Fix storage notification tests (#1913)
* Update google_storage_project_service_account to mirror API.

* Fix storage notifications test, clarify docs.
rileykarson authored Aug 22, 2018
1 parent 35ab6d1 commit fbad37e
Showing 5 changed files with 72 additions and 35 deletions.
18 changes: 17 additions & 1 deletion google/data_source_google_storage_project_service_account.go
Expand Up @@ -14,6 +14,15 @@ func dataSourceGoogleStorageProjectServiceAccount() *schema.Resource {
Optional: true,
ForceNew: true,
},
"user_project": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"email_address": {
Type: schema.TypeString,
Computed: true,
},
},
}
}
Expand All @@ -26,12 +35,19 @@ func dataSourceGoogleStorageProjectServiceAccountRead(d *schema.ResourceData, me
return err
}

serviceAccount, err := config.clientStorage.Projects.ServiceAccount.Get(project).Do()
serviceAccountGetRequest := config.clientStorage.Projects.ServiceAccount.Get(project)

if v, ok := d.GetOk("user_project"); ok {
serviceAccountGetRequest = serviceAccountGetRequest.UserProject(v.(string))
}

serviceAccount, err := serviceAccountGetRequest.Do()
if err != nil {
return handleNotFoundError(err, d, "GCS service account not found")
}

d.Set("project", project)
d.Set("email_address", serviceAccount.EmailAddress)

d.SetId(serviceAccount.EmailAddress)

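Review bot: The new request path (building `serviceAccountGetRequest`, optionally adding `UserProject`, then `Do()`) still hands every error to `handleNotFoundError` on the context line that follows; that helper is defined elsewhere, but if it clears the ID and returns nil on a 404 as its name suggests, a lookup the caller cannot see would succeed with an empty `email_address` instead of failing the plan, and a `google_pubsub_topic_iam_binding` built from it would carry an empty member. For a data source a not-found response should be an error, e.g. `return fmt.Errorf("GCS service account for project %q not found: %s", project, err)` (assuming `fmt` is already imported, which is not visible here). The `d.Set("email_address", ...)` call added below discards its error like the `project` line above it; that matches the existing style, so it is only worth a comment if the project checks `d.Set` results elsewhere. `dataSourceGoogleStorageProjectServiceAccountRead` begins before this hunk and continues past it.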
Expand Up @@ -18,13 +18,14 @@ func TestAccDataSourceGoogleStorageProjectServiceAccount_basic(t *testing.T) {
{
Config: testAccCheckGoogleStorageProjectServiceAccount_basic,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrSet(resourceName, "id"),
resource.TestCheckResourceAttrSet(resourceName, "email_address"),
),
},
},
})
}

const testAccCheckGoogleStorageProjectServiceAccount_basic = `
data "google_storage_project_service_account" "gcs_account" { }
data "google_storage_project_service_account" "gcs_account" {
}
`
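Review bot: The added `TestCheckResourceAttrSet(resourceName, "email_address")` only proves the attribute is non-empty; it would still pass if the read wrote any string into it. Pinning the shape, e.g. `resource.TestMatchResourceAttr(resourceName, "email_address", regexp.MustCompile("EXPECTED_EMAIL_PATTERN"))` (placeholder — use the pattern of the GCS project service-account address), catches a regression where the wrong field is stored, at the cost of a `regexp` import. The enclosing test function starts before this hunk.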
17 changes: 11 additions & 6 deletions google/resource_storage_notification_test.go
Expand Up @@ -13,8 +13,7 @@ import (
)

var (
gcsServiceAccount = fmt.Sprintf("serviceAccount:%[email protected]", os.Getenv("GOOGLE_PROJECT"))
payload = "JSON_API_V1"
payload = "JSON_API_V1"
)

func TestAccStorageNotification_basic(t *testing.T) {
Expand Down Expand Up @@ -185,14 +184,17 @@ resource "google_storage_bucket" "bucket" {
resource "google_pubsub_topic" "topic" {
name = "%s"
}
// We have to provide GCS default storage account with the permission
// to publish to a Cloud Pub/Sub topic from this project
// Otherwise notification configuration won't work
data "google_storage_project_service_account" "gcs_account" {}
resource "google_pubsub_topic_iam_binding" "binding" {
topic = "${google_pubsub_topic.topic.name}"
role = "roles/pubsub.publisher"
members = ["%s"]
members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
}
resource "google_storage_notification" "notification" {
Expand All @@ -210,7 +212,7 @@ resource "google_storage_notification" "notification_with_prefix" {
depends_on = ["google_pubsub_topic_iam_binding.binding"]
}
`, bucketName, topicName, gcsServiceAccount)
`, bucketName, topicName)
}

func testGoogleStorageNotificationOptionalEventsAttributes(bucketName, topicName, topic, eventType1, eventType2 string) string {
Expand All @@ -222,14 +224,17 @@ resource "google_storage_bucket" "bucket" {
resource "google_pubsub_topic" "topic" {
name = "%s"
}
// We have to provide GCS default storage account with the permission
// to publish to a Cloud Pub/Sub topic from this project
// Otherwise notification configuration won't work
data "google_storage_project_service_account" "gcs_account" {}
resource "google_pubsub_topic_iam_binding" "binding" {
topic = "${google_pubsub_topic.topic.name}"
role = "roles/pubsub.publisher"
members = ["%s"]
members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
}
resource "google_storage_notification" "notification" {
Expand All @@ -243,5 +248,5 @@ resource "google_storage_notification" "notification" {
depends_on = ["google_pubsub_topic_iam_binding.binding"]
}
`, bucketName, topicName, gcsServiceAccount, eventType1, eventType2)
`, bucketName, topicName, eventType1, eventType2)
}
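Review bot: `payload` is now the only entry left in the parenthesized `var` block at the top of this section, so the block form no longer buys anything; assuming it is not reassigned elsewhere in the file (not visible here), `const payload = "JSON_API_V1"` states the intent and lets the compiler enforce it. The two later hunks only replace the interpolated `gcsServiceAccount` with the data-source reference and the matching `Sprintf` argument list, which is consistent, though the HCL comment they add reads more clearly as `// The project's GCS service account must be allowed to publish to the Pub/Sub topic, otherwise the notification configuration fails.`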
Expand Up @@ -8,9 +8,13 @@ description: |-

# google\_storage\_project\_service\_account

Use this data source to get the email address of the project's Google Cloud Storage service account.
For more information see
[API](https://cloud.google.com/storage/docs/json_api/v1/projects/serviceAccount).
Get the email address of a project's unique Google Cloud Storage service account.

Each Google Cloud project has a unique service account for use with Google Cloud Storage. Only this
special service account can be used to set up `google_storage_notification` resources.

For more information see
[the API reference](https://cloud.google.com/storage/docs/json_api/v1/projects/serviceAccount).

## Example Usage

Expand All @@ -21,18 +25,22 @@ resource "google_pubsub_topic_iam_binding" "binding" {
topic = "${google_pubsub_topic.topic.name}"
role = "roles/pubsub.publisher"
members = ["${data.google_storage_project_service_account.gcs_account.id}"]
members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
}
```

## Argument Reference

The following arguments are supported:

* `project` - (Optional) The project in which the resource belongs. If it is not provided, the provider project is used.
* `project` - (Optional) The project the unique service account was created for. If it is not provided, the provider project is used.

* `user_project` - (Optional) The project the lookup originates from. This field is used if you are making the request
from a different account than the one you are finding the service account for.

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the service account, which is its email address
* `email_address` - The email address of the service account. This value is often used to refer to the service account
in order to grant IAM permissions.
47 changes: 27 additions & 20 deletions website/docs/r/storage_notification.html.markdown
Expand Up @@ -14,29 +14,15 @@ Creates a new notification configuration on a specified bucket, establishing a f
and
[API](https://cloud.google.com/storage/docs/json_api/v1/notifications).

In order to enable notifications, a special Google Cloud Storage service account unique to the project
must have the IAM permission "projects.topics.publish" for a Cloud Pub/Sub topic in the project. To get the service
account's email address, use the `google_storage_project_service_account` datasource's `email_address` value, and see below
for an example of enabling notifications by granting the correct IAM permission. See
[the notifications documentation](https://cloud.google.com/storage/docs/gsutil/commands/notification) for more details.

## Example Usage

```hcl
data "google_storage_project_service_account" "gs_account" {}
resource "google_storage_bucket" "bucket" {
name = "default_bucket"
}
resource "google_pubsub_topic" "topic" {
name = "default_topic"
}
// In order to enable notifications, the Google Cloud Storage service account unique to each project
// must have the IAM permission "projects.topics.publish" to a Cloud Pub/Sub topic from this project.
// https://cloud.google.com/storage/docs/gsutil/commands/notification
resource "google_pubsub_topic_iam_binding" "binding" {
topic = "${google_pubsub_topic.topic.name}"
role = "roles/pubsub.publisher"
members = ["serviceAccount:${data.google_storage_project_service_account.gs_account.id}"]
}
resource "google_storage_notification" "notification" {
bucket = "${google_storage_bucket.bucket.name}"
payload_format = "JSON_API_V1"
Expand All @@ -47,6 +33,27 @@ resource "google_storage_notification" "notification" {
}
depends_on = ["google_pubsub_topic_iam_binding.binding"]
}
// Enable notifications by giving the correct IAM permission to the unique service account.
data "google_storage_project_service_account" "gcs_account" {}
resource "google_pubsub_topic_iam_binding" "binding" {
topic = "${google_pubsub_topic.topic.name}"
role = "roles/pubsub.publisher"
members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
}
// End enabling notifications
resource "google_storage_bucket" "bucket" {
name = "default_bucket"
}
resource "google_pubsub_topic" "topic" {
name = "default_topic"
}
```

## Argument Reference
