diff --git a/google/iam_storage_bucket.go b/google/iam_storage_bucket.go index 71a21f7e821..3dc9fb830a2 100644 --- a/google/iam_storage_bucket.go +++ b/google/iam_storage_bucket.go @@ -16,6 +16,11 @@ var IamStorageBucketSchema = map[string]*schema.Schema{ }, } +func StorageBucketIdParseFunc(d *schema.ResourceData, _ *Config) error { + d.Set("bucket", d.Id()) + return nil +} + type StorageBucketIamUpdater struct { bucket string Config *Config diff --git a/google/provider.go b/google/provider.go index edbab73e95a..69af56ce3b6 100644 --- a/google/provider.go +++ b/google/provider.go @@ -270,9 +270,9 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) { // Legacy roles such as roles/storage.legacyBucketReader are automatically added // when creating a bucket. For this reason, it is better not to add the authoritative // google_storage_bucket_iam_policy resource. - "google_storage_bucket_iam_binding": ResourceIamBinding(IamStorageBucketSchema, NewStorageBucketIamUpdater), - "google_storage_bucket_iam_member": ResourceIamMember(IamStorageBucketSchema, NewStorageBucketIamUpdater), - "google_storage_bucket_iam_policy": ResourceIamPolicy(IamStorageBucketSchema, NewStorageBucketIamUpdater), + "google_storage_bucket_iam_binding": ResourceIamBindingWithImport(IamStorageBucketSchema, NewStorageBucketIamUpdater, StorageBucketIdParseFunc), + "google_storage_bucket_iam_member": ResourceIamMemberWithImport(IamStorageBucketSchema, NewStorageBucketIamUpdater, StorageBucketIdParseFunc), + "google_storage_bucket_iam_policy": ResourceIamPolicyWithImport(IamStorageBucketSchema, NewStorageBucketIamUpdater, StorageBucketIdParseFunc), "google_storage_bucket_object": resourceStorageBucketObject(), "google_storage_object_acl": resourceStorageObjectAcl(), "google_storage_default_object_acl": resourceStorageDefaultObjectAcl(), diff --git a/google/resource_storage_bucket_iam_test.go b/google/resource_storage_bucket_iam_test.go index 12fa2b95717..bac5ceb02b0 100644 --- a/google/resource_storage_bucket_iam_test.go +++ b/google/resource_storage_bucket_iam_test.go @@ -16,6 +16,7 @@ func TestAccStorageBucketIamBinding(t *testing.T) { bucket := acctest.RandomWithPrefix("tf-test") account := acctest.RandomWithPrefix("tf-test") + role := "roles/storage.objectViewer" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -23,14 +24,20 @@ func TestAccStorageBucketIamBinding(t *testing.T) { Steps: []resource.TestStep{ { // Test IAM Binding creation - Config: testAccStorageBucketIamBinding_basic(bucket, account), - Check: testAccCheckGoogleStorageBucketIam(bucket, "roles/storage.objectViewer", []string{ + Config: testAccStorageBucketIamBinding_basic(bucket, account, role), + Check: testAccCheckGoogleStorageBucketIam(bucket, role, []string{ fmt.Sprintf("serviceAccount:%s-1@%s.iam.gserviceaccount.com", account, getTestProjectFromEnv()), }), }, + { + ResourceName: "google_storage_bucket_iam_binding.foo", + ImportStateId: fmt.Sprintf("%s %s", bucket, role), + ImportState: true, + ImportStateVerify: true, + }, { // Test IAM Binding update - Config: testAccStorageBucketIamBinding_update(bucket, account), + Config: testAccStorageBucketIamBinding_update(bucket, account, role), Check: testAccCheckGoogleStorageBucketIam(bucket, "roles/storage.objectViewer", []string{ fmt.Sprintf("serviceAccount:%s-1@%s.iam.gserviceaccount.com", account, getTestProjectFromEnv()), fmt.Sprintf("serviceAccount:%s-2@%s.iam.gserviceaccount.com", account, getTestProjectFromEnv()), @@ -58,6 +65,12 @@ func TestAccStorageBucketIamPolicy(t *testing.T) { fmt.Sprintf("serviceAccount:%s-1@%s.iam.gserviceaccount.com", account, getTestProjectFromEnv()), }), }, + { + ResourceName: "google_storage_bucket_iam_policy.bucket-binding", + ImportStateId: bucket, + ImportState: true, + ImportStateVerify: true, + }, { // Test IAM Policy update Config: testAccStorageBucketIamPolicy_update(bucket, account, serviceAcct), @@ -75,6 +88,8 @@ func TestAccStorageBucketIamMember(t *testing.T) { bucket := acctest.RandomWithPrefix("tf-test") account := acctest.RandomWithPrefix("tf-test") + role := "roles/storage.admin" + member := fmt.Sprintf("serviceAccount:%s-1@%s.iam.gserviceaccount.com", account, getTestProjectFromEnv()) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -82,10 +97,14 @@ func TestAccStorageBucketIamMember(t *testing.T) { Steps: []resource.TestStep{ { // Test Iam Member creation (no update for member, no need to test) - Config: testAccStorageBucketIamMember_basic(bucket, account), - Check: testAccCheckGoogleStorageBucketIam(bucket, "roles/storage.admin", []string{ - fmt.Sprintf("serviceAccount:%s-1@%s.iam.gserviceaccount.com", account, getTestProjectFromEnv()), - }), + Config: testAccStorageBucketIamMember_basic(bucket, account, role), + Check: testAccCheckGoogleStorageBucketIam(bucket, role, []string{member}), + }, + { + ResourceName: "google_storage_bucket_iam_member.foo", + ImportStateId: fmt.Sprintf("%s %s %s", bucket, role, member), + ImportState: true, + ImportStateVerify: true, }, }, }) @@ -197,7 +216,7 @@ resource "google_storage_bucket_iam_policy" "bucket-binding" { `, bucket, account, serviceAcct) } -func testAccStorageBucketIamBinding_basic(bucket, account string) string { +func testAccStorageBucketIamBinding_basic(bucket, account, role string) string { return fmt.Sprintf(` resource "google_storage_bucket" "bucket" { name = "%s" @@ -210,15 +229,15 @@ resource "google_service_account" "test-account-1" { resource "google_storage_bucket_iam_binding" "foo" { bucket = "${google_storage_bucket.bucket.name}" - role = "roles/storage.objectViewer" + role = "%s" members = [ "serviceAccount:${google_service_account.test-account-1.email}", ] } -`, bucket, account) +`, bucket, account, role) } -func testAccStorageBucketIamBinding_update(bucket, account string) string { +func testAccStorageBucketIamBinding_update(bucket, account, role string) string { return fmt.Sprintf(` resource "google_storage_bucket" "bucket" { name = "%s" @@ -236,16 +255,16 @@ resource "google_service_account" "test-account-2" { resource "google_storage_bucket_iam_binding" "foo" { bucket = "${google_storage_bucket.bucket.name}" - role = "roles/storage.objectViewer" + role = "%s" members = [ "serviceAccount:${google_service_account.test-account-1.email}", "serviceAccount:${google_service_account.test-account-2.email}", ] } -`, bucket, account, account) +`, bucket, account, account, role) } -func testAccStorageBucketIamMember_basic(bucket, account string) string { +func testAccStorageBucketIamMember_basic(bucket, account, role string) string { return fmt.Sprintf(` resource "google_storage_bucket" "bucket" { name = "%s" @@ -258,8 +277,8 @@ resource "google_service_account" "test-account-1" { resource "google_storage_bucket_iam_member" "foo" { bucket = "${google_storage_bucket.bucket.name}" - role = "roles/storage.admin" + role = "%s" member = "serviceAccount:${google_service_account.test-account-1.email}" } -`, bucket, account) +`, bucket, account, role) } diff --git a/website/docs/r/storage_bucket_iam.html.markdown b/website/docs/r/storage_bucket_iam.html.markdown index 89374a694f8..85920247e0e 100644 --- a/website/docs/r/storage_bucket_iam.html.markdown +++ b/website/docs/r/storage_bucket_iam.html.markdown @@ -88,3 +88,18 @@ In addition to the arguments listed above, the following computed attributes are exported: * `etag` - (Computed) The etag of the storage bucket's IAM policy. + + +## Import + +For `google_storage_bucket_iam_policy`: + +IAM member imports use space-delimited identifiers - generally the resource in question, the role, and the member identity (i.e. `serviceAccount: my-sa@my-project.iam.gserviceaccount.com` or `user:foo@example.com`). Policies, bindings, and members can be respectively imported as follows: + +``` +$ terraform import google_storage_bucket_iam_policy.policy "my-bucket user:foo@example.com" + +$ terraform import google_storage_bucket_iam_binding.binding "my-bucket roles/my-role " + +$ terraform import google_storage_bucket_iam_member.member "my-bucket roles/my-role user:foo@example.com" +```