Add condition and accessPolicyVersion to BQ dataset access #12475

Merged
merged 27 commits into from
Dec 16, 2024
Changes from 4 commits
Commits
0edec7b
Add condition field to bigquery dataset access
obada-ab Nov 27, 2024
3677133
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 2, 2024
1daccab
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 2, 2024
1f52ebe
Fix bq dataset access with conditions
obada-ab Dec 3, 2024
2ef7a14
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 3, 2024
0a7fcd3
Merge branch 'dataset-acl-condition' of https://github.com/obada-ab/m…
obada-ab Dec 4, 2024
6903e71
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 4, 2024
d91c15f
Add debug message for BQ dataset access entries
obada-ab Dec 4, 2024
3547901
Merge branch 'dataset-acl-condition' of https://github.com/obada-ab/m…
obada-ab Dec 4, 2024
3c53b5e
Remove unused bq dataset encoder
obada-ab Dec 4, 2024
1ac1ac4
Fix testAccCheckBigQueryDatasetAccess
obada-ab Dec 4, 2024
40a7e55
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 6, 2024
0334398
Remove accessPolicyVersion field
obada-ab Dec 6, 2024
bee7e9d
Remove accessPolicyVersion from BQ dataset URLs
obada-ab Dec 6, 2024
2bad050
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 10, 2024
e3f8799
Fix BQ Dataset/DatasetAccess http URLs
obada-ab Dec 10, 2024
0ff8ccc
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 12, 2024
3e2cf62
Add condition to BQ Dataset
obada-ab Dec 12, 2024
dbdc91f
Fix create url for BQ dataset
obada-ab Dec 13, 2024
a7af1b3
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 13, 2024
82b6996
Fix BQ dataset access test
obada-ab Dec 13, 2024
169be9d
Move BQ external AWS dataset test to resource_bigquery_dataset_test
obada-ab Dec 13, 2024
3705c08
Fix BQ dataset tests
obada-ab Dec 13, 2024
bf98483
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 13, 2024
af61577
Add cai_base_url to BQ dataset
obada-ab Dec 13, 2024
3f1c07e
Merge branch 'GoogleCloudPlatform:main' into dataset-acl-condition
obada-ab Dec 16, 2024
11012e3
Add pre-read custom code to BQ dataset
obada-ab Dec 16, 2024
1 change: 1 addition & 0 deletions mmv1/products/bigquery/Dataset.yaml
Expand Up @@ -37,6 +37,7 @@ timeouts:
delete_minutes: 20
custom_code:
constants: 'templates/terraform/constants/bigquery_dataset.go.tmpl'
encoder: 'templates/terraform/encoders/bigquery_dataset.go.tmpl'
exclude_sweeper: true
examples:
- name: 'bigquery_dataset_basic'
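Review bot: the new `encoder:` line under `custom_code` wires the encoder into the requests the provider builds for Dataset, yet in these changes the `condition` property is added only to DatasetAccess.yaml, so Dataset gets a request-body change without a schema field that needs it. Add the matching `condition` property to the Dataset access block in the same change, or note in the PR description why Dataset needs the encoder on its own.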
26 changes: 26 additions & 0 deletions mmv1/products/bigquery/DatasetAccess.yaml
Expand Up @@ -301,3 +301,29 @@ properties:
A-Z), numbers (0-9), or underscores (_). The maximum length
is 256 characters.
required: true
- name: 'condition'
type: NestedObject
description: |
Condition for the binding. If CEL expression in this field is true, this
access binding will be considered.
properties:
- name: expression
type: String
required: true
description: |
Textual representation of an expression in Common Expression Language syntax.
- name: title
type: String
description: |
Title for the expression, i.e. a short string describing its purpose.
This can be used e.g. in UIs which allow to enter the expression.
- name: description
type: String
description: |
Description of the expression. This is a longer text which describes the expression,
e.g. when hovered over it in a UI.
- name: location
type: String
description: |
String indicating the location of the expression for error reporting, e.g. a file
name and a position in the file.
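Review bot: the `condition` description says the binding "will be considered" when the CEL expression is true, but it does not say what happens when the expression is false or cannot be evaluated, and nothing in this block mentions the `accessPolicyVersion` of 3 that the encoder in this PR sets. Because this field decides whether a role such as OWNER applies, state explicitly in the description whether access is withheld in those cases, and point to the reference for the CEL attributes that are supported here.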
14 changes: 14 additions & 0 deletions mmv1/templates/terraform/encoders/bigquery_dataset.go.tmpl
@@ -0,0 +1,14 @@
{{/*
The license inside this block applies to this file
Copyright 2024 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/ -}}
obj["accessPolicyVersion"] = 3
zli82016 marked this conversation as resolved.
return obj, nil
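Review bot: `obj["accessPolicyVersion"] = 3` is a bare literal set on every encoded request, with no comment saying why 3 or why it is unconditional. Add a comment tying the value to conditional access entries, and confirm that the API reads `accessPolicyVersion` from the request body rather than as a request parameter; if it is a parameter, this assignment does nothing and the version has to be set on the URL instead.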
Expand Up @@ -292,6 +292,34 @@ func TestAccBigQueryDatasetAccess_userByEmailWithMixedCase(t *testing.T) {
})
}

func TestAccBigQueryDatasetAccess_withCondition(t *testing.T) {
t.Parallel()

datasetID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
saID := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))

expected := map[string]interface{}{
"role": "OWNER",
"userByEmail": fmt.Sprintf("%s@%s.iam.gserviceaccount.com", saID, envvar.GetTestProjectFromEnv()),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
Steps: []resource.TestStep{
{
Config: testAccBigQueryDatasetAccess_withCondition(datasetID, saID),
Check: testAccCheckBigQueryDatasetAccessPresent(t, "google_bigquery_dataset.dataset", expected),
},
{
// Destroy step instead of CheckDestroy so we can check the access is removed without deleting the dataset
Config: testAccBigQueryDatasetAccess_destroy(datasetID, "dataset"),
Check: testAccCheckBigQueryDatasetAccessAbsent(t, "google_bigquery_dataset.dataset", expected),
},
},
})
}

func TestAccBigQueryDatasetAccess_groupByEmailWithMixedCase(t *testing.T) {
t.Parallel()

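Review bot: in `TestAccBigQueryDatasetAccess_withCondition` the `expected` map holds only `role` and `userByEmail`, so both the present and the absent check pass even if the `condition` block never reaches the API or is not read back. Add the condition (at least `expression` and `title`) to `expected`, or add a separate check on the dataset's access entry, so the test fails when an OWNER grant that was meant to be conditional is created without its condition.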
Expand Down Expand Up @@ -575,3 +603,27 @@ resource "google_bigquery_dataset" "dataset" {
}
`, accessType, email, datasetID)
}

func testAccBigQueryDatasetAccess_withCondition(datasetID, saID string) string {
return fmt.Sprintf(`
resource "google_bigquery_dataset_access" "withCondition" {
dataset_id = google_bigquery_dataset.dataset.dataset_id
role = "OWNER"
user_by_email = google_service_account.bqowner.email
condition {
title = "test-condition"
description = "Request after midnight of 2019-12-31"
expression = "request.time > timestamp(\"2020-01-01T00:00:00Z\")"
location = "any.file.anywhere"
}
}

resource "google_bigquery_dataset" "dataset" {
dataset_id = "%s"
}

resource "google_service_account" "bqowner" {
account_id = "%s"
}
`, datasetID, saID)
}
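Review bot: the `expression` in the `condition` block, `request.time > timestamp(\"2020-01-01T00:00:00Z\")`, is true for any request made at the time this test runs, so this config cannot distinguish a conditional OWNER binding from an unconditional one. If the test is only meant to cover that the field round-trips, say so in a comment above the config; otherwise pair it with a check that reads the stored condition back from the dataset.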