diff --git a/products/iam/ansible.yaml b/products/iam/ansible.yaml index 8721b624c367..6f3516381dc5 100644 --- a/products/iam/ansible.yaml +++ b/products/iam/ansible.yaml @@ -24,8 +24,6 @@ datasources: !ruby/object:Overrides::ResourceOverrides exclude: true OrganizationCustomRole: !ruby/object:Overrides::Ansible::ResourceOverride exclude: true - WorkloadIdentityPool: !ruby/object:Overrides::Ansible::ResourceOverride - exclude: true overrides: !ruby/object:Overrides::ResourceOverrides Role: !ruby/object:Overrides::Ansible::ResourceOverride custom_code: !ruby/object:Provider::Ansible::CustomCode @@ -48,8 +46,6 @@ overrides: !ruby/object:Overrides::ResourceOverrides has_autogenerated_test: false OrganizationCustomRole: !ruby/object:Overrides::Ansible::ResourceOverride exclude: true - WorkloadIdentityPool: !ruby/object:Overrides::Ansible::ResourceOverride - exclude: true files: !ruby/object:Provider::Config::Files resource: <%= lines(indent(compile('provider/ansible/resource~compile.yaml'), 4)) -%> diff --git a/products/iam/api.yaml b/products/iam/api.yaml index cade114fad63..9a7b00df287b 100644 --- a/products/iam/api.yaml +++ b/products/iam/api.yaml @@ -20,9 +20,6 @@ versions: - !ruby/object:Api::Product::Version name: ga base_url: https://iam.googleapis.com/v1/ - - !ruby/object:Api::Product::Version - name: beta - base_url: https://iam.googleapis.com/v1beta/ scopes: - https://www.googleapis.com/auth/iam apis_required: 
@@ -198,75 +195,4 @@ objects: - !ruby/object:Api::Type::Boolean name: 'deleted' description: The current deleted state of the role - output: true - - !ruby/object:Api::Resource - name: 'WorkloadIdentityPool' - min_version: beta - base_url: projects/{{project}}/locations/global/workloadIdentityPools - create_url: projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}} - description: | - Represents a collection of external workload identities. You can define IAM policies to - grant these identities access to Google Cloud resources. - update_mask: true - async: !ruby/object:Api::OpAsync - operation: !ruby/object:Api::OpAsync::Operation - path: 'name' - base_url: '{{op_id}}' - wait_ms: 1000 - result: !ruby/object:Api::OpAsync::Result - path: 'response' - resource_inside_response: true - status: !ruby/object:Api::OpAsync::Status - path: 'done' - complete: True - allowed: - - True - - False - error: !ruby/object:Api::OpAsync::Error - path: 'error' - message: 'message' - properties: - - !ruby/object:Api::Type::String - name: 'workloadIdentityPoolId' - description: | - The ID to use for the pool, which becomes the final component of the resource name. This - value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix - `gcp-` is reserved for use by Google, and may not be specified. - required: true - input: true - url_param_only: true - - !ruby/object:Api::Type::Enum - name: 'state' - description: | - The state of the pool. - STATE_UNSPECIFIED: State unspecified. - ACTIVE: The pool is active, and may be used in Google Cloud policies. - DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after - approximately 30 days. You can restore a soft-deleted pool using - UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is - permanently deleted. 
While a pool is deleted, you cannot use it to exchange tokens, or - use existing tokens to access resources. If the pool is undeleted, existing tokens grant - access again. - output: true - values: - - :STATE_UNSPECIFIED - - :ACTIVE - - :DELETED - - !ruby/object:Api::Type::String - name: 'displayName' - description: A display name for the pool. Cannot exceed 32 characters. - - !ruby/object:Api::Type::String - name: 'description' - description: A description of the pool. Cannot exceed 256 characters. - - !ruby/object:Api::Type::String - name: 'name' - description: | - The resource name of the pool as - `projects//locations/global/workloadIdentityPools/`. - output: true - - !ruby/object:Api::Type::Boolean - name: 'disabled' - description: | - Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use - existing tokens to access resources. If the pool is re-enabled, existing tokens grant - access again. + output: true \ No newline at end of file diff --git a/products/iam/inspec.yaml b/products/iam/inspec.yaml index 25f9f3268508..e70c0f862ceb 100644 --- a/products/iam/inspec.yaml +++ b/products/iam/inspec.yaml @@ -46,6 +46,4 @@ overrides: !ruby/object:Overrides::ResourceOverrides base_url: organizations/{{org_id}}/roles?view=FULL self_link: organizations/{{org_id}}/roles/{{name}} collection_url_key: roles - privileged: true - WorkloadIdentityPool: !ruby/object:Overrides::Inspec::ResourceOverride - exclude: true + privileged: true \ No newline at end of file diff --git a/products/iambeta/api.yaml b/products/iambeta/api.yaml new file mode 100644 index 000000000000..3c8a4cdd82e9 --- /dev/null +++ b/products/iambeta/api.yaml 
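Review bot: The re-added `privileged: true` line in products/iam/inspec.yaml is written without a trailing newline (`\ No newline at end of file`), and the api.yaml hunk just above does the same to its final `output: true`; both files previously ended with a newline. Restore the newline in both so yamllint's new-line-at-end-of-file check and the next diff touching these files stay clean.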
@@ -0,0 +1,81 @@ +# Copyright 2017 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- !ruby/object:Api::Product +name: IAMBeta +display_name: Cloud IAM +versions: + - !ruby/object:Api::Product::Version + name: beta + base_url: https://iam.googleapis.com/v1beta/ +scopes: + - https://www.googleapis.com/auth/iam +apis_required: + - !ruby/object:Api::Product::ApiReference + name: Identity and Access Management (IAM) API + url: https://console.cloud.google.com/apis/library/iam.googleapis.com/ +objects: + - !ruby/object:Api::Resource + name: 'WorkloadIdentityPool' + min_version: beta + base_url: projects/{{project}}/locations/global/workloadIdentityPools + create_url: projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}} + description: | + Represents a collection of external workload identities. You can define IAM policies to + grant these identities access to Google Cloud resources. + update_mask: true + properties: + - !ruby/object:Api::Type::String + name: 'workloadIdentityPoolId' + description: | + The ID to use for the pool, which becomes the final component of the resource name. This + value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix + `gcp-` is reserved for use by Google, and may not be specified. + required: true + input: true + url_param_only: true + - !ruby/object:Api::Type::Enum + name: 'state' + description: | + The state of the pool. 
+ STATE_UNSPECIFIED: State unspecified. + ACTIVE: The pool is active, and may be used in Google Cloud policies. + DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after + approximately 30 days. You can restore a soft-deleted pool using + UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is + permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or + use existing tokens to access resources. If the pool is undeleted, existing tokens grant + access again. + output: true + values: + - :STATE_UNSPECIFIED + - :ACTIVE + - :DELETED + - !ruby/object:Api::Type::String + name: 'displayName' + description: A display name for the pool. Cannot exceed 32 characters. + - !ruby/object:Api::Type::String + name: 'description' + description: A description of the pool. Cannot exceed 256 characters. + - !ruby/object:Api::Type::String + name: 'name' + description: | + The resource name of the pool as + `projects//locations/global/workloadIdentityPools/`. + output: true + - !ruby/object:Api::Type::Boolean + name: 'disabled' + description: | + Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use + existing tokens to access resources. If the pool is re-enabled, existing tokens grant + access again. diff --git a/products/iam/terraform.yaml b/products/iambeta/terraform.yaml similarity index 69% rename from products/iam/terraform.yaml rename to products/iambeta/terraform.yaml index 8d2178c73b5f..88485f19bf30 100644 --- a/products/iam/terraform.yaml +++ b/products/iambeta/terraform.yaml 
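Review bot: The moved resource definition drops the `async` block that the removed products/iam/api.yaml definition carried (an OpAsync poller on `name`/`{{op_id}}` with `done`/`error` status paths) — the new file goes straight from `update_mask: true` to `properties:`. If the workloadIdentityPools create/update/delete calls still return a long-running Operation, the generated client will treat the Operation envelope as the resource body and report success before the pool exists; either re-add the stanza (below, with canonical lowercase booleans) or note in the PR why it is no longer needed. Separately, the `name` description has lost its path placeholders and reads `projects//locations/global/workloadIdentityPools/`; write it as `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}` (the API appears to return the project number in the first segment — confirm against a live response).
```yaml
    update_mask: true
    async: !ruby/object:Api::OpAsync
      operation: !ruby/object:Api::OpAsync::Operation
        path: 'name'
        base_url: '{{op_id}}'
        wait_ms: 1000
      result: !ruby/object:Api::OpAsync::Result
        path: 'response'
        resource_inside_response: true
      status: !ruby/object:Api::OpAsync::Status
        path: 'done'
        complete: true
        allowed:
          - true
          - false
      error: !ruby/object:Api::OpAsync::Error
        path: 'error'
        message: 'message'
    properties:
      # … unchanged: workloadIdentityPoolId, state, displayName, description, name, disabled …
```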
@@ -12,15 +12,7 @@ # limitations under the License. --- !ruby/object:Provider::Terraform::Config -overrides: !ruby/object:Overrides::ResourceOverrides - Role: !ruby/object:Overrides::Terraform::ResourceOverride - exclude: true - ServiceAccount: !ruby/object:Overrides::Terraform::ResourceOverride - exclude: true - ServiceAccountKey: !ruby/object:Overrides::Terraform::ResourceOverride - exclude: true - OrganizationCustomRole: !ruby/object:Overrides::Terraform::ResourceOverride - exclude: true +legacy_name: iam # This is for copying files over files: !ruby/object:Provider::Config::Files # These files have templating (ERB) code that will be run. diff --git a/third_party/terraform/tests/resource_iam_workload_identity_pool_test.go b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb similarity index 70% rename from third_party/terraform/tests/resource_iam_workload_identity_pool_test.go rename to third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb index 3983c5697036..50a4fdf54cbd 100644 --- a/third_party/terraform/tests/resource_iam_workload_identity_pool_test.go +++ b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb @@ -1,12 +1,14 @@ +<% autogen_exception -%> package google +<% unless version == 'ga' %> import ( "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" ) -func TestAccIAMWorkloadIdentityPool_example(t *testing.T) { +func TestAccIAMBetaWorkloadIdentityPool_example(t *testing.T) { t.Parallel() context := map[string]interface{}{ 
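Review bot: After the move the only override left is `legacy_name: iam`, so `workload_identity_pool_id` still has no client-side validation even though the product file documents it as 4-32 characters of `[a-z0-9-]` with `gcp-` reserved; a bad id is only rejected by the API at apply time. A `validation` property override with `regex: '^[a-z0-9-]{4,32}$'` on `workloadIdentityPoolId` would fail it at plan; the reserved `gcp-` prefix cannot be expressed in RE2 (no negative lookahead) and would need a function-based validator if you want that client-side too. It is also worth a comment next to `legacy_name: iam`, e.g. `# Keeps the google_iam_* resource names and the iam_custom_endpoint key for resources moved from products/iam`, since judging by the test still addressing `google_iam_workload_identity_pool` that is what it does and the history will not be obvious in the new directory.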
@@ -20,19 +22,13 @@ func TestAccIAMWorkloadIdentityPool_example(t *testing.T) { Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccIAMWorkloadIdentityPool_example(context), - }, - { - ResourceName: "google_iam_workload_identity_pool.my_pool", - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"project"}, + Config: testAccIAMBetaWorkloadIdentityPool_example(context), }, }, }) } -func testAccIAMWorkloadIdentityPool_example(context map[string]interface{}) string { +func testAccIAMBetaWorkloadIdentityPool_example(context map[string]interface{}) string { return Nprintf(` resource "google_project" "my_project" { project_id = "tf-test%{random_suffix}" @@ -53,3 +49,4 @@ resource "google_iam_workload_identity_pool" "my_pool" { } `, context) } +<% end -%> diff --git a/third_party/terraform/utils/config.go.erb b/third_party/terraform/utils/config.go.erb index 4d3ba9b5039b..27a21c63f7aa 100644 --- a/third_party/terraform/utils/config.go.erb +++ b/third_party/terraform/utils/config.go.erb @@ -104,6 +104,7 @@ type Config struct { DnsBetaBasePath string IamCredentialsBasePath string ResourceManagerV2Beta1BasePath string + IAMBasePath string CloudIoTBasePath string ServiceNetworkingBasePath string StorageTransferBasePath string @@ -866,6 +867,7 @@ func ConfigureBasePaths(c *Config) { c.DnsBetaBasePath = DnsBetaDefaultBasePath c.IamCredentialsBasePath = IamCredentialsDefaultBasePath c.ResourceManagerV2Beta1BasePath = ResourceManagerV2Beta1DefaultBasePath + c.IAMBasePath = IAMDefaultBasePath c.ServiceNetworkingBasePath = ServiceNetworkingDefaultBasePath c.BigQueryBasePath = BigQueryDefaultBasePath c.StorageTransferBasePath = StorageTransferDefaultBasePath diff --git a/third_party/terraform/utils/provider.go.erb b/third_party/terraform/utils/provider.go.erb index 60aae5e9e1cf..32845a074bf3 100644 --- a/third_party/terraform/utils/provider.go.erb +++ b/third_party/terraform/utils/provider.go.erb 
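Review bot: The import-verification step (`ResourceName: "google_iam_workload_identity_pool.my_pool"`, `ImportState: true`, `ImportStateVerify: true`, `ImportStateVerifyIgnore: []string{"project"}`) is removed from the Steps slice without a replacement, so the renamed test no longer checks that Read rebuilds the applied state from the import id after the resource moved to the iambeta product. That is exactly the code path most likely to regress in a product move (base path, id parsing), so the step should be restored unless the PR records why import is intentionally untested now. The config function `testAccIAMBetaWorkloadIdentityPool_example` continues outside this hunk.
```go
		Steps: []resource.TestStep{
			{
				Config: testAccIAMBetaWorkloadIdentityPool_example(context),
			},
			{
				ResourceName:            "google_iam_workload_identity_pool.my_pool",
				ImportState:             true,
				ImportStateVerify:       true,
				ImportStateVerifyIgnore: []string{"project"},
			},
		},
```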
@@ -158,6 +158,7 @@ func Provider() *schema.Provider { IamCredentialsCustomEndpointEntryKey: IamCredentialsCustomEndpointEntry, ResourceManagerV2Beta1CustomEndpointEntryKey: ResourceManagerV2Beta1CustomEndpointEntry, RuntimeConfigCustomEndpointEntryKey: RuntimeConfigCustomEndpointEntry, + IAMCustomEndpointEntryKey: IAMCustomEndpointEntry, ServiceNetworkingCustomEndpointEntryKey: ServiceNetworkingCustomEndpointEntry, ServiceUsageCustomEndpointEntryKey: ServiceUsageCustomEndpointEntry, StorageTransferCustomEndpointEntryKey: StorageTransferCustomEndpointEntry, @@ -529,6 +530,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData, p *schema.Pr config.IamCredentialsBasePath = d.Get(IamCredentialsCustomEndpointEntryKey).(string) config.ResourceManagerV2Beta1BasePath = d.Get(ResourceManagerV2Beta1CustomEndpointEntryKey).(string) config.RuntimeConfigBasePath = d.Get(RuntimeConfigCustomEndpointEntryKey).(string) + config.IAMBasePath = d.Get(IAMCustomEndpointEntryKey).(string) config.ServiceNetworkingBasePath = d.Get(ServiceNetworkingCustomEndpointEntryKey).(string) config.ServiceUsageBasePath = d.Get(ServiceUsageCustomEndpointEntryKey).(string) config.StorageTransferBasePath = d.Get(StorageTransferCustomEndpointEntryKey).(string) diff --git a/third_party/terraform/utils/provider_handwritten_endpoint.go.erb b/third_party/terraform/utils/provider_handwritten_endpoint.go.erb index 03b4b263f25c..52a537369a8b 100644 --- a/third_party/terraform/utils/provider_handwritten_endpoint.go.erb +++ b/third_party/terraform/utils/provider_handwritten_endpoint.go.erb 
@@ -104,6 +104,17 @@ var DnsBetaCustomEndpointEntry = &schema.Schema{ }, DnsBetaDefaultBasePath), } +var IAMDefaultBasePath = "https://iam.googleapis.com/v1/" +var IAMCustomEndpointEntryKey = "iam_custom_endpoint" +var IAMCustomEndpointEntry = &schema.Schema{ + Type: schema.TypeString, + Optional: true, + ValidateFunc: validateCustomEndpoint, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "GOOGLE_IAM_CUSTOM_ENDPOINT", + }, IAMDefaultBasePath), +} + var IamCredentialsDefaultBasePath = "https://iamcredentials.googleapis.com/v1/" var IamCredentialsCustomEndpointEntryKey = "iam_credentials_custom_endpoint" var IamCredentialsCustomEndpointEntry = &schema.Schema{ diff --git a/third_party/terraform/website/docs/guides/provider_reference.html.markdown b/third_party/terraform/website/docs/guides/provider_reference.html.markdown index 6c52aa542c8b..63cfe899dfa0 100644 --- a/third_party/terraform/website/docs/guides/provider_reference.html.markdown +++ b/third_party/terraform/website/docs/guides/provider_reference.html.markdown @@ -126,9 +126,9 @@ resource project for preconditions, quota, and billing, instead of the project the credentials belong to. Not all resources support this- see the documentation for each resource to learn whether it does. -* `billing_project` - (Optional) This fields specifies a project that's used for -preconditions, quota, and billing for requests. All resources that support user project -overrides will use this project instead of the resource's project (if available). This +* `billing_project` - (Optional) This fields specifies a project that's used for +preconditions, quota, and billing for requests. All resources that support user project +overrides will use this project instead of the resource's project (if available). This field is ignored if `user_project_override` is set to false or unset. * `{{service}}_custom_endpoint` - (Optional) The endpoint for a service's APIs, 
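Review bot: `IAMDefaultBasePath` is hard-coded to `https://iam.googleapis.com/v1/`, while the only resource now routed through the `iam` legacy name, WorkloadIdentityPool in products/iambeta/api.yaml, declares `base_url: https://iam.googleapis.com/v1beta/` and `min_version: beta`. Unless the generator rewrites the version segment for beta resources (not visible here), requests for the beta-only pool will be sent to the v1 surface; the default should be `https://iam.googleapis.com/v1beta/`, with the provider_reference.html.markdown line that now lists only `v1/` adjusted to match. `validateCustomEndpoint` is not shown; if it only checks URL shape, `GOOGLE_IAM_CUSTOM_ENDPOINT` in a CI environment can redirect authenticated IAM traffic, which is the same exposure as the existing entries but worth keeping in mind for a credential-issuing API. Minor style point: `IAMBasePath`/`IAMCustomEndpointEntryKey` break the `IamCredentials…` casing of the neighbouring entries and the `Iam…` fields in Config; pick one.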
@@ -211,7 +211,7 @@ following ordered by precedence. --- * `billing_project` - (Optional) This fields allows Terraform to set X-Goog-User-Project -for APIs that require a billing project to be specified like Access Context Manager APIs if +for APIs that require a billing project to be specified like Access Context Manager APIs if User ADCs are being used. This can also be specified using the `GOOGLE_BILLING_PROJECT` environment variable. @@ -304,7 +304,7 @@ be used for configuration are below: * `dns_beta_custom_endpoint` (`GOOGLE_DNS_BETA_CUSTOM_ENDPOINT`) - `https://www.googleapis.com/dns/v1beta2/` * `filestore_custom_endpoint` (`GOOGLE_FILESTORE_CUSTOM_ENDPOINT`) - `https://file.googleapis.com/v1/` * `firestore_custom_endpoint` (`GOOGLE_FIRESTORE_CUSTOM_ENDPOINT`) - `https://firestore.googleapis.com/v1/` -* `iam_custom_endpoint` (`GOOGLE_IAM_CUSTOM_ENDPOINT`) - `https://iam.googleapis.com/v1/` | `https://iam.googleapis.com/v1beta/` +* `iam_custom_endpoint` (`GOOGLE_IAM_CUSTOM_ENDPOINT`) - `https://iam.googleapis.com/v1/` * `iam_credentials_custom_endpoint` (`GOOGLE_IAM_CREDENTIALS_CUSTOM_ENDPOINT`) - `https://iamcredentials.googleapis.com/v1/` * `kms_custom_endpoint` (`GOOGLE_KMS_CUSTOM_ENDPOINT`) - `https://cloudkms.googleapis.com/v1/` * `logging_custom_endpoint` (`GOOGLE_LOGGING_CUSTOM_ENDPOINT`) - `https://logging.googleapis.com/v2/` 
@@ -351,12 +351,12 @@ as their versioned counterpart but that won't necessarily always be the case. * `batching` - (Optional) Controls batching for specific GCP request types where users have encountered quota or speed issues using `count` with - resources that affect the same GCP resource (e.g. `google_project_service`). + resources that affect the same GCP resource (e.g. `google_project_service`). It is not used for every resource/request type and can only group parallel similar calls for nodes at a similar traversal time in the graph during `terraform apply` (e.g. resources created using `count` that affect a single - `project`). Thus, it is also bounded by the `terraform` - [`-parallelism`](https://www.terraform.io/docs/commands/apply.html#parallelism-n) + `project`). Thus, it is also bounded by the `terraform` + [`-parallelism`](https://www.terraform.io/docs/commands/apply.html#parallelism-n) flag, as reducing the number of parallel calls will reduce the number of simultaneous requests being added to a batcher.