generate compute instance and subnetwork iam (GoogleCloudPlatform#2647)

Merged PR GoogleCloudPlatform#2647.
emilymye · Nov 12, 2019 · bf5e882 · bf5e882
1 parent 614f406
commit bf5e882
Show file tree

Hide file tree

Showing 14 changed files with 74 additions and 887 deletions.
diff --git a/build/terraform b/build/terraform
diff --git a/build/terraform-beta b/build/terraform-beta
diff --git a/products/compute/terraform.yaml b/products/compute/terraform.yaml
@@ -857,7 +857,18 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       insert_minutes: 6
       update_minutes: 6
       delete_minutes: 6
-    exclude: true
+    iam_policy: !ruby/object:Api::Resource::IamPolicy
+      allowed_iam_role: 'roles/compute.osLogin'
+      parent_resource_attribute: 'instance_name'
+      iam_conditions_request_type: :QUERY_PARAM
+    exclude_resource: true
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "instance_basic"
+        primary_resource_id: "default"
+        vars:
+          instance_name: "my-instance"
+        primary_resource_name: "fmt.Sprintf(\"my-instance%s\", context[\"random_suffix\"])"
   InstanceGroup: !ruby/object:Overrides::Terraform::ResourceOverride
     exclude: true
   InstanceGroupManager: !ruby/object:Overrides::Terraform::ResourceOverride
@@ -1663,6 +1674,9 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       update_minutes: 6
       delete_minutes: 6
     id_format: "{{region}}/{{name}}"
+    iam_policy: !ruby/object:Api::Resource::IamPolicy
+      allowed_iam_role: 'roles/compute.networkUser'
+      parent_resource_attribute: 'subnetwork'
     properties:
       id: !ruby/object:Overrides::Terraform::PropertyOverride
         exclude: true
@@ -1713,6 +1727,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         vars:
           subnetwork_name: "test-subnetwork"
           network_name: "test-network"
+        primary_resource_name: "fmt.Sprintf(\"test-subnetwork%s\", context[\"random_suffix\"])"
       - !ruby/object:Provider::Terraform::Examples
         name: "subnetwork_logging_config"
         primary_resource_id: "subnet-with-logging"

diff --git a/products/iap/terraform.yaml b/products/iap/terraform.yaml
@@ -71,7 +71,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       exclude: false
       method_name_separator: ':'
       parent_resource_type: 'google_app_engine_standard_app_version'
-      parent_resource_attribute: 'version'
+      parent_resource_attribute: 'version_id'
       fetch_iam_policy_verb: :POST
       allowed_iam_role: 'roles/iap.httpsResourceAccessor'
       example_config_body: 'templates/terraform/iam/example_config_body/app_engine_version.tf.erb'

diff --git a/templates/terraform/examples/instance_basic.tf.erb b/templates/terraform/examples/instance_basic.tf.erb
@@ -0,0 +1,15 @@
+resource "google_compute_instance" "<%= ctx[:primary_resource_id] %>" {
+  name         = "<%= ctx[:vars]['instance_name'] %>"
+  zone         = "<%= ctx[:vars]['zone_name'] %>"
+  machine_type = "n1-standard-1"
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-9"
+    }
+  }
+
+  network_interface {
+    network = "default"
+  }
+}
diff --git a/templates/terraform/iam_policy.go.erb b/templates/terraform/iam_policy.go.erb
@@ -29,7 +29,8 @@ import (
 <% resource_name = product_ns + object.name -%>
 <%
 resource_uri = object.self_link_url
-resource_params = extract_identifiers(resource_uri.gsub('{{name}}', "{{#{object.name.underscore}}}"))
+parent_resource_name = object.iam_policy.parent_resource_attribute || object.name.underscore
+resource_params = extract_identifiers(resource_uri.gsub('{{name}}', "{{#{parent_resource_name}}}"))
 -%>
 
 var <%= resource_name -%>IamSchema = map[string]*schema.Schema{
@@ -88,7 +89,7 @@ func <%= resource_name -%>IamUpdaterProducer(d *schema.ResourceData, config *Con
 <% end # resource_params.each -%>
 
 	// We may have gotten either a long or short name, so attempt to parse long name if possible
-	m, err := getImportIdQualifiers([]string{"<%= import_id_formats(object).map{|s| format2regex s}.map{|s| s.gsub('<name>', "<#{object.name.underscore}>")}.join('","') -%>"}, d, config, d.Get("<%= resource_params.last.underscore -%>").(string))
+	m, err := getImportIdQualifiers([]string{"<%= import_id_formats(object).map{|s| format2regex s}.map{|s| s.gsub('<name>', "<#{object.name.underscore}>")}.join('","') -%>"}, d, config, d.Get("<%= parent_resource_name -%>").(string))
 	if err != nil {
 		return nil, err
 	}
@@ -112,7 +113,7 @@ func <%= resource_name -%>IamUpdaterProducer(d *schema.ResourceData, config *Con
 	d.Set("project", u.project)
 <% else -%>
 <%# Set the last parameter as the long name (unless it is project) -%>
-	d.Set("<%= resource_params.last.underscore -%>", u.GetResourceId())
+	d.Set("<%= parent_resource_name -%>", u.GetResourceId())
 <% end -%>
 <% else -%>
 	d.Set("<%= param.underscore -%>", u.<%= param.camelize(:lower) -%>)
@@ -157,7 +158,7 @@ func <%= resource_name -%>IdParseFunc(d *schema.ResourceData, config *Config) er
 	d.Set("project", u.project)
 <% else -%>
 <%# Set resource long name in state, this has all the information that we need to identify it -%>
-	d.Set("<%= resource_params.last.underscore -%>", u.GetResourceId())
+	d.Set("<%= parent_resource_name -%>", u.GetResourceId())
 <% end -%>
 	d.SetId(u.GetResourceId())
 	return nil
@@ -177,7 +178,7 @@ func (u *<%= resource_name -%>IamUpdater) GetResourceIamPolicy() (*cloudresource
 <%   if object.iam_policy.iam_conditions_request_type == :QUERY_PARAM -%>
 	url, err = addQueryParams(url, map[string]string{"optionsRequestedPolicyVersion": fmt.Sprintf("%d", iamPolicyVersion)})
 	if err != nil {
-		return err
+		return nil, err
 	}
 <%   elsif object.iam_policy.iam_conditions_request_type == :REQUEST_BODY -%>
 	obj = map[string]interface{}{
@@ -236,7 +237,7 @@ func (u *<%= resource_name -%>IamUpdater) qualify<%= object.name -%>Url(methodId
 }
 
 func (u *<%= resource_name -%>IamUpdater) GetResourceId() string {
-	return fmt.Sprintf("<%= object.id_format.gsub('{{name}}', "{{#{object.name.underscore}}}").gsub(/({{)(\w+)(}})/, '%s') -%>", <%= string_qualifiers -%>)
+	return fmt.Sprintf("<%= import_url -%>", <%= string_qualifiers -%>)
 }
 
 func (u *<%= resource_name -%>IamUpdater) GetMutexKey() string {

diff --git a/templates/terraform/resource_iam.html.markdown.erb b/templates/terraform/resource_iam.html.markdown.erb
@@ -188,7 +188,11 @@ The following arguments are supported:
 
 <% url_properties.each do |param| -%>
 <% if param.name == "name" -%>
-* `<%= object.name.underscore -%>` - (Required) Used to find the parent resource to bind the IAM policy to
+* `<%= object.iam_policy.parent_resource_attribute || object.name.underscore -%>` - (Required) Used to find the parent resource to bind the IAM policy to
+<% elsif ["region", "zone"].include?(param.name.underscore) -%>
+* `<%= param.name.underscore -%>` - (Optional) <%= param.description -%> Used to find the parent resource to bind the IAM policy to. If not specified,
+  the value will be parsed from the identifier of the parent resource. If no <%= param.name.underscore -%> is provided in the parent identifier and no
+  <%= param.name.underscore -%> is specified, it is taken from the provider configuration.
 <% else -%>
 * `<%= param.name.underscore -%>` - (Required) <%= param.description -%> Used to find the parent resource to bind the IAM policy to
 <% end -%>
@@ -243,14 +247,29 @@ exported:
 
 ## Import
 
-<%= product_ns -%> <%= object.name.downcase -%> IAM resources can be imported using the project, resource identifiers, role and member.
+For all import syntaxes, the "resource in question" can take any of the following forms:
 
+<% import_id_formats(object).each do |id_format| -%>
+* <%= id_format %>
+<% end -%>
+
+Any variables not passed in the import command will be taken from the provider configuration.
+
+<%= product_ns -%> <%= object.name.downcase -%> IAM resources can be imported using the resource identifiers, role, and member.
+
+IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.
+```
+$ terraform import <% if object.min_version.name == 'beta' %>-provider=google-beta <% end -%><%= resource_ns_iam -%>_member.editor "<%= object.id_format.gsub('{{name}}', "{{#{object.name.underscore}}}") -%> <%= object.iam_policy.allowed_iam_role -%> [email protected]"
 ```
-$ terraform import <%= resource_ns_iam -%>_policy.editor <%= object.id_format.gsub('{{name}}', "{{#{object.name.underscore}}}") %>
 
+IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.
+```
 $ terraform import <%= resource_ns_iam -%>_binding.editor "<%= object.id_format.gsub('{{name}}', "{{#{object.name.underscore}}}") -%> <%= object.iam_policy.allowed_iam_role -%>"
+```
 
-$ terraform import <%= resource_ns_iam -%>_member.editor "<%= object.id_format.gsub('{{name}}', "{{#{object.name.underscore}}}") -%> <%= object.iam_policy.allowed_iam_role -%> [email protected]"
+IAM policy imports use the identifier of the resource in question, e.g.
+```
+$ terraform import <% if object.min_version.name == 'beta' %>-provider=google-beta <% end -%><%= resource_ns_iam -%>_policy.editor <%= object.id_format.gsub('{{name}}', "{{#{object.name.underscore}}}") %>
 ```
 
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`

diff --git a/third_party/terraform/resources/iam_compute_instance.go b/third_party/terraform/resources/iam_compute_instance.go