Merge pull request GoogleCloudPlatform#2798 from 600lyy/add-bqcc-aws

Add Support for Bigqueryconnection AWS

apis/bigqueryconnection/v1alpha1/connection_types.go

@@ -51,10 +51,8 @@ type BigQueryConnectionConnectionSpec struct {
 	// Cloud SQL properties.
 	CloudSQLSpec *CloudSqlPropertiesSpec `json:"cloudSql,omitempty"`
 
-	/* NOTYET
 	// Amazon Web Services (AWS) properties.
-	Aws *AwsProperties `json:"aws,omitempty"`
-	*/
+	AwsSpec *AwsPropertiesSpec `json:"aws,omitempty"`
 
 	/* NOTYET
 	// Azure properties.
@@ -101,6 +99,8 @@ type BigQueryConnectionConnectionStatus struct {
 // BigQueryConnectionConnectionSpec defines the desired state of BigQueryConnectionConnection
 // +kcc:proto=google.cloud.bigquery.connection.v1.Connection
 type BigQueryConnectionConnectionObservedState struct {
+	Aws *AwsPropertiesStatus `json:"aws,omitempty"`
+
 	CloudResource *CloudResourcePropertiesStatus `json:"cloudResource,omitempty"`
 
 	CloudSql *CloudSqlPropertiesStatus `json:"cloudSql,omitempty"`
@@ -137,6 +137,18 @@ type BigQueryConnectionConnectionObservedState struct {
 	HasCredential *bool `json:"hasCredential,omitempty"`
 }
 
+type AwsPropertiesSpec struct {
+	// Authentication using Google owned service account to assume into
+	//  customer's AWS IAM Role.
+	AccessRole *AwsAccessRoleSpec `json:"accessRole,omitempty"`
+}
+
+type AwsAccessRoleSpec struct {
+	// The user’s AWS IAM Role that trusts the Google-owned AWS IAM user
+	//  Connection.
+	IamRoleID *string `json:"iamRoleID,omitempty"`
+}
+
 type CloudResourcePropertiesSpec struct{}
 
 type CloudSqlPropertiesSpec struct {
@@ -153,6 +165,18 @@ type CloudSqlPropertiesSpec struct {
 	Credential *CloudSqlCredential `json:"credential,omitempty"`
 }
 
+// +kcc:proto=google.cloud.bigquery.connection.v1.AwsProperties
+type AwsPropertiesStatus struct {
+	AccessRole *AwsAccessRoleStatus `json:"accessRole,omitempty"`
+}
+
+// +kcc:proto=google.cloud.bigquery.connection.v1.AwsAccessRole
+type AwsAccessRoleStatus struct {
+	// A unique Google-owned and Google-generated identity for the Connection.
+	//  This identity will be used to access the user's AWS IAM Role.
+	Identity *string `json:"identity,omitempty"`
+}
+
 // +kcc:proto=google.cloud.bigquery.connection.v1.CloudSqlProperties
 type CloudSqlPropertiesStatus struct {
 	// The account ID of the service used for the purpose of this connection.

config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_bigqueryconnectionconnections.bigqueryconnection.cnrm.cloud.google.com.yaml

@@ -61,6 +61,19 @@ spec:
             description: BigQueryConnectionConnectionSpec defines the desired state
               to connect BigQuery to external resources
             properties:
+              aws:
+                description: Amazon Web Services (AWS) properties.
+                properties:
+                  accessRole:
+                    description: Authentication using Google owned service account
+                      to assume into customer's AWS IAM Role.
+                    properties:
+                      iamRoleID:
+                        description: The user’s AWS IAM Role that trusts the Google-owned
+                          AWS IAM user Connection.
+                        type: string
+                    type: object
+                type: object
               cloudResource:
                 description: Use Cloud Resource properties.
                 type: object
@@ -212,6 +225,17 @@ spec:
                 description: ObservedState is the state of the resource as most recently
                   observed in GCP.
                 properties:
+                  aws:
+                    properties:
+                      accessRole:
+                        properties:
+                          identity:
+                            description: A unique Google-owned and Google-generated
+                              identity for the Connection. This identity will be used
+                              to access the user's AWS IAM Role.
+                            type: string
+                        type: object
+                    type: object
                   cloudResource:
                     properties:
                       serviceAccountID:

mockgcp/mockbigqueryconnection/connection.go

@@ -98,6 +98,30 @@ func (s *ConnectionV1) CreateConnection(ctx context.Context, req *pb.CreateConne
 		return fmt.Sprintf("service-%[email protected]", req.GetParent())
 	}
 
+	buildAwsAccessRoleIdentity := func() string {
+		letterRunes := []rune("0123456789")
+		b := make([]rune, 21)
+		for i := range b {
+			b[i] = letterRunes[rand.Intn(len(letterRunes))]
+		}
+		return string(b)
+	}
+
+	if _, ok := (req.Connection.Properties).(*pb.Connection_Aws); ok {
+		if aws := req.Connection.GetAws(); aws != nil {
+			obj.Properties = &pb.Connection_Aws{
+				Aws: &pb.AwsProperties{
+					AuthenticationMethod: &pb.AwsProperties_AccessRole{
+						AccessRole: &pb.AwsAccessRole{
+							IamRoleId: aws.GetAccessRole().GetIamRoleId(),
+							Identity:  buildAwsAccessRoleIdentity(),
+						},
+					},
+				},
+			}
+		}
+	}
+
 	if _, ok := (req.Connection.Properties).(*pb.Connection_CloudResource); ok {
 		obj.Properties = &pb.Connection_CloudResource{
 			CloudResource: &pb.CloudResourceProperties{
@@ -152,6 +176,13 @@ func (s *ConnectionV1) UpdateConnection(ctx context.Context, req *pb.UpdateConne
 		}
 	}
 	obj.LastModifiedTime = now.Unix()
+
+	if _, ok := (req.Connection.Properties).(*pb.Connection_Aws); ok {
+		if mod := req.Connection.GetAws(); mod != nil {
+			obj.GetAws().GetAccessRole().IamRoleId = mod.GetAccessRole().IamRoleId
+		}
+	}
+
 	if err := s.storage.Update(ctx, fqn, obj); err != nil {
 		return nil, err
 	}