Add new resource FolderKajPolicyConfig (#15228)

Co-authored-by: Cameron Thornton <[email protected]>

Author: chengliwm

mmv1/products/kms/FolderKajPolicyConfig.yaml

@@ -0,0 +1,105 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'FolderKajPolicyConfig'
+api_resource_type_kind: KeyAccessJustificationsPolicyConfig
+api_variant_patterns:
+  - 'folders/{{folder}}/kajPolicyConfig'
+description: |
+  `FolderKajPolicyConfigs` is a folder-level singleton resource
+  used to configure the default KAJ policy of newly created key.
+
+  ~> **Note:** FolderKajPolicyConfigs cannot be deleted from Google Cloud Platform.
+  Destroying a Terraform-managed FolderKajPolicyConfigs will remove it from state but
+  *will not delete the resource from Google Cloud Platform.*
+min_version: 'beta'
+references:
+  guides:
+    'Set default Key Access Justifications policy': 'https://cloud.google.com/assured-workloads/key-access-justifications/docs/set-default-policy'
+  api: 'https://cloud.google.com/kms/docs/reference/rest/v1/KeyAccessJustificationsPolicyConfig'
+docs:
+id_format: 'folders/{{folder}}/kajPolicyConfig'
+base_url: 'folders/{{folder}}/kajPolicyConfig'
+self_link: 'folders/{{folder}}/kajPolicyConfig'
+# This is a singleton resource that is already created, so create
+# is really an update, and therefore should be PATCHed.
+create_url: 'folders/{{folder}}/kajPolicyConfig?updateMask=defaultKeyAccessJustificationPolicy'
+create_verb: 'PATCH'
+update_url: 'folders/{{folder}}/kajPolicyConfig?updateMask=defaultKeyAccessJustificationPolicy'
+update_verb: 'PATCH'
+# This is a singleton resource that cannot be deleted.
+exclude_delete: true
+exclude_sweeper: true
+import_format:
+  - 'folders/{{folder}}/kajPolicyConfig'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_code:
+  post_create: 'templates/terraform/post_create/sleep_1_min.go.tmpl'
+  post_update: 'templates/terraform/post_create/sleep_1_min.go.tmpl'
+examples:
+  - name: 'kms_folder_kaj_policy_config_basic'
+    # random external provider
+    skip_vcr: true
+    primary_resource_id: "example"
+    min_version: 'beta'
+    vars:
+      folder_name: 'my-folder'
+    test_env_vars:
+      org_id: 'ORG_ID'
+      billing_account: 'BILLING_ACCT'
+    external_providers: ["random", "time"]
+parameters:
+  - name: 'folder'
+    type: String
+    description: |
+      The numeric folder number for which to retrieve config.
+    min_version: 'beta'
+    url_param_only: true
+    required: true
+    immutable: true
+properties:
+  - name: 'defaultKeyAccessJustificationPolicy'
+    type: NestedObject
+    description: |
+      The default key access justification policy used when a CryptoKey is
+      created in this folder. This is only used when a Key Access Justifications
+      policy is not provided in the CreateCryptoKeyRequest.
+    properties:
+      - name: 'allowedAccessReasons'
+        type: Array
+        description: |
+          A KeyAccessJustificationsPolicy specifies zero or more allowed
+          AccessReason values for encrypt, decrypt, and sign operations on a
+          CryptoKey.
+        item_type:
+          type: Enum
+          description: |
+            Describes the reason for a data access. Please refer to
+            https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+            for the detailed semantic meaning of justification reason codes.
+          enum_values:
+            - 'CUSTOMER_INITIATED_SUPPORT'
+            - 'GOOGLE_INITIATED_SERVICE'
+            - 'THIRD_PARTY_DATA_REQUEST'
+            - 'GOOGLE_INITIATED_REVIEW'
+            - 'CUSTOMER_INITIATED_ACCESS'
+            - 'GOOGLE_INITIATED_SYSTEM_OPERATION'
+            - 'REASON_NOT_EXPECTED'
+            - 'MODIFIED_CUSTOMER_INITIATED_ACCESS'
+            - 'MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION'
+            - 'GOOGLE_RESPONSE_TO_PRODUCTION_ALERT'
+            - 'CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING'

mmv1/templates/terraform/examples/kms_folder_kaj_policy_config_basic.tf.tmpl

@@ -0,0 +1,48 @@
+# Create Folder in GCP Organization.
+resource "google_folder" "kaj_folder" {
+	provider     = google-beta
+	display_name = "{{index $.Vars "folder_name"}}"
+	parent       = "organizations/{{index $.TestEnvVars "org_id"}}"
+	deletion_protection = false
+}
+
+resource "random_id" "project_suffix" {
+  byte_length = 4
+}
+
+# Create a project for enabling KMS API.
+resource "google_project" "kms_project" {
+  provider        = google-beta
+  project_id      = "kms-api-project${random_id.project_suffix.hex}"
+  name            = "kms-api-project${random_id.project_suffix.hex}"
+  folder_id       = google_folder.kaj_folder.folder_id
+  billing_account = "{{index $.TestEnvVars "billing_account"}}"
+  depends_on      = [google_folder.kaj_folder]
+  deletion_policy = "DELETE"
+}
+
+# Enable the Cloud KMS API.
+resource "google_project_service" "kms_api_service" {
+  provider                   = google-beta
+  service                    = "cloudkms.googleapis.com"
+  project                    = google_project.kms_project.project_id
+  disable_dependent_services = true
+  depends_on                 = [google_project.kms_project]
+}
+
+resource "time_sleep" "wait_enable_service_api" {
+	depends_on	= [google_project_service.kms_api_service]
+	create_duration	= "30s"
+}
+# Update folder level KAJ default policy
+resource "google_kms_folder_kaj_policy_config" "{{$.PrimaryResourceId}}" {
+	provider 				= google-beta
+	folder 					= google_folder.kaj_folder.folder_id
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+			"GOOGLE_INITIATED_SYSTEM_OPERATION",
+		]
+	}
+	depends_on      = [time_sleep.wait_enable_service_api]
+}

mmv1/third_party/terraform/services/kms/resource_kms_folder_kaj_policy_config_test.go.tmpl

@@ -0,0 +1,163 @@
+package kms_test
+
+{{- if ne $.TargetVersionName "ga" }}
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccKMSFolderKajPolicyConfig_update(t *testing.T) {
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"random": {},
+			"time":   {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKMSFolderKajPolicyConfig_basic(context),
+			},
+			{
+				ResourceName:            "google_kms_folder_kaj_policy_config.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"folder"},
+			},
+			{
+				Config: testAccKMSFolderKajPolicyConfig_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply:	[]plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_kms_folder_kaj_policy_config.example", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_kms_folder_kaj_policy_config.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"folder"},
+			},
+		},
+	})
+}
+
+func testAccKMSFolderKajPolicyConfig_basic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+# Create Folder in GCP Organization.
+resource "google_folder" "kaj_folder" {
+	provider     = google-beta
+	display_name = "tf-test-my-folder%{random_suffix}"
+	parent       = "organizations/%{org_id}"
+	deletion_protection = false
+}
+
+resource "random_id" "project_suffix" {
+  byte_length = 4
+}
+
+# Create a project for enabling KMS API.
+resource "google_project" "kms_project" {
+  provider        = google-beta
+  project_id      = "kms-api-project${random_id.project_suffix.hex}"
+  name            = "kms-api-project${random_id.project_suffix.hex}"
+  folder_id       = google_folder.kaj_folder.folder_id
+  billing_account = "%{billing_account}"
+  depends_on      = [google_folder.kaj_folder]
+  deletion_policy = "DELETE"
+}
+
+# Enable the Cloud KMS API.
+resource "google_project_service" "kms_api_service" {
+  provider                   = google-beta
+  service                    = "cloudkms.googleapis.com"
+  project                    = google_project.kms_project.project_id
+  disable_dependent_services = true
+  depends_on                 = [google_project.kms_project]
+}
+
+resource "time_sleep" "wait_enable_service_api" {
+	depends_on	= [google_project_service.kms_api_service]
+	create_duration	= "30s"
+}
+# Update folder level KAJ default policy
+resource "google_kms_folder_kaj_policy_config" "example" {
+	provider 				= google-beta
+	folder 					= google_folder.kaj_folder.folder_id
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+			"GOOGLE_INITIATED_SYSTEM_OPERATION",
+		]
+	}
+	depends_on      = [time_sleep.wait_enable_service_api]
+}
+`, context)
+}
+
+func testAccKMSFolderKajPolicyConfig_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+# Create Folder in GCP Organization.
+resource "google_folder" "kaj_folder" {
+	provider     = google-beta
+	display_name = "tf-test-my-folder%{random_suffix}"
+	parent       = "organizations/%{org_id}"
+	deletion_protection = false
+}
+
+resource "random_id" "project_suffix" {
+  byte_length = 4
+}
+
+# Create a project for enabling KMS API.
+resource "google_project" "kms_project" {
+  provider        = google-beta
+  project_id      = "kms-api-project${random_id.project_suffix.hex}"
+  name            = "kms-api-project${random_id.project_suffix.hex}"
+  folder_id       = google_folder.kaj_folder.folder_id
+  billing_account = "%{billing_account}"
+  depends_on      = [google_folder.kaj_folder]
+  deletion_policy = "DELETE"
+}
+
+# Enable the Cloud KMS API.
+resource "google_project_service" "kms_api_service" {
+  provider                   = google-beta
+  service                    = "cloudkms.googleapis.com"
+  project                    = google_project.kms_project.project_id
+  disable_dependent_services = true
+  depends_on                 = [google_project.kms_project]
+}
+
+resource "time_sleep" "wait_enable_service_api" {
+	depends_on	= [google_project_service.kms_api_service]
+	create_duration	= "30s"
+}
+# Update folder level KAJ default policy
+resource "google_kms_folder_kaj_policy_config" "example" {
+	provider 				= google-beta
+	folder 					= google_folder.kaj_folder.folder_id
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+		]
+	}
+	depends_on      = [time_sleep.wait_enable_service_api]
+}
+`, context)
+}
+{{- end }}