap.tunnelResourceAccessor' + parent_resource_attribute: 'dest_group' + iam_conditions_request_type: 'REQUEST_BODY' + base_url: 
'projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' + import_format: + - 'projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}' + - '{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}' +custom_code: +examples: + - name: 'iap_destgroup' + primary_resource_id: 'dest_group' + primary_resource_name: 'fmt.Sprintf("tf-test%s", context["random_suffix"])' + external_providers: ["random", "time"] +parameters: + - name: 'region' + type: String + description: | + The region of the tunnel group. Must be the same as the network resources in the group. + url_param_only: true + immutable: true + default_from_api: true + - name: 'group_name' + type: String + description: Unique tunnel destination group name. + url_param_only: true + required: true + immutable: true +properties: + - name: 'name' + type: String + description: Full resource name. + immutable: true + output: true + - name: 'cidrs' + type: Array + description: | + List of CIDRs that this group applies to. + item_type: + type: String + - name: 'fqdns' + type: Array + description: | + List of FQDNs that this group applies to. + item_type: + type: String diff --git a/mmv1/products/iap/go_TunnelInstance.yaml b/mmv1/products/iap/go_TunnelInstance.yaml new file mode 100644 index 000000000000..bcf8b4636274 --- /dev/null +++ b/mmv1/products/iap/go_TunnelInstance.yaml 
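Review bot: The `region` parameter is `immutable: true` and `default_from_api: true` but not `required`, and its description (`The region of the tunnel group. Must be the same as the network resources in the group.`) does not say what happens when it is omitted; presumably the value is read back from the API after create, and the docs should state that, e.g. `If not specified, the region is populated from the API response and cannot be changed afterwards.` Since `cidrs` and `fqdns` define the tunnel access scope, their descriptions could also note which address families and hostname forms the API accepts, if that is known.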
@@ -0,0 +1,51 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'TunnelInstance' +description: | + Only used to generate IAM resources +exclude_resource: true +docs: +id_format: 'projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}' +base_url: 'projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}' +self_link: 'projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}' +import_format: + - 'projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}' + - 'projects/{{project}}/zones/{{zone}}/instances/{{name}}' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +iam_policy: + method_name_separator: ':' + parent_resource_type: 'google_compute_instance' + fetch_iam_policy_verb: 'POST' + allowed_iam_role: 'roles/iap.tunnelResourceAccessor' + parent_resource_attribute: 'instance' + iam_conditions_request_type: 'REQUEST_BODY' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' +custom_code: +examples: + - name: 'instance_basic' + primary_resource_id: 'tunnelvm' + primary_resource_name: 'fmt.Sprintf("tf-test-tunnel-vm%s", context["random_suffix"])' + vars: + instance_name: 'tunnel-vm' +parameters: +properties: + - name: 'name' + type: String + description: Name of the instance. + required: true 
diff --git a/mmv1/products/iap/go_Web.yaml b/mmv1/products/iap/go_Web.yaml new file mode 100644 index 000000000000..be47416e9a4f --- /dev/null +++ b/mmv1/products/iap/go_Web.yaml @@ -0,0 +1,51 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Warning: This is a temporary file, and should not be edited directly +--- +name: 'Web' +description: | + Only used to generate IAM resources +exclude_resource: true +docs: +id_format: 'projects/{{project}}/iap_web' +base_url: 'projects/{{project}}/iap_web' +self_link: 'projects/{{project}}/iap_web' +import_format: + - 'projects/{{project}}/iap_web' +timeouts: + insert_minutes: 20 + update_minutes: 20 + delete_minutes: 20 +iam_policy: + method_name_separator: ':' + parent_resource_type: 'google_project_service' + fetch_iam_policy_verb: 'POST' + allowed_iam_role: 'roles/iap.httpsResourceAccessor' + parent_resource_attribute: 'project' + iam_conditions_request_type: 'REQUEST_BODY' + example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl' +custom_code: +examples: + - name: 'iap_project' + primary_resource_id: 'project_service' + primary_resource_name: 'fmt.Sprintf("tf-test%s", context["random_suffix"])' + test_env_vars: + org_id: 'ORG_ID' + external_providers: ["random", "time"] +parameters: +properties: + - name: 'name' + type: String + description: Dummy property. + required: true 
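Review bot: The `name` property is documented only as `Dummy property.`, which is what readers of the generated docs will see even though the resource exists solely for IAM generation (`exclude_resource: true`). A description that explains the placeholder, e.g. `Placeholder property; this resource is only used to generate the IAM resources and is never created directly.`, would tell readers why the field is required. The sibling IAM-only files in this commit use different wording for the same placeholder, so aligning them here would help consistency.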
diff --git a/mmv1/products/iap/go_WebBackendService.yaml b/mmv1/products/iap/go_WebBackendService.yaml new file mode 100644 index 000000000000..4edbdb2becaf --- /dev/null +++ b/mmv1/products/iap/go_WebBackendService.yaml 
@@ -0,0 +1,52 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WebBackendService'
+description: |
+ Only used to generate IAM resources
+exclude_resource: true
+docs:
+id_format: 'projects/{{project}}/iap_web/compute/services/{{name}}'
+base_url: 'projects/{{project}}/iap_web/compute/services/{{name}}'
+self_link: 'projects/{{project}}/iap_web/compute/services/{{name}}'
+import_format:
+ - 'projects/{{project}}/iap_web/compute/services/{{name}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+iam_policy:
+ method_name_separator: ':'
+ parent_resource_type: 'google_compute_backend_service'
+ fetch_iam_policy_verb: 'POST'
+ allowed_iam_role: 'roles/iap.httpsResourceAccessor'
+ parent_resource_attribute: 'web_backend_service'
+ iam_conditions_request_type: 'REQUEST_BODY'
+ example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl'
+custom_code:
+exclude_tgc: true
+examples:
+ - name: 'backend_service_basic'
+ primary_resource_id: 'default'
+ primary_resource_name: 'fmt.Sprintf("tf-test-backend-service%s", context["random_suffix"])'
+ vars:
+ backend_service_name: 'backend-service'
+ http_health_check_name: 'health-check'
+parameters:
+properties:
+ - name: 'name'
+ type: String
+ description: Name or self link of a backend service.
+ required: true
diff --git a/mmv1/products/iap/go_WebRegionBackendService.yaml b/mmv1/products/iap/go_WebRegionBackendService.yaml
new file mode 100644
index 000000000000..31884a391f80
--- /dev/null
+++ b/mmv1/products/iap/go_WebRegionBackendService.yaml
@@ -0,0 +1,52 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WebRegionBackendService'
+description: |
+ Only used to generate IAM resources
+exclude_resource: true
+docs:
+id_format: 'projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}'
+base_url: 'projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}'
+self_link: 'projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}'
+import_format:
+ - 'projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+iam_policy:
+ method_name_separator: ':'
+ parent_resource_type: 'google_compute_region_backend_service'
+ fetch_iam_policy_verb: 'POST'
+ allowed_iam_role: 'roles/iap.httpsResourceAccessor'
+ parent_resource_attribute: 'web_region_backend_service'
+ iam_conditions_request_type: 'REQUEST_BODY'
+ example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl'
+custom_code:
+exclude_tgc: true
+examples:
+ - name: 'region_backend_service_basic'
+ primary_resource_id: 'default'
+ primary_resource_name: 'fmt.Sprintf("tf-test-region-backend-service%s", context["random_suffix"])'
+ vars:
+ region_backend_service_name: 'region-backend-service'
+ health_check_name: 'health-check'
+parameters:
+properties:
+ - name: 'name'
+ type: String
+ description: Name or self link of a regional backend
service.
+ required: true
diff --git a/mmv1/products/iap/go_WebTypeAppEngine.yaml b/mmv1/products/iap/go_WebTypeAppEngine.yaml
new file mode 100644
index 000000000000..65eb368de26d
--- /dev/null
+++ b/mmv1/products/iap/go_WebTypeAppEngine.yaml
@@ -0,0 +1,55 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WebTypeAppEngine'
+description: |
+ Only used to generate IAM resources
+exclude_resource: true
+docs:
+id_format: 'projects/{{project}}/iap_web/appengine-{{appId}}'
+base_url: 'projects/{{project}}/iap_web/appengine-{{appId}}'
+self_link: 'projects/{{project}}/iap_web/appengine-{{appId}}'
+import_format:
+ - 'projects/{{project}}/iap_web/appengine-{{appId}}'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+iam_policy:
+ method_name_separator: ':'
+ parent_resource_type: 'google_app_engine_application'
+ fetch_iam_policy_verb: 'POST'
+ allowed_iam_role: 'roles/iap.httpsResourceAccessor'
+ parent_resource_attribute: 'app_id'
+ test_project_name: 'tf-test'
+ iam_conditions_request_type: 'REQUEST_BODY'
+ example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl'
+ custom_diff_suppress: 'templates/terraform/iam/go/iap_web_appengine_diff_suppress.go.tmpl'
+custom_code:
+exclude_tgc: true
+examples:
+ - name: 'iap_appengine'
+ primary_resource_id: 'app'
+ primary_resource_name: 'context["project_id"]'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ billing_account: 'BILLING_ACCT'
+ external_providers: ["random", "time"]
+parameters:
+properties:
+ - name: 'appId'
+ type: String
+ description: Id of the App Engine application.
+ required: true
diff --git a/mmv1/products/iap/go_WebTypeCompute.yaml b/mmv1/products/iap/go_WebTypeCompute.yaml
new file mode 100644
index 000000000000..6db797568cbf
--- /dev/null
+++ b/mmv1/products/iap/go_WebTypeCompute.yaml
@@ -0,0 +1,52 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'WebTypeCompute'
+description: |
+ Only used to generate IAM resources
+exclude_resource: true
+docs:
+id_format: 'projects/{{project}}/iap_web/compute'
+base_url: 'projects/{{project}}/iap_web/compute'
+self_link: 'projects/{{project}}/iap_web/compute'
+import_format:
+ - 'projects/{{project}}/iap_web/compute'
+timeouts:
+ insert_minutes: 20
+ update_minutes: 20
+ delete_minutes: 20
+iam_policy:
+ method_name_separator: ':'
+ parent_resource_type: 'google_project_service'
+ fetch_iam_policy_verb: 'POST'
+ allowed_iam_role: 'roles/iap.httpsResourceAccessor'
+ parent_resource_attribute: 'project'
+ iam_conditions_request_type: 'REQUEST_BODY'
+ example_config_body: 'templates/terraform/iam/go/iam_attributes.go.tmpl'
+custom_code:
+exclude_tgc: true
+examples:
+ - name: 'iap_project'
+ primary_resource_id: 'project_service'
+ primary_resource_name: 'fmt.Sprintf("tf-test%s", context["random_suffix"])'
+ test_env_vars:
+ org_id: 'ORG_ID'
+ external_providers: ["random", "time"]
+parameters:
+properties:
+ - name: 'name'
+ type: String
+ description: Dummy property.
+ required: true
diff --git a/mmv1/products/iap/go_product.yaml b/mmv1/products/iap/go_product.yaml
new file mode 100644
index 000000000000..c0de7c0e578d
--- /dev/null
+++ b/mmv1/products/iap/go_product.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Warning: This is a temporary file, and should not be edited directly
+---
+name: 'Iap'
+display_name: 'Identity-Aware Proxy'
+versions:
+ - name: 'ga'
+ base_url: 'https://iap.googleapis.com/v1/'
+scopes:
+ - 'https://www.googleapis.com/auth/cloud-platform'
diff --git a/mmv1/template-converter.go b/mmv1/template-converter.go
index 3c0097564bf0..98575247656d 100644
--- a/mmv1/template-converter.go
+++ b/mmv1/template-converter.go
@@ -700,6 +700,7 @@ func checkExceptionList(filePath string) bool {
 "containeranalysis_attestation",
 "iam/example_config_body/privateca",
 "iam/example_config_body/vertex_ai",
+ "iam/example_config_body/app_engine_",
 // TODO: remove the following files from the exception list after all of the services are migrated to Go
 // It will generate diffs when partial services are migrated.
diff --git a/mmv1/templates/terraform/constants/go/gke_hub_membership_diff.go.tmpl b/mmv1/templates/terraform/constants/go/gke_hub_membership_diff.go.tmpl
new file mode 100644
index 000000000000..59e9b78bd3bf
--- /dev/null
+++ b/mmv1/templates/terraform/constants/go/gke_hub_membership_diff.go.tmpl
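Review bot: The new exception-list entry `"iam/example_config_body/app_engine_"` in checkExceptionList ends in an underscore, which reads as a prefix intended to cover both the `app_engine_service` and `app_engine_version` templates, but whether the list is matched by prefix or by substring is not visible in this hunk (the function body continues outside it). Presumably the entry is needed because this commit adds a `project` attribute to the Go versions of those two templates, so they no longer match their Ruby counterparts; that intent should be stated on the line itself, e.g. `"iam/example_config_body/app_engine_", // app_engine_service and app_engine_version: Go templates add a project attribute`. Without it the next reader cannot tell a deliberate prefix from a truncated filename.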
@@ -0,0 +1,9 @@
+func suppressGkeHubEndpointSelfLinkDiff(_, old, new string, _ *schema.ResourceData) bool {
+ // The custom expander injects //container.googleapis.com/ if a selflink is supplied.
+ selfLink := strings.TrimPrefix(old, "//container.googleapis.com/")
+ if selfLink == new {
+ return true
+ }
+
+ return false
+}
\ No newline at end of file
diff --git a/mmv1/templates/terraform/examples/base_configs/iam_test_file.go.tmpl b/mmv1/templates/terraform/examples/base_configs/iam_test_file.go.tmpl
index 99d20d6bc122..9983bb4ccc5d 100644
--- a/mmv1/templates/terraform/examples/base_configs/iam_test_file.go.tmpl
+++ b/mmv1/templates/terraform/examples/base_configs/iam_test_file.go.tmpl
@@ -55,7 +55,7 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_binding.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }}", {{ if $.IamImportQualifiersForTest }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }}", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
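Review bot: The `if selfLink == new { return true }` / `return false` tail of suppressGkeHubEndpointSelfLinkDiff already computes a boolean; the whole body collapses to `return strings.TrimPrefix(old, "//container.googleapis.com/") == new`, which keeps the comment about the expander and is easier to read as a diff-suppress predicate. The parameter named `new` shadows the Go builtin; if the project's other suppress functions follow the same `_, old, new string` shape that is tolerable, otherwise `newValue` avoids the shadowing. The file also lacks a trailing newline, which `gofmt` on the generated output will keep flagging.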
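Review bot: The qualifier expression `{{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}` is now repeated verbatim in every import step of this template (this hunk and the ones at -67, -102, -145, -156, -190, -226, -273, -309 and -376), so any later change to how qualifiers are rendered has a dozen sites to miss; a `{{ define "importQualifiers" }}` block invoked via `{{ template "importQualifiers" $ }}` would leave exactly one. If IamImportQualifiersForTest is a plain string, `if $.X` and `if ne $.X ""` behave identically in text/template, so the reason for the explicit comparison is not visible here and deserves a one-line template comment (for instance that the field is not always a string, or that the -190 and later steps previously emitted a stray leading comma when it was empty). The enclosing test functions begin and end outside these hunks.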
@@ -67,7 +67,7 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_binding.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }}", {{ if $.IamImportQualifiersForTest }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }}", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -102,7 +102,7 @@ func TestAcc{{ $.ResourceName }}IamMemberGenerated(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_member.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com", {{ if $.IamImportQualifiersForTest }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -145,7 +145,7 @@ func TestAcc{{ $.ResourceName }}IamPolicyGenerated(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_policy.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }}", {{ if $.IamImportQualifiersForTest }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }}", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -156,7 +156,7 @@ func TestAcc{{ $.ResourceName }}IamPolicyGenerated(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_policy.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }}", {{ if $.IamImportQualifiersForTest }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }}", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -190,7 +190,7 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated_withCondition(t *testing.T)
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_binding.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} %s", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}, context["condition_title"]),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} %s", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}, context["condition_title"]),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -226,19 +226,19 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated_withAndWithoutCondition(t *t
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_binding.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }}", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }}", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
 {
 ResourceName: "{{ $.IamTerraformName }}_binding.foo2",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} %s", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}, context["condition_title"]),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} %s", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}, context["condition_title"]),
 ImportState: true,
 ImportStateVerify: true,
 },
 {
 ResourceName: "{{ $.IamTerraformName }}_binding.foo3",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} %s", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}, context["condition_title_no_desc"]),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} %s", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}, context["condition_title_no_desc"]),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -273,7 +273,7 @@ func TestAcc{{ $.ResourceName }}IamMemberGenerated_withCondition(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_member.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com %s", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}, context["condition_title"]),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com %s", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}, context["condition_title"]),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -309,19 +309,19 @@ func TestAcc{{ $.ResourceName }}IamMemberGenerated_withAndWithoutCondition(t *te
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_member.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
 {
 ResourceName: "{{ $.IamTerraformName }}_member.foo2",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com %s", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}, context["condition_title"]),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com %s", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}, context["condition_title"]),
 ImportState: true,
 ImportStateVerify: true,
 },
 {
 ResourceName: "{{ $.IamTerraformName }}_member.foo3",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com %s", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}, context["condition_title_no_desc"]),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }} {{ $.IamPolicy.AllowedIamRole }} user:admin@hashicorptest.com %s", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}, context["condition_title_no_desc"]),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -376,7 +376,7 @@ func TestAcc{{ $.ResourceName }}IamPolicyGenerated_withCondition(t *testing.T) {
 {{- if not $.IamPolicy.SkipImportTest }}
 {
 ResourceName: "{{ $.IamTerraformName }}_policy.foo",
- ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }}", {{ $.IamImportQualifiersForTest }}, {{ $example.PrimaryResourceName }}),
+ ImportStateId: fmt.Sprintf("{{ $.IamImportFormat }}", {{ if ne $.IamImportQualifiersForTest "" }}{{ $.IamImportQualifiersForTest }}, {{ end }}{{ $example.PrimaryResourceName }}),
 ImportState: true,
 ImportStateVerify: true,
 },
diff --git a/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private.tf.tmpl b/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private.tf.tmpl
index b6ea6f9ed078..e6509f48ea09 100644
--- a/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private.tf.tmpl
+++ b/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private.tf.tmpl
@@ -62,15 +62,15 @@ resource "google_secure_source_manager_instance" "{{$.PrimaryResourceId}}" {
 }
 depends_on = [
 google_privateca_certificate_authority.root_ca,
- time_sleep.wait_60_seconds
+ time_sleep.wait_120_seconds
 ]
 }
 # ca pool IAM permissions can take time to propagate
-resource "time_sleep" "wait_60_seconds" {
+resource "time_sleep" "wait_120_seconds" {
 depends_on = [google_privateca_ca_pool_iam_binding.ca_pool_binding]
- create_duration = "60s"
+ create_duration = "120s"
 }
 data "google_project" "project" {}
\ No newline at end of file
diff --git a/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_backend.tf.tmpl b/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_backend.tf.tmpl
new file mode 100644
index 000000000000..fba2c6ec4757
--- /dev/null
+++ b/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_backend.tf.tmpl
@@ -0,0 +1,178 @@ +data "google_project" "project" {} + +resource "google_privateca_ca_pool" "ca_pool" { + name = "{{index $.Vars "ca_pool_id"}}" + location = "us-central1" + tier = "ENTERPRISE" + publishing_options { + publish_ca_cert = true + publish_crl = true + } +} + +resource "google_privateca_certificate_authority" "root_ca" { + pool = google_privateca_ca_pool.ca_pool.name + certificate_authority_id = "{{index $.Vars "root_ca_id"}}" + location = "us-central1" + config { + subject_config { + subject { + organization = "google" + common_name = "my-certificate-authority" + } + } + x509_config { + ca_options { + is_ca = true + } + key_usage { + base_key_usage { + cert_sign = true + crl_sign = true + } + extended_key_usage { + server_auth = true + } + } + } + } + key_spec { + algorithm = "RSA_PKCS1_4096_SHA256" + } + + // Disable deletion protections for easier test cleanup purposes + deletion_protection = false + ignore_active_certificates_on_deletion = true + skip_grace_period = true +} + +resource "google_privateca_ca_pool_iam_binding" "ca_pool_binding" { + ca_pool = google_privateca_ca_pool.ca_pool.id + role = "roles/privateca.certificateRequester" + + members = [ + "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com" + ] +} + +// See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api +resource "google_secure_source_manager_instance" "{{$.PrimaryResourceId}}" { + instance_id = "{{index $.Vars "instance_id"}}" + location = "us-central1" + private_config { + is_private = true + ca_pool = google_privateca_ca_pool.ca_pool.id + } + depends_on = [ + google_privateca_certificate_authority.root_ca, + time_sleep.wait_120_seconds + ] +} + +# ca pool IAM permissions can take time to propagate +resource "time_sleep" "wait_120_seconds" { + depends_on = [google_privateca_ca_pool_iam_binding.ca_pool_binding] + + create_duration = "120s" +} + +// Connect SSM private 
instance with L4 proxy ILB. +resource "google_compute_network" "network" { + name = "{{index $.Vars "network_id"}}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "subnet" { + name = "{{index $.Vars "subnet_id"}}" + region = "us-central1" + network = google_compute_network.network.id + ip_cidr_range = "10.0.1.0/24" + private_ip_google_access = true +} + +resource "google_compute_region_network_endpoint_group" "psc_neg" { + name = "{{index $.Vars "neg_id"}}" + region = "us-central1" + + network_endpoint_type = "PRIVATE_SERVICE_CONNECT" + psc_target_service = google_secure_source_manager_instance.{{$.PrimaryResourceId}}.private_config.0.http_service_attachment + + network = google_compute_network.network.id + subnetwork = google_compute_subnetwork.subnet.id +} + +resource "google_compute_region_backend_service" "backend_service" { + name = "{{index $.Vars "backend_id"}}" + region = "us-central1" + protocol = "TCP" + load_balancing_scheme = "INTERNAL_MANAGED" + backend { + group = google_compute_region_network_endpoint_group.psc_neg.id + balancing_mode = "UTILIZATION" + capacity_scaler = 1.0 + } +} + +resource "google_compute_subnetwork" "proxy_subnet" { + name = "{{index $.Vars "proxy_subnet_id"}}" + region = "us-central1" + network = google_compute_network.network.id + ip_cidr_range = "10.0.2.0/24" + purpose = "REGIONAL_MANAGED_PROXY" + role = "ACTIVE" +} + +resource "google_compute_region_target_tcp_proxy" "target_proxy" { + name = "{{index $.Vars "target_proxy_id"}}" + region = "us-central1" + backend_service = google_compute_region_backend_service.backend_service.id +} + +resource "google_compute_forwarding_rule" "fw_rule_target_proxy" { + name = "{{index $.Vars "fw_rule_to_target_proxy_id"}}" + region = "us-central1" + + load_balancing_scheme = "INTERNAL_MANAGED" + ip_protocol = "TCP" + port_range = "443" + target = google_compute_region_target_tcp_proxy.target_proxy.id + network = google_compute_network.network.id + subnetwork = 
google_compute_subnetwork.subnet.id + network_tier = "PREMIUM" + depends_on = [google_compute_subnetwork.proxy_subnet] +} + +resource "google_dns_managed_zone" "private_zone" { + name = "{{index $.Vars "dns_zone_id"}}" + dns_name = "p.sourcemanager.dev." + visibility = "private" + private_visibility_config { + networks { + network_url = google_compute_network.network.id + } + } +} + +resource "google_dns_record_set" "ssm_instance_html_record" { + name = "${google_secure_source_manager_instance.{{$.PrimaryResourceId}}.host_config.0.html}." + type = "A" + ttl = 300 + managed_zone = google_dns_managed_zone.private_zone.name + rrdatas = [google_compute_forwarding_rule.fw_rule_target_proxy.ip_address] +} + +resource "google_dns_record_set" "ssm_instance_api_record" { + name = "${google_secure_source_manager_instance.{{$.PrimaryResourceId}}.host_config.0.api}." + type = "A" + ttl = 300 + managed_zone = google_dns_managed_zone.private_zone.name + rrdatas = [google_compute_forwarding_rule.fw_rule_target_proxy.ip_address] +} + +resource "google_dns_record_set" "ssm_instance_git_record" { + name = "${google_secure_source_manager_instance.{{$.PrimaryResourceId}}.host_config.0.git_http}." + type = "A" + ttl = 300 + managed_zone = google_dns_managed_zone.private_zone.name + rrdatas = [google_compute_forwarding_rule.fw_rule_target_proxy.ip_address] +} diff --git a/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_endpoint.tf.tmpl b/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_endpoint.tf.tmpl new file mode 100644 index 000000000000..670b709ed73a --- /dev/null +++ b/mmv1/templates/terraform/examples/go/secure_source_manager_instance_private_psc_endpoint.tf.tmpl 
@@ -0,0 +1,145 @@ +data "google_project" "project" {} + +resource "google_privateca_ca_pool" "ca_pool" { + name = "{{index $.Vars "ca_pool_id"}}" + location = "us-central1" + tier = "ENTERPRISE" + publishing_options { + publish_ca_cert = true + publish_crl = true + } +} + +resource "google_privateca_certificate_authority" "root_ca" { + pool = google_privateca_ca_pool.ca_pool.name + certificate_authority_id = "{{index $.Vars "root_ca_id"}}" + location = "us-central1" + config { + subject_config { + subject { + organization = "google" + common_name = "my-certificate-authority" + } + } + x509_config { + ca_options { + is_ca = true + } + key_usage { + base_key_usage { + cert_sign = true + crl_sign = true + } + extended_key_usage { + server_auth = true + } + } + } + } + key_spec { + algorithm = "RSA_PKCS1_4096_SHA256" + } + + // Disable deletion protections for easier test cleanup purposes + deletion_protection = false + ignore_active_certificates_on_deletion = true + skip_grace_period = true +} + +resource "google_privateca_ca_pool_iam_binding" "ca_pool_binding" { + ca_pool = google_privateca_ca_pool.ca_pool.id + role = "roles/privateca.certificateRequester" + + members = [ + "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com" + ] +} + +// See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api +resource "google_secure_source_manager_instance" "{{$.PrimaryResourceId}}" { + instance_id = "{{index $.Vars "instance_id"}}" + location = "us-central1" + private_config { + is_private = true + ca_pool = google_privateca_ca_pool.ca_pool.id + } + depends_on = [ + google_privateca_certificate_authority.root_ca, + time_sleep.wait_120_seconds + ] +} + +# ca pool IAM permissions can take time to propagate +resource "time_sleep" "wait_120_seconds" { + depends_on = [google_privateca_ca_pool_iam_binding.ca_pool_binding] + + create_duration = "120s" +} + +// Connect SSM private 
instance with endpoint. +resource "google_compute_network" "network" { + name = "{{index $.Vars "network_id"}}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "subnet" { + name = "{{index $.Vars "subnet_id"}}" + region = "us-central1" + network = google_compute_network.network.id + ip_cidr_range = "10.0.60.0/24" + private_ip_google_access = true +} + +resource "google_compute_address" "address" { + name = "{{index $.Vars "address_id"}}" + region = "us-central1" + address = "10.0.60.100" + address_type = "INTERNAL" + subnetwork = google_compute_subnetwork.subnet.id +} + +resource "google_compute_forwarding_rule" "fw_rule_service_attachment" { + name = "{{index $.Vars "fw_rule_to_service_attachment_id"}}" + region = "us-central1" + + load_balancing_scheme = "" + ip_address = google_compute_address.address.id + network = google_compute_network.network.id + + target = google_secure_source_manager_instance.{{$.PrimaryResourceId}}.private_config.0.http_service_attachment +} + +resource "google_dns_managed_zone" "private_zone" { + name = "{{index $.Vars "dns_zone_id"}}" + dns_name = "p.sourcemanager.dev." + visibility = "private" + private_visibility_config { + networks { + network_url = google_compute_network.network.id + } + } +} + +resource "google_dns_record_set" "ssm_instance_html_record" { + name = "${google_secure_source_manager_instance.{{$.PrimaryResourceId}}.host_config.0.html}." + type = "A" + ttl = 300 + managed_zone = google_dns_managed_zone.private_zone.name + rrdatas = [google_compute_forwarding_rule.fw_rule_service_attachment.ip_address] +} + +resource "google_dns_record_set" "ssm_instance_api_record" { + name = "${google_secure_source_manager_instance.{{$.PrimaryResourceId}}.host_config.0.api}." 
+ type = "A"
+ ttl = 300
+ managed_zone = google_dns_managed_zone.private_zone.name
+ rrdatas = [google_compute_forwarding_rule.fw_rule_service_attachment.ip_address]
+}
+
+resource "google_dns_record_set" "ssm_instance_git_record" {
+ name = "${google_secure_source_manager_instance.{{$.PrimaryResourceId}}.host_config.0.git_http}."
+ type = "A"
+ ttl = 300
+ managed_zone = google_dns_managed_zone.private_zone.name
+ rrdatas = [google_compute_forwarding_rule.fw_rule_service_attachment.ip_address]
+}
diff --git a/mmv1/templates/terraform/iam/example_config_body/go/app_engine_service.tf.tmpl b/mmv1/templates/terraform/iam/example_config_body/go/app_engine_service.tf.tmpl
index e1fd7799feac..8589c874312d 100644
--- a/mmv1/templates/terraform/iam/example_config_body/go/app_engine_service.tf.tmpl
+++ b/mmv1/templates/terraform/iam/example_config_body/go/app_engine_service.tf.tmpl
@@ -1,3 +1,4 @@
+ project = "${google_app_engine_standard_app_version.version.project}"
 app_id = "${google_app_engine_standard_app_version.version.project}"
 service = "${google_app_engine_standard_app_version.version.service}"
\ No newline at end of file
diff --git a/mmv1/templates/terraform/iam/example_config_body/go/app_engine_version.tf.tmpl b/mmv1/templates/terraform/iam/example_config_body/go/app_engine_version.tf.tmpl
index 4815daf16343..1382b5cfb584 100644
--- a/mmv1/templates/terraform/iam/example_config_body/go/app_engine_version.tf.tmpl
+++ b/mmv1/templates/terraform/iam/example_config_body/go/app_engine_version.tf.tmpl
@@ -1,3 +1,4 @@
+ project = "${google_app_engine_standard_app_version.version.project}"
 app_id = "${google_app_engine_standard_app_version.version.project}"
 service = "${google_app_engine_standard_app_version.version.service}"
diff --git a/mmv1/templates/terraform/iam/go/iam_attributes.go.tmpl b/mmv1/templates/terraform/iam/go/iam_attributes.go.tmpl
index 091a0ac5ff44..0be3e707e4dd 100644
--- a/mmv1/templates/terraform/iam/go/iam_attributes.go.tmpl
+++ b/mmv1/templates/terraform/iam/go/iam_attributes.go.tmpl
@@ -1,5 +1,5 @@
 {{- $primaryResourceId := $.ExamplePrimaryResourceId }}
 {{- $ids := $.IamSelfLinkIdentifiers }}
 {{- range $i, $attribue := $.IamAttributes}}
- {{ $attribue }} = {{ $.IamParentSourceType }}.{{ $primaryResourceId }}.{{ (index $ids $i)}}
+ {{ $attribue }} = {{ $.IamParentSourceType }}.{{ $primaryResourceId }}.{{ underscore (index $ids $i)}}
 {{- end }}
\ No newline at end of file
diff --git a/mmv1/templates/terraform/iam_policy.go.tmpl b/mmv1/templates/terraform/iam_policy.go.tmpl
index 80249b48bdbc..8e58a35c4ad6 100644
--- a/mmv1/templates/terraform/iam_policy.go.tmpl
+++ b/mmv1/templates/terraform/iam_policy.go.tmpl
@@ -68,7 +68,7 @@ var {{ $.ResourceName }}IamSchema = map[string]*schema.Schema{
 }
 {{- if and $.IamPolicy $.IamPolicy.CustomDiffSuppress }}
- {{- $.CustomTemplate $.IamPolicy.CustomDiffSuppress true }}
+ {{ $.CustomTemplate $.IamPolicy.CustomDiffSuppress true }}
 {{- end }}
 type {{ $.ResourceName }}IamUpdater struct {
diff --git a/mmv1/templates/terraform/yaml_conversion.erb b/mmv1/templates/terraform/yaml_conversion.erb
index 52ac46917a80..6564559b17d5 100644
--- a/mmv1/templates/terraform/yaml_conversion.erb
+++ b/mmv1/templates/terraform/yaml_conversion.erb
@@ -331,6 +331,9 @@ iam_policy:
 <% unless object.iam_policy.self_link.nil? -%>
 self_link: '<%= object.iam_policy.self_link %>'
 <% end -%>
+<% unless object.iam_policy.custom_diff_suppress.nil? -%>
+ custom_diff_suppress: '<%= object.convert_go_file(object.iam_policy.custom_diff_suppress ) %>'
+<% end -%>
 <% unless object.iam_policy.import_format.nil? -%>
 import_format:
 <% object.iam_policy.import_format.each do |iformat| -%>
diff --git a/mmv1/third_party/terraform/services/compute/go/resource_compute_backend_service_test.go.tmpl b/mmv1/third_party/terraform/services/compute/go/resource_compute_backend_service_test.go.tmpl
index ea9579c58f68..58b4b0b3c48b 100644
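Review bot: The rewritten line keeps the misspelled range variable `$attribue`; since the line is being touched anyway, fixing it at both sites (`{{- range $i, $attribute := $.IamAttributes}}` and `{{ $attribute }} = {{ $.IamParentSourceType }}.{{ $primaryResourceId }}.{{ underscore (index $ids $i)}}`) costs nothing and stops the typo spreading through grep results. A short template comment explaining why `underscore` is applied to the self-link identifier here (presumably because the identifiers are camelCase API field names while the Terraform attribute they reference is snake_case) would also save the next reader a lookup. The file still ends without a trailing newline.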
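Review bot: The added `convert_go_file(object.iam_policy.custom_diff_suppress )` in yaml_conversion.erb carries a stray space before the closing parenthesis; `custom_diff_suppress: '<%= object.convert_go_file(object.iam_policy.custom_diff_suppress) %>'` matches normal Ruby spacing. The emitted value is single-quoted YAML, so a converted path containing `'` would produce an unparseable product file; that is unlikely for template paths but worth knowing if convert_go_file ever returns anything other than a plain relative path.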
--- a/mmv1/third_party/terraform/services/compute/go/resource_compute_backend_service_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/go/resource_compute_backend_service_test.go.tmpl
@@ -825,6 +825,68 @@ func TestAccComputeBackendService_trafficDirectorUpdateFull(t *testing.T) {
 }
 {{- end }}
 
+func TestAccComputeBackendService_withPrivateOriginAuth(t *testing.T) {
+ t.Parallel()
+
+ randomSuffix := acctest.RandString(t, 10)
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckComputeBackendServiceDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeBackendService_withPrivateOriginAuth(randomSuffix),
+ },
+ {
+ ResourceName: "google_compute_backend_service.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"security_settings.0.aws_v4_authentication.0.access_key"},
+ },
+ {
+ Config: testAccComputeBackendService_withPrivateOriginAuthUpdate(randomSuffix),
+ },
+ {
+ ResourceName: "google_compute_backend_service.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"security_settings.0.aws_v4_authentication.0.access_key"},
+ },
+ },
+ })
+}
+
+func TestAccComputeBackendService_withClientTlsPolicy(t *testing.T) {
+ t.Parallel()
+
+ randomSuffix := acctest.RandString(t, 10)
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckComputeBackendServiceDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeBackendService_clientTlsPolicy(randomSuffix),
+ },
+ {
+ ResourceName: "google_compute_backend_service.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccComputeBackendService_clientTlsPolicyUpdate(randomSuffix),
+ },
+ {
+ ResourceName: "google_compute_backend_service.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 {{ if ne $.TargetVersionName `ga` -}}
 func TestAccComputeBackendService_regionNegBackend(t *testing.T) {
 t.Parallel()
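Review bot: Both import steps in `TestAccComputeBackendService_withPrivateOriginAuth` skip verification of `security_settings.0.aws_v4_authentication.0.access_key` without saying why, so a reader cannot tell whether the secret is deliberately never returned by the API or whether the provider is failing to round-trip it. A one-line comment next to each `ImportStateVerifyIgnore` would pin the intent, e.g. `// access_key is a write-only secret; the API does not return it, so import cannot verify it` — presumably that is the reason, but it should be confirmed against the resource schema (and that the field is marked sensitive there). Since the import steps are the only assertions this test makes, a `Check` on the first step asserting the non-secret fields (`access_key_id`, `origin_region`, `access_key_version`) reached state would also catch a silent drop of the whole `aws_v4_authentication` block.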
@@ -2009,3 +2071,146 @@ resource "google_cloud_run_service" "cloudrun_neg" {
 `, suffix, suffix, suffix)
 }
 {{- end }}
+
+func testAccComputeBackendService_withPrivateOriginAuth(randomSuffix string) string {
+ return fmt.Sprintf(`
+resource "google_compute_backend_service" "foobar" {
+ name = "tf-test-backend-service-%s"
+ security_settings {
+ aws_v4_authentication {
+ access_key_id = "AKIAIOSFODNN7EXAMPLE"
+ access_key = "c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9"
+ access_key_version = "prod-access-key-v1.2"
+ origin_region = "us-east-2"
+ }
+ }
+ backend {
+ group = google_compute_global_network_endpoint_group.group.self_link
+ }
+}
+
+resource "google_compute_global_network_endpoint" "networkendpoint" {
+ global_network_endpoint_group = google_compute_global_network_endpoint_group.group.name
+ ip_address = "8.8.8.8"
+ port = 443
+}
+
+resource "google_compute_global_network_endpoint_group" "group" {
+ name = "tf-test-neg-%s"
+ network_endpoint_type = "INTERNET_IP_PORT"
+}
+`, randomSuffix, randomSuffix)
+}
+
+func testAccComputeBackendService_withPrivateOriginAuthUpdate(randomSuffix string) string {
+ return fmt.Sprintf(`
+resource "google_compute_backend_service" "foobar" {
+ name = "tf-test-backend-service-%s"
+ security_settings {
+ aws_v4_authentication {
+ access_key_id = "AKIAIOSFODNN7EXAMPLE"
+ access_key = "EXAMPLEc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3cELPMAXE"
+ access_key_version = "prod-access-key-v1.2"
+ origin_region = "us-east-2"
+ }
+ }
+ backend {
+ group = google_compute_global_network_endpoint_group.group.self_link
+ }
+}
+
+resource "google_compute_global_network_endpoint" "networkendpoint" {
+ global_network_endpoint_group = google_compute_global_network_endpoint_group.group.name
+ ip_address = "8.8.8.8"
+ port = 443
+}
+
+resource "google_compute_global_network_endpoint_group" "group" {
+ name = "tf-test-neg-%s"
+ network_endpoint_type = "INTERNET_IP_PORT"
+}
+`, randomSuffix, randomSuffix)
+}
+
+func testAccComputeBackendService_clientTlsPolicy(randomSuffix string) string {
+ return fmt.Sprintf(`
+resource "google_compute_backend_service" "foobar" {
+ name = "tf-test-backend-service-%s"
+ load_balancing_scheme = "INTERNAL_SELF_MANAGED"
+ security_settings {
+ client_tls_policy = "//networksecurity.googleapis.com/${google_network_security_client_tls_policy.foobar.id}"
+ subject_alt_names = ["test-ca"]
+ }
+}
+
+resource "google_network_security_client_tls_policy" "foobar" {
+ name = "tf-test-client-tls-policy-%s"
+ labels = {
+ foo = "bar"
+ }
+ description = "example description"
+ sni = "secure.example.com"
+ client_certificate {
+ certificate_provider_instance {
+ plugin_instance = "google_cloud_private_spiffe"
+ }
+ }
+ server_validation_ca {
+ certificate_provider_instance {
+ plugin_instance = "google_cloud_private_spiffe"
+ }
+ }
+}
+`, randomSuffix, randomSuffix)
+}
+
+func testAccComputeBackendService_clientTlsPolicyUpdate(randomSuffix string) string {
+ return fmt.Sprintf(`
+resource "google_compute_backend_service" "foobar" {
+ name = "tf-test-backend-service-%s"
+ load_balancing_scheme = "INTERNAL_SELF_MANAGED"
+ security_settings {
+ client_tls_policy = "//networksecurity.googleapis.com/${google_network_security_client_tls_policy.foobar2.id}"
+ subject_alt_names = ["test-ca", "test-ca-2"]
+ }
+}
+
+resource "google_network_security_client_tls_policy" "foobar" {
+ name = "tf-test-client-tls-policy-%s"
+ labels = {
+ foo = "bar"
+ }
+ description = "example description"
+ sni = "secure.example.com"
+ client_certificate {
+ certificate_provider_instance {
+ plugin_instance = "google_cloud_private_spiffe"
+ }
+ }
+ server_validation_ca {
+ certificate_provider_instance {
+ plugin_instance = "google_cloud_private_spiffe"
+ }
+ }
+}
+
+resource "google_network_security_client_tls_policy" "foobar2" {
+ name = "tf-test-client-tls-policy-the-second-%s"
+ labels = {
+ foo = "bar"
+ }
+ description = "example description of the second policy"
+ sni = "secure.example2.com"
+ client_certificate {
+ certificate_provider_instance {
+ plugin_instance = "google_cloud_private_spiffe"
+ }
+ }
+ server_validation_ca {
+ certificate_provider_instance {
+ plugin_instance = "google_cloud_private_spiffe"
+ }
+ }
+}
+`, randomSuffix, randomSuffix, randomSuffix)
+}
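Review bot: `testAccComputeBackendService_withPrivateOriginAuth` hard-codes an `access_key` of 64 hex characters next to the AWS example key ID `AKIAIOSFODNN7EXAMPLE`; the ID is AWS's documented placeholder, but the secret value is not obviously fake, so secret scanners and reviewers have to guess whether a live credential was committed, and any VCR cassette recorded from this config will carry it. The update config already uses a self-evidently synthetic value, `EXAMPLEc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3cELPMAXE`; using the same convention in the first config, e.g. `access_key = "EXAMPLEc4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86ELPMAXE"`, removes the ambiguity without changing what the test exercises. A short comment above the block, `# placeholder credentials only; never a live AWS key`, would help the next person who copies this config into a new test.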