Terraform integration for adding output only RoleBinding ID to entitlement resource (#14218) (#10743)

modular-magician · web-flow · commit 0003f63f115a · 2025-09-18T12:18:48.000-07:00
[upstream:f3d23903ca4d8a4b2eb104a8f9294946ddf71af3]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/14218.txt b/.changelog/14218.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+privilegedaccessmanager: added  RoleBinding `id` field to `google_privileged_access_manager_entitlement` resource
+```
diff --git a/google-beta/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement.go b/google-beta/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement.go
@@ -164,6 +164,11 @@ Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours =
 													Description: `The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request.
 https://cloud.google.com/iam/docs/conditions-overview#attributes.`,
 												},
+												"id": {
+													Type:        schema.TypeString,
+													Computed:    true,
+													Description: `Output Only. The ID corresponding to this role binding in the policy binding. This will be unique within an entitlement across time. Gets re-generated each time the entitlement is updated.`,
+												},
 											},
 										},
 									},
@@ -909,6 +914,7 @@ func flattenPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBi
 		transformed = append(transformed, map[string]interface{}{
 			"role":                 flattenPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBindingsRole(original["role"], d, config),
 			"condition_expression": flattenPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBindingsConditionExpression(original["conditionExpression"], d, config),
+			"id":                   flattenPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBindingsId(original["id"], d, config),
 		})
 	}
 	return transformed
@@ -921,6 +927,10 @@ func flattenPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBi
 	return v
 }
 
+func flattenPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBindingsId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenPrivilegedAccessManagerEntitlementMaxRequestDuration(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1219,6 +1229,13 @@ func expandPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBin
 			transformed["conditionExpression"] = transformedConditionExpression
 		}
 
+		transformedId, err := expandPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBindingsId(original["id"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedId); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["id"] = transformedId
+		}
+
 		req = append(req, transformed)
 	}
 	return req, nil
@@ -1232,6 +1249,10 @@ func expandPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBin
 	return v, nil
 }
 
+func expandPrivilegedAccessManagerEntitlementPrivilegedAccessGcpIamAccessRoleBindingsId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandPrivilegedAccessManagerEntitlementMaxRequestDuration(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
diff --git a/google-beta/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_generated_meta.yaml b/google-beta/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_generated_meta.yaml
@@ -29,6 +29,7 @@ fields:
   - field: 'privileged_access.gcp_iam_access.resource'
   - field: 'privileged_access.gcp_iam_access.resource_type'
   - field: 'privileged_access.gcp_iam_access.role_bindings.condition_expression'
+  - field: 'privileged_access.gcp_iam_access.role_bindings.id'
   - field: 'privileged_access.gcp_iam_access.role_bindings.role'
   - field: 'requester_justification_config.not_mandatory'
   - field: 'requester_justification_config.unstructured'
diff --git a/google-beta/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_test.go b/google-beta/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_test.go
@@ -8,7 +8,7 @@
 //
 //	This code is generated by Magic Modules using the following:
 //
-//	Source file: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/third_party/terraform/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_test.go
+//	Source file: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/third_party/terraform/services/privilegedaccessmanager/resource_privileged_access_manager_entitlement_test.go.tmpl
 //
 //	DO NOT EDIT this file directly. Any changes made to this file will be
 //	overwritten during the next generation cycle.
@@ -60,6 +60,77 @@ func TestAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlemen
 	})
 }
 
+func TestAccPrivilegedAccessManagerEntitlement_roleBindingId_beta(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+		"project_name":  envvar.GetTestProjectFromEnv(),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckPrivilegedAccessManagerEntitlementDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlementBasicExample_basic_beta(context),
+				Check: resource.ComposeTestCheckFunc(
+					// Checks the output-only role binding id field
+					resource.TestCheckResourceAttrSet(
+						"google_privileged_access_manager_entitlement.tfentitlement",
+						"privileged_access.0.gcp_iam_access.0.role_bindings.0.id",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlementBasicExample_basic_beta(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_privileged_access_manager_entitlement" "tfentitlement" {
+    provider =  google-beta
+    entitlement_id = "tf-test-example-entitlement%{random_suffix}"
+    location = "global"
+    max_request_duration = "43200s"
+    parent = "projects/%{project_name}"
+    requester_justification_config {
+      unstructured{}
+    }
+    eligible_users {
+      principals = ["group:test@google.com"]
+    }
+    privileged_access{
+      gcp_iam_access{
+        role_bindings{
+          role = "roles/storage.admin"
+          condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
+        }
+        resource = "//cloudresourcemanager.googleapis.com/projects/%{project_name}"
+        resource_type = "cloudresourcemanager.googleapis.com/Project"
+      }
+    }
+    additional_notification_targets {
+      admin_email_recipients     = ["user@example.com"]
+      requester_email_recipients = ["user@example.com"]
+    }
+    approval_workflow {
+    manual_approvals {
+      require_approver_justification = true
+      steps {
+        approvals_needed          = 1
+          approver_email_recipients = ["user@example.com"]
+          approvers {
+            principals = ["group:test@google.com"]
+        }
+      }
+    }
+  }
+}
+`, context)
+}
+
 func testAccPrivilegedAccessManagerEntitlement_privilegedAccessManagerEntitlementBasicExample_basic(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_privileged_access_manager_entitlement" "tfentitlement" {
diff --git a/website/docs/r/privileged_access_manager_entitlement.html.markdown b/website/docs/r/privileged_access_manager_entitlement.html.markdown
@@ -180,6 +180,10 @@ The following arguments are supported:
   The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request.
   https://cloud.google.com/iam/docs/conditions-overview#attributes.
 
+* `id` -
+  (Output, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+  Output Only. The ID corresponding to this role binding in the policy binding. This will be unique within an entitlement across time. Gets re-generated each time the entitlement is updated.
+
 <a name="nested_requester_justification_config"></a>The `requester_justification_config` block supports:
 
 * `not_mandatory` -

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+privilegedaccessmanager: added RoleBinding `id` field to `google_privileged_access_manager_entitlement` resource
	`3`	+```