Add new resource IAM OAuth Client for Workforce Identity Federation. (GoogleCloudPlatform#13209)

Author: plus-1s

mmv1/products/iamworkforcepool/OauthClient.yaml

@@ -0,0 +1,158 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: OauthClient
+description: |
+  Represents an OAuth Client. Used to access Google Cloud resources on behalf of a
+  Workforce Identity Federation user by using OAuth 2.0 Protocol to obtain an access
+  token from Google Cloud.
+references:
+  guides:
+    "Managing OAuth clients": "https://cloud.google.com/iam/docs/workforce-manage-oauth-app#manage-clients"
+  api: "https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.oauthClients"
+base_url: projects/{{project}}/locations/{{location}}/oauthClients
+update_mask: true
+self_link: projects/{{project}}/locations/{{location}}/oauthClients/{{oauth_client_id}}
+create_url: projects/{{project}}/locations/{{location}}/oauthClients?oauthClientId={{oauth_client_id}}
+update_verb: PATCH
+id_format: projects/{{project}}/locations/{{location}}/oauthClients/{{oauth_client_id}}
+import_format:
+  - projects/{{project}}/locations/{{location}}/oauthClients/{{oauth_client_id}}
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_code:
+  constants: "templates/terraform/constants/iam_oauth_client.go.tmpl"
+  decoder: "templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl"
+  test_check_destroy: "templates/terraform/custom_check_destroy/iam_oauth_client.go.tmpl"
+  post_create: "templates/terraform/post_create/sleep.go.tmpl"
+  post_update: "templates/terraform/post_create/sleep.go.tmpl"
+  post_delete: "templates/terraform/post_create/sleep.go.tmpl"
+exclude_sweeper: true
+examples:
+  - name: "iam_oauth_client_basic"
+    primary_resource_id: "example"
+    vars:
+      oauth_client_id: "example-client-id"
+  - name: "iam_oauth_client_full"
+    primary_resource_id: "example"
+    vars:
+      oauth_client_id: "example-client-id"
+parameters:
+  - name: location
+    type: String
+    description: Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
+    immutable: true
+    url_param_only: true
+    required: true
+  - name: oauthClientId
+    type: String
+    description: |-
+      Required. The ID to use for the OauthClient, which becomes the final component of
+      the resource name. This value should be a string of 6 to 63 lowercase
+      letters, digits, or hyphens. It must start with a letter, and cannot have a
+      trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may
+      not be specified.
+    immutable: true
+    url_param_only: true
+    required: true
+properties:
+  - name: allowedScopes
+    type: Array
+    description: |-
+      Required. The list of scopes that the OauthClient is allowed to request during
+      OAuth flows.
+
+      The following scopes are supported:
+
+      * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure,
+      and delete your Google Cloud data and see the email address for your Google
+      Account.
+      * `openid`: The OAuth client can associate you with your personal
+      information on Google Cloud.
+      * `email`: The OAuth client can read a federated identity's email address.
+      * `groups`: The OAuth client can read a federated identity's groups.
+    required: true
+    item_type:
+      type: String
+  - name: name
+    type: String
+    description: |-
+      Immutable. Identifier. The resource name of the OauthClient.
+
+      Format:`projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
+    output: true
+    immutable: true
+  - name: state
+    type: String
+    description: |-
+      Output only. The state of the OauthClient.
+      Possible values:
+      STATE_UNSPECIFIED
+      ACTIVE
+      DELETED
+    output: true
+  - name: disabled
+    type: Boolean
+    description: |-
+      Optional. Whether the OauthClient is disabled. You cannot use a disabled OAuth
+      client.
+  - name: clientId
+    type: String
+    description: Output only. The system-generated OauthClient id.
+    output: true
+  - name: displayName
+    type: String
+    description: |-
+      Optional. A user-specified display name of the OauthClient.
+
+      Cannot exceed 32 characters.
+  - name: description
+    type: String
+    description: |-
+      Optional. A user-specified description of the OauthClient.
+
+      Cannot exceed 256 characters.
+  - name: allowedGrantTypes
+    type: Array
+    description: Required. The list of OAuth grant types is allowed for the OauthClient.
+    required: true
+    item_type:
+      type: String
+  - name: expireTime
+    type: String
+    description: |-
+      Output only. Time after which the OauthClient will be permanently purged and cannot
+      be recovered.
+    output: true
+  - name: clientType
+    type: String
+    description: |-
+      Immutable. The type of OauthClient. Either public or private.
+      For private clients, the client secret can be managed using the dedicated
+      OauthClientCredential resource.
+      Possible values:
+      CLIENT_TYPE_UNSPECIFIED
+      PUBLIC_CLIENT
+      CONFIDENTIAL_CLIENT
+    immutable: true
+  - name: allowedRedirectUris
+    type: Array
+    description: |-
+      Required. The list of redirect uris that is allowed to redirect back
+      when authorization process is completed.
+    required: true
+    item_type:
+      type: String

mmv1/products/iamworkforcepool/product.yaml

@@ -22,9 +22,3 @@ versions:
     base_url: 'https://iam.googleapis.com/v1/'
 scopes:
   - 'https://www.googleapis.com/auth/iam'
-async:
-  type: "OpAsync"
-  operation:
-    base_url: '{{op_id}}'
-  result:
-    resource_inside_response: false

mmv1/templates/terraform/constants/iam_oauth_client.go.tmpl

@@ -0,0 +1,20 @@
+const oauthClientIdRegexp = `^[a-z][a-z0-9-]{4,61}[a-z0-9]$`
+
+func ValidateOauthClientId(v interface{}, k string) (ws []string, errors []error) {
+    value := v.(string)
+
+    if strings.HasPrefix(value, "gcp-") {
+        errors = append(errors, fmt.Errorf(
+            "%q (%q) can not start with \"gcp-\". " +
+            "The prefix `gcp-` is reserved for use by Google, and may not be specified.", k, value))
+    }
+
+    if !regexp.MustCompile(oauthClientIdRegexp).MatchString(value) {
+        errors = append(errors, fmt.Errorf(
+            "%q (%q) must contain only lowercase letters [a-z], digits [0-9], and hyphens " +
+            "[-]. The OauthClient ID must be between 6 and 63 characters, begin " +
+            "with a letter, and cannot have a trailing hyphen.", k, value))
+    }
+
+    return
+}

mmv1/templates/terraform/custom_check_destroy/iam_oauth_client.go.tmpl

@@ -0,0 +1,22 @@
+config := acctest.GoogleProviderConfig(t)
+
+url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{"{{"}}IAMWorkforcePoolBasePath{{"}}"}}projects/{{"{{"}}project{{"}}"}}/locations/global/oauthClients/{{"{{"}}oauth_client_id{{"}}"}}")
+if err != nil {
+  return err
+}
+
+res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+	Config: config,
+	Method: "GET",
+	RawURL: url,
+	UserAgent: config.UserAgent,
+})
+if err != nil {
+  return nil
+}
+
+if v := res["state"]; v == "DELETED" {
+	return nil
+}
+
+return fmt.Errorf("IAMOAuthCLient still exists at %s", url)

mmv1/templates/terraform/examples/iam_oauth_client_basic.tf.tmpl

@@ -0,0 +1,8 @@
+resource "google_iam_oauth_client" "{{$.PrimaryResourceId}}" {
+  oauth_client_id = "{{index $.Vars "oauth_client_id"}}"
+  location                  = "global"
+  allowed_grant_types       = ["AUTHORIZATION_CODE_GRANT"]
+  allowed_redirect_uris     = ["https://www.example.com"]
+  allowed_scopes            = ["https://www.googleapis.com/auth/cloud-platform"]
+  client_type               = "CONFIDENTIAL_CLIENT"
+}

mmv1/templates/terraform/examples/iam_oauth_client_full.tf.tmpl

@@ -0,0 +1,11 @@
+resource "google_iam_oauth_client" "{{$.PrimaryResourceId}}" {
+  oauth_client_id = "{{index $.Vars "oauth_client_id"}}"
+  display_name              = "Display Name of OAuth client"
+  description               = "A sample OAuth client"
+  location                  = "global"
+  disabled                  = false
+  allowed_grant_types       = ["AUTHORIZATION_CODE_GRANT"]
+  allowed_redirect_uris     = ["https://www.example.com"]
+  allowed_scopes            = ["https://www.googleapis.com/auth/cloud-platform"]
+  client_type               = "CONFIDENTIAL_CLIENT"
+}

mmv1/third_party/terraform/services/iamworkforcepool/resource_iam_oauth_client_test.go.tmpl

@@ -0,0 +1,135 @@
+package iamworkforcepool_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+)
+
+func TestAccIAMWorkforcePoolOauthClient_basic(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIAMWorkforcePoolOauthClientDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMWorkforcePoolOauthClient_basic(context),
+			},
+			{
+				ResourceName:            "google_iam_oauth_client.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"location", "oauth_client_id"},
+			},
+            {
+				Config: testAccIAMWorkforcePoolOauthClient_basic_update(context),
+			},
+			{
+				ResourceName:            "google_iam_oauth_client.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"location", "oauth_client_id"},
+			},
+		},
+	})
+}
+
+func testAccIAMWorkforcePoolOauthClient_basic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_oauth_client" "example" {
+  oauth_client_id = "tf-test-example-client-id%{random_suffix}"
+  location                  = "global"
+  allowed_grant_types       = ["AUTHORIZATION_CODE_GRANT"]
+  allowed_redirect_uris     = ["https://www.example.com"]
+  allowed_scopes            = ["https://www.googleapis.com/auth/cloud-platform"]
+  client_type               = "CONFIDENTIAL_CLIENT"
+}
+`, context)
+}
+
+func testAccIAMWorkforcePoolOauthClient_basic_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_oauth_client" "example" {
+  oauth_client_id = "tf-test-example-client-id%{random_suffix}"
+  location                  = "global"
+  allowed_grant_types       = ["AUTHORIZATION_CODE_GRANT"]
+  allowed_redirect_uris     = ["https://www.update.com"]
+  allowed_scopes            = ["https://www.googleapis.com/auth/cloud-platform", "openid"]
+  client_type               = "CONFIDENTIAL_CLIENT"
+}
+`, context)
+}
+
+func TestAccIAMWorkforcePoolOauthClient_full(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIAMWorkforcePoolOauthClientDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMWorkforcePoolOauthClient_full(context),
+			},
+			{
+				ResourceName:            "google_iam_oauth_client.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"location", "oauth_client_id"},
+			},
+            {
+				Config: testAccIAMWorkforcePoolOauthClient_full_update(context),
+			},
+			{
+				ResourceName:            "google_iam_oauth_client.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"location", "oauth_client_id"},
+			},
+		},
+	})
+}
+
+func testAccIAMWorkforcePoolOauthClient_full(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_oauth_client" "example" {
+  oauth_client_id = "tf-test-example-client-id%{random_suffix}"
+  display_name              = "Display Name of OAuth client"
+  description               = "A sample OAuth client"
+  location                  = "global"
+  disabled                  = false
+  allowed_grant_types       = ["AUTHORIZATION_CODE_GRANT"]
+  allowed_redirect_uris     = ["https://www.example.com"]
+  allowed_scopes            = ["https://www.googleapis.com/auth/cloud-platform"]
+  client_type               = "CONFIDENTIAL_CLIENT"
+}
+`, context)
+}
+
+func testAccIAMWorkforcePoolOauthClient_full_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_oauth_client" "example" {
+  oauth_client_id = "tf-test-example-client-id%{random_suffix}"
+  display_name              = "Updated displayName"
+  description               = "Updated description"
+  location                  = "global"
+  disabled                  = true
+  allowed_grant_types       = ["AUTHORIZATION_CODE_GRANT", ]
+  allowed_redirect_uris     = ["https://www.update.com"]
+  allowed_scopes            = ["https://www.googleapis.com/auth/cloud-platform", "openid"]
+  client_type               = "CONFIDENTIAL_CLIENT"
+}
+`, context)
+}