Add ControlPlaneAccess support for Apigee

Akshay Pai · Akshay Pai · commit 7be75908bfa1 · 2025-01-21T23:23:02.000Z
diff --git a/mmv1/products/apigee/ControlPlaneAccess.yaml b/mmv1/products/apigee/ControlPlaneAccess.yaml
@@ -0,0 +1,83 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'ControlPlaneAccess'
+api_resource_type_kind: Organization
+description: |
+  Authorize the Runtime components to access directly with Apigee Control Plane.
+references:
+  guides:
+    'Enable ControlPlane access': 'https://cloud.google.com/apigee/docs/hybrid/v1.14/install-enable-control-plane-access'
+  api: 'https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations/updateControlPlaneAccess'
+docs:
+id_format: 'organizations/{{name}}/controlPlaneAccess'
+base_url: ''
+self_link: 'organizations/{{name}}/controlPlaneAccess'
+create_url: 'organizations/{{name}}/controlPlaneAccess'
+update_url: 'organizations/{{name}}/controlPlaneAccess'
+create_verb: 'PATCH'
+update_verb: 'PATCH'
+update_mask: true
+exclude_delete: true
+import_format:
+  - 'organizations/{{name}}/controlPlaneAccess'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_code:
+examples:
+  - name: 'apigee_control_plane_access_basic_test'
+    primary_resource_id: 'apigee_control_plane_access'
+    vars:
+      account_id: 'my-account'
+      project_id: 'my-project'
+    test_env_vars:
+      org_id: 'ORG_ID'
+      billing_account: 'BILLING_ACCT'
+parameters:
+  - name: 'name'
+    type: String
+    description: |
+      Name of the Apigee organization.
+    url_param_only: true
+    required: true
+    immutable: true
+properties:
+  - name: 'synchronizer_identities'
+    type: Array
+    description: |
+      Array of service accounts to grant access to control plane resources (for the Synchronizer component), each specified using the following format: `serviceAccount:service-account-name`.
+
+      The `service-account-name` is formatted like an email address. For example: serviceAccount@my_project_id.iam.gserviceaccount.com
+
+      You might specify multiple service accounts, for example, if you have multiple environments and wish to assign a unique service account to each one.
+
+      The service accounts must have **Apigee Synchronizer Manager** role. See also [Create service accounts](https://cloud.google.com/apigee/docs/hybrid/v1.8/sa-about#create-the-service-accounts).
+    required: false
+    send_empty_value: true
+    item_type:
+      type: String
+  - name: 'analytics_publisher_identities'
+    type: Array
+    description: |
+      Array of service accounts authorized to publish analytics data to the control plane, each specified using the following format: `serviceAccount:service-account-name`.
+
+      The `service-account-name` is formatted like an email address. For example: serviceAccount@my_project_id.iam.gserviceaccount.com
+
+      You might specify multiple service accounts, for example, if you have multiple environments and wish to assign a unique service account to each one.
+    required: false
+    send_empty_value: true
+    item_type:
+      type: String
diff --git a/mmv1/templates/terraform/examples/apigee_control_plane_access_basic_test.tf.tmpl b/mmv1/templates/terraform/examples/apigee_control_plane_access_basic_test.tf.tmpl
@@ -0,0 +1,42 @@
+resource "google_project" "project" {
+  project_id      = "{{index $.Vars "project_id"}}"
+  name            = "{{index $.Vars "project_id"}}"
+  org_id          = "{{index $.TestEnvVars "org_id"}}"
+  billing_account = "{{index $.TestEnvVars "billing_account"}}"
+  deletion_policy = "DELETE"
+}
+
+resource "google_project_service" "apigee" {
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_apigee_organization" "apigee_org" {
+  analytics_region   = "us-central1"
+  project_id         = google_project.project.project_id
+
+  runtime_type       = "HYBRID"
+  depends_on         = [google_project_service.apigee]
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = "{{index $.Vars "account_id"}}"
+  display_name = "Service Account"
+}
+
+resource "google_project_iam_member" "synchronizer-iam" {
+  project = google_project.project.project_id
+  role    = "roles/apigee.synchronizerManager"
+  member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_apigee_control_plane_access" "{{$.PrimaryResourceId}}" {
+  name       = google_apigee_organization.apigee_org.name
+  synchronizer_identities = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+  analytics_publisher_identities = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+  depends_on = [google_project_iam_member.synchronizer-iam]
+}
