Fixes and tests
Luca Prete committed Feb 9, 2024
1 parent b66d7c7 commit 3520b86
Showing 3 changed files with 70 additions and 9 deletions.
Expand Up @@ -228,8 +228,6 @@ func iamMemberToAccess(member string) (string, string, error) {
return "userByEmail", pieces[1], nil
case "serviceAccount":
return "userByEmail", pieces[1], nil
default:
return "", "", fmt.Errorf("Failed to parse BigQuery Dataset IAM member type: %s", member)
}
}
if member == "projectOwners" || member == "projectReaders" || member == "projectWriters" || member == "allAuthenticatedUsers" {
Expand Up @@ -9,7 +9,7 @@ import (
"github.com/hashicorp/terraform-provider-google/google/envvar"
)

func TestAccBigqueryDatasetIamMember_basic(t *testing.T) {
func TestAccBigqueryDatasetIamMember_serviceAccount(t *testing.T) {
t.Parallel()

datasetID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
Expand All @@ -25,27 +25,55 @@ func TestAccBigqueryDatasetIamMember_basic(t *testing.T) {
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
Steps: []resource.TestStep{
{
Config: testAccBigqueryDatasetIamMember_basic(datasetID, saID),
Config: testAccBigqueryDatasetIamMember_serviceAccount(datasetID, saID),
Check: testAccCheckBigQueryDatasetAccessPresent(t, "google_bigquery_dataset.dataset", expected),
},
{
// Destroy step instead of CheckDestroy so we can check the access is removed without deleting the dataset
Config: testAccBigqueryDatasetIamMember_destroy(datasetID, "dataset"),
Config: testAccBigqueryDatasetIamMember_destroy(datasetID),
Check: testAccCheckBigQueryDatasetAccessAbsent(t, "google_bigquery_dataset.dataset", expected),
},
},
})
}

func testAccBigqueryDatasetIamMember_destroy(datasetID, rs string) string {
func TestAccBigqueryDatasetIamMember_iamMember(t *testing.T) {
t.Parallel()

datasetID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
wifIDs := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))

expected := map[string]interface{}{
"role": "roles/viewer",
"iamMember": fmt.Sprintf("principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/test", envvar.GetTestProjectNumberFromEnv(), wifIDs),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
Steps: []resource.TestStep{
{
Config: testAccBigqueryDatasetIamMember_iamMember(datasetID, wifIDs),
Check: testAccCheckBigQueryDatasetAccessPresent(t, "google_bigquery_dataset.dataset", expected),
},
{
// Destroy step instead of CheckDestroy so we can check the access is removed without deleting the dataset
Config: testAccBigqueryDatasetIamMember_destroy(datasetID),
Check: testAccCheckBigQueryDatasetAccessAbsent(t, "google_bigquery_dataset.dataset", expected),
},
},
})
}

func testAccBigqueryDatasetIamMember_destroy(datasetID string) string {
return fmt.Sprintf(`
resource "google_bigquery_dataset" "%s" {
resource "google_bigquery_dataset" "dataset" {
dataset_id = "%s"
}
`, rs, datasetID)
`, datasetID)
}

func testAccBigqueryDatasetIamMember_basic(datasetID, saID string) string {
func testAccBigqueryDatasetIamMember_serviceAccount(datasetID, saID string) string {
return fmt.Sprintf(`
resource "google_bigquery_dataset_iam_member" "access" {
dataset_id = google_bigquery_dataset.dataset.dataset_id
Expand All @@ -62,3 +90,32 @@ resource "google_service_account" "bqviewer" {
}
`, datasetID, saID)
}

func testAccBigqueryDatasetIamMember_iamMember(datasetID, wifIDs string) string {
return fmt.Sprintf(`
resource "google_bigquery_dataset_iam_member" "access" {
dataset_id = google_bigquery_dataset.dataset.dataset_id
role = "roles/viewer"
member = "iamMember:principal://iam.googleapis.com/${google_iam_workload_identity_pool.wif_pool.name}/subject/test"
}
resource "google_bigquery_dataset" "dataset" {
dataset_id = "%s"
}
resource "google_iam_workload_identity_pool" "wif_pool" {
workload_identity_pool_id = "%s"
}
resource "google_iam_workload_identity_pool_provider" "wif_provider" {
workload_identity_pool_id = google_iam_workload_identity_pool.wif_pool.workload_identity_pool_id
workload_identity_pool_provider_id = "%s"
attribute_mapping = {
"google.subject" = "assertion.sub"
}
oidc {
issuer_uri = "https://issuer-uri.com"
}
}
`, datasetID, wifIDs, wifIDs)
}
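Review bot: The `expected["iamMember"]` value in the second hunk of this file is assembled by hand from `envvar.GetTestProjectNumberFromEnv()` and `wifIDs`, while the `member =` line in this hunk derives the principal from `google_iam_workload_identity_pool.wif_pool.name`; the access check therefore passes only if the pool is created in the project whose number that env var holds and the pool's `name` attribute has the `projects/<number>/locations/global/workloadIdentityPools/<id>` shape, neither of which the test states. A one-line comment above the `expected` map, `// must mirror the pool's name attribute interpolated into the HCL below`, would make that coupling visible when the test fails. The `google_iam_workload_identity_pool_provider` block in this hunk is not referenced by the IAM member; if it exists only because the pool must have a provider before the principal is accepted, a short comment saying so would stop the next reader from deleting it as dead config, and if it is not needed the test gets shorter without it. Passing `wifIDs` twice so the pool and provider share one ID is fine, but a comment on the `fmt.Sprintf` call, `// pool and provider share the same ID`, spares the reader from counting verbs.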
6 changes: 6 additions & 0 deletions mmv1/third_party/terraform/tpgiamresource/iam.go.erb
Expand Up @@ -267,13 +267,19 @@ func iamMemberIsCaseSensitive(member string) bool {
// so lowercase the value unless iamMemberIsCaseSensitive and leave the type alone
// since Dec '19 members can be prefixed with "deleted:" to indicate the principal
// has been deleted

func normalizeIamMemberCasing(member string) string {
var pieces []string
if strings.HasPrefix(member, "deleted:") {
pieces = strings.SplitN(member, ":", 3)
if len(pieces) > 2 && !iamMemberIsCaseSensitive(strings.TrimPrefix(member, "deleted:")) {
pieces[2] = strings.ToLower(pieces[2])
}
} else if strings.HasPrefix(member, "iamMember:") {
pieces = strings.SplitN(member, ":", 3)
if len(pieces) > 2 && !iamMemberIsCaseSensitive(strings.TrimPrefix(member, "iamMember:")) {
pieces[2] = strings.ToLower(pieces[2])
}
} else if !iamMemberIsCaseSensitive(member) {
pieces = strings.SplitN(member, ":", 2)
if len(pieces) > 1 {
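Review bot: The comment block above `normalizeIamMemberCasing` still describes only the `deleted:` prefix although the new `else if strings.HasPrefix(member, "iamMember:")` branch introduces a second prefixed form, and the blank line between that comment and the `func` line detaches it from the function as a doc comment (if that blank line is part of this change, drop it). Extend the comment with `// members can also be prefixed with "iamMember:" for principal:// identities; the prefix is kept and only the trailing value is normalized` and attach it directly to the function. The new branch is a verbatim copy of the `deleted:` branch with the prefix swapped, so both can share one body (fence below), which keeps the two prefixes from drifting apart in later edits. Whether the `//iam.googleapis.com/...` remainder of an `iamMember:principal://...` member is lowercased depends on `iamMemberIsCaseSensitive` recognizing the `principal:`-style value handed to it, which is not visible here; since the subject segment of a principal identifier is case-sensitive, a unit test with a mixed-case `iamMember:principal://...` member would pin that the identity is not altered. The function's tail, where `pieces` is presumably joined back together, lies outside the hunk.
```go
func normalizeIamMemberCasing(member string) string {
	var pieces []string
	switch {
	case strings.HasPrefix(member, "deleted:"), strings.HasPrefix(member, "iamMember:"):
		// "<prefix>:<kind>:<value>": normalize only the part after the second colon,
		// and only when the "<kind>:<value>" remainder is not case-sensitive.
		pieces = strings.SplitN(member, ":", 3)
		if len(pieces) > 2 && !iamMemberIsCaseSensitive(strings.Join(pieces[1:], ":")) {
			pieces[2] = strings.ToLower(pieces[2])
		}
	case !iamMemberIsCaseSensitive(member):
		pieces = strings.SplitN(member, ":", 2)
		// … unchanged: two-piece lowercase and the rest of the function …
```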
