Sync main nov 24 feature branch resource identity (#15803)

Author: BBBmau

.ci/infra/terraform/README.md

@@ -48,9 +48,10 @@ After applying this configuration:
 - Enroll in Cloud Armor Managed Protection Plus tier
 - Add Cloud Identity Premium Plan to the Google Workspace domain
 - Perform the Privileged Access Manager set-up https://pantheon.corp.google.com/iam-admin/pam/setup
-- (Org only) Enroll the org in the Premium tier of Security Control Center
 - Upload a model with the name `tf-static-1` to the Vertex AI model registry
   - This should only be necessary until uploading new models is supported in the provider.
+- (Org only) Enroll the org in the Premium tier of Security Control Center
+- (Org only) Enable Compliance Manager https://cloud.google.com/security-command-center/docs/compliance-manager-enable
 
 Quotas that will need to be adjusted to support all tests:
 - Project quota for the new service account

.ci/infra/terraform/main.tf

@@ -249,6 +249,7 @@ module "project-services" {
     "cloudquotas.googleapis.com",
     "cloudresourcemanager.googleapis.com",
     "cloudscheduler.googleapis.com",
+    "cloudsecuritycompliance.googleapis.com",
     "cloudtasks.googleapis.com",
     "cloudtrace.googleapis.com",
     "composer.googleapis.com",

.ci/magician/cmd/create_test_failure_ticket.go

@@ -523,10 +523,23 @@ func init() {
 var (
 	// TODO: add all mismatch resource names
 	resourceNameConverter = map[string]string{
-		"google_iam3_projects_policy_binding":        "google_iam_projects_policy_binding",
-		"google_iam3_organizations_policy_binding":   "google_iam_organizations_policy_binding",
-		"google_cloud_backup_dr_data_source":         "google_backup_dr_data_source",
-		"google_cloud_backup_dr_backup":              "google_backup_dr_backup",
-		"google_security_posture_posture_deployment": "google_securityposture_posture_deployment",
+		"google_iam3_projects_policy_binding":             "google_iam_projects_policy_binding",
+		"google_iam3_organizations_policy_binding":        "google_iam_organizations_policy_binding",
+		"google_cloud_backup_dr_data_source":              "google_backup_dr_data_source",
+		"google_cloud_backup_dr_backup":                   "google_backup_dr_backup",
+		"google_security_posture_posture_deployment":      "google_securityposture_posture_deployment",
+		"google_container_cluster_custom_service_account": "google_container_cluster",
+		"iap_client":                                                      "google_iap_client",
+		"compute_node_types":                                              "google_compute_node_types",
+		"google_big_query_table":                                          "google_bigquery_table",
+		"google_sql_user_fw":                                              "google_fw_sql_user",
+		"google_resource_fw_pubsub_lite_reservation":                      "google_fwprovider_pubsub_lite_reservation",
+		"google_compute_router_bgp_peer":                                  "google_compute_router_peer",
+		"google_resource_manager3_capability":                             "google_resource_manager_capability",
+		"google_datafusion_instance":                                      "google_data_fusion_instance",
+		"google_iam_beta_workload_identity_pool_iam_policy":               "google_iam_workload_identity_pool_iam_policy",
+		"google_resource_google_project_default_service_accounts_disable": "google_project_default_service_accounts",
+		"google_datasource_google_service_networking_peered_dns_domain":   "google_service_networking_peered_dns_domain",
+		"google_resource_google_project_default_service_accounts_delete":  "google_project_default_service_accounts",
 	}
 )

.ci/magician/cmd/parse_comment.go

@@ -0,0 +1,127 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+
+	"magician/github"
+
+	"github.com/spf13/cobra"
+)
+
+// This regex captures the entire line starting with @modular-magician
+// Example: "@modular-magician reassign-reviewer user1" or "@modular-magician assign review @user2"
+var magicianInvocationRegex = regexp.MustCompile(`@modular-magician\s+([^\n\r]+)`)
+
+// Command patterns for reassign-reviewer with flexible syntax
+// Supports: assign-reviewer, reassign-reviewer, assign reviewer, reassign review, etc.
+// Captures only valid GitHub usernames: [a-zA-Z0-9-_]
+var reassignReviewerRegex = regexp.MustCompile(`^(?:re)?assign[- ]?review(?:er)?\s*@?([a-zA-Z0-9-_]*)`)
+
+var parseCommentCmd = &cobra.Command{
+	Use:   "parse-comment PR_NUMBER COMMENT_AUTHOR",
+	Short: "Parses a comment from the COMMENT_BODY env var to execute magician commands",
+	Long: `This command parses GitHub PR comments for @modular-magician invocations.
+	
+	It supports flexible command syntax including:
+	- Commands with hyphens: reassign-reviewer
+	- Commands with spaces: reassign reviewer
+	- Optional prefixes and suffixes: assign-review, reassign-reviewer
+	- Optional @ prefix for usernames
+	
+	The command expects the comment body to be provided in the COMMENT_BODY environment variable and also requires:
+	1. PR_NUMBER - The pull request number
+	2. COMMENT_AUTHOR - The GitHub username who made the comment`,
+	Args: cobra.ExactArgs(2),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		prNumber := args[0]
+		author := args[1]
+
+		githubToken, ok := os.LookupEnv("GITHUB_TOKEN")
+		if !ok {
+			return fmt.Errorf("did not provide GITHUB_TOKEN environment variable")
+		}
+		gh := github.NewClient(githubToken)
+
+		if gh.GetUserType(author) != github.CoreContributorUserType {
+			return fmt.Errorf("comment author %s is not a core contributor", author)
+		}
+
+		comment, ok := os.LookupEnv("COMMENT_BODY")
+		if !ok {
+			return fmt.Errorf("did not provide COMMENT_BODY environment variable")
+		}
+		if comment == "" {
+			fmt.Println("COMMENT_BODY is empty. Ignoring.")
+			return nil
+		}
+
+		return execParseComment(prNumber, comment, gh)
+	},
+}
+
+// execParseComment is the main router that finds and executes the first command
+func execParseComment(prNumber, comment string, gh GithubClient) error {
+	// Find the first @modular-magician invocation in the comment
+	match := magicianInvocationRegex.FindStringSubmatch(comment)
+
+	if match == nil {
+		fmt.Println("No @modular-magician invocation found. Ignoring comment.")
+		return nil
+	}
+
+	if len(match) < 2 {
+		fmt.Printf("Invalid match structure. Ignoring.\n")
+		return nil
+	}
+
+	commandLine := strings.TrimSpace(match[1])
+	if commandLine == "" {
+		fmt.Printf("Empty command after @modular-magician. Ignoring.\n")
+		return nil
+	}
+
+	fmt.Printf("Processing command: %q\n", commandLine)
+
+	// Route to appropriate handler based on command pattern
+	return routeCommand(prNumber, commandLine, gh)
+}
+
+// routeCommand determines which command handler to call based on the command pattern
+func routeCommand(prNumber, commandLine string, gh GithubClient) error {
+	// Check for reassign-reviewer command variants
+	if matches := reassignReviewerRegex.FindStringSubmatch(commandLine); matches != nil {
+		reviewer := strings.TrimSpace(matches[1])
+		return handleReassignReviewer(prNumber, reviewer, gh)
+	}
+
+	// Add more command patterns here as needed
+	// Example for future commands:
+	// if matches := cherryPickRegex.FindStringSubmatch(commandLine); matches != nil {
+	//     return handleCherryPick(prNumber, matches[1:], gh)
+	// }
+
+	fmt.Printf("Unknown command format: %q\n", commandLine)
+	return nil
+}
+
+// handleReassignReviewer processes the reassign-reviewer command
+func handleReassignReviewer(prNumber, reviewer string, gh GithubClient) error {
+	// The regex already extracted just the username without @
+	// and only allows valid GitHub username characters [a-zA-Z0-9-_]
+
+	fmt.Printf("Reassigning reviewer for PR #%s", prNumber)
+	if reviewer != "" {
+		fmt.Printf(" to @%s", reviewer)
+	} else {
+		fmt.Printf(" (selecting random reviewer)")
+	}
+	fmt.Println()
+	return execReassignReviewer(prNumber, reviewer, gh)
+}
+
+func init() {
+	rootCmd.AddCommand(parseCommentCmd)
+}