From 3ea7fe8f06572e27c98b98ccbc3d343450f004ac Mon Sep 17 00:00:00 2001
From: Dana Hoffman
Date: Wed, 22 Jan 2020 16:53:18 -0800
Subject: [PATCH] read/write iam policies at version 3 in GA provider (#3003)
Merged PR #3003.
---
build/terraform | 2 +-
templates/terraform/iam_policy.go.erb | 6 ++----
.../resources/resource_google_project_iam_policy.go.erb | 7 -------
.../terraform/resources/resource_iam_binding.go.erb | 2 --
third_party/terraform/resources/resource_iam_member.go.erb | 2 --
third_party/terraform/resources/resource_iam_policy.go.erb | 4 ----
.../tests/resource_google_service_account_iam_test.go.erb | 4 ----
third_party/terraform/utils/iam.go.erb | 4 ----
third_party/terraform/utils/iam_kms_crypto_key.go.erb | 4 ----
third_party/terraform/utils/iam_kms_key_ring.go.erb | 4 ----
third_party/terraform/utils/iam_project.go.erb | 5 -----
third_party/terraform/utils/iam_service_account.go.erb | 4 ----
12 files changed, 3 insertions(+), 45 deletions(-)
diff --git a/build/terraform b/build/terraform
index fef24138a615..e47132abd91f 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit fef24138a6158b7fa7bd06156dc3a89c6ce233de
+Subproject commit e47132abd91fd0410dbc8b4b55fef833ea302657
diff --git a/templates/terraform/iam_policy.go.erb b/templates/terraform/iam_policy.go.erb
index 5d2b8093dc34..73dd24c3b230 100644
--- a/templates/terraform/iam_policy.go.erb
+++ b/templates/terraform/iam_policy.go.erb
@@ -178,19 +178,17 @@ func (u *<%= resource_name -%>IamUpdater) GetResourceIamPolicy() (*cloudresource } <% end -%> var obj map[string]interface{} -<% unless version == 'ga' -%> -<% if object.iam_policy.iam_conditions_request_type == :QUERY_PARAM -%> +<% if object.iam_policy.iam_conditions_request_type == :QUERY_PARAM -%> url, err = addQueryParams(url, map[string]string{"optionsRequestedPolicyVersion": fmt.Sprintf("%d", iamPolicyVersion)}) if err != nil { return nil, err } -<% elsif object.iam_policy.iam_conditions_request_type == :REQUEST_BODY -%> +<% elsif object.iam_policy.iam_conditions_request_type == :REQUEST_BODY -%> obj = map[string]interface{}{ "options": map[string]interface{}{ "requestedPolicyVersion": iamPolicyVersion, }, } -<% end -%> <% end -%> policy, err := sendRequest(u.Config, "<%= object.iam_policy.fetch_iam_policy_verb.to_s.upcase -%>", <% if resource_params.include?('project') %>project<% else %>""<% end %>, url, obj<%= object.error_retry_predicates ? ", " + object.error_retry_predicates.join(',') : "" -%>) diff --git a/third_party/terraform/resources/resource_google_project_iam_policy.go.erb b/third_party/terraform/resources/resource_google_project_iam_policy.go.erb index 2166903b99ef..820937a43c41 100644 --- a/third_party/terraform/resources/resource_google_project_iam_policy.go.erb +++ b/third_party/terraform/resources/resource_google_project_iam_policy.go.erb @@ -142,10 +142,8 @@ func resourceGoogleProjectIamPolicyImport(d *schema.ResourceData, meta interface } func setProjectIamPolicy(policy *cloudresourcemanager.Policy, config *Config, pid string) error { -<% unless version == 'ga' -%> policy.Version = iamPolicyVersion -<% end -%> // Apply the policy pbytes, _ := json.Marshal(policy) log.Printf("[DEBUG] Setting policy %#v for project: %s", string(pbytes), pid) 
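Review bot: The `<% if … == :QUERY_PARAM -%>` / `<% elsif … == :REQUEST_BODY -%>` chain in GetResourceIamPolicy has no fallback branch, so a resource whose `iam_conditions_request_type` is neither value is generated with a read that requests no policy version at all. The shared write paths touched elsewhere in this patch (for example `ep.Version = iamPolicyVersion` in resource_iam_binding.go.erb) now always write at version 3, so such a resource would presumably read at the API default and write at 3. That mismatch is worth confirming for any resource that can hold conditional bindings. If the gap is intentional, a template comment would record it, e.g. `<%# resources without iam_conditions_request_type read at the API's default policy version -%>`. The function body starts and ends outside this hunk.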
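Review bot: `policy.Version = iamPolicyVersion` in setProjectIamPolicy is one of five write sites that each set the version by hand. The others are the `modifyF` closures in resource_iam_binding.go.erb and resource_iam_member.go.erb, plus ResourceIamPolicyDelete and setIamPolicyData in resource_iam_policy.go.erb. A write path added later that omits the assignment would submit bindings, including conditional ones, without the version this patch relies on. Setting the field in one place, such as each updater's SetResourceIamPolicy (not visible in this patch) or a small shared helper, would make the invariant hard to miss.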
@@ -171,17 +169,12 @@ func getResourceIamPolicy(d *schema.ResourceData) (*cloudresourcemanager.Policy, // Retrieve the existing IAM Policy for a Project func getProjectIamPolicy(project string, config *Config) (*cloudresourcemanager.Policy, error) { -<% if version == 'ga' -%> - p, err := config.clientResourceManager.Projects.GetIamPolicy(project, - &cloudresourcemanager.GetIamPolicyRequest{}).Do() -<% else -%> p, err := config.clientResourceManager.Projects.GetIamPolicy(project, &cloudresourcemanager.GetIamPolicyRequest{ Options: &cloudresourcemanager.GetPolicyOptions{ RequestedPolicyVersion: iamPolicyVersion, }, }).Do() -<% end -%> if err != nil { return nil, fmt.Errorf("Error retrieving IAM policy for project %q: %s", project, err) diff --git a/third_party/terraform/resources/resource_iam_binding.go.erb b/third_party/terraform/resources/resource_iam_binding.go.erb index 7241339b249d..f429eccebad1 100644 --- a/third_party/terraform/resources/resource_iam_binding.go.erb +++ b/third_party/terraform/resources/resource_iam_binding.go.erb @@ -94,9 +94,7 @@ func resourceIamBindingCreateUpdate(newUpdaterFunc newResourceIamUpdaterFunc, en modifyF := func(ep *cloudresourcemanager.Policy) error { cleaned := filterBindingsWithRoleAndCondition(ep.Bindings, binding.Role, binding.Condition) ep.Bindings = append(cleaned, binding) -<% unless version == 'ga' -%> ep.Version = iamPolicyVersion -<% end -%> return nil } diff --git a/third_party/terraform/resources/resource_iam_member.go.erb b/third_party/terraform/resources/resource_iam_member.go.erb index 86fa3463a82c..837c036afd17 100644 --- a/third_party/terraform/resources/resource_iam_member.go.erb +++ b/third_party/terraform/resources/resource_iam_member.go.erb 
@@ -185,9 +185,7 @@ func resourceIamMemberCreate(newUpdaterFunc newResourceIamUpdaterFunc, enableBat modifyF := func(ep *cloudresourcemanager.Policy) error { // Merge the bindings together ep.Bindings = mergeBindings(append(ep.Bindings, memberBind)) -<% unless version == 'ga' -%> ep.Version = iamPolicyVersion -<% end -%> return nil } if enableBatching { diff --git a/third_party/terraform/resources/resource_iam_policy.go.erb b/third_party/terraform/resources/resource_iam_policy.go.erb index b4637227e228..de103eb6ed41 100644 --- a/third_party/terraform/resources/resource_iam_policy.go.erb +++ b/third_party/terraform/resources/resource_iam_policy.go.erb @@ -120,9 +120,7 @@ func ResourceIamPolicyDelete(newUpdaterFunc newResourceIamUpdaterFunc) schema.De if v, ok := d.GetOk("etag"); ok { pol.Etag = v.(string) } -<% unless version == 'ga' -%> pol.Version = iamPolicyVersion -<% end -%> err = updater.SetResourceIamPolicy(pol) if err != nil { return err @@ -137,9 +135,7 @@ func setIamPolicyData(d *schema.ResourceData, updater ResourceIamUpdater) error if err != nil { return fmt.Errorf("'policy_data' is not valid for %s: %s", updater.DescribeResource(), err) } -<% unless version == 'ga' -%> policy.Version = iamPolicyVersion -<% end -%> err = updater.SetResourceIamPolicy(policy) if err != nil { diff --git a/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb b/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb index 0cc6e7fab48d..35c7be01725e 100644 --- a/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb +++ b/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb 
@@ -224,11 +224,7 @@ func TestAccServiceAccountIamPolicy_withCondition(t *testing.T) { func testAccCheckGoogleServiceAccountIam(account string, numBindings int) resource.TestCheckFunc { return func(s *terraform.State) error { config := testAccProvider.Meta().(*Config) -<% if version == 'ga' -%> - p, err := config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(serviceAccountCanonicalId(account)).Do() -<% else -%> p, err := config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(serviceAccountCanonicalId(account)).OptionsRequestedPolicyVersion(iamPolicyVersion).Do() -<% end -%> if err != nil { return err } diff --git a/third_party/terraform/utils/iam.go.erb b/third_party/terraform/utils/iam.go.erb index 31c0bd465b1f..b02f7fe273d0 100644 --- a/third_party/terraform/utils/iam.go.erb +++ b/third_party/terraform/utils/iam.go.erb @@ -16,9 +16,7 @@ import ( ) const maxBackoffSeconds = 30 -<% unless version == 'ga' -%> const iamPolicyVersion = 3 -<% end -%> // These types are implemented per GCP resource type and specify how to do per-resource IAM operations. // They are used in the generic Terraform IAM resource definitions @@ -276,7 +274,6 @@ func listFromIamBindingMap(bm map[iamBindingKey]map[string]struct{}) []*cloudres Role: key.Role, Members: stringSliceFromGolangSet(members), } -<% unless version == 'ga' -%> if !key.Condition.Empty() { b.Condition = &cloudresourcemanager.Expr{ Description: key.Condition.Description, @@ -284,7 +281,6 @@ func listFromIamBindingMap(bm map[iamBindingKey]map[string]struct{}) []*cloudres Title: key.Condition.Title, } } -<% end -%> rb = append(rb, b) } return rb diff --git a/third_party/terraform/utils/iam_kms_crypto_key.go.erb b/third_party/terraform/utils/iam_kms_crypto_key.go.erb index 73afe8365471..d6527fa2ea08 100644 --- a/third_party/terraform/utils/iam_kms_crypto_key.go.erb +++ b/third_party/terraform/utils/iam_kms_crypto_key.go.erb 
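Review bot: In the iam.go.erb hunk, `const iamPolicyVersion = 3` is now compiled into the GA provider as well, but it has no comment saying why the value is 3 or that both reads and writes depend on it. A doc comment would help, for instance `// iamPolicyVersion is the policy version requested on IAM reads and set on IAM writes; version 3 is the one that carries binding conditions.` A reader of a later change then knows that lowering the value, or skipping it on one path, affects the `b.Condition` handling this patch un-gates in listFromIamBindingMap.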
@@ -48,11 +48,7 @@ func CryptoIdParseFunc(d *schema.ResourceData, config *Config) error { } func (u *KmsCryptoKeyIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) { -<% if version == 'ga' -%> - p, err := u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.GetIamPolicy(u.resourceId).Do() -<% else -%> p, err := u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.GetIamPolicy(u.resourceId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do() -<% end -%> if err != nil { return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err) diff --git a/third_party/terraform/utils/iam_kms_key_ring.go.erb b/third_party/terraform/utils/iam_kms_key_ring.go.erb index 85c7afb6517f..b0e270195b65 100644 --- a/third_party/terraform/utils/iam_kms_key_ring.go.erb +++ b/third_party/terraform/utils/iam_kms_key_ring.go.erb @@ -49,11 +49,7 @@ func KeyRingIdParseFunc(d *schema.ResourceData, config *Config) error { } func (u *KmsKeyRingIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) { -<% if version == 'ga' -%> - p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).Do() -<% else -%> p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do() -<% end -%> if err != nil { return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err) diff --git a/third_party/terraform/utils/iam_project.go.erb b/third_party/terraform/utils/iam_project.go.erb index 6e2736a5d49b..1146b5cd316f 100644 --- a/third_party/terraform/utils/iam_project.go.erb +++ b/third_party/terraform/utils/iam_project.go.erb 
@@ -43,17 +43,12 @@ func ProjectIdParseFunc(d *schema.ResourceData, _ *Config) error { } func (u *ProjectIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) { -<% if version == 'ga' -%> - p, err := u.Config.clientResourceManager.Projects.GetIamPolicy(u.resourceId, - &cloudresourcemanager.GetIamPolicyRequest{}).Do() -<% else -%> p, err := u.Config.clientResourceManager.Projects.GetIamPolicy(u.resourceId, &cloudresourcemanager.GetIamPolicyRequest{ Options: &cloudresourcemanager.GetPolicyOptions{ RequestedPolicyVersion: iamPolicyVersion, }, }).Do() -<% end -%> if err != nil { return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err) diff --git a/third_party/terraform/utils/iam_service_account.go.erb b/third_party/terraform/utils/iam_service_account.go.erb index 93e456d71352..2a03789939ed 100644 --- a/third_party/terraform/utils/iam_service_account.go.erb +++ b/third_party/terraform/utils/iam_service_account.go.erb @@ -37,11 +37,7 @@ func ServiceAccountIdParseFunc(d *schema.ResourceData, _ *Config) error { } func (u *ServiceAccountIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) { -<% if version == 'ga' -%> - p, err := u.Config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(u.serviceAccountId).Do() -<% else -%> p, err := u.Config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(u.serviceAccountId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do() -<% end -%> if err != nil { return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)