diff --git a/build/ansible b/build/ansible index 8e5608fb86fe..8e959e032599 160000 --- a/build/ansible +++ b/build/ansible @@ -1 +1 @@ -Subproject commit 8e5608fb86fea0419283094c553aaf97eb05f673 +Subproject commit 8e959e032599ceade785032a52f7d019db1db885 diff --git a/products/compute/ansible.yaml b/products/compute/ansible.yaml index f697d1336ae9..b96fc5048870 100644 --- a/products/compute/ansible.yaml +++ b/products/compute/ansible.yaml @@ -78,6 +78,8 @@ datasources: !ruby/object:Overrides::ResourceOverrides version_added: '2.7' SslCertificate: !ruby/object:Overrides::Ansible::ResourceOverride version_added: '2.7' + ManagedSslCertificate: !ruby/object:Overrides::Ansible::ResourceOverride + exclude: true SslPolicy: !ruby/object:Overrides::Ansible::ResourceOverride version_added: '2.7' Subnetwork: !ruby/object:Overrides::Ansible::ResourceOverride diff --git a/products/compute/api.yaml b/products/compute/api.yaml index 52e6733e4d19..b9a234ac46ba 100644 --- a/products/compute/api.yaml +++ b/products/compute/api.yaml 
@@ -3492,6 +3492,87 @@ objects: description: 'The write-only private key in PEM format.' required: true input: true + - !ruby/object:Api::Resource + # This is intentionally out of alphabetic order because it represents the same + # GCP resource as the preceeding certificate object. + name: 'ManagedSslCertificate' + kind: 'compute#sslCertificate' + min_version: beta + base_url: projects/{{project}}/global/sslCertificates + collection_url_response: !ruby/object:Api::Resource::ResponseList + kind: 'compute#sslCertificateList' + items: 'items' + references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'Official Documentation': 'https://cloud.google.com/load-balancing/docs/ssl-certificates' + api: 'https://cloud.google.com/compute/docs/reference/rest/v1/sslCertificates' + input: true + has_self_link: true + description: | + An SslCertificate resource, used for HTTPS load balancing. This resource + represents a certificate for which the certificate secrets are created and + managed by Google. +<%= indent(compile_file({timeouts: { + insert_sec: 6 * 60, + update_sec: 6 * 60, + # Deletes can take 20-30 minutes to complete, since they depend + # on the provisioning process either succeeding or failing completely. + delete_sec: 30 * 60}}, 'templates/global_async.yaml.erb'), 4) %> + properties: + - !ruby/object:Api::Type::Time + name: 'creationTimestamp' + description: 'Creation timestamp in RFC3339 text format.' + output: true + - !ruby/object:Api::Type::String + name: 'description' + description: 'An optional description of this resource.' + - !ruby/object:Api::Type::Integer + name: 'id' + description: 'The unique identifier for the resource.' + output: true + - !ruby/object:Api::Type::String + name: 'name' + description: | + Name of the resource. Provided by the client when the resource is + created. The name must be 1-63 characters long, and comply with + RFC1035. 
Specifically, the name must be 1-63 characters long and match + the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the + first character must be a lowercase letter, and all following + characters must be a dash, lowercase letter, or digit, except the last + character, which cannot be a dash. + - !ruby/object:Api::Type::NestedObject + name: 'managed' + description: | + Properties relevant to a managed certificate. These will be used if the + certificate is managed (as indicated by a value of `MANAGED` in `type`). + properties: + - !ruby/object:Api::Type::Array + name: 'domains' + description: | + Domains for which a managed SSL certificate will be valid. Currently, + there can only be one domain in this list. + max_size: 1 + item_type: Api::Type::String + required: true + - !ruby/object:Api::Type::Enum + name: 'type' + description: | + Specifies the type of SSL certificate, either `SELF_MANAGED` or `MANAGED`. + If not specified, the certificate is self-managed. + values: + - :MANAGED + default_value: :MANAGED + - !ruby/object:Api::Type::Array + name: 'subjectAlternativeNames' + description: | + Domains associated with the certificate via Subject Alternative Name. + item_type: Api::Type::String + output: true + - !ruby/object:Api::Type::Time + name: 'expireTime' + description: | + Expire time of the certificate. + output: true - !ruby/object:Api::Resource name: 'SslPolicy' kind: 'compute#sslPolicy' diff --git a/products/compute/terraform.yaml b/products/compute/terraform.yaml index 3f21614740e0..27e7decd8e5a 100644 --- a/products/compute/terraform.yaml +++ b/products/compute/terraform.yaml 
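Review bot: The description of the `type` enum contradicts its schema: it says the value is either `SELF_MANAGED` or `MANAGED` and that an unset value means self-managed, while `values` lists only `:MANAGED` and `default_value` is `:MANAGED`. Generated documentation would therefore state the opposite of what this resource sends; I would replace the text with something like `Enum field whose value is always MANAGED; it tells the API that Google manages this certificate.` In the same resource, `managed` is not marked `required: true` although `domains` inside it is, so a configuration with no `managed` block appears to pass schema validation and would presumably be rejected only by the API; confirm whether that is intended. The header comment also misspells "preceding" as "preceeding", and the `api:` reference link points at the v1 REST docs while `min_version` is `beta`.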
@@ -728,6 +728,47 @@ overrides: !ruby/object:Overrides::ResourceOverrides custom_code: !ruby/object:Provider::Terraform::CustomCode decoder: templates/terraform/decoders/snapshot.go.erb extra_schema_entry: templates/terraform/extra_schema_entry/snapshot.erb + ManagedSslCertificate: !ruby/object:Overrides::Terraform::ResourceOverride + docs: !ruby/object:Provider::Terraform::Docs + warning: | + This resource should be used with extreme caution! Provisioning an SSL + certificate is complex. Ensure that you understand the lifecycle of a + certificate before attempting complex tasks like cert rotation automatically. + This resource will "return" as soon as the certificate object is created, + but post-creation the certificate object will go through a "provisioning" + process. The provisioning process can complete only when the domain name + for which the certificate is created points to a target pool which, itself, + points at the certificate. Depending on your DNS provider, this may take + some time, and migrating from self-managed certificates to Google-managed + certificates may entail some downtime while the certificate provisions. + + In conclusion: Be extremely cautious. + examples: + - !ruby/object:Provider::Terraform::Examples + name: "managed_ssl_certificate_basic" + primary_resource_id: "default" + version: <%= version_name %> + vars: + cert_name: "test-cert" + proxy_name: "test-proxy" + url_map_name: "url-map" + backend_service_name: "backend-service" + dns_zone_name: "dnszone" + forwarding_rule_name: "forwarding-rule" + http_health_check_name: "http-health-check" + description: | + {{description}} + For a resource where you provide the key, see the + SSL Certificate resource. + properties: + id: !ruby/object:Overrides::Terraform::PropertyOverride + name: 'certificate_id' + default_from_api: true + name: !ruby/object:Overrides::Terraform::PropertyOverride + description: | + {{description}} + + These are in the same namespace as the managed SSL certificates. 
SslCertificate: !ruby/object:Overrides::Terraform::ResourceOverride docs: !ruby/object:Provider::Terraform::Docs optional_properties: | @@ -763,6 +804,10 @@ overrides: !ruby/object:Overrides::ResourceOverrides custom_expand: 'templates/terraform/custom_expand/name_or_name_prefix.go.erb' validation: !ruby/object:Provider::Terraform::Validation function: 'validateGCPName' + description: | + {{description}} + + These are in the same namespace as the managed SSL certificates. id: !ruby/object:Overrides::Terraform::PropertyOverride name: 'certificate_id' certificate: !ruby/object:Overrides::Terraform::PropertyOverride diff --git a/templates/terraform/examples/managed_ssl_certificate_basic.tf.erb b/templates/terraform/examples/managed_ssl_certificate_basic.tf.erb new file mode 100644 index 000000000000..b3ba5cd89a4c --- /dev/null +++ b/templates/terraform/examples/managed_ssl_certificate_basic.tf.erb 
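Review bot: In the `ManagedSslCertificate` override, the `name` description ends with `These are in the same namespace as the managed SSL certificates.`, which is the sentence written for the `SslCertificate` side (second hunk, where it is correct); on the managed resource it should point the other way, e.g. `These are in the same namespace as the self-managed SSL certificates.` The `warning` text says provisioning completes only when the domain points to a "target pool" which points at the certificate, but the example added in this commit attaches the certificate to a `google_compute_target_https_proxy` behind a global forwarding rule; if that is what is meant, naming the target HTTPS proxy would keep readers from wiring the wrong resource. The `SslCertificate` `name` override visible in the second hunk carries `function: 'validateGCPName'`, and the new `ManagedSslCertificate` `name` override does not; since the two share a namespace, consider whether the same validation should apply.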
@@ -0,0 +1,70 @@
+resource "google_compute_managed_ssl_certificate" "default" {
+ name = "<%= ctx[:vars]['cert_name'] %>"
+
+ managed {
+ domains = ["sslcert.tf-test.club"]
+ }
+}
+
+resource "google_compute_target_https_proxy" "default" {
+ name = "<%= ctx[:vars]['proxy_name'] %>"
+ url_map = "${google_compute_url_map.default.self_link}"
+ ssl_certificates = ["${google_compute_managed_ssl_certificate.default.self_link}"]
+}
+
+resource "google_compute_url_map" "default" {
+ name = "<%= ctx[:vars]['url_map_name'] %>"
+ description = "a description"
+
+ default_service = "${google_compute_backend_service.default.self_link}"
+
+ host_rule {
+ hosts = ["sslcert.tf-test.club"]
+ path_matcher = "allpaths"
+ }
+
+ path_matcher {
+ name = "allpaths"
+ default_service = "${google_compute_backend_service.default.self_link}"
+
+ path_rule {
+ paths = ["/*"]
+ service = "${google_compute_backend_service.default.self_link}"
+ }
+ }
+}
+
+resource "google_compute_backend_service" "default" {
+ name = "<%= ctx[:vars]['backend_service_name'] %>"
+ port_name = "http"
+ protocol = "HTTP"
+ timeout_sec = 10
+
+ health_checks = ["${google_compute_http_health_check.default.self_link}"]
+}
+
+resource "google_compute_http_health_check" "default" {
+ name = "<%= ctx[:vars]['http_health_check_name'] %>"
+ request_path = "/"
+ check_interval_sec = 1
+ timeout_sec = 1
+}
+
+resource "google_dns_managed_zone" "zone" {
+ name = "<%= ctx[:vars]['dns_zone_name'] %>"
+ dns_name = "sslcert.tf-test.club."
+}
+
+resource "google_compute_global_forwarding_rule" "default" {
+ name = "<%= ctx[:vars]['forwarding_rule_name'] %>"
+ target = "${google_compute_target_https_proxy.default.self_link}"
+ port_range = 443
+}
+
+resource "google_dns_record_set" "set" {
+ name = "sslcert.tf-test.club."
+ type = "A"
+ ttl = 3600
+ managed_zone = "${google_dns_managed_zone.zone.name}"
+ rrdatas = ["${google_compute_global_forwarding_rule.default.ip_address}"]
+}
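Review bot: The domain `sslcert.tf-test.club` is hard-coded in four places (the certificate's `domains`, the URL map's `hosts`, the zone's `dns_name` and the record set's `name`) while every resource name comes from `ctx[:vars]`, and nothing in the example marks it as a value the reader must replace. Because this template is rendered into user-facing documentation, I would add a comment above the first resource such as `# Replace sslcert.tf-test.club with a domain you control; the certificate does not finish provisioning until that domain's DNS resolves to the forwarding rule below.` That restates, at the point of use, the lifecycle caveat the resource's `warning` text already gives. If the test harness allows it, carrying the domain as one more entry in `vars` would also keep the four occurrences from drifting apart.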
diff --git a/templates/terraform/provider_gen.erb b/templates/terraform/provider_gen.erb index f08d2d72a243..e6338d79ee96 100644 --- a/templates/terraform/provider_gen.erb +++ b/templates/terraform/provider_gen.erb @@ -19,7 +19,7 @@ package google import "github.com/hashicorp/terraform/helper/schema" var Generated<%= product_ns -%>ResourcesMap = map[string]*schema.Resource{ -<% product.objects.reject { |r| r.exclude }.each do |object| -%> +<% product.objects.reject { |r| r.exclude || r.not_in_version?(product.version_obj_or_default(version)) }.each do |object| -%> <% if @config.legacy_name.nil? terraform_name = "google_" + (product_ns + object.name).underscore