Support policy version 3 in google_spanner_database_iam_member and google_spanner_instance_iam_member (#6915) (#5125)

* support policy version 3 in spanner_database_iam and spanner_instance_iam resources

* re-trigger checks

* update tests to have conditions

* fix tests

* fix tests

Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/6915.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+spanner: added support for IAM conditions with `google_spanner_database_iam_member` and `google_spanner_instance_iam_member`
+```

google-beta/iam_spanner_database.go

@@ -66,7 +66,9 @@ func (u *SpannerDatabaseIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		Project:  u.project,
 		Database: u.database,
 		Instance: u.instance,
-	}.databaseUri(), &spanner.GetIamPolicyRequest{}).Do()
+	}.databaseUri(), &spanner.GetIamPolicyRequest{
+		Options: &spanner.GetPolicyOptions{RequestedPolicyVersion: iamPolicyVersion},
+	}).Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
@@ -78,6 +80,8 @@ func (u *SpannerDatabaseIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		return nil, errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 	}
 
+	cloudResourcePolicy.Version = iamPolicyVersion
+
 	return cloudResourcePolicy, nil
 }
 
@@ -88,6 +92,8 @@ func (u *SpannerDatabaseIamUpdater) SetResourceIamPolicy(policy *cloudresourcema
 		return errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 	}
 
+	spannerPolicy.Version = iamPolicyVersion
+
 	userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
 	if err != nil {
 		return err

google-beta/iam_spanner_instance.go

@@ -73,7 +73,9 @@ func (u *SpannerInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 	p, err := u.Config.NewSpannerClient(userAgent).Projects.Instances.GetIamPolicy(spannerInstanceId{
 		Project:  u.project,
 		Instance: u.instance,
-	}.instanceUri(), &spanner.GetIamPolicyRequest{}).Do()
+	}.instanceUri(), &spanner.GetIamPolicyRequest{
+		Options: &spanner.GetPolicyOptions{RequestedPolicyVersion: iamPolicyVersion},
+	}).Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
@@ -85,6 +87,8 @@ func (u *SpannerInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		return nil, errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 	}
 
+	cloudResourcePolicy.Version = iamPolicyVersion
+
 	return cloudResourcePolicy, nil
 }
 
@@ -95,6 +99,8 @@ func (u *SpannerInstanceIamUpdater) SetResourceIamPolicy(policy *cloudresourcema
 		return errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
 	}
 
+	spannerPolicy.Version = iamPolicyVersion
+
 	userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
 	if err != nil {
 		return err

google-beta/resource_spanner_database_iam_test.go

@@ -59,6 +59,7 @@ func TestAccSpannerDatabaseIamMember(t *testing.T) {
 	role := "roles/spanner.databaseAdmin"
 	database := fmt.Sprintf("tf-test-%s", randString(t, 10))
 	instance := fmt.Sprintf("tf-test-%s", randString(t, 10))
+	conditionTitle := "Access only database one"
 
 	vcrTest(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
@@ -70,11 +71,11 @@ func TestAccSpannerDatabaseIamMember(t *testing.T) {
 			},
 			{
 				ResourceName: "google_spanner_database_iam_member.foo",
-				ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com", spannerDatabaseId{
+				ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com %s", spannerDatabaseId{
 					Instance: instance,
 					Database: database,
 					Project:  project,
-				}.terraformId(), role, account, project),
+				}.terraformId(), role, account, project, conditionTitle),
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
@@ -207,6 +208,10 @@ resource "google_spanner_database_iam_member" "foo" {
   instance = google_spanner_database.database.instance
   role     = "%s"
   member   = "serviceAccount:${google_service_account.test_account.email}"
+  condition {
+    title      = "Access only database one"
+    expression = "resource.type == \"spanner.googleapis.com/DatabaseRole\" && resource.name.endsWith(\"/databaseRoles/parent\")"
+  }
 }
 `, account, instance, instance, database, roleId)
 }

google-beta/resource_spanner_instance_iam_test.go

@@ -55,6 +55,7 @@ func TestAccSpannerInstanceIamMember(t *testing.T) {
 	account := fmt.Sprintf("tf-test-%d", randInt(t))
 	role := "roles/spanner.databaseAdmin"
 	instance := fmt.Sprintf("tf-test-%s", randString(t, 10))
+	conditionTitle := "Access only database one"
 
 	vcrTest(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
@@ -66,10 +67,10 @@ func TestAccSpannerInstanceIamMember(t *testing.T) {
 			},
 			{
 				ResourceName: "google_spanner_instance_iam_member.foo",
-				ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com", spannerInstanceId{
+				ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com %s", spannerInstanceId{
 					Instance: instance,
 					Project:  project,
-				}.terraformId(), role, account, project),
+				}.terraformId(), role, account, project, conditionTitle),
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
@@ -179,6 +180,10 @@ resource "google_spanner_instance_iam_member" "foo" {
   instance = google_spanner_instance.instance.name
   role     = "%s"
   member   = "serviceAccount:${google_service_account.test_account.email}"
+  condition {
+    title      = "Access only database one"
+    expression = "resource.type == \"spanner.googleapis.com/DatabaseRole\" && resource.name.endsWith(\"/databaseRoles/parent\")"
+  }
 }
 `, account, instance, instance, roleId)
 }