Make binding optional for iam_policy data source

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Sep 24, 2019 · 6d6e792 · 6d6e792
1 parent 2bab40c
commit 6d6e792
Show file tree

Hide file tree

Showing 9 changed files with 268 additions and 1 deletion.
diff --git a/google/data_source_google_iam_policy.go b/google/data_source_google_iam_policy.go
@@ -28,7 +28,9 @@ func dataSourceGoogleIamPolicy() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			"binding": {
 				Type:     schema.TypeSet,
-				Required: true,
+				// Binding is optional because a user may want to set an IAM policy with no bindings
+				// This allows users to ensure that no bindings were created outside of terraform
+				Optional: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"role": {

diff --git a/google/iam_cloud_functions_cloud_function_generated_test.go b/google/iam_cloud_functions_cloud_function_generated_test.go
@@ -107,6 +107,15 @@ func TestAccCloudFunctionsCloudFunctionIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_cloudfunctions_function_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/locations/%s/functions/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("my-function%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -187,6 +196,43 @@ resource "google_cloudfunctions_function_iam_policy" "foo" {
 `, context)
 }
 
+func testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_storage_bucket" "bucket" {
+  name = "tf-cloudfunctions-function-example-bucket%{random_suffix}"
+}
+
+resource "google_storage_bucket_object" "archive" {
+  name   = "index.zip"
+  bucket = "${google_storage_bucket.bucket.name}"
+  source = "%{zip_path}"
+}
+
+resource "google_cloudfunctions_function" "function" {
+  name                  = "my-function%{random_suffix}"
+  description           = "My function"
+  runtime               = "nodejs10"
+
+  available_memory_mb   = 128
+  source_archive_bucket = "${google_storage_bucket.bucket.name}"
+  source_archive_object = "${google_storage_bucket_object.archive.name}"
+  trigger_http          = true
+  timeout               = 60
+  entry_point           = "helloGET"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_cloudfunctions_function_iam_policy" "foo" {
+	project = "${google_cloudfunctions_function.function.project}"
+	region = "${google_cloudfunctions_function.function.region}"
+	cloud_function = "${google_cloudfunctions_function.function.name}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccCloudFunctionsCloudFunctionIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_storage_bucket" "bucket" {

diff --git a/google/iam_iap_web_backend_service_generated_test.go b/google/iam_iap_web_backend_service_generated_test.go
@@ -104,6 +104,15 @@ func TestAccIapWebBackendServiceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebBackendServiceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_backend_service_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/compute/services/%s", getTestProjectFromEnv(), fmt.Sprintf("backend-service%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -160,6 +169,31 @@ resource "google_iap_web_backend_service_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebBackendServiceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_backend_service" "default" {
+  name          = "backend-service%{random_suffix}"
+  health_checks = ["${google_compute_http_health_check.default.self_link}"]
+}
+
+resource "google_compute_http_health_check" "default" {
+  name               = "health-check%{random_suffix}"
+  request_path       = "/"
+  check_interval_sec = 1
+  timeout_sec        = 1
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_backend_service_iam_policy" "foo" {
+	project = "${google_compute_backend_service.default.project}"
+	web_backend_service = "${google_compute_backend_service.default.name}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebBackendServiceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_backend_service" "default" {

diff --git a/google/iam_iap_web_generated_test.go b/google/iam_iap_web_generated_test.go
@@ -107,6 +107,15 @@ func TestAccIapWebIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web", fmt.Sprintf("tf-test%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -159,6 +168,29 @@ resource "google_iap_web_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "project" {
+	project_id = "tf-test%{random_suffix}"
+	name = "tf-test%{random_suffix}"
+	org_id = "%{org_id}"
+}
+
+resource "google_project_service" "project_service" {
+	project = "${google_project.project.project_id}"
+	service = "iap.googleapis.com"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_iam_policy" "foo" {
+	project = "${google_project_service.project_service.project}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "project" {

diff --git a/google/iam_iap_web_type_app_engine_generated_test.go b/google/iam_iap_web_type_app_engine_generated_test.go
@@ -110,6 +110,15 @@ func TestAccIapWebTypeAppEngineIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebTypeAppEngineIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_type_app_engine_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/appengine-%s", context["project_id"], context["project_id"]),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -174,6 +183,35 @@ resource "google_iap_web_type_app_engine_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebTypeAppEngineIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "my_project" {
+	name       = "%{project_id}"
+	project_id = "%{project_id}"
+	org_id     = "%{org_id}"
+}
+
+resource "google_project_service" "project_service" {
+	project = "${google_project.my_project.project_id}"
+	service = "iap.googleapis.com"
+}
+
+resource "google_app_engine_application" "app" {
+	project     = "${google_project_service.project_service.project}"
+	location_id = "us-central"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_type_app_engine_iam_policy" "foo" {
+	project = "${google_app_engine_application.app.project}"
+	app_id = "${google_app_engine_application.app.app_id}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebTypeAppEngineIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "my_project" {

diff --git a/google/iam_iap_web_type_compute_generated_test.go b/google/iam_iap_web_type_compute_generated_test.go
@@ -107,6 +107,15 @@ func TestAccIapWebTypeComputeIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebTypeComputeIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_type_compute_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/compute", fmt.Sprintf("tf-test%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -159,6 +168,29 @@ resource "google_iap_web_type_compute_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebTypeComputeIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "project" {
+	project_id = "tf-test%{random_suffix}"
+	name = "tf-test%{random_suffix}"
+	org_id = "%{org_id}"
+}
+
+resource "google_project_service" "project_service" {
+	project = "${google_project.project.project_id}"
+	service = "iap.googleapis.com"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_type_compute_iam_policy" "foo" {
+	project = "${google_project_service.project_service.project}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebTypeComputeIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "project" {

diff --git a/google/iam_pubsub_topic_generated_test.go b/google/iam_pubsub_topic_generated_test.go
@@ -104,6 +104,15 @@ func TestAccPubsubTopicIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccPubsubTopicIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_pubsub_topic_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/topics/%s", getTestProjectFromEnv(), fmt.Sprintf("example-topic%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -152,6 +161,27 @@ resource "google_pubsub_topic_iam_policy" "foo" {
 `, context)
 }
 
+func testAccPubsubTopicIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_pubsub_topic" "example" {
+  name = "example-topic%{random_suffix}"
+
+  labels = {
+    foo = "bar"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_pubsub_topic_iam_policy" "foo" {
+	project = "${google_pubsub_topic.example.project}"
+	topic = "${google_pubsub_topic.example.name}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccPubsubTopicIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_pubsub_topic" "example" {

diff --git a/google/iam_runtime_config_config_generated_test.go b/google/iam_runtime_config_config_generated_test.go
@@ -104,6 +104,15 @@ func TestAccRuntimeConfigConfigIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccRuntimeConfigConfigIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_runtimeconfig_config_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/configs/%s", getTestProjectFromEnv(), fmt.Sprintf("my-config%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -146,6 +155,24 @@ resource "google_runtimeconfig_config_iam_policy" "foo" {
 `, context)
 }
 
+func testAccRuntimeConfigConfigIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_runtimeconfig_config" "config" {
+ 	name = "my-config%{random_suffix}"
+ 	description = "Runtime configuration values for my service"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_runtimeconfig_config_iam_policy" "foo" {
+	project = "${google_runtimeconfig_config.config.project}"
+	config = "${google_runtimeconfig_config.config.name}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccRuntimeConfigConfigIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_runtimeconfig_config" "config" {

diff --git a/google/iam_source_repo_repository_generated_test.go b/google/iam_source_repo_repository_generated_test.go
@@ -104,6 +104,15 @@ func TestAccSourceRepoRepositoryIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccSourceRepoRepositoryIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_sourcerepo_repository_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/repos/%s", getTestProjectFromEnv(), fmt.Sprintf("my-repository%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -144,6 +153,23 @@ resource "google_sourcerepo_repository_iam_policy" "foo" {
 `, context)
 }
 
+func testAccSourceRepoRepositoryIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_sourcerepo_repository" "my-repo" {
+  name = "my-repository%{random_suffix}"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_sourcerepo_repository_iam_policy" "foo" {
+	project = "${google_sourcerepo_repository.my-repo.project}"
+	repository = "${google_sourcerepo_repository.my-repo.name}"
+	policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccSourceRepoRepositoryIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_sourcerepo_repository" "my-repo" {