From 954b02f2c0cf3f4ae6712425b72a7dfde3e6987b Mon Sep 17 00:00:00 2001
From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Date: Fri, 21 Jan 2022 13:30:54 -0800
Subject: [PATCH] secrets/gcp: update plugin to v0.9.1 (#13735)

---
 changelog/13735.txt | 3 ++
 go.mod | 2 +-
 go.sum | 4 +-
 .../plugin/iamutil/dataset_resource.go | 42 +++++++++++++++++--
 .../plugin/iamutil/resource_parser.go | 2 +-
 vendor/modules.txt | 2 +-
 6 files changed, 47 insertions(+), 8 deletions(-)
 create mode 100644 changelog/13735.txt

diff --git a/changelog/13735.txt b/changelog/13735.txt
new file mode 100644
index 000000000000..0edc831c5c30
--- /dev/null
+++ b/changelog/13735.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/gcp: Fixes role bindings for BigQuery dataset resources.
+```
diff --git a/go.mod b/go.mod
index 7bc7aab7787b..cf3666adceb7 100644
--- a/go.mod
+++ b/go.mod
@@ -96,7 +96,7 @@ require (
 github.com/hashicorp/vault-plugin-secrets-ad v0.9.1
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.8.0
 github.com/hashicorp/vault-plugin-secrets-azure v0.9.1
- github.com/hashicorp/vault-plugin-secrets-gcp v0.9.0
+ github.com/hashicorp/vault-plugin-secrets-gcp v0.9.1
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.8.0
 github.com/hashicorp/vault-plugin-secrets-kv v0.8.0
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.3.0
diff --git a/go.sum b/go.sum
index 9571fd83072a..1524ce718fe6 100644
--- a/go.sum
+++ b/go.sum
@@ -708,8 +708,8 @@ github.com/hashicorp/vault-plugin-secrets-alicloud v0.8.0 h1:dg1vrZl+XwGipfjet7M
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.8.0/go.mod h1:SSkKpSTOMnX84PfgYiWHgwVg+YMhxHNjo+YCJGNBoZk=
 github.com/hashicorp/vault-plugin-secrets-azure v0.9.1 h1:vZhWEafEedxLS7t906QSYFKT+jiNM6Mv6fDHxOX6O5I=
 github.com/hashicorp/vault-plugin-secrets-azure v0.9.1/go.mod h1:4jCVjTG809NCQ8mrSnbBtX17gX1Iush+558BVO6MJeo=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.9.0 h1:gfaTe+QNNk+wZLec0k9pUt2VSBKPB237F/Dh0a1u8ic=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.9.0/go.mod h1:psRQ/dm5XatoUKLDUeWrpP9icMJNtu/jmscUr37YGK4=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.9.1 h1:bRrjxNBh1fu8exJsrWC6VHxdlxk4WGkwTHV4vZc0XVc=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.9.1/go.mod h1:psRQ/dm5XatoUKLDUeWrpP9icMJNtu/jmscUr37YGK4=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.8.0 h1:yoMAcYkdvuo0LMiPaD4OCNRO8ekkYVMhSo+GswZrgb4=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.8.0/go.mod h1:hhwps56f2ATeC4Smgghrc5JH9dXR31b4ehSf1HblP5Q=
 github.com/hashicorp/vault-plugin-secrets-kv v0.8.0 h1:9AWMN1+n4z6p/YX6d5/gaD5QulymrP11Q2XlNa4TXT0=
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/dataset_resource.go b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/dataset_resource.go
index 519032841ba1..0242a11ec99f 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/dataset_resource.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/dataset_resource.go
@@ -118,6 +118,18 @@ func datasetAsPolicy(ds *Dataset) *Policy {
 for _, accessBinding := range ds.Access {
 var iamMember string
 
+ // Role mapping must be applied for datasets in order to properly
+ // detect when to change bindings (via RemoveBindings()) after a
+ // modification or deletion occurs. This is due to BigQuery
+ // access roles accepting both legacy (e.g., OWNER) and current
+ // (e.g., roles/bigquery.dataOwner) role references. The API will
+ // only return the legacy format, so this mapping allows us to properly
+ // diff the current and desired roles to set the access policy.
+ //
+ // See the access[].role description in the following document for details
+ // https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets#Dataset
+ role := mapLegacyRoles(accessBinding.Role)
+
 //NOTE: Can either have GroupByEmail or UserByEmail but not both
 if accessBinding.GroupByEmail != "" {
 iamMember = fmt.Sprintf("group:%s", accessBinding.GroupByEmail)
@@ -126,11 +138,11 @@ func datasetAsPolicy(ds *Dataset) *Policy {
 } else {
 iamMember = fmt.Sprintf("user:%s", accessBinding.UserByEmail)
 }
- if binding, ok := bindingMap[accessBinding.Role]; ok {
+ if binding, ok := bindingMap[role]; ok {
 binding.Members = append(binding.Members, iamMember)
 } else {
- bindingMap[accessBinding.Role] = &Binding{
- Role: accessBinding.Role,
+ bindingMap[role] = &Binding{
+ Role: role,
 Members: []string{iamMember},
 }
 }
@@ -140,3 +152,27 @@ func datasetAsPolicy(ds *Dataset) *Policy {
 }
 return policy
 }
+
+// mapLegacyRoles returns a current role name given a legacy role name.
+//
+// The following role mappings will be applied:
+// - OWNER -> roles/bigquery.dataOwner
+// - WRITER -> roles/bigquery.dataEditor
+// - READER -> roles/bigquery.dataViewer
+//
+// See the access[].role description in the following document for details
+// https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets#Dataset
+//
+// Returns the given role if no mapping applies.
+func mapLegacyRoles(role string) string {
+ switch role {
+ case "OWNER":
+ return "roles/bigquery.dataOwner"
+ case "WRITER":
+ return "roles/bigquery.dataEditor"
+ case "READER":
+ return "roles/bigquery.dataViewer"
+ default:
+ return role
+ }
+}
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/resource_parser.go b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/resource_parser.go
index a8c7589dc3b7..0d2fb19f97f1 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/resource_parser.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/resource_parser.go
@@ -125,7 +125,7 @@ func (apis GeneratedResources) Parse(rawName string) (Resource, error) {
 return nil, err
 }
 switch cfg.TypeKey {
- case "projects/dataset":
+ case "projects/datasets":
 return &DatasetResource{relativeId: relName, config: cfg}, nil
 default:
 return &IamResource{relativeId: relName, config: cfg}, nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 25708559ca1c..f14f4944d351 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -684,7 +684,7 @@ github.com/hashicorp/vault-plugin-secrets-alicloud/clients
 # github.com/hashicorp/vault-plugin-secrets-azure v0.9.1
 ## explicit
 github.com/hashicorp/vault-plugin-secrets-azure
-# github.com/hashicorp/vault-plugin-secrets-gcp v0.9.0
+# github.com/hashicorp/vault-plugin-secrets-gcp v0.9.1
 ## explicit
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil