
Add cloud identity group (#3696)
* add cloud identity to mm

* make labels key value pair

* add cloud identity group

* fix whitespace, add description to update test

* make tests beta-only

* make customer id var beta-only

* Update products/cloudidentity/api.yaml

Co-authored-by: Dana Hoffman <[email protected]>

* Update products/cloudidentity/terraform.yaml

Co-authored-by: Dana Hoffman <[email protected]>

* update code review comments

* move unless ga to top of file for test

* move unless ga back

* add group membership back in

* remove last comma

* update per review comments

* add group membership test for user

* update admin -> identity, tabs -> spaces

Co-authored-by: Dana Hoffman <[email protected]>
megan07 and danawillow authored Jun 24, 2020
1 parent 224ce38 commit f78a0a9
Showing 12 changed files with 602 additions and 2 deletions.
321 changes: 321 additions & 0 deletions products/cloudidentity/api.yaml
@@ -0,0 +1,321 @@
# Copyright 2020 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

--- !ruby/object:Api::Product
name: CloudIdentity
display_name: Cloud Identity
versions:
- !ruby/object:Api::Product::Version
name: beta
base_url: https://cloudidentity.googleapis.com/v1beta1/
scopes:
- https://www.googleapis.com/auth/cloud-identity
apis_required:
- !ruby/object:Api::Product::ApiReference
name: Cloud Identity API
url: https://console.cloud.google.com/apis/api/cloudidentity.googleapis.com/overview
objects:
- !ruby/object:Api::Resource
name: 'Group'
base_url: groups
update_url: '{{name}}'
self_link: '{{name}}'
update_verb: :PATCH
update_mask: true
description: |
A Cloud Identity resource representing a Group.
properties:
- !ruby/object:Api::Type::String
name: 'name'
output: true
description: |
Resource name of the Group in the format: groups/{group_id}, where group_id
is the unique ID assigned to the Group.
- !ruby/object:Api::Type::NestedObject
name: 'groupKey'
required: true
input: true
description: |
EntityKey of the Group.
properties:
- !ruby/object:Api::Type::String
name: 'id'
required: true
input: true
description: |
The ID of the entity.
For Google-managed entities, the id must be the email address of an existing
group or user.
For external-identity-mapped entities, the id must be a string conforming
to the Identity Source's requirements.
Must be unique within a namespace.
- !ruby/object:Api::Type::String
name: 'namespace'
input: true
description: |
The namespace in which the entity exists.
If not specified, the EntityKey represents a Google-managed entity
such as a Google user or a Google Group.
If specified, the EntityKey represents an external-identity-mapped group.
The namespace must correspond to an identity source created in Admin Console
and must be in the form of `identitysources/{identity_source_id}`.
- !ruby/object:Api::Type::String
name: 'parent'
required: true
input: true
description: |
The resource name of the entity under which this Group resides in the
Cloud Identity resource hierarchy.
Must be of the form identitysources/{identity_source_id} for external-identity-mapped
groups or customers/{customer_id} for Google Groups.
- !ruby/object:Api::Type::String
name: 'displayName'
description: |
The display name of the Group.
- !ruby/object:Api::Type::String
name: 'description'
description: |
An extended description to help users determine the purpose of a Group.
Must not be longer than 4,096 characters.
- !ruby/object:Api::Type::String
name: 'createTime'
output: true
description: |
The time when the Group was created.
- !ruby/object:Api::Type::String
name: 'updateTime'
output: true
description: |
The time when the Group was last updated.
- !ruby/object:Api::Type::KeyValuePairs
name: 'labels'
required: true
input: true
description: |
The labels that apply to the Group.
Must not contain more than one entry. Must contain the entry
'cloudidentity.googleapis.com/groups.discussion_forum': '' if the Group is a Google Group or
'system/groups/external': '' if the Group is an external-identity-mapped group.
# TODO (mbang): The full API doesn't seem to be implemented yet
# - !ruby/object:Api::Type::Array
# name: 'additionalGroupKeys'
# input: true
# description: |
# Additional entity key aliases for a Group.
# item_type: !ruby/object:Api::Type::NestedObject
# properties:
# - !ruby/object:Api::Type::String
# name: 'id'
# required: true
# description: |
# The ID of the entity.

# For Google-managed entities, the id must be the email address of an existing
# group or user.

# For external-identity-mapped entities, the id must be a string conforming
# to the Identity Source's requirements.

# Must be unique within a namespace.
# - !ruby/object:Api::Type::String
# name: 'namespace'
# description: |
# The namespace in which the entity exists.

# If not specified, the EntityKey represents a Google-managed entity
# such as a Google user or a Google Group.

# If specified, the EntityKey represents an external-identity-mapped group.
# The namespace must correspond to an identity source created in Admin Console
# and must be in the form of `identitysources/{identity_source_id}.
# - !ruby/object:Api::Type::NestedObject
# name: 'dynamicGroupMetadata'
# input: true
# description: |
# Dynamic group metadata like queries and status.
# properties:
# - !ruby/object:Api::Type::Array
# name: 'queries'
# required: true
# description: |
# Memberships will be the union of all queries. Only one entry with USER resource is currently supported.
# item_type: !ruby/object:Api::Type::NestedObject
# properties:
# - !ruby/object:Api::Type::Enum
# name: 'resourceType'
# description: |
# Resources supported for dynamic groups.
# default_value: :USER
# values:
# - :USER
# - !ruby/object:Api::Type::String
# name: 'query'
# description: |
# Query that determines the memberships of the dynamic group.

# Examples: All users with at least one organizations.department of engineering.

# user.organizations.exists(org, org.department=='engineering')

# All users with at least one location that has area of foo and building_id of bar.

# user.locations.exists(loc, loc.area=='foo' && loc.building_id=='bar')
# - !ruby/object:Api::Type::NestedObject
# name: 'DynamicGroupStatus'
# output: true
# description: |
# Status of the dynamic group.
# properties:
# - !ruby/object:Api::Type::String
# name: 'status'
# description: |
# Status of the dynamic group.
# - !ruby/object:Api::Type::String
# name: 'statusTime'
# description: |
# The latest time at which the dynamic group is guaranteed to be in the given status.
# For example, if status is: UP_TO_DATE - The latest time at which this dynamic group
# was confirmed to be up to date. UPDATING_MEMBERSHIPS - The time at which dynamic group was created.

# A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- !ruby/object:Api::Resource
name: 'GroupMembership'
base_url: '{{group}}/memberships'
self_link: '{{name}}'
description: |
A Membership defines a relationship between a Group and an entity belonging to that Group, referred to as a "member".
parameters:
- !ruby/object:Api::Type::ResourceRef
name: 'group'
resource: 'Group'
imports: 'name'
description: |
The name of the Group to create this membership in.
required: true
input: true
url_param_only: true
properties:
- !ruby/object:Api::Type::String
name: 'name'
output: true
description: |
The resource name of the Membership, of the form groups/{group_id}/memberships/{membership_id}.
- !ruby/object:Api::Type::NestedObject
name: 'memberKey'
input: true
description: |
EntityKey of the member.
exactly_one_of:
- member_key
- preferred_member_key
properties:
- !ruby/object:Api::Type::String
name: 'id'
required: true
input: true
description: |
The ID of the entity.
For Google-managed entities, the id must be the email address of an existing
group or user.
For external-identity-mapped entities, the id must be a string conforming
to the Identity Source's requirements.
Must be unique within a namespace.
- !ruby/object:Api::Type::String
name: 'namespace'
input: true
description: |
The namespace in which the entity exists.
If not specified, the EntityKey represents a Google-managed entity
such as a Google user or a Google Group.
If specified, the EntityKey represents an external-identity-mapped group.
The namespace must correspond to an identity source created in Admin Console
and must be in the form of `identitysources/{identity_source_id}`.
- !ruby/object:Api::Type::NestedObject
name: 'preferredMemberKey'
input: true
description: |
EntityKey of the member.
exactly_one_of:
- member_key
- preferred_member_key
properties:
- !ruby/object:Api::Type::String
name: 'id'
required: true
input: true
description: |
The ID of the entity.
For Google-managed entities, the id must be the email address of an existing
group or user.
For external-identity-mapped entities, the id must be a string conforming
to the Identity Source's requirements.
Must be unique within a namespace.
- !ruby/object:Api::Type::String
name: 'namespace'
input: true
description: |
The namespace in which the entity exists.
If not specified, the EntityKey represents a Google-managed entity
such as a Google user or a Google Group.
If specified, the EntityKey represents an external-identity-mapped group.
The namespace must correspond to an identity source created in Admin Console
and must be in the form of `identitysources/{identity_source_id}`.
- !ruby/object:Api::Type::String
name: 'createTime'
output: true
description: |
The time when the Membership was created.
- !ruby/object:Api::Type::String
name: 'updateTime'
output: true
description: |
The time when the Membership was last updated.
- !ruby/object:Api::Type::Array
name: 'roles'
required: true
description: |
The MembershipRoles that apply to the Membership.
Must not contain duplicate MembershipRoles with the same name.
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::Enum
name: 'name'
required: true
description: |
The name of the MembershipRole. Must be one of OWNER, MANAGER, MEMBER.
values:
- :OWNER
- :MANAGER
- :MEMBER
- !ruby/object:Api::Type::String
name: 'type'
output: true
description: |
The type of the membership.
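Review bot: `roles` is the only `GroupMembership` property without `input: true`, so the generated Terraform schema treats it as updatable in place, yet the resource declares no `update_url`/`update_verb`/`update_mask` (compare `Group`, which sets `update_url: '{{name}}'`, `update_verb: :PATCH`, `update_mask: true`), so a role change goes through whatever the generator's default update path is. As far as I know the Cloud Identity memberships API has no PUT/PATCH on `groups/{g}/memberships/{m}` and only changes roles through the `modifyMembershipRoles` custom method, so please confirm what the generated Update actually calls; a MEMBER → MANAGER/OWNER change is a privilege grant and must either land or fail loudly rather than leave plan/state drifted. Until a real update path is wired up (`update_verb: :POST`, `update_url: '{{name}}:modifyMembershipRoles'` plus a custom update encoder that builds the add/remove role lists), the minimal safe change is `input: true` under `name: 'roles'` so a role change forces replacement of the membership. It would also help readers if the `name` enum description said which of OWNER/MANAGER/MEMBER carry group-administration rights, with a pointer to the Cloud Identity MembershipRole reference, since the current text only lists the three values.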
75 changes: 75 additions & 0 deletions products/cloudidentity/terraform.yaml
@@ -0,0 +1,75 @@
# Copyright 2020 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

--- !ruby/object:Provider::Terraform::Config
overrides: !ruby/object:Overrides::ResourceOverrides
Group: !ruby/object:Overrides::Terraform::ResourceOverride
import_format: ["{{name}}"]
examples:
- !ruby/object:Provider::Terraform::Examples
name: "cloud_identity_groups_basic"
primary_resource_id: "cloud_identity_group_basic"
min_version: beta
vars:
id_group: "my-identity-group"
test_env_vars:
org_domain: :ORG_DOMAIN
cust_id: :CUST_ID
### The full API doesn't seem to be implemented yet
# - !ruby/object:Provider::Terraform::Examples
# name: "cloud_identity_groups_full"
# primary_resource_id: "cloud_identity_group_full"
# min_version: beta
# vars:
# id_group: "my-identity-group"
# test_env_vars:
# org_domain: :ORG_DOMAIN
# cust_id: :CUST_ID
custom_code: !ruby/object:Provider::Terraform::CustomCode
post_create: templates/terraform/post_create/set_computed_name.erb
GroupMembership: !ruby/object:Overrides::Terraform::ResourceOverride
import_format: ["{{name}}"]
examples:
- !ruby/object:Provider::Terraform::Examples
name: "cloud_identity_group_membership"
primary_resource_id: "cloud_identity_group_membership_basic"
min_version: beta
vars:
id_group: "my-identity-group"
test_env_vars:
org_domain: :ORG_DOMAIN
cust_id: :CUST_ID
- !ruby/object:Provider::Terraform::Examples
name: "cloud_identity_group_membership_user"
primary_resource_id: "cloud_identity_group_membership_basic"
min_version: beta
vars:
id_group: "my-identity-group"
test_env_vars:
org_domain: :ORG_DOMAIN
cust_id: :CUST_ID
identity_user: :IDENTITY_USER
properties:
memberKey: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
preferredMemberKey: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
custom_code: !ruby/object:Provider::Terraform::CustomCode
post_create: templates/terraform/post_create/set_computed_name.erb

# This is for copying files over
files: !ruby/object:Provider::Config::Files
# These files have templating (ERB) code that will be run.
# This is usually to add licensing info, autogeneration notices, etc.
compile:
<%= lines(indent(compile('provider/terraform/product~compile.yaml'), 4)) -%>
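Review bot: Both membership examples declare `primary_resource_id: "cloud_identity_group_membership_basic"`, so the `cloud_identity_group_membership_user` example's generated docs snippet and import test reuse the "basic" resource label; if the `_user` example file labels its resource differently, the generated import test will point at an address that does not exist, and if it does not, the two docs snippets are indistinguishable — `primary_resource_id: "cloud_identity_group_membership_user"` (matching the label in that example file) is clearer either way. The Group example is named `cloud_identity_groups_basic` (plural) while the membership examples use the singular `cloud_identity_group_…`; one form throughout keeps the generated test and doc names greppable. Note too that the `_user` test puts whatever account `IDENTITY_USER` names into a freshly created group with roles, so presumably that variable should be a dedicated test identity rather than a person's account, in case a failed run leaves the membership behind — a short comment above `identity_user: :IDENTITY_USER` saying so would save the next person from guessing.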
