diff --git a/.changelog/14048.txt b/.changelog/14048.txt new file mode 100644 index 00000000000..117a1cf6a82 --- /dev/null +++ b/.changelog/14048.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +`google_iam_workload_identity_pool_managed_identity` (beta) +``` \ No newline at end of file diff --git a/google-beta/provider/provider_mmv1_resources.go b/google-beta/provider/provider_mmv1_resources.go index cb59e145023..7091d394d3f 100644 --- a/google-beta/provider/provider_mmv1_resources.go +++ b/google-beta/provider/provider_mmv1_resources.go @@ -586,9 +586,9 @@ var handwrittenIAMDatasources = map[string]*schema.Resource{ } // Resources -// Generated resources: 665 +// Generated resources: 666 // Generated IAM resources: 339 -// Total generated resources: 1004 +// Total generated resources: 1005 var generatedResources = map[string]*schema.Resource{ "google_folder_access_approval_settings": accessapproval.ResourceAccessApprovalFolderSettings(), "google_organization_access_approval_settings": accessapproval.ResourceAccessApprovalOrganizationSettings(), 
@@ -1211,6 +1211,7 @@ var generatedResources = map[string]*schema.Resource{ "google_iam_workload_identity_pool_iam_binding": tpgiamresource.ResourceIamBinding(iambeta.IAMBetaWorkloadIdentityPoolIamSchema, iambeta.IAMBetaWorkloadIdentityPoolIamUpdaterProducer, iambeta.IAMBetaWorkloadIdentityPoolIdParseFunc), "google_iam_workload_identity_pool_iam_member": tpgiamresource.ResourceIamMember(iambeta.IAMBetaWorkloadIdentityPoolIamSchema, iambeta.IAMBetaWorkloadIdentityPoolIamUpdaterProducer, iambeta.IAMBetaWorkloadIdentityPoolIdParseFunc), "google_iam_workload_identity_pool_iam_policy": tpgiamresource.ResourceIamPolicy(iambeta.IAMBetaWorkloadIdentityPoolIamSchema, iambeta.IAMBetaWorkloadIdentityPoolIamUpdaterProducer, iambeta.IAMBetaWorkloadIdentityPoolIdParseFunc), + "google_iam_workload_identity_pool_managed_identity": iambeta.ResourceIAMBetaWorkloadIdentityPoolManagedIdentity(), "google_iam_workload_identity_pool_namespace": iambeta.ResourceIAMBetaWorkloadIdentityPoolNamespace(), "google_iam_workload_identity_pool_provider": iambeta.ResourceIAMBetaWorkloadIdentityPoolProvider(), "google_iam_oauth_client": iamworkforcepool.ResourceIAMWorkforcePoolOauthClient(), diff --git a/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity.go b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity.go new file mode 100644 index 00000000000..70f49c8b76c --- /dev/null +++ b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity.go 
@@ -0,0 +1,518 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This code is generated by Magic Modules using the following: +// +// Configuration: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/products/iambeta/WorkloadIdentityPoolManagedIdentity.yaml +// Template: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/terraform/resource.go.tmpl +// +// DO NOT EDIT this file directly. Any changes made to this file will be +// overwritten during the next generation cycle. +// +// ---------------------------------------------------------------------------- + +package iambeta + +import ( + "fmt" + "log" + "net/http" + "reflect" + "regexp" + "strings" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" +) + +const workloadIdentityPoolManagedIdentityIdRegexp = `^[0-9a-z-]+$` + +func ValidateWorkloadIdentityPoolManagedIdentityId(v interface{}, k string) (ws []string, errors []error) { + value := v.(string) + + if !regexp.MustCompile(workloadIdentityPoolManagedIdentityIdRegexp).MatchString(value) { + errors = append(errors, fmt.Errorf( + "%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k)) + } + + if len(value) < 2 { + errors = append(errors, fmt.Errorf( + "%q cannot be less than 2 characters", k)) + return + } + + if len(value) > 63 { + errors = append(errors, fmt.Errorf( + "%q cannot be greater than 63 characters", k)) + } + + isLowerAlphaNumeric := func(r byte) bool { + return (r >= '0' && r 
<= '9') || (r >= 'a' && r <= 'z') + } + + firstChar := value[0] + if !isLowerAlphaNumeric(firstChar) { + errors = append(errors, fmt.Errorf( + "%q must start with an alphanumeric character", k)) + } + + lastChar := value[len(value)-1] + if !isLowerAlphaNumeric(lastChar) { + errors = append(errors, fmt.Errorf( + "%q must end with an alphanumeric character", k)) + } + + if strings.HasPrefix(value, "gcp-") { + errors = append(errors, fmt.Errorf( + "%q (%q) can not start with \"gcp-\"", k, value)) + } + + return +} + +func ResourceIAMBetaWorkloadIdentityPoolManagedIdentity() *schema.Resource { + return &schema.Resource{ + Create: resourceIAMBetaWorkloadIdentityPoolManagedIdentityCreate, + Read: resourceIAMBetaWorkloadIdentityPoolManagedIdentityRead, + Update: resourceIAMBetaWorkloadIdentityPoolManagedIdentityUpdate, + Delete: resourceIAMBetaWorkloadIdentityPoolManagedIdentityDelete, + + Importer: &schema.ResourceImporter{ + State: resourceIAMBetaWorkloadIdentityPoolManagedIdentityImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + CustomizeDiff: customdiff.All( + tpgresource.DefaultProviderProject, + ), + + Schema: map[string]*schema.Schema{ + "workload_identity_pool_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `The ID to use for the pool, which becomes the final component of the resource name. This +value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix +'gcp-' is reserved for use by Google, and may not be specified.`, + }, + "workload_identity_pool_managed_identity_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `The ID to use for the managed identity. 
This value must: +* contain at most 63 characters +* contain only lowercase alphanumeric characters or '-' +* start with an alphanumeric character +* end with an alphanumeric character + + +The prefix 'gcp-' will be reserved for future uses.`, + }, + "workload_identity_pool_namespace_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `The ID to use for the namespace. This value must: +* contain at most 63 characters +* contain only lowercase alphanumeric characters or '-' +* start with an alphanumeric character +* end with an alphanumeric character + + +The prefix 'gcp-' will be reserved for future uses.`, + }, + "description": { + Type: schema.TypeString, + Optional: true, + Description: `A description of the managed identity. Cannot exceed 256 characters.`, + }, + "disabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Whether the managed identity is disabled. If disabled, credentials may no longer be issued for +the identity, however existing credentials will still be accepted until they expire.`, + }, + "name": { + Type: schema.TypeString, + Computed: true, + Description: `The resource name of the managed identity as +'projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/namespaces/{workload_identity_pool_namespace_id}/managedIdentities/{workload_identity_pool_managed_identity_id}'.`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `The current state of the managed identity. +* 'ACTIVE': The managed identity is active. +* 'DELETED': The managed identity is soft-deleted. Soft-deleted managed identities are +permanently deleted after approximately 30 days. You can restore a soft-deleted managed +identity using UndeleteWorkloadIdentityPoolManagedIdentity. 
You cannot reuse the ID of a +soft-deleted managed identity until it is permanently deleted.`, + }, + "project": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + }, + }, + UseJSONNumber: true, + } +} + +func resourceIAMBetaWorkloadIdentityPoolManagedIdentityCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + descriptionProp, err := expandIAMBetaWorkloadIdentityPoolManagedIdentityDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + disabledProp, err := expandIAMBetaWorkloadIdentityPoolManagedIdentityDisabled(d.Get("disabled"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("disabled"); !tpgresource.IsEmptyValue(reflect.ValueOf(disabledProp)) && (ok || !reflect.DeepEqual(v, disabledProp)) { + obj["disabled"] = disabledProp + } + + url, err := tpgresource.ReplaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities?workloadIdentityPoolManagedIdentityId={{workload_identity_pool_managed_identity_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Creating new WorkloadIdentityPoolManagedIdentity: %#v", obj) + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolManagedIdentity: %s", err) + } + billingProject = project + + // err == nil indicates that the billing_project value was found + if bp, err := 
tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "POST", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutCreate), + Headers: headers, + }) + if err != nil { + return fmt.Errorf("Error creating WorkloadIdentityPoolManagedIdentity: %s", err) + } + + // Store the ID now + id, err := tpgresource.ReplaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + err = IAMBetaOperationWaitTime( + config, res, project, "Creating WorkloadIdentityPoolManagedIdentity", userAgent, + d.Timeout(schema.TimeoutCreate)) + + if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error waiting to create WorkloadIdentityPoolManagedIdentity: %s", err) + } + + log.Printf("[DEBUG] Finished creating WorkloadIdentityPoolManagedIdentity %q: %#v", d.Id(), res) + + return resourceIAMBetaWorkloadIdentityPoolManagedIdentityRead(d, meta) +} + +func resourceIAMBetaWorkloadIdentityPoolManagedIdentityRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + url, err := tpgresource.ReplaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}") + if err != nil { + return err + } + + billingProject := "" + + project, err := 
tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolManagedIdentity: %s", err) + } + billingProject = project + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("IAMBetaWorkloadIdentityPoolManagedIdentity %q", d.Id())) + } + + res, err = resourceIAMBetaWorkloadIdentityPoolManagedIdentityDecoder(d, meta, res) + if err != nil { + return err + } + + if res == nil { + // Decoding the object has resulted in it being gone. It may be marked deleted + log.Printf("[DEBUG] Removing IAMBetaWorkloadIdentityPoolManagedIdentity because it no longer exists.") + d.SetId("") + return nil + } + + if err := d.Set("project", project); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolManagedIdentity: %s", err) + } + + if err := d.Set("name", flattenIAMBetaWorkloadIdentityPoolManagedIdentityName(res["name"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolManagedIdentity: %s", err) + } + if err := d.Set("description", flattenIAMBetaWorkloadIdentityPoolManagedIdentityDescription(res["description"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolManagedIdentity: %s", err) + } + if err := d.Set("state", flattenIAMBetaWorkloadIdentityPoolManagedIdentityState(res["state"], d, config)); err != nil { + return fmt.Errorf("Error reading WorkloadIdentityPoolManagedIdentity: %s", err) + } + if err := d.Set("disabled", flattenIAMBetaWorkloadIdentityPoolManagedIdentityDisabled(res["disabled"], d, config)); err != nil { + return 
fmt.Errorf("Error reading WorkloadIdentityPoolManagedIdentity: %s", err) + } + + return nil +} + +func resourceIAMBetaWorkloadIdentityPoolManagedIdentityUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolManagedIdentity: %s", err) + } + billingProject = project + + obj := make(map[string]interface{}) + descriptionProp, err := expandIAMBetaWorkloadIdentityPoolManagedIdentityDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + disabledProp, err := expandIAMBetaWorkloadIdentityPoolManagedIdentityDisabled(d.Get("disabled"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("disabled"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, disabledProp)) { + obj["disabled"] = disabledProp + } + + url, err := tpgresource.ReplaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Updating WorkloadIdentityPoolManagedIdentity %q: %#v", d.Id(), obj) + headers := make(http.Header) + updateMask := []string{} + + if d.HasChange("description") { + updateMask = append(updateMask, "description") + } + + if d.HasChange("disabled") { + updateMask = append(updateMask, "disabled") + } + // updateMask is a URL parameter but not present in the schema, so 
ReplaceVars + // won't set it + url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")}) + if err != nil { + return err + } + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + // if updateMask is empty we are not updating anything so skip the post + if len(updateMask) > 0 { + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "PATCH", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutUpdate), + Headers: headers, + }) + + if err != nil { + return fmt.Errorf("Error updating WorkloadIdentityPoolManagedIdentity %q: %s", d.Id(), err) + } else { + log.Printf("[DEBUG] Finished updating WorkloadIdentityPoolManagedIdentity %q: %#v", d.Id(), res) + } + + err = IAMBetaOperationWaitTime( + config, res, project, "Updating WorkloadIdentityPoolManagedIdentity", userAgent, + d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return err + } + } + + return resourceIAMBetaWorkloadIdentityPoolManagedIdentityRead(d, meta) +} + +func resourceIAMBetaWorkloadIdentityPoolManagedIdentityDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for WorkloadIdentityPoolManagedIdentity: %s", err) + } + billingProject = project + + url, err := tpgresource.ReplaceVars(d, config, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}") + if err != nil { + 
return err + } + + var obj map[string]interface{} + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + + log.Printf("[DEBUG] Deleting WorkloadIdentityPoolManagedIdentity %q", d.Id()) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutDelete), + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, "WorkloadIdentityPoolManagedIdentity") + } + + err = IAMBetaOperationWaitTime( + config, res, project, "Deleting WorkloadIdentityPoolManagedIdentity", userAgent, + d.Timeout(schema.TimeoutDelete)) + + if err != nil { + return err + } + + log.Printf("[DEBUG] Finished deleting WorkloadIdentityPoolManagedIdentity %q: %#v", d.Id(), res) + return nil +} + +func resourceIAMBetaWorkloadIdentityPoolManagedIdentityImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*transport_tpg.Config) + if err := tpgresource.ParseImportId([]string{ + "^projects/(?P[^/]+)/locations/global/workloadIdentityPools/(?P[^/]+)/namespaces/(?P[^/]+)/managedIdentities/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)/(?P[^/]+)/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)/(?P[^/]+)$", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err := tpgresource.ReplaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} + +func 
flattenIAMBetaWorkloadIdentityPoolManagedIdentityName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolManagedIdentityDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolManagedIdentityState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenIAMBetaWorkloadIdentityPoolManagedIdentityDisabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func expandIAMBetaWorkloadIdentityPoolManagedIdentityDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandIAMBetaWorkloadIdentityPoolManagedIdentityDisabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func resourceIAMBetaWorkloadIdentityPoolManagedIdentityDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) { + if v := res["state"]; v == "DELETED" { + return nil, nil + } + + return res, nil +} diff --git a/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_generated_meta.yaml b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_generated_meta.yaml new file mode 100644 index 00000000000..a266a0a8a7c --- /dev/null +++ b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_generated_meta.yaml 
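Review bot: `ValidateWorkloadIdentityPoolManagedIdentityId` is declared at the top of this file but never referenced — the `workload_identity_pool_managed_identity_id` schema entry carries no `ValidateFunc`, so the length, character-set and reserved `gcp-` prefix rules it encodes are only enforced server-side, after a plan has already been accepted. Adding `ValidateFunc: ValidateWorkloadIdentityPoolManagedIdentityId,` to that entry (in the MMv1 YAML this file is generated from, per the header) would reject such IDs at plan time instead of at apply. While there, the validator calls `regexp.MustCompile` on every invocation; hoist it to package scope as `var workloadIdentityPoolManagedIdentityIdRe = regexp.MustCompile(workloadIdentityPoolManagedIdentityIdRegexp)` and match against that. The import-ID patterns in `resourceIAMBetaWorkloadIdentityPoolManagedIdentityImport` read `(?P[^/]+)` here, which is not valid Go named-group syntax; this is probably the group names (`(?P<project>…` etc.) lost in rendering rather than in the committed file, but it is worth confirming, since `ParseImportId` would fail on the literal text.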
@@ -0,0 +1,17 @@ +resource: 'google_iam_workload_identity_pool_managed_identity' +generation_type: 'mmv1' +source_file: 'products/iambeta/WorkloadIdentityPoolManagedIdentity.yaml' +api_service_name: 'iam.googleapis.com' +api_version: 'v1' +api_resource_type_kind: 'WorkloadIdentityPoolManagedIdentity' +fields: + - field: 'description' + - field: 'disabled' + - field: 'name' + - field: 'state' + - field: 'workload_identity_pool_id' + provider_only: true + - field: 'workload_identity_pool_managed_identity_id' + provider_only: true + - field: 'workload_identity_pool_namespace_id' + provider_only: true diff --git a/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_generated_test.go b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_generated_test.go new file mode 100644 index 00000000000..13eb68cc944 --- /dev/null +++ b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_generated_test.go 
@@ -0,0 +1,173 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package iambeta_test + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/terraform" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" +) + +func TestAccIAMBetaWorkloadIdentityPoolManagedIdentity_iamWorkloadIdentityPoolManagedIdentityBasicExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t), + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolManagedIdentityDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolManagedIdentity_iamWorkloadIdentityPoolManagedIdentityBasicExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_managed_identity.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_managed_identity_id", "workload_identity_pool_namespace_id"}, + }, + }, + }) 
+} + +func testAccIAMBetaWorkloadIdentityPoolManagedIdentity_iamWorkloadIdentityPoolManagedIdentityBasicExample(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "tf-test-example-namespace%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = "tf-test-example-managed-identity%{random_suffix}" +} +`, context) +} + +func TestAccIAMBetaWorkloadIdentityPoolManagedIdentity_iamWorkloadIdentityPoolManagedIdentityFullExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t), + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolManagedIdentityDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolManagedIdentity_iamWorkloadIdentityPoolManagedIdentityFullExample(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_managed_identity.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_managed_identity_id", "workload_identity_pool_namespace_id"}, + }, + 
}, + }) +} + +func testAccIAMBetaWorkloadIdentityPoolManagedIdentity_iamWorkloadIdentityPoolManagedIdentityFullExample(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "tf-test-example-namespace%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = "tf-test-example-managed-identity%{random_suffix}" + description = "Example Managed Identity in a Workload Identity Pool Namespace" + disabled = true +} +`, context) +} + +func testAccCheckIAMBetaWorkloadIdentityPoolManagedIdentityDestroyProducer(t *testing.T) func(s *terraform.State) error { + return func(s *terraform.State) error { + for name, rs := range s.RootModule().Resources { + if rs.Type != "google_iam_workload_identity_pool_managed_identity" { + continue + } + if strings.HasPrefix(name, "data.") { + continue + } + + config := acctest.GoogleProviderConfig(t) + + url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}") + if err != nil { + return err + } + + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + 
Method: "GET", + RawURL: url, + UserAgent: config.UserAgent, + }) + if err != nil { + return nil + } + + if v := res["state"]; v == "DELETED" { + return nil + } + + return fmt.Errorf("IAMBetaWorkloadIdentityPoolManagedIdentity still exists at %s", url) + } + + return nil + } +} diff --git a/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_test.go b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_test.go new file mode 100644 index 00000000000..ab18175af71 --- /dev/null +++ b/google-beta/services/iambeta/resource_iam_workload_identity_pool_managed_identity_test.go 
@@ -0,0 +1,186 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: Handwritten *** +// +// ---------------------------------------------------------------------------- +// +// This code is generated by Magic Modules using the following: +// +// Source file: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/third_party/terraform/services/iambeta/resource_iam_workload_identity_pool_managed_identity_test.go.tmpl +// +// DO NOT EDIT this file directly. Any changes made to this file will be +// overwritten during the next generation cycle. +// +// ---------------------------------------------------------------------------- +package iambeta_test + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/plancheck" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest" +) + +func TestAccIAMBetaWorkloadIdentityPoolManagedIdentity_minimal(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t), + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolManagedIdentityDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolManagedIdentity_minimal(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_managed_identity.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_namespace_id", "workload_identity_pool_managed_identity_id"}, + }, + { + Config: testAccIAMBetaWorkloadIdentityPoolManagedIdentity_updated(context), + ConfigPlanChecks: 
resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("google_iam_workload_identity_pool_managed_identity.example", plancheck.ResourceActionUpdate), + }, + }, + }, + { + ResourceName: "google_iam_workload_identity_pool_managed_identity.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_namespace_id", "workload_identity_pool_managed_identity_id"}, + }, + }, + }) +} + +func TestAccIAMBetaWorkloadIdentityPoolManagedIdentity_full(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t), + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolManagedIdentityDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIAMBetaWorkloadIdentityPoolManagedIdentity_full(context), + }, + { + ResourceName: "google_iam_workload_identity_pool_managed_identity.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_namespace_id", "workload_identity_pool_managed_identity_id"}, + }, + { + Config: testAccIAMBetaWorkloadIdentityPoolManagedIdentity_updated(context), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("google_iam_workload_identity_pool_managed_identity.example", plancheck.ResourceActionUpdate), + }, + }, + }, + { + ResourceName: "google_iam_workload_identity_pool_managed_identity.example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_namespace_id", "workload_identity_pool_managed_identity_id"}, + }, + }, + }) +} + +func 
testAccIAMBetaWorkloadIdentityPoolManagedIdentity_minimal(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "tf-test-example-namespace%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = "tf-test-example-managed-identity%{random_suffix}" +} +`, context) +} + +func testAccIAMBetaWorkloadIdentityPoolManagedIdentity_full(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "tf-test-example-namespace%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = 
"tf-test-example-managed-identity%{random_suffix}" + description = "Example Managed Identity in a Workload Identity Pool Namespace" + disabled = true +} +`, context) +} + +func testAccIAMBetaWorkloadIdentityPoolManagedIdentity_updated(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "tf-test-example-pool%{random_suffix}" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "tf-test-example-namespace%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = "tf-test-example-managed-identity%{random_suffix}" + description = "Updated Managed Identity in a Workload Identity Pool Namespace" + disabled = false +} +`, context) +} diff --git a/website/docs/r/iam_workload_identity_pool_managed_identity.html.markdown b/website/docs/r/iam_workload_identity_pool_managed_identity.html.markdown new file mode 100644 index 00000000000..b84fe8ead40 --- /dev/null +++ b/website/docs/r/iam_workload_identity_pool_managed_identity.html.markdown 
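Review bot: Neither TestAccIAMBetaWorkloadIdentityPoolManagedIdentity_full nor _minimal asserts the `disabled` or `state` attributes after apply, so the steps only prove that import matches stored state and that the second config plans as an in-place update; a managed identity configured with `disabled = true` that the API silently reads back as enabled would still pass. Adding `Check: resource.TestCheckResourceAttr("google_iam_workload_identity_pool_managed_identity.example", "disabled", "true"),` to the first step of the _full test, and a matching `"disabled", "false"` check on the `_updated` step, would pin the one security-relevant toggle this resource exposes; a `"state", "ACTIVE"` check would also catch a soft-deleted identity being reused by the same ID. Since the file header says it is generated from resource_iam_workload_identity_pool_managed_identity_test.go.tmpl, the change belongs in that magic-modules template rather than here.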
@@ -0,0 +1,206 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This code is generated by Magic Modules using the following: +# +# Configuration: https:#github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/products/iambeta/WorkloadIdentityPoolManagedIdentity.yaml +# Template: https:#github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/terraform/resource.html.markdown.tmpl +# +# DO NOT EDIT this file directly. Any changes made to this file will be +# overwritten during the next generation cycle. +# +# ---------------------------------------------------------------------------- +subcategory: "Cloud IAM" +description: |- + Represents a managed identity for a workload identity pool namespace. +--- + +# google_iam_workload_identity_pool_managed_identity + +Represents a managed identity for a workload identity pool namespace. + +~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. +See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. 
+ +To get more information about WorkloadIdentityPoolManagedIdentity, see: + +* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces.managedIdentities) +* How-to Guides + * [Configure managed workload identity authentication for Compute Engine](https://cloud.google.com/iam/docs/create-managed-workload-identities) + * [Configure managed workload identity authentication for GKE](https://cloud.google.com/iam/docs/create-managed-workload-identities-gke) + + +## Example Usage - Iam Workload Identity Pool Managed Identity Basic + + +```hcl +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "example-pool" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "example-namespace" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = "example-managed-identity" +} +``` + +## Example Usage - Iam Workload Identity Pool Managed Identity Full + + +```hcl +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + + workload_identity_pool_id = "example-pool" + mode = "TRUST_DOMAIN" +} + +resource "google_iam_workload_identity_pool_namespace" "ns" { + provider = google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = "example-namespace" +} + +resource "google_iam_workload_identity_pool_managed_identity" "example" { + provider = 
google-beta + + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id + workload_identity_pool_managed_identity_id = "example-managed-identity" + description = "Example Managed Identity in a Workload Identity Pool Namespace" + disabled = true +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `workload_identity_pool_id` - + (Required) + The ID to use for the pool, which becomes the final component of the resource name. This + value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix + `gcp-` is reserved for use by Google, and may not be specified. + +* `workload_identity_pool_namespace_id` - + (Required) + The ID to use for the namespace. This value must: + * contain at most 63 characters + * contain only lowercase alphanumeric characters or `-` + * start with an alphanumeric character + * end with an alphanumeric character + + The prefix `gcp-` will be reserved for future uses. + +* `workload_identity_pool_managed_identity_id` - + (Required) + The ID to use for the managed identity. This value must: + * contain at most 63 characters + * contain only lowercase alphanumeric characters or `-` + * start with an alphanumeric character + * end with an alphanumeric character + + The prefix `gcp-` will be reserved for future uses. + + +- - - + + +* `description` - + (Optional) + A description of the managed identity. Cannot exceed 256 characters. + +* `disabled` - + (Optional) + Whether the managed identity is disabled. If disabled, credentials may no longer be issued for + the identity, however existing credentials will still be accepted until they expire. + +* `project` - (Optional) The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. 
+ + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}` + +* `name` - + The resource name of the managed identity as + `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/namespaces/{workload_identity_pool_namespace_id}/managedIdentities/{workload_identity_pool_managed_identity_id}`. + +* `state` - + The current state of the managed identity. + * `ACTIVE`: The managed identity is active. + * `DELETED`: The managed identity is soft-deleted. Soft-deleted managed identities are + permanently deleted after approximately 30 days. You can restore a soft-deleted managed + identity using UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID of a + soft-deleted managed identity until it is permanently deleted. + + +## Timeouts + +This resource provides the following +[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. 
+ +## Import + + +WorkloadIdentityPoolManagedIdentity can be imported using any of these accepted formats: + +* `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}` +* `{{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}}` +* `{{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}}` + + +In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import WorkloadIdentityPoolManagedIdentity using one of the formats above. For example: + +```tf +import { + id = "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}" + to = google_iam_workload_identity_pool_managed_identity.default +} +``` + +When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), WorkloadIdentityPoolManagedIdentity can be imported using one of the formats above. 
For example: + +``` +$ terraform import google_iam_workload_identity_pool_managed_identity.default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}} +$ terraform import google_iam_workload_identity_pool_managed_identity.default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}} +$ terraform import google_iam_workload_identity_pool_managed_identity.default {{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}} +``` + +## User Project Overrides + +This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).