Generate BackendService in Terraform

api/type.rb

@@ -115,6 +115,8 @@ def check_default_value_property
         clazz = ::String
       when Api::Type::Integer
         clazz = ::Integer
+      when Api::Type::Double
+        clazz = ::Float
       when Api::Type::Enum
         clazz = ::Symbol
       when Api::Type::Boolean

products/compute/api.yaml

@@ -384,6 +384,11 @@ objects:
           properties:
             - !ruby/object:Api::Type::Enum
               name: 'balancingMode'
+              default_value: :UTILIZATION
+              values:
+                - :UTILIZATION
+                - :RATE
+                - :CONNECTION
               description: |
                 Specifies the balancing mode for this backend.
 
@@ -392,12 +397,9 @@ objects:
                 and CONNECTION (for TCP/SSL).
 
                 This cannot be used for internal load balancing.
-              values:
-                - :UTILIZATION
-                - :RATE
-                - :CONNECTION
             - !ruby/object:Api::Type::Double
               name: 'capacityScaler'
+              default_value: 1.0
               description: |
                 A multiplier applied to the group's maximum servicing capacity
                 (based on UTILIZATION, RATE or CONNECTION).
@@ -471,6 +473,7 @@ objects:
                 This cannot be used for internal load balancing.
             - !ruby/object:Api::Type::Double
               name: 'maxUtilization'
+              default_value: 0.8
               description: |
                 Used when balancingMode is UTILIZATION. This ratio defines the
                 CPU utilization target for the group. The default is 0.8. Valid
@@ -539,43 +542,56 @@ objects:
               responses will not be altered.
       - !ruby/object:Api::Type::NestedObject
         name: 'connectionDraining'
-        description: 'Settings for connection draining'
+        description: |
+          Settings for connection draining
         properties:
           - !ruby/object:Api::Type::Integer
             name: 'drainingTimeoutSec'
+            default_value: 300
             description: |
               Time for which instance will be drained (not accept new
               connections, but still work to finish started).
       - !ruby/object:Api::Type::Time
         name: 'creationTimestamp'
-        description: 'Creation timestamp in RFC3339 text format.'
+        description: |
+          Creation timestamp in RFC3339 text format.
+        output: true
+      - !ruby/object:Api::Type::Array
+        name: 'customRequestHeaders'
+        min_version: beta
+        item_type: Api::Type::String
+        description: |
+          Headers that the HTTP/S load balancer should add to proxied
+          requests.
+      - !ruby/object:Api::Type::Fingerprint
+        name: 'fingerprint'
         output: true
+        description: |
+          Fingerprint of this resource. A hash of the contents stored in this
+          object. This field is used in optimistic locking.
       - !ruby/object:Api::Type::String
         name: 'description'
-        description: 'An optional description of this resource.'
+        description: |
+          An optional description of this resource.
       - !ruby/object:Api::Type::Boolean
         name: 'enableCDN'
         description: |
           If true, enable Cloud CDN for this BackendService.
 
           When the load balancing scheme is INTERNAL, this field is not used.
-      # 'fingerprint' is not suitable for resource convergence.
-      # TODO(nelsonjr): Limitation: healthChecks can point to various distinct
-      # object types and there's no way to differentiate them right now.
-      # Investigate if there is a way to enforce this on the client side as it
-      # depends on the value of load balancing being internal or external.
-      # TODO(nelsonjr): Make 'healthChecks' into a single object as the API
-      # cannot take 2+ anyway.
       - !ruby/object:Api::Type::Array
         name: 'healthChecks'
+        item_type: Api::Type::String
+        required: true
+        min_size: 1
+        max_size: 1
         description: |
            The list of URLs to the HttpHealthCheck or HttpsHealthCheck resource
            for health checking this BackendService. Currently at most one health
            check can be specified, and a health check is required.
 
            For internal load balancing, a URL to a HealthCheck resource must be
            specified instead.
-        item_type: Api::Type::String
       - !ruby/object:Api::Type::Integer
         name: 'id'
         description: 'The unique identifier for the resource.'
@@ -589,14 +605,19 @@ objects:
             description: Enables IAP.
           - !ruby/object:Api::Type::String
             name: 'oauth2ClientId'
-            description: OAuth2 Client ID for IAP
+            required: true
+            description: |
+              OAuth2 Client ID for IAP
           - !ruby/object:Api::Type::String
             name: 'oauth2ClientSecret'
-            description: OAuth2 Client Secret for IAP
+            required: true
+            description: |
+              OAuth2 Client Secret for IAP
           - !ruby/object:Api::Type::String
             name: 'oauth2ClientSecretSha256'
-            description: OAuth2 Client Secret SHA-256 for IAP
             output: true
+            description: |
+              OAuth2 Client Secret SHA-256 for IAP
       - !ruby/object:Api::Type::Enum
         name: 'loadBalancingScheme'
         description: |
@@ -608,6 +629,8 @@ objects:
           - :EXTERNAL
       - !ruby/object:Api::Type::String
         name: 'name'
+        required: true
+        input: true
         description: |
           Name of the resource. Provided by the client when the resource is
           created. The name must be 1-63 characters long, and comply with
@@ -638,10 +661,19 @@ objects:
           - :HTTPS
           - :TCP
           - :SSL
+      # TODO: make a ResourceRef to Security Policy
+      - !ruby/object:Api::Type::String
+        name: 'securityPolicy'
+        update_verb: :POST
+        update_url:
+          'projects/{{project}}/global/backendServices/{{name}}/setSecurityPolicy'
+        description: |
+          The security policy associated with this backend service.
       - !ruby/object:Api::Type::ResourceRef
         name: 'region'
         resource: 'Region'
         imports: 'selfLink'
+        exclude: true
         description: |
           The region where the regional backend service resides.
           This field is not applicable to global backend services.

products/compute/terraform.yaml

@@ -168,7 +168,72 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         Because the API does not return the sensitive key value,
         we cannot confirm or reverse changes to a key outside of Terraform.
   BackendService: !ruby/object:Overrides::Terraform::ResourceOverride
-    exclude: true
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "backend_service_basic"
+        primary_resource_id: "default"
+        vars:
+          backend_service_name: "backend-service"
+          http_health_check_name: "health-check"
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      encoder: 'templates/terraform/encoders/backend_service.go.erb'
+      decoder: 'templates/terraform/decoders/backend_service.go.erb'
+      post_create: 'templates/terraform/post_create/compute_backend_service_security_policy.go.erb'
+      post_update: 'templates/terraform/post_create/compute_backend_service_security_policy.go.erb'
+      resource_definition: 'templates/terraform/resource_definition/backend_service.go.erb'
+    properties:
+      backends: !ruby/object:Overrides::Terraform::PropertyOverride
+        name: backend
+        is_set: true
+        set_hash_func: 'resourceGoogleComputeBackendServiceBackendHash'
+      backends.group: !ruby/object:Overrides::Terraform::PropertyOverride
+        diff_suppress_func: 'compareSelfLinkRelativePaths'
+      cdnPolicy: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
+      cdnPolicy.cacheKeyPolicy.queryStringWhitelist: !ruby/object:Overrides::Terraform::PropertyOverride
+        is_set: true
+      cdnPolicy.cacheKeyPolicy.queryStringBlacklist: !ruby/object:Overrides::Terraform::PropertyOverride
+        is_set: true
+      # TODO(rileykarson): Add this- exclude for now to make the PR easier to review.
+      cdnPolicy.signedUrlCacheMaxAgeSec: !ruby/object:Overrides::Terraform::PropertyOverride
+        exclude: true
+      connectionDraining: !ruby/object:Overrides::Terraform::PropertyOverride
+        flatten_object: true
+      connectionDraining.drainingTimeoutSec: !ruby/object:Overrides::Terraform::PropertyOverride
+        name: connection_draining_timeout_sec
+      customRequestHeaders: !ruby/object:Overrides::Terraform::PropertyOverride
+        is_set: true
+      healthChecks: !ruby/object:Overrides::Terraform::PropertyOverride
+        is_set: true
+        set_hash_func: 'selfLinkRelativePathHash'
+        custom_flatten: templates/terraform/custom_flatten/guard_self_link_array.go.erb
+      iap: !ruby/object:Overrides::Terraform::PropertyOverride
+        send_empty_value: true
+      iap.enabled: !ruby/object:Overrides::Terraform::PropertyOverride
+        exclude: true
+      iap.oauth2ClientSecret: !ruby/object:Overrides::Terraform::PropertyOverride
+        send_empty_value: true
+        # We don't support ignore_read on nested fields
+        ignore_read: true
+        sensitive: true
+        custom_flatten: templates/terraform/custom_flatten/compute_backend_service_iap_oauth2_client_secret.go.erb
+      iap.oauth2ClientSecretSha256: !ruby/object:Overrides::Terraform::PropertyOverride
+        sensitive: true
+      id: !ruby/object:Overrides::Terraform::PropertyOverride
+        exclude: true
+      # TODO(rileykarson): Add this- exclude for now to make the PR easier to review.
+      loadBalancingScheme: !ruby/object:Overrides::Terraform::PropertyOverride
+        exclude: true
+      portName: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
+      protocol: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
+      sessionAffinity: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
+      securityPolicy: !ruby/object:Overrides::Terraform::PropertyOverride
+        diff_suppress_func: 'compareSelfLinkOrResourceName'
+      timeoutSec: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
   Disk: !ruby/object:Overrides::Terraform::ResourceOverride
     properties:
       id: !ruby/object:Overrides::Terraform::PropertyOverride

templates/terraform/custom_flatten/compute_backend_service_iap_oauth2_client_secret.go.erb

@@ -0,0 +1,17 @@
+<%# The license inside this block applies to this file.
+	# Copyright 2018 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d *schema.ResourceData) interface{} {
+	return d.Get("iap.0.oauth2_client_secret")
+}

templates/terraform/custom_flatten/guard_self_link_array.go.erb

@@ -0,0 +1,21 @@
+<%# The license inside this block applies to this file.
+	# Copyright 2019 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+<%# This should be used for multi-resource ref fields that can't be made to real resource refs yet %>
+func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d *schema.ResourceData) interface{} {
+	if v == nil {
+		return v
+	}
+	return convertAndMapStringArr(v.([]interface{}), ConvertSelfLinkToV1)
+}

templates/terraform/decoders/backend_service.go.erb

@@ -0,0 +1,23 @@
+<%# The license inside this block applies to this file.
+	# Copyright 2017 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+// We need to pretend IAP isn't there if it's disabled for Terraform to maintain
+// BC behaviour with the handwritten resource.
+v, ok :=  res["iap"]
+m := v.(map[string]interface{})
+if ok && m["enabled"] == false {
+	delete(res, "iap")
+}
+
+return res, nil

templates/terraform/encoders/backend_service.go.erb

@@ -0,0 +1,36 @@
+<%# The license inside this block applies to this file.
+	# Copyright 2017 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+// The BackendService API's Update / PUT API is badly formed and behaves like
+// a PATCH field for at least IAP. When sent a `null` `iap` field, the API
+// doesn't disable an existing field. To work around this, we need to emulate
+// the old Terraform behaviour of always sending the block (at both update and
+// create), and force sending each subfield as empty when the block isn't
+// present in config.
+
+iapVal := obj["iap"]
+if iapVal == nil {
+	data := map[string]interface{}{}
+	data["enabled"] = false
+	data["oauth2ClientId"] = ""
+	data["oauth2ClientSecret"] = ""
+	obj["iap"] = data
+} else {
+	iap := iapVal.(map[string]interface{})
+	iap["enabled"] = true
+	obj["iap"] = iap
+}
+
+
+return obj, nil

templates/terraform/examples/backend_service_basic.tf.erb

@@ -0,0 +1,11 @@
+resource "google_compute_backend_service" "<%= ctx[:primary_resource_id] %>" {
+  name          = "<%= ctx[:vars]['backend_service_name'] %>"
+  health_checks = ["${google_compute_http_health_check.default.self_link}"]
+}
+
+resource "google_compute_http_health_check" "default" {
+  name               = "<%= ctx[:vars]['http_health_check_name'] %>"
+  request_path       = "/"
+  check_interval_sec = 1
+  timeout_sec        = 1
+}

templates/terraform/extra_schema_entry/backend_service.erb

@@ -0,0 +1,20 @@
+<%# The license inside this block applies to this file.
+	# Copyright 2018 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+"region": {
+	Type:     schema.TypeString,
+	Optional: true,
+	ForceNew: true,
+	Removed:  "region has been removed as it was never used. For internal load balancing, use google_compute_region_backend_service",
+},