Add support IAM policy for the Environment of Apigee X #5270
Conversation
|
Hello! I am a robot who works on Magic Modules PRs. I have detected that you are a community contributor, so your PR will be assigned to someone with a commit-bit on this repo for initial review. Thanks for your contribution! A human will be with you soon. @melinath, please review this PR or find an appropriate assignee. |
|
I ran the following acceptance tests in my local: 5 out of the 6 passed, except for "TestAccApigeeEnvironmentIamPolicyGenerated". |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
The change from org_id -> org_name would be a breaking change, so we can't accept it. All existing configs need to keep working without being changed. Putting org_id and org_name side by side would likely be acceptable as long as it won't break existing configs.
However, unless it's absolutely necessary to include org_name changes, this PR should be limited to just adding support for IAM policy to Apigee X Environments.
I'm not sure offhand what to do about the etag fields. I can look into it a bit if you're not able to figure it out. But I wanted to cover the big issue first.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Thank you for the reply, Stephen! I ran the following tests in my local: Because I only made minimal changes to api.yaml, I'm not sure what I'm missing here. Please advise. Thanks! |
There was a problem hiding this comment.
You'll probably need to add back the separate test files. The reason we have them is that you can only have one apigee org per project. So, we need to set up separate unique projects for each test, each with their own apigee org (and then enable the relevant apis, etc.)
|
I see. I reverted all changes I made to test files. However I'm not able to run these tests in my local at the moment.. I'm working with my teams to get the permissions to create projects with billings. |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
It looks like this is resulting in invalid generated test code:
google/iam_apigee_environment_generated_test.go:43:24: Sprintf format %s reads arg #1, but call has 0 args
google/iam_apigee_environment_generated_test.go:53:24: Sprintf format %s reads arg #1, but call has 0 args
google/iam_apigee_environment_generated_test.go:81:24: Sprintf format %s reads arg #1, but call has 0 args
google/iam_apigee_environment_generated_test.go:108:24: Sprintf format %s reads arg #1, but call has 0 args
google/iam_apigee_environment_generated_test.go:117:24: Sprintf format %s reads arg #1, but call has 0 args
|
I couldn't run the existing test cases in my local, so I made the fix to the test files in the previous commit.. Now that those are reverted, can you look into the errors and we collaborate in this PR? |
|
@xuchenma the issue here seems to be that in order to support the automatic generation of IAM tests, you need to add a primary_resource_name to the example in terraform.yaml - here's an example of what that looks like: The lines that are currently failing to compile in your generated code look like this: https://github.com/modular-magician/terraform-provider-google/compare/auto-pr-5270-old..auto-pr-5270#diff-6f00cf9b869826b379f694c599e4c65cf5a78211f5123adbf1b8cf4711373c2fR43 (You can see this code using the links in the comment by the modular magician, or look at your locally-generated code.) Here's the corresponding line for a working IAM test: https://github.com/hashicorp/terraform-provider-google/blob/d312ba579b0017146eaca06203a2ac7ce29b3999/google/iam_bigquery_table_generated_test.go#L102 In case it helps, here's the line in the template file used to generate IAM tests: Please make sure the generated code compiles for you locally - for example, by ensuring that |
|
Thanks, I see. I've added "primary_resource_name", |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 5 files changed, 821 insertions(+), 2 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccApigeeEnvironmentIamBindingGenerated|TestAccApigeeEnvironmentIamMemberGenerated|TestAccApigeeEnvironmentIamPolicyGenerated|TestAccCloudbuildWorkerPool_withNetwork|TestAccCloudFunctionsFunction_vpcConnector|TestAccComputeFirewallPolicyRule_update|TestAccComputeInstanceFromMachineImage_basic|TestAccComputeInstanceFromMachineImage_overrideMetadataDotStartupScript|TestAccComputeInstanceFromMachineImage_diffProject|TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample|TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample|TestAccComputeRegionNetworkEndpointGroup_regionNetworkEndpointGroupAppengineExample|TestAccContainerAnalysisOccurrence_multipleSignatures|TestAccContainerCluster_withAuthenticatorGroupsConfig|TestAccContainerNodePool_withWorkloadIdentityConfig|TestAccContainerNodePool_withGPU|TestAccContainerNodePool_ephemeralStorageConfig|TestAccSqlDatabaseInstance_withPrivateNetwork|TestAccSqlUser_postgresIAM You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=214023 |
|
It looks like the reason that etag is present for the member/binding resources and not for the policy resources is because member/binding need to do a get request to merge the existing IAM policy with their changes - which gets them an etag as a side effect. The policy resource overrides whatever's there so it doesn't do a get request first (and so doesn't get an etag). I think we expect this kind of request to go through; this API must be slightly different from standard. |
|
The issues with the member/binding resources have to do with the import URL. I'm not entirely sure what the fix will be; I need to look into it some more. |
mmv1/products/apigee/api.yaml
Outdated
| exclude: false | ||
| method_name_separator: ':' | ||
| parent_resource_attribute: 'env_id' | ||
| import_format: ["{{org_id}}/environments/{{name}}", "{{name}}"] |
There was a problem hiding this comment.
This % will indicate that the org_id can contain slashes, which should resolve the problem. (Currently the import_format regex excludes the "organization/" at the start of the org id.)
| import_format: ["{{org_id}}/environments/{{name}}", "{{name}}"] | |
| import_format: ["{{%org_id}}/environments/{{name}}", "{{name}}"] |
Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
|
Thanks! I just committed the suggested change and rebased. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 5 files changed, 820 insertions(+), 2 deletions(-)) |
|
/gcbrun |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 5 files changed, 820 insertions(+), 2 deletions(-)) |
mmv1/products/apigee/terraform.yaml
Outdated
| @@ -103,6 +103,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides | |||
| # the resources needed for the acceptance test. | |||
| name: "apigee_environment_basic_test" | |||
| primary_resource_id: "apigee_environment" | |||
| primary_resource_name: "getTestProjectFromEnv(), fmt.Sprintf(\"tf-test-apigee-env%s\", context[\"random_suffix\"])" | |||
There was a problem hiding this comment.
It looks like this is causing issues; it is causing things like this to be generated:
{
ResourceName: "google_apigee_environment_iam_binding.foo",
ImportStateId: fmt.Sprintf("%s/environments/%s roles/viewer", getTestProjectFromEnv(), fmt.Sprintf("tf-test-apigee-env%s", context["random_suffix"])),
ImportState: true,
ImportStateVerify: true,
},
This results in the import id being set to something like my-project/environments/tf-test-apigee-envasdfklj but it should be organizations/tf-testasdfklj/environments/tf-testasdfklj. I think you could resolve the issue with something like this:
| primary_resource_name: "getTestProjectFromEnv(), fmt.Sprintf(\"tf-test-apigee-env%s\", context[\"random_suffix\"])" | |
| primary_resource_name: "fmt.Sprintf(\"organizations/tf-test%s\", context[\"random_suffix\"]), fmt.Sprintf(\"tf-test%s\", context[\"random_suffix\"])" |
There was a problem hiding this comment.
Let me know if that helps the tests pass for you locally!
There was a problem hiding this comment.
Thanks, done! I'm still working with my team to setup the permission for me to run tests locally. We can try and see if the tests pass in your system.
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 5 files changed, 820 insertions(+), 2 deletions(-)) |
|
It looks like the binding and member tests are now passing, so all that's left is the policy test. |
|
/gcbrun |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 5 files changed, 820 insertions(+), 2 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccApigeeEnvironmentIamBindingGenerated|TestAccApigeeEnvironmentIamMemberGenerated|TestAccApigeeEnvironmentIamPolicyGenerated|TestAccAssuredWorkloadsWorkload_BasicHandWritten|TestAccAssuredWorkloadsWorkload_FullHandWritten|TestAccCloudFunctionsFunction_vpcConnector|TestAccComputeForwardingRule_update|TestAccComputeInstanceFromMachineImage_basic|TestAccComputeInstanceFromMachineImage_overrideMetadataDotStartupScript|TestAccComputeInstanceFromMachineImage_diffProject|TestAccComputeRegionHealthCheck_tcp_update|TestAccComputeRegionHealthCheck_typeTransition|TestAccComputeRegionNetworkEndpointGroup_regionNetworkEndpointGroupAppengineExample|TestAccComputeServiceAttachment_serviceAttachmentBasicExampleUpdate|TestAccDataprocWorkflowTemplate_basic|TestAccEventarcTrigger_BasicHandWritten|TestAccMonitoringMonitoredProject_BasicMonitoredProject|TestAccOrgPolicyPolicy_EnforcePolicy|TestAccOrgPolicyPolicy_FolderPolicy|TestAccOrgPolicyPolicy_OrganizationPolicy|TestAccOrgPolicyPolicy_ProjectPolicy|TestAccPrivatecaCertificateTemplate_BasicCertificateTemplate|TestAccSqlUser_postgresIAM|TestAccTags You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=221386 |
…atform#5270) * Add support IAM policy for the Environment of Apigee X * Add support IAM policy for the Environment of Apigee X * Add support IAM policy for the Environment of Apigee X * Add support IAM policy for the Environment of Apigee X * Revert all changes to test files. * Revert all changes to test files. * Revert all changes to test files. * Add primary_resource_name to fix tests. * Update iam_attributes.tf.erb to honor skip_test. * Don't reject skip_tests when example is nil. * Update mmv1/products/apigee/api.yaml Co-authored-by: Stephen Lewis (Burrows) <[email protected]> * Fix primary_resource_name for apigee organization name. Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
This PR fixes hashicorp/terraform-provider-google#9767 by adding IAM support to ApigeeEnvironment.
It also changed the ApigeeEnvironment resource from requiring "org_id = organizations/<org_name>" to "org_name = <org_name>".
It also refactored some tests for ApigeeOrganization and ApigeeEnvironment. Previously there were separated sets of tests, some written solely for docs (skipped testing) and some solely for testing (skipped docs). This PR used the same test for docs and testing wherever possible. For cases where it has to be separated tests, it minimized the difference between them.
If this PR is for Terraform, I acknowledge that I have:
make testandmake lintto ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)