Terraform integration for adding output only RoleBinding ID to entitlement resource (#14218)

ankitprsad99 · web-flow · commit f3d23903ca4d · 2025-09-18T18:55:49.000Z
diff --git a/mmv1/products/privilegedaccessmanager/Entitlement.yaml b/mmv1/products/privilegedaccessmanager/Entitlement.yaml
@@ -225,6 +225,12 @@ properties:
                   description: |
                     The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request.
                     https://cloud.google.com/iam/docs/conditions-overview#attributes.
+                - name: 'id'
+                  type: String
+                  description: |
+                    Output Only. The ID corresponding to this role binding in the policy binding. This will be unique within an entitlement across time. Gets re-generated each time the entitlement is updated.
+                  min_version: beta
+                  output: true
   - name: 'maxRequestDuration'
     type: String
     description: |
diff --git a/mmv1/third_party/terraform/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_test.go.tmpl b/mmv1/third_party/terraform/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_test.go.tmpl
@@ -44,6 +44,79 @@ func TestAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlemen
 	})
 }
 
+{{ if ne $.TargetVersionName `ga` -}}
+func TestAccPrivilegedAccessManagerEntitlement_roleBindingId_beta(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+		"project_name":  envvar.GetTestProjectFromEnv(),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckPrivilegedAccessManagerEntitlementDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlementBasicExample_basic_beta(context),
+				Check: resource.ComposeTestCheckFunc(
+					// Checks the output-only role binding id field
+					resource.TestCheckResourceAttrSet(
+						"google_privileged_access_manager_entitlement.tfentitlement",
+						"privileged_access.0.gcp_iam_access.0.role_bindings.0.id",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlementBasicExample_basic_beta(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_privileged_access_manager_entitlement" "tfentitlement" {
+    provider =  google-beta
+    entitlement_id = "tf-test-example-entitlement%{random_suffix}"
+    location = "global"
+    max_request_duration = "43200s"
+    parent = "projects/%{project_name}"
+    requester_justification_config {
+      unstructured{}
+    }
+    eligible_users {
+      principals = ["group:test@google.com"]
+    }
+    privileged_access{
+      gcp_iam_access{
+        role_bindings{
+          role = "roles/storage.admin"
+          condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
+        }
+        resource = "//cloudresourcemanager.googleapis.com/projects/%{project_name}"
+        resource_type = "cloudresourcemanager.googleapis.com/Project"
+      }
+    }
+    additional_notification_targets {
+      admin_email_recipients     = ["user@example.com"]
+      requester_email_recipients = ["user@example.com"]
+    }
+    approval_workflow {
+    manual_approvals {
+      require_approver_justification = true
+      steps {
+        approvals_needed          = 1
+          approver_email_recipients = ["user@example.com"]
+          approvers {
+            principals = ["group:test@google.com"]
+        }
+      }
+    }
+  }
+}
+`, context)
+}
+{{- end }}
+
 func testAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlementBasicExample_basic(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_privileged_access_manager_entitlement" "tfentitlement" {
