public/terraform-provider-google
0
0
Fork 0
mirror of https://github.com/letic/terraform-provider-google.git synced 2024-07-08 19:18:30 +00:00
Code Issues Projects Releases Wiki Activity
3a945770e5
terraform-provider-google/google/resource_google_project_iam_binding.go

184 lines
4.5 KiB
Go
Raw Normal View History

Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
package google
import (
"fmt"
"log"
"github.com/hashicorp/terraform/helper/schema"
"google.golang.org/api/cloudresourcemanager/v1"
)
func resourceGoogleProjectIamBinding() *schema.Resource {
return &schema.Resource{
Create: resourceGoogleProjectIamBindingCreate,
Read: resourceGoogleProjectIamBindingRead,
Update: resourceGoogleProjectIamBindingUpdate,
Delete: resourceGoogleProjectIamBindingDelete,
Schema: map[string]*schema.Schema{
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that.
2017-07-27 20:39:23 +00:00
"project": {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that.
2017-07-27 20:39:23 +00:00
"role": {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
Type: schema.TypeString,
Required: true,
Fix reads, make ForceNew. Changing the role is ForceNew, because the role is part of the ID. Make reads go through to the Binding functions, not the Policy functions. That's embarrassing.
2017-07-04 02:36:55 +00:00
ForceNew: true,
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
},
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that.
2017-07-27 20:39:23 +00:00
"members": {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
Type: schema.TypeSet,
Required: true,
Return a type that was needed, rename a test function. Tests need to have unique names. Whoooops. Also, the Elem property accepts an interface I guess, which means we actually need the struct type repetition there.
2017-07-27 21:11:52 +00:00
Elem: &schema.Schema{
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
Type: schema.TypeString,
},
},
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that.
2017-07-27 20:39:23 +00:00
"etag": {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
Type: schema.TypeString,
Computed: true,
},
},
}
}
func resourceGoogleProjectIamBindingCreate(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
pid, err := getProject(d, config)
if err != nil {
return err
}
// Get the binding in the template
log.Println("[DEBUG]: Reading google_project_iam_binding")
p := getResourceIamBinding(d)
mutexKV.Lock(projectIamBindingMutexKey(pid, p.Role))
defer mutexKV.Unlock(projectIamBindingMutexKey(pid, p.Role))
Create an iam policy read/modify/write helper. We were repeating that logic a lot, so this helper just reads a policy, calls the passed modify function on the policy, then writes the policy back and takes care of the optimistic concurrency logic for the caller. So now all the caller has to do is the unique part, which is the modify function.
2017-07-25 18:43:49 +00:00
err = projectIamPolicyReadModifyWrite(d, config, pid, func(ep *cloudresourcemanager.Policy) error {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
// Merge the bindings together
ep.Bindings = mergeBindings(append(ep.Bindings, p))
Create an iam policy read/modify/write helper. We were repeating that logic a lot, so this helper just reads a policy, calls the passed modify function on the policy, then writes the policy back and takes care of the optimistic concurrency logic for the caller. So now all the caller has to do is the unique part, which is the modify function.
2017-07-25 18:43:49 +00:00
return nil
})
if err != nil {
return err
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
Switch to / as separator. Switch to using / as a separator for IDs, instead of :.
2017-07-27 20:50:31 +00:00
d.SetId(pid + "/" + p.Role)
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
return resourceGoogleProjectIamBindingRead(d, meta)
}
func resourceGoogleProjectIamBindingRead(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
pid, err := getProject(d, config)
if err != nil {
return err
}
eBinding := getResourceIamBinding(d)
log.Println("[DEBUG]: Retrieving policy for project", pid)
p, err := getProjectIamPolicy(pid, config)
if err != nil {
return err
}
log.Printf("[DEBUG]: Retrieved policy for project %q: %+v\n", pid, p)
var binding *cloudresourcemanager.Binding
for _, b := range p.Bindings {
if b.Role != eBinding.Role {
continue
}
binding = b
break
}
if binding == nil {
Add logging statements, update : to / in IDs. Update member IDs to use / instead of :. Make sure we're logging any time we remove something from state.
2017-07-27 21:01:47 +00:00
log.Printf("[DEBUG]: Binding for role %q not found in policy for %q, removing from state file.\n", eBinding.Role, pid)
Remove ID when binding isn't found. It shouldn't be an error, we should just remove that binding from state.
2017-07-04 03:50:25 +00:00
d.SetId("")
return nil
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
d.Set("etag", p.Etag)
d.Set("members", binding.Members)
d.Set("role", binding.Role)
return nil
}
func resourceGoogleProjectIamBindingUpdate(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
pid, err := getProject(d, config)
if err != nil {
return err
}
binding := getResourceIamBinding(d)
mutexKV.Lock(projectIamBindingMutexKey(pid, binding.Role))
defer mutexKV.Unlock(projectIamBindingMutexKey(pid, binding.Role))
Create an iam policy read/modify/write helper. We were repeating that logic a lot, so this helper just reads a policy, calls the passed modify function on the policy, then writes the policy back and takes care of the optimistic concurrency logic for the caller. So now all the caller has to do is the unique part, which is the modify function.
2017-07-25 18:43:49 +00:00
err = projectIamPolicyReadModifyWrite(d, config, pid, func(p *cloudresourcemanager.Policy) error {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
var found bool
for pos, b := range p.Bindings {
if b.Role != binding.Role {
continue
}
found = true
p.Bindings[pos] = binding
break
}
if !found {
p.Bindings = append(p.Bindings, binding)
}
Create an iam policy read/modify/write helper. We were repeating that logic a lot, so this helper just reads a policy, calls the passed modify function on the policy, then writes the policy back and takes care of the optimistic concurrency logic for the caller. So now all the caller has to do is the unique part, which is the modify function.
2017-07-25 18:43:49 +00:00
return nil
})
if err != nil {
return err
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
Fix reads, make ForceNew. Changing the role is ForceNew, because the role is part of the ID. Make reads go through to the Binding functions, not the Policy functions. That's embarrassing.
2017-07-04 02:36:55 +00:00
return resourceGoogleProjectIamBindingRead(d, meta)
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
func resourceGoogleProjectIamBindingDelete(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
pid, err := getProject(d, config)
if err != nil {
return err
}
binding := getResourceIamBinding(d)
mutexKV.Lock(projectIamBindingMutexKey(pid, binding.Role))
defer mutexKV.Unlock(projectIamBindingMutexKey(pid, binding.Role))
Create an iam policy read/modify/write helper. We were repeating that logic a lot, so this helper just reads a policy, calls the passed modify function on the policy, then writes the policy back and takes care of the optimistic concurrency logic for the caller. So now all the caller has to do is the unique part, which is the modify function.
2017-07-25 18:43:49 +00:00
err = projectIamPolicyReadModifyWrite(d, config, pid, func(p *cloudresourcemanager.Policy) error {
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
toRemove := -1
for pos, b := range p.Bindings {
if b.Role != binding.Role {
continue
}
toRemove = pos
break
}
if toRemove < 0 {
Don't set IDs in RMW loops. We don't need to set the ID to "" in read-modify-write helpers, because once they're done, we read anyways to update state based on the changes. And that read checks if the binding/member still exists, and does the SetId("") if it doesn't. This way, we stick with state only getting set based on the API state, not by what we think the state will be.
2017-07-27 21:29:25 +00:00
log.Printf("[DEBUG]: Policy bindings for project %q did not include a binding for role %q", pid, binding.Role)
Just remove deleted bindings not present in the API. We can just set the ID of bindings that are scheduled to be deleted but don't exist in the API, we don't need an entire separate read request.
2017-07-25 18:12:15 +00:00
return nil
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
p.Bindings = append(p.Bindings[:toRemove], p.Bindings[toRemove+1:]...)
Create an iam policy read/modify/write helper. We were repeating that logic a lot, so this helper just reads a policy, calls the passed modify function on the policy, then writes the policy back and takes care of the optimistic concurrency logic for the caller. So now all the caller has to do is the unique part, which is the modify function.
2017-07-25 18:43:49 +00:00
return nil
})
if err != nil {
return err
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
Fix reads, make ForceNew. Changing the role is ForceNew, because the role is part of the ID. Make reads go through to the Binding functions, not the Policy functions. That's embarrassing.
2017-07-04 02:36:55 +00:00
return resourceGoogleProjectIamBindingRead(d, meta)
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
}
// Get a cloudresourcemanager.Binding from a schema.ResourceData
func getResourceIamBinding(d *schema.ResourceData) *cloudresourcemanager.Binding {
members := d.Get("members").(*schema.Set).List()
return &cloudresourcemanager.Binding{
Use string slice conversion helper.
2017-07-25 18:52:38 +00:00
Members: convertStringArr(members),
Add google_project_iam_binding resource. Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2017-07-04 02:01:08 +00:00
Role: d.Get("role").(string),
}
}
func projectIamBindingMutexKey(pid, role string) string {
return fmt.Sprintf("google-project-iam-binding-%s-%s", pid, role)
}
Reference in New Issue Copy Permalink