Adding TF support for Tenancy APIs for Membership RBAC Role Bindings (G…

…oogleCloudPlatform#8440) Co-authored-by: hkundag <[email protected]>
joelkattapuram · Sep 20, 2023 · 038f3f3 · 038f3f3
1 parent 9d4ed6d
commit 038f3f3
Show file tree

Hide file tree

Showing 2 changed files with 178 additions and 0 deletions.
diff --git a/mmv1/products/gkehub2/MembershipRBACRoleBinding.yaml b/mmv1/products/gkehub2/MembershipRBACRoleBinding.yaml
@@ -0,0 +1,149 @@
+# Copyright 2023 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Resource
+name: 'MembershipRBACRoleBinding'
+base_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings'
+create_url: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/?rbacrolebinding_id={{membership_rbac_role_binding_id}}'
+self_link: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/{{membership_rbac_role_binding_id}}'
+immutable: true
+description: |
+  RBACRoleBinding represents a rbacrolebinding across the Fleet.
+references: !ruby/object:Api::Resource::ReferenceLinks
+  guides:
+    'Registering a Cluster': 'https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster#register_cluster'
+  api: 'https://cloud.google.com/anthos/fleet-management/docs/reference/rest/v1/projects.locations.memberships'
+async: !ruby/object:Api::OpAsync
+  operation: !ruby/object:Api::OpAsync::Operation
+    kind: 'gkehub#operation'
+    path: 'name'
+    base_url: '{{op_id}}'
+    wait_ms: 1000
+  result: !ruby/object:Api::OpAsync::Result
+    path: 'response'
+    resource_inside_response: true
+  status: !ruby/object:Api::OpAsync::Status
+    path: 'done'
+    complete: 'true'
+    allowed:
+      - 'true'
+      - 'false'
+  error: !ruby/object:Api::OpAsync::Error
+    path: 'error/errors'
+    message: 'message'
+autogen_async: true
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'gkehub_membership_rbac_role_binding_basic'
+    primary_resource_name: 'fmt.Sprintf(\"tf-test-membership%s\", context[\"random_suffix\"]), fmt.Sprintf(\"tf-test-rbac-role-binding%s\", context[\"random_suffix\"])'
+    primary_resource_id: 'membershiprbacrolebinding'
+    vars:
+      cluster_name: "basiccluster"
+    test_env_vars:
+      project: :PROJECT_NAME
+      location: 'global'
+# Skip sweeper gen since this is a child resource.
+skip_sweeper: true
+id_format: 'projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/{{membership_rbac_role_binding_id}}'
+import_format:
+  ['projects/{{project}}/locations/{{location}}/memberships/{{membership_id}}/rbacrolebindings/{{membership_rbac_role_binding_id}}']
+parameters:
+  - !ruby/object:Api::Type::String
+    name: 'membership_id'
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      Id of the membership
+  - !ruby/object:Api::Type::String
+    name: 'location'
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      Location of the Membership
+properties:
+  - !ruby/object:Api::Type::String
+    name: 'membershipRbacRoleBindingId'
+    description: |
+      The client-provided identifier of the RBAC Role Binding.
+    required: true
+    immutable: true
+    url_param_only: true
+  - !ruby/object:Api::Type::String
+    name: 'name'
+    output: true
+    description: |
+      The resource name for the RBAC Role Binding
+  - !ruby/object:Api::Type::String
+    name: 'uid'
+    output: true
+    description: |
+      Google-generated UUID for this resource.
+  - !ruby/object:Api::Type::Time
+    name: 'createTime'
+    description: |
+      Time the RBAC Role Binding was created in UTC.
+    output: true
+  - !ruby/object:Api::Type::Time
+    name: 'updateTime'
+    description: |
+      Time the RBAC Role Binding was updated in UTC.
+    output: true
+  - !ruby/object:Api::Type::Time
+    name: 'deleteTime'
+    description: |
+      Time the RBAC Role Binding was deleted in UTC.
+    output: true
+  - !ruby/object:Api::Type::NestedObject
+    name: 'state'
+    description: |
+      State of the RBAC Role Binding resource.
+    output: true
+    properties:
+      - !ruby/object:Api::Type::Enum
+        name: 'code'
+        description: |
+          Code describes the state of a RBAC Role Binding resource.
+        output: true
+        values:
+          - :CODE_UNSPECIFIED
+          - :CREATING
+          - :READY
+          - :DELETING
+          - :UPDATING
+  - !ruby/object:Api::Type::String
+    name: 'user'
+    description: |
+      Principal that is be authorized in the cluster (at least of one the oneof
+      is required). Updating one will unset the other automatically.
+      user is the name of the user as seen by the kubernetes cluster, example
+      "alice" or "[email protected]"
+    required: true
+  - !ruby/object:Api::Type::NestedObject
+    name: 'role'
+    description: |
+      Role to bind to the principal.
+    required: true
+    properties:
+      - !ruby/object:Api::Type::Enum
+        name: 'predefinedRole'
+        description: |
+          PredefinedRole is an ENUM representation of the default Kubernetes Roles
+        required: true
+        values:
+          - :UNKNOWN
+          - :ADMIN
+          - :EDIT
+          - :VIEW
+          - :ANTHOS_SUPPORT
diff --git a/mmv1/templates/terraform/examples/gkehub_membership_rbac_role_binding_basic.tf.erb b/mmv1/templates/terraform/examples/gkehub_membership_rbac_role_binding_basic.tf.erb
@@ -0,0 +1,29 @@
+resource "google_container_cluster" "primary" {
+  name               = "<%= ctx[:vars]['cluster_name'] %>"
+  location           = "us-central1-a"
+  initial_node_count = 1
+}
+
+resource "google_gke_hub_membership" "<%= ctx[:primary_resource_id] %>" {
+  membership_id = "tf-test-membership%{random_suffix}"
+  endpoint {
+    gke_cluster {
+      resource_link = "//container.googleapis.com/${google_container_cluster.primary.id}"
+    }
+  }
+
+  depends_on = [google_container_cluster.primary]
+}
+
+resource "google_gke_hub_membership_rbac_role_binding" "<%= ctx[:primary_resource_id] %>" {
+  membership_rbac_role_binding_id = "tf-test-membership-rbac-role-binding%{random_suffix}"
+  membership_id = "tf-test-membership%{random_suffix}"
+  user = "service-${data.google_project.project.number}@gcp-sa-anthossupport.iam.gserviceaccount.com"
+  role {
+    predefined_role = "ANTHOS_SUPPORT"
+  }
+  location = "global"
+  depends_on = [google_gke_hub_membership.<%= ctx[:primary_resource_id] %>]
+}
+
+data "google_project" "project" {}