Add workload identity pool namespace.

Author: stevenyang72

mmv1/products/iambeta/WorkloadIdentityPoolNamespace.yaml

@@ -0,0 +1,135 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'WorkloadIdentityPoolNamespace'
+description: |
+  Represents a namespace for a workload identity pool. Namespaces are used to segment identities
+  within the pool.
+references:
+  guides:
+    'Configure managed workload identity authentication for Compute Engine': 'https://cloud.google.com/iam/docs/create-managed-workload-identities'
+    'Configure managed workload identity authentication for GKE': 'https://cloud.google.com/iam/docs/create-managed-workload-identities-gke'
+  api: 'https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces'
+min_version: beta
+base_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces'
+self_link: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}'
+create_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces?workloadIdentityPoolNamespaceId={{workload_identity_pool_namespace_id}}'
+create_verb: 'POST'
+update_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}'
+update_verb: 'PATCH'
+update_mask: true
+delete_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}'
+delete_verb: 'DELETE'
+import_format:
+  - 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+autogen_async: true
+async:
+  actions: ['create', 'delete', 'update']
+  type: 'OpAsync'
+  operation:
+    base_url: '{{op_id}}'
+  result:
+    resource_inside_response: false
+custom_code:
+  constants: 'templates/terraform/constants/iam_workload_identity_pool_namespace.go.tmpl'
+  decoder: 'templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
+  test_check_destroy: 'templates/terraform/custom_check_destroy/iam_workload_identity_pool_namespace.go.tmpl'
+examples:
+  - name: 'iam_workload_identity_pool_namespace_basic'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_namespace_id: 'example-nmspc'
+  - name: 'iam_workload_identity_pool_namespace_full'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_namespace_id: 'example-nmspc'
+parameters:
+  - name: 'workload_identity_pool_id'
+    type: String
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The ID to use for the pool, which becomes the final component of the resource name. This
+      value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+      `gcp-` is reserved for use by Google, and may not be specified.
+  - name: 'workload_identity_pool_namespace_id'
+    type: String
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The ID to use for the namespace. This value must:
+      * contain at most 63 characters
+      * contain only lowercase alphanumeric characters or `-`
+      * start with an alphanumeric character
+      * end with an alphanumeric character
+
+
+      The prefix `gcp-` will be reserved for future uses.
+    validation:
+      function: 'ValidateWorkloadIdentityPoolNamespaceId'
+properties:
+  - name: 'name'
+    type: String
+    description: |
+      The resource name of the namespace as
+      `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/namespaces/{workload_identity_pool_namespace_id}`.
+    output: true
+  - name: 'description'
+    type: String
+    description: |
+      A description of the namespace. Cannot exceed 256 characters.
+    validation:
+      function: 'ValidateWorkloadIdentityPoolNamespaceDescription'
+  - name: 'state'
+    type: Enum
+    description: |
+      The current state of the namespace.
+      * `STATE_UNSPECIFIED`: State unspecified.
+      * `ACTIVE`: The namespace is active.
+      * `DELETED`: The namespace is soft-deleted. Soft-deleted namespaces are permanently deleted
+      after approximately 30 days. You can restore a soft-deleted namespace using
+      UndeleteWorkloadIdentityPoolNamespace. You cannot reuse the ID of a soft-deleted namespace
+      until it is permanently deleted.
+    output: true
+    enum_values:
+      - 'STATE_UNSPECIFIED'
+      - 'ACTIVE'
+      - 'DELETED'
+  - name: 'disabled'
+    type: Boolean
+    description: |
+      Whether the namespace is disabled. If disabled, credentials may no longer be issued for
+      identities within this namespace, however existing credentials will still be accepted until
+      they expire.
+  - name: 'ownerService'
+    type: NestedObject
+    description: |
+      Defines the owner that is allowed to mutate this resource. If present, this resource can only
+      be mutated by the owner.
+    output: true
+    properties:
+      - name: 'principalSubject'
+        type: String
+        description: |
+           The service agent principal subject, e.g.
+           `serviceAccount:[email protected]`.
+        required: true

mmv1/templates/terraform/constants/iam_workload_identity_pool_namespace.go.tmpl

@@ -0,0 +1,55 @@
+const workloadIdentityPoolNamespaceIdRegexp = `^[0-9a-z-]+$`
+
+func ValidateWorkloadIdentityPoolNamespaceId(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+
+	if !regexp.MustCompile(workloadIdentityPoolNamespaceIdRegexp).MatchString(value) {
+		errors = append(errors, fmt.Errorf(
+			"%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k))
+	}
+
+	if len(value) < 2 {
+		errors = append(errors, fmt.Errorf(
+			"%q cannot be less than 2 characters", k))
+		return
+	}
+
+	if len(value) > 63 {
+		errors = append(errors, fmt.Errorf(
+			"%q cannot be greater than 63 characters", k))
+	}
+
+	isLowerAlphaNumeric := func(r byte) bool {
+		return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z')
+	}
+
+	firstChar := value[0]
+	if !isLowerAlphaNumeric(firstChar) {
+		errors = append(errors, fmt.Errorf(
+			"%q must start with an alphanumeric character", k))
+	}
+	
+	lastChar := value[len(value) - 1]
+	if !isLowerAlphaNumeric(lastChar) {
+		errors = append(errors, fmt.Errorf(
+			"%q must end with an alphanumeric character", k))
+	}
+
+	if strings.HasPrefix(value, "gcp-") {
+		errors = append(errors, fmt.Errorf(
+			"%q (%q) can not start with \"gcp-\"", k, value))
+	}
+
+	return
+}
+
+func ValidateWorkloadIdentityPoolNamespaceDescription(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+
+	if len(value) > 256 {
+		errors = append(errors, fmt.Errorf(
+			"%q cannot be greater than 256 characters", k))
+	}
+
+	return
+}

mmv1/templates/terraform/custom_check_destroy/iam_workload_identity_pool_namespace.go.tmpl

@@ -0,0 +1,22 @@
+config := acctest.GoogleProviderConfig(t)
+
+url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{"{{"}}IAMBetaBasePath{{"}}"}}projects/{{"{{"}}project{{"}}"}}/locations/global/workloadIdentityPools/{{"{{"}}workload_identity_pool_id{{"}}"}}/namespaces/{{"{{"}}workload_identity_pool_namespace_id{{"}}"}}")
+if err != nil {
+  return err
+}
+
+res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+	Config: config,
+	Method: "GET",
+	RawURL: url,
+	UserAgent: config.UserAgent,
+})
+if err != nil {
+  return nil
+}
+
+if v := res["state"]; v == "DELETED" {
+	return nil
+}
+
+return fmt.Errorf("IAMBetaWorkloadIdentityPoolNamespace still exists at %s", url)

mmv1/templates/terraform/examples/iam_workload_identity_pool_namespace_basic.tf.tmpl

@@ -0,0 +1,13 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+  mode                      = "TRUST_DOMAIN"
+}
+
+resource "google_iam_workload_identity_pool_namespace" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id           = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_namespace_id = "{{index $.Vars "workload_identity_pool_namespace_id"}}"
+}

mmv1/templates/terraform/examples/iam_workload_identity_pool_namespace_full.tf.tmpl

@@ -0,0 +1,15 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+  mode                      = "TRUST_DOMAIN"
+}
+
+resource "google_iam_workload_identity_pool_namespace" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id           = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_namespace_id = "{{index $.Vars "workload_identity_pool_namespace_id"}}"
+  description                         = "Example Namespace in a Workload Identity Pool"
+  disabled                            = false
+}

mmv1/third_party/terraform/services/iambeta/resource_iam_workload_identity_pool_namespace_description_test.go.tmpl

@@ -0,0 +1,30 @@
+{{- if ne $.TargetVersionName "ga" -}}
+package iambeta_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-provider-google/google/services/iambeta"
+	"github.com/hashicorp/terraform-provider-google/google/verify"
+)
+
+func TestValidateWorkloadIdentityPoolNamespaceDescription(t *testing.T) {
+	x := []verify.StringValidationTestCase{
+		// No errors
+		{TestName: "basic", Value: "foobar"},
+		{TestName: "with numbers", Value: "foobar123"},
+		{TestName: "short", Value: "foos"},
+		{TestName: "long", Value: "12345678901234567890123456789012"},
+		{TestName: "has a hyphen", Value: "foo-bar"},
+
+		// With errors
+		{TestName: "too long", Value: strings.Repeat("f", 257), ExpectError: true},
+	}
+
+	es := verify.TestStringValidationCases(x, iambeta.ValidateWorkloadIdentityPoolNamespaceDescription)
+	if len(es) > 0 {
+		t.Errorf("Failed to validate WorkloadIdentityPool Namespace descriptions: %v", es)
+	}
+}
+{{- end -}}

mmv1/third_party/terraform/services/iambeta/resource_iam_workload_identity_pool_namespace_id_test.go.tmpl

@@ -0,0 +1,38 @@
+{{- if ne $.TargetVersionName "ga" -}}
+package iambeta_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-provider-google/google/services/iambeta"
+	"github.com/hashicorp/terraform-provider-google/google/verify"
+)
+
+func TestValidateWorkloadIdentityPoolNamespaceId(t *testing.T) {
+	x := []verify.StringValidationTestCase{
+		// No errors
+		{TestName: "basic", Value: "foobar"},
+		{TestName: "with numbers", Value: "foobar123"},
+		{TestName: "short", Value: "foos"},
+		{TestName: "long", Value: "12345678901234567890123456789012"},
+		{TestName: "has a hyphen", Value: "foo-bar"},
+
+		// With errors
+		{TestName: "empty", Value: "", ExpectError: true},
+		{TestName: "starts with a gcp-", Value: "gcp-foobar", ExpectError: true},
+		{TestName: "with uppercase", Value: "fooBar", ExpectError: true},
+		{TestName: "has an slash", Value: "foo/bar", ExpectError: true},
+		{TestName: "has an backslash", Value: "foo\bar", ExpectError: true},
+		{TestName: "too short", Value: "f", ExpectError: true},
+		{TestName: "too long", Value: strings.Repeat("f", 64), ExpectError: true},
+        {TestName: "starts with non-alphanumeric", Value: "-foobar", ExpectError: true},
+        {TestName: "ends with non-alphanumeric", Value: "foobar-", ExpectError: true},
+	}
+
+	es := verify.TestStringValidationCases(x, iambeta.ValidateWorkloadIdentityPoolNamespaceId)
+	if len(es) > 0 {
+		t.Errorf("Failed to validate WorkloadIdentityPoolNamespace names: %v", es)
+	}
+}
+{{- end -}}