Add "consumerAcceptList" and "serviceAttachment" to ApigeeInstance. (#5862) (#4260)

* Add support IAM policy for the Environment of Apigee X

* Add support IAM policy for the Environment of Apigee X

* Add support IAM policy for the Environment of Apigee X

* Add support IAM policy for the Environment of Apigee X

* Revert all changes to test files.

* Revert all changes to test files.

* Revert all changes to test files.

* Add primary_resource_name to fix tests.

* Update iam_attributes.tf.erb to honor skip_test.

* Don't reject skip_tests when example is nil.

* Update mmv1/products/apigee/api.yaml

Co-authored-by: Stephen Lewis (Burrows) <[email protected]>

* Fix primary_resource_name for apigee organization name.

* Add "consumerAcceptList" and "serviceAttachment" to ApigeeInstance.

* Fix new test

* Add tests

Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: Stephen Lewis (Burrows) <[email protected]>

Author: modular-magician

.changelog/5862.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+Add "consumerAcceptList" and "serviceAttachment" to ApigeeInstance.
+```

google-beta/resource_apigee_instance.go

@@ -59,6 +59,19 @@ func resourceApigeeInstance() *schema.Resource {
 				Description: `The Apigee Organization associated with the Apigee instance,
 in the format 'organizations/{{org_name}}'.`,
 			},
+			"consumer_accept_list": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Optional: true,
+				ForceNew: true,
+				Description: `Optional. Customer accept list represents the list of projects (id/number) on customer
+side that can privately connect to the service attachment. It is an optional field
+which the customers can provide during the instance creation. By default, the customer
+project associated with the Apigee organization will be included to the list.`,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"description": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -108,6 +121,13 @@ see [CidrRange](https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/
 				Computed:    true,
 				Description: `Output only. Port number of the exposed Apigee endpoint.`,
 			},
+			"service_attachment": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Description: `Output only. Resource name of the service attachment created for the instance in
+the format: projects/*/regions/*/serviceAttachments/* Apigee customers can privately
+forward traffic to this service attachment using the PSC endpoints.`,
+			},
 		},
 		UseJSONNumber: true,
 	}
@@ -163,6 +183,12 @@ func resourceApigeeInstanceCreate(d *schema.ResourceData, meta interface{}) erro
 	} else if v, ok := d.GetOkExists("disk_encryption_key_name"); !isEmptyValue(reflect.ValueOf(diskEncryptionKeyNameProp)) && (ok || !reflect.DeepEqual(v, diskEncryptionKeyNameProp)) {
 		obj["diskEncryptionKeyName"] = diskEncryptionKeyNameProp
 	}
+	consumerAcceptListProp, err := expandApigeeInstanceConsumerAcceptList(d.Get("consumer_accept_list"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("consumer_accept_list"); !isEmptyValue(reflect.ValueOf(consumerAcceptListProp)) && (ok || !reflect.DeepEqual(v, consumerAcceptListProp)) {
+		obj["consumerAcceptList"] = consumerAcceptListProp
+	}
 
 	lockName, err := replaceVars(d, config, "{{org_id}}/apigeeInstances")
 	if err != nil {
@@ -272,6 +298,12 @@ func resourceApigeeInstanceRead(d *schema.ResourceData, meta interface{}) error
 	if err := d.Set("port", flattenApigeeInstancePort(res["port"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Instance: %s", err)
 	}
+	if err := d.Set("consumer_accept_list", flattenApigeeInstanceConsumerAcceptList(res["consumerAcceptList"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Instance: %s", err)
+	}
+	if err := d.Set("service_attachment", flattenApigeeInstanceServiceAttachment(res["serviceAttachment"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Instance: %s", err)
+	}
 
 	return nil
 }
@@ -399,6 +431,14 @@ func flattenApigeeInstancePort(v interface{}, d *schema.ResourceData, config *Co
 	return v
 }
 
+func flattenApigeeInstanceConsumerAcceptList(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
+func flattenApigeeInstanceServiceAttachment(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
 func expandApigeeInstanceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
@@ -426,3 +466,7 @@ func expandApigeeInstanceDisplayName(v interface{}, d TerraformResourceData, con
 func expandApigeeInstanceDiskEncryptionKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandApigeeInstanceConsumerAcceptList(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}

google-beta/resource_apigee_instance_generated_test.go

@@ -459,6 +459,199 @@ resource "google_apigee_instance" "apigee_instance" {
 `, context)
 }
 
+func TestAccApigeeInstance_apigeeInstanceServiceAttachmentBasicTestExample(t *testing.T) {
+	skipIfVcr(t)
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":          getTestOrgFromEnv(t),
+		"billing_account": getTestBillingAccountFromEnv(t),
+		"random_suffix":   randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckApigeeInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccApigeeInstance_apigeeInstanceServiceAttachmentBasicTestExample(context),
+			},
+			{
+				ResourceName:            "google_apigee_instance.apigee_instance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ip_range", "org_id"},
+			},
+		},
+	})
+}
+
+func testAccApigeeInstance_apigeeInstanceServiceAttachmentBasicTestExample(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "project" {
+  project_id      = "tf-test%{random_suffix}"
+  name            = "tf-test%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+}
+
+resource "google_project_service" "apigee" {
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_project_service" "compute" {
+  project = google_project.project.project_id
+  service = "compute.googleapis.com"
+}
+
+resource "google_project_service" "servicenetworking" {
+  project = google_project.project.project_id
+  service = "servicenetworking.googleapis.com"
+}
+
+resource "google_compute_network" "apigee_network" {
+  name       = "apigee-network"
+  project    = google_project.project.project_id
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_global_address" "apigee_range" {
+  name          = "apigee-range"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = google_compute_network.apigee_network.id
+  project       = google_project.project.project_id
+}
+
+resource "google_service_networking_connection" "apigee_vpc_connection" {
+  network                 = google_compute_network.apigee_network.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.apigee_range.name]
+  depends_on              = [google_project_service.servicenetworking]
+}
+
+resource "google_compute_address" "psc_ilb_consumer_address" {
+  name   = "psc-ilb-consumer-address"
+  region = "us-west2"
+
+  subnetwork   = "default"
+  address_type = "INTERNAL"
+
+  project    = google_project.project.project_id
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
+  name   = "psc-ilb-consumer-forwarding-rule"
+  region = "us-west2"
+
+  target                = google_compute_service_attachment.psc_ilb_service_attachment.id
+  load_balancing_scheme = "" # need to override EXTERNAL default when target is a service attachment
+  network               = "default"
+  ip_address            = google_compute_address.psc_ilb_consumer_address.id
+
+  project = google_project.project.project_id
+}
+
+resource "google_compute_forwarding_rule" "psc_ilb_target_service" {
+  name   = "producer-forwarding-rule"
+  region = "us-west2"
+
+  load_balancing_scheme = "INTERNAL"
+  backend_service       = google_compute_region_backend_service.producer_service_backend.id
+  all_ports             = true
+  network               = google_compute_network.psc_ilb_network.name
+  subnetwork            = google_compute_subnetwork.psc_ilb_producer_subnetwork.name
+
+  project = google_project.project.project_id
+}
+
+resource "google_compute_region_backend_service" "producer_service_backend" {
+  name   = "producer-service"
+  region = "us-west2"
+
+  health_checks = [google_compute_health_check.producer_service_health_check.id]
+
+  project = google_project.project.project_id
+}
+
+resource "google_compute_health_check" "producer_service_health_check" {
+  name = "producer-service-health-check"
+
+  check_interval_sec = 1
+  timeout_sec        = 1
+  tcp_health_check {
+    port = "80"
+  }
+
+  project    = google_project.project.project_id
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_network" "psc_ilb_network" {
+  name = "psc-ilb-network"
+  auto_create_subnetworks = false
+
+  project     = google_project.project.project_id
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_subnetwork" "psc_ilb_producer_subnetwork" {
+  name   = "psc-ilb-producer-subnetwork"
+  region = "us-west2"
+
+  network       = google_compute_network.psc_ilb_network.id
+  ip_cidr_range = "10.0.0.0/16"
+
+  project = google_project.project.project_id
+}
+
+resource "google_compute_subnetwork" "psc_ilb_nat" {
+  name   = "psc-ilb-nat"
+  region = "us-west2"
+
+  network       = google_compute_network.psc_ilb_network.id
+  purpose       =  "PRIVATE_SERVICE_CONNECT"
+  ip_cidr_range = "10.1.0.0/16"
+
+  project = google_project.project.project_id
+}
+
+resource "google_compute_service_attachment" "psc_ilb_service_attachment" {
+  name        = "my-psc-ilb"
+  region      = "us-west2"
+  description = "A service attachment configured with Terraform"
+
+  enable_proxy_protocol    = true
+  connection_preference    = "ACCEPT_AUTOMATIC"
+  nat_subnets              = [google_compute_subnetwork.psc_ilb_nat.id]
+  target_service           = google_compute_forwarding_rule.psc_ilb_target_service.id
+
+  project = google_project.project.project_id
+}
+
+resource "google_apigee_organization" "apigee_org" {
+  analytics_region   = "us-central1"
+  project_id         = google_project.project.project_id
+  authorized_network = google_compute_network.apigee_network.id
+  depends_on         = [
+    google_service_networking_connection.apigee_vpc_connection,
+    google_project_service.apigee,
+  ]
+}
+
+resource "google_apigee_instance" "apigee_instance" {
+  name                 = "tf-test%{random_suffix}"
+  location             = "us-central1"
+  org_id               = google_apigee_organization.apigee_org.id
+  consumer_accept_list = [123456, google_project.project.number]
+}
+`, context)
+}
+
 func testAccCheckApigeeInstanceDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/apigee_instance.html.markdown

@@ -271,6 +271,13 @@ The following arguments are supported:
   Customer Managed Encryption Key (CMEK) used for disk and volume encryption. Required for Apigee paid subscriptions only.
   Use the following format: `projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)`
 
+* `consumer_accept_list` -
+  (Optional)
+  Optional. Customer accept list represents the list of projects (id/number) on customer
+  side that can privately connect to the service attachment. It is an optional field
+  which the customers can provide during the instance creation. By default, the customer
+  project associated with the Apigee organization will be included to the list.
+
 
 ## Attributes Reference
 
@@ -284,6 +291,11 @@ In addition to the arguments listed above, the following computed attributes are
 * `port` -
   Output only. Port number of the exposed Apigee endpoint.
 
+* `service_attachment` -
+  Output only. Resource name of the service attachment created for the instance in
+  the format: projects/*/regions/*/serviceAttachments/* Apigee customers can privately
+  forward traffic to this service attachment using the PSC endpoints.
+
 
 ## Timeouts