Catch up to mm master, bucket labels #244

Merged
merged 3 commits into from
Apr 14, 2020
16 changes: 16 additions & 0 deletions docs/resources/google_access_context_manager_service_perimeter.md
@@ -48,6 +48,22 @@ Properties that can be accessed from the `google_access_context_manager_service_perimeter_

* `allowed_services`: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True.

* `spec`: Proposed (or dry run) ServicePerimeter configuration. This configuration allows to specify and test ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the `useExplicitDryRunSpec` flag is set.

* `resources`: A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}

* `access_levels`: A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. For Service Perimeter Bridge, must be empty. Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}

* `restricted_services`: GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if `storage.googleapis.com` is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.

* `vpc_accessible_services`: Specifies how APIs are allowed to communicate within the Service Perimeter.

* `enable_restriction`: Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'.

* `allowed_services`: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True.

* `use_explicit_dry_run_spec`: Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. useExplicitDryRunSpec must bet set to True if any of the fields in the spec are set to non-default values.

* `parent`: The AccessPolicy this ServicePerimeter lives in. Format: accessPolicies/{policy_id}

* `name`: Resource name for the ServicePerimeter. The short_name component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}
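Review bot: the properties nested under `spec` (`resources` through `allowed_services`) are rendered as top-level bullets, so `allowed_services` now appears twice in one flat list (once under `status`, once under `spec`) with nothing marking which object each belongs to; indent them under `spec` or prefix them (`spec.restricted_services`, `spec.vpc_accessible_services.allowed_services`) so control authors know the access path. Two typos in the `use_explicit_dry_run_spec` entry: "must bet set to True" should read "must be set to True", and "allows to specify" in the `spec` entry should read "allows you to specify". It is also worth stating plainly, since the text says `spec` is applied "without enforcing actual access restrictions", that a control asserting on `spec.restricted_services` verifies nothing about live enforcement; the enforced configuration remains `status`.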
@@ -29,6 +29,8 @@ See [google_access_context_manager_service_perimeter.md](google_access_context_m
* `update_times`: an array of `google_access_context_manager_service_perimeter` update_time
* `perimeter_types`: an array of `google_access_context_manager_service_perimeter` perimeter_type
* `statuses`: an array of `google_access_context_manager_service_perimeter` status
* `specs`: an array of `google_access_context_manager_service_perimeter` spec
* `use_explicit_dry_run_specs`: an array of `google_access_context_manager_service_perimeter` use_explicit_dry_run_spec
* `parents`: an array of `google_access_context_manager_service_perimeter` parent
* `names`: an array of `google_access_context_manager_service_perimeter` name

4 changes: 4 additions & 0 deletions docs/resources/google_compute_health_check.md
@@ -121,6 +121,10 @@ Properties that can be accessed from the `google_compute_health_check` resource:

* `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, HTTP2 health check follows behavior specified in `port` and `portName` fields.

* `log_config`: (Beta only) Configure logging on this health check.

* `enable`: Indicates whether or not to export logs. This is false by default, which means no health check logging will be done.


## GCP Permissions

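Review bot: `enable` is the only field of `log_config` but is listed as a sibling bullet, so a reader cannot tell it is reached as `log_config.enable`; indent it under `log_config` or name it `log_config.enable`. The hunk also leaves two consecutive blank lines before `## GCP Permissions`. Given that the description says logging is off by default, a sentence telling control authors to assert `its('log_config.enable') { should be true }` rather than a negative match would make the Beta property more useful.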
1 change: 1 addition & 0 deletions docs/resources/google_compute_health_checks.md
@@ -36,6 +36,7 @@ See [google_compute_health_check.md](google_compute_health_check.md) for more de
* `tcp_health_checks`: an array of `google_compute_health_check` tcp_health_check
* `ssl_health_checks`: an array of `google_compute_health_check` ssl_health_check
* `http2_health_checks`: an array of `google_compute_health_check` http2_health_check
* `log_configs`: (Beta only) an array of `google_compute_health_check` log_config

## Filter Criteria
This resource supports all of the above properties as filter criteria, which can be used
2 changes: 1 addition & 1 deletion docs/resources/google_compute_network_endpoint_group.md
@@ -33,7 +33,7 @@ Properties that can be accessed from the `google_compute_network_endpoint_group`

* `description`: An optional description of this resource. Provide this property when you create the resource.

* `network_endpoint_type`: Type of network endpoints in this network endpoint group. Currently the only supported value is GCE_VM_IP_PORT.
* `network_endpoint_type`: Type of network endpoints in this network endpoint group. The only supported value is GCE_VM_IP_PORT

* `size`: Number of network endpoints in the network endpoint group.

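Review bot: the replacement `network_endpoint_type` line drops the sentence-ending period that the removed line had, while every neighbouring description (`description`, `size`) ends with one. Removing "Currently" also turns a hedged statement into an absolute one; keep it unless the upstream API text really changed.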
3 changes: 3 additions & 0 deletions docs/resources/google_storage_bucket.md
@@ -13,6 +13,7 @@ describe google_storage_bucket(name: bucket-name) do
its('location') { should cmp 'europe-west2'.upcase }

its('storage_class') { should eq "STANDARD" }
its('labels') { should include("key" => "value") }
end

describe google_storage_bucket(name: "nonexistent") do
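Review bot: `its('labels') { should include("key" => "value") }` is the right matcher shape for a Hash-valued property, but the literal pair `"key" => "value"` only makes sense against the fixture bucket in `gcp-mm.tf`; for a documentation example a label that reads like one (for instance `"environment" => "test"`) shows the intent better, and the same pair then has to change in the fixture and in the integration control.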
@@ -166,6 +167,8 @@ Properties that can be accessed from the `google_storage_bucket` resource:

* `predefined_default_object_acl`: Apply a predefined set of default object access controls to this bucket. Acceptable values are: - "authenticatedRead": Object owner gets OWNER access, and allAuthenticatedUsers get READER access. - "bucketOwnerFullControl": Object owner gets OWNER access, and project team owners get OWNER access. - "bucketOwnerRead": Object owner gets OWNER access, and project team owners get READER access. - "private": Object owner gets OWNER access. - "projectPrivate": Object owner gets OWNER access, and project team members get access according to their roles. - "publicRead": Object owner gets OWNER access, and allUsers get READER access.

* `labels`: Labels applied to this bucket. A list of key->value pairs.


## GCP Permissions

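Review bot: "A list of key->value pairs" does not describe what the resource exposes. The library stores `@fetched['labels']` unchanged, which is the API's labels object (a Hash), and the example at the top of this same file matches it with `include("key" => "value")`, a Hash matcher; say "A map of key/value label pairs" and note that it is nil for a bucket with no labels. The hunk also adds two blank lines in a row before `## GCP Permissions`.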
1 change: 1 addition & 0 deletions docs/resources/google_storage_buckets.md
@@ -58,6 +58,7 @@ See [google_storage_bucket.md](google_storage_bucket.md) for more detailed infor
* `websites`: an array of `google_storage_bucket` website
* `projects`: an array of `google_storage_bucket` project
* `predefined_default_object_acls`: an array of `google_storage_bucket` predefined_default_object_acl
* `labels`: an array of `google_storage_bucket` labels

## Filter Criteria
This resource supports all of the above properties as filter criteria, which can be used
@@ -0,0 +1,44 @@
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
require 'google/accesscontextmanager/property/serviceperimeter_spec_vpc_accessible_services'
module GoogleInSpec
module AccessContextManager
module Property
class ServicePerimeterSpec
attr_reader :resources

attr_reader :access_levels

attr_reader :restricted_services

attr_reader :vpc_accessible_services

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@resources = args['resources']
@access_levels = args['accessLevels']
@restricted_services = args['restrictedServices']
@vpc_accessible_services = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecVPCAccessibleServices.new(args['vpcAccessibleServices'], to_s)
end

def to_s
"#{@parent_identifier} ServicePerimeterSpec"
end
end
end
end
end
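Review bot: `return if args.nil?` runs before `@parent_identifier` is assigned, so a perimeter that carries no `spec` yields an object whose `to_s` is " ServicePerimeterSpec" with no parent name in front of it, which makes failure messages harder to attribute; assigning `@parent_identifier` before the early return fixes this. The header says the file is generated by Magic Modules, so the change belongs in the generator template; `ServicePerimeterSpecVPCAccessibleServices` and `HealthCheckLogConfig` below have the same pattern.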
@@ -0,0 +1,37 @@
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
module GoogleInSpec
module AccessContextManager
module Property
class ServicePerimeterSpecVPCAccessibleServices
attr_reader :enable_restriction

attr_reader :allowed_services

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@enable_restriction = args['enableRestriction']
@allowed_services = args['allowedServices']
end

def to_s
"#{@parent_identifier} ServicePerimeterSpecVPCAccessibleServices"
end
end
end
end
end
34 changes: 34 additions & 0 deletions libraries/google/compute/property/healthcheck_log_config.rb
@@ -0,0 +1,34 @@
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
module GoogleInSpec
module Compute
module Property
class HealthCheckLogConfig
attr_reader :enable

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@enable = args['enable']
end

def to_s
"#{@parent_identifier} HealthCheckLogConfig"
end
end
end
end
end
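Review bot: `@enable = args['enable']` yields nil, not false, whenever the API omits the field, and when `logConfig` itself is absent the `return if args.nil?` leaves the reader unset as well. The docs for this property say logging is off by default, so controls must assert positively (`its('log_config.enable') { should be true }`); a negative assertion such as `should_not be false` passes on a health check that has no logging configured at all. Either document that nil means "not configured" or normalise with `args['enable'] == true` in the Magic Modules template.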
6 changes: 6 additions & 0 deletions libraries/google_access_context_manager_service_perimeter.rb
@@ -14,6 +14,8 @@
#
# ----------------------------------------------------------------------------
require 'gcp_backend'
require 'google/accesscontextmanager/property/serviceperimeter_spec'
require 'google/accesscontextmanager/property/serviceperimeter_spec_vpc_accessible_services'
require 'google/accesscontextmanager/property/serviceperimeter_status'
require 'google/accesscontextmanager/property/serviceperimeter_status_vpc_accessible_services'

@@ -30,6 +32,8 @@ class AccessContextManagerServicePerimeter < GcpResourceBase
attr_reader :update_time
attr_reader :perimeter_type
attr_reader :status
attr_reader :spec
attr_reader :use_explicit_dry_run_spec
attr_reader :parent
attr_reader :name

@@ -47,6 +51,8 @@ def parse
@update_time = parse_time_string(@fetched['updateTime'])
@perimeter_type = @fetched['perimeterType']
@status = GoogleInSpec::AccessContextManager::Property::ServicePerimeterStatus.new(@fetched['status'], to_s)
@spec = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpec.new(@fetched['spec'], to_s)
@use_explicit_dry_run_spec = @fetched['useExplicitDryRunSpec']
@parent = @fetched['parent']
@name = name_from_self_link(@fetched['name'])
end
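Review bot: nothing in `parse` ties `@spec` to `@use_explicit_dry_run_spec`. When the flag is absent, `@use_explicit_dry_run_spec` is nil and `@spec` becomes an empty `ServicePerimeterSpec` whose readers all return nil, whereas the property docs say an implicit dry-run spec identical to `status` exists in that case; a control reading `spec.restricted_services` on such a perimeter therefore sees nil rather than the effective configuration. Documenting that `spec` is only populated when `use_explicit_dry_run_spec` is true, and that `status` remains the enforced configuration to assert on, would prevent controls from being written against the wrong field.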
4 changes: 4 additions & 0 deletions libraries/google_access_context_manager_service_perimeters.rb
@@ -29,6 +29,8 @@ class AccessContextManagerServicePerimeters < GcpResourceBase
filter_table_config.add(:update_times, field: :update_time)
filter_table_config.add(:perimeter_types, field: :perimeter_type)
filter_table_config.add(:statuses, field: :status)
filter_table_config.add(:specs, field: :spec)
filter_table_config.add(:use_explicit_dry_run_specs, field: :use_explicit_dry_run_spec)
filter_table_config.add(:parents, field: :parent)
filter_table_config.add(:names, field: :name)

@@ -76,6 +78,8 @@ def transformers
'updateTime' => ->(obj) { return :update_time, parse_time_string(obj['updateTime']) },
'perimeterType' => ->(obj) { return :perimeter_type, obj['perimeterType'] },
'status' => ->(obj) { return :status, GoogleInSpec::AccessContextManager::Property::ServicePerimeterStatus.new(obj['status'], to_s) },
'spec' => ->(obj) { return :spec, GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpec.new(obj['spec'], to_s) },
'useExplicitDryRunSpec' => ->(obj) { return :use_explicit_dry_run_spec, obj['useExplicitDryRunSpec'] },
'parent' => ->(obj) { return :parent, obj['parent'] },
'name' => ->(obj) { return :name, name_from_self_link(obj['name']) },
}
3 changes: 3 additions & 0 deletions libraries/google_compute_health_check.rb
@@ -17,6 +17,7 @@
require 'google/compute/property/healthcheck_http2_health_check'
require 'google/compute/property/healthcheck_http_health_check'
require 'google/compute/property/healthcheck_https_health_check'
require 'google/compute/property/healthcheck_log_config'
require 'google/compute/property/healthcheck_ssl_health_check'
require 'google/compute/property/healthcheck_tcp_health_check'

@@ -41,6 +42,7 @@ class ComputeHealthCheck < GcpResourceBase
attr_reader :tcp_health_check
attr_reader :ssl_health_check
attr_reader :http2_health_check
attr_reader :log_config

def initialize(params)
super(params.merge({ use_http_transport: true }))
@@ -64,6 +66,7 @@ def parse
@tcp_health_check = GoogleInSpec::Compute::Property::HealthCheckTcpHealthCheck.new(@fetched['tcpHealthCheck'], to_s)
@ssl_health_check = GoogleInSpec::Compute::Property::HealthCheckSslHealthCheck.new(@fetched['sslHealthCheck'], to_s)
@http2_health_check = GoogleInSpec::Compute::Property::HealthCheckHttp2HealthCheck.new(@fetched['http2HealthCheck'], to_s)
@log_config = GoogleInSpec::Compute::Property::HealthCheckLogConfig.new(@fetched['logConfig'], to_s)
end

# Handles parsing RFC3339 time string
2 changes: 2 additions & 0 deletions libraries/google_compute_health_checks.rb
@@ -37,6 +37,7 @@ class ComputeHealthChecks < GcpResourceBase
filter_table_config.add(:tcp_health_checks, field: :tcp_health_check)
filter_table_config.add(:ssl_health_checks, field: :ssl_health_check)
filter_table_config.add(:http2_health_checks, field: :http2_health_check)
filter_table_config.add(:log_configs, field: :log_config)

filter_table_config.connect(self, :table)

@@ -90,6 +91,7 @@ def transformers
'tcpHealthCheck' => ->(obj) { return :tcp_health_check, GoogleInSpec::Compute::Property::HealthCheckTcpHealthCheck.new(obj['tcpHealthCheck'], to_s) },
'sslHealthCheck' => ->(obj) { return :ssl_health_check, GoogleInSpec::Compute::Property::HealthCheckSslHealthCheck.new(obj['sslHealthCheck'], to_s) },
'http2HealthCheck' => ->(obj) { return :http2_health_check, GoogleInSpec::Compute::Property::HealthCheckHttp2HealthCheck.new(obj['http2HealthCheck'], to_s) },
'logConfig' => ->(obj) { return :log_config, GoogleInSpec::Compute::Property::HealthCheckLogConfig.new(obj['logConfig'], to_s) },
}
end

2 changes: 2 additions & 0 deletions libraries/google_storage_bucket.rb
@@ -50,6 +50,7 @@ class StorageBucket < GcpResourceBase
attr_reader :website
attr_reader :project
attr_reader :predefined_default_object_acl
attr_reader :labels

def initialize(params)
super(params.merge({ use_http_transport: true }))
@@ -78,6 +79,7 @@ def parse
@website = GoogleInSpec::Storage::Property::BucketWebsite.new(@fetched['website'], to_s)
@project = @fetched['project']
@predefined_default_object_acl = @fetched['predefinedDefaultObjectAcl']
@labels = @fetched['labels']
end
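Review bot: `@labels = @fetched['labels']` hands back the raw API value, a Hash, or nil when the bucket has no labels, while the doc text added in `google_storage_bucket.md` calls it a list. Either normalise to `@fetched['labels'] || {}` in the Magic Modules template (this file is generated) so that an `include` matcher on an unlabelled bucket fails against an empty map instead of nil, or correct the doc to say it is a Hash that may be nil.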

# Handles parsing RFC3339 time string
2 changes: 2 additions & 0 deletions libraries/google_storage_buckets.rb
@@ -42,6 +42,7 @@ class StorageBuckets < GcpResourceBase
filter_table_config.add(:websites, field: :website)
filter_table_config.add(:projects, field: :project)
filter_table_config.add(:predefined_default_object_acls, field: :predefined_default_object_acl)
filter_table_config.add(:labels, field: :labels)

filter_table_config.connect(self, :table)

@@ -100,6 +101,7 @@ def transformers
'website' => ->(obj) { return :website, GoogleInSpec::Storage::Property::BucketWebsite.new(obj['website'], to_s) },
'project' => ->(obj) { return :project, obj['project'] },
'predefinedDefaultObjectAcl' => ->(obj) { return :predefined_default_object_acl, obj['predefinedDefaultObjectAcl'] },
'labels' => ->(obj) { return :labels, obj['labels'] },
}
end

4 changes: 4 additions & 0 deletions test/integration/build/gcp-mm.tf
@@ -652,6 +652,10 @@ resource "google_storage_bucket" "bucket" {
project = var.gcp_project_id
location = var.gcp_location
force_destroy = true

labels = {
"key" = "value"
}
}

resource "google_storage_bucket_object" "object" {
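Review bot: the fixture label `"key" = "value"` is the exact pair the docs example and the integration control both assert on, so the three must be kept in sync; a comment on the `labels` block saying which control depends on it would save the next person a hunt. The test also covers only the single-label case; a second label would exercise `include` on a multi-entry map, which is the realistic shape.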
1 change: 1 addition & 0 deletions test/integration/verify/controls/google_storage_bucket.rb
@@ -25,6 +25,7 @@
its('location') { should cmp gcp_location.upcase }

its('storage_class') { should eq "STANDARD" }
its('labels') { should include("key" => "value") }
end

describe google_storage_bucket(name: "nonexistent") do