tgc-revival: get cai asset name for iam resources (#15492)

Author: zli82016

mmv1/third_party/terraform/acctest/resource_inventory_reader.go

@@ -30,6 +30,12 @@ var (
 	cachePopulated = false
 	// Mutex to protect cache access
 	cacheMutex sync.RWMutex
+
+	iamSuffixes = []string{
+		"_iam_member",
+		"_iam_binding",
+		"_iam_policy",
+	}
 )
 
 // PopulateMetadataCache walks through all metadata files once and populates
@@ -77,14 +83,25 @@ func PopulateMetadataCache() error {
 				return nil
 			}
 
+			iamResources := make([]string, 0)
+			for _, suffix := range iamSuffixes {
+				iamResources = append(iamResources, fmt.Sprintf("%s%s", metadata.Resource, suffix))
+			}
+
 			// Store API service name in cache
 			if metadata.ApiServiceName != "" {
 				ApiServiceNameCache.Set(metadata.Resource, metadata.ApiServiceName)
+				for _, iamResource := range iamResources {
+					ApiServiceNameCache.Set(iamResource, metadata.ApiServiceName)
+				}
 				apiNameCount++
 			}
 
 			if metadata.CaiAssetNameFormat != "" {
 				CaiAssetNameFormatCache.Set(metadata.Resource, metadata.CaiAssetNameFormat)
+				for _, iamResource := range iamResources {
+					CaiAssetNameFormatCache.Set(iamResource, metadata.CaiAssetNameFormat)
+				}
 			}
 
 			// Extract and store service package in cache
@@ -100,6 +117,9 @@ func PopulateMetadataCache() error {
 			if servicesIndex >= 0 && len(pathParts) > servicesIndex+1 {
 				servicePackage := pathParts[servicesIndex+1] // The part after "services"
 				ServicePackageCache.Set(metadata.Resource, servicePackage)
+				for _, iamResource := range iamResources {
+					ServicePackageCache.Set(iamResource, servicePackage)
+				}
 				servicePkgCount++
 			}
 		}

mmv1/third_party/terraform/acctest/tgc_utils.go

@@ -21,6 +21,7 @@ type ResourceMetadata struct {
 	ResourceAddress string         `json:"resource_address"`
 	ImportMetadata  ImportMetadata `json:"import_metadata,omitempty"`
 	Service         string         `json:"service"`
+	CaiContentType  string         `json:"cai_content_type,omitempty"`
 }
 
 type ImportMetadata struct {
@@ -83,6 +84,14 @@ func CollectAllTgcMetadata(tgcPayload TgcMetadataPayload) resource.TestCheckFunc
 
 		// Process each resource to get CAI asset names and resolve auto IDs
 		for address, metadata := range tgcPayload.ResourceMetadata {
+			// https://cloud.google.com/asset-inventory/docs/reference/rest/v1/feeds#ContentType
+			isIamResource := IsIamResource(metadata.ResourceType)
+			if isIamResource {
+				metadata.CaiContentType = "IAM_POLICY"
+			} else {
+				metadata.CaiContentType = "RESOURCE"
+			}
+
 			// If there is import metadata update our primary resource
 			if metadata.ImportMetadata.Id != "" {
 				tgcPayload.PrimaryResource = address
@@ -116,6 +125,10 @@ func CollectAllTgcMetadata(tgcPayload TgcMetadataPayload) resource.TestCheckFunc
 						rName = strings.Replace(rName, projectId, projectNumber, 1)
 					}
 
+					if isIamResource {
+						rName = getIamResourceId(metadata.ResourceType, rName)
+					}
+
 					metadata.CaiAssetNames = []string{fmt.Sprintf("//%s/%s", apiServiceName, rName)}
 				}
 			} else {
@@ -320,3 +333,26 @@ func extendWithTGCData(t *testing.T, c resource.TestCase) resource.TestCase {
 	c.Steps = updatedSteps
 	return c
 }
+
+// Gets IAM resource Id by removing the IAM role and member binding information from id
+// id "projects/local-mediator-361721/zones/us-central1-a/instances/tf-test-my-instancev8xqssrek2/roles/compute.osLogin/user:[email protected]"
+// will become "projects/local-mediator-361721/zones/us-central1-a/instances/tf-test-my-instancev8xqssrek2"
+func getIamResourceId(resourceType, id string) string {
+	parts := strings.Split(id, "/roles/")
+
+	if len(parts) > 0 {
+		return parts[0]
+	}
+
+	return id
+}
+
+// Checks if a resource is an IAM resource
+func IsIamResource(resourceType string) bool {
+	for _, suffix := range iamSuffixes {
+		if strings.HasSuffix(resourceType, suffix) {
+			return true
+		}
+	}
+	return false
+}