Add a custom role field for the Scope RBACRolebindings (#14168) (#23183)

[upstream:2ad216bee6112a0486dd78173451f99120e3c2d6]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14168.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+gkehub: added `custom_role` field to `google_gke_hub_scope_rbac_role_binding` resource
+```

google/services/gkehub2/resource_gke_hub_scope_rbac_role_binding.go

@@ -65,11 +65,18 @@ func ResourceGKEHub2ScopeRBACRoleBinding() *schema.Resource {
 				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"custom_role": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Description:  `CustomRole is the custom Kubernetes ClusterRole to be used. The custom role format must be allowlisted in the rbacrolebindingactuation feature and RFC 1123 compliant.`,
+							ExactlyOneOf: []string{"role.0.predefined_role", "role.0.custom_role"},
+						},
 						"predefined_role": {
 							Type:         schema.TypeString,
 							Optional:     true,
 							ValidateFunc: verify.ValidateEnum([]string{"UNKNOWN", "ADMIN", "EDIT", "VIEW", ""}),
 							Description:  `PredefinedRole is an ENUM representation of the default Kubernetes Roles Possible values: ["UNKNOWN", "ADMIN", "EDIT", "VIEW"]`,
+							ExactlyOneOf: []string{"role.0.predefined_role", "role.0.custom_role"},
 						},
 					},
 				},
@@ -587,12 +594,18 @@ func flattenGKEHub2ScopeRBACRoleBindingRole(v interface{}, d *schema.ResourceDat
 	transformed := make(map[string]interface{})
 	transformed["predefined_role"] =
 		flattenGKEHub2ScopeRBACRoleBindingRolePredefinedRole(original["predefinedRole"], d, config)
+	transformed["custom_role"] =
+		flattenGKEHub2ScopeRBACRoleBindingRoleCustomRole(original["customRole"], d, config)
 	return []interface{}{transformed}
 }
 func flattenGKEHub2ScopeRBACRoleBindingRolePredefinedRole(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
 
+func flattenGKEHub2ScopeRBACRoleBindingRoleCustomRole(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenGKEHub2ScopeRBACRoleBindingLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -651,13 +664,24 @@ func expandGKEHub2ScopeRBACRoleBindingRole(v interface{}, d tpgresource.Terrafor
 		transformed["predefinedRole"] = transformedPredefinedRole
 	}
 
+	transformedCustomRole, err := expandGKEHub2ScopeRBACRoleBindingRoleCustomRole(original["custom_role"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedCustomRole); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["customRole"] = transformedCustomRole
+	}
+
 	return transformed, nil
 }
 
 func expandGKEHub2ScopeRBACRoleBindingRolePredefinedRole(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
 
+func expandGKEHub2ScopeRBACRoleBindingRoleCustomRole(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandGKEHub2ScopeRBACRoleBindingEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

google/services/gkehub2/resource_gke_hub_scope_rbac_role_binding_generated_meta.yaml

@@ -12,6 +12,7 @@ fields:
   - field: 'group'
   - field: 'labels'
   - field: 'name'
+  - field: 'role.custom_role'
   - field: 'role.predefined_role'
   - field: 'scope_id'
     provider_only: true

google/services/gkehub2/resource_gke_hub_scope_rbac_role_binding_generated_test.go

@@ -73,7 +73,6 @@ resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_role_binding" {
   labels = {
       key = "value" 
   }
-  depends_on = [google_gke_hub_scope.scope]
 }
 `, context)
 }

google/services/gkehub2/resource_gke_hub_scope_rbac_role_binding_test.go

@@ -20,7 +20,6 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
 	"github.com/hashicorp/terraform-provider-google/google/envvar"
 )
@@ -29,13 +28,16 @@ func TestAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacRoleBindingBasicExample_u
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"project":       envvar.GetTestProjectFromEnv(),
-		"random_suffix": acctest.RandString(t, 10),
+		"project":         envvar.GetTestProjectFromEnv(),
+		"random_suffix":   acctest.RandString(t, 10),
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckGKEHub2ScopeRBACRoleBindingDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
 				Config: testAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacRoleBindingBasicExample_basic(context),
@@ -67,15 +69,14 @@ resource "google_gke_hub_scope" "scoperbacrolebinding" {
 
 resource "google_gke_hub_scope_rbac_role_binding" "scoperbacrolebinding" {
   scope_rbac_role_binding_id = "tf-test-scope-rbac-role-binding%{random_suffix}"
-  scope_id = "tf-test-scope%{random_suffix}"
+  scope_id = google_gke_hub_scope.scoperbacrolebinding.scope_id
   user = "[email protected]"
   role {
     predefined_role = "ADMIN"
   }
   labels = {
       key = "value" 
   }
-  depends_on = [google_gke_hub_scope.scoperbacrolebinding]
 }
 `, context)
 }
@@ -88,15 +89,141 @@ resource "google_gke_hub_scope" "scoperbacrolebinding" {
 
 resource "google_gke_hub_scope_rbac_role_binding" "scoperbacrolebinding" {
   scope_rbac_role_binding_id = "tf-test-scope-rbac-role-binding%{random_suffix}"
-  scope_id = "tf-test-scope%{random_suffix}"
+  scope_id = google_gke_hub_scope.scoperbacrolebinding.scope_id
   group = "[email protected]"
   role {
     predefined_role = "VIEW"
   }
   labels = {
       key = "updated_value" 
   }
-  depends_on = [google_gke_hub_scope.scoperbacrolebinding]
+}
+`, context)
+}
+
+func TestAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacCustomRoleBindingBasicExample_update(t *testing.T) {
+	// VCR fails to handle batched project services
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project":         envvar.GetTestProjectFromEnv(),
+		"random_suffix":   acctest.RandString(t, 10),
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckGKEHub2ScopeRBACRoleBindingDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacCustomRoleBindingBasicExample_basic(context),
+			},
+			{
+				ResourceName:            "google_gke_hub_scope_rbac_role_binding.scope_rbac_custom_role_binding",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "scope_id", "scope_rbac_role_binding_id", "terraform_labels"},
+			},
+			{
+				Config: testAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacCustomRoleBindingBasicExample_update(context),
+			},
+			{
+				ResourceName:            "google_gke_hub_scope_rbac_role_binding.scope_rbac_custom_role_binding",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"scope_rbac_role_binding_id", "scope_id", "labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacCustomRoleBindingBasicExample_basic(context map[string]interface{}) string {
+	return gkeHubRRBActuationProjectSetupForGA(context) + acctest.Nprintf(`
+resource "google_gke_hub_scope" "scope" {
+  scope_id = "tf-test-scope%{random_suffix}"
+  depends_on = [google_project_service.anthos, google_project_service.gkehub]
+}
+
+resource "google_gke_hub_feature" "rbacrolebindingactuation" {
+  name = "rbacrolebindingactuation"
+  location = "global"
+  spec {
+    rbacrolebindingactuation {
+      allowed_custom_roles = ["my-custom-role", "my-custom-role-2"]
+    }
+  }
+  depends_on = [google_project_service.anthos, google_project_service.gkehub]
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_custom_role_binding" {
+  scope_rbac_role_binding_id = "tf-test-scope-rbac-role-binding%{random_suffix}"
+  scope_id = google_gke_hub_scope.scope.scope_id
+  user = "[email protected]"
+  role {
+    custom_role = "my-custom-role"
+  }
+  labels = {
+      key = "value" 
+  }
+  depends_on = [google_gke_hub_feature.rbacrolebindingactuation]
+}
+`, context)
+}
+
+func testAccGKEHub2ScopeRBACRoleBinding_gkehubScopeRbacCustomRoleBindingBasicExample_update(context map[string]interface{}) string {
+	return gkeHubRRBActuationProjectSetupForGA(context) + acctest.Nprintf(`
+resource "google_gke_hub_scope" "scope" {
+  scope_id = "tf-test-scope%{random_suffix}"
+}
+
+resource "google_gke_hub_feature" "rbacrolebindingactuation" {
+  name = "rbacrolebindingactuation"
+  location = "global"
+  spec {
+    rbacrolebindingactuation {
+      allowed_custom_roles = ["my-custom-role", "my-custom-role-2"]
+    }
+  }
+  depends_on = [google_project_service.anthos, google_project_service.gkehub]
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_custom_role_binding" {
+  scope_rbac_role_binding_id = "tf-test-scope-rbac-role-binding%{random_suffix}"
+  scope_id = google_gke_hub_scope.scope.scope_id
+  user = "[email protected]"
+  role {
+    custom_role = "my-custom-role-2"
+  }
+  labels = {
+      key = "value" 
+  }
+  depends_on = [google_gke_hub_feature.rbacrolebindingactuation]
+}
+`, context)
+}
+
+func gkeHubRRBActuationProjectSetupForGA(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_project" "project" {
+  name            = "tf-test-gkehub%{random_suffix}"
+  project_id      = "tf-test-gkehub%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+  deletion_policy = "DELETE"
+}
+
+resource "google_project_service" "anthos" {
+  project = google_project.project.project_id
+  service = "anthos.googleapis.com"
+}
+
+resource "google_project_service" "gkehub" {
+  project = google_project.project.project_id
+  service = "gkehub.googleapis.com"
+  disable_on_destroy = false
 }
 `, context)
 }

website/docs/r/gke_hub_scope_rbac_role_binding.html.markdown

@@ -48,7 +48,37 @@ resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_role_binding" {
   labels = {
       key = "value" 
   }
-  depends_on = [google_gke_hub_scope.scope]
+}
+```
+## Example Usage - Gkehub Scope Rbac Custom Role Binding Basic
+
+
+```hcl
+resource "google_gke_hub_scope" "scope" {
+  scope_id = "tf-test-scope%{random_suffix}"
+}
+
+resource "google_gke_hub_feature" "rbacrolebindingactuation" {
+  name = "rbacrolebindingactuation"
+  location = "global"
+  spec {
+    rbacrolebindingactuation {
+      allowed_custom_roles = ["my-custom-role"]
+    }
+  }
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_role_binding" {
+  scope_rbac_role_binding_id = "tf-test-scope-rbac-role-binding%{random_suffix}"
+  scope_id = google_gke_hub_scope.scope.scope_id
+  user = "[email protected]"
+  role {
+    custom_role = "my-custom-role"
+  }
+  labels = {
+      key = "value" 
+  }
+  depends_on = [google_gke_hub_feature.rbacrolebindingactuation]
 }
 ```
 
@@ -78,6 +108,10 @@ The following arguments are supported:
   PredefinedRole is an ENUM representation of the default Kubernetes Roles
   Possible values are: `UNKNOWN`, `ADMIN`, `EDIT`, `VIEW`.
 
+* `custom_role` -
+  (Optional)
+  CustomRole is the custom Kubernetes ClusterRole to be used. The custom role format must be allowlisted in the rbacrolebindingactuation feature and RFC 1123 compliant.
+
 - - -