Add condition and accessPolicyVersion to BQ dataset access (#12475)

obada-ab · web-flow · commit 8dd1c9d4e77b · 2024-12-16T13:36:50.000-08:00
diff --git a/mmv1/products/bigquery/Dataset.yaml b/mmv1/products/bigquery/Dataset.yaml
@@ -28,6 +28,8 @@ docs:
 base_url: 'projects/{{project}}/datasets'
 self_link: 'projects/{{project}}/datasets/{{dataset_id}}'
 has_self_link: true
+create_url: 'projects/{{project}}/datasets?accessPolicyVersion=3'
+update_url: 'projects/{{project}}/datasets/{{dataset_id}}?accessPolicyVersion=3'
 delete_url: 'projects/{{project}}/datasets/{{dataset_id}}?deleteContents={{delete_contents_on_destroy}}'
 import_format:
   - 'projects/{{project}}/datasets/{{dataset_id}}'
@@ -37,6 +39,7 @@ timeouts:
   delete_minutes: 20
 custom_code:
   constants: 'templates/terraform/constants/bigquery_dataset.go.tmpl'
+  pre_read: 'templates/terraform/pre_read/bigquery_dataset.go.tmpl'
 exclude_sweeper: true
 examples:
   - name: 'bigquery_dataset_basic'
@@ -83,11 +86,6 @@ examples:
       dataset_id: 'example_dataset'
       account_name: 'bqowner'
     exclude_docs: true
-  - name: 'bigquery_dataset_external_reference_aws_test'
-    primary_resource_id: 'dataset'
-    vars:
-      dataset_id: 'example_dataset'
-    exclude_docs: true
   - name: 'bigquery_dataset_external_reference_aws'
     primary_resource_id: 'dataset'
     vars:
@@ -242,6 +240,32 @@ properties:
                 A-Z), numbers (0-9), or underscores (_). The maximum length
                 is 256 characters.
               required: true
+        - name: 'condition'
+          type: NestedObject
+          description: |
+            Condition for the binding. If CEL expression in this field is true, this
+            access binding will be considered.
+          properties:
+            - name: expression
+              type: String
+              required: true
+              description: |
+                Textual representation of an expression in Common Expression Language syntax.
+            - name: title
+              type: String
+              description: |
+                Title for the expression, i.e. a short string describing its purpose.
+                This can be used e.g. in UIs which allow to enter the expression.
+            - name: description
+              type: String
+              description: |
+                Description of the expression. This is a longer text which describes the expression,
+                e.g. when hovered over it in a UI.
+            - name: location
+              type: String
+              description: |
+                String indicating the location of the expression for error reporting, e.g. a file
+                name and a position in the file.
   - name: 'creationTime'
     type: Integer
     description: |
diff --git a/mmv1/products/bigquery/DatasetAccess.yaml b/mmv1/products/bigquery/DatasetAccess.yaml
@@ -33,7 +33,8 @@ docs:
     The API does accept both formats but it will always return the legacy format which results in Terraform
     showing permanent diff on each plan and apply operation.
 base_url: 'projects/{{project}}/datasets/{{dataset_id}}'
-self_link: 'projects/{{project}}/datasets/{{dataset_id}}'
+id_format: 'projects/{{project}}/datasets/{{dataset_id}}'
+self_link: 'projects/{{project}}/datasets/{{dataset_id}}?accessPolicyVersion=3'
 create_verb: 'PATCH'
 delete_verb: 'PATCH'
 immutable: true
@@ -301,3 +302,29 @@ properties:
           A-Z), numbers (0-9), or underscores (_). The maximum length
           is 256 characters.
         required: true
+  - name: 'condition'
+    type: NestedObject
+    description: |
+      Condition for the binding. If CEL expression in this field is true, this
+      access binding will be considered.
+    properties:
+      - name: expression
+        type: String
+        required: true
+        description: |
+          Textual representation of an expression in Common Expression Language syntax.
+      - name: title
+        type: String
+        description: |
+          Title for the expression, i.e. a short string describing its purpose.
+          This can be used e.g. in UIs which allow to enter the expression.
+      - name: description
+        type: String
+        description: |
+          Description of the expression. This is a longer text which describes the expression,
+          e.g. when hovered over it in a UI.
+      - name: location
+        type: String
+        description: |
+          String indicating the location of the expression for error reporting, e.g. a file
+          name and a position in the file.
diff --git a/mmv1/templates/terraform/examples/bigquery_dataset_external_reference_aws_test.tf.tmpl b/mmv1/templates/terraform/examples/bigquery_dataset_external_reference_aws_test.tf.tmpl
diff --git a/mmv1/templates/terraform/pre_read/bigquery_dataset.go.tmpl b/mmv1/templates/terraform/pre_read/bigquery_dataset.go.tmpl
@@ -0,0 +1,13 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+    url = url + "?accessPolicyVersion=3";
diff --git a/mmv1/third_party/terraform/services/bigquery/resource_bigquery_dataset_access_test.go b/mmv1/third_party/terraform/services/bigquery/resource_bigquery_dataset_access_test.go
@@ -292,6 +292,40 @@ func TestAccBigQueryDatasetAccess_userByEmailWithMixedCase(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryDatasetAccess_withCondition(t *testing.T) {
+	t.Parallel()
+
+	datasetID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
+	saID := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+
+	expected := map[string]interface{}{
+		"condition": map[string]interface{}{
+			"description": "Request after midnight of 2019-12-31",
+			"expression":  "request.time > timestamp(\"2020-01-01T00:00:00Z\")",
+			"location":    "any.file.anywhere",
+			"title":       "test-condition",
+		},
+		"role":        "OWNER",
+		"userByEmail": fmt.Sprintf("%s@%s.iam.gserviceaccount.com", saID, envvar.GetTestProjectFromEnv()),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDatasetAccess_withCondition(datasetID, saID),
+				Check:  testAccCheckBigQueryDatasetAccessPresent(t, "google_bigquery_dataset.dataset", expected),
+			},
+			{
+				// Destroy step instead of CheckDestroy so we can check the access is removed without deleting the dataset
+				Config: testAccBigQueryDatasetAccess_destroy(datasetID, "dataset"),
+				Check:  testAccCheckBigQueryDatasetAccessAbsent(t, "google_bigquery_dataset.dataset", expected),
+			},
+		},
+	})
+}
+
 func TestAccBigQueryDatasetAccess_groupByEmailWithMixedCase(t *testing.T) {
 	t.Parallel()
 
@@ -575,3 +609,27 @@ resource "google_bigquery_dataset" "dataset" {
 }
 `, accessType, email, datasetID)
 }
+
+func testAccBigQueryDatasetAccess_withCondition(datasetID, saID string) string {
+	return fmt.Sprintf(`
+resource "google_bigquery_dataset_access" "withCondition" {
+  dataset_id    = google_bigquery_dataset.dataset.dataset_id
+  role          = "OWNER"
+  user_by_email = google_service_account.bqowner.email
+  condition {
+    title       = "test-condition"
+    description = "Request after midnight of 2019-12-31"
+    expression  = "request.time > timestamp(\"2020-01-01T00:00:00Z\")"
+    location    = "any.file.anywhere"
+  }
+}
+
+resource "google_bigquery_dataset" "dataset" {
+  dataset_id = "%s"
+}
+
+resource "google_service_account" "bqowner" {
+  account_id = "%s"
+}
+`, datasetID, saID)
+}
diff --git a/mmv1/third_party/terraform/services/bigquery/resource_bigquery_dataset_test.go.tmpl b/mmv1/third_party/terraform/services/bigquery/resource_bigquery_dataset_test.go.tmpl
@@ -297,6 +297,15 @@ func TestAccBigQueryDataset_access(t *testing.T) {
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
 			},
+			{
+				Config: testAccBigQueryDatasetWithConditionAccess(datasetID),
+			},
+			{
+				ResourceName:            "google_bigquery_dataset.access_test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
 			{
 				Config: testAccBigQueryDatasetWithViewAccess(datasetID, otherDatasetID, otherTableID),
 			},
@@ -454,6 +463,31 @@ func TestAccBigQueryDataset_bigqueryDatasetResourceTags_update(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryDataset_bigqueryDatasetExternalReferenceAws(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryDatasetDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDataset_bigqueryDatasetExternalReferenceAws(context),
+			},
+			{
+				ResourceName:            "google_bigquery_dataset.dataset",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels", "etag", "last_modified_time"},
+			},
+		},
+	})
+}
+
 {{- if ne $.TargetVersionName "ga" }}
 func TestAccBigQueryDataset_externalCatalogDatasetOptions_update(t *testing.T) {
 	t.Parallel()
@@ -706,6 +740,35 @@ resource "google_bigquery_dataset" "access_test" {
 `, datasetID)
 }
 
+func testAccBigQueryDatasetWithConditionAccess(datasetID string) string {
+	return fmt.Sprintf(`
+resource "google_bigquery_dataset" "access_test" {
+  dataset_id = "%s"
+
+  access {
+    role          = "OWNER"
+    user_by_email = "Joe@example.com"
+  }
+
+  access {
+    role          = "READER"
+    user_by_email = "Joe@example.com"
+    condition {
+        title       = "test-condition"
+        description = "Request after midnight of 2019-12-31"
+        expression  = "request.time > timestamp(\"2020-01-01T00:00:00Z\")"
+        location    = "any.file.anywhere"
+    }
+  }
+
+  labels = {
+    env                         = "foo"
+    default_table_expiration_ms = 3600000
+  }
+}
+`, datasetID)
+}
+
 func testAccBigQueryDatasetWithThreeAccess(datasetID string) string {
 	return fmt.Sprintf(`
 resource "google_bigquery_dataset" "access_test" {
@@ -939,3 +1002,19 @@ resource "google_bigquery_dataset" "dataset" {
 }
 `, context)
 }
+
+func testAccBigQueryDataset_bigqueryDatasetExternalReferenceAws(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_bigquery_dataset" "dataset" {
+  dataset_id                  = "dataset%{random_suffix}"
+  friendly_name               = "test"
+  description                 = "This is a test description"
+  location                    = "aws-us-east-1"
+
+  external_dataset_reference {
+    external_source = "aws-glue://arn:aws:glue:us-east-1:772042918353:database/db_other_formats_external"
+    connection      = "projects/bigquerytestdefault/locations/aws-us-east-1/connections/external_test-connection"
+  }
+}
+`, context)
+}
