Make binding optional for iam_policy data source

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Jan 9, 2020 · e3db55c · e3db55c
1 parent a1503a8
commit e3db55c
Show file tree

Hide file tree

Showing 16 changed files with 599 additions and 2 deletions.
diff --git a/google/data_source_google_iam_policy.go b/google/data_source_google_iam_policy.go
@@ -29,8 +29,10 @@ func dataSourceGoogleIamPolicy() *schema.Resource {
 		Read: dataSourceGoogleIamPolicyRead,
 		Schema: map[string]*schema.Schema{
 			"binding": {
-				Type:     schema.TypeSet,
-				Required: true,
+				Type: schema.TypeSet,
+				// Binding is optional because a user may want to set an IAM policy with no bindings
+				// This allows users to ensure that no bindings were created outside of terraform
+				Optional: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"role": {

diff --git a/google/iam_binary_authorization_attestor_generated_test.go b/google/iam_binary_authorization_attestor_generated_test.go
@@ -104,6 +104,15 @@ func TestAccBinaryAuthorizationAttestorIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccBinaryAuthorizationAttestorIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_binary_authorization_attestor_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/attestors/%s", getTestProjectFromEnv(), fmt.Sprintf("test-attestor%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -208,6 +217,55 @@ resource "google_binary_authorization_attestor_iam_policy" "foo" {
 `, context)
 }
 
+func testAccBinaryAuthorizationAttestorIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_binary_authorization_attestor" "attestor" {
+  name = "test-attestor%{random_suffix}"
+  attestation_authority_note {
+    note_reference = google_container_analysis_note.note.name
+    public_keys {
+      ascii_armored_pgp_public_key = <<EOF
+mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
+bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
+oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
+V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
+Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
+83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
+IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
+uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
+0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
+51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
+WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
+MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
++OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
+qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
+=6Bvm
+EOF
+
+    }
+  }
+}
+
+resource "google_container_analysis_note" "note" {
+  name = "test-attestor-note%{random_suffix}"
+  attestation_authority {
+    hint {
+      human_readable_name = "Attestor Note"
+    }
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_binary_authorization_attestor_iam_policy" "foo" {
+  project = "${google_binary_authorization_attestor.attestor.project}"
+  attestor = "${google_binary_authorization_attestor.attestor.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccBinaryAuthorizationAttestorIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_binary_authorization_attestor" "attestor" {

diff --git a/google/iam_cloud_functions_cloud_function_generated_test.go b/google/iam_cloud_functions_cloud_function_generated_test.go
@@ -107,6 +107,15 @@ func TestAccCloudFunctionsCloudFunctionIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_cloudfunctions_function_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/locations/%s/functions/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("my-function%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -187,6 +196,43 @@ resource "google_cloudfunctions_function_iam_policy" "foo" {
 `, context)
 }
 
+func testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_storage_bucket" "bucket" {
+  name = "tf-cloudfunctions-function-example-bucket%{random_suffix}"
+}
+
+resource "google_storage_bucket_object" "archive" {
+  name   = "index.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "%{zip_path}"
+}
+
+resource "google_cloudfunctions_function" "function" {
+  name        = "my-function%{random_suffix}"
+  description = "My function"
+  runtime     = "nodejs10"
+
+  available_memory_mb   = 128
+  source_archive_bucket = google_storage_bucket.bucket.name
+  source_archive_object = google_storage_bucket_object.archive.name
+  trigger_http          = true
+  timeout               = 60
+  entry_point           = "helloGET"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_cloudfunctions_function_iam_policy" "foo" {
+  project = "${google_cloudfunctions_function.function.project}"
+  region = "${google_cloudfunctions_function.function.region}"
+  cloud_function = "${google_cloudfunctions_function.function.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccCloudFunctionsCloudFunctionIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_storage_bucket" "bucket" {

diff --git a/google/iam_cloud_run_service_generated_test.go b/google/iam_cloud_run_service_generated_test.go
@@ -107,6 +107,15 @@ func TestAccCloudRunServiceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccCloudRunServiceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_cloud_run_service_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/locations/%s/services/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("tftest-cloudrun%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -177,6 +186,38 @@ resource "google_cloud_run_service_iam_policy" "foo" {
 `, context)
 }
 
+func testAccCloudRunServiceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_cloud_run_service" "default" {
+  name     = "tftest-cloudrun%{random_suffix}"
+  location = "us-central1"
+
+  template {
+    spec {
+      containers {
+        image = "gcr.io/cloudrun/hello"
+      }
+    }
+  }
+
+  traffic {
+    percent         = 100
+    latest_revision = true
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_cloud_run_service_iam_policy" "foo" {
+  location = "${google_cloud_run_service.default.location}"
+  project = "${google_cloud_run_service.default.project}"
+  service = "${google_cloud_run_service.default.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccCloudRunServiceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_cloud_run_service" "default" {

diff --git a/google/iam_compute_instance_generated_test.go b/google/iam_compute_instance_generated_test.go
@@ -104,6 +104,15 @@ func TestAccComputeInstanceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccComputeInstanceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_compute_instance_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/zones/%s/instances/%s", getTestProjectFromEnv(), getTestZoneFromEnv(), fmt.Sprintf("my-instance%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -170,6 +179,36 @@ resource "google_compute_instance_iam_policy" "foo" {
 `, context)
 }
 
+func testAccComputeInstanceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_instance" "default" {
+  name         = "my-instance%{random_suffix}"
+  zone         = ""
+  machine_type = "n1-standard-1"
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-9"
+    }
+  }
+
+  network_interface {
+    network = "default"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_compute_instance_iam_policy" "foo" {
+  project = "${google_compute_instance.default.project}"
+  zone = "${google_compute_instance.default.zone}"
+  instance_name = "${google_compute_instance.default.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccComputeInstanceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_instance" "default" {

diff --git a/google/iam_compute_subnetwork_generated_test.go b/google/iam_compute_subnetwork_generated_test.go
@@ -104,6 +104,15 @@ func TestAccComputeSubnetworkIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccComputeSubnetworkIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_compute_subnetwork_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/regions/%s/subnetworks/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("test-subnetwork%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -170,6 +179,36 @@ resource "google_compute_subnetwork_iam_policy" "foo" {
 `, context)
 }
 
+func testAccComputeSubnetworkIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
+  name          = "test-subnetwork%{random_suffix}"
+  ip_cidr_range = "10.2.0.0/16"
+  region        = "us-central1"
+  network       = google_compute_network.custom-test.self_link
+  secondary_ip_range {
+    range_name    = "tf-test-secondary-range-update1"
+    ip_cidr_range = "192.168.10.0/24"
+  }
+}
+
+resource "google_compute_network" "custom-test" {
+  name                    = "test-network%{random_suffix}"
+  auto_create_subnetworks = false
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_compute_subnetwork_iam_policy" "foo" {
+  project = "${google_compute_subnetwork.network-with-private-secondary-ip-ranges.project}"
+  region = "${google_compute_subnetwork.network-with-private-secondary-ip-ranges.region}"
+  subnetwork = "${google_compute_subnetwork.network-with-private-secondary-ip-ranges.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccComputeSubnetworkIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {

diff --git a/google/iam_iap_app_engine_service_generated_test.go b/google/iam_iap_app_engine_service_generated_test.go
@@ -113,6 +113,15 @@ func TestAccIapAppEngineServiceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapAppEngineServiceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_app_engine_service_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", context["project_id"], context["project_id"], "default"),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -251,6 +260,72 @@ resource "google_iap_app_engine_service_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapAppEngineServiceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "my_project" {
+  name            = "%{project_id}"
+  project_id      = "%{project_id}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+}
+
+resource "google_project_service" "project_service" {
+  project = google_project.my_project.project_id
+  service = "iap.googleapis.com"
+}
+
+resource "google_project_service" "cloudbuild_service" {
+  project = google_project_service.project_service.project
+  service = "cloudbuild.googleapis.com"
+}
+
+resource "google_app_engine_application" "app" {
+  project     = google_project_service.cloudbuild_service.project
+  location_id = "us-central"
+}
+
+resource "google_storage_bucket" "bucket" {
+  project = google_app_engine_application.app.project
+  name    = "appengine-static-content-%{random_suffix}"
+}
+
+resource "google_storage_bucket_object" "object" {
+  name   = "hello-world.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "./test-fixtures/appengine/hello-world.zip"
+}
+
+resource "google_app_engine_standard_app_version" "version" {
+  project         = google_app_engine_application.app.project
+  version_id      = "v2"
+  service         = "default"
+  runtime         = "nodejs10"
+  noop_on_destroy = true
+  entrypoint {
+    shell = "node ./app.js"
+  }
+  deployment {
+    zip {
+      source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip"
+    }
+  }
+  env_variables = {
+    port = "8080"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_app_engine_service_iam_policy" "foo" {
+  project = "${google_app_engine_standard_app_version.version.project}"
+  app_id = "${google_app_engine_standard_app_version.version.project}"
+  service = "${google_app_engine_standard_app_version.version.service}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapAppEngineServiceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "my_project" {