Add new resource OrganizationKajPolicyConfig (#15219)

Author: chengliwm

mmv1/products/kms/OrganizationKajPolicyConfig.yaml

@@ -0,0 +1,99 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'OrganizationKajPolicyConfig'
+api_resource_type_kind: KeyAccessJustificationsPolicyConfig
+api_variant_patterns:
+  - 'organizations/{{organization}}/kajPolicyConfig'
+description: |
+  `OrganizationKajPolicyConfig` is a organization-level singleton resource
+  used to configure the default KAJ policy of newly created key.
+
+  ~> **Note:** OrganizationKajPolicyConfig cannot be deleted from Google Cloud Platform.
+  Destroying a Terraform-managed OrganizationKajPolicyConfig will remove it from state but
+  *will not delete the resource from Google Cloud Platform.*
+min_version: 'beta'
+references:
+  guides:
+    'Set default Key Access Justifications policy': 'https://cloud.google.com/assured-workloads/key-access-justifications/docs/set-default-policy'
+  api: 'https://cloud.google.com/kms/docs/reference/rest/v1/KeyAccessJustificationsPolicyConfig'
+docs:
+id_format: 'organizations/{{organization}}/kajPolicyConfig'
+base_url: 'organizations/{{organization}}/kajPolicyConfig'
+self_link: 'organizations/{{organization}}/kajPolicyConfig'
+# This is a singleton resource that is already created, so create
+# is really an update, and therefore should be PATCHed.
+create_url: 'organizations/{{organization}}/kajPolicyConfig?updateMask=defaultKeyAccessJustificationPolicy'
+create_verb: 'PATCH'
+update_url: 'organizations/{{organization}}/kajPolicyConfig?updateMask=defaultKeyAccessJustificationPolicy'
+update_verb: 'PATCH'
+# This is a singleton resource that cannot be deleted.
+exclude_delete: true
+exclude_sweeper: true
+import_format:
+  - 'organizations/{{organization}}/kajPolicyConfig'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_code:
+  post_create: 'templates/terraform/post_create/sleep_1_min.go.tmpl'
+  post_update: 'templates/terraform/post_create/sleep_1_min.go.tmpl'
+examples:
+  - name: 'kms_organization_kaj_policy_config_basic'
+    primary_resource_id: "example"
+    min_version: 'beta'
+    test_env_vars:
+      org_id: 'ORG_ID'
+parameters:
+  - name: 'organization'
+    type: String
+    description: |
+      The organization number for which to retrieve config.
+    min_version: 'beta'
+    url_param_only: true
+    required: true
+    immutable: true
+properties:
+  - name: 'defaultKeyAccessJustificationPolicy'
+    type: NestedObject
+    description: |
+      The default key access justification policy used when a CryptoKey is
+      created in this organization. This is only used when a Key Access Justifications
+      policy is not provided in the CreateCryptoKeyRequest.
+    properties:
+      - name: 'allowedAccessReasons'
+        type: Array
+        description: |
+          A KeyAccessJustificationsPolicy specifies zero or more allowed
+          AccessReason values for encrypt, decrypt, and sign operations on a
+          CryptoKey.
+        item_type:
+          type: Enum
+          description: |
+            Describes the reason for a data access. Please refer to
+            https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+            for the detailed semantic meaning of justification reason codes.
+          enum_values:
+            - 'CUSTOMER_INITIATED_SUPPORT'
+            - 'GOOGLE_INITIATED_SERVICE'
+            - 'THIRD_PARTY_DATA_REQUEST'
+            - 'GOOGLE_INITIATED_REVIEW'
+            - 'CUSTOMER_INITIATED_ACCESS'
+            - 'GOOGLE_INITIATED_SYSTEM_OPERATION'
+            - 'REASON_NOT_EXPECTED'
+            - 'MODIFIED_CUSTOMER_INITIATED_ACCESS'
+            - 'MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION'
+            - 'GOOGLE_RESPONSE_TO_PRODUCTION_ALERT'
+            - 'CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING'

mmv1/templates/terraform/examples/kms_organization_kaj_policy_config_basic.tf.tmpl

@@ -0,0 +1,10 @@
+resource "google_kms_organization_kaj_policy_config" "{{$.PrimaryResourceId}}" {
+	provider 				= google-beta
+	organization 				= "{{index $.TestEnvVars "org_id"}}"
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+			"GOOGLE_INITIATED_SYSTEM_OPERATION",
+		]
+	}
+}

mmv1/templates/terraform/post_create/sleep_1_min.go.tmpl

@@ -0,0 +1,4 @@
+// This is useful if the resource in question doesn't have a perfectly consistent API
+// That is, the Operation for Create might return before the Get operation shows the
+// completed state of the resource.
+time.Sleep(1 * time.Minute)

mmv1/third_party/terraform/services/kms/resource_kms_organization_kaj_policy_config_test.go.tmpl

@@ -0,0 +1,84 @@
+package kms_test
+
+{{- if ne $.TargetVersionName "ga" }}
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccKMSOrganizationKajPolicyConfig_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+                        "time": {},
+                },
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKMSOrganizationKajPolicyConfig_basic(context),
+			},
+			{
+				ResourceName:            "google_kms_organization_kaj_policy_config.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"organization"},
+			},
+			{
+				Config: testAccKMSOrganizationKajPolicyConfig_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply:	[]plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_kms_organization_kaj_policy_config.example", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_kms_organization_kaj_policy_config.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"organization"},
+			},
+		},
+	})
+}
+
+func testAccKMSOrganizationKajPolicyConfig_basic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_kms_organization_kaj_policy_config" "example" {
+	provider 				= google-beta
+	organization 				= "%{org_id}"
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+			"GOOGLE_INITIATED_SYSTEM_OPERATION",
+		]
+	}
+}
+`, context)
+}
+
+func testAccKMSOrganizationKajPolicyConfig_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_kms_organization_kaj_policy_config" "example" {
+	provider 				= google-beta
+	organization 				= "%{org_id}"
+	default_key_access_justification_policy {
+		allowed_access_reasons = [
+			"CUSTOMER_INITIATED_ACCESS",
+		]
+	}
+}
+`, context)
+}
+{{- end }}