Artifact Registry: implement VPC SC Config

[Subserial]

Implements VPC SC Config resource in beta provider.
Fixes hashicorp/terraform-provider-google#15622

The example cannot run as a test because the resource requires enabling VPC SC on the organization.

If this PR is for Terraform, I acknowledge that I have:

• Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
• Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
• Generated Terraform providers, and ran make test and make lint in the generated providers to ensure it passes unit and linter tests.
• Ran relevant acceptance tests using my own Google Cloud project and credentials (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
• Read Write release notes before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

`google_artifact_registry_vpcsc_config`

[modular-magician]

Hello! I am a robot. It looks like you are a: Community Contributor Googler Core Contributor. Tests will require approval to run.

@SarahFrench, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 1 file changed, 101 insertions(+))
Terraform Beta: Diff ( 3 files changed, 411 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 1 file changed, 84 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_artifact_registry_vpcsc_config (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_artifact_registry_vpcsc_config" "primary" {
  location     = # value needed
  vpcsc_policy = # value needed
}

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 1 file changed, 101 insertions(+))
Terraform Beta: Diff ( 3 files changed, 411 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 1 file changed, 84 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_artifact_registry_vpcsc_config (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_artifact_registry_vpcsc_config" "primary" {
  location     = # value needed
  vpcsc_policy = # value needed
}

[modular-magician]

Tests analytics

Total tests: 2996
Passed tests 2700
Skipped tests: 296
Affected tests: 0

$\textcolor{green}{\textsf{All tests passed in REPLAYING mode.}}$
View the build log

[Subserial]

One moment, manually running the requests in the disabled test is succeeding.

[Subserial]

The resource works in that it sends the correct request, but I cannot figure out the correct permissions for the service account for the request to succeed. I'm hoping the tests work on github.

[SarahFrench]

@Subserial Thanks for making that change to remove skip_test - that will allow a test to be generated, but it may not run on this PR because the automated tests on PRs are a bit weird around tests for Beta-only features. If that happens I can trigger manual tests and I'll post the results here. Once we have some test output I can try to help with the permissions stuff.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 1 file changed, 106 insertions(+))
Terraform Beta: Diff ( 4 files changed, 476 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 1 file changed, 84 insertions(+))
TF OiCS: Diff ( 4 files changed, 106 insertions(+))

[modular-magician]

Tests analytics

Total tests: 3008
Passed tests 2711
Skipped tests: 296
Affected tests: 1

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccArtifactRegistryVPCSCConfig_artifactRegistryVpcscConfigExample

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccArtifactRegistryVPCSCConfig_artifactRegistryVpcscConfigExample[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[SarahFrench]

Here's the error for the test failure above - it looks like there would need to be changes in our organization that the automated tests from PRs run in.

Error: Error creating VPCSCConfig: googleapi: Error 403: there are no ancestors configured for the project: <project name>, organizations: [projects/<project id> organizations/<org id>], recent error: failed VPC SC Policy check for folder: organizations/<org id>, error: generic::permission_denied: VPC SC Policy is not configured for the organization

[Subserial]

I am currently working out the requirements for a service account to change these settings.

[Subserial]

An account needs roles/accesscontextmanager.policyEditor or roles/accesscontextmanager.policyAdmin set at the organization level. Looking at accesscontextmanager/AccessPolicy.yaml, it seems that tests involving organization-level resources are skipped. I believe this means this test should be skipped.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 1 file changed, 101 insertions(+))
Terraform Beta: Diff ( 3 files changed, 411 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 1 file changed, 84 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_artifact_registry_vpcsc_config (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_artifact_registry_vpcsc_config" "primary" {
  location     = # value needed
  vpcsc_policy = # value needed
}

[modular-magician]

Tests analytics

Total tests: 3008
Passed tests 2709
Skipped tests: 296
Affected tests: 3

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccBigQueryDataTable_bigtable|TestAccDataprocClusterIamPolicy|TestAccDataSourceGoogleServiceAccountJwt

Get to know how VCR tests work

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccBigQueryDataTable_bigtable[Debug log]
TestAccDataprocClusterIamPolicy[Debug log]
TestAccDataSourceGoogleServiceAccountJwt[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$

---

$\textcolor{green}{\textsf{All tests passed!}}$
View the build log or the debug log for each test

[Subserial]

Anything necessary to merge?

[SarahFrench]

Sorry for the delay - the fields look correct compared to the API docs, so LGTM. It's a shame we can't run the acceptance tests due to needing organization-level permissions, but it makes sense why that's not possible currently.