Add new resource ProjectKajPolicyConfig (#15257)

Author: chengliwm

mmv1/products/kms/ProjectKajPolicyConfig.yaml

@@ -0,0 +1,95 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'ProjectKajPolicyConfig'
+api_resource_type_kind: KeyAccessJustificationsPolicyConfig
+api_variant_patterns:
+  - 'projects/{{project}}/kajPolicyConfig'
+description: |
+  `ProjectKajPolicyConfig` is a project-level singleton resource
+  used to configure the default KAJ policy of newly created key.
+
+  ~> **Note:**  ProjectKajPolicyConfig cannot be deleted from Google Cloud Platform.
+  Destroying a Terraform-managed  ProjectKajPolicyConfig will remove it from state but
+  *will not delete the resource from Google Cloud Platform.*
+min_version: 'beta'
+references:
+  guides:
+    'Set default Key Access Justifications policy': 'https://cloud.google.com/assured-workloads/key-access-justifications/docs/set-default-policy'
+  api: 'https://cloud.google.com/kms/docs/reference/rest/v1/KeyAccessJustificationsPolicyConfig'
+docs:
+id_format: 'projects/{{project}}/kajPolicyConfig'
+base_url: 'projects/{{project}}/kajPolicyConfig'
+self_link: 'projects/{{project}}/kajPolicyConfig'
+# This is a singleton resource that is already created, so create
+# is really an update, and therefore should be PATCHed.
+create_url: 'projects/{{project}}/kajPolicyConfig?updateMask=defaultKeyAccessJustificationPolicy'
+create_verb: 'PATCH'
+update_url: 'projects/{{project}}/kajPolicyConfig?updateMask=defaultKeyAccessJustificationPolicy'
+update_verb: 'PATCH'
+# This is a singleton resource that cannot be deleted.
+exclude_delete: true
+exclude_sweeper: true
+import_format:
+  - 'projects/{{project}}/kajPolicyConfig'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_code:
+  post_create: 'templates/terraform/post_create/sleep_1_min.go.tmpl'
+  post_update: 'templates/terraform/post_create/sleep_1_min.go.tmpl'
+examples:
+  - name: 'kms_project_kaj_policy_config_basic'
+    primary_resource_id: 'example'
+    min_version: 'beta'
+    vars:
+      project_id: 'my-project'
+    test_env_vars:
+      org_id: 'ORG_ID'
+      billing_account: 'BILLING_ACCT'
+    external_providers: ["time"]
+parameters:
+properties:
+  - name: 'defaultKeyAccessJustificationPolicy'
+    type: NestedObject
+    description: |
+      The default key access justification policy used when a CryptoKey is
+      created in this project. This is only used when a Key Access Justifications
+      policy is not provided in the CreateCryptoKeyRequest.
+    properties:
+      - name: 'allowedAccessReasons'
+        type: Array
+        description: |
+          A KeyAccessJustificationsPolicy specifies zero or more allowed
+          AccessReason values for encrypt, decrypt, and sign operations on a
+          CryptoKey.
+        item_type:
+          type: Enum
+          description: |
+            Describes the reason for a data access. Please refer to
+            https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+            for the detailed semantic meaning of justification reason codes.
+          enum_values:
+            - 'CUSTOMER_INITIATED_SUPPORT'
+            - 'GOOGLE_INITIATED_SERVICE'
+            - 'THIRD_PARTY_DATA_REQUEST'
+            - 'GOOGLE_INITIATED_REVIEW'
+            - 'CUSTOMER_INITIATED_ACCESS'
+            - 'GOOGLE_INITIATED_SYSTEM_OPERATION'
+            - 'REASON_NOT_EXPECTED'
+            - 'MODIFIED_CUSTOMER_INITIATED_ACCESS'
+            - 'MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION'
+            - 'GOOGLE_RESPONSE_TO_PRODUCTION_ALERT'
+            - 'CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING'

mmv1/templates/terraform/examples/kms_project_kaj_policy_config_basic.tf.tmpl

@@ -0,0 +1,35 @@
+# Create a project
+resource "google_project" "kms_project" {
+  provider        = google-beta
+  project_id      = "{{index $.Vars "project_id"}}"
+  name            = "{{index $.Vars "project_id"}}"
+  org_id      	  = "{{index $.TestEnvVars "org_id"}}"
+  billing_account = "{{index $.TestEnvVars "billing_account"}}"
+  deletion_policy = "DELETE"
+}
+
+# Enable the Cloud KMS API.
+resource "google_project_service" "kms_api_service" {
+  provider                   = google-beta
+  service                    = "cloudkms.googleapis.com"
+  project                    = google_project.kms_project.project_id
+  disable_dependent_services = true
+  depends_on                 = [google_project.kms_project]
+}
+
+resource "time_sleep" "wait_enable_service_api" {
+	depends_on	= [google_project_service.kms_api_service]
+	create_duration	= "30s"
+}
+
+resource "google_kms_project_kaj_policy_config" "{{$.PrimaryResourceId}}" {
+	provider 				= google-beta
+	project 				= google_project.kms_project.project_id
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+			"GOOGLE_INITIATED_SYSTEM_OPERATION",
+		]
+	}
+  	depends_on                 		= [time_sleep.wait_enable_service_api]
+}

mmv1/third_party/terraform/services/kms/resource_kms_project_kaj_policy_config_test.go.tmpl

@@ -0,0 +1,133 @@
+package kms_test
+
+{{- if ne $.TargetVersionName "ga" }}
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccKMSProjectKajPolicyConfig_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+                "billing_account": envvar.GetTestBillingAccountFromEnv(t),
+                "org_id":          envvar.GetTestOrgFromEnv(t),
+                "random_suffix":   acctest.RandString(t, 10),
+        }
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+                        "time": {},
+                },
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKMSProjectKajPolicyConfig_basic(context),
+			},
+			{
+				ResourceName:      "google_kms_project_kaj_policy_config.example",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccKMSProjectKajPolicyConfig_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_kms_project_kaj_policy_config.example", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:      "google_kms_project_kaj_policy_config.example",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccKMSProjectKajPolicyConfig_basic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+# Create a project
+resource "google_project" "kms_project" {
+  provider        = google-beta
+  project_id      = "tf-test-my-project%{random_suffix}"
+  name            = "tf-test-my-project%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+  deletion_policy = "DELETE"
+}
+
+# Enable the Cloud KMS API.
+resource "google_project_service" "kms_api_service" {
+  provider                   = google-beta
+  service                    = "cloudkms.googleapis.com"
+  project                    = google_project.kms_project.project_id
+  disable_dependent_services = true
+  depends_on                 = [google_project.kms_project]
+}
+
+resource "time_sleep" "wait_enable_service_api" {
+        depends_on      = [google_project_service.kms_api_service]
+        create_duration = "30s"
+}
+
+resource "google_kms_project_kaj_policy_config" "example" {
+        provider                                = google-beta
+        project                                 = google_project.kms_project.project_id
+        default_key_access_justification_policy {
+                allowed_access_reasons = [
+                        "CUSTOMER_INITIATED_ACCESS",
+                        "GOOGLE_INITIATED_SYSTEM_OPERATION",
+                ]
+        }
+	depends_on                              = [time_sleep.wait_enable_service_api]
+}
+`, context)
+}
+
+func testAccKMSProjectKajPolicyConfig_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+# Create a project
+resource "google_project" "kms_project" {
+  provider        = google-beta
+  project_id      = "tf-test-my-project%{random_suffix}"
+  name            = "tf-test-my-project%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+  deletion_policy = "DELETE"
+}
+
+# Enable the Cloud KMS API.
+resource "google_project_service" "kms_api_service" {
+  provider                   = google-beta
+  service                    = "cloudkms.googleapis.com"
+  project                    = google_project.kms_project.project_id
+  disable_dependent_services = true
+  depends_on                 = [google_project.kms_project]
+}
+
+resource "time_sleep" "wait_enable_service_api" {
+        depends_on      = [google_project_service.kms_api_service]
+        create_duration = "30s"
+}
+
+resource "google_kms_project_kaj_policy_config" "example" {
+        provider                                = google-beta
+        project                                 = google_project.kms_project.project_id
+        default_key_access_justification_policy {
+                allowed_access_reasons = [
+                        "CUSTOMER_INITIATED_ACCESS",
+                ]
+        }
+	depends_on                              = [time_sleep.wait_enable_service_api]
+}
+`, context)
+}
+{{- end}}