Add support for access boundaries (#7144) (#13565)

* Add support for access boundaries

* Use IAM v2 API

* Use handwritten test to avoid parallelism

* Add update step to tests

* gofmt

Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/7144.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+`google_iam_access_boundary_policy`
+```

google/config.go

@@ -220,6 +220,7 @@ type Config struct {
 	GKEBackupBasePath            string
 	GKEHubBasePath               string
 	HealthcareBasePath           string
+	IAM2BasePath                 string
 	IAMBetaBasePath              string
 	IAMWorkforcePoolBasePath     string
 	IapBasePath                  string
@@ -323,6 +324,7 @@ const GameServicesBasePathKey = "GameServices"
 const GKEBackupBasePathKey = "GKEBackup"
 const GKEHubBasePathKey = "GKEHub"
 const HealthcareBasePathKey = "Healthcare"
+const IAM2BasePathKey = "IAM2"
 const IAMBetaBasePathKey = "IAMBeta"
 const IAMWorkforcePoolBasePathKey = "IAMWorkforcePool"
 const IapBasePathKey = "Iap"
@@ -420,6 +422,7 @@ var DefaultBasePaths = map[string]string{
 	GKEBackupBasePathKey:            "https://gkebackup.googleapis.com/v1/",
 	GKEHubBasePathKey:               "https://gkehub.googleapis.com/v1/",
 	HealthcareBasePathKey:           "https://healthcare.googleapis.com/v1/",
+	IAM2BasePathKey:                 "https://iam.googleapis.com/v2/",
 	IAMBetaBasePathKey:              "https://iam.googleapis.com/v1/",
 	IAMWorkforcePoolBasePathKey:     "https://iam.googleapis.com/v1/",
 	IapBasePathKey:                  "https://iap.googleapis.com/v1/",
@@ -1279,6 +1282,7 @@ func ConfigureBasePaths(c *Config) {
 	c.GKEBackupBasePath = DefaultBasePaths[GKEBackupBasePathKey]
 	c.GKEHubBasePath = DefaultBasePaths[GKEHubBasePathKey]
 	c.HealthcareBasePath = DefaultBasePaths[HealthcareBasePathKey]
+	c.IAM2BasePath = DefaultBasePaths[IAM2BasePathKey]
 	c.IAMBetaBasePath = DefaultBasePaths[IAMBetaBasePathKey]
 	c.IAMWorkforcePoolBasePath = DefaultBasePaths[IAMWorkforcePoolBasePathKey]
 	c.IapBasePath = DefaultBasePaths[IapBasePathKey]

google/config_test_utils.go

@@ -67,6 +67,7 @@ func configureTestBasePaths(c *Config, url string) {
 	c.GKEBackupBasePath = url
 	c.GKEHubBasePath = url
 	c.HealthcareBasePath = url
+	c.IAM2BasePath = url
 	c.IAMBetaBasePath = url
 	c.IAMWorkforcePoolBasePath = url
 	c.IapBasePath = url

google/iam2_operation.go

@@ -0,0 +1,60 @@
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This file is automatically generated by Magic Modules and manual
+//     changes will be clobbered when the file is regenerated.
+//
+//     Please read more about how to change this file in
+//     .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+	"fmt"
+	"time"
+)
+
+type IAM2OperationWaiter struct {
+	Config    *Config
+	UserAgent string
+	CommonOperationWaiter
+}
+
+func (w *IAM2OperationWaiter) QueryOp() (interface{}, error) {
+	if w == nil {
+		return nil, fmt.Errorf("Cannot query operation, it's unset or nil.")
+	}
+	// Returns the proper get.
+	url := fmt.Sprintf("%s%s", w.Config.IAM2BasePath, w.CommonOperationWaiter.Op.Name)
+
+	return sendRequest(w.Config, "GET", "", url, w.UserAgent, nil)
+}
+
+func createIAM2Waiter(config *Config, op map[string]interface{}, activity, userAgent string) (*IAM2OperationWaiter, error) {
+	w := &IAM2OperationWaiter{
+		Config:    config,
+		UserAgent: userAgent,
+	}
+	if err := w.CommonOperationWaiter.SetOp(op); err != nil {
+		return nil, err
+	}
+	return w, nil
+}
+
+func iAM2OperationWaitTime(config *Config, op map[string]interface{}, activity, userAgent string, timeout time.Duration) error {
+	if val, ok := op["name"]; !ok || val == "" {
+		// This was a synchronous call - there is no operation to wait for.
+		return nil
+	}
+	w, err := createIAM2Waiter(config, op, activity, userAgent)
+	if err != nil {
+		// If w is nil, the op was synchronous.
+		return err
+	}
+	return OperationWait(w, activity, timeout, config.PollInterval)
+}

google/provider.go

@@ -541,6 +541,14 @@ func Provider() *schema.Provider {
 					"GOOGLE_HEALTHCARE_CUSTOM_ENDPOINT",
 				}, DefaultBasePaths[HealthcareBasePathKey]),
 			},
+			"iam2_custom_endpoint": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validateCustomEndpoint,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"GOOGLE_IAM2_CUSTOM_ENDPOINT",
+				}, DefaultBasePaths[IAM2BasePathKey]),
+			},
 			"iam_beta_custom_endpoint": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -972,9 +980,9 @@ func Provider() *schema.Provider {
 	return provider
 }
 
-// Generated resources: 258
+// Generated resources: 259
 // Generated IAM resources: 168
-// Total generated resources: 426
+// Total generated resources: 427
 func ResourceMap() map[string]*schema.Resource {
 	resourceMap, _ := ResourceMapWithErrors()
 	return resourceMap
@@ -1252,6 +1260,7 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_healthcare_consent_store_iam_binding":                  ResourceIamBinding(HealthcareConsentStoreIamSchema, HealthcareConsentStoreIamUpdaterProducer, HealthcareConsentStoreIdParseFunc),
 			"google_healthcare_consent_store_iam_member":                   ResourceIamMember(HealthcareConsentStoreIamSchema, HealthcareConsentStoreIamUpdaterProducer, HealthcareConsentStoreIdParseFunc),
 			"google_healthcare_consent_store_iam_policy":                   ResourceIamPolicy(HealthcareConsentStoreIamSchema, HealthcareConsentStoreIamUpdaterProducer, HealthcareConsentStoreIdParseFunc),
+			"google_iam_access_boundary_policy":                            resourceIAM2AccessBoundaryPolicy(),
 			"google_iam_workload_identity_pool":                            resourceIAMBetaWorkloadIdentityPool(),
 			"google_iam_workload_identity_pool_provider":                   resourceIAMBetaWorkloadIdentityPoolProvider(),
 			"google_iam_workforce_pool":                                    resourceIAMWorkforcePoolWorkforcePool(),
@@ -1669,6 +1678,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData, p *schema.Pr
 	config.GKEBackupBasePath = d.Get("gke_backup_custom_endpoint").(string)
 	config.GKEHubBasePath = d.Get("gke_hub_custom_endpoint").(string)
 	config.HealthcareBasePath = d.Get("healthcare_custom_endpoint").(string)
+	config.IAM2BasePath = d.Get("iam2_custom_endpoint").(string)
 	config.IAMBetaBasePath = d.Get("iam_beta_custom_endpoint").(string)
 	config.IAMWorkforcePoolBasePath = d.Get("iam_workforce_pool_custom_endpoint").(string)
 	config.IapBasePath = d.Get("iap_custom_endpoint").(string)