Add descriptions to Terraform schema

google-beta/resource_access_context_manager_access_level.go

@@ -47,93 +47,140 @@ func resourceAccessContextManagerAccessLevel() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
+				Description: `Resource name for the Access Level. The short_name component must begin
+with a letter and only include alphanumeric and '_'.
+Format: accessPolicies/{policy_id}/accessLevels/{short_name}`,
 			},
 			"parent": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
+				Description: `The AccessPolicy this AccessLevel lives in.
+Format: accessPolicies/{policy_id}`,
 			},
 			"title": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `Human readable title. Must be unique within the Policy.`,
 			},
 			"basic": {
-				Type:     schema.TypeList,
-				Optional: true,
-				MaxItems: 1,
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `A set of predefined conditions for the access level and a combining function.`,
+				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"conditions": {
-							Type:     schema.TypeList,
-							Required: true,
-							MinItems: 1,
+							Type:        schema.TypeList,
+							Required:    true,
+							Description: `A set of requirements for the AccessLevel to be granted.`,
+							MinItems:    1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"device_policy": {
 										Type:     schema.TypeList,
 										Optional: true,
+										Description: `Device specific restrictions, all restrictions must hold for
+the Condition to be true. If not specified, all devices are
+allowed.`,
 										MaxItems: 1,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
 												"allowed_device_management_levels": {
 													Type:     schema.TypeList,
 													Optional: true,
+													Description: `A list of allowed device management levels.
+An empty list allows all management levels.`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},
 												},
 												"allowed_encryption_statuses": {
 													Type:     schema.TypeList,
 													Optional: true,
+													Description: `A list of allowed encryptions statuses.
+An empty list allows all statuses.`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},
 												},
 												"os_constraints": {
 													Type:     schema.TypeList,
 													Optional: true,
+													Description: `A list of allowed OS versions.
+An empty list allows all types and all versions.`,
 													Elem: &schema.Resource{
 														Schema: map[string]*schema.Schema{
 															"minimum_version": {
 																Type:     schema.TypeString,
 																Optional: true,
+																Description: `The minimum allowed OS version. If not set, any version
+of this OS satisfies the constraint.
+Format: "major.minor.patch" such as "10.5.301", "9.2.1".`,
 															},
 															"os_type": {
 																Type:         schema.TypeString,
 																Optional:     true,
 																ValidateFunc: validation.StringInSlice([]string{"OS_UNSPECIFIED", "DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX", "DESKTOP_CHROME_OS", ""}, false),
+																Description:  `The operating system type of the device.`,
 															},
 														},
 													},
 												},
 												"require_screen_lock": {
 													Type:     schema.TypeBool,
 													Optional: true,
+													Description: `Whether or not screenlock is required for the DevicePolicy
+to be true. Defaults to false.`,
 												},
 											},
 										},
 									},
 									"ip_subnetworks": {
 										Type:     schema.TypeList,
 										Optional: true,
+										Description: `A list of CIDR block IP subnetwork specification. May be IPv4
+or IPv6.
+Note that for a CIDR IP address block, the specified IP address
+portion must be properly truncated (i.e. all the host bits must
+be zero) or the input is considered malformed. For example,
+"192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
+for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
+is not. The originating IP of a request must be in one of the
+listed subnets in order for this Condition to be true.
+If empty, all IP addresses are allowed.`,
 										Elem: &schema.Schema{
 											Type: schema.TypeString,
 										},
 									},
 									"members": {
 										Type:     schema.TypeList,
 										Optional: true,
+										Description: `An allowed list of members (users, groups, service accounts).
+The signed-in user originating the request must be a part of one
+of the provided members. If not specified, a request may come
+from any user (logged in/not logged in, not present in any
+groups, etc.).
+Formats: 'user:{emailid}', 'group:{emailid}', 'serviceAccount:{emailid}'`,
 										Elem: &schema.Schema{
 											Type: schema.TypeString,
 										},
 									},
 									"negate": {
 										Type:     schema.TypeBool,
 										Optional: true,
+										Description: `Whether to negate the Condition. If true, the Condition becomes
+a NAND over its non-empty fields, each field must be false for
+the Condition overall to be satisfied. Defaults to false.`,
 									},
 									"required_access_levels": {
 										Type:     schema.TypeList,
 										Optional: true,
+										Description: `A list of other access levels defined in the same Policy,
+referenced by resource name. Referencing an AccessLevel which
+does not exist is an error. All access levels listed must be
+granted for the Condition to be true.
+Format: accessPolicies/{policy_id}/accessLevels/{short_name}`,
 										Elem: &schema.Schema{
 											Type: schema.TypeString,
 										},
@@ -145,14 +192,20 @@ func resourceAccessContextManagerAccessLevel() *schema.Resource {
 							Type:         schema.TypeString,
 							Optional:     true,
 							ValidateFunc: validation.StringInSlice([]string{"AND", "OR", ""}, false),
-							Default:      "AND",
+							Description: `How the conditions list should be combined to determine if a request
+is granted this AccessLevel. If AND is used, each Condition in
+conditions must be satisfied for the AccessLevel to be applied. If
+OR is used, at least one Condition in conditions must be satisfied
+for the AccessLevel to be applied. Defaults to AND if unspecified.`,
+							Default: "AND",
 						},
 					},
 				},
 			},
 			"description": {
-				Type:     schema.TypeString,
-				Optional: true,
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `Description of the AccessLevel and its use. Does not affect behavior.`,
 			},
 		},
 	}

google-beta/resource_access_context_manager_access_policy.go

@@ -46,22 +46,28 @@ func resourceAccessContextManagerAccessPolicy() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
+				Description: `The parent of this AccessPolicy in the Cloud Resource Hierarchy.
+Format: organizations/{organization_id}`,
 			},
 			"title": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `Human readable title. Does not affect behavior.`,
 			},
 			"create_time": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `Time the AccessPolicy was created in UTC.`,
 			},
 			"name": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `Resource name of the AccessPolicy. Format: {policy_id}`,
 			},
 			"update_time": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `Time the AccessPolicy was updated in UTC.`,
 			},
 		},
 	}

google-beta/resource_access_context_manager_service_perimeter.go

@@ -47,50 +47,95 @@ func resourceAccessContextManagerServicePerimeter() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
+				Description: `Resource name for the ServicePerimeter. The short_name component must
+begin with a letter and only include alphanumeric and '_'.
+Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}`,
 			},
 			"parent": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
+				Description: `The AccessPolicy this ServicePerimeter lives in.
+Format: accessPolicies/{policy_id}`,
 			},
 			"title": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `Human readable title. Must be unique within the Policy.`,
 			},
 			"description": {
 				Type:     schema.TypeString,
 				Optional: true,
+				Description: `Description of the ServicePerimeter and its use. Does not affect
+behavior.`,
 			},
 			"perimeter_type": {
 				Type:         schema.TypeString,
 				Optional:     true,
 				ForceNew:     true,
 				ValidateFunc: validation.StringInSlice([]string{"PERIMETER_TYPE_REGULAR", "PERIMETER_TYPE_BRIDGE", ""}, false),
-				Default:      "PERIMETER_TYPE_REGULAR",
+				Description: `Specifies the type of the Perimeter. There are two types: regular and
+bridge. Regular Service Perimeter contains resources, access levels,
+and restricted services. Every resource can be in at most
+ONE regular Service Perimeter.
+
+In addition to being in a regular service perimeter, a resource can also
+be in zero or more perimeter bridges. A perimeter bridge only contains
+resources. Cross project operations are permitted if all effected
+resources share some perimeter (whether bridge or regular). Perimeter
+Bridge does not contain access levels or services: those are governed
+entirely by the regular perimeter that resource is in.
+
+Perimeter Bridges are typically useful when building more complex
+topologies with many independent perimeters that need to share some data
+with a common perimeter, but should not be able to share data among
+themselves.`,
+				Default: "PERIMETER_TYPE_REGULAR",
 			},
 			"status": {
 				Type:     schema.TypeList,
 				Optional: true,
+				Description: `ServicePerimeter configuration. Specifies sets of resources,
+restricted services and access levels that determine
+perimeter content and boundaries.`,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"access_levels": {
 							Type:     schema.TypeList,
 							Optional: true,
+							Description: `A list of AccessLevel resource names that allow resources within
+the ServicePerimeter to be accessed from the internet.
+AccessLevels listed must be in the same policy as this
+ServicePerimeter. Referencing a nonexistent AccessLevel is a
+syntax error. If no AccessLevel names are listed, resources within
+the perimeter can only be accessed via GCP calls with request
+origins within the perimeter. For Service Perimeter Bridge, must
+be empty.
+
+Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},
 						},
 						"resources": {
 							Type:     schema.TypeList,
 							Optional: true,
+							Description: `A list of GCP resources that are inside of the service perimeter.
+Currently only projects are allowed.
+Format: projects/{project_number}`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},
 						},
 						"restricted_services": {
 							Type:     schema.TypeList,
 							Optional: true,
+							Description: `GCP services that are subject to the Service Perimeter
+restrictions. Must contain a list of services. For example, if
+'storage.googleapis.com' is specified, access to the storage
+buckets inside the perimeter must meet the perimeter's access
+restrictions.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},
@@ -99,12 +144,14 @@ func resourceAccessContextManagerServicePerimeter() *schema.Resource {
 				},
 			},
 			"create_time": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `Time the AccessPolicy was created in UTC.`,
 			},
 			"update_time": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `Time the AccessPolicy was updated in UTC.`,
 			},
 		},
 	}

google-beta/resource_app_engine_application_url_dispatch_rules.go

@@ -43,22 +43,29 @@ func resourceAppEngineApplicationUrlDispatchRules() *schema.Resource {
 
 		Schema: map[string]*schema.Schema{
 			"dispatch_rules": {
-				Type:     schema.TypeList,
-				Required: true,
+				Type:        schema.TypeList,
+				Required:    true,
+				Description: `Rules to match an HTTP request and dispatch that request to a service.`,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"path": {
 							Type:     schema.TypeString,
 							Required: true,
+							Description: `Pathname within the host. Must start with a "/". A single "*" can be included at the end of the path.
+The sum of the lengths of the domain and path may not exceed 100 characters.`,
 						},
 						"service": {
 							Type:     schema.TypeString,
 							Required: true,
+							Description: `Pathname within the host. Must start with a "/". A single "*" can be included at the end of the path.
+The sum of the lengths of the domain and path may not exceed 100 characters.`,
 						},
 						"domain": {
 							Type:     schema.TypeString,
 							Optional: true,
-							Default:  "*",
+							Description: `Domain name to match against. The wildcard "*" is supported if specified before a period: "*.".
+Defaults to matching all domains: "*".`,
+							Default: "*",
 						},
 					},
 				},