split iam and iambeta product

GoogleCloudPlatform · Oct 16, 2020 · e73a919 · e73a919
1 parent 771269d
commit e73a919
Show file tree

Hide file tree

Showing 10 changed files with 113 additions and 108 deletions.
diff --git a/products/iam/ansible.yaml b/products/iam/ansible.yaml
@@ -24,8 +24,6 @@ datasources: !ruby/object:Overrides::ResourceOverrides
     exclude: true
   OrganizationCustomRole: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
-  WorkloadIdentityPool: !ruby/object:Overrides::Ansible::ResourceOverride
-    exclude: true
 overrides: !ruby/object:Overrides::ResourceOverrides
   Role: !ruby/object:Overrides::Ansible::ResourceOverride
     custom_code: !ruby/object:Provider::Ansible::CustomCode
@@ -48,8 +46,6 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       has_autogenerated_test: false
   OrganizationCustomRole: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
-  WorkloadIdentityPool: !ruby/object:Overrides::Ansible::ResourceOverride
-    exclude: true
 files: !ruby/object:Provider::Config::Files
   resource:
 <%= lines(indent(compile('provider/ansible/resource~compile.yaml'), 4)) -%>
diff --git a/products/iam/api.yaml b/products/iam/api.yaml
@@ -20,9 +20,6 @@ versions:
   - !ruby/object:Api::Product::Version
     name: ga
     base_url: https://iam.googleapis.com/v1/
-  - !ruby/object:Api::Product::Version
-    name: beta
-    base_url: https://iam.googleapis.com/v1beta/
 scopes:
   - https://www.googleapis.com/auth/iam
 apis_required:
@@ -198,75 +195,4 @@ objects:
       - !ruby/object:Api::Type::Boolean
         name: 'deleted'
         description: The current deleted state of the role
-        output: true
-  - !ruby/object:Api::Resource
-    name: 'WorkloadIdentityPool'
-    min_version: beta
-    base_url: projects/{{project}}/locations/global/workloadIdentityPools
-    create_url: projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}}
-    description: |
-      Represents a collection of external workload identities. You can define IAM policies to
-      grant these identities access to Google Cloud resources.
-    update_mask: true
-    async: !ruby/object:Api::OpAsync
-      operation: !ruby/object:Api::OpAsync::Operation
-        path: 'name'
-        base_url: '{{op_id}}'
-        wait_ms: 1000
-      result: !ruby/object:Api::OpAsync::Result
-        path: 'response'
-        resource_inside_response: true
-      status: !ruby/object:Api::OpAsync::Status
-        path: 'done'
-        complete: True
-        allowed:
-          - True
-          - False
-      error: !ruby/object:Api::OpAsync::Error
-        path: 'error'
-        message: 'message'
-    properties:
-      - !ruby/object:Api::Type::String
-         name: 'workloadIdentityPoolId'
-         description: |
-           The ID to use for the pool, which becomes the final component of the resource name. This
-           value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
-           `gcp-` is reserved for use by Google, and may not be specified.
-         required: true
-         input: true
-         url_param_only: true
-      - !ruby/object:Api::Type::Enum
-        name: 'state'
-        description: |
-          The state of the pool.
-          STATE_UNSPECIFIED: State unspecified.
-          ACTIVE: The pool is active, and may be used in Google Cloud policies.
-          DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
-          approximately 30 days. You can restore a soft-deleted pool using
-          UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
-          permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
-          use existing tokens to access resources. If the pool is undeleted, existing tokens grant
-          access again.
-        output: true
-        values:
-          - :STATE_UNSPECIFIED
-          - :ACTIVE
-          - :DELETED
-      - !ruby/object:Api::Type::String
-        name: 'displayName'
-        description: A display name for the pool. Cannot exceed 32 characters.
-      - !ruby/object:Api::Type::String
-        name: 'description'
-        description: A description of the pool. Cannot exceed 256 characters.
-      - !ruby/object:Api::Type::String
-        name: 'name'
-        description: |
-          The resource name of the pool as
-          `projects/<projectnumber>/locations/global/workloadIdentityPools/<id>`.
-        output: true
-      - !ruby/object:Api::Type::Boolean
-        name: 'disabled'
-        description: |
-          Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
-          existing tokens to access resources. If the pool is re-enabled, existing tokens grant
-          access again.
+        output: true
diff --git a/products/iam/inspec.yaml b/products/iam/inspec.yaml
@@ -46,6 +46,4 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     base_url: organizations/{{org_id}}/roles?view=FULL
     self_link: organizations/{{org_id}}/roles/{{name}}
     collection_url_key: roles
-    privileged: true
-  WorkloadIdentityPool: !ruby/object:Overrides::Inspec::ResourceOverride
-    exclude: true
+    privileged: true
diff --git a/products/iambeta/api.yaml b/products/iambeta/api.yaml
@@ -0,0 +1,81 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Product
+name: IAMBeta
+display_name: Cloud IAM
+versions:
+  - !ruby/object:Api::Product::Version
+    name: beta
+    base_url: https://iam.googleapis.com/v1beta/
+scopes:
+  - https://www.googleapis.com/auth/iam
+apis_required:
+  - !ruby/object:Api::Product::ApiReference
+    name: Identity and Access Management (IAM) API
+    url: https://console.cloud.google.com/apis/library/iam.googleapis.com/
+objects:
+  - !ruby/object:Api::Resource
+    name: 'WorkloadIdentityPool'
+    min_version: beta
+    base_url: projects/{{project}}/locations/global/workloadIdentityPools
+    create_url: projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}}
+    description: |
+      Represents a collection of external workload identities. You can define IAM policies to
+      grant these identities access to Google Cloud resources.
+    update_mask: true
+    properties:
+      - !ruby/object:Api::Type::String
+         name: 'workloadIdentityPoolId'
+         description: |
+           The ID to use for the pool, which becomes the final component of the resource name. This
+           value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+           `gcp-` is reserved for use by Google, and may not be specified.
+         required: true
+         input: true
+         url_param_only: true
+      - !ruby/object:Api::Type::Enum
+        name: 'state'
+        description: |
+          The state of the pool.
+          STATE_UNSPECIFIED: State unspecified.
+          ACTIVE: The pool is active, and may be used in Google Cloud policies.
+          DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
+          approximately 30 days. You can restore a soft-deleted pool using
+          UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
+          permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
+          use existing tokens to access resources. If the pool is undeleted, existing tokens grant
+          access again.
+        output: true
+        values:
+          - :STATE_UNSPECIFIED
+          - :ACTIVE
+          - :DELETED
+      - !ruby/object:Api::Type::String
+        name: 'displayName'
+        description: A display name for the pool. Cannot exceed 32 characters.
+      - !ruby/object:Api::Type::String
+        name: 'description'
+        description: A description of the pool. Cannot exceed 256 characters.
+      - !ruby/object:Api::Type::String
+        name: 'name'
+        description: |
+          The resource name of the pool as
+          `projects/<projectnumber>/locations/global/workloadIdentityPools/<id>`.
+        output: true
+      - !ruby/object:Api::Type::Boolean
+        name: 'disabled'
+        description: |
+          Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
+          existing tokens to access resources. If the pool is re-enabled, existing tokens grant
+          access again.
diff --git a/products/iam/terraform.yaml → products/iambeta/terraform.yaml b/products/iam/terraform.yaml → products/iambeta/terraform.yaml
@@ -12,15 +12,7 @@
 # limitations under the License.
 
 --- !ruby/object:Provider::Terraform::Config
-overrides: !ruby/object:Overrides::ResourceOverrides
-  Role: !ruby/object:Overrides::Terraform::ResourceOverride
-    exclude: true
-  ServiceAccount: !ruby/object:Overrides::Terraform::ResourceOverride
-    exclude: true
-  ServiceAccountKey: !ruby/object:Overrides::Terraform::ResourceOverride
-    exclude: true
-  OrganizationCustomRole: !ruby/object:Overrides::Terraform::ResourceOverride
-    exclude: true
+legacy_name: iam
 # This is for copying files over
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.

diff --git a/...source_iam_workload_identity_pool_test.go → ...m_beta_workload_identity_pool_test.go.erb b/...source_iam_workload_identity_pool_test.go → ...m_beta_workload_identity_pool_test.go.erb
@@ -1,12 +1,14 @@
+<% autogen_exception -%>
 package google
 
+<% unless version == 'ga' %>
 import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
 
-func TestAccIAMWorkloadIdentityPool_example(t *testing.T) {
+func TestAccIAMBetaWorkloadIdentityPool_example(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
@@ -20,19 +22,13 @@ func TestAccIAMWorkloadIdentityPool_example(t *testing.T) {
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccIAMWorkloadIdentityPool_example(context),
-			},
-			{
-				ResourceName:            "google_iam_workload_identity_pool.my_pool",
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"project"},
+				Config: testAccIAMBetaWorkloadIdentityPool_example(context),
 			},
 		},
 	})
 }
 
-func testAccIAMWorkloadIdentityPool_example(context map[string]interface{}) string {
+func testAccIAMBetaWorkloadIdentityPool_example(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "my_project" {
   project_id = "tf-test%{random_suffix}"
@@ -53,3 +49,4 @@ resource "google_iam_workload_identity_pool" "my_pool" {
 }
 `, context)
 }
+<% end -%>
diff --git a/third_party/terraform/utils/config.go.erb b/third_party/terraform/utils/config.go.erb
@@ -104,6 +104,7 @@ type Config struct {
 	DnsBetaBasePath string
 	IamCredentialsBasePath string
 	ResourceManagerV2Beta1BasePath string
+	IAMBasePath string
 	CloudIoTBasePath string
 	ServiceNetworkingBasePath string
 	StorageTransferBasePath string
@@ -866,6 +867,7 @@ func ConfigureBasePaths(c *Config) {
 	c.DnsBetaBasePath = DnsBetaDefaultBasePath
 	c.IamCredentialsBasePath = IamCredentialsDefaultBasePath
 	c.ResourceManagerV2Beta1BasePath = ResourceManagerV2Beta1DefaultBasePath
+	c.IAMBasePath = IAMDefaultBasePath
 	c.ServiceNetworkingBasePath = ServiceNetworkingDefaultBasePath
 	c.BigQueryBasePath = BigQueryDefaultBasePath
 	c.StorageTransferBasePath = StorageTransferDefaultBasePath

diff --git a/third_party/terraform/utils/provider.go.erb b/third_party/terraform/utils/provider.go.erb
@@ -158,6 +158,7 @@ func Provider() *schema.Provider {
 			IamCredentialsCustomEndpointEntryKey:         IamCredentialsCustomEndpointEntry,
 			ResourceManagerV2Beta1CustomEndpointEntryKey: ResourceManagerV2Beta1CustomEndpointEntry,
 			RuntimeConfigCustomEndpointEntryKey:          RuntimeConfigCustomEndpointEntry,
+			IAMCustomEndpointEntryKey:                    IAMCustomEndpointEntry,
 			ServiceNetworkingCustomEndpointEntryKey:      ServiceNetworkingCustomEndpointEntry,
 			ServiceUsageCustomEndpointEntryKey:           ServiceUsageCustomEndpointEntry,
 			StorageTransferCustomEndpointEntryKey:        StorageTransferCustomEndpointEntry,
@@ -529,6 +530,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData, p *schema.Pr
 	config.IamCredentialsBasePath = d.Get(IamCredentialsCustomEndpointEntryKey).(string)
 	config.ResourceManagerV2Beta1BasePath = d.Get(ResourceManagerV2Beta1CustomEndpointEntryKey).(string)
 	config.RuntimeConfigBasePath = d.Get(RuntimeConfigCustomEndpointEntryKey).(string)
+	config.IAMBasePath = d.Get(IAMCustomEndpointEntryKey).(string)
 	config.ServiceNetworkingBasePath = d.Get(ServiceNetworkingCustomEndpointEntryKey).(string)
 	config.ServiceUsageBasePath = d.Get(ServiceUsageCustomEndpointEntryKey).(string)
 	config.StorageTransferBasePath = d.Get(StorageTransferCustomEndpointEntryKey).(string)

diff --git a/third_party/terraform/utils/provider_handwritten_endpoint.go.erb b/third_party/terraform/utils/provider_handwritten_endpoint.go.erb
@@ -104,6 +104,17 @@ var DnsBetaCustomEndpointEntry = &schema.Schema{
 	}, DnsBetaDefaultBasePath),
 }
 
+var IAMDefaultBasePath = "https://iam.googleapis.com/v1/"
+var IAMCustomEndpointEntryKey = "iam_custom_endpoint"
+var IAMCustomEndpointEntry = &schema.Schema{
+	Type:         schema.TypeString,
+	Optional:     true,
+	ValidateFunc: validateCustomEndpoint,
+	DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+		"GOOGLE_IAM_CUSTOM_ENDPOINT",
+	}, IAMDefaultBasePath),
+}
+
 var IamCredentialsDefaultBasePath = "https://iamcredentials.googleapis.com/v1/"
 var IamCredentialsCustomEndpointEntryKey = "iam_credentials_custom_endpoint"
 var IamCredentialsCustomEndpointEntry = &schema.Schema{

diff --git a/third_party/terraform/website/docs/guides/provider_reference.html.markdown b/third_party/terraform/website/docs/guides/provider_reference.html.markdown
@@ -126,9 +126,9 @@ resource project for preconditions, quota, and billing, instead of the project
 the credentials belong to. Not all resources support this- see the
 documentation for each resource to learn whether it does.
 
-* `billing_project` - (Optional) This fields specifies a project that's used for
-preconditions, quota, and billing for requests. All resources that support user project
-overrides will use this project instead of the resource's project (if available). This
+* `billing_project` - (Optional) This fields specifies a project that's used for 
+preconditions, quota, and billing for requests. All resources that support user project 
+overrides will use this project instead of the resource's project (if available). This 
 field is ignored if `user_project_override` is set to false or unset.
 
 * `{{service}}_custom_endpoint` - (Optional) The endpoint for a service's APIs,
@@ -211,7 +211,7 @@ following ordered by precedence.
 ---
 
 * `billing_project` - (Optional) This fields allows Terraform to set X-Goog-User-Project
-for APIs that require a billing project to be specified like Access Context Manager APIs if
+for APIs that require a billing project to be specified like Access Context Manager APIs if 
 User ADCs are being used. This can also be
 specified using the `GOOGLE_BILLING_PROJECT` environment variable.
 
@@ -304,7 +304,7 @@ be used for configuration are below:
 * `dns_beta_custom_endpoint` (`GOOGLE_DNS_BETA_CUSTOM_ENDPOINT`) - `https://www.googleapis.com/dns/v1beta2/`
 * `filestore_custom_endpoint` (`GOOGLE_FILESTORE_CUSTOM_ENDPOINT`) - `https://file.googleapis.com/v1/`
 * `firestore_custom_endpoint` (`GOOGLE_FIRESTORE_CUSTOM_ENDPOINT`) - `https://firestore.googleapis.com/v1/`
-* `iam_custom_endpoint` (`GOOGLE_IAM_CUSTOM_ENDPOINT`) - `https://iam.googleapis.com/v1/` | `https://iam.googleapis.com/v1beta/`
+* `iam_custom_endpoint` (`GOOGLE_IAM_CUSTOM_ENDPOINT`) - `https://iam.googleapis.com/v1/`
 * `iam_credentials_custom_endpoint` (`GOOGLE_IAM_CREDENTIALS_CUSTOM_ENDPOINT`) - `https://iamcredentials.googleapis.com/v1/`
 * `kms_custom_endpoint` (`GOOGLE_KMS_CUSTOM_ENDPOINT`) - `https://cloudkms.googleapis.com/v1/`
 * `logging_custom_endpoint` (`GOOGLE_LOGGING_CUSTOM_ENDPOINT`) - `https://logging.googleapis.com/v2/`
@@ -351,12 +351,12 @@ as their versioned counterpart but that won't necessarily always be the case.
 
 * `batching` - (Optional) Controls batching for specific GCP request types
   where users have encountered quota or speed issues using `count` with
-  resources that affect the same GCP resource (e.g. `google_project_service`).
+  resources that affect the same GCP resource (e.g. `google_project_service`). 
   It is not used for every resource/request type and can only group parallel
   similar calls for nodes at a similar traversal time in the graph during
   `terraform apply` (e.g. resources created using `count` that affect a single
-  `project`). Thus, it is also bounded by the `terraform`
-  [`-parallelism`](https://www.terraform.io/docs/commands/apply.html#parallelism-n)
+  `project`). Thus, it is also bounded by the `terraform` 
+  [`-parallelism`](https://www.terraform.io/docs/commands/apply.html#parallelism-n) 
   flag, as reducing the number of parallel calls will reduce the number of
   simultaneous requests being added to a batcher.