From 6d6e7922083807bbc93584f8c2667bbfb37a9dc1 Mon Sep 17 00:00:00 2001
From: Sam Levenick
Date: Tue, 24 Sep 2019 19:41:28 +0000
Subject: [PATCH] Make binding optional for iam_policy data source
Signed-off-by: Modular Magician
---
 google/data_source_google_iam_policy.go | 4 +-
 ...functions_cloud_function_generated_test.go | 46 +++++++++++++++++++
 ..._iap_web_backend_service_generated_test.go | 34 ++++++++++++++
 google/iam_iap_web_generated_test.go | 32 +++++++++++++
 ..._iap_web_type_app_engine_generated_test.go | 38 +++++++++++++++
 ...iam_iap_web_type_compute_generated_test.go | 32 +++++++++++++
 google/iam_pubsub_topic_generated_test.go | 30 ++++++++++++
 ...am_runtime_config_config_generated_test.go | 27 +++++++++++
 ...m_source_repo_repository_generated_test.go | 26 +++++++++++
 9 files changed, 268 insertions(+), 1 deletion(-)
diff --git a/google/data_source_google_iam_policy.go b/google/data_source_google_iam_policy.go
index a2dd6237ab0..8845d2af548 100644
--- a/google/data_source_google_iam_policy.go
+++ b/google/data_source_google_iam_policy.go
@@ -28,7 +28,9 @@ func dataSourceGoogleIamPolicy() *schema.Resource {
 Schema: map[string]*schema.Schema{
 "binding": {
 Type: schema.TypeSet,
- Required: true,
+ // Binding is optional because a user may want to set an IAM policy with no bindings
+ // This allows users to ensure that no bindings were created outside of terraform
+ Optional: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "role": {
diff --git a/google/iam_cloud_functions_cloud_function_generated_test.go b/google/iam_cloud_functions_cloud_function_generated_test.go
index 9967940063a..0ae5db2d691 100644
--- a/google/iam_cloud_functions_cloud_function_generated_test.go
+++ b/google/iam_cloud_functions_cloud_function_generated_test.go
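Review bot: The new comment on `binding` in data_source_google_iam_policy.go says why an empty policy is allowed but not what it does when applied: a `google_iam_policy` with no `binding` blocks, passed as `policy_data` to an authoritative `*_iam_policy` resource, replaces the whole policy and so removes every existing binding on the target. With `Required: true` gone, a configuration that loses its bindings by mistake is no longer rejected at validation and will plan as a full revocation. I would extend the comment with something like `// An empty policy applied through a *_iam_policy resource removes all existing bindings on the target.` and repeat that warning in the data source's user-facing documentation, which is not part of the patch as shown. The body of dataSourceGoogleIamPolicy starts and ends outside the hunk, so how the read path treats an unset set cannot be checked from here.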
@@ -107,6 +107,15 @@ func TestAccCloudFunctionsCloudFunctionIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_cloudfunctions_function_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/locations/%s/functions/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("my-function%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } @@ -187,6 +196,43 @@ resource "google_cloudfunctions_function_iam_policy" "foo" { `, context) } +func testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_storage_bucket" "bucket" { + name = "tf-cloudfunctions-function-example-bucket%{random_suffix}" +} + +resource "google_storage_bucket_object" "archive" { + name = "index.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "%{zip_path}" +} + +resource "google_cloudfunctions_function" "function" { + name = "my-function%{random_suffix}" + description = "My function" + runtime = "nodejs10" + + available_memory_mb = 128 + source_archive_bucket = "${google_storage_bucket.bucket.name}" + source_archive_object = "${google_storage_bucket_object.archive.name}" + trigger_http = true + timeout = 60 + entry_point = "helloGET" +} + +data "google_iam_policy" "foo" { +} + +resource "google_cloudfunctions_function_iam_policy" "foo" { + project = "${google_cloudfunctions_function.function.project}" + region = "${google_cloudfunctions_function.function.region}" + cloud_function = "${google_cloudfunctions_function.function.name}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccCloudFunctionsCloudFunctionIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_storage_bucket" "bucket" { 
diff --git a/google/iam_iap_web_backend_service_generated_test.go b/google/iam_iap_web_backend_service_generated_test.go index 6bba31ed4b2..18bd2ea649c 100644 --- a/google/iam_iap_web_backend_service_generated_test.go +++ b/google/iam_iap_web_backend_service_generated_test.go @@ -104,6 +104,15 @@ func TestAccIapWebBackendServiceIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccIapWebBackendServiceIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_iap_web_backend_service_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/compute/services/%s", getTestProjectFromEnv(), fmt.Sprintf("backend-service%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } @@ -160,6 +169,31 @@ resource "google_iap_web_backend_service_iam_policy" "foo" { `, context) } +func testAccIapWebBackendServiceIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_compute_backend_service" "default" { + name = "backend-service%{random_suffix}" + health_checks = ["${google_compute_http_health_check.default.self_link}"] +} + +resource "google_compute_http_health_check" "default" { + name = "health-check%{random_suffix}" + request_path = "/" + check_interval_sec = 1 + timeout_sec = 1 +} + +data "google_iam_policy" "foo" { +} + +resource "google_iap_web_backend_service_iam_policy" "foo" { + project = "${google_compute_backend_service.default.project}" + web_backend_service = "${google_compute_backend_service.default.name}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccIapWebBackendServiceIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_compute_backend_service" "default" { diff --git a/google/iam_iap_web_generated_test.go b/google/iam_iap_web_generated_test.go index 67568adbc2d..fa3f3c80dd6 100644 --- a/google/iam_iap_web_generated_test.go 
+++ b/google/iam_iap_web_generated_test.go @@ -107,6 +107,15 @@ func TestAccIapWebIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccIapWebIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_iap_web_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web", fmt.Sprintf("tf-test%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } @@ -159,6 +168,29 @@ resource "google_iap_web_iam_policy" "foo" { `, context) } +func testAccIapWebIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "project" { + project_id = "tf-test%{random_suffix}" + name = "tf-test%{random_suffix}" + org_id = "%{org_id}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.project.project_id}" + service = "iap.googleapis.com" +} + +data "google_iam_policy" "foo" { +} + +resource "google_iap_web_iam_policy" "foo" { + project = "${google_project_service.project_service.project}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccIapWebIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_project" "project" { diff --git a/google/iam_iap_web_type_app_engine_generated_test.go b/google/iam_iap_web_type_app_engine_generated_test.go index 8127515cc03..7f5497a67bc 100644 --- a/google/iam_iap_web_type_app_engine_generated_test.go +++ b/google/iam_iap_web_type_app_engine_generated_test.go 
@@ -110,6 +110,15 @@ func TestAccIapWebTypeAppEngineIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccIapWebTypeAppEngineIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_iap_web_type_app_engine_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s", context["project_id"], context["project_id"]), + ImportState: true, + ImportStateVerify: true, + }, }, }) } @@ -174,6 +183,35 @@ resource "google_iap_web_type_app_engine_iam_policy" "foo" { `, context) } +func testAccIapWebTypeAppEngineIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.project_service.project}" + location_id = "us-central" +} + +data "google_iam_policy" "foo" { +} + +resource "google_iap_web_type_app_engine_iam_policy" "foo" { + project = "${google_app_engine_application.app.project}" + app_id = "${google_app_engine_application.app.app_id}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccIapWebTypeAppEngineIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_project" "my_project" { diff --git a/google/iam_iap_web_type_compute_generated_test.go b/google/iam_iap_web_type_compute_generated_test.go index 290a7a55769..e1ef0e585c3 100644 --- a/google/iam_iap_web_type_compute_generated_test.go +++ b/google/iam_iap_web_type_compute_generated_test.go 
@@ -107,6 +107,15 @@ func TestAccIapWebTypeComputeIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccIapWebTypeComputeIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_iap_web_type_compute_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/compute", fmt.Sprintf("tf-test%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } @@ -159,6 +168,29 @@ resource "google_iap_web_type_compute_iam_policy" "foo" { `, context) } +func testAccIapWebTypeComputeIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "project" { + project_id = "tf-test%{random_suffix}" + name = "tf-test%{random_suffix}" + org_id = "%{org_id}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.project.project_id}" + service = "iap.googleapis.com" +} + +data "google_iam_policy" "foo" { +} + +resource "google_iap_web_type_compute_iam_policy" "foo" { + project = "${google_project_service.project_service.project}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccIapWebTypeComputeIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_project" "project" { diff --git a/google/iam_pubsub_topic_generated_test.go b/google/iam_pubsub_topic_generated_test.go index 0f60901c920..6641c18764e 100644 --- a/google/iam_pubsub_topic_generated_test.go +++ b/google/iam_pubsub_topic_generated_test.go 
@@ -104,6 +104,15 @@ func TestAccPubsubTopicIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccPubsubTopicIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_pubsub_topic_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/topics/%s", getTestProjectFromEnv(), fmt.Sprintf("example-topic%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } @@ -152,6 +161,27 @@ resource "google_pubsub_topic_iam_policy" "foo" { `, context) } +func testAccPubsubTopicIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_pubsub_topic" "example" { + name = "example-topic%{random_suffix}" + + labels = { + foo = "bar" + } +} + +data "google_iam_policy" "foo" { +} + +resource "google_pubsub_topic_iam_policy" "foo" { + project = "${google_pubsub_topic.example.project}" + topic = "${google_pubsub_topic.example.name}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccPubsubTopicIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_pubsub_topic" "example" { diff --git a/google/iam_runtime_config_config_generated_test.go b/google/iam_runtime_config_config_generated_test.go index ce720dc7280..95be8888157 100644 --- a/google/iam_runtime_config_config_generated_test.go +++ b/google/iam_runtime_config_config_generated_test.go @@ -104,6 +104,15 @@ func TestAccRuntimeConfigConfigIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccRuntimeConfigConfigIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_runtimeconfig_config_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/configs/%s", getTestProjectFromEnv(), fmt.Sprintf("my-config%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } 
@@ -146,6 +155,24 @@ resource "google_runtimeconfig_config_iam_policy" "foo" { `, context) } +func testAccRuntimeConfigConfigIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_runtimeconfig_config" "config" { + name = "my-config%{random_suffix}" + description = "Runtime configuration values for my service" +} + +data "google_iam_policy" "foo" { +} + +resource "google_runtimeconfig_config_iam_policy" "foo" { + project = "${google_runtimeconfig_config.config.project}" + config = "${google_runtimeconfig_config.config.name}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccRuntimeConfigConfigIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_runtimeconfig_config" "config" { diff --git a/google/iam_source_repo_repository_generated_test.go b/google/iam_source_repo_repository_generated_test.go index a607939f28b..2b226800bba 100644 --- a/google/iam_source_repo_repository_generated_test.go +++ b/google/iam_source_repo_repository_generated_test.go @@ -104,6 +104,15 @@ func TestAccSourceRepoRepositoryIamPolicyGenerated(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccSourceRepoRepositoryIamPolicy_emptyBinding(context), + }, + { + ResourceName: "google_sourcerepo_repository_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/repos/%s", getTestProjectFromEnv(), fmt.Sprintf("my-repository%s", context["random_suffix"])), + ImportState: true, + ImportStateVerify: true, + }, }, }) } 
@@ -144,6 +153,23 @@ resource "google_sourcerepo_repository_iam_policy" "foo" { `, context) } +func testAccSourceRepoRepositoryIamPolicy_emptyBinding(context map[string]interface{}) string { + return Nprintf(` +resource "google_sourcerepo_repository" "my-repo" { + name = "my-repository%{random_suffix}" +} + +data "google_iam_policy" "foo" { +} + +resource "google_sourcerepo_repository_iam_policy" "foo" { + project = "${google_sourcerepo_repository.my-repo.project}" + repository = "${google_sourcerepo_repository.my-repo.name}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + func testAccSourceRepoRepositoryIamBinding_basicGenerated(context map[string]interface{}) string { return Nprintf(` resource "google_sourcerepo_repository" "my-repo" {