Added a magic modules resource definition for IcebergCatalog resource (#15924)

Co-authored-by: Ning Kang <[email protected]>

Author: nika-qubit

mmv1/products/biglakeiceberg/IcebergCatalog.yaml

@@ -0,0 +1,129 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'IcebergCatalog'
+description: |
+  IcebergCatalogs are top-level containers for Apache Iceberg REST Catalog served Namespaces and Tables.
+references:
+  guides:
+    'Use the BigLake metastore Iceberg REST catalog': 'https://docs.cloud.google.com/biglake/docs/blms-rest-catalog'
+base_url: 'restcatalog/extensions/projects/{{project}}/catalogs'
+self_link: 'restcatalog/extensions/projects/{{project}}/catalogs/{{name}}'
+immutable: false
+create_url: 'restcatalog/extensions/projects/{{project}}/catalogs?iceberg-catalog-id={{name}}'
+custom_code:
+  custom_update:
+    templates/terraform/custom_update/biglake_iceberg_catalog_update.go.tmpl
+examples:
+  - name: 'biglake_iceberg_catalog'
+    primary_resource_id: 'my_iceberg_catalog'
+    vars:
+      name: 'my_iceberg_catalog'
+parameters:
+  - name: 'name'
+    type: String
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The name of the IcebergCatalog. Format:
+      projects/{project_id_or_number}/catalogs/{iceberg_catalog_id}
+properties:
+  - name: 'credential_mode'
+    api_name: 'credential-mode'
+    type: Enum
+    description: The credential mode used for the catalog.
+      CREDENTIAL_MODE_END_USER - End user credentials, default. The authenticating
+      user must have access to the catalog resources and the corresponding Google
+      Cloud Storage files. CREDENTIAL_MODE_VENDED_CREDENTIALS - Use credential
+      vending. The authenticating user must have access to the catalog resources
+      and the system will provide the caller with downscoped credentials to access
+      the Google Cloud Storage files. All table operations in this mode would
+      require `X-Iceberg-Access-Delegation` header with `vended-credentials` value
+      included. System will generate a service account and the catalog
+      administrator must grant the service account appropriate permissions.
+    required: false
+    immutable: false
+    output: false
+    enum_values:
+      - 'CREDENTIAL_MODE_END_USER'
+      - 'CREDENTIAL_MODE_VENDED_CREDENTIALS'
+    default_from_api: true
+  - name: 'biglake_service_account'
+    api_name: 'biglake-service-account'
+    type: String
+    description: Output only. The service account used for credential vending. It
+      might be empty if credential vending was never enabled for the catalog.
+    output: true
+  - name: 'catalog_type'
+    api_name: 'catalog-type'
+    type: Enum
+    description: The catalog type of the IcebergCatalog. Currently only supports
+      the type for Google Cloud Storage Buckets.
+    required: true
+    immutable: true
+    output: false
+    enum_values:
+      - 'CATALOG_TYPE_GCS_BUCKET'
+  - name: 'default_location'
+    api_name: 'default-location'
+    type: String
+    description: Output only. The default storage location for the catalog, e.g.,
+      `gs://my-bucket`.
+    output: true
+  - name: 'storage_regions'
+    api_name: 'storage-regions'
+    type: Array
+    item_type:
+      type: String
+    description: Output only. The GCP region(s) where the physical metadata for
+      the tables is stored, e.g. `us-central1`, `nam4` or `us`. This will contain
+      one value for all locations, except for the catalogs that are configured to
+      use custom dual region buckets.
+    output: true
+  - name: 'create_time'
+    api_name: 'create-time'
+    type: String
+    description: Output only. The creation time of the IcebergCatalog.
+    output: true
+  - name: 'update_time'
+    api_name: 'update-time'
+    type: String
+    description: Output only. The last modification time of the IcebergCatalog.
+    output: true
+  - name: 'replicas'
+    type: Array
+    item_type:
+      type: NestedObject
+      properties:
+        - name: 'region'
+          type: String
+          description: The region of the replica, e.g., `us-east1`.
+          output: true
+        - name: 'state'
+          type: Enum
+          description: If the IcebergCatalog is replicated to multiple regions, this
+            describes the current state of the replica. STATE_UNKNOWN - The replica
+            state is unknown. STATE_PRIMARY - The replica is the writable primary.
+            STATE_PRIMARY_IN_PROGRESS - The replica has been recently assigned as
+            the primary, but not all namespaces are writeable yet. STATE_SECONDARY -
+            The replica is a read-only secondary replica.
+          output: true
+          enum_values:
+            - 'STATE_UNKNOWN'
+            - 'STATE_PRIMARY'
+            - 'STATE_PRIMARY_IN_PROGRESS'
+            - 'STATE_SECONDARY'
+    description: Output only. The replicas for the catalog metadata.
+    output: true

mmv1/products/biglakeiceberg/product.yaml

@@ -0,0 +1,23 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'BiglakeIceberg'
+legacy_name: 'biglake'
+display_name: 'Biglake'
+versions:
+  - name: 'ga'
+    base_url: 'https://biglake.googleapis.com/iceberg/v1/'
+scopes:
+  - 'https://www.googleapis.com/auth/bigquery'
+  - 'https://www.googleapis.com/auth/cloud-platform'

mmv1/templates/terraform/custom_update/biglake_iceberg_catalog_update.go.tmpl

@@ -0,0 +1,70 @@
+userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+if err != nil {
+  return err
+}
+
+billingProject := ""
+
+project, err := tpgresource.GetProject(d, config)
+if err != nil {
+  return fmt.Errorf("Error fetching project for IcebergCatalog: %s", err)
+}
+billingProject = project
+
+obj := make(map[string]interface{})
+credentialModeProp, err := expandBiglakeIcebergIcebergCatalogCredentialMode(d.Get("credential_mode"), d, config)
+if err != nil {
+  return err
+} else if v, ok := d.GetOkExists("credential_mode"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, credentialModeProp)) {
+  obj["credential-mode"] = credentialModeProp
+}
+
+url, err := tpgresource.ReplaceVars(d, config, "{{"{{"}}BiglakeIcebergBasePath{{"}}"}}restcatalog/extensions/projects/{{"{{"}}project{{"}}"}}/catalogs/{{"{{"}}name{{"}}"}}")
+if err != nil {
+  return err
+}
+
+log.Printf("[DEBUG] Updating IcebergCatalog %q: %#v", d.Id(), obj)
+headers := make(http.Header)
+updateMask := []string{}
+
+// The custom logic is that server only respects property name not the json name for updateMask.
+// This will apply to all future updateable fields if they have a kebab-case json name override.
+// This does not apply to any field with a camelCase or snake_case name.
+if d.HasChange("credential_mode") {
+  updateMask = append(updateMask, "credential_mode")
+}
+// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+// won't set it
+url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+if err != nil {
+  return err
+}
+
+// err == nil indicates that the billing_project value was found
+if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+  billingProject = bp
+}
+
+// if updateMask is empty we are not updating anything so skip the post
+if len(updateMask) > 0 {
+  res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+    Config:    config,
+    Method:    "PATCH",
+    Project:   billingProject,
+    RawURL:    url,
+    UserAgent: userAgent,
+    Body:      obj,
+    Timeout:   d.Timeout(schema.TimeoutUpdate),
+    Headers:   headers,
+  })
+
+  if err != nil {
+    return fmt.Errorf("Error updating IcebergCatalog %q: %s", d.Id(), err)
+  } else {
+    log.Printf("[DEBUG] Finished updating IcebergCatalog %q: %#v", d.Id(), res)
+  }
+
+}
+
+return resourceBiglakeIcebergIcebergCatalogRead(d, meta)

mmv1/templates/terraform/examples/biglake_iceberg_catalog.tf.tmpl

@@ -0,0 +1,14 @@
+resource "google_storage_bucket" "bucket_for_{{$.PrimaryResourceId}}" {
+  name          = "{{index $.Vars "name"}}"
+  location      = "us-central1"
+  force_destroy = true
+  uniform_bucket_level_access = true
+}
+
+resource "google_biglake_iceberg_catalog" "{{$.PrimaryResourceId}}" {
+    name = "{{index $.Vars "name"}}"
+    catalog_type = "CATALOG_TYPE_GCS_BUCKET"
+    depends_on = [
+      google_storage_bucket.bucket_for_{{$.PrimaryResourceId}}
+    ]
+}

mmv1/third_party/terraform/.teamcity/components/inputs/services_beta.kt

@@ -91,6 +91,11 @@ var ServicesListBeta = mapOf(
         "displayName" to "Biglake",
         "path" to "./google-beta/services/biglake"
     ),
+    "biglakeiceberg" to mapOf(
+        "name" to "biglakeiceberg",
+        "displayName" to "BiglakeIceberg",
+        "path" to "./google-beta/services/biglakeiceberg"
+    ),
     "bigquery" to mapOf(
         "name" to "bigquery",
         "displayName" to "Bigquery",

mmv1/third_party/terraform/.teamcity/components/inputs/services_ga.kt

@@ -91,6 +91,11 @@ var ServicesListGa = mapOf(
         "displayName" to "Biglake",
         "path" to "./google/services/biglake"
     ),
+    "biglakeiceberg" to mapOf(
+        "name" to "biglakeiceberg",
+        "displayName" to "BiglakeIceberg",
+        "path" to "./google/services/biglakeiceberg"
+    ),
     "bigquery" to mapOf(
         "name" to "bigquery",
         "displayName" to "Bigquery",

mmv1/third_party/terraform/services/biglakeiceberg/resource_biglake_iceberg_catalog_test.go

@@ -0,0 +1,111 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This file is automatically generated by Magic Modules and manual
+//     changes will be clobbered when the file is regenerated.
+//
+//     Please read more about how to change this file in
+//     .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package biglakeiceberg_test
+
+import (
+	"fmt"
+	"log"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+
+	"google.golang.org/api/googleapi"
+)
+
+var (
+	_ = fmt.Sprintf
+	_ = log.Print
+	_ = strconv.Atoi
+	_ = strings.Trim
+	_ = time.Now
+	_ = resource.TestMain
+	_ = terraform.NewState
+	_ = envvar.TestEnvVar
+	_ = tpgresource.SetLabels
+	_ = transport_tpg.Config{}
+	_ = googleapi.Error{}
+)
+
+func TestAccBiglakeIcebergIcebergCatalog_biglakeIcebergCatalog_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBiglakeIcebergIcebergCatalogDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBiglakeIcebergIcebergCatalog_biglakeIcebergCatalogExample(context),
+			},
+			{
+				ResourceName:            "google_biglake_iceberg_catalog.my_iceberg_catalog",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name"},
+			},
+			{
+				Config: testAccBiglakeIcebergIcebergCatalog_biglakeIcebergCatalog_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_biglake_iceberg_catalog.my_iceberg_catalog", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_biglake_iceberg_catalog.my_iceberg_catalog",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name"},
+			},
+		},
+	})
+}
+
+func testAccBiglakeIcebergIcebergCatalog_biglakeIcebergCatalog_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_storage_bucket" "bucket_for_my_iceberg_catalog" {
+  name          = "tf_test_my_iceberg_catalog%{random_suffix}"
+  location      = "us-central1"
+  force_destroy = true
+  uniform_bucket_level_access = true
+}
+
+resource "google_biglake_iceberg_catalog" "my_iceberg_catalog" {
+    name = "tf_test_my_iceberg_catalog%{random_suffix}"
+    catalog_type = "CATALOG_TYPE_GCS_BUCKET"
+		credential_mode = "CREDENTIAL_MODE_VENDED_CREDENTIALS"
+    depends_on = [
+      google_storage_bucket.bucket_for_my_iceberg_catalog
+    ]
+}
+`, context)
+}