Create a terraform resource for the Fleet RBACRolebindingActuation Feature for supporting custom roles in scope RBACRoleBindings (#14046) (#23102)

[upstream:62b710d65caa332fcf3c61d33c46508d20c4e662]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14046.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+gkehub2: added field `spec.rbacrolebindingactuation` to resource `google_gke_hub_feature`
+```

google/services/gkehub2/resource_gke_hub_feature.go

@@ -640,6 +640,24 @@ Please refer to the field 'effective_labels' for all of the labels present on th
 								},
 							},
 						},
+						"rbacrolebindingactuation": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `RBACRolebinding Actuation feature spec.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"allowed_custom_roles": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: `The list of allowed custom roles (ClusterRoles). If a custom role is not part of this list, it cannot be used in a fleet scope RBACRoleBinding. If a custom role in this list is in use, it cannot be removed from the list until the scope RBACRolebindings using it are deleted.`,
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -781,6 +799,31 @@ func resourceGKEHub2FeatureCreate(d *schema.ResourceData, meta interface{}) erro
 	}
 
 	headers := make(http.Header)
+	// Check if the fleet feature already exists. Do an update if so.
+
+	getUrl, err := tpgresource.ReplaceVars(d, config, "{{GKEHub2BasePath}}projects/{{project}}/locations/{{location}}/features/{{name}}")
+	if err != nil {
+		return err
+	}
+	_, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "GET",
+		Project:   billingProject,
+		RawURL:    getUrl,
+		UserAgent: userAgent,
+		Headers:   headers,
+	})
+
+	if err == nil {
+		// Fleet feature already exists
+		log.Printf("[DEBUG] Fleet feature already exists %s", d.Get("name"))
+		id, err := tpgresource.ReplaceVars(d, config, "projects/{{project}}/locations/{{location}}/features/{{name}}")
+		if err != nil {
+			return fmt.Errorf("Error constructing id: %s", err)
+		}
+		d.SetId(id)
+		return resourceGKEHub2FeatureUpdate(d, meta)
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "POST",
@@ -1019,6 +1062,61 @@ func resourceGKEHub2FeatureDelete(d *schema.ResourceData, meta interface{}) erro
 	}
 
 	headers := make(http.Header)
+	// Special handling for the mandatory 'rbacrolebindingactuation' feature.
+	// Instead of deleting it, we reset it to a default state by sending a PATCH request.
+	if d.Get("name").(string) == "rbacrolebindingactuation" {
+		log.Printf("[DEBUG] Mandatory feature 'rbacrolebindingactuation' detected. Resetting instead of deleting.")
+
+		patchUrl, err := tpgresource.ReplaceVarsForId(d, config, "{{GKEHub2BasePath}}projects/{{project}}/locations/{{location}}/features/{{name}}")
+		if err != nil {
+			return err
+		}
+
+		// Construct the request body to clear the desired field.
+		obj := map[string]interface{}{
+			"spec": map[string]interface{}{
+				"rbacrolebindingactuation": map[string]interface{}{
+					"allowedCustomRoles": []string{},
+				},
+			},
+		}
+
+		// A specific updateMask is required for a PATCH request.
+		updateMask := "spec.rbacrolebindingactuation.allowedCustomRoles"
+		url, err := transport_tpg.AddQueryParams(patchUrl, map[string]string{"updateMask": updateMask})
+		if err != nil {
+			return err
+		}
+
+		log.Printf("[DEBUG] Sending PATCH to reset Feature %q: %#v", d.Id(), obj)
+
+		// Send the raw PATCH request.
+		res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+			Config:    config,
+			Method:    "PATCH",
+			Project:   billingProject,
+			RawURL:    url,
+			UserAgent: userAgent,
+			Body:      obj,
+			Timeout:   d.Timeout(schema.TimeoutDelete), // Use the delete timeout for this reset operation.
+			Headers:   headers,
+		})
+		if err != nil {
+			return fmt.Errorf("error resetting Feature %q: %s", d.Id(), err)
+		}
+
+		// Wait for the long-running operation to complete.
+		err = GKEHub2OperationWaitTime(
+			config, res, tpgresource.GetResourceNameFromSelfLink(project), "Resetting Feature", userAgent,
+			d.Timeout(schema.TimeoutDelete))
+
+		if err != nil {
+			return fmt.Errorf("error waiting to reset Feature %q: %s", d.Id(), err)
+		}
+
+		log.Printf("[DEBUG] Finished resetting Feature %q", d.Id())
+		return nil
+	}
 
 	log.Printf("[DEBUG] Deleting Feature %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
@@ -1120,6 +1218,8 @@ func flattenGKEHub2FeatureSpec(v interface{}, d *schema.ResourceData, config *tr
 		flattenGKEHub2FeatureSpecFleetobservability(original["fleetobservability"], d, config)
 	transformed["clusterupgrade"] =
 		flattenGKEHub2FeatureSpecClusterupgrade(original["clusterupgrade"], d, config)
+	transformed["rbacrolebindingactuation"] =
+		flattenGKEHub2FeatureSpecRbacrolebindingactuation(original["rbacrolebindingactuation"], d, config)
 	return []interface{}{transformed}
 }
 func flattenGKEHub2FeatureSpecMulticlusteringress(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -1298,6 +1398,23 @@ func flattenGKEHub2FeatureSpecClusterupgradeGkeUpgradeOverridesPostConditionsSoa
 	return v
 }
 
+func flattenGKEHub2FeatureSpecRbacrolebindingactuation(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["allowed_custom_roles"] =
+		flattenGKEHub2FeatureSpecRbacrolebindingactuationAllowedCustomRoles(original["allowedCustomRoles"], d, config)
+	return []interface{}{transformed}
+}
+func flattenGKEHub2FeatureSpecRbacrolebindingactuationAllowedCustomRoles(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenGKEHub2FeatureFleetDefaultMemberConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return nil
@@ -1914,6 +2031,13 @@ func expandGKEHub2FeatureSpec(v interface{}, d tpgresource.TerraformResourceData
 		transformed["clusterupgrade"] = transformedClusterupgrade
 	}
 
+	transformedRbacrolebindingactuation, err := expandGKEHub2FeatureSpecRbacrolebindingactuation(original["rbacrolebindingactuation"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedRbacrolebindingactuation); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["rbacrolebindingactuation"] = transformedRbacrolebindingactuation
+	}
+
 	return transformed, nil
 }
 
@@ -2177,6 +2301,29 @@ func expandGKEHub2FeatureSpecClusterupgradeGkeUpgradeOverridesPostConditionsSoak
 	return v, nil
 }
 
+func expandGKEHub2FeatureSpecRbacrolebindingactuation(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedAllowedCustomRoles, err := expandGKEHub2FeatureSpecRbacrolebindingactuationAllowedCustomRoles(original["allowed_custom_roles"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAllowedCustomRoles); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["allowedCustomRoles"] = transformedAllowedCustomRoles
+	}
+
+	return transformed, nil
+}
+
+func expandGKEHub2FeatureSpecRbacrolebindingactuationAllowedCustomRoles(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandGKEHub2FeatureFleetDefaultMemberConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {

google/services/gkehub2/resource_gke_hub_feature_generated_meta.yaml

@@ -70,6 +70,7 @@ fields:
   - field: 'spec.fleetobservability.logging_config.default_config.mode'
   - field: 'spec.fleetobservability.logging_config.fleet_scope_logs_config.mode'
   - field: 'spec.multiclusteringress.config_membership'
+  - field: 'spec.rbacrolebindingactuation.allowed_custom_roles'
   - field: 'state.state.code'
   - field: 'state.state.description'
   - field: 'state.state.update_time'

google/services/gkehub2/resource_gke_hub_feature_test.go

@@ -934,6 +934,76 @@ resource "google_gke_hub_feature" "feature" {
 `, context)
 }
 
+func TestAccGKEHubFeature_Rbacrolebindingactuation(t *testing.T) {
+	// VCR fails to handle batched project services
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix":   acctest.RandString(t, 10),
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckGKEHubFeatureDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGKEHubFeature_Rbacrolebindingactuation(context),
+			},
+			{
+				ResourceName:            "google_gke_hub_feature.feature",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"project", "labels", "terraform_labels"},
+			},
+			{
+				Config: testAccGKEHubFeature_RbacrolebindingactuationUpdate(context),
+			},
+			{
+				ResourceName:            "google_gke_hub_feature.feature",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccGKEHubFeature_Rbacrolebindingactuation(context map[string]interface{}) string {
+	return gkeHubFeatureProjectSetupForGA(context) + acctest.Nprintf(`
+resource "google_gke_hub_feature" "feature" {
+  name = "rbacrolebindingactuation"
+  location = "global"
+  spec {
+    rbacrolebindingactuation {
+	allowed_custom_roles = ["custom-role1","custom-role2","custom-role3"]
+    }
+  }
+  depends_on = [google_project_service.anthos, google_project_service.gkehub]
+  project = google_project.project.project_id
+}
+`, context)
+}
+
+func testAccGKEHubFeature_RbacrolebindingactuationUpdate(context map[string]interface{}) string {
+	return gkeHubFeatureProjectSetupForGA(context) + acctest.Nprintf(`
+resource "google_gke_hub_feature" "feature" {
+  name = "rbacrolebindingactuation"
+  location = "global"
+  spec {
+    rbacrolebindingactuation {
+	allowed_custom_roles = ["custom-role1","custom-role2","custom-role3","custom-role4"]
+    }
+  }
+  depends_on = [google_project_service.anthos, google_project_service.gkehub]
+  project = google_project.project.project_id
+}
+`, context)
+}
+
 func gkeHubFeatureProjectSetupForGA(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_project" "project" {

website/docs/r/gke_hub_feature.html.markdown

@@ -301,6 +301,20 @@ resource "google_gke_hub_feature" "feature" {
   }
 }
 ```
+## Example Usage - Gkehub Feature Rbacrolebinding Actuation
+
+
+```hcl
+resource "google_gke_hub_feature" "feature" {
+  name = "rbacrolebindingactuation"
+  location = "global"
+  spec {
+    rbacrolebindingactuation {
+      allowed_custom_roles = ["custom-role1","custom-role2","custom-role3"]
+    }
+  }
+}
+```
 
 ## Argument Reference
 
@@ -356,6 +370,11 @@ The following arguments are supported:
   Clusterupgrade feature spec.
   Structure is [documented below](#nested_spec_clusterupgrade).
 
+* `rbacrolebindingactuation` -
+  (Optional)
+  RBACRolebinding Actuation feature spec.
+  Structure is [documented below](#nested_spec_rbacrolebindingactuation).
+
 
 <a name="nested_spec_multiclusteringress"></a>The `multiclusteringress` block supports:
 
@@ -450,6 +469,12 @@ The following arguments are supported:
   (Required)
   Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days.
 
+<a name="nested_spec_rbacrolebindingactuation"></a>The `rbacrolebindingactuation` block supports:
+
+* `allowed_custom_roles` -
+  (Optional)
+  The list of allowed custom roles (ClusterRoles). If a custom role is not part of this list, it cannot be used in a fleet scope RBACRoleBinding. If a custom role in this list is in use, it cannot be removed from the list until the scope RBACRolebindings using it are deleted.
+
 <a name="nested_fleet_default_member_config"></a>The `fleet_default_member_config` block supports:
 
 * `mesh` -