From 04940af147b0728e8c9280b67c178e18f3d54da3 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Mon, 29 Oct 2018 08:21:41 -0700 Subject: [PATCH 1/5] Generate DefaultObjectAccessControl in Terraform --- products/storage/api.yaml | 11 +- products/storage/terraform.yaml | 18 ++- ...rage_default_object_access_control_test.go | 110 ++++++++++++++++++ ...rce_storage_object_access_control_test.go} | 0 ...efault_object_access_control_public.tf.erb | 9 ++ 5 files changed, 144 insertions(+), 4 deletions(-) create mode 100644 provider/terraform/tests/resource_storage_default_object_access_control_test.go rename provider/terraform/tests/{resource_google_storage_object_access_control_test.go => resource_storage_object_access_control_test.go} (100%) create mode 100644 templates/terraform/examples/storage_default_object_access_control_public.tf.erb diff --git a/products/storage/api.yaml b/products/storage/api.yaml index f36d2db35a8a..b84ca9722d2d 100644 --- a/products/storage/api.yaml +++ b/products/storage/api.yaml @@ -347,10 +347,15 @@ objects: kind: 'storage#objectAccessControl' base_url: b/{{bucket}}/defaultObjectAcl self_link: b/{{bucket}}/defaultObjectAcl/{{entity}} + references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'Official Documentation': 'https://cloud.google.com/storage/docs/access-control/create-manage-lists' + api: 'https://cloud.google.com/storage/docs/json_api/v1/defaultObjectAccessControls' description: | - The ObjectAccessControls resources represent the Access Control Lists - (ACLs) for objects within Google Cloud Storage. ACLs let you specify - who has access to your data and to what extent. + The DefaultObjectAccessControls resources represent the Access Control + Lists (ACLs) applied to a new object within a Google Cloud Storage bucket + when no ACL was provided for that object. ACLs let you specify who has + access to your bucket contents and to what extent. There are two roles that can be assigned to an entity: 
diff --git a/products/storage/terraform.yaml b/products/storage/terraform.yaml index 1eee3f47f5d6..a6977732ea03 100644 --- a/products/storage/terraform.yaml +++ b/products/storage/terraform.yaml @@ -36,7 +36,23 @@ overrides: !ruby/object:Provider::ResourceOverrides object: !ruby/object:Provider::Terraform::PropertyOverride description: The name of the object to apply the access control to. DefaultObjectACL: !ruby/object:Provider::Terraform::ResourceOverride - exclude: true + name: "DefaultObjectAccessControl" + example: + - !ruby/object:Provider::Terraform::Examples + name: "storage_default_object_access_control_public" + primary_resource_id: "public_rule" + skip_test: true + vars: + bucket_name: "static-content-bucket" + id_format: "{{bucket}}/{{entity}}" + import_format: ["{{bucket}}/{{entity}}"] + properties: + id: !ruby/object:Provider::Terraform::PropertyOverride + exclude: true + bucket: !ruby/object:Provider::Terraform::PropertyOverride + custom_expand: 'templates/terraform/custom_expand/resourceref_as_string.go.erb' + # This field is (unexpectedly) not returned from the API + ignore_read: true # This is for copying files over files: !ruby/object:Provider::Config::Files diff --git a/provider/terraform/tests/resource_storage_default_object_access_control_test.go b/provider/terraform/tests/resource_storage_default_object_access_control_test.go new file mode 100644 index 000000000000..a3fca09c8b5f --- /dev/null +++ b/provider/terraform/tests/resource_storage_default_object_access_control_test.go 
@@ -0,0 +1,110 @@
+package google
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageDefaultObjectAccessControl_basic(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccStorageDefaultObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccStorageDefaultObjectAccessControl_update(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccStorageDefaultObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "OWNER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccStorageDefaultObjectAccessControlDestroy(s *terraform.State) error {
+ config := testAccProvider.Meta().(*Config)
+
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "google_storage_bucket_acl" {
+ continue
+ }
+
+ bucket := rs.Primary.Attributes["bucket"]
+ entity := rs.Primary.Attributes["entity"]
+
rePairs, err := config.clientStorage.DefaultObjectAccessControls.List(bucket).Do() + if err != nil { + return fmt.Errorf("Can't list role entity acl for bucket %s", bucket) + } + + for _, v := range rePairs.Items { + if v.Entity == entity { + return fmt.Errorf("found entity %s as role entity acl entry in bucket %s", entity, bucket) + } + } + + } + + return nil +} + +func testGoogleStorageDefaultObjectAccessControlBasic(bucketName, role, entity string) string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "%s" +} + +resource "google_storage_default_object_access_control" "default" { + bucket = "${google_storage_bucket.bucket.name}" + role = "%s" + entity = "%s" +} +`, bucketName, role, entity) +} diff --git a/provider/terraform/tests/resource_google_storage_object_access_control_test.go b/provider/terraform/tests/resource_storage_object_access_control_test.go similarity index 100% rename from provider/terraform/tests/resource_google_storage_object_access_control_test.go rename to provider/terraform/tests/resource_storage_object_access_control_test.go diff --git a/templates/terraform/examples/storage_default_object_access_control_public.tf.erb b/templates/terraform/examples/storage_default_object_access_control_public.tf.erb new file mode 100644 index 000000000000..bd83d319ec5c --- /dev/null +++ b/templates/terraform/examples/storage_default_object_access_control_public.tf.erb @@ -0,0 +1,9 @@ +resource "google_storage_default_object_access_control" "<%= ctx[:primary_resource_id] %>" { + bucket = "${google_storage_bucket.bucket.name}" + role = "READER" + entity = "allUsers" +} + +resource "google_storage_bucket" "bucket" { + name = "<%= ctx[:vars]['bucket_name'] %>" +} From c567e3bf2f413559ec782eeed00eb991546c4ae7 Mon Sep 17 00:00:00 2001 
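Review bot: `testAccStorageDefaultObjectAccessControlDestroy` skips every resource whose type is not `google_storage_bucket_acl`, so for the configs in this file it never inspects the `google_storage_default_object_access_control` resource and always returns nil. Both tests grant `allUsers` a role (READER, then OWNER), so a delete path that leaves the public entry behind would pass unnoticed; the filter should read `if rs.Type != "google_storage_default_object_access_control" {`. The List failure branch also drops `err`; `return fmt.Errorf("Can't list role entity acl for bucket %s: %s", bucket, err)` keeps the cause. Once the filter matches, the List call may begin failing with not-found when the bucket was destroyed in the same run (inferred, not visible in this hunk), and that case would need to count as destroyed.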
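Review bot: The new example grants `READER` to `allUsers` as a default object ACL, and nothing in the file says what that means for the bucket's contents. Per the resource description added in this same patch, the default ACL is applied to each new object when no ACL was provided for it, so every such object written to this bucket becomes publicly readable. Since generated examples tend to be copied as-is, I would put a comment above the resource, `# Every object later uploaded without its own ACL becomes publicly readable.`, and keep the `bucket_name` var clearly tied to public static content.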
From: Riley Karson Date: Mon, 29 Oct 2018 08:44:08 -0700 Subject: [PATCH 2/5] Enable OiCS for StorageAccessControl, DefaultStorageAccessControl --- products/storage/terraform.yaml | 2 -- provider/terraform/common~copy.yaml | 1 + provider/terraform/custom_code.rb | 2 ++ .../utils/test-fixtures/header-logo.png | Bin 0 -> 3368 bytes ...ge_object_access_control_public_object.tf.erb | 2 +- 5 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 provider/terraform/utils/test-fixtures/header-logo.png diff --git a/products/storage/terraform.yaml b/products/storage/terraform.yaml index a6977732ea03..2bbbfc87c842 100644 --- a/products/storage/terraform.yaml +++ b/products/storage/terraform.yaml @@ -22,7 +22,6 @@ overrides: !ruby/object:Provider::ResourceOverrides - !ruby/object:Provider::Terraform::Examples name: "storage_object_access_control_public_object" primary_resource_id: "public_rule" - skip_test: true vars: bucket_name: "static-content-bucket" object_name: "public-object" @@ -41,7 +40,6 @@ overrides: !ruby/object:Provider::ResourceOverrides - !ruby/object:Provider::Terraform::Examples name: "storage_default_object_access_control_public" primary_resource_id: "public_rule" - skip_test: true vars: bucket_name: "static-content-bucket" id_format: "{{bucket}}/{{entity}}" diff --git a/provider/terraform/common~copy.yaml b/provider/terraform/common~copy.yaml index 25a0a5442b28..48c7f1335789 100644 --- a/provider/terraform/common~copy.yaml +++ b/provider/terraform/common~copy.yaml @@ -41,4 +41,5 @@ -%> '<%= dir -%>/<%= fname -%>': 'provider/terraform/utils/<%= fname -%>' <% end -%> +'<%= dir -%>/test-fixtures/': 'provider/terraform/utils/test-fixtures' 'website': 'provider/terraform/website' diff --git a/provider/terraform/custom_code.rb b/provider/terraform/custom_code.rb index d1761dd18a5a..c61673f97600 100644 --- a/provider/terraform/custom_code.rb +++ b/provider/terraform/custom_code.rb 
@@ -147,11 +147,13 @@ def oics_link end def substitute_test_paths(config) + config = config.gsub('../static/img/header-logo.png', 'test-fixtures/header-logo.png') config = config.gsub('path/to/private.key', 'test-fixtures/ssl_cert/test.key') config.gsub('path/to/certificate.crt', 'test-fixtures/ssl_cert/test.crt') end def substitute_example_paths(config) + config = config.gsub('../static/img/header-logo.jpg', '../static/header-logo.png') config = config.gsub('path/to/private.key', '../static/ssl_cert/test.key') config.gsub('path/to/certificate.crt', '../static/ssl_cert/test.crt') end 
diff --git a/provider/terraform/utils/test-fixtures/header-logo.png b/provider/terraform/utils/test-fixtures/header-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..7d65c7a1554ac20ed40231fc67ae5d5a1f46d123 GIT binary patch literal 3368 zcmZ`*c|6qX8vl)yEiuK|_bm=HmN3KEN7n4JXB~`X#xgZhjD3w{i^(BLkv&P0Em_LG z6*ZQM2HBUQ43|3h-1GU|d*9FJ-Ja+9KHK;G<4rU((PL)hW&{9$*+3sht3bT zo!6&{Ijy5@R#PaP+L|CNOrzvthH5jHl!v^Eiq$d){iNkWWd>FYN=f~U5bIwGZ~VFZ znhF&yf`(=tvPKWm_{lAPk&^g^|Fm zhV9jjLKe-DuTGl_wg>w^iR@QT*}OUdFzUi1Mcf{WT<0EwKGn=&0Ho+@zE<|K83!}J zOwzuu8RPH}fyr)sfN;$gQ&0!H=F_*(0j8ccF$MtUIM^Pd%8;n@K*;YkWo?JvlyVs@ zQ46PE)f|^r3+p&npgVr{BP=j|AEKbeozY>KzTpQ`i2D91krq=vc0dW-!x@;K8JHW? z&CHYDV$!*owGeFN1QtYxYX@}mZo(Dz74oFNCFi+6?N-31BBZN;g{dbqtq7CZUD@J5 z`CM?Yv?EwNWq|!^{D7R%j@oUwV!BXY58BY(Q$i0l5D0-ug{111egsX2A&ajR!j0{N z?+xm`cYi()3tP{zIOv_F*TCE?U#$z&l^f=UJHl|Ke+o!$gFQm^KQj$$7w?nLIhQ(R zvO_2DB);&Q{vKyIAQ3w!pwiXK5hEzz%u4?P#Jm&j;&QAUB$Cl675p4Dz#cWGeaRw7 zJSCDW2u*qI<&ZN}E>kfN7*BUibWvCKd)1;d*Qfonj6n2Uw15s3TdRA854G`ToWZ`;E&%L!T)EAEkcl6}z)4fp%DDrG3(>#SVoP8w z)wWMl_h7Ws!FRK7#L*PWo`odErwgi!#=X_PQ%F<7DHVT8>+;~hAlJMwo^LUdU-Q@? 
z{TAfM$s!l|a(ds^6Kga%rxa!YIL#$Si8ihPr938Fe9w&34k!7fa}4ffQ#Eb)@tZ|J zQjEoUOi`~nK2t)9mOb7O#bEx`e7D5Hiv1C2EN&4sscT?XRATBaO-g!D*f-Sgt$`OM zrSxl7>2cia8PXf`V7?7 zdqP98oLa_0SkY`SPl8Rt&BRrG(ezWVZ#_wPB{G-xMqfhzo&K@=rXI&1GfZT>h>;e@ zNeGD7X9%QCo1bMnmZU0{nr<**Qd;DA4_SOYv+#{=w=5bi&*LHGK|-%|zsMHrUhI+g zxc%C*C;Lr)dXt!{lwO)b+GeKv>x$cDX{sXcV9HR_ton48Tc)>RnHo|=r~OzOlQzvZ zhsdI|GP8;R1J|^qdy5uorGAT^KFr&Um-WGA-X+~u#^%yy$jb2w_=Ed*J<8aMpBR>E zFXW}8xQhMm_F9=(LM_xw$q)Cg=651Hkt;9!H@Uw|<|-G;J9jw6mZet>mkgI}*kwIf ztROvlZds?hoycw9hw{Jm-ms49V>5c5@<%@*e;~g=<6w3#ezE#_Vrb3}?rooK=yo9U z1!iaF$j(bCM%+cDH>4GkBuR`!QPg`H5Z}UgxMiWOT?vIpgqHdQMy}K|fGqgO&H!?EJH0)4jQ}x}f;I8RA)3?(_)1?}& zF5ayE)nj)%W?~DIghpgPR8OtdfIGVT&bF7lna`Jdn}f~sc`>l_l)=xP8 zsZMz=cST`Yu001qTJL+*`=jsmmy?^)o1vQ^CUml9@&$+tq>5u+Cc&XPSc?*c%f6D0 z$yUt1S?}2IKDIPSBh9~)Q#XmbHl6Cj;ZZ+U*}hWN z6x}q~+!p>yYd~nKaJaCbQlF)mW4H?8#;eAw49~y3H|w#Qxqu&DF!c(iSW$}lVGwTU zEVSGXK7a4?%OJ$8aA0vmXCps8>lvo8hWv<}-|+Q$Fxhu9o~!c)Tc=#7FN+aNpyL&;mJU)oI1%<#5gxpykhSsxhHUy~jbHRBwI(9-SFEi;DlmJ9TI>Q zn|Iu!xL$PiZC7b8{n*ofGme=_>-fE) z9auT*MRs3gWUg7RZ09$RRo9kJ&w>r%B90tbIRbo0tOmZWn{G5*dHwd z-gog1*qr7Yl#l-6$I;R!^G`bQ*F&%W;A*DP$Rb{i{gPz;M=0%sC}gB)yQDjzGe=g_ z_Kzr(k#0q9QuoY=n9^w+n8l;P)7m4 z?!B*aC7*4VEx}vuiMnf8*NI8y2A;T}>%pmhqFCd}ov-3O7dq}t;Zmo_*=4uxWT-yt zAQ*+^8|TYb5z98;9@Dr>oS_aj^?81n@}J&7>?$)#GZ`{9vpr_Q?RjszPu#TpaHgKX zF~PAs9XZ)HJybv9Pr2o``)TP@o0C=}$;ex5S8SC4n+|IleY(}k|A~K{-@wkr?(3zd zCe?4@lBUqrinS8&a;qxxMMTZb+SUH>?^I^GbEnvNcdn-q*7k*_b^5GNSQn3tFP1M- z6wMX?)EFW@Dzh$=DWQhu5N(4*m%8Uv;-5b+TGUHk{1_TY?XD5)!U}v>nR@Rs6;NW{ zP%}dd7gAr}pzIXWnk+aDUH!C6-n8U+47*X!^j;4p?!>!fJGDM<(OZ1&Hiy$n^XY)O_tphv zw^g|Q;xU5L^`R;33A4b@eiFc@|=fl-+OD`daUCaF) zjh6^jQ|?oZ6FlS(BODWi7NSARtU6^snGVA;h3pN5@1CW|eF@w@(;!i7I#zIz>bd7o z^y*R&w$=CUSG%2Bz38Pjo0jD81NqFKc^fbAw!Y6+Vz-lPMbt&=ouT1~EyFdRpmVD% zyBbo?JWcA}-nBxBXZ!$9=sw|7dY-R=tugoq8LHUA_CY(dMVLb26_OX zp}|<$;%zS&tGMI*p{^b{H#9WFKj83l3joLvmBXVy8t*C?;_rtIRtZrP{$-(Zcs>%t zgav<@;CfnOVf{M^{P+4JhMnOSAWRQoaiUsQYU+}}5ny@z>AD{w*5eNh* 
zK>>;j@`A}B5D1v8JWO6*=FmbW_$n6f8X|)Y7WwVu-+oZ&VD}(Q03L(G3Lg1&b;Di8 zs|gDq1^RpZ&J!Ji`A;Nl@Ly#e76?1iz~rE^u>S?aV?6&4>`3z)_N%Vn;gCnpRLn3T zXg@m?#vhFhK1@wrP6_!d%6}>TljlExw*L?K55+%#M|r5224T>LEjnt1x*QVrU$VdK zk+7pK{iAEYDfuNm&GFZ*O;#c!Ci)b3C-oUXR(u jg_AjYNESfHMVit96Ya-#!dax_j^2oYt_iAA+a>B>-**I5 literal 0 HcmV?d00001 diff --git a/templates/terraform/examples/storage_object_access_control_public_object.tf.erb b/templates/terraform/examples/storage_object_access_control_public_object.tf.erb index 84179bd9c937..c379d667dc48 100644 --- a/templates/terraform/examples/storage_object_access_control_public_object.tf.erb +++ b/templates/terraform/examples/storage_object_access_control_public_object.tf.erb @@ -12,5 +12,5 @@ resource "google_storage_bucket" "bucket" { resource "google_storage_bucket_object" "object" { name = "<%= ctx[:vars]['object_name'] %>" bucket = "${google_storage_bucket.bucket.name}" - source = "../static/img/header-logo.jpg" + source = "../static/img/header-logo.png" } From 743939398ebc36efc60ddcaadbfef36693352a55 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Mon, 29 Oct 2018 08:48:54 -0700 Subject: [PATCH 3/5] Update complementary docs. --- .../website/docs/r/storage_default_object_acl.html.markdown | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/provider/terraform/website/docs/r/storage_default_object_acl.html.markdown b/provider/terraform/website/docs/r/storage_default_object_acl.html.markdown index 9295575f9cc1..413715d37307 100644 --- a/provider/terraform/website/docs/r/storage_default_object_acl.html.markdown +++ b/provider/terraform/website/docs/r/storage_default_object_acl.html.markdown 
@@ -14,12 +14,14 @@ without managing the bucket itself. -> Note that for each object, its creator will have the `"OWNER"` role in addition to the default ACL that has been defined. - For more information see [the official documentation](https://cloud.google.com/storage/docs/access-control/lists) and [API](https://cloud.google.com/storage/docs/json_api/v1/defaultObjectAccessControls). +-> Want fine-grained control over default object ACLs? Use `google_storage_default_object_access_control` +to control individual role entity pairs. + ## Example Usage Example creating a default object ACL on a bucket with one owner, and one reader. From 41d1fd52d10a676653bb6d353b7da42046abb662 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Mon, 29 Oct 2018 13:48:03 -0700 Subject: [PATCH 4/5] Fix filetype --- provider/terraform/custom_code.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider/terraform/custom_code.rb b/provider/terraform/custom_code.rb index c61673f97600..0595f2bd3469 100644 --- a/provider/terraform/custom_code.rb +++ b/provider/terraform/custom_code.rb @@ -153,7 +153,7 @@ def substitute_test_paths(config) end def substitute_example_paths(config) - config = config.gsub('../static/img/header-logo.jpg', '../static/header-logo.png') + config = config.gsub('../static/img/header-logo.png', '../static/header-logo.png') config = config.gsub('path/to/private.key', '../static/ssl_cert/test.key') config.gsub('path/to/certificate.crt', '../static/ssl_cert/test.crt') end From 1ba53124da762cc203baa6654b28faf016a19565 Mon Sep 17 00:00:00 2001 From: Modular Magician Date: Tue, 30 Oct 2018 01:19:13 +0000 Subject: [PATCH 5/5] Update tracked submodules -> HEAD on Tue Oct 30 01:19:13 UTC 2018 Tracked submodules are build/terraform-beta build/terraform build/ansible build/inspec. --- build/terraform | 2 +- build/terraform-beta | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/build/terraform b/build/terraform
index 6124c20db77a..c3764b2898f0 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit 6124c20db77a1bbcbe9cd323291d5dc6cc683ec6
+Subproject commit c3764b2898f0d1af9d61793a1505c976217c026f
diff --git a/build/terraform-beta b/build/terraform-beta
index f05c534b087c..896d3d5e562a 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit f05c534b087c996ea4e1857e8c5314f51af2763f
+Subproject commit 896d3d5e562a421f4fa60ff539e27780bfe0082f