Added IAM support for the IcebergCatalog resource. (#15950)

nika-qubit · Ning Kang · web-flow · commit 9e84eab93b21 · 2025-12-23T17:40:14.000Z
Co-authored-by: Ning Kang &lt;ningk@google.com&gt;
diff --git a/mmv1/products/biglakeiceberg/IcebergCatalog.yaml b/mmv1/products/biglakeiceberg/IcebergCatalog.yaml
@@ -18,18 +18,38 @@ description: |
 references:
   guides:
     'Use the BigLake metastore Iceberg REST catalog': 'https://docs.cloud.google.com/biglake/docs/blms-rest-catalog'
-base_url: 'restcatalog/extensions/projects/{{project}}/catalogs'
-self_link: 'restcatalog/extensions/projects/{{project}}/catalogs/{{name}}'
+docs:
+  warning: |
+    If you are using User ADCs (Application Default Credentials) with this resource's IAM,
+    you must specify a `billing_project` and set `user_project_override` to true
+    in the provider configuration. Otherwise the IAM API will return 403s.
+    Your account must have the `serviceusage.services.use` permission on the
+    `billing_project` you defined.
+supports_indirect_user_project_override: true
+base_url: 'iceberg/v1/restcatalog/extensions/projects/{{project}}/catalogs'
+self_link: 'iceberg/v1/restcatalog/extensions/projects/{{project}}/catalogs/{{name}}'
 immutable: false
-create_url: 'restcatalog/extensions/projects/{{project}}/catalogs?iceberg-catalog-id={{name}}'
+create_url: 'iceberg/v1/restcatalog/extensions/projects/{{project}}/catalogs?iceberg-catalog-id={{name}}'
 custom_code:
   custom_update:
     templates/terraform/custom_update/biglake_iceberg_catalog_update.go.tmpl
+iam_policy:
+  base_url: 'v1/projects/{{project}}/catalogs/{{name}}'
+  parent_resource_attribute: 'name'
+  method_name_separator: ":"
+  fetch_iam_policy_verb: 'GET'
+  import_format:
+    - 'projects/{{project}}/catalogs/{{name}}'
+    - '{{name}}'
+  allowed_iam_role: 'roles/biglake.editor'
 examples:
   - name: 'biglake_iceberg_catalog'
     primary_resource_id: 'my_iceberg_catalog'
     vars:
       name: 'my_iceberg_catalog'
+    test_env_vars:
+      GOOGLE_BILLING_PROJECT: 'PROJECT'
+      USER_PROJECT_OVERRIDE: 'true'
 parameters:
   - name: 'name'
     type: String
diff --git a/mmv1/products/biglakeiceberg/product.yaml b/mmv1/products/biglakeiceberg/product.yaml
@@ -17,7 +17,7 @@ legacy_name: 'biglake'
 display_name: 'Biglake'
 versions:
   - name: 'ga'
-    base_url: 'https://biglake.googleapis.com/iceberg/v1/'
+    base_url: 'https://biglake.googleapis.com/'
 scopes:
   - 'https://www.googleapis.com/auth/bigquery'
   - 'https://www.googleapis.com/auth/cloud-platform'
diff --git a/mmv1/templates/terraform/custom_update/biglake_iceberg_catalog_update.go.tmpl b/mmv1/templates/terraform/custom_update/biglake_iceberg_catalog_update.go.tmpl
@@ -19,7 +19,7 @@ if err != nil {
   obj["credential-mode"] = credentialModeProp
 }
 
-url, err := tpgresource.ReplaceVars(d, config, "{{"{{"}}BiglakeIcebergBasePath{{"}}"}}restcatalog/extensions/projects/{{"{{"}}project{{"}}"}}/catalogs/{{"{{"}}name{{"}}"}}")
+url, err := tpgresource.ReplaceVars(d, config, "{{"{{"}}BiglakeIcebergBasePath{{"}}"}}iceberg/v1/restcatalog/extensions/projects/{{"{{"}}project{{"}}"}}/catalogs/{{"{{"}}name{{"}}"}}")
 if err != nil {
   return err
 }
diff --git a/mmv1/third_party/tgc/resource_converters.go.tmpl b/mmv1/third_party/tgc/resource_converters.go.tmpl
@@ -36,6 +36,7 @@ import (
     "github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/appengine"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/artifactregistry"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/beyondcorp"
+	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/biglakeiceberg"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/bigquery"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/bigqueryanalyticshub"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/tfplan2cai/converters/google/resources/services/bigqueryconnection"

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ if err != nil {`
`19`	`19`	`obj["credential-mode"] = credentialModeProp`
`20`	`20`	`}`
`21`	`21`
`22`		`-url, err := tpgresource.ReplaceVars(d, config, "{{"{{"}}BiglakeIcebergBasePath{{"}}"}}restcatalog/extensions/projects/{{"{{"}}project{{"}}"}}/catalogs/{{"{{"}}name{{"}}"}}")`
	`22`	`+url, err := tpgresource.ReplaceVars(d, config, "{{"{{"}}BiglakeIcebergBasePath{{"}}"}}iceberg/v1/restcatalog/extensions/projects/{{"{{"}}project{{"}}"}}/catalogs/{{"{{"}}name{{"}}"}}")`
`23`	`23`	`if err != nil {`
`24`	`24`	`return err`
`25`	`25`	`}`