Add support for ACM Scoped Policies and Access Policy IAM (#5785) (#11409)

Co-authored-by: Charles Leon <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: Charles Leon <[email protected]>

Author: modular-magician

.changelog/5785.txt

@@ -0,0 +1,12 @@
+```release-note:enhancement
+access context manager: Added support for scoped policies in `google_access_context_manager_access_policy`
+```
+```release-note:new-resource
+`google_access_context_manager_access_policy_iam_policy`
+```
+```release-note:new-resource
+`google_access_context_manager_access_policy_iam_binding`
+```
+```release-note:new-resource
+`google_access_context_manager_access_policy_iam_member`
+```

google/iam_access_context_manager_access_policy.go

@@ -0,0 +1,166 @@
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This file is automatically generated by Magic Modules and manual
+//     changes will be clobbered when the file is regenerated.
+//
+//     Please read more about how to change this file in
+//     .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"google.golang.org/api/cloudresourcemanager/v1"
+)
+
+var AccessContextManagerAccessPolicyIamSchema = map[string]*schema.Schema{
+	"name": {
+		Type:             schema.TypeString,
+		Required:         true,
+		ForceNew:         true,
+		DiffSuppressFunc: compareSelfLinkOrResourceName,
+	},
+}
+
+type AccessContextManagerAccessPolicyIamUpdater struct {
+	name   string
+	d      TerraformResourceData
+	Config *Config
+}
+
+func AccessContextManagerAccessPolicyIamUpdaterProducer(d TerraformResourceData, config *Config) (ResourceIamUpdater, error) {
+	values := make(map[string]string)
+
+	if v, ok := d.GetOk("name"); ok {
+		values["name"] = v.(string)
+	}
+
+	// We may have gotten either a long or short name, so attempt to parse long name if possible
+	m, err := getImportIdQualifiers([]string{"accessPolicies/(?P<name>[^/]+)", "(?P<name>[^/]+)"}, d, config, d.Get("name").(string))
+	if err != nil {
+		return nil, err
+	}
+
+	for k, v := range m {
+		values[k] = v
+	}
+
+	u := &AccessContextManagerAccessPolicyIamUpdater{
+		name:   values["name"],
+		d:      d,
+		Config: config,
+	}
+
+	if err := d.Set("name", u.GetResourceId()); err != nil {
+		return nil, fmt.Errorf("Error setting name: %s", err)
+	}
+
+	return u, nil
+}
+
+func AccessContextManagerAccessPolicyIdParseFunc(d *schema.ResourceData, config *Config) error {
+	values := make(map[string]string)
+
+	m, err := getImportIdQualifiers([]string{"accessPolicies/(?P<name>[^/]+)", "(?P<name>[^/]+)"}, d, config, d.Id())
+	if err != nil {
+		return err
+	}
+
+	for k, v := range m {
+		values[k] = v
+	}
+
+	u := &AccessContextManagerAccessPolicyIamUpdater{
+		name:   values["name"],
+		d:      d,
+		Config: config,
+	}
+	if err := d.Set("name", u.GetResourceId()); err != nil {
+		return fmt.Errorf("Error setting name: %s", err)
+	}
+	d.SetId(u.GetResourceId())
+	return nil
+}
+
+func (u *AccessContextManagerAccessPolicyIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
+	url, err := u.qualifyAccessPolicyUrl("getIamPolicy")
+	if err != nil {
+		return nil, err
+	}
+
+	var obj map[string]interface{}
+
+	userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
+	if err != nil {
+		return nil, err
+	}
+
+	policy, err := sendRequest(u.Config, "POST", "", url, userAgent, obj)
+	if err != nil {
+		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
+	}
+
+	out := &cloudresourcemanager.Policy{}
+	err = Convert(policy, out)
+	if err != nil {
+		return nil, errwrap.Wrapf("Cannot convert a policy to a resource manager policy: {{err}}", err)
+	}
+
+	return out, nil
+}
+
+func (u *AccessContextManagerAccessPolicyIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
+	json, err := ConvertToMap(policy)
+	if err != nil {
+		return err
+	}
+
+	obj := make(map[string]interface{})
+	obj["policy"] = json
+
+	url, err := u.qualifyAccessPolicyUrl("setIamPolicy")
+	if err != nil {
+		return err
+	}
+
+	userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
+	if err != nil {
+		return err
+	}
+
+	_, err = sendRequestWithTimeout(u.Config, "POST", "", url, userAgent, obj, u.d.Timeout(schema.TimeoutCreate))
+	if err != nil {
+		return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err)
+	}
+
+	return nil
+}
+
+func (u *AccessContextManagerAccessPolicyIamUpdater) qualifyAccessPolicyUrl(methodIdentifier string) (string, error) {
+	urlTemplate := fmt.Sprintf("{{AccessContextManagerBasePath}}%s:%s", fmt.Sprintf("accessPolicies/%s", u.name), methodIdentifier)
+	url, err := replaceVars(u.d, u.Config, urlTemplate)
+	if err != nil {
+		return "", err
+	}
+	return url, nil
+}
+
+func (u *AccessContextManagerAccessPolicyIamUpdater) GetResourceId() string {
+	return fmt.Sprintf("accessPolicies/%s", u.name)
+}
+
+func (u *AccessContextManagerAccessPolicyIamUpdater) GetMutexKey() string {
+	return fmt.Sprintf("iam-accesscontextmanager-accesspolicy-%s", u.GetResourceId())
+}
+
+func (u *AccessContextManagerAccessPolicyIamUpdater) DescribeResource() string {
+	return fmt.Sprintf("accesscontextmanager accesspolicy %q", u.GetResourceId())
+}

google/provider.go

@@ -830,8 +830,8 @@ func Provider() *schema.Provider {
 }
 
 // Generated resources: 217
-// Generated IAM resources: 102
-// Total generated resources: 319
+// Generated IAM resources: 105
+// Total generated resources: 322
 func ResourceMap() map[string]*schema.Resource {
 	resourceMap, _ := ResourceMapWithErrors()
 	return resourceMap
@@ -844,6 +844,9 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_project_access_approval_settings":                      resourceAccessApprovalProjectSettings(),
 			"google_organization_access_approval_settings":                 resourceAccessApprovalOrganizationSettings(),
 			"google_access_context_manager_access_policy":                  resourceAccessContextManagerAccessPolicy(),
+			"google_access_context_manager_access_policy_iam_binding":      ResourceIamBinding(AccessContextManagerAccessPolicyIamSchema, AccessContextManagerAccessPolicyIamUpdaterProducer, AccessContextManagerAccessPolicyIdParseFunc),
+			"google_access_context_manager_access_policy_iam_member":       ResourceIamMember(AccessContextManagerAccessPolicyIamSchema, AccessContextManagerAccessPolicyIamUpdaterProducer, AccessContextManagerAccessPolicyIdParseFunc),
+			"google_access_context_manager_access_policy_iam_policy":       ResourceIamPolicy(AccessContextManagerAccessPolicyIamSchema, AccessContextManagerAccessPolicyIamUpdaterProducer, AccessContextManagerAccessPolicyIdParseFunc),
 			"google_access_context_manager_access_level":                   resourceAccessContextManagerAccessLevel(),
 			"google_access_context_manager_access_levels":                  resourceAccessContextManagerAccessLevels(),
 			"google_access_context_manager_access_level_condition":         resourceAccessContextManagerAccessLevelCondition(),

google/resource_access_context_manager_access_policy.go

@@ -54,6 +54,16 @@ Format: organizations/{organization_id}`,
 				Required:    true,
 				Description: `Human readable title. Does not affect behavior.`,
 			},
+			"scopes": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Description: `Folder or project on which this policy is applicable.
+Format: folders/{{folder_id}} or projects/{{project_id}}`,
+				MaxItems: 1,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"create_time": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -94,6 +104,12 @@ func resourceAccessContextManagerAccessPolicyCreate(d *schema.ResourceData, meta
 	} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
 		obj["title"] = titleProp
 	}
+	scopesProp, err := expandAccessContextManagerAccessPolicyScopes(d.Get("scopes"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("scopes"); !isEmptyValue(reflect.ValueOf(scopesProp)) && (ok || !reflect.DeepEqual(v, scopesProp)) {
+		obj["scopes"] = scopesProp
+	}
 
 	url, err := replaceVars(d, config, "{{AccessContextManagerBasePath}}accessPolicies")
 	if err != nil {
@@ -199,6 +215,9 @@ func resourceAccessContextManagerAccessPolicyRead(d *schema.ResourceData, meta i
 	if err := d.Set("title", flattenAccessContextManagerAccessPolicyTitle(res["title"], d, config)); err != nil {
 		return fmt.Errorf("Error reading AccessPolicy: %s", err)
 	}
+	if err := d.Set("scopes", flattenAccessContextManagerAccessPolicyScopes(res["scopes"], d, config)); err != nil {
+		return fmt.Errorf("Error reading AccessPolicy: %s", err)
+	}
 
 	return nil
 }
@@ -219,6 +238,12 @@ func resourceAccessContextManagerAccessPolicyUpdate(d *schema.ResourceData, meta
 	} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
 		obj["title"] = titleProp
 	}
+	scopesProp, err := expandAccessContextManagerAccessPolicyScopes(d.Get("scopes"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("scopes"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, scopesProp)) {
+		obj["scopes"] = scopesProp
+	}
 
 	url, err := replaceVars(d, config, "{{AccessContextManagerBasePath}}accessPolicies/{{name}}")
 	if err != nil {
@@ -231,6 +256,10 @@ func resourceAccessContextManagerAccessPolicyUpdate(d *schema.ResourceData, meta
 	if d.HasChange("title") {
 		updateMask = append(updateMask, "title")
 	}
+
+	if d.HasChange("scopes") {
+		updateMask = append(updateMask, "scopes")
+	}
 	// updateMask is a URL parameter but not present in the schema, so replaceVars
 	// won't set it
 	url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -342,10 +371,18 @@ func flattenAccessContextManagerAccessPolicyTitle(v interface{}, d *schema.Resou
 	return v
 }
 
+func flattenAccessContextManagerAccessPolicyScopes(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
 func expandAccessContextManagerAccessPolicyParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
 
 func expandAccessContextManagerAccessPolicyTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandAccessContextManagerAccessPolicyScopes(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}