add google_iam_principal_access_boundary_policy resource (#12044)

Co-authored-by: Sarah French <[email protected]>

Author: derekchu-google

mmv1/products/iam3/PrincipalAccessBoundaryPolicy.yaml

@@ -0,0 +1,161 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'PrincipalAccessBoundaryPolicy'
+description: An IAM Principal Access Boundary Policy resource
+references:
+  guides:
+    'Create and apply Principal Access Boundaries': 'https://cloud.google.com/iam/docs/principal-access-boundary-policies-create'
+  api: 'https://cloud.google.com/iam/docs/reference/rest/v3beta/organizations.locations.principalAccessBoundaryPolicies'
+min_version: 'beta'
+id_format: 'organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}'
+base_url: 'organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies'
+self_link: 'organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}'
+create_url: 'organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies?principalAccessBoundaryPolicyId={{principal_access_boundary_policy_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+  - 'organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+autogen_async: true
+async:
+  actions: ['create', 'delete', 'update']
+  type: 'OpAsync'
+  operation:
+    base_url: '{{op_id}}'
+    path: 'name'
+    wait_ms: 1000
+  result:
+    path: 'response'
+    resource_inside_response: true
+  error:
+    path: 'error'
+    message: 'message'
+examples:
+  - name: 'iam_principal_access_boundary_policy'
+    min_version: 'beta'
+    primary_resource_id: 'my-pab-policy'
+    test_env_vars:
+      org_id: 'ORG_ID'
+    vars:
+      display_name: 'test pab policy'
+      pab_id: 'test-pab-policy'
+parameters:
+  - name: 'organization'
+    type: String
+    description: |
+      The parent organization of the principal access boundary policy.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'location'
+    type: String
+    description: |
+      The location the principal access boundary policy is in.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'principalAccessBoundaryPolicyId'
+    type: String
+    description: |
+      The ID to use to create the principal access boundary policy.
+      This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.
+    url_param_only: true
+    required: true
+    immutable: true
+properties:
+  - name: 'name'
+    type: String
+    description: |
+      Identifier. The resource name of the principal access boundary policy.  The following format is supported:
+       `organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}`
+    output: true
+  - name: 'uid'
+    type: String
+    description: |
+      Output only. The globally unique ID of the principal access boundary policy.
+    output: true
+  - name: 'etag'
+    type: String
+    description: |
+      The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
+    output: true
+  - name: 'displayName'
+    type: String
+    description: |
+      The description of the principal access boundary policy. Must be less than or equal to 63 characters.
+  - name: 'annotations'
+    type: KeyValueAnnotations
+    description: |
+      User defined annotations. See https://google.aip.dev/148#annotations
+      for more details such as format and size limitations
+  - name: 'createTime'
+    type: String
+    description: |
+      Output only. The time when the principal access boundary policy was created.
+    output: true
+  - name: 'updateTime'
+    type: String
+    description: |
+      Output only. The time when the principal access boundary policy was most recently updated.
+    output: true
+  - name: 'details'
+    type: NestedObject
+    description: |
+      Principal access boundary policy details
+    default_from_api: true
+    properties:
+      - name: 'rules'
+        type: Array
+        description: |
+          A list of principal access boundary policy rules. The number of rules in a policy is limited to 500.
+        required: true
+        item_type:
+          type: NestedObject
+          properties:
+            - name: 'description'
+              type: String
+              description: |
+                The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.
+            - name: 'resources'
+              type: Array
+              description: |
+                A list of Cloud Resource Manager resources. The resource
+                and all the descendants are included. The number of resources in a policy
+                is limited to 500 across all rules.
+                The following resource types are supported:
+                * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`.
+                * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`.
+                * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123`
+                or `//cloudresourcemanager.googleapis.com/projects/my-project-id`.
+              required: true
+              item_type:
+                type: String
+            - name: 'effect'
+              type: String
+              description: |
+                The access relationship of principals to the resources in this rule.
+                Possible values: ALLOW
+              required: true
+      - name: 'enforcementVersion'
+        type: String
+        description: |
+          The version number that indicates which Google Cloud services
+          are included in the enforcement (e.g. \"latest\", \"1\", ...). If empty, the
+          PAB policy version will be set to the current latest version, and this version
+          won't get updated when new versions are released.
+        default_from_api: true

mmv1/products/iam3/product.yaml

@@ -0,0 +1,21 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+name: 'IAM3'
+legacy_name: 'iam'
+display_name: 'Cloud IAM'
+versions:
+  - name: 'beta'
+    base_url: 'https://iam.googleapis.com/v3beta/'
+scopes:
+  - 'https://www.googleapis.com/auth/iam'

mmv1/templates/terraform/examples/iam_principal_access_boundary_policy.tf.tmpl

@@ -0,0 +1,7 @@
+resource "google_iam_principal_access_boundary_policy" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+  organization   = "{{index $.TestEnvVars "org_id"}}"
+  location       = "global"
+  display_name   = "{{index $.Vars "display_name"}}"
+  principal_access_boundary_policy_id = "{{index $.Vars "pab_id"}}"
+}

mmv1/third_party/terraform/.teamcity/components/inputs/services_beta.kt

@@ -446,6 +446,11 @@ var ServicesListBeta = mapOf(
         "displayName" to "Iam2",
         "path" to "./google-beta/services/iam2"
     ),
+    "iam3" to mapOf(
+        "name" to "iam3",
+        "displayName" to "Iam3",
+        "path" to "./google-beta/services/iam3"
+    ),
     "iambeta" to mapOf(
         "name" to "iambeta",
         "displayName" to "Iambeta",

mmv1/third_party/terraform/.teamcity/components/inputs/services_ga.kt

@@ -441,6 +441,11 @@ var ServicesListGa = mapOf(
         "displayName" to "Iam2",
         "path" to "./google/services/iam2"
     ),
+    "iam3" to mapOf(
+        "name" to "iam3",
+        "displayName" to "Iam3",
+        "path" to "./google/services/iam3"
+    ),
     "iambeta" to mapOf(
         "name" to "iambeta",
         "displayName" to "Iambeta",

mmv1/third_party/terraform/services/iam3/resource_iam_principal_access_boundary_policy_test.go.tmpl

@@ -0,0 +1,88 @@
+package iam3_test
+{{- if ne $.TargetVersionName "ga" }}
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccIAM3PrincipalAccessBoundaryPolicy_iam3PrincipalAccessBoundaryPolicyExample_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckIAM3PrincipalAccessBoundaryPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAM3PrincipalAccessBoundaryPolicy_iam3PrincipalAccessBoundaryPolicyExample_full(context),
+			},
+			{
+				ResourceName:            "google_iam_principal_access_boundary_policy.my-pab-policy",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"annotations", "location", "organization", "principal_access_boundary_policy_id", "etag"},
+			},
+			{
+				Config: testAccIAM3PrincipalAccessBoundaryPolicy_iam3PrincipalAccessBoundaryPolicyExample_update(context),
+			},
+			{
+				ResourceName:            "google_iam_principal_access_boundary_policy.my-pab-policy",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"annotations", "location", "organization", "principal_access_boundary_policy_id", "etag"},
+			},
+		},
+	})
+}
+
+func testAccIAM3PrincipalAccessBoundaryPolicy_iam3PrincipalAccessBoundaryPolicyExample_full(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_principal_access_boundary_policy" "my-pab-policy" {
+  provider       = google-beta
+  organization   = "%{org_id}"
+  location       = "global"
+  display_name   = "test pab policy%{random_suffix}"
+  principal_access_boundary_policy_id = "test-pab-policy%{random_suffix}"
+}
+`, context)
+}
+
+func testAccIAM3PrincipalAccessBoundaryPolicy_iam3PrincipalAccessBoundaryPolicyExample_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+
+resource "google_project" "project" {
+  provider       = google-beta
+  project_id     = "tf-test%{random_suffix}"
+  name           = "tf-test%{random_suffix}"
+  org_id         = "%{org_id}"
+  deletion_policy = "DELETE"
+}
+
+resource "google_iam_principal_access_boundary_policy" "my-pab-policy" {
+  provider       = google-beta
+  organization   = "%{org_id}"
+  location       = "global"
+  display_name   = "test pab policy%{random_suffix}"
+  principal_access_boundary_policy_id = "test-pab-policy%{random_suffix}"
+  annotations    = {"foo": "bar"}
+  details {
+    rules {
+      description = "PAB rule%{random_suffix}"
+      effect      = "ALLOW"
+      resources   = ["//cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}"]
+    }
+    enforcement_version = "1"
+  }
+}
+`, context)
+}
+{{- end }}