Finish converting ACM resources to use policy mutex lock (#12735)

mmv1/products/accesscontextmanager/AccessLevel.yaml

@@ -39,6 +39,7 @@ self_link: '{{name}}'
 create_url: '{{parent}}/accessLevels'
 update_verb: 'PATCH'
 update_mask: true
+mutex: '{{parent}}'
 import_format:
   - '{{name}}'
 timeouts:

mmv1/products/accesscontextmanager/AccessLevelCondition.yaml

@@ -47,7 +47,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
-mutex: '{{access_level}}'
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{access_level}}'
  # no unique way to specify
@@ -78,6 +78,7 @@ nested_query:
   is_list_of_ids: false
   modify_by_patch: true
 custom_code:
+  encoder: 'templates/terraform/encoders/access_context_manager_access_level_condition.go.tmpl'
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under AccessLevel
 exclude_sweeper: true
@@ -248,3 +249,9 @@ properties:
               description: 'CIDR block IP subnetwork specification. Must be IPv4.'
               item_type:
                 type: String
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/AccessLevels.yaml

@@ -37,6 +37,7 @@ update_url: '{{parent}}/accessLevels:replaceAll'
 update_verb: 'POST'
 import_format:
   - '{{parent}}/accessLevels'
+mutex: '{{parent}}'
 timeouts:
   insert_minutes: 20
   update_minutes: 20

mmv1/products/accesscontextmanager/AccessPolicy.yaml

@@ -37,6 +37,7 @@ update_verb: 'PATCH'
 update_mask: true
 import_format:
   - '{{name}}'
+mutex: 'accessPolicies/{{name}}'
 timeouts:
   insert_minutes: 20
   update_minutes: 20

mmv1/products/accesscontextmanager/AuthorizedOrgsDesc.yaml

@@ -37,6 +37,7 @@ create_url: '{{parent}}/authorizedOrgsDescs'
 update_verb: 'PATCH'
 import_format:
   - '{{name}}'
+mutex: '{{parent}}'
 timeouts:
   insert_minutes: 20
   update_minutes: 20

mmv1/products/accesscontextmanager/EgressPolicy.yaml

@@ -28,6 +28,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{egress_policy_name}}/{{resource}}'
 timeouts:
@@ -51,6 +52,7 @@ nested_query:
   is_list_of_ids: true
   modify_by_patch: true
 custom_code:
+  encoder: 'templates/terraform/encoders/access_context_manager_egress_policy.go.tmpl'
   custom_import: 'templates/terraform/custom_import/access_context_manager_service_perimeter_egress_policy.go.tmpl'
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter/IngressPolicy
@@ -72,3 +74,9 @@ properties:
       A GCP resource that is inside of the service perimeter.
     required: true
     immutable: true
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/IngressPolicy.yaml

@@ -28,6 +28,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{ingress_policy_name}}/{{resource}}'
 timeouts:
@@ -51,6 +52,7 @@ nested_query:
   is_list_of_ids: true
   modify_by_patch: true
 custom_code:
+  encoder: 'templates/terraform/encoders/access_context_manager_ingress_policy.go.tmpl'
   custom_import: 'templates/terraform/custom_import/access_context_manager_service_perimeter_ingress_policy.go.tmpl'
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter/IngressPolicy
@@ -72,3 +74,9 @@ properties:
       A GCP resource that is inside of the service perimeter.
     required: true
     immutable: true
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/ServicePerimeter.yaml

@@ -47,7 +47,7 @@ self_link: '{{name}}'
 create_url: '{{parent}}/servicePerimeters'
 update_verb: 'PATCH'
 update_mask: true
-mutex: '{{name}}'
+mutex: '{{parent}}'
 import_format:
   - '{{name}}'
 timeouts:

mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml

@@ -43,7 +43,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
-mutex: '{{perimeter}}'
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{perimeter}}'
 exclude_import: true
@@ -70,6 +70,7 @@ nested_query:
   modify_by_patch: true
 custom_code:
   constants: 'templates/terraform/constants/access_context_manager.go.tmpl'
+  encoder: 'templates/terraform/encoders/access_context_manager_service_perimeter_dry_run_egress_policy.go.tmpl'
   pre_create: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
   pre_update: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
   pre_delete: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
@@ -194,3 +195,10 @@ properties:
                     description: |
                       Value for permission should be a valid Cloud IAM permission for the
                       corresponding `serviceName` in `ApiOperation`.
+    immutable: true
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml

@@ -44,7 +44,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
-mutex: '{{perimeter}}'
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{perimeter}}'
 exclude_import: true
@@ -71,6 +71,7 @@ nested_query:
   modify_by_patch: true
 custom_code:
   constants: 'templates/terraform/constants/access_context_manager.go.tmpl'
+  encoder: 'templates/terraform/encoders/access_context_manager_service_perimeter_dry_run_egress_policy.go.tmpl'
   pre_create: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
   pre_update: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
   pre_delete: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
@@ -203,3 +204,9 @@ properties:
                     description: |
                       Value for permission should be a valid Cloud IAM permission for the
                       corresponding `serviceName` in `ApiOperation`.
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/ServicePerimeterDryRunResource.yaml

@@ -43,7 +43,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
-mutex: '{{perimeter_name}}'
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{perimeter_name}}/{{resource}}'
 timeouts:
@@ -67,6 +67,7 @@ nested_query:
   is_list_of_ids: true
   modify_by_patch: true
 custom_code:
+  encoder: 'templates/terraform/encoders/access_context_manager_service_perimeter_dry_run_resource.go.tmpl'
   pre_create: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
   pre_update: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
   pre_delete: 'templates/terraform/pre_create/access_context_manager_dry_run_resource.go.tmpl'
@@ -99,3 +100,9 @@ properties:
       Format: projects/{project_number}
     required: true
     immutable: true
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml

@@ -43,7 +43,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
-mutex: '{{perimeter}}'
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{perimeter}}'
 exclude_import: true
@@ -71,6 +71,7 @@ nested_query:
 custom_code:
   constants: 'templates/terraform/constants/access_context_manager.go.tmpl'
   custom_import: 'templates/terraform/custom_import/access_context_manager_service_perimeter_egress_policy.go.tmpl'
+  encoder: 'templates/terraform/encoders/access_context_manager_service_perimeter_egress_policy.go.tmpl'
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
@@ -192,3 +193,9 @@ properties:
                     description: |
                       Value for permission should be a valid Cloud IAM permission for the
                       corresponding `serviceName` in `ApiOperation`.
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml

@@ -44,7 +44,7 @@ create_verb: 'PATCH'
 update_mask: true
 delete_verb: 'PATCH'
 immutable: true
-mutex: '{{perimeter}}'
+mutex: '{{access_policy_id}}'
 import_format:
   - '{{perimeter}}'
 exclude_import: true
@@ -72,6 +72,7 @@ nested_query:
 custom_code:
   constants: 'templates/terraform/constants/access_context_manager.go.tmpl'
   custom_import: 'templates/terraform/custom_import/access_context_manager_service_perimeter_ingress_policy.go.tmpl'
+  encoder: 'templates/terraform/encoders/access_context_manager_service_perimeter_ingress_policy.go.tmpl'
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
@@ -203,3 +204,9 @@ properties:
                     description: |
                       Value for permission should be a valid Cloud IAM permission for the
                       corresponding `serviceName` in `ApiOperation`.
+  - name: 'accessPolicyId'
+    type: String
+    description: |
+      The name of the Access Policy this resource belongs to.
+    ignore_read: true
+    output: true

mmv1/products/accesscontextmanager/ServicePerimeterResource.yaml

@@ -103,5 +103,4 @@ properties:
     description: |
       The name of the Access Policy this resource belongs to.
     ignore_read: true
-    immutable: true
     output: true

mmv1/products/accesscontextmanager/ServicePerimeters.yaml

@@ -30,6 +30,7 @@ base_url: '{{parent}}/servicePerimeters:replaceAll'
 self_link: '{{parent}}/servicePerimeters'
 update_url: '{{parent}}/servicePerimeters:replaceAll'
 update_verb: 'POST'
+mutex: '{{parent}}'
 import_format:
   - '{{parent}}/servicePerimeters'
 timeouts:

mmv1/templates/terraform/custom_import/access_context_manager_service_perimeter_egress_policy.go.tmpl

@@ -18,6 +18,9 @@
 		return nil, err
 	}
 
+	if err := d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts["accessPolicy"])); err != nil {
+		return nil, fmt.Errorf("Error setting access_policy_id: %s", err)
+	}
 	if err := d.Set("perimeter", fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", parts["accessPolicy"], parts["perimeter"])); err != nil {
 		return nil, fmt.Errorf("Error setting perimeter: %s", err)
 	}

mmv1/templates/terraform/custom_import/access_context_manager_service_perimeter_ingress_policy.go.tmpl

@@ -18,6 +18,9 @@
 		return nil, err
 	}
 
+	if err := d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts["accessPolicy"])); err != nil {
+		return nil, fmt.Errorf("Error setting access_policy_id: %s", err)
+	}
 	if err := d.Set("perimeter", fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", parts["accessPolicy"], parts["perimeter"])); err != nil {
 		return nil, fmt.Errorf("Error setting perimeter: %s", err)
 	}

mmv1/templates/terraform/encoders/access_context_manager_access_level_condition.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the access_level parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("access_level").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_egress_policy.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the egress_policy_name parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("egress_policy_name").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_ingress_policy.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the ingress_policy_name parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("ingress_policy_name").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_service_perimeter_dry_run_egress_policy.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the perimeter parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("perimeter").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_service_perimeter_dry_run_ingress_policy.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the perimeter parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("perimeter").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_service_perimeter_dry_run_resource.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the perimeter_name parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("perimeter_name").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_service_perimeter_egress_policy.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the perimeter parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("perimeter").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil

mmv1/templates/terraform/encoders/access_context_manager_service_perimeter_ingress_policy.go.tmpl

@@ -0,0 +1,8 @@
+// Set the access_policy_id field from part of the perimeter parameter.
+
+// The is logic is inside the encoder since the access_policy_id field is part of
+// the mutex lock and encoders run before the lock is set.
+parts := strings.Split(d.Get("perimeter").(string), "/")
+d.Set("access_policy_id", fmt.Sprintf("accessPolicies/%s", parts[1]))
+
+return obj, nil