add backend bucket signed url key test

products/compute/ansible.yaml

@@ -26,6 +26,8 @@ manifest: !ruby/object:Provider::Ansible::Manifest
 datasources: !ruby/object:Overrides::ResourceOverrides
   Autoscaler: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
+  BackendBucketSignedUrlKey: !ruby/object:Overrides::Ansible::ResourceOverride
+    exclude: true
   Snapshot: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
   ManagedSslCertificate: !ruby/object:Overrides::Ansible::ResourceOverride
@@ -211,9 +213,11 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       - 'products/compute/helpers/python/provider_target_pool.py'
   TargetVpnGateway: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: false
-  # Not yet implemented.
+  # Not yet implemented
   Autoscaler: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
+  BackendBucketSignedUrlKey: !ruby/object:Overrides::Ansible::ResourceOverride
+    exclude: true
   RegionAutoscaler: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
   Snapshot: !ruby/object:Overrides::Ansible::ResourceOverride

products/compute/api.yaml

@@ -205,12 +205,45 @@ objects:
       guides:
         'Using a Cloud Storage bucket as a load balancer backend': 'https://cloud.google.com/compute/docs/load-balancing/http/backend-bucket'
       api: 'https://cloud.google.com/compute/docs/reference/v1/backendBuckets'
-<%= indent(compile_file({}, 'templates/global_async.yaml.erb'), 4) %>
+    async: !ruby/object:Api::Async
+      operation: !ruby/object:Api::Async::Operation
+        kind: 'compute#operation'
+        path: 'name'
+        base_url: 'projects/{{project}}/global/operations/{{op_id}}'
+        wait_ms: 1000
+      result: !ruby/object:Api::Async::Result
+        path: 'targetLink'
+      status: !ruby/object:Api::Async::Status
+        path: 'status'
+        complete: 'DONE'
+        allowed:
+          - 'PENDING'
+          - 'RUNNING'
+          - 'DONE'
+      error: !ruby/object:Api::Async::Error
+        path: 'error/errors'
+        message: 'message'
     properties:
       - !ruby/object:Api::Type::String
         name: 'bucketName'
         description: 'Cloud Storage bucket name.'
         required: true
+      - !ruby/object:Api::Type::NestedObject
+        name: 'cdnPolicy'
+        description: 'Cloud CDN configuration for this Backend Bucket.'
+        properties:
+        - !ruby/object:Api::Type::Integer
+          name: 'signedUrlCacheMaxAgeSec'
+          default_value: 3600
+          description: |
+            Maximum number of seconds the response to a signed URL request will
+            be considered fresh. Defaults to 1hr (3600s). After this time period,
+            the response will be revalidated before being served.
+            When serving responses to signed URL requests,
+            Cloud CDN will internally behave as though
+            all responses from this backend had a "Cache-Control: public,
+            max-age=[TTL]" header, regardless of any existing Cache-Control
+            header. The actual headers served in responses will not be altered.
       - !ruby/object:Api::Type::Time
         name: 'creationTimestamp'
         description: 'Creation timestamp in RFC3339 text format.'
@@ -239,6 +272,73 @@ objects:
           last character, which cannot be a dash.
         input: true
         required: true
+  - !ruby/object:Api::Resource
+    name: 'BackendBucketSignedUrlKey'
+    kind: 'compute#BackendBucketSignedUrlKey'
+    input: true
+    base_url: projects/{{project}}/global/backendBuckets/{{backend_bucket}}
+    create_url: projects/{{project}}/global/backendBuckets/{{backend_bucket}}/addSignedUrlKey
+    create_verb: :POST
+    delete_url: projects/{{project}}/global/backendBuckets/{{backend_bucket}}/deleteSignedUrlKey?keyName={{name}}
+    delete_verb: :POST
+    self_link: projects/{{project}}/global/backendBuckets/{{backend_bucket}}
+    nested_decoder: !ruby/object:Api::Resource::NestedDecoder
+      keys:
+        - cdnPolicy
+        - signedUrlKeyNames
+      has_id_only_list: true
+    identity:
+      - name
+    description: |
+      A key for signing Cloud CDN signed URLs for BackendBuckets.
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Using Signed URLs': 'https://cloud.google.com/cdn/docs/using-signed-urls/'
+      api: 'https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets'
+    async: !ruby/object:Api::Async
+      operation: !ruby/object:Api::Async::Operation
+        kind: 'compute#operation'
+        path: 'name'
+        base_url: 'projects/{{project}}/global/operations/{{op_id}}'
+        wait_ms: 1000
+      result: !ruby/object:Api::Async::Result
+        path: 'targetLink'
+      status: !ruby/object:Api::Async::Status
+        path: 'status'
+        complete: 'DONE'
+        allowed:
+          - 'PENDING'
+          - 'RUNNING'
+          - 'DONE'
+      error: !ruby/object:Api::Async::Error
+        path: 'error/errors'
+        message: 'message'
+    transport: !ruby/object:Api::Resource::Transport
+      decoder: decode_response
+    parameters:
+      - !ruby/object:Api::Type::ResourceRef
+        name: 'backendBucket'
+        resource: 'BackendBucket'
+        imports: 'name'
+        description: |
+          The backend bucket this signed URL key belongs.
+        required: true
+        input: true
+    properties:
+      - !ruby/object:Api::Type::String
+        name: 'name'
+        api_name: 'keyName'
+        description: |
+          Name of the signed URL key.
+        required: true
+        input: true
+      - !ruby/object:Api::Type::String
+        name: 'keyValue'
+        description: |
+          128-bit key value used for signing the URL. The key value must be a
+          valid RFC 4648 Section 5 base64url encoded string.
+        required: true
+        input: true
   - !ruby/object:Api::Resource
     name: 'BackendService'
     kind: 'compute#backendService'
@@ -250,7 +350,24 @@ objects:
     description: |
       Creates a BackendService resource in the specified project using the data
       included in the request.
-<%= indent(compile_file({}, 'templates/global_async.yaml.erb'), 4) %>
+    async: !ruby/object:Api::Async
+      operation: !ruby/object:Api::Async::Operation
+        kind: 'compute#operation'
+        path: 'name'
+        base_url: 'projects/{{project}}/global/operations/{{op_id}}'
+        wait_ms: 1000
+      result: !ruby/object:Api::Async::Result
+        path: 'targetLink'
+      status: !ruby/object:Api::Async::Status
+        path: 'status'
+        complete: 'DONE'
+        allowed:
+          - 'PENDING'
+          - 'RUNNING'
+          - 'DONE'
+      error: !ruby/object:Api::Async::Error
+        path: 'error/errors'
+        message: 'message'
     properties:
       - !ruby/object:Api::Type::Integer
         name: 'affinityCookieTtlSec'
@@ -408,6 +525,20 @@ objects:
                   '&' and '=' will be percent encoded and not treated as
                   delimiters.
                 item_type: Api::Type::String
+          - !ruby/object:Api::Type::Integer
+            name: 'signedUrlCacheMaxAgeSec'
+            default_value: 3600
+            description: |
+              Maximum number of seconds the response to a signed URL request
+              will be considered fresh, defaults to 1hr (3600s). After this
+              time period, the response will be revalidated before
+              being served.
+
+              When serving responses to signed URL requests, Cloud CDN will
+              internally behave as though all responses from this backend had a
+              "Cache-Control: public, max-age=[TTL]" header, regardless of any
+              existing Cache-Control header. The actual headers served in
+              responses will not be altered.
       - !ruby/object:Api::Type::NestedObject
         name: 'connectionDraining'
         description: 'Settings for connection draining'

products/compute/inspec.yaml

@@ -21,6 +21,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     exclude: true
   BackendBucket: !ruby/object:Overrides::Inspec::ResourceOverride
     exclude: true
+  BackendBucketSignedUrlKey: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
   DiskType: !ruby/object:Overrides::Inspec::ResourceOverride
     exclude: true
   Firewall: !ruby/object:Overrides::Inspec::ResourceOverride

products/compute/terraform.yaml

@@ -138,6 +138,35 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       name: !ruby/object:Overrides::Terraform::PropertyOverride
         validation: !ruby/object:Provider::Terraform::Validation
           regex: '^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$'
+      cdnPolicy: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
+  BackendBucketSignedUrlKey: !ruby/object:Overrides::Terraform::ResourceOverride
+    exclude_import: true
+    mutex: signedUrlKey/{{project}}/backendBuckets/{{backend_bucket}}/
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "backend_bucket_signed_url_key"
+        primary_resource_id: "backend_key"
+        vars:
+          key_name: "test-key"
+          backend_name: "test-signed-backend-bucket"
+          bucket_name: "test-storage-bucket"
+        skip_test: true
+    properties:
+      backendBucket: !ruby/object:Overrides::Terraform::PropertyOverride
+        ignore_read: true
+      name: !ruby/object:Overrides::Terraform::PropertyOverride
+        validation: !ruby/object:Provider::Terraform::Validation
+          regex: '^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$'
+      keyValue: !ruby/object:Overrides::Terraform::PropertyOverride
+        sensitive: true
+        ignore_read: true
+    docs: !ruby/object:Provider::Terraform::Docs
+      warning: |
+        All arguments including the key's value will be stored in the raw
+        state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
+        Because the API does not return the sensitive key value,
+        we cannot confirm or reverse changes to a key outside of Terraform.
   BackendService: !ruby/object:Overrides::Terraform::ResourceOverride
     exclude: true
   Disk: !ruby/object:Overrides::Terraform::ResourceOverride

templates/terraform/decoders/backend_signed_url_key.go.erb

@@ -0,0 +1,29 @@
+keyName := d.Get("name").(string)
+
+policyRaw, ok := res["cdnPolicy"]
+if !ok {
+  return nil, nil
+}
+
+policy := policyRaw.(map[string]interface{})
+keyNames, ok := policy["signedUrlKeyNames"]
+if !ok {
+  keyNames = make([]interface{}, 0)
+}
+
+// Because the sensitive key value is not returned, all we can do is verify a
+// key with this name exists and assume the key value hasn't been changed.
+for _, k := range keyNames.([]interface{}) {
+  if keyName == k.(string) {
+    // Just return partial map to indicate key was found
+    return map[string]interface{}{
+      "keyName": keyName,
+    }, nil
+  }
+}
+
+// If not found, the key doesn't exist anymore
+log.Printf("[WARN] Removing SignedUrlKey %q because it's gone", d.Id())
+d.SetId("")
+
+return nil, nil

templates/terraform/examples/backend_bucket_signed_url_key.tf.erb

@@ -0,0 +1,17 @@
+resource "google_compute_backend_bucket_signed_url_key" "backend_key" {
+  name           = "<%= ctx[:vars]['key_name'] %>"
+  key_value      = "pPsVemX8GM46QVeezid6Rw=="
+  backend_bucket = "${google_compute_backend_bucket.test_backend.name}"
+}
+
+resource "google_compute_backend_bucket" "test_backend" {
+  name        = "<%= ctx[:vars]['backend_name'] %>"
+  description = "Contains beautiful images"
+  bucket_name = "${google_storage_bucket.bucket.name}"
+  enable_cdn  = true
+}
+
+resource "google_storage_bucket" "bucket" {
+  name     = "<%= ctx[:vars]['bucket_name'] %>"
+  location = "EU"
+}