feat: added disabled_user_signup and disabled_user_deletion to google_identity_platform_tenant (#12841) (#21983)

[upstream:476221cc05616630037f9b592855caf18eced4d7]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12841.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+identityplatform: added `disabled_user_signup` and `disabled_user_deletion` to `google_identity_platform_tenant`
+```

google/services/identityplatform/resource_identity_platform_tenant.go

@@ -66,6 +66,36 @@ func ResourceIdentityPlatformTenant() *schema.Resource {
 				Optional:    true,
 				Description: `Whether to allow email/password user authentication.`,
 			},
+			"client": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `Options related to how clients making requests on behalf of a tenant should be configured.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"permissions": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `Configuration related to restricting a user's ability to affect their account.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"disabled_user_deletion": {
+										Type:        schema.TypeBool,
+										Optional:    true,
+										Description: `When true, end users cannot delete their account on the associated project through any of our API methods.`,
+									},
+									"disabled_user_signup": {
+										Type:        schema.TypeBool,
+										Optional:    true,
+										Description: `When true, end users cannot sign up for a new account on the associated project through any of our API methods.`,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			"disable_auth": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -126,6 +156,12 @@ func resourceIdentityPlatformTenantCreate(d *schema.ResourceData, meta interface
 	} else if v, ok := d.GetOkExists("disable_auth"); !tpgresource.IsEmptyValue(reflect.ValueOf(disableAuthProp)) && (ok || !reflect.DeepEqual(v, disableAuthProp)) {
 		obj["disableAuth"] = disableAuthProp
 	}
+	clientProp, err := expandIdentityPlatformTenantClient(d.Get("client"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("client"); !tpgresource.IsEmptyValue(reflect.ValueOf(clientProp)) && (ok || !reflect.DeepEqual(v, clientProp)) {
+		obj["client"] = clientProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{IdentityPlatformBasePath}}projects/{{project}}/tenants")
 	if err != nil {
@@ -248,6 +284,9 @@ func resourceIdentityPlatformTenantRead(d *schema.ResourceData, meta interface{}
 	if err := d.Set("disable_auth", flattenIdentityPlatformTenantDisableAuth(res["disableAuth"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Tenant: %s", err)
 	}
+	if err := d.Set("client", flattenIdentityPlatformTenantClient(res["client"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Tenant: %s", err)
+	}
 
 	return nil
 }
@@ -292,6 +331,12 @@ func resourceIdentityPlatformTenantUpdate(d *schema.ResourceData, meta interface
 	} else if v, ok := d.GetOkExists("disable_auth"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, disableAuthProp)) {
 		obj["disableAuth"] = disableAuthProp
 	}
+	clientProp, err := expandIdentityPlatformTenantClient(d.Get("client"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("client"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, clientProp)) {
+		obj["client"] = clientProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{IdentityPlatformBasePath}}projects/{{project}}/tenants/{{name}}")
 	if err != nil {
@@ -317,6 +362,10 @@ func resourceIdentityPlatformTenantUpdate(d *schema.ResourceData, meta interface
 	if d.HasChange("disable_auth") {
 		updateMask = append(updateMask, "disableAuth")
 	}
+
+	if d.HasChange("client") {
+		updateMask = append(updateMask, "client")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -444,6 +493,42 @@ func flattenIdentityPlatformTenantDisableAuth(v interface{}, d *schema.ResourceD
 	return v
 }
 
+func flattenIdentityPlatformTenantClient(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["permissions"] =
+		flattenIdentityPlatformTenantClientPermissions(original["permissions"], d, config)
+	return []interface{}{transformed}
+}
+func flattenIdentityPlatformTenantClientPermissions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["disabled_user_signup"] =
+		flattenIdentityPlatformTenantClientPermissionsDisabledUserSignup(original["disabledUserSignup"], d, config)
+	transformed["disabled_user_deletion"] =
+		flattenIdentityPlatformTenantClientPermissionsDisabledUserDeletion(original["disabledUserDeletion"], d, config)
+	return []interface{}{transformed}
+}
+func flattenIdentityPlatformTenantClientPermissionsDisabledUserSignup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenIdentityPlatformTenantClientPermissionsDisabledUserDeletion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandIdentityPlatformTenantDisplayName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -459,3 +544,56 @@ func expandIdentityPlatformTenantEnableEmailLinkSignin(v interface{}, d tpgresou
 func expandIdentityPlatformTenantDisableAuth(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandIdentityPlatformTenantClient(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedPermissions, err := expandIdentityPlatformTenantClientPermissions(original["permissions"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPermissions); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["permissions"] = transformedPermissions
+	}
+
+	return transformed, nil
+}
+
+func expandIdentityPlatformTenantClientPermissions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedDisabledUserSignup, err := expandIdentityPlatformTenantClientPermissionsDisabledUserSignup(original["disabled_user_signup"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedDisabledUserSignup); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["disabledUserSignup"] = transformedDisabledUserSignup
+	}
+
+	transformedDisabledUserDeletion, err := expandIdentityPlatformTenantClientPermissionsDisabledUserDeletion(original["disabled_user_deletion"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedDisabledUserDeletion); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["disabledUserDeletion"] = transformedDisabledUserDeletion
+	}
+
+	return transformed, nil
+}
+
+func expandIdentityPlatformTenantClientPermissionsDisabledUserSignup(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandIdentityPlatformTenantClientPermissionsDisabledUserDeletion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}

google/services/identityplatform/resource_identity_platform_tenant_generated_meta.yaml

@@ -6,6 +6,8 @@ api_version: 'v2'
 api_resource_type_kind: 'Tenant'
 fields:
   - field: 'allow_password_signup'
+  - field: 'client.permissions.disabled_user_deletion'
+  - field: 'client.permissions.disabled_user_signup'
   - field: 'disable_auth'
   - field: 'display_name'
   - field: 'enable_email_link_signin'

google/services/identityplatform/resource_identity_platform_tenant_test.go

@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
 )
 
@@ -31,6 +32,11 @@ func TestAccIdentityPlatformTenant_identityPlatformTenantUpdate(t *testing.T) {
 			},
 			{
 				Config: testAccIdentityPlatformTenant_identityPlatformTenantUpdate(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_identity_platform_tenant.tenant", plancheck.ResourceActionUpdate),
+					},
+				},
 			},
 			{
 				ResourceName:      "google_identity_platform_tenant.tenant",
@@ -57,6 +63,12 @@ resource "google_identity_platform_tenant" "tenant" {
   allow_password_signup    = false
   enable_email_link_signin = true
   disable_auth             = true
+  client {
+    permissions {
+      disabled_user_signup   = true
+      disabled_user_deletion = true
+    }
+  }
 }
 `, context)
 }

website/docs/r/identity_platform_tenant.html.markdown

@@ -74,10 +74,33 @@ The following arguments are supported:
   the disabled tenant are not allowed to sign-in. Admins of the disabled tenant
   are not able to manage its users.
 
+* `client` -
+  (Optional)
+  Options related to how clients making requests on behalf of a tenant should be configured.
+  Structure is [documented below](#nested_client).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
 
+<a name="nested_client"></a>The `client` block supports:
+
+* `permissions` -
+  (Optional)
+  Configuration related to restricting a user's ability to affect their account.
+  Structure is [documented below](#nested_client_permissions).
+
+
+<a name="nested_client_permissions"></a>The `permissions` block supports:
+
+* `disabled_user_signup` -
+  (Optional)
+  When true, end users cannot sign up for a new account on the associated project through any of our API methods.
+
+* `disabled_user_deletion` -
+  (Optional)
+  When true, end users cannot delete their account on the associated project through any of our API methods.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: