bigquery: support for IAM conditions in all google_bigquery_dataset_iam_* resources (#15337)

Author: ramonvermeulen

mmv1/third_party/terraform/services/bigquery/iam_bigquery_dataset.go

@@ -14,6 +14,24 @@ import (
 	"google.golang.org/api/cloudresourcemanager/v1"
 )
 
+type conditionKey struct {
+	Description string
+	Expression  string
+	Title       string
+}
+
+type iamBindingKey struct {
+	Role      string
+	Condition conditionKey
+}
+
+func conditionKeyFromCondition(condition *cloudresourcemanager.Expr) conditionKey {
+	if condition == nil {
+		return conditionKey{}
+	}
+	return conditionKey{Description: condition.Description, Expression: condition.Expression, Title: condition.Title}
+}
+
 var IamBigqueryDatasetSchema = map[string]*schema.Schema{
 	"dataset_id": {
 		Type:     schema.TypeString,
@@ -77,8 +95,12 @@ func BigqueryDatasetIdParseFunc(d *schema.ResourceData, config *transport_tpg.Co
 	return nil
 }
 
+func (u *BigqueryDatasetIamUpdater) policyURL() string {
+	return fmt.Sprintf("%s%s?accessPolicyVersion=3", u.Config.BigQueryBasePath, u.GetResourceId())
+}
+
 func (u *BigqueryDatasetIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
-	url := fmt.Sprintf("%s%s", u.Config.BigQueryBasePath, u.GetResourceId())
+	url := u.policyURL()
 
 	userAgent, err := tpgresource.GenerateUserAgentString(u.d, u.Config.UserAgent)
 	if err != nil {
@@ -104,7 +126,7 @@ func (u *BigqueryDatasetIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 }
 
 func (u *BigqueryDatasetIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
-	url := fmt.Sprintf("%s%s", u.Config.BigQueryBasePath, u.GetResourceId())
+	url := u.policyURL()
 
 	access, err := policyToAccess(policy)
 	if err != nil {
@@ -138,7 +160,7 @@ func accessToPolicy(access interface{}) (*cloudresourcemanager.Policy, error) {
 	if access == nil {
 		return nil, nil
 	}
-	roleToBinding := make(map[string]*cloudresourcemanager.Binding)
+	roleToBinding := make(map[iamBindingKey]*cloudresourcemanager.Binding)
 
 	accessArr := access.([]interface{})
 	for _, v := range accessArr {
@@ -158,20 +180,32 @@ func accessToPolicy(access interface{}) (*cloudresourcemanager.Policy, error) {
 		if err != nil {
 			return nil, err
 		}
-		// We have to combine bindings manually
-		binding, ok := roleToBinding[role]
+
+		var condition *cloudresourcemanager.Expr
+		if rawCondition, ok := memberRole["condition"]; ok {
+			conditionMap := rawCondition.(map[string]interface{})
+			expr := conditionMap["expression"].(string)
+			condition = &cloudresourcemanager.Expr{Expression: expr}
+			if title, ok := conditionMap["title"].(string); ok {
+				condition.Title = title
+			}
+			if desc, ok := conditionMap["description"].(string); ok {
+				condition.Description = desc
+			}
+		}
+
+		key := iamBindingKey{Role: role, Condition: conditionKeyFromCondition(condition)}
+		binding, ok := roleToBinding[key]
 		if !ok {
-			binding = &cloudresourcemanager.Binding{Role: role, Members: []string{}}
+			binding = &cloudresourcemanager.Binding{Role: role, Members: []string{}, Condition: condition}
 		}
 		binding.Members = append(binding.Members, member)
-
-		roleToBinding[role] = binding
+		roleToBinding[key] = binding
 	}
-	bindings := make([]*cloudresourcemanager.Binding, 0)
+	bindings := make([]*cloudresourcemanager.Binding, 0, len(roleToBinding))
 	for _, v := range roleToBinding {
 		bindings = append(bindings, v)
 	}
-
 	return &cloudresourcemanager.Policy{Bindings: bindings}, nil
 }
 
@@ -181,9 +215,6 @@ func policyToAccess(policy *cloudresourcemanager.Policy) ([]map[string]interface
 		return nil, errors.New("Access policies not allowed on BigQuery Dataset IAM policies")
 	}
 	for _, binding := range policy.Bindings {
-		if binding.Condition != nil {
-			return nil, errors.New("IAM conditions not allowed on BigQuery Dataset IAM")
-		}
 		if fullRole, ok := bigqueryAccessPrimitiveToRoleMap[binding.Role]; ok {
 			return nil, fmt.Errorf("BigQuery Dataset legacy role %s is not allowed when using google_bigquery_dataset_iam resources. Please use the full form: %s", binding.Role, fullRole)
 		}
@@ -195,6 +226,9 @@ func policyToAccess(policy *cloudresourcemanager.Policy) ([]map[string]interface
 			access := map[string]interface{}{
 				"role": binding.Role,
 			}
+			if binding.Condition != nil {
+				access["condition"] = binding.Condition
+			}
 			memberType, member, err := iamMemberToAccess(member)
 			if err != nil {
 				return nil, err
@@ -263,11 +297,14 @@ func accessToIamMember(access map[string]interface{}) (string, error) {
 		return "", fmt.Errorf("Failed to convert BigQuery Dataset access to IAM member. To use views with a dataset, please use dataset_access")
 	}
 	if member, ok := access["userByEmail"]; ok {
-		// service accounts have "gservice" in their email. This is best guess due to lost information
-		if strings.Contains(member.(string), "gserviceaccount") {
-			return fmt.Sprintf("serviceAccount:%s", member.(string)), nil
+		ms := member.(string)
+		if strings.HasPrefix(ms, "deleted:serviceAccount:") {
+			return ms, nil
+		}
+		if strings.Contains(ms, "gserviceaccount") {
+			return fmt.Sprintf("serviceAccount:%s", ms), nil
 		}
-		return fmt.Sprintf("user:%s", member.(string)), nil
+		return fmt.Sprintf("user:%s", ms), nil
 	}
 	return "", fmt.Errorf("Failed to identify IAM member from BigQuery Dataset access: %v", access)
 }

mmv1/third_party/terraform/services/bigquery/iam_bigquery_member_dataset.go

@@ -65,8 +65,12 @@ func NewBigqueryDatasetIamMemberUpdater(d tpgresource.TerraformResourceData, con
 	}, nil
 }
 
+func (u *BigqueryDatasetIamMemberUpdater) policyURL() string {
+	return fmt.Sprintf("%s%s?accessPolicyVersion=3", u.Config.BigQueryBasePath, u.GetResourceId())
+}
+
 func (u *BigqueryDatasetIamMemberUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
-	url := fmt.Sprintf("%s%s", u.Config.BigQueryBasePath, u.GetResourceId())
+	url := u.policyURL()
 
 	userAgent, err := tpgresource.GenerateUserAgentString(u.d, u.Config.UserAgent)
 	if err != nil {
@@ -92,7 +96,7 @@ func (u *BigqueryDatasetIamMemberUpdater) GetResourceIamPolicy() (*cloudresource
 }
 
 func GetCurrentResourceAccess(u *BigqueryDatasetIamMemberUpdater) ([]interface{}, error) {
-	url := fmt.Sprintf("%s%s", u.Config.BigQueryBasePath, u.GetResourceId())
+	url := u.policyURL()
 
 	userAgent, err := tpgresource.GenerateUserAgentString(u.d, u.Config.UserAgent)
 	if err != nil {
@@ -141,7 +145,7 @@ func mergeAccess(newAccess []map[string]interface{}, currAccess []interface{}) [
 }
 
 func (u *BigqueryDatasetIamMemberUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
-	url := fmt.Sprintf("%s%s", u.Config.BigQueryBasePath, u.GetResourceId())
+	url := u.policyURL()
 
 	newAccess, err := policyToAccessForIamMember(policy)
 	if err != nil {
@@ -183,7 +187,7 @@ func accessToPolicyForIamMember(access interface{}) (*cloudresourcemanager.Polic
 	if access == nil {
 		return nil, nil
 	}
-	roleToBinding := make(map[string]*cloudresourcemanager.Binding)
+	roleToBinding := make(map[iamBindingKey]*cloudresourcemanager.Binding)
 
 	accessArr := access.([]interface{})
 	for _, v := range accessArr {
@@ -203,16 +207,29 @@ func accessToPolicyForIamMember(access interface{}) (*cloudresourcemanager.Polic
 		if err != nil {
 			return nil, err
 		}
-		// We have to combine bindings manually
-		binding, ok := roleToBinding[role]
+
+		var condition *cloudresourcemanager.Expr
+		if rawCondition, ok := memberRole["condition"]; ok {
+			conditionMap := rawCondition.(map[string]interface{})
+			expr := conditionMap["expression"].(string)
+			condition = &cloudresourcemanager.Expr{Expression: expr}
+			if title, ok := conditionMap["title"].(string); ok {
+				condition.Title = title
+			}
+			if desc, ok := conditionMap["description"].(string); ok {
+				condition.Description = desc
+			}
+		}
+
+		key := iamBindingKey{Role: role, Condition: conditionKeyFromCondition(condition)}
+		binding, ok := roleToBinding[key]
 		if !ok {
-			binding = &cloudresourcemanager.Binding{Role: role, Members: []string{}}
+			binding = &cloudresourcemanager.Binding{Role: role, Members: []string{}, Condition: condition}
 		}
 		binding.Members = append(binding.Members, member)
-
-		roleToBinding[role] = binding
+		roleToBinding[key] = binding
 	}
-	bindings := make([]*cloudresourcemanager.Binding, 0)
+	bindings := make([]*cloudresourcemanager.Binding, 0, len(roleToBinding))
 	for _, v := range roleToBinding {
 		bindings = append(bindings, v)
 	}
@@ -226,9 +243,6 @@ func policyToAccessForIamMember(policy *cloudresourcemanager.Policy) ([]map[stri
 		return nil, errors.New("Access policies not allowed on BigQuery Dataset IAM policies")
 	}
 	for _, binding := range policy.Bindings {
-		if binding.Condition != nil {
-			return nil, errors.New("IAM conditions not allowed on BigQuery Dataset IAM")
-		}
 		if fullRole, ok := bigqueryIamMemberAccessPrimitiveToRoleMap[binding.Role]; ok {
 			return nil, fmt.Errorf("BigQuery Dataset legacy role %s is not allowed when using google_bigquery_dataset_iam resources. Please use the full form: %s", binding.Role, fullRole)
 		}
@@ -240,6 +254,9 @@ func policyToAccessForIamMember(policy *cloudresourcemanager.Policy) ([]map[stri
 			access := map[string]interface{}{
 				"role": binding.Role,
 			}
+			if binding.Condition != nil {
+				access["condition"] = binding.Condition
+			}
 			memberType, member, err := iamMemberToAccessForIamMember(member)
 			if err != nil {
 				return nil, err
@@ -308,11 +325,14 @@ func accessToIamMemberForIamMember(access map[string]interface{}) (string, error
 		return "", fmt.Errorf("Failed to convert BigQuery Dataset access to IAM member. To use views with a dataset, please use dataset_access")
 	}
 	if member, ok := access["userByEmail"]; ok {
-		// service accounts have "gservice" in their email. This is best guess due to lost information
-		if strings.Contains(member.(string), "gserviceaccount") {
-			return fmt.Sprintf("serviceAccount:%s", member.(string)), nil
+		ms := member.(string)
+		if strings.HasPrefix(ms, "deleted:") || strings.Contains(ms, "?uid=") {
+			return ms, nil
+		}
+		if strings.Contains(ms, "gserviceaccount") {
+			return fmt.Sprintf("serviceAccount:%s", ms), nil
 		}
-		return fmt.Sprintf("user:%s", member.(string)), nil
+		return fmt.Sprintf("user:%s", ms), nil
 	}
 	return "", fmt.Errorf("Failed to identify IAM member from BigQuery Dataset access: %v", access)
 }

mmv1/third_party/terraform/services/bigquery/resource_bigquery_dataset_iam_member_test.go

@@ -14,6 +14,15 @@ import (
 	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
 )
 
+const (
+	condTitle2050 = "Expire access on 2050-12-31"
+	condExpr2050  = "request.time < timestamp('2050-12-31T23:59:59Z')"
+	condDesc2050  = "This condition will automatically remove access after 2050-12-31"
+	condTitle2040 = "Expire access on 2040-12-31"
+	condExpr2040  = "request.time < timestamp('2040-12-31T23:59:59Z')"
+	condDesc2040  = "This condition will automatically remove access after 2040-12-31"
+)
+
 func TestAccBigqueryDatasetIamMember_afterDatasetCreation(t *testing.T) {
 	t.Parallel()
 
@@ -110,6 +119,36 @@ func TestAccBigqueryDatasetIamMember_serviceAccount(t *testing.T) {
 	})
 }
 
+func TestAccBigqueryDatasetIamMember_iamMemberWithIAMCondition(t *testing.T) {
+	t.Parallel()
+
+	datasetID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
+	wifIDs := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigqueryDatasetIamMember_withServiceAccountAndIAMCondition(datasetID, wifIDs),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_bigquery_dataset_iam_member.access", "condition.0.title", condTitle2050),
+					resource.TestCheckResourceAttr("google_bigquery_dataset_iam_member.access", "condition.0.expression", condExpr2050),
+					resource.TestCheckResourceAttr("google_bigquery_dataset_iam_member.access", "condition.0.description", condDesc2050),
+				),
+			},
+			{
+				Config: testAccBigqueryDatasetIamMember_withServiceAccountAndIAMCondition_update(datasetID, wifIDs),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_bigquery_dataset_iam_member.access", "condition.0.title", condTitle2040),
+					resource.TestCheckResourceAttr("google_bigquery_dataset_iam_member.access", "condition.0.expression", condExpr2040),
+					resource.TestCheckResourceAttr("google_bigquery_dataset_iam_member.access", "condition.0.description", ""),
+				),
+			},
+		},
+	})
+}
+
 func TestAccBigqueryDatasetIamMember_iamMember(t *testing.T) {
 	t.Parallel()
 
@@ -405,3 +444,50 @@ resource "google_bigquery_dataset_iam_member" "access" {
 }
 `, datasetID, serviceAccountEmail)
 }
+
+func testAccBigqueryDatasetIamMember_withServiceAccountAndIAMCondition(datasetID, serviceAccountID string) string {
+	return fmt.Sprintf(`
+resource "google_bigquery_dataset" "dataset" {
+  dataset_id = "%s"
+}
+
+resource "google_service_account" "sa" {
+  account_id = "%s"
+}
+
+resource "google_bigquery_dataset_iam_member" "access" {
+  dataset_id = google_bigquery_dataset.dataset.dataset_id
+  role       = "roles/bigquery.dataViewer"
+  member     = "serviceAccount:${google_service_account.sa.email}"
+
+  condition {
+    title       = "%s"
+    description = "%s"
+    expression  = "%s"
+  }
+}
+`, datasetID, serviceAccountID, condTitle2050, condDesc2050, condExpr2050)
+}
+
+func testAccBigqueryDatasetIamMember_withServiceAccountAndIAMCondition_update(datasetID, serviceAccountID string) string {
+	return fmt.Sprintf(`
+resource "google_bigquery_dataset" "dataset" {
+  dataset_id = "%s"
+}
+
+resource "google_service_account" "sa" {
+  account_id = "%s"
+}
+
+resource "google_bigquery_dataset_iam_member" "access" {
+  dataset_id = google_bigquery_dataset.dataset.dataset_id
+  role       = "roles/bigquery.dataViewer"
+  member     = "serviceAccount:${google_service_account.sa.email}"
+
+  condition {
+    title       = "%s"
+    expression  = "%s"
+  }
+}
+`, datasetID, serviceAccountID, condTitle2040, condExpr2040)
+}