hashicorp · modular-magician · Nov 8, 2024 · Nov 8, 2024
@@ -0,0 +1,3 @@
+```release-note: enhancement
+backupdr: added `access_restriction` field to`google_backup_dr_backup_vault` resource (beta)
+```
@@ -30,6 +30,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
 	transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
+	"github.com/hashicorp/terraform-provider-google-beta/google-beta/verify"
 )
 
 func ResourceBackupDRBackupVault() *schema.Resource {
@@ -73,6 +74,14 @@ func ResourceBackupDRBackupVault() *schema.Resource {
 				ForceNew:    true,
 				Description: `The GCP location for the backup vault.`,
 			},
+			"access_restriction": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"ACCESS_RESTRICTION_UNSPECIFIED", "WITHIN_PROJECT", "WITHIN_ORGANIZATION", "UNRESTRICTED", "WITHIN_ORG_BUT_UNRESTRICTED_FOR_BA", ""}),
+				Description:  `Access restriction for the backup vault. Default value is 'WITHIN_ORGANIZATION' if not provided during creation. Default value: "WITHIN_ORGANIZATION" Possible values: ["ACCESS_RESTRICTION_UNSPECIFIED", "WITHIN_PROJECT", "WITHIN_ORGANIZATION", "UNRESTRICTED", "WITHIN_ORG_BUT_UNRESTRICTED_FOR_BA"]`,
+				Default:      "WITHIN_ORGANIZATION",
+			},
 			"allow_missing": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -254,6 +263,12 @@ func resourceBackupDRBackupVaultCreate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("effective_time"); !tpgresource.IsEmptyValue(reflect.ValueOf(effectiveTimeProp)) && (ok || !reflect.DeepEqual(v, effectiveTimeProp)) {
 		obj["effectiveTime"] = effectiveTimeProp
 	}
+	accessRestrictionProp, err := expandBackupDRBackupVaultAccessRestriction(d.Get("access_restriction"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("access_restriction"); !tpgresource.IsEmptyValue(reflect.ValueOf(accessRestrictionProp)) && (ok || !reflect.DeepEqual(v, accessRestrictionProp)) {
+		obj["accessRestriction"] = accessRestrictionProp
+	}
 	labelsProp, err := expandBackupDRBackupVaultEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -424,6 +439,9 @@ func resourceBackupDRBackupVaultRead(d *schema.ResourceData, meta interface{}) e
 	if err := d.Set("annotations", flattenBackupDRBackupVaultAnnotations(res["annotations"], d, config)); err != nil {
 		return fmt.Errorf("Error reading BackupVault: %s", err)
 	}
+	if err := d.Set("access_restriction", flattenBackupDRBackupVaultAccessRestriction(res["accessRestriction"], d, config)); err != nil {
+		return fmt.Errorf("Error reading BackupVault: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenBackupDRBackupVaultTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading BackupVault: %s", err)
 	}
@@ -737,6 +755,10 @@ func flattenBackupDRBackupVaultAnnotations(v interface{}, d *schema.ResourceData
 	return transformed
 }
 
+func flattenBackupDRBackupVaultAccessRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenBackupDRBackupVaultTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -772,6 +794,10 @@ func expandBackupDRBackupVaultEffectiveTime(v interface{}, d tpgresource.Terrafo
 	return v, nil
 }
 
+func expandBackupDRBackupVaultAccessRestriction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandBackupDRBackupVaultEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

@@ -74,6 +74,7 @@ resource "google_backup_dr_backup_vault" "backup-vault-test" {
     annotations2 = "baz1"
   }
   force_update = "true"
+  access_restriction = "WITHIN_ORGANIZATION"
   ignore_inactive_datasources = "true"
   ignore_backup_plan_references = "true"
   allow_missing = "true"

@@ -33,7 +33,7 @@ func TestAccBackupDRBackupVault_fullUpdate(t *testing.T) {
 				ResourceName:            "google_backup_dr_backup_vault.backup-vault-test",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"allow_missing", "annotations", "backup_vault_id", "force_delete", "force_update", "ignore_backup_plan_references", "ignore_inactive_datasources", "labels", "location", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"allow_missing", "annotations", "backup_vault_id", "force_delete", "force_update", "ignore_backup_plan_references", "ignore_inactive_datasources", "access_restriction", "labels", "location", "terraform_labels"},
 			},
 			{
 				Config: testAccBackupDRBackupVault_fullUpdate(context),
@@ -42,7 +42,7 @@ func TestAccBackupDRBackupVault_fullUpdate(t *testing.T) {
 				ResourceName:            "google_backup_dr_backup_vault.backup-vault-test",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"allow_missing", "annotations", "backup_vault_id", "force_delete", "force_update", "ignore_backup_plan_references", "ignore_inactive_datasources", "labels", "location", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"allow_missing", "annotations", "backup_vault_id", "force_delete", "force_update", "ignore_backup_plan_references", "ignore_inactive_datasources", "access_restriction", "labels", "location", "terraform_labels"},
 			},
 		},
 	})
@@ -67,6 +67,7 @@ resource "google_backup_dr_backup_vault" "backup-vault-test" {
   }
   force_update = "true"
   ignore_inactive_datasources = "true"
+  access_restriction = "WITHIN_ORGANIZATION"
   ignore_backup_plan_references = "true"
   allow_missing = "true"
 }
@@ -91,6 +92,7 @@ resource "google_backup_dr_backup_vault" "backup-vault-test" {
 	annotations2 = "baz1"
   }
   force_update = "true"
+  access_restriction = "WITHIN_ORGANIZATION"
   ignore_inactive_datasources = "true"
   ignore_backup_plan_references = "true"
   allow_missing = "true"

@@ -44,6 +44,7 @@ resource "google_backup_dr_backup_vault" "backup-vault-test" {
     annotations2 = "baz1"
   }
   force_update = "true"
+  access_restriction = "WITHIN_ORGANIZATION"
   ignore_inactive_datasources = "true"
   ignore_backup_plan_references = "true"
   allow_missing = "true"
@@ -92,6 +93,12 @@ The following arguments are supported:
   **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration.
   Please refer to the field `effective_annotations` for all of the annotations present on the resource.
 
+* `access_restriction` -
+  (Optional)
+  Access restriction for the backup vault. Default value is `WITHIN_ORGANIZATION` if not provided during creation.
+  Default value is `WITHIN_ORGANIZATION`.
+  Possible values are: `ACCESS_RESTRICTION_UNSPECIFIED`, `WITHIN_PROJECT`, `WITHIN_ORGANIZATION`, `UNRESTRICTED`, `WITHIN_ORG_BUT_UNRESTRICTED_FOR_BA`.
+
 * `force_update` -
   (Optional)
   If set, allow update to extend the minimum enforced retention for backup vault. This overrides