Add ControlPlaneAccess support for Apigee (GoogleCloudPlatform#12825)

akspi · Akshay Pai · Dawid212 · commit 2a7aab7acc93 · 2025-04-09T22:04:52.000+02:00
Co-authored-by: Akshay Pai &lt;akshaypai@google.com&gt;
diff --git a/mmv1/products/apigee/ControlPlaneAccess.yaml b/mmv1/products/apigee/ControlPlaneAccess.yaml
@@ -0,0 +1,86 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'ControlPlaneAccess'
+description: |
+  Authorize the Runtime components to access directly with Apigee Control Plane.
+references:
+  guides:
+    'Enable ControlPlane access': 'https://cloud.google.com/apigee/docs/hybrid/v1.14/install-enable-control-plane-access'
+  api: 'https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations/updateControlPlaneAccess'
+docs:
+id_format: 'organizations/{{name}}/controlPlaneAccess'
+base_url: ''
+self_link: 'organizations/{{name}}/controlPlaneAccess'
+create_verb: 'PATCH'
+update_verb: 'PATCH'
+async:
+  actions: ['create', 'update']
+  type: 'OpAsync'
+  operation:
+    base_url: '{{op_id}}'
+  result:
+    resource_inside_response: true
+autogen_async: true
+update_mask: true
+exclude_delete: true
+import_format:
+  - 'organizations/{{name}}/controlPlaneAccess'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_code:
+examples:
+  - name: 'apigee_control_plane_access_basic_test'
+    primary_resource_id: 'apigee_control_plane_access'
+    vars:
+      account_id: 'my-account'
+      project_id: 'my-project'
+    test_env_vars:
+      org_id: 'ORG_ID'
+      billing_account: 'BILLING_ACCT'
+parameters:
+  - name: 'name'
+    type: String
+    description: |
+      Name of the Apigee organization.
+    url_param_only: true
+    required: true
+    immutable: true
+properties:
+  - name: 'synchronizerIdentities'
+    type: Array
+    description: |
+      Array of service accounts to grant access to control plane resources (for the Synchronizer component), each specified using the following format: `serviceAccount:service-account-name`.
+
+      The `service-account-name` is formatted like an email address. For example: serviceAccount@my_project_id.iam.gserviceaccount.com
+
+      You might specify multiple service accounts, for example, if you have multiple environments and wish to assign a unique service account to each one.
+
+      The service accounts must have **Apigee Synchronizer Manager** role. See also [Create service accounts](https://cloud.google.com/apigee/docs/hybrid/v1.8/sa-about#create-the-service-accounts).
+    send_empty_value: true
+    item_type:
+      type: String
+  - name: 'analyticsPublisherIdentities'
+    type: Array
+    description: |
+      Array of service accounts authorized to publish analytics data to the control plane, each specified using the following format: `serviceAccount:service-account-name`.
+
+      The `service-account-name` is formatted like an email address. For example: serviceAccount@my_project_id.iam.gserviceaccount.com
+
+      You might specify multiple service accounts, for example, if you have multiple environments and wish to assign a unique service account to each one.
+    send_empty_value: true
+    item_type:
+      type: String
diff --git a/mmv1/templates/terraform/examples/apigee_control_plane_access_basic_test.tf.tmpl b/mmv1/templates/terraform/examples/apigee_control_plane_access_basic_test.tf.tmpl
@@ -0,0 +1,41 @@
+resource "google_project" "project" {
+  project_id      = "{{index $.Vars "project_id"}}"
+  name            = "{{index $.Vars "project_id"}}"
+  org_id          = "{{index $.TestEnvVars "org_id"}}"
+  billing_account = "{{index $.TestEnvVars "billing_account"}}"
+  deletion_policy = "DELETE"
+}
+
+resource "google_project_service" "apigee" {
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_apigee_organization" "apigee_org" {
+  analytics_region   = "us-central1"
+  project_id         = google_project.project.project_id
+
+  runtime_type       = "HYBRID"
+  depends_on         = [google_project_service.apigee]
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = "{{index $.Vars "account_id"}}"
+  display_name = "Service Account"
+}
+
+resource "google_project_iam_member" "synchronizer-iam" {
+  project = google_project.project.project_id
+  role    = "roles/apigee.synchronizerManager"
+  member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_apigee_control_plane_access" "{{$.PrimaryResourceId}}" {
+  name       = google_apigee_organization.apigee_org.name
+  synchronizer_identities = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+  analytics_publisher_identities = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
diff --git a/mmv1/third_party/terraform/services/apigee/resource_apigee_control_plane_access_test.go b/mmv1/third_party/terraform/services/apigee/resource_apigee_control_plane_access_test.go
@@ -0,0 +1,122 @@
+package apigee_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccApigeeControlPlaneAccess_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"random_suffix":   acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccApigeeControlPlaneAccess_full(context),
+			},
+			{
+				ResourceName:            "google_apigee_control_plane_access.apigee_control_plane_access",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name"},
+			},
+			{
+				Config: testAccApigeeControlPlaneAccess_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_apigee_control_plane_access.apigee_control_plane_access", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_apigee_control_plane_access.apigee_control_plane_access",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name"},
+			},
+		},
+	})
+}
+
+func testAccApigeeControlPlaneAccess_full(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_project" "project" {
+  project_id      = "tf-test-my-project%{random_suffix}"
+  name            = "tf-test-my-project%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+  deletion_policy = "DELETE"
+}
+
+resource "google_project_service" "apigee" {
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_apigee_organization" "apigee_org" {
+  analytics_region   = "us-central1"
+  project_id         = google_project.project.project_id
+
+  runtime_type       = "HYBRID"
+  depends_on         = [google_project_service.apigee]
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = "sa-%{random_suffix}"
+  display_name = "Service Account"
+}
+
+resource "google_apigee_control_plane_access" "apigee_control_plane_access" {
+  name       = google_apigee_organization.apigee_org.name
+  synchronizer_identities = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+  analytics_publisher_identities = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
+`, context)
+}
+
+func testAccApigeeControlPlaneAccess_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_project" "project" {
+  project_id      = "tf-test-my-project%{random_suffix}"
+  name            = "tf-test-my-project%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+  deletion_policy = "DELETE"
+}
+
+resource "google_project_service" "apigee" {
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_apigee_organization" "apigee_org" {
+  analytics_region   = "us-central1"
+  project_id         = google_project.project.project_id
+
+  runtime_type       = "HYBRID"
+  depends_on         = [google_project_service.apigee]
+}
+
+resource "google_apigee_control_plane_access" "apigee_control_plane_access" {
+  name       = google_apigee_organization.apigee_org.name
+  synchronizer_identities = []
+  analytics_publisher_identities = []
+}
+`, context)
+}
