terraform suport for google_folder_service_identity (#13462)

Author: yerniyazN

mmv1/third_party/terraform/provider/provider_mmv1_resources.go.tmpl

@@ -382,6 +382,7 @@ var handwrittenResources = map[string]*schema.Resource{
 	"google_endpoints_service":                     servicemanagement.ResourceEndpointsService(),
 	"google_folder":                                resourcemanager.ResourceGoogleFolder(),
 	"google_folder_organization_policy":            resourcemanager.ResourceGoogleFolderOrganizationPolicy(),
+	"google_folder_service_identity":               resourcemanager.ResourceFolderServiceIdentity(),
 	"google_logging_billing_account_sink":          logging.ResourceLoggingBillingAccountSink(),
 	"google_logging_billing_account_exclusion":     logging.ResourceLoggingExclusion(logging.BillingAccountLoggingExclusionSchema, logging.NewBillingAccountLoggingExclusionUpdater, logging.BillingAccountLoggingExclusionIdParseFunc),
 	"google_logging_billing_account_bucket_config": logging.ResourceLoggingBillingAccountBucketConfig(),

mmv1/third_party/terraform/services/resourcemanager/resource_folder_service_identity.go.tmpl

@@ -0,0 +1,132 @@
+package resourcemanager
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/hashicorp/terraform-provider-google/google/services/serviceusage"
+	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func ResourceFolderServiceIdentity() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceFolderServiceIdentityCreate,
+		Read:   resourceFolderServiceIdentityRead,
+		Delete: resourceFolderServiceIdentityDelete,
+
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(20 * time.Minute),
+			Read:   schema.DefaultTimeout(10 * time.Minute),
+			Delete: schema.DefaultTimeout(20 * time.Minute),
+		},
+
+		CustomizeDiff: customdiff.All(
+			tpgresource.DefaultProviderProject,
+		),
+
+		Schema: map[string]*schema.Schema{
+			"service": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"folder": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"email": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"member": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `The Identity of the Google managed service account in the form 'serviceAccount:{email}'. This value is often used to refer to the service account in order to grant IAM permissions.`,
+			},
+		},
+		UseJSONNumber: true,
+	}
+}
+
+func resourceFolderServiceIdentityCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*transport_tpg.Config)
+	userAgent, err :=  tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	if err != nil {
+		return err
+	}
+
+	url, err := tpgresource.ReplaceVars(d, config, "{{"{{"}}ServiceUsageBasePath{{"}}"}}folders/{{"{{"}}folder{{"}}"}}/services/{{"{{"}}service{{"}}"}}:generateServiceIdentity")
+	if err != nil {
+		return err
+	}
+
+	billingProject := ""
+
+	// err == nil indicates that the billing_project value was found
+	if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+		billingProject = bp
+	}
+	if err != nil {
+		return err
+	}
+
+	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config: config,
+		Method: "POST",
+		Project: billingProject,
+		RawURL: url,
+		UserAgent: userAgent,
+		Timeout: d.Timeout(schema.TimeoutCreate),
+	})
+	if err != nil {
+		return fmt.Errorf("Error creating Folder Service Identity: %s", err)
+	}
+
+	var opRes map[string]interface{}
+	err = serviceusage.ServiceUsageOperationWaitTimeWithResponse(
+		config, res, &opRes, billingProject, "Creating Folder Service Identity", userAgent,
+		d.Timeout(schema.TimeoutCreate))
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] Finished creating Folder Service Identity %q: %#v", d.Id(), res)
+
+	id, err := tpgresource.ReplaceVars(d, config, "folders/{{"{{"}}folder{{"}}"}}/services/{{"{{"}}service{{"}}"}}")
+	if err != nil {
+		return fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+
+	// This API may not return the service identity's details, even if the relevant
+	// Google API is configured for service identities.
+	if emailVal, ok := opRes["email"]; ok {
+		email, ok := emailVal.(string)
+		if !ok {
+			return fmt.Errorf("unexpected type for email: got %T, want string", email)
+		}
+		if err := d.Set("email", email); err != nil {
+			return fmt.Errorf("Error setting email: %s", err)
+		}
+		if err := d.Set("member", "serviceAccount:"+email); err != nil {
+			return fmt.Errorf("Error setting member: %s", err)
+		}
+	}
+	return nil
+}
+
+// There is no read endpoint for this API.
+func resourceFolderServiceIdentityRead(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
+
+// There is no delete endpoint for this API.
+func resourceFolderServiceIdentityDelete(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}

mmv1/third_party/terraform/services/resourcemanager/resource_folder_service_identity_meta.yaml.tmpl

@@ -0,0 +1,10 @@
+resource: 'google_folder_service_identity'
+generation_type: 'handwritten'
+api_service_name: 'serviceusage.googleapis.com'
+api_version: 'v1'
+api_resource_type_kind: 'Service'
+fields:
+  - field: 'email'
+  - field: 'member'
+  - field: 'folder'
+  - field: 'service'

mmv1/third_party/terraform/services/resourcemanager/resource_folder_service_identity_test.go.tmpl

@@ -0,0 +1,64 @@
+package resourcemanager_test
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccFolderServiceIdentity_basic(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":         envvar.GetTestOrgFromEnv(t),
+		"random_suffix":  acctest.RandString(t, 5),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleFolderServiceIdentity_basic(context),
+				Check: resource.ComposeTestCheckFunc(
+					// Email field for osconfig service account should be non-empty and contain at least an "@".
+					resource.TestCheckResourceAttrWith("google_folder_service_identity.osconfig_sa", "email", func(value string) error {
+						if strings.Contains(value, "@") {
+							return nil
+						}
+						return fmt.Errorf("osconfig_sa service identity email value was %s, expected a valid email", value)
+					}),
+					// Member field for osconfig service account should start with "serviceAccount:service-folder-" and end with "@gcp-sa-osconfig.iam.gserviceaccount.com"
+					resource.TestCheckResourceAttrWith("google_folder_service_identity.osconfig_sa", "member", func(value string) error {
+						if !strings.HasPrefix(value, "serviceAccount:service-folder-") {
+							return fmt.Errorf("osconfig_sa folder service identity member value %q does not start with 'serviceAccount:service-folder-'", value)
+						}
+						if !strings.HasSuffix(value, "@gcp-sa-osconfig.iam.gserviceaccount.com") {
+							return fmt.Errorf("osconfig_sa folder service identity member value %q does not end with '@gcp-sa-osconfig.iam.gserviceaccount.com'", value)
+						}
+						return nil
+					}),
+				),
+			},
+		},
+	})
+}
+
+func testGoogleFolderServiceIdentity_basic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_folder" "folder" {
+  parent = "organizations/%{org_id}"
+  display_name = "test-folder-%{random_suffix}"
+  deletion_protection = false
+}
+
+resource "google_folder_service_identity" "osconfig_sa" {
+  folder = google_folder.folder.folder_id
+  service = "osconfig.googleapis.com"
+}
+`, context)
+}

mmv1/third_party/terraform/website/docs/r/folder_service_identity.html.markdown

@@ -0,0 +1,71 @@
+---
+subcategory: "Cloud Platform"
+description: |-
+ Generate folder service identity for a service.
+---
+
+# google_folder_service_identity
+
+Generate folder service identity for a service.
+
+~> **Note:** Once created, this resource cannot be updated or destroyed. These
+actions are a no-op.
+
+~> **Note:** This resource can be used to retrieve the emails of the [Google-managed folder service accounts](https://cloud.google.com/iam/docs/service-agents) 
+of the APIs that Google has configured with a Service Identity. You can run `gcloud beta services identity create --service SERVICE_NAME.googleapis.com --folder FOLDER` to
+verify if an API supports this.
+
+To get more information about Service Identity, see:
+
+* [API documentation](https://cloud.google.com/service-usage/docs/reference/rest/v1beta1/services/generateServiceIdentity)
+
+## Example Usage - Folder Service Identity Basic
+
+```hcl
+resource "google_folder" "my_folder" {
+  parent = "organizations/1234567"
+  display_name = "my-folder"
+}
+
+resource "google_folder_service_identity" "osconfig_sa" {
+  folder = google_folder.my_folder.folder_id
+  service = "osconfig.googleapis.com"
+}
+
+
+resource "google_folder_iam_member" "admin" {
+  folder = google_folder.my_folder.name
+  role   = "roles/osconfig.serviceAgent"
+  member = google_folder_service_identity.osconfig_sa.member
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `service` -
+  (Required)
+  The service to generate identity for.
+
+- - -
+
+* `folder` - (Required) The folder in which the resource belongs.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+* `email` - The email address of the Google managed service account.
+* `member` - The Identity of the Google managed service account in the form 'serviceAccount:{email}'. This value is often used to refer to the service account in order to grant IAM permissions.
+
+## Import
+
+This resource does not support import.
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: configuration options:
+
+* `create` - Default is 20 minutes.