Init Storage IAM policy #493
Conversation
|
Tested OK for Bucket Iam Policy |
|
sebglon
force-pushed
the
storage-iam-policy
branch
6 times, most recently
from
d9413e2 to
7e436a5
Compare
There was a problem hiding this comment.
Hey @sebglon, this looks fantastic, thanks for the PR! I have some minor, nitpicky comments, and it looks like we're missing documentation for object policy, but other than that, this looks amazing. Thanks so much for the hard work. Do let me know if you have any questions.
| @@ -0,0 +1,122 @@ | |||
| package google | |||
There was a problem hiding this comment.
This is definitely a nitpick, but I'd love to see a _ between iam and policy in the filename here.
| func resourceStorageBucketIAMPolicyCreate(d *schema.ResourceData, meta interface{}) error { | ||
| config := meta.(*Config) | ||
|
|
||
| if err := setBucketIamPolicy(d, config); err != nil { |
There was a problem hiding this comment.
We usually like to do a log.Printf("[DEBUG] Setting IAM policy for bucket %q", bucket) before we make an API call, and a log.Printf("[DEBUG] Set IAM policy for bucket %q", bucket) after the request completes, to help debug.
| } | ||
|
|
||
| func marshalStorageIamPolicy(policy *storagev1.Policy) string { | ||
| pdBytes, _ := json.Marshal(&storagev1.Policy{ |
There was a problem hiding this comment.
I know it seems impossible, but I'd really be much more comfortable if we checked this error here.
| ) | ||
|
|
||
| func testBucketIamName() string { | ||
| return fmt.Sprintf("%s-%d", "tf-test-iam-bucket", acctest.RandInt()) |
There was a problem hiding this comment.
You can just use acctest.RandomWithPrefix("tf-test-iam-bucket") which is a little less convoluted.
|
|
||
| func resourceStorageObjectIAMPolicyCreate(d *schema.ResourceData, meta interface{}) error { | ||
| config := meta.(*Config) | ||
|
|
There was a problem hiding this comment.
Again, debug logs here would be awesome.
There was a problem hiding this comment.
Actually, just before and after every API request would be 💯
| return err | ||
| } | ||
|
|
||
| d.SetId(d.Get("object").(string)) |
There was a problem hiding this comment.
Shouldn't this be a combination of bucket and object, to ensure uniqueness? Also, for future import, we'd need at least project, bucket, and object, I think. So I think setting it to a combination of the three would be really useful.
| return err | ||
| } | ||
|
|
||
| d.SetId(d.Get("bucket").(string)) |
There was a problem hiding this comment.
If we set this to a combination of project and bucket, we won't need to change IDs to support import.
There was a problem hiding this comment.
I don't understand exactly what you want. Actualy i do not have project var.
As seen in resource_storage_bucket_acl, ican set bucket+ "-iam_policy"?
There was a problem hiding this comment.
So what I'm suggesting here and why:
- When we make resources importable, we need to be able to identify the resources based on their ID. This means the ID needs to not only be unique, but contain all the information necessary to retrieve the resource.
- For this resource, it looks like we need both the project and the bucket ID to be able to retrieve the bucket.
- So ideally, our ID would be something like
{project}/{bucket}, which we could then parse into the info we need to be able to retrieve the resource given just its ID.
There was a problem hiding this comment.
On google Policy, i have etag parameter that is an entity ID (return by API). but this does not contain project.
I don't see how to make it.
vendor/vendor.json
Outdated
| @@ -852,10 +852,10 @@ | |||
| "revisionTime": "2016-12-14T09:25:55Z" | |||
| }, | |||
| { | |||
| "checksumSHA1": "FEzQdhqmb6aqGL1lKnjOcUHIGSY=", | |||
| "checksumSHA1": "F/N7JzfuHZAk1UXi2zw/62hFPpM=", | |||
| "path": "google.golang.org/api/bigquery/v2", | |||
There was a problem hiding this comment.
Seems like we're bringing in a lot of unnecessary vendor changes for this PR. Could we clean this up to just update storage, or is there a reason it needs to bring bigquery along?
There was a problem hiding this comment.
(Also, is a storage library update necessary to support this functionality?)
There was a problem hiding this comment.
Yes an update is necessary and this update bring bigquery lib with small change type
sebglon
force-pushed
the
storage-iam-policy
branch
from
2eb1c30 to
597e537
Compare
sebglon
force-pushed
the
storage-iam-policy
branch
from
3844afc to
e3c7096
Compare
|
@paddycarver I have cleaned dependencies with master change |
|
@danawillow and @paddycarver is itpossible to have status on this PR? |
| for _, member := range binding.Members { | ||
| bindingBuffer.WriteString(fmt.Sprintf("\"%s\",\n", member)) | ||
| } | ||
| bindingBuffer.WriteString("]}\n") |
There was a problem hiding this comment.
This part of the code scares me, to be honest.
There was a problem hiding this comment.
I don't understand Why?
There was a problem hiding this comment.
this is the same than resource_google_folder_iam_policy_test.go;
I have added Comment on source code
There was a problem hiding this comment.
Apologies, missed this response. It largely scares me because we're dynamically building the config string in a buffer, which is more complicated than tests usually require. I think this may be more generalized than is strictly necessary, but it's really not worth holding a merge over.
| return err | ||
| } | ||
|
|
||
| d.SetId(d.Get("bucket").(string) + "-" + d.Get("object").(string) + "-iam-policy") |
There was a problem hiding this comment.
If we could use a separator here that is an invalid character for a bucket name, that'd be awesome. (/ is a good choice, I believe.)
The idea is that we can then parse the ID to get the bucket and object back, which helps in a few places. As it stands, there's no real way to reliably turn this ID back into its constituent parts. In my-bucket-object-id-iam-policy, for example, we'd have no idea what was the bucket and what was the object.
| %s | ||
| } | ||
| resource "google_storage_Object_iam_policy" "test" { | ||
| Object = "${google_storage_Object.Object.name}" |
There was a problem hiding this comment.
Looks like a find and replace is doing some weird capitalising here.
| ) | ||
|
|
||
| func testObjectIamName() string { | ||
| return fmt.Sprintf("%s-%d", "tf-test-iam-Object", acctest.RandInt()) |
There was a problem hiding this comment.
Looks like a find and replace is doing some weird capitalising here.
| config := testAccProvider.Meta().(*Config) | ||
|
|
||
| for _, rs := range s.RootModule().Resources { | ||
| if rs.Type != "google_storage_Object_iam_policy" { |
There was a problem hiding this comment.
Looks like a find and replace is doing some weird capitalising here.
| @@ -0,0 +1,58 @@ | |||
| --- | |||
There was a problem hiding this comment.
Looks like you've duplicated the bucket docs here?
There was a problem hiding this comment.
Looks like you have both a google_storage_bucket_iam_policy.html.markdown and a nearly identical storage_bucket_iam_policy.html.markdown file (without the "google" prefix). I assume that's what @paddycarver is referring to.
There was a problem hiding this comment.
Yup, sorry. I'm seeing two different files here with almost the same name and can't tell what happened.
There was a problem hiding this comment.
FYI, @sebglon deleted the duplicate file. I think the only outstanding issue left is the "this part of the code scares me" section, if you can expand on that?
| Allows management of an IAM policy for a Google Storage Bucket Object. | ||
| --- | ||
|
|
||
| # google\_storage\-_object\_iam\_policy |
There was a problem hiding this comment.
Looks like you have an extra - in here that's messing things up.
|
|
||
| resource "google_storage_object" "object" { | ||
| display_name = "%s" | ||
| bucket = "${google_storage_bucket.bucket.name}" |
There was a problem hiding this comment.
Tabs/spaces problem. Generally we ask that documentation examples be run through terraform fmt.
|
|
||
| Changing this updates the policy. | ||
|
|
||
| Deleting this removes the policy, but leaves the original object policy |
There was a problem hiding this comment.
Is this true? Looking up at the code, it looks like the policy is just set to an empty policy on delete.
|
It looks like after 580b153, the code no longer builds. |
|
@paddycarver Compile is corrected. |
|
@danawillow , @paddycarver Can i have status on validation; this lock my project? |
|
Cc @rosbo who has been working on the IAM system |
<!-- This change is generated by MagicModules. --> /cc @rileykarson
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
refer to issue #481