From b3d483e460752a151195cca872899e7c50008d07 Mon Sep 17 00:00:00 2001
From: The Magician
Date: Mon, 23 Jan 2023 16:41:40 -0800
Subject: [PATCH] Support policy version 3 in google_spanner_database_iam_member and google_spanner_instance_iam_member (#6915) (#5125)

* support policy version 3 in spanner_database_iam and spanner_instance_iam resources
* re-trigger checks
* update tests to have conditions
* fix tests
* fix tests

Signed-off-by: Modular Magician
Signed-off-by: Modular Magician
---
 .changelog/6915.txt | 3 +++
 google-beta/iam_spanner_database.go | 8 +++++++-
 google-beta/iam_spanner_instance.go | 8 +++++++-
 google-beta/resource_spanner_database_iam_test.go | 9 +++++++--
 google-beta/resource_spanner_instance_iam_test.go | 9 +++++++--
 5 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 .changelog/6915.txt

diff --git a/.changelog/6915.txt b/.changelog/6915.txt
new file mode 100644
index 0000000000..e031751d4c
--- /dev/null
+++ b/.changelog/6915.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+spanner: added support for IAM conditions with `google_spanner_database_iam_member` and `google_spanner_instance_iam_member`
+```
diff --git a/google-beta/iam_spanner_database.go b/google-beta/iam_spanner_database.go
index 8fc8f0830e..166d4b08a3 100644
--- a/google-beta/iam_spanner_database.go
+++ b/google-beta/iam_spanner_database.go
@@ -66,7 +66,9 @@ func (u *SpannerDatabaseIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 Project: u.project,
 Database: u.database,
 Instance: u.instance,
- }.databaseUri(), &spanner.GetIamPolicyRequest{}).Do()
+ }.databaseUri(), &spanner.GetIamPolicyRequest{
+ Options: &spanner.GetPolicyOptions{RequestedPolicyVersion: iamPolicyVersion},
+ }).Do()
 if err != nil {
 return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
@@ -78,6 +80,8 @@ func (u *SpannerDatabaseIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 return nil, errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 }
 
+ cloudResourcePolicy.Version = iamPolicyVersion
+
 return cloudResourcePolicy, nil
 }
 
@@ -88,6 +92,8 @@ func (u *SpannerDatabaseIamUpdater) SetResourceIamPolicy(policy *cloudresourcema
 return errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 }
 
+ spannerPolicy.Version = iamPolicyVersion
+
 userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
 if err != nil {
 return err
diff --git a/google-beta/iam_spanner_instance.go b/google-beta/iam_spanner_instance.go
index 035d611539..2d70c8b2f8 100644
--- a/google-beta/iam_spanner_instance.go
+++ b/google-beta/iam_spanner_instance.go
@@ -73,7 +73,9 @@ func (u *SpannerInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 p, err := u.Config.NewSpannerClient(userAgent).Projects.Instances.GetIamPolicy(spannerInstanceId{
 Project: u.project,
 Instance: u.instance,
- }.instanceUri(), &spanner.GetIamPolicyRequest{}).Do()
+ }.instanceUri(), &spanner.GetIamPolicyRequest{
+ Options: &spanner.GetPolicyOptions{RequestedPolicyVersion: iamPolicyVersion},
+ }).Do()
 if err != nil {
 return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
@@ -85,6 +87,8 @@ func (u *SpannerInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 return nil, errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 }
 
+ cloudResourcePolicy.Version = iamPolicyVersion
+
 return cloudResourcePolicy, nil
 }
 
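Review bot: The new `cloudResourcePolicy.Version = iamPolicyVersion` line in GetResourceIamPolicy discards the version the service actually returned, and the step that turns the spanner policy into the cloudresourcemanager type (presumably the call guarded by the `Invalid IAM policy` wrap, which sits outside the hunk) is where conditional bindings would be lost: if that conversion does not copy each binding's condition, a policy fetched at version 3 reaches SetResourceIamPolicy with its conditions stripped and is written back as an unconditional grant, so that conversion is worth confirming. A short comment at the assignment would make the intent clear, e.g. `// Conditional bindings are only returned when version 3 is requested; record that version so the policy is written back at it rather than at the default.` The same point applies to `spannerPolicy.Version = iamPolicyVersion` in the SetResourceIamPolicy hunk below and to the matching hunks in google-beta/iam_spanner_instance.go. Both functions begin outside the hunk.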
@@ -95,6 +99,8 @@ func (u *SpannerInstanceIamUpdater) SetResourceIamPolicy(policy *cloudresourcema
 return errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 }
 
+ spannerPolicy.Version = iamPolicyVersion
+
 userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
 if err != nil {
 return err
diff --git a/google-beta/resource_spanner_database_iam_test.go b/google-beta/resource_spanner_database_iam_test.go
index a3fe68987b..cbafe94dcf 100644
--- a/google-beta/resource_spanner_database_iam_test.go
+++ b/google-beta/resource_spanner_database_iam_test.go
@@ -59,6 +59,7 @@ func TestAccSpannerDatabaseIamMember(t *testing.T) {
 role := "roles/spanner.databaseAdmin"
 database := fmt.Sprintf("tf-test-%s", randString(t, 10))
 instance := fmt.Sprintf("tf-test-%s", randString(t, 10))
+ conditionTitle := "Access only database one"
 
 vcrTest(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
@@ -70,11 +71,11 @@ func TestAccSpannerDatabaseIamMember(t *testing.T) {
 },
 {
 ResourceName: "google_spanner_database_iam_member.foo",
- ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com", spannerDatabaseId{
+ ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com %s", spannerDatabaseId{
 Instance: instance,
 Database: database,
 Project: project,
- }.terraformId(), role, account, project),
+ }.terraformId(), role, account, project, conditionTitle),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -207,6 +208,10 @@ resource "google_spanner_database_iam_member" "foo" {
 instance = google_spanner_database.database.instance
 role = "%s"
 member = "serviceAccount:${google_service_account.test_account.email}"
+ condition {
+ title = "Access only database one"
+ expression = "resource.type == \"spanner.googleapis.com/DatabaseRole\" && resource.name.endsWith(\"/databaseRoles/parent\")"
+ }
 }
 `, account, instance, instance, database, roleId)
 }
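Review bot: In the `@@ -207,6 +208,10 @@` hunk the condition title is a second copy of the literal already bound to `conditionTitle` earlier in TestAccSpannerDatabaseIamMember; the HCL comes from a separate helper whose only arguments are `account, instance, instance, database, roleId`, so the import ID and the configured binding can silently drift apart if either string is edited, and the import step would then stop exercising the conditional binding without anyone noticing. Defining the title once as a package-level constant and passing it into the config helper through an extra `%s` would keep the two in step. A comment on the import ID format would also help, e.g. `// Import ID for a conditional member binding: "<terraform id> <role> <member> <condition title>"`. The same duplication is present in google-beta/resource_spanner_instance_iam_test.go.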
diff --git a/google-beta/resource_spanner_instance_iam_test.go b/google-beta/resource_spanner_instance_iam_test.go
index e95dda15b1..6c47512f5e 100644
--- a/google-beta/resource_spanner_instance_iam_test.go
+++ b/google-beta/resource_spanner_instance_iam_test.go
@@ -55,6 +55,7 @@ func TestAccSpannerInstanceIamMember(t *testing.T) {
 account := fmt.Sprintf("tf-test-%d", randInt(t))
 role := "roles/spanner.databaseAdmin"
 instance := fmt.Sprintf("tf-test-%s", randString(t, 10))
+ conditionTitle := "Access only database one"
 
 vcrTest(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
@@ -66,10 +67,10 @@ func TestAccSpannerInstanceIamMember(t *testing.T) {
 },
 {
 ResourceName: "google_spanner_instance_iam_member.foo",
- ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com", spannerInstanceId{
+ ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com %s", spannerInstanceId{
 Instance: instance,
 Project: project,
- }.terraformId(), role, account, project),
+ }.terraformId(), role, account, project, conditionTitle),
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -179,6 +180,10 @@ resource "google_spanner_instance_iam_member" "foo" {
 instance = google_spanner_instance.instance.name
 role = "%s"
 member = "serviceAccount:${google_service_account.test_account.email}"
+ condition {
+ title = "Access only database one"
+ expression = "resource.type == \"spanner.googleapis.com/DatabaseRole\" && resource.name.endsWith(\"/databaseRoles/parent\")"
+ }
 }
 `, account, instance, instance, roleId)
 }