Merge pull request #1386 from terraform-providers/paddy_spanner_database_iam

Add IAM resources for Spanner databases.
2024-10-01 16:21:06 +00:00 · 2018-05-02 11:35:59 -07:00 · 2018-05-02 11:35:59 -07:00 · 008316fcd8
commit 008316fcd8
parent 363f85a057 fa7b326792
5 changed files with 529 additions and 4 deletions
--- a/google/iam_spanner_database.go
+++ b/google/iam_spanner_database.go
@ -0,0 +1,141 @@
+package google
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/terraform/helper/schema"
+	"google.golang.org/api/cloudresourcemanager/v1"
+	spanner "google.golang.org/api/spanner/v1"
+)
+
+var IamSpannerDatabaseSchema = map[string]*schema.Schema{
+	"instance": {
+		Type:     schema.TypeString,
+		Required: true,
+		ForceNew: true,
+	},
+	"database": {
+		Type:     schema.TypeString,
+		Required: true,
+		ForceNew: true,
+	},
+
+	"project": {
+		Type:     schema.TypeString,
+		Optional: true,
+		Computed: true,
+		ForceNew: true,
+	},
+}
+
+type SpannerDatabaseIamUpdater struct {
+	project  string
+	instance string
+	database string
+	Config   *Config
+}
+
+func NewSpannerDatabaseIamUpdater(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) {
+	project, err := getProject(d, config)
+	if err != nil {
+		return nil, err
+	}
+
+	return &SpannerDatabaseIamUpdater{
+		project:  project,
+		instance: d.Get("instance").(string),
+		database: d.Get("database").(string),
+		Config:   config,
+	}, nil
+}
+
+func SpannerDatabaseIdParseFunc(d *schema.ResourceData, config *Config) error {
+	id, err := extractSpannerDatabaseId(d.Id())
+	if err != nil {
+		return err
+	}
+	d.Set("instance", id.Instance)
+	d.Set("project", id.Project)
+	d.Set("database", id.Database)
+
+	// Explicitly set the id so imported resources have the same ID format as non-imported ones.
+	d.SetId(id.terraformId())
+	return nil
+}
+
+func (u *SpannerDatabaseIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
+	p, err := u.Config.clientSpanner.Projects.Instances.Databases.GetIamPolicy(spannerDatabaseId{
+		Project:  u.project,
+		Database: u.database,
+		Instance: u.instance,
+	}.databaseUri(), &spanner.GetIamPolicyRequest{}).Do()
+
+	if err != nil {
+		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
+	}
+
+	cloudResourcePolicy, err := spannerToResourceManagerPolicy(p)
+
+	if err != nil {
+		return nil, errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
+	}
+
+	return cloudResourcePolicy, nil
+}
+
+func (u *SpannerDatabaseIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
+	spannerPolicy, err := resourceManagerToSpannerPolicy(policy)
+
+	if err != nil {
+		return errwrap.Wrapf(fmt.Sprintf("Invalid IAM policy for %s: {{err}}", u.DescribeResource()), err)
+	}
+
+	_, err = u.Config.clientSpanner.Projects.Instances.Databases.SetIamPolicy(spannerDatabaseId{
+		Project:  u.project,
+		Database: u.database,
+		Instance: u.instance,
+	}.databaseUri(), &spanner.SetIamPolicyRequest{
+		Policy: spannerPolicy,
+	}).Do()
+
+	if err != nil {
+		return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err)
+	}
+
+	return nil
+}
+
+func (u *SpannerDatabaseIamUpdater) GetResourceId() string {
+	return spannerDatabaseId{
+		Project:  u.project,
+		Instance: u.instance,
+		Database: u.database,
+	}.terraformId()
+}
+
+func (u *SpannerDatabaseIamUpdater) GetMutexKey() string {
+	return fmt.Sprintf("iam-spanner-database-%s-%s-%s", u.project, u.instance, u.database)
+}
+
+func (u *SpannerDatabaseIamUpdater) DescribeResource() string {
+	return fmt.Sprintf("Spanner Database: %s/%s/%s", u.project, u.instance, u.database)
+}
+
+func resourceManagerToSpannerPolicy(p *cloudresourcemanager.Policy) (*spanner.Policy, error) {
+	out := &spanner.Policy{}
+	err := Convert(p, out)
+	if err != nil {
+		return nil, errwrap.Wrapf("Cannot convert a resourcemanager policy to a spanner policy: {{err}}", err)
+	}
+	return out, nil
+}
+
+func spannerToResourceManagerPolicy(p *spanner.Policy) (*cloudresourcemanager.Policy, error) {
+	out := &cloudresourcemanager.Policy{}
+	err := Convert(p, out)
+	if err != nil {
+		return nil, errwrap.Wrapf("Cannot convert a spanner policy to a resourcemanager policy: {{err}}", err)
+	}
+	return out, nil
+}
--- a/google/provider.go
+++ b/google/provider.go
@ -169,6 +169,9 @@ func Provider() terraform.ResourceProvider {
 				"google_sourcerepo_repository":                 resourceSourceRepoRepository(),
 				"google_spanner_instance":                      resourceSpannerInstance(),
 				"google_spanner_database":                      resourceSpannerDatabase(),
+				"google_spanner_database_iam_binding":          ResourceIamBindingWithImport(IamSpannerDatabaseSchema, NewSpannerDatabaseIamUpdater, SpannerDatabaseIdParseFunc),
+				"google_spanner_database_iam_member":           ResourceIamMemberWithImport(IamSpannerDatabaseSchema, NewSpannerDatabaseIamUpdater, SpannerDatabaseIdParseFunc),
+				"google_spanner_database_iam_policy":           ResourceIamPolicyWithImport(IamSpannerDatabaseSchema, NewSpannerDatabaseIamUpdater, SpannerDatabaseIdParseFunc),
 				"google_sql_database":                          resourceSqlDatabase(),
 				"google_sql_database_instance":                 resourceSqlDatabaseInstance(),
 				"google_sql_user":                              resourceSqlUser(),
--- a/google/resource_spanner_database_iam_test.go
+++ b/google/resource_spanner_database_iam_test.go
@ -0,0 +1,246 @@
+package google
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccSpannerDatabaseIamBinding(t *testing.T) {
+	t.Parallel()
+
+	account := acctest.RandomWithPrefix("tf-test")
+	role := "roles/spanner.databaseAdmin"
+	project := getTestProjectFromEnv()
+	database := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+	instance := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSpannerDatabaseIamBinding_basic(account, instance, database, role),
+			},
+			resource.TestStep{
+				ResourceName: "google_spanner_database_iam_binding.foo",
+				ImportStateId: fmt.Sprintf("%s %s", spannerDatabaseId{
+					Project:  project,
+					Instance: instance,
+					Database: database,
+				}.terraformId(), role),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// Test Iam Binding update
+				Config: testAccSpannerDatabaseIamBinding_update(account, instance, database, role),
+			},
+			resource.TestStep{
+				ResourceName: "google_spanner_database_iam_binding.foo",
+				ImportStateId: fmt.Sprintf("%s %s", spannerDatabaseId{
+					Project:  project,
+					Instance: instance,
+					Database: database,
+				}.terraformId(), role),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccSpannerDatabaseIamMember(t *testing.T) {
+	t.Parallel()
+
+	project := getTestProjectFromEnv()
+	account := acctest.RandomWithPrefix("tf-test")
+	role := "roles/spanner.databaseAdmin"
+	database := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+	instance := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				// Test Iam Member creation (no update for member, no need to test)
+				Config: testAccSpannerDatabaseIamMember_basic(account, instance, database, role),
+			},
+			resource.TestStep{
+				ResourceName: "google_spanner_database_iam_member.foo",
+				ImportStateId: fmt.Sprintf("%s %s serviceAccount:%s@%s.iam.gserviceaccount.com", spannerDatabaseId{
+					Instance: instance,
+					Database: database,
+					Project:  project,
+				}.terraformId(), role, account, project),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccSpannerDatabaseIamPolicy(t *testing.T) {
+	t.Parallel()
+
+	project := getTestProjectFromEnv()
+	account := acctest.RandomWithPrefix("tf-test")
+	role := "roles/spanner.databaseAdmin"
+	database := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+	instance := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSpannerDatabaseIamPolicy_basic(account, instance, database, role),
+			},
+			// Test a few import formats
+			resource.TestStep{
+				ResourceName: "google_spanner_database_iam_policy.foo",
+				ImportStateId: fmt.Sprintf("%s", spannerDatabaseId{
+					Instance: instance,
+					Database: database,
+					Project:  project,
+				}.terraformId()),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccSpannerDatabaseIamBinding_basic(account, instance, database, roleId string) string {
+	return fmt.Sprintf(`
+resource "google_service_account" "test_account" {
+  account_id   = "%s"
+  display_name = "Spanner Iam Testing Account"
+}
+
+resource "google_spanner_instance" "instance" {
+  name         = "%s"
+  config       = "regional-us-central1"
+  display_name = "%s"
+  num_nodes    = 1
+}
+
+resource "google_spanner_database" "database" {
+  instance = "${google_spanner_instance.instance.name}"
+  name     = "%s"
+}
+
+resource "google_spanner_database_iam_binding" "foo" {
+  project     = "${google_spanner_database.database.project}"
+  database    = "${google_spanner_database.database.name}"
+  instance    = "${google_spanner_database.database.instance}"
+  role        = "%s"
+  members     = ["serviceAccount:${google_service_account.test_account.email}"]
+}
+`, account, instance, instance, database, roleId)
+}
+
+func testAccSpannerDatabaseIamBinding_update(account, instance, database, roleId string) string {
+	return fmt.Sprintf(`
+resource "google_service_account" "test_account" {
+  account_id   = "%s"
+  display_name = "Spanner Iam Testing Account"
+}
+
+resource "google_service_account" "test_account_2" {
+  account_id   = "%s-2"
+  display_name = "Spanner Iam Testing Account"
+}
+
+resource "google_spanner_instance" "instance" {
+  name         = "%s"
+  config       = "regional-us-central1"
+  display_name = "%s"
+  num_nodes    = 1
+}
+
+resource "google_spanner_database" "database" {
+  instance = "${google_spanner_instance.instance.name}"
+  name     = "%s"
+}
+
+resource "google_spanner_database_iam_binding" "foo" {
+  project      = "${google_spanner_database.database.project}"
+  database     = "${google_spanner_database.database.name}"
+  instance     = "${google_spanner_database.database.instance}"
+  role         = "%s"
+  members      = [
+    "serviceAccount:${google_service_account.test_account.email}",
+    "serviceAccount:${google_service_account.test_account_2.email}"
+  ]
+}
+`, account, account, instance, instance, database, roleId)
+}
+
+func testAccSpannerDatabaseIamMember_basic(account, instance, database, roleId string) string {
+	return fmt.Sprintf(`
+resource "google_service_account" "test_account" {
+  account_id   = "%s"
+  display_name = "Spanner Iam Testing Account"
+}
+
+resource "google_spanner_instance" "instance" {
+  name         = "%s"
+  config       = "regional-us-central1"
+  display_name = "%s"
+  num_nodes    = 1
+}
+
+resource "google_spanner_database" "database" {
+  instance = "${google_spanner_instance.instance.name}"
+  name     = "%s"
+}
+
+resource "google_spanner_database_iam_member" "foo" {
+  project     = "${google_spanner_database.database.project}"
+  database    = "${google_spanner_database.database.name}"
+  instance    = "${google_spanner_database.database.instance}"
+  role        = "%s"
+  member      = "serviceAccount:${google_service_account.test_account.email}"
+}
+`, account, instance, instance, database, roleId)
+}
+
+func testAccSpannerDatabaseIamPolicy_basic(account, instance, database, roleId string) string {
+	return fmt.Sprintf(`
+resource "google_service_account" "test_account" {
+  account_id   = "%s"
+  display_name = "Spanner Iam Testing Account"
+}
+
+resource "google_spanner_instance" "instance" {
+  name         = "%s"
+  config       = "regional-us-central1"
+  display_name = "%s"
+  num_nodes    = 1
+}
+
+resource "google_spanner_database" "database" {
+  instance = "${google_spanner_instance.instance.name}"
+  name     = "%s"
+}
+
+data "google_iam_policy" "foo" {
+	binding {
+		role = "%s"
+
+		members = ["serviceAccount:${google_service_account.test_account.email}"]
+	}
+}
+
+resource "google_spanner_database_iam_policy" "foo" {
+  project     = "${google_spanner_database.database.project}"
+  database    = "${google_spanner_database.database.name}"
+  instance    = "${google_spanner_database.database.instance}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, account, instance, instance, database, roleId)
+}
--- a/website/docs/r/spanner_database_iam.html.markdown
+++ b/website/docs/r/spanner_database_iam.html.markdown
@ -0,0 +1,126 @@
+---
+layout: "google"
+page_title: "Google: google_spanner_database_iam"
+sidebar_current: "docs-google-spanner-database-iam"
+description: |-
+ Collection of resources to manage IAM policy for a Spanner database.
+---
+
+# IAM policy for Spanner databases
+
+Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case:
+
+* `google_spanner_database_iam_policy`: Authoritative. Sets the IAM policy for the database and replaces any existing policy already attached.
+
+~> **Warning:** It's entirely possibly to lock yourself out of your database using `google_spanner_database_iam_policy`. Any permissions granted by default will be removed unless you include them in your config.
+
+* `google_spanner_database_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the database are preserved.
+* `google_spanner_database_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the database are preserved.
+
+~> **Note:** `google_spanner_database_iam_policy` **cannot** be used in conjunction with `google_spanner_database_iam_binding` and `google_spanner_database_iam_member` or they will fight over what your policy should be.
+
+~> **Note:** `google_spanner_database_iam_binding` resources **can be** used in conjunction with `google_spanner_database_iam_member` resources **only if** they do not grant privilege to the same role.
+
+## google\_spanner\_database\_iam\_policy
+
+```hcl
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/editor"
+
+    members = [
+      "user:jane@example.com",
+    ]
+  }
+}
+
+resource "google_spanner_database_iam_policy" "database" {
+  instance    = "your-instance-name"
+  database    = "your-database-name"
+  policy_data = "${data.google_iam_policy.admin.policy_data}"
+}
+```
+
+## google\_spanner\_database\_iam\_binding
+
+```hcl
+resource "google_spanner_database_iam_binding" "database" {
+  instance   = "your-instance-name"
+  database   = "your-database-name"
+  role       = "roles/compute.networkUser"
+
+  members = [
+    "user:jane@example.com",
+  ]
+}
+```
+
+## google\_spanner\_database\_iam\_member
+
+```hcl
+resource "google_spanner_database_iam_member" "database" {
+  instance   = "your-instance-name"
+  database   = "your-database-name"
+  role       = "roles/compute.networkUser"
+  member     = "user:jane@example.com"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `database` - (Required) The name of the Spanner database.
+
+* `instance` - (Required) The name of the Spanner instance the database belongs to.
+
+* `member/members` - (Required) Identities that will be granted the privilege in `role`.
+  Each entry can have one of the following values:
+  * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
+  * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
+  * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
+  * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
+  * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
+  * **domain:{domain}**: A Google Apps domain name that represents all the users of that domain. For example, google.com or example.com.
+
+* `role` - (Required) The role that should be applied. Only one
+    `google_spanner_database_iam_binding` can be used per role. Note that custom roles must be of the format
+    `[projects|organizations]/{parent-name}/roles/{role-name}`.
+
+* `policy_data` - (Required only by `google_spanner_database_iam_policy`) The policy data generated by
+  a `google_iam_policy` data source.
+
+* `project` - (Optional) The ID of the project in which the resource belongs. If it
+    is not provided, the provider project is used.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are
+exported:
+
+* `etag` - (Computed) The etag of the database's IAM policy.
+
+## Import
+
+For all import syntaxes, the "resource in question" can take any of the following forms:
+
+* {{project}}/{{instance}}/{{database}}
+* {{instance}}/{{database}} (project is taken from provider project)
+
+IAM member imports use space-delimited identifiers; the resource in question, the role, and the account, e.g.
+
+```
+$ terraform import google_spanner_database_iam_member.database "project-name/instance-name/database-name roles/viewer foo@example.com"
+```
+
+IAM binding imports use space-delimited identifiers; the resource in question and the role, e.g.
+
+```
+$ terraform import google_spanner_database_iam_binding.database "project-name/instance-name/database-name roles/viewer"
+```
+
+IAM policy imports use the identifier of the resource in question, e.g.
+
+```
+$ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name
+```
--- a/website/google.erb
+++ b/website/google.erb
@ -520,13 +520,22 @@
    <li<%= sidebar_current("docs-google-spanner") %>>
    <a href="#">Google Spanner Resources</a>
    <ul class="nav nav-visible">
-      <li<%= sidebar_current("docs-google-spanner-instance") %>>
-      <a href="/docs/providers/google/r/spanner_instance.html">google_spanner_instance</a>
-      </li>
-
      <li<%= sidebar_current("docs-google-spanner-database") %>>
      <a href="/docs/providers/google/r/spanner_database.html">google_spanner_database</a>
      </li>
+      <li<%= sidebar_current("docs-google-spanner-database-iam") %>>
+      <a href="/docs/providers/google/r/spanner_database_iam.html">google_spanner_database_iam_binding</a>
+      </li>
+      <li<%= sidebar_current("docs-google-spanner-database-iam") %>>
+      <a href="/docs/providers/google/r/spanner_database_iam.html">google_spanner_database_iam_member</a>
+      </li>
+      <li<%= sidebar_current("docs-google-spanner-database-iam") %>>
+      <a href="/docs/providers/google/r/spanner_database_iam.html">google_spanner_database_iam_policy</a>
+      </li>
+
+      <li<%= sidebar_current("docs-google-spanner-instance") %>>
+      <a href="/docs/providers/google/r/spanner_instance.html">google_spanner_instance</a>
+      </li>
    </ul>
    </li>