
Commit 19a78a7

Fix identity type comparison for service perimeters (#12267) (#20221)
[upstream:343132cfcaa07a03a385461bfe261580d4624ac4] Signed-off-by: Modular Magician <[email protected]>
1 parent 738ea64 commit 19a78a7

7 files changed

+179
-28
lines changed

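--- a/.changelog/12267.txt
+++ b/.changelog/12267.txt
@@ -0,0 +1,3 @@
+```release-note: bug
+accesscontextmanager: fixed comparison of `identity_type` in `ingress_from` and `egress_from` when the `IDENTITY_TYPE_UNSPECIFIED` is set
+```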

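--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter.go
@@ -22,6 +22,8 @@ import (
 "log"
 "net/http"
 "reflect"
+"slices"
+"sort"
 "strings"
 "time"
 
@@ -32,6 +34,56 @@ import (
 "github.com/hashicorp/terraform-provider-google/google/verify"
 )
 
+func AccessContextManagerServicePerimeterEgressToResourcesDiffSupressFunc(_, _, _ string, d *schema.ResourceData) bool {
+old, new := d.GetChange("egress_to.0.resources")
+
+oldResources, err := tpgresource.InterfaceSliceToStringSlice(old)
+if err != nil {
+log.Printf("[ERROR] Failed to convert config value: %s", err)
+return false
+}
+
+newResources, err := tpgresource.InterfaceSliceToStringSlice(new)
+if err != nil {
+log.Printf("[ERROR] Failed to convert config value: %s", err)
+return false
+}
+
+sort.Strings(oldResources)
+sort.Strings(newResources)
+
+return slices.Equal(oldResources, newResources)
+}
+
+func AccessContextManagerServicePerimeterIngressToResourcesDiffSupressFunc(_, _, _ string, d *schema.ResourceData) bool {
+old, new := d.GetChange("ingress_to.0.resources")
+
+oldResources, err := tpgresource.InterfaceSliceToStringSlice(old)
+if err != nil {
+log.Printf("[ERROR] Failed to convert config value: %s", err)
+return false
+}
+
+newResources, err := tpgresource.InterfaceSliceToStringSlice(new)
+if err != nil {
+log.Printf("[ERROR] Failed to convert config value: %s", err)
+return false
+}
+
+sort.Strings(oldResources)
+sort.Strings(newResources)
+
+return slices.Equal(oldResources, newResources)
+}
+
+func AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc(_, old, new string, _ *schema.ResourceData) bool {
+if old == "" && new == "IDENTITY_TYPE_UNSPECIFIED" {
+return true
+}
+
+return old == new
+}
+
 func ResourceAccessContextManagerServicePerimeter() *schema.Resource {
 return &schema.Resource{
 Create: resourceAccessContextManagerServicePerimeterCreate,
@@ -156,9 +208,10 @@ represent individual user or service account only.`,
 Set: schema.HashString,
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access to outside the
 perimeter. If left unspecified, then members of 'identities' field will
 be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,
@@ -295,9 +348,10 @@ individual user or service account only.`,
 Set: schema.HashString,
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access from outside the
 perimeter. If left unspecified, then members of 'identities' field will be
 allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,
@@ -520,9 +574,10 @@ represent individual user or service account only.`,
 Set: schema.HashString,
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access to outside the
 perimeter. If left unspecified, then members of 'identities' field will
 be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,
@@ -659,9 +714,10 @@ individual user or service account only.`,
 Set: schema.HashString,
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: verify.ValidateEnum([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access from outside the
 perimeter. If left unspecified, then members of 'identities' field will be
 allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,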
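Review bot: The two resources diff-suppress functions added in the second hunk (`AccessContextManagerServicePerimeterEgressToResourcesDiffSupressFunc` and `...IngressToResourcesDiffSupressFunc`) are byte-identical apart from the hard-coded key they read, ignore the key argument the SDK hands them, and nothing in this commit attaches either one to a schema field, so in this file they are unreferenced. The keys `egress_to.0.resources` and `ingress_to.0.resources` are the top-level paths of the per-policy resources (the hunk headers of the policy files in this commit show the same helpers already live there); in the perimeter resource `egress_to` appears to be nested inside policy lists, so `d.GetChange` on these absolute keys would most likely never see the real values and the comparison could report "no change" for a genuine edit of a perimeter's allowed resources — confirm against the schema before wiring them anywhere, since a suppressed diff is drift that a plan will not show. If they are kept, fold them into one helper that takes the key so the two copies cannot diverge, as below. The identity-type suppressor deserves a comment stating that the rule is deliberately one-way, e.g. `// Only config IDENTITY_TYPE_UNSPECIFIED against an empty state value is suppressed; the reverse is treated as a real change (pinned by the unit test) — confirm this matches what the API returns for the zero enum value.`
```go
// resourcesDiffSuppress reports whether the old and new string lists stored at key
// are equal once sorted, so that reordering alone never produces a diff.
func resourcesDiffSuppress(key string, d *schema.ResourceData) bool {
	old, new := d.GetChange(key)

	oldResources, err := tpgresource.InterfaceSliceToStringSlice(old)
	if err != nil {
		log.Printf("[ERROR] Failed to convert config value: %s", err)
		return false
	}

	newResources, err := tpgresource.InterfaceSliceToStringSlice(new)
	if err != nil {
		log.Printf("[ERROR] Failed to convert config value: %s", err)
		return false
	}

	sort.Strings(oldResources)
	sort.Strings(newResources)

	return slices.Equal(oldResources, newResources)
}

func AccessContextManagerServicePerimeterEgressToResourcesDiffSupressFunc(_, _, _ string, d *schema.ResourceData) bool {
	return resourcesDiffSuppress("egress_to.0.resources", d)
}

func AccessContextManagerServicePerimeterIngressToResourcesDiffSupressFunc(_, _, _ string, d *schema.ResourceData) bool {
	return resourcesDiffSuppress("ingress_to.0.resources", d)
}

// … unchanged: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc …
```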

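--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go
@@ -75,6 +75,14 @@ func AccessContextManagerServicePerimeterDryRunEgressPolicyIngressToResourcesDif
 return slices.Equal(oldResources, newResources)
 }
 
+func AccessContextManagerServicePerimeterDryRunEgressPolicyIdentityTypeDiffSupressFunc(_, old, new string, _ *schema.ResourceData) bool {
+if old == "" && new == "IDENTITY_TYPE_UNSPECIFIED" {
+return true
+}
+
+return old == new
+}
+
 func ResourceAccessContextManagerServicePerimeterDryRunEgressPolicy() *schema.Resource {
 return &schema.Resource{
 Create: resourceAccessContextManagerServicePerimeterDryRunEgressPolicyCreate,
@@ -114,10 +122,11 @@ represent individual user or service account only.`,
 },
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ForceNew: true,
-ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access to outside the
 perimeter. If left unspecified, then members of 'identities' field will
 be allowed access. Possible values: ["ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,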
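Review bot: The new `AccessContextManagerServicePerimeterDryRunEgressPolicyIdentityTypeDiffSupressFunc` in the first hunk is never used: the `identity_type` field in the second hunk wires `DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc`, the copy that lives in the perimeter resource file, and the same dead copy is added in the dry-run ingress policy, egress policy and ingress policy files of this commit. Either point the field at the file-local function (`DiffSuppressFunc: AccessContextManagerServicePerimeterDryRunEgressPolicyIdentityTypeDiffSupressFunc,`) or drop the four copies and keep the single shared one; four identical exported functions backed by one unit test will drift apart. Note also that this resource's `ValidateFunc` does not accept `IDENTITY_TYPE_UNSPECIFIED`, so for a config value that passed validation the suppressor's only special case cannot fire here and the suppression reduces to `old == new`; if that is intended, a one-line comment on the field saying so would save the next reader the same investigation. Because the field is `ForceNew`, whatever diff is not suppressed replaces the whole policy, so the rule chosen here decides whether a spurious plan deletes and recreates an access policy rather than updating it in place.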

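--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy.go
@@ -75,6 +75,14 @@ func AccessContextManagerServicePerimeterDryRunIngressPolicyIngressToResourcesDi
 return slices.Equal(oldResources, newResources)
 }
 
+func AccessContextManagerServicePerimeterDryRunIngressPolicyIdentityTypeDiffSupressFunc(_, old, new string, _ *schema.ResourceData) bool {
+if old == "" && new == "IDENTITY_TYPE_UNSPECIFIED" {
+return true
+}
+
+return old == new
+}
+
 func ResourceAccessContextManagerServicePerimeterDryRunIngressPolicy() *schema.Resource {
 return &schema.Resource{
 Create: resourceAccessContextManagerServicePerimeterDryRunIngressPolicyCreate,
@@ -115,10 +123,11 @@ individual user or service account only.`,
 },
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ForceNew: true,
-ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access from outside the
 perimeter. If left unspecified, then members of 'identities' field will be
 allowed access. Possible values: ["ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,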

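--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go
@@ -75,6 +75,14 @@ func AccessContextManagerServicePerimeterEgressPolicyIngressToResourcesDiffSupre
 return slices.Equal(oldResources, newResources)
 }
 
+func AccessContextManagerServicePerimeterEgressPolicyIdentityTypeDiffSupressFunc(_, old, new string, _ *schema.ResourceData) bool {
+if old == "" && new == "IDENTITY_TYPE_UNSPECIFIED" {
+return true
+}
+
+return old == new
+}
+
 func ResourceAccessContextManagerServicePerimeterEgressPolicy() *schema.Resource {
 return &schema.Resource{
 Create: resourceAccessContextManagerServicePerimeterEgressPolicyCreate,
@@ -114,10 +122,11 @@ represent individual user or service account only.`,
 },
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ForceNew: true,
-ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access to outside the
 perimeter. If left unspecified, then members of 'identities' field will
 be allowed access. Possible values: ["ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,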

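--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_ingress_policy.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_ingress_policy.go
@@ -75,6 +75,14 @@ func AccessContextManagerServicePerimeterIngressPolicyIngressToResourcesDiffSupr
 return slices.Equal(oldResources, newResources)
 }
 
+func AccessContextManagerServicePerimeterIngressPolicyIdentityTypeDiffSupressFunc(_, old, new string, _ *schema.ResourceData) bool {
+if old == "" && new == "IDENTITY_TYPE_UNSPECIFIED" {
+return true
+}
+
+return old == new
+}
+
 func ResourceAccessContextManagerServicePerimeterIngressPolicy() *schema.Resource {
 return &schema.Resource{
 Create: resourceAccessContextManagerServicePerimeterIngressPolicyCreate,
@@ -115,10 +123,11 @@ individual user or service account only.`,
 },
 },
 "identity_type": {
-Type: schema.TypeString,
-Optional: true,
-ForceNew: true,
-ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+ValidateFunc: verify.ValidateEnum([]string{"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}),
+DiffSuppressFunc: AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc,
 Description: `Specifies the type of identities that are allowed access from outside the
 perimeter. If left unspecified, then members of 'identities' field will be
 allowed access. Possible values: ["ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`,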

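--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go
@@ -11,6 +11,7 @@ import (
 
 "github.com/hashicorp/terraform-provider-google/google/acctest"
 "github.com/hashicorp/terraform-provider-google/google/envvar"
+"github.com/hashicorp/terraform-provider-google/google/services/accesscontextmanager"
 "github.com/hashicorp/terraform-provider-google/google/tpgresource"
 transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
 )
@@ -411,3 +412,58 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 }
 `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
 }
+
+type IdentityTypeDiffSupressFuncDiffSuppressTestCase struct {
+Name string
+AreEqual bool
+Before string
+After string
+}
+
+var identityTypeDiffSuppressTestCases = []IdentityTypeDiffSupressFuncDiffSuppressTestCase{
+{
+AreEqual: false,
+Before: "A",
+After: "B",
+},
+{
+AreEqual: true,
+Before: "A",
+After: "A",
+},
+{
+AreEqual: false,
+Before: "",
+After: "A",
+},
+{
+AreEqual: false,
+Before: "A",
+After: "",
+},
+{
+AreEqual: true,
+Before: "",
+After: "IDENTITY_TYPE_UNSPECIFIED",
+},
+{
+AreEqual: false,
+Before: "IDENTITY_TYPE_UNSPECIFIED",
+After: "",
+},
+}
+
+func TestUnitAccessContextManagerServicePerimeter_identityTypeDiff(t *testing.T) {
+for _, tc := range identityTypeDiffSuppressTestCases {
+tc.Test(t)
+}
+}
+
+func (tc *IdentityTypeDiffSupressFuncDiffSuppressTestCase) Test(t *testing.T) {
+actual := accesscontextmanager.AccessContextManagerServicePerimeterIdentityTypeDiffSupressFunc("", tc.Before, tc.After, nil)
+if actual != tc.AreEqual {
+t.Errorf(
+"Unexpected difference found. Before: \"%s\", after: \"%s\", actual: %t, expected: %t",
+tc.Before, tc.After, actual, tc.AreEqual)
+}
+}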
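Review bot: `Name` is declared on `IdentityTypeDiffSupressFuncDiffSuppressTestCase` in the second hunk but never populated or reported, so a failing case is identified only by its Before/After pair; either drop the field or name each case and run it as a subtest, `t.Run(tc.Name, func(t *testing.T) { tc.Test(t) })`, so a single failure is addressable by name. The error message hand-quotes with `\"%s\"`; `%q` does that for you and also keeps an empty value visible, e.g. `t.Errorf("identity_type diff suppress: before %q, after %q: got %t, want %t", tc.Before, tc.After, actual, tc.AreEqual)`. The table exercises only the shared perimeter-resource function; the four per-policy copies of the same function that this commit adds in the policy files have no coverage, which is acceptable only if they are removed or the schema fields are switched to call them.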
