diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http00.log b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http00.log new file mode 100644 index 0000000000..455902c4e7 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http00.log 
@@ -0,0 +1,159 @@ +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "errors": [ + { + "domain": "global", + "message": "Unknown service account", + "reason": "notFound" + } + ], + "message": "Unknown service account", + "status": "NOT_FOUND" + } +} + +--- + +POST https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts?alt=json&prettyPrint=false +Content-Type: application/json +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{ + "accountId": "gsa-1-${uniqueId}", + "serviceAccount": {} +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 
terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN 
+X-Xss-Protection: 0 + +{ + "email": "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} \ No newline at end of file diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http01.log b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http01.log new file mode 100644 index 0000000000..059ed7ac32 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http01.log 
@@ -0,0 +1,159 @@ +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "errors": [ + { + "domain": "global", + "message": "Unknown service account", + "reason": "notFound" + } + ], + "message": "Unknown service account", + "status": "NOT_FOUND" + } +} + +--- + +POST https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts?alt=json&prettyPrint=false +Content-Type: application/json +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{ + "accountId": "gsa-2-${uniqueId}", + "serviceAccount": {} +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 
terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN 
+X-Xss-Protection: 0 + +{ + "email": "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} \ No newline at end of file diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http02.log b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http02.log new file mode 100644 index 0000000000..46472d1421 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http02.log 
@@ -0,0 +1,196 @@ +GET https://privilegedaccessmanager.googleapis.com/v1/folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}?%24alt=json%3Benum-encoding%3Dint +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=folders%2F123451001%2Flocations%2Fglobal%2Fentitlements%2Fprivilegedaccessmanagerentitlement-${uniqueId} + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "message": "Resource 'folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}' was not found", + "status": "NOT_FOUND" + } +} + +--- + +POST https://privilegedaccessmanager.googleapis.com/v1/folders/123451001/locations/global/entitlements?%24alt=json%3Benum-encoding%3Dint&entitlementId=privilegedaccessmanagerentitlement-${uniqueId} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: parent=folders%2F123451001%2Flocations%2Fglobal + +{ + "additionalNotificationTargets": { + "adminEmailRecipients": [ + "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ], + "requesterEmailRecipients": [ + "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ] + }, + "approvalWorkflow": { + "manualApprovals": { + "steps": [ + { + "approvalsNeeded": 1, + "approverEmailRecipients": [ + "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ], + "approvers": [ + { + "principals": [ + "group:kcc-eng@google.com" + ] + } + ] + } + ] + } + }, + "eligibleUsers": [ + { + "principals": [ + "serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ] + } + ], + "maxRequestDuration": "1800s", + "privilegedAccess": { + "gcpIamAccess": { + "resource": 
"//cloudresourcemanager.googleapis.com/folders/123451001", + "resourceType": "cloudresourcemanager.googleapis.com/Folder", + "roleBindings": [ + { + "conditionExpression": "request.time \u003e timestamp(\"2019-12-31T12:00:00.000Z\")", + "role": "roles/pubsub.viewer" + } + ] + } + }, + "requesterJustificationConfig": { + "notMandatory": {} + } +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "metadata": { + "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1.OperationMetadata", + "apiVersion": "v1", + "createTime": "2024-04-01T12:34:56.123456Z", + "target": "folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}", + "verb": "create" + }, + "name": "folders/123451001/locations/global/operations/${operationID}" +} + +--- + +GET https://privilegedaccessmanager.googleapis.com/v1/folders/123451001/locations/global/operations/${operationID} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=folders%2F123451001%2Flocations%2Fglobal%2Foperations%2F${operationID} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "done": true, + "metadata": { + "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1.OperationMetadata", + "apiVersion": "v1", + "createTime": "2024-04-01T12:34:56.123456Z", + "endTime": "2024-04-01T12:34:56.123456Z", + "target": "folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}", + "verb": "create" + }, + "name": "folders/123451001/locations/global/operations/${operationID}", + "response": { + "@type": 
"type.googleapis.com/google.cloud.privilegedaccessmanager.v1.Entitlement", + "additionalNotificationTargets": { + "adminEmailRecipients": [ + "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ], + "requesterEmailRecipients": [ + "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ] + }, + "approvalWorkflow": { + "manualApprovals": { + "steps": [ + { + "approvalsNeeded": 1, + "approverEmailRecipients": [ + "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ], + "approvers": [ + { + "principals": [ + "group:kcc-eng@google.com" + ] + } + ] + } + ] + } + }, + "createTime": "2024-04-01T12:34:56.123456Z", + "eligibleUsers": [ + { + "principals": [ + "serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ] + } + ], + "etag": "abcdef0123A=", + "maxRequestDuration": "1800s", + "name": "folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}", + "privilegedAccess": { + "gcpIamAccess": { + "resource": "//cloudresourcemanager.googleapis.com/folders/123451001", + "resourceType": "cloudresourcemanager.googleapis.com/Folder", + "roleBindings": [ + { + "conditionExpression": "request.time \u003e timestamp(\"2019-12-31T12:00:00.000Z\")", + "role": "roles/pubsub.viewer" + } + ] + } + }, + "requesterJustificationConfig": { + "notMandatory": {} + }, + "state": "AVAILABLE", + "updateTime": "2024-04-01T12:34:56.123456Z" + } +} \ No newline at end of file diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http03.log b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http03.log new file mode 100644 index 0000000000..ef760cc15a --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_http03.log 
@@ -0,0 +1,74 @@ +GET https://privilegedaccessmanager.googleapis.com/v1/folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}?%24alt=json%3Benum-encoding%3Dint +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=folders%2F123451001%2Flocations%2Fglobal%2Fentitlements%2Fprivilegedaccessmanagerentitlement-${uniqueId} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "additionalNotificationTargets": { + "adminEmailRecipients": [ + "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ], + "requesterEmailRecipients": [ + "gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ] + }, + "approvalWorkflow": { + "manualApprovals": { + "steps": [ + { + "approvalsNeeded": 1, + "approverEmailRecipients": [ + "gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ], + "approvers": [ + { + "principals": [ + "group:kcc-eng@google.com" + ] + } + ] + } + ] + } + }, + "createTime": "2024-04-01T12:34:56.123456Z", + "eligibleUsers": [ + { + "principals": [ + "serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com" + ] + } + ], + "etag": "abcdef0123A=", + "maxRequestDuration": "1800s", + "name": "folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId}", + "privilegedAccess": { + "gcpIamAccess": { + "resource": "//cloudresourcemanager.googleapis.com/folders/123451001", + "resourceType": "cloudresourcemanager.googleapis.com/Folder", + "roleBindings": [ + { + "conditionExpression": "request.time \u003e timestamp(\"2019-12-31T12:00:00.000Z\")", + "role": "roles/pubsub.viewer" + } + ] + } + }, + "requesterJustificationConfig": { + "notMandatory": {} + }, + "state": 2, + "updateTime": 
"2024-04-01T12:34:56.123456Z" +} \ No newline at end of file diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object00.yaml b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object00.yaml new file mode 100644 index 0000000000..f7ef0046a2 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object00.yaml @@ -0,0 +1,27 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/management-conflict-prevention-policy: none + cnrm.cloud.google.com/project-id: ${projectId} + cnrm.cloud.google.com/state-into-spec: absent + finalizers: + - cnrm.cloud.google.com/finalizer + - cnrm.cloud.google.com/deletion-defender + generation: 2 + name: gsa-1-${uniqueId} + namespace: ${projectId} +spec: + resourceID: gsa-1-${uniqueId} +status: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: The resource is up to date + reason: UpToDate + status: "True" + type: Ready + email: gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + member: serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + name: projects/${projectId}/serviceAccounts/gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + observedGeneration: 2 + uniqueId: "12345678" diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object01.yaml b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object01.yaml new file mode 100644 index 0000000000..c728c4c586 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object01.yaml 
@@ -0,0 +1,27 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/management-conflict-prevention-policy: none + cnrm.cloud.google.com/project-id: ${projectId} + cnrm.cloud.google.com/state-into-spec: absent + finalizers: + - cnrm.cloud.google.com/finalizer + - cnrm.cloud.google.com/deletion-defender + generation: 2 + name: gsa-2-${uniqueId} + namespace: ${projectId} +spec: + resourceID: gsa-2-${uniqueId} +status: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: The resource is up to date + reason: UpToDate + status: "True" + type: Ready + email: gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + member: serviceAccount:gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + name: projects/${projectId}/serviceAccounts/gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + observedGeneration: 2 + uniqueId: "12345678" diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object02.yaml b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object02.yaml new file mode 100644 index 0000000000..4b0f852ba9 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object02.yaml 
@@ -0,0 +1,57 @@ +apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1beta1 +kind: PrivilegedAccessManagerEntitlement +metadata: + annotations: + cnrm.cloud.google.com/management-conflict-prevention-policy: none + cnrm.cloud.google.com/project-id: ${projectId} + finalizers: + - cnrm.cloud.google.com/finalizer + - cnrm.cloud.google.com/deletion-defender + generation: 1 + name: privilegedaccessmanagerentitlement-${uniqueId} + namespace: ${projectId} +spec: + additionalNotificationTargets: + adminEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + requesterEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvalWorkflow: + manualApprovals: + requireApproverJustification: false + steps: + - approvalsNeeded: 1 + approverEmailRecipients: + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvers: + - principals: + - group:kcc-eng@google.com + eligibleUsers: + - principals: + - serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + folderRef: + external: folders/123451001 + location: global + maxRequestDuration: 1800s + privilegedAccess: + gcpIAMAccess: + roleBindings: + - conditionExpression: request.time > timestamp("2019-12-31T12:00:00.000Z") + role: roles/pubsub.viewer + requesterJustificationConfig: + notMandatory: {} +status: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: The resource is up to date + reason: UpToDate + status: "True" + type: Ready + externalRef: //privilegedaccessmanager.googleapis.com/folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId} + observedGeneration: 1 + observedState: + createTime: "1970-01-01T00:00:00Z" + etag: abcdef123456 + state: AVAILABLE + updateTime: "1970-01-01T00:00:00Z" 
diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object03.yaml b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object03.yaml new file mode 100644 index 0000000000..16c9114f55 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/_object03.yaml 
@@ -0,0 +1,58 @@ +apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1beta1 +kind: PrivilegedAccessManagerEntitlement +metadata: + annotations: + cnrm.cloud.google.com/management-conflict-prevention-policy: none + cnrm.cloud.google.com/project-id: ${projectId} + finalizers: + - cnrm.cloud.google.com/finalizer + - cnrm.cloud.google.com/deletion-defender + generation: 2 + name: privilegedaccessmanagerentitlement-${uniqueId} + namespace: ${projectId} +spec: + additionalNotificationTargets: + adminEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + requesterEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvalWorkflow: + manualApprovals: + requireApproverJustification: false + steps: + - approvalsNeeded: 1 + approverEmailRecipients: + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvers: + - principals: + - group:kcc-eng@google.com + eligibleUsers: + - principals: + - serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + folderRef: + external: folders/123451001 + location: global + maxRequestDuration: 1800s + privilegedAccess: + gcpIAMAccess: + roleBindings: + - conditionExpression: request.time > timestamp("2019-12-31T12:00:00.000Z") + role: roles/pubsub.viewer + requesterJustificationConfig: + notMandatory: {} + resourceID: privilegedaccessmanagerentitlement-${uniqueId} +status: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: The resource is up to date + reason: UpToDate + status: "True" + type: Ready + externalRef: //privilegedaccessmanager.googleapis.com/folders/123451001/locations/global/entitlements/privilegedaccessmanagerentitlement-${uniqueId} + observedGeneration: 2 + observedState: + createTime: "1970-01-01T00:00:00Z" + etag: abcdef123456 + state: AVAILABLE + updateTime: "1970-01-01T00:00:00Z" 
diff --git a/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/script.yaml b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/script.yaml new file mode 100644 index 0000000000..3547e07285 --- /dev/null +++ b/tests/e2e/testdata/scenarios/privilegedaccessmanagerentitlement/project_no_change/script.yaml 
@@ -0,0 +1,108 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# 00 +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/project-id: ${projectId} + name: gsa-1-${uniqueId} +--- +# 01 +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/project-id: ${projectId} + name: gsa-2-${uniqueId} +--- +# 02 +apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1beta1 +kind: PrivilegedAccessManagerEntitlement +metadata: + name: privilegedaccessmanagerentitlement-${uniqueId} +spec: + folderRef: + external: folders/${TEST_FOLDER_ID} + location: global + maxRequestDuration: 1800s + privilegedAccess: + gcpIAMAccess: + roleBindings: + - role: roles/pubsub.viewer + conditionExpression: "request.time > timestamp(\"2019-12-31T12:00:00.000Z\")" + requesterJustificationConfig: + notMandatory: {} + eligibleUsers: + - principals: + - serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + additionalNotificationTargets: + adminEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + requesterEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvalWorkflow: + manualApprovals: + requireApproverJustification: false + steps: + - approvalsNeeded: 1 + approverEmailRecipients: + - 
gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvers: + - principals: + - group:kcc-eng@google.com +--- +# 03: Trigger the reconciliation with no change by setting `spec.resourceID`. +# This is to verify that when 'spec.approvalWorkflow.manualApprovals.requireApproverJustification' +# is set to the default value, 'false', and when it is reconciled without any +# change to the desired state, no diff will be detected. +# _http03.log should NOT contain a PATCH request. +apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1beta1 +kind: PrivilegedAccessManagerEntitlement +metadata: + name: privilegedaccessmanagerentitlement-${uniqueId} +spec: + folderRef: + external: folders/${TEST_FOLDER_ID} + location: global + maxRequestDuration: 1800s + privilegedAccess: + gcpIAMAccess: + roleBindings: + - role: roles/pubsub.viewer + conditionExpression: "request.time > timestamp(\"2019-12-31T12:00:00.000Z\")" + requesterJustificationConfig: + notMandatory: {} + eligibleUsers: + - principals: + - serviceAccount:gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + additionalNotificationTargets: + adminEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + requesterEmailRecipients: + - gsa-1-${uniqueId}@${projectId}.iam.gserviceaccount.com + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvalWorkflow: + manualApprovals: + requireApproverJustification: false + steps: + - approvalsNeeded: 1 + approverEmailRecipients: + - gsa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com + approvers: + - principals: + - group:kcc-eng@google.com + resourceID: privilegedaccessmanagerentitlement-${uniqueId}
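Review bot: The step-03 comment in script.yaml says a no-op reconcile must not produce a PATCH, but it does not record why a false diff is possible here, which is the thing a maintainer needs when the golden _http03.log drifts: in the recorded create request (_http02.log) the controller sends no `requireApproverJustification` field at all, and neither the create response nor the later GET returns one, so the spec's explicit `false` is being compared against an absent field on readback. I would extend the step-03 comment with a line such as `# The API omits requireApproverJustification when false (see _http02.log), so desired=false vs. observed=unset must not be treated as a diff.` Separately, `group:kcc-eng@google.com` is a hard-coded approver on an entitlement that the e2e run creates against a real folder; if the harness supports it, a placeholder like the existing `${TEST_FOLDER_ID}` would avoid tying the scenario to one organization's group. The read-only `roles/pubsub.viewer` binding is a sensible choice for keeping the test entitlement's blast radius minimal and is worth keeping as-is.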