Add named binary authorization policy support for cloud run v2 resources (#11229) (#18995)

[upstream:2c134e22300ecea2f8c3c2b0ca8619fce0fd2fc1]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/11229.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+cloudrunv2: added field `binary_authorization.policy` to resource `google_cloud_run_v2_job` and resource `google_cloud_run_v2_service` to support named binary authorization policy.
+```

google/services/cloudrunv2/resource_cloud_run_v2_job.go

@@ -461,10 +461,17 @@ Please refer to the field 'effective_annotations' for all of the annotations pre
 							Optional:    true,
 							Description: `If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass`,
 						},
+						"policy": {
+							Type:          schema.TypeString,
+							Optional:      true,
+							Description:   `The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name}`,
+							ConflictsWith: []string{},
+						},
 						"use_default": {
-							Type:        schema.TypeBool,
-							Optional:    true,
-							Description: `If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.`,
+							Type:          schema.TypeBool,
+							Optional:      true,
+							Description:   `If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.`,
+							ConflictsWith: []string{},
 						},
 					},
 				},
@@ -1226,6 +1233,8 @@ func flattenCloudRunV2JobBinaryAuthorization(v interface{}, d *schema.ResourceDa
 		flattenCloudRunV2JobBinaryAuthorizationBreakglassJustification(original["breakglassJustification"], d, config)
 	transformed["use_default"] =
 		flattenCloudRunV2JobBinaryAuthorizationUseDefault(original["useDefault"], d, config)
+	transformed["policy"] =
+		flattenCloudRunV2JobBinaryAuthorizationPolicy(original["policy"], d, config)
 	return []interface{}{transformed}
 }
 func flattenCloudRunV2JobBinaryAuthorizationBreakglassJustification(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -1236,6 +1245,10 @@ func flattenCloudRunV2JobBinaryAuthorizationUseDefault(v interface{}, d *schema.
 	return v
 }
 
+func flattenCloudRunV2JobBinaryAuthorizationPolicy(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenCloudRunV2JobTemplate(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return nil
@@ -1966,6 +1979,13 @@ func expandCloudRunV2JobBinaryAuthorization(v interface{}, d tpgresource.Terrafo
 		transformed["useDefault"] = transformedUseDefault
 	}
 
+	transformedPolicy, err := expandCloudRunV2JobBinaryAuthorizationPolicy(original["policy"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPolicy); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["policy"] = transformedPolicy
+	}
+
 	return transformed, nil
 }
 
@@ -1977,6 +1997,10 @@ func expandCloudRunV2JobBinaryAuthorizationUseDefault(v interface{}, d tpgresour
 	return v, nil
 }
 
+func expandCloudRunV2JobBinaryAuthorizationPolicy(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandCloudRunV2JobTemplate(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {

google/services/cloudrunv2/resource_cloud_run_v2_job_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
 )
 
 func TestAccCloudRunV2Job_cloudrunv2JobFullUpdate(t *testing.T) {
@@ -214,6 +215,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobWithDirectVPCUpdate(t *testing.T) {
 	jobName := fmt.Sprintf("tf-test-cloudrun-service%s", acctest.RandString(t, 10))
 	context := map[string]interface{}{
 		"job_name": jobName,
+		"project":  envvar.GetTestProjectFromEnv(),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -231,7 +233,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobWithDirectVPCUpdate(t *testing.T) {
 				ImportStateVerifyIgnore: []string{"location", "launch_stage"},
 			},
 			{
-				Config: testAccCloudRunV2Job_cloudrunv2JobWithDirectVPCUpdate(context),
+				Config: testAccCloudRunV2Job_cloudrunv2JobWithDirectVPCAndNamedBinAuthPolicyUpdate(context),
 			},
 			{
 				ResourceName:            "google_cloud_run_v2_job.default",
@@ -248,7 +250,6 @@ func testAccCloudRunV2Job_cloudrunv2JobWithDirectVPC(context map[string]interfac
   resource "google_cloud_run_v2_job" "default" {
     name     = "%{job_name}"
     location = "us-central1"
-    launch_stage = "BETA"
     template {
       template {
         containers {
@@ -271,12 +272,15 @@ func testAccCloudRunV2Job_cloudrunv2JobWithDirectVPC(context map[string]interfac
 `, context)
 }
 
-func testAccCloudRunV2Job_cloudrunv2JobWithDirectVPCUpdate(context map[string]interface{}) string {
+func testAccCloudRunV2Job_cloudrunv2JobWithDirectVPCAndNamedBinAuthPolicyUpdate(context map[string]interface{}) string {
 	return acctest.Nprintf(`
   resource "google_cloud_run_v2_job" "default" {
     name     = "%{job_name}"
     location = "us-central1"
-    launch_stage = "BETA"
+    binary_authorization {
+      policy = "projects/%{project}/platforms/cloudRun/policies/my-policy"
+      breakglass_justification = "Some justification"
+    }
     template {
       template {
         containers {

google/services/cloudrunv2/resource_cloud_run_v2_service.go

@@ -774,10 +774,17 @@ Please refer to the field 'effective_annotations' for all of the annotations pre
 							Optional:    true,
 							Description: `If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass`,
 						},
+						"policy": {
+							Type:          schema.TypeString,
+							Optional:      true,
+							Description:   `The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name}`,
+							ConflictsWith: []string{},
+						},
 						"use_default": {
-							Type:        schema.TypeBool,
-							Optional:    true,
-							Description: `If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.`,
+							Type:          schema.TypeBool,
+							Optional:      true,
+							Description:   `If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.`,
+							ConflictsWith: []string{},
 						},
 					},
 				},
@@ -1680,6 +1687,8 @@ func flattenCloudRunV2ServiceBinaryAuthorization(v interface{}, d *schema.Resour
 		flattenCloudRunV2ServiceBinaryAuthorizationBreakglassJustification(original["breakglassJustification"], d, config)
 	transformed["use_default"] =
 		flattenCloudRunV2ServiceBinaryAuthorizationUseDefault(original["useDefault"], d, config)
+	transformed["policy"] =
+		flattenCloudRunV2ServiceBinaryAuthorizationPolicy(original["policy"], d, config)
 	return []interface{}{transformed}
 }
 func flattenCloudRunV2ServiceBinaryAuthorizationBreakglassJustification(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -1690,6 +1699,10 @@ func flattenCloudRunV2ServiceBinaryAuthorizationUseDefault(v interface{}, d *sch
 	return v
 }
 
+func flattenCloudRunV2ServiceBinaryAuthorizationPolicy(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenCloudRunV2ServiceCustomAudiences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -3024,6 +3037,13 @@ func expandCloudRunV2ServiceBinaryAuthorization(v interface{}, d tpgresource.Ter
 		transformed["useDefault"] = transformedUseDefault
 	}
 
+	transformedPolicy, err := expandCloudRunV2ServiceBinaryAuthorizationPolicy(original["policy"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPolicy); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["policy"] = transformedPolicy
+	}
+
 	return transformed, nil
 }
 
@@ -3035,6 +3055,10 @@ func expandCloudRunV2ServiceBinaryAuthorizationUseDefault(v interface{}, d tpgre
 	return v, nil
 }
 
+func expandCloudRunV2ServiceBinaryAuthorizationPolicy(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandCloudRunV2ServiceCustomAudiences(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google/services/cloudrunv2/resource_cloud_run_v2_service_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
 	"github.com/hashicorp/terraform-provider-google/google/services/cloudrunv2"
 )
 
@@ -597,6 +598,7 @@ func TestAccCloudRunV2Service_cloudrunv2ServiceWithDirectVPCUpdate(t *testing.T)
 	serviceName := fmt.Sprintf("tf-test-cloudrun-service%s", acctest.RandString(t, 10))
 	context := map[string]interface{}{
 		"service_name": serviceName,
+		"project":      envvar.GetTestProjectFromEnv(),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -614,7 +616,7 @@ func TestAccCloudRunV2Service_cloudrunv2ServiceWithDirectVPCUpdate(t *testing.T)
 				ImportStateVerifyIgnore: []string{"name", "location"},
 			},
 			{
-				Config: testAccCloudRunV2Service_cloudRunServiceWithDirectVPCUpdate(context),
+				Config: testAccCloudRunV2Service_cloudRunServiceWithDirectVPCAndNamedBinAuthPolicyUpdate(context),
 			},
 			{
 				ResourceName:            "google_cloud_run_v2_service.default",
@@ -646,12 +648,16 @@ resource "google_cloud_run_v2_service" "default" {
 `, context)
 }
 
-func testAccCloudRunV2Service_cloudRunServiceWithDirectVPCUpdate(context map[string]interface{}) string {
+func testAccCloudRunV2Service_cloudRunServiceWithDirectVPCAndNamedBinAuthPolicyUpdate(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_cloud_run_v2_service" "default" {
   name     = "%{service_name}"
   location = "us-central1"
   launch_stage = "GA"
+  binary_authorization {
+    policy = "projects/%{project}/platforms/cloudRun/policies/my-policy"
+    breakglass_justification = "Some justification"
+  }
   template {
     containers {
       image = "us-docker.pkg.dev/cloudrun/container/hello"

website/docs/r/cloud_run_v2_job.html.markdown

@@ -761,6 +761,10 @@ The following arguments are supported:
   (Optional)
   If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.
 
+* `policy` -
+  (Optional)
+  The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name}
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported:

website/docs/r/cloud_run_v2_service.html.markdown

@@ -1091,6 +1091,10 @@ The following arguments are supported:
   (Optional)
   If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.
 
+* `policy` -
+  (Optional)
+  The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name}
+
 <a name="nested_scaling"></a>The `scaling` block supports:
 
 * `min_instance_count` -