diff --git a/google/resource_compute_instance_iam_test.go b/google/resource_compute_instance_iam_test.go index f81331cd..aeb4724a 100644 --- a/google/resource_compute_instance_iam_test.go +++ b/google/resource_compute_instance_iam_test.go @@ -12,11 +12,8 @@ func TestAccComputeInstanceIamBinding(t *testing.T) { t.Parallel() project := getTestProjectFromEnv() - account := acctest.RandomWithPrefix("tf-test") role := "roles/compute.osLogin" - region := getTestRegionFromEnv() zone := getTestZoneFromEnv() - subnetwork := fmt.Sprintf("tf-test-net-%s", acctest.RandString(10)) instanceName := fmt.Sprintf("tf-test-instance-%s", acctest.RandString(10)) resource.Test(t, resource.TestCase{ @@ -24,7 +21,7 @@ func TestAccComputeInstanceIamBinding(t *testing.T) { Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccComputeInstanceIamBinding_basic(project, account, region, zone, subnetwork, instanceName, role), + Config: testAccComputeInstanceIamBinding_basic(zone, instanceName, role), }, { ResourceName: "google_compute_instance_iam_binding.foo", @@ -34,7 +31,7 @@ func TestAccComputeInstanceIamBinding(t *testing.T) { }, { // Test Iam Binding update - Config: testAccComputeInstanceIamBinding_update(project, account, region, zone, subnetwork, instanceName, role), + Config: testAccComputeInstanceIamBinding_update(zone, instanceName, role), }, { ResourceName: "google_compute_instance_iam_binding.foo", 
@@ -50,23 +47,21 @@ func TestAccComputeInstanceIamMember(t *testing.T) { t.Parallel() project := getTestProjectFromEnv() - account := acctest.RandomWithPrefix("tf-test") role := "roles/compute.osLogin" - region := getTestRegionFromEnv() zone := getTestZoneFromEnv() - subnetwork := fmt.Sprintf("tf-test-net-%s", acctest.RandString(10)) instanceName := fmt.Sprintf("tf-test-instance-%s", acctest.RandString(10)) + resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { // Test Iam Member creation (no update for member, no need to test) - Config: testAccComputeInstanceIamMember_basic(project, account, region, zone, subnetwork, instanceName, role), + Config: testAccComputeInstanceIamMember_basic(zone, instanceName, role), }, { ResourceName: "google_compute_instance_iam_member.foo", - ImportStateId: fmt.Sprintf("%s/%s/%s %s serviceAccount:%s@%s.iam.gserviceaccount.com", project, zone, instanceName, role, account, project), + ImportStateId: fmt.Sprintf("%s/%s/%s %s user:admin@hashicorptest.com", project, zone, instanceName, role), ImportState: true, ImportStateVerify: true, }, @@ -78,19 +73,16 @@ func TestAccComputeInstanceIamPolicy(t *testing.T) { t.Parallel() project := getTestProjectFromEnv() - account := acctest.RandomWithPrefix("tf-test") role := "roles/compute.osLogin" - region := getTestRegionFromEnv() zone := getTestZoneFromEnv() instanceName := fmt.Sprintf("tf-test-instance-%s", acctest.RandString(10)) - subnetwork := fmt.Sprintf("tf-test-%s", acctest.RandString(10)) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccComputeInstanceIamPolicy_basic(project, account, region, zone, subnetwork, instanceName, role), + Config: testAccComputeInstanceIamPolicy_basic(zone, instanceName, role), }, // Test a few import formats { 
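Review bot: The `ImportStateId` in TestAccComputeInstanceIamMember now hard-codes the human principal `user:admin@hashicorptest.com`, and the same literal is repeated in the HCL of the four config helpers in the later hunk, with `user:paddy@hashicorp.com` added in `_update`. Every run therefore grants `roles/compute.osLogin` on the test VM to fixed external accounts, where the old code used a service account that the test created and destroyed. This ties the suite to identities the test project does not control, and the bindings would likely be rejected in a project under a domain-restricted-sharing organization policy. Consider defining the member once, e.g. `member := "user:admin@hashicorptest.com"`, and passing it to both `testAccComputeInstanceIamMember_basic(zone, instanceName, role, member)` and the `ImportStateId` format string, so the two cannot drift and the principal can be swapped for a throwaway one.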
@@ -115,192 +107,124 @@ func TestAccComputeInstanceIamPolicy(t *testing.T) { }) } -func testAccComputeInstanceIamMember_basic(project, account, region, zone, subnetworkName, instanceName, roleId string) string { +func testAccComputeInstanceIamMember_basic(zone, instanceName, roleId string) string { return fmt.Sprintf(` -resource "google_service_account" "test_account" { - account_id = "%s" - display_name = "Iam Testing Account" -} + resource "google_compute_instance" "test_vm" { + zone = "%s" + name = "%s" + machine_type = "n1-standard-1" -resource "google_compute_network" "network" { - name = "%s" - auto_create_subnetworks = false -} + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } -resource "google_compute_subnetwork" "subnetwork" { - name = "%s" - region = "%s" - ip_cidr_range = "10.1.0.0/16" - network = "${google_compute_network.network.name}" -} - -resource "google_compute_instance" "test_vm" { - project = "%s" - zone = "%s" - name = "%s" - machine_type = "n1-standard-1" - boot_disk { - initialize_params { - image = "debian-cloud/debian-9" + network_interface { + network = "default" } } - network_interface { - subnetwork ="${google_compute_subnetwork.subnetwork.self_link}" + + resource "google_compute_instance_iam_member" "foo" { + project = "${google_compute_instance.test_vm.project}" + zone = "${google_compute_instance.test_vm.zone}" + instance_name = "${google_compute_instance.test_vm.name}" + role = "%s" + member = "user:admin@hashicorptest.com" } + +`, zone, instanceName, roleId) } -resource "google_compute_instance_iam_member" "foo" { - project = "${google_compute_instance.test_vm.project}" - zone = "${google_compute_instance.test_vm.zone}" - instance_name = "${google_compute_instance.test_vm.name}" - role = "%s" - member = "serviceAccount:${google_service_account.test_account.email}" -} -`, account, subnetworkName, subnetworkName, region, project, zone, instanceName, roleId) -} - -func 
testAccComputeInstanceIamPolicy_basic(project, account, region, zone, subnetworkName, instanceName, roleId string) string { +func testAccComputeInstanceIamPolicy_basic(zone, instanceName, roleId string) string { return fmt.Sprintf(` -resource "google_service_account" "test_account" { - account_id = "%s" - display_name = "Iam Testing Account" -} + resource "google_compute_instance" "test_vm" { + zone = "%s" + name = "%s" + machine_type = "n1-standard-1" -resource "google_compute_network" "network" { - name = "%s" - auto_create_subnetworks = false -} + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } -resource "google_compute_subnetwork" "subnetwork" { - name = "%s" - region = "%s" - ip_cidr_range = "10.1.0.0/16" - network = "${google_compute_network.network.name}" -} - -resource "google_compute_instance" "test_vm" { - project = "%s" - zone = "%s" - name = "%s" - machine_type = "n1-standard-1" - boot_disk { - initialize_params { - image = "debian-cloud/debian-9" + network_interface { + network = "default" } } - network_interface { - subnetwork ="${google_compute_subnetwork.subnetwork.self_link}" - } -} -data "google_iam_policy" "foo" { - binding { - role = "%s" - members = ["serviceAccount:${google_service_account.test_account.email}"] - } -} - -resource "google_compute_instance_iam_policy" "foo" { - project = "${google_compute_instance.test_vm.project}" - zone = "${google_compute_instance.test_vm.zone}" - instance_name = "${google_compute_instance.test_vm.name}" - policy_data = "${data.google_iam_policy.foo.policy_data}" -} -`, account, subnetworkName, subnetworkName, region, project, zone, instanceName, roleId) -} - -func testAccComputeInstanceIamBinding_basic(project, account, region, zone, subnetworkName, instanceName, roleId string) string { - return fmt.Sprintf(` -resource "google_service_account" "test_account" { - account_id = "%s" - display_name = "Iam Testing Account" -} - -resource "google_compute_network" "network" { - name = 
"%s" - auto_create_subnetworks = false -} - -resource "google_compute_subnetwork" "subnetwork" { - name = "%s" - region = "%s" - ip_cidr_range = "10.1.0.0/16" - network = "${google_compute_network.network.name}" -} - -resource "google_compute_instance" "test_vm" { - project = "%s" - zone = "%s" - name = "%s" - machine_type = "n1-standard-1" - boot_disk { - initialize_params { - image = "debian-cloud/debian-9" + data "google_iam_policy" "foo" { + binding { + role = "%s" + members = ["user:admin@hashicorptest.com"] } } - network_interface { - subnetwork ="${google_compute_subnetwork.subnetwork.self_link}" + + resource "google_compute_instance_iam_policy" "foo" { + project = "${google_compute_instance.test_vm.project}" + zone = "${google_compute_instance.test_vm.zone}" + instance_name = "${google_compute_instance.test_vm.name}" + policy_data = "${data.google_iam_policy.foo.policy_data}" } + +`, zone, instanceName, roleId) } -resource "google_compute_instance_iam_binding" "foo" { - project = "${google_compute_instance.test_vm.project}" - zone = "${google_compute_instance.test_vm.zone}" - instance_name = "${google_compute_instance.test_vm.name}" - role = "%s" - members = ["serviceAccount:${google_service_account.test_account.email}"] -} -`, account, subnetworkName, subnetworkName, region, project, zone, instanceName, roleId) -} - -func testAccComputeInstanceIamBinding_update(project, account, region, zone, subnetworkName, instanceName, roleId string) string { +func testAccComputeInstanceIamBinding_basic(zone, instanceName, roleId string) string { return fmt.Sprintf(` -resource "google_service_account" "test_account" { - account_id = "%s" - display_name = "Iam Testing Account" -} + resource "google_compute_instance" "test_vm" { + zone = "%s" + name = "%s" + machine_type = "n1-standard-1" -resource "google_service_account" "test_account_2" { - account_id = "%s-2" - display_name = "Iam Testing Account" -} + boot_disk { + initialize_params { + image = 
"debian-cloud/debian-9" + } + } -resource "google_compute_network" "network" { - name = "%s" - auto_create_subnetworks = false -} - -resource "google_compute_subnetwork" "subnetwork" { - name = "%s" - region = "%s" - ip_cidr_range = "10.1.0.0/16" - network = "${google_compute_network.network.name}" -} - -resource "google_compute_instance" "test_vm" { - project = "%s" - zone = "%s" - name = "%s" - machine_type = "n1-standard-1" - boot_disk { - initialize_params { - image = "debian-cloud/debian-9" + network_interface { + network = "default" } } - network_interface { - subnetwork ="${google_compute_subnetwork.subnetwork.self_link}" + + resource "google_compute_instance_iam_binding" "foo" { + project = "${google_compute_instance.test_vm.project}" + zone = "${google_compute_instance.test_vm.zone}" + instance_name = "${google_compute_instance.test_vm.name}" + role = "%s" + members = ["user:admin@hashicorptest.com"] } + +`, zone, instanceName, roleId) } -resource "google_compute_instance_iam_binding" "foo" { - project = "${google_compute_instance.test_vm.project}" - zone = "${google_compute_instance.test_vm.zone}" - instance_name = "${google_compute_instance.test_vm.name}" - role = "%s" - members = [ - "serviceAccount:${google_service_account.test_account.email}", - "serviceAccount:${google_service_account.test_account_2.email}" - ] -} -`, account, account, subnetworkName, subnetworkName, region, project, zone, instanceName, roleId) +func testAccComputeInstanceIamBinding_update(zone, instanceName, roleId string) string { + return fmt.Sprintf(` + resource "google_compute_instance" "test_vm" { + zone = "%s" + name = "%s" + machine_type = "n1-standard-1" + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + } + } + + resource "google_compute_instance_iam_binding" "foo" { + project = "${google_compute_instance.test_vm.project}" + zone = "${google_compute_instance.test_vm.zone}" + instance_name = 
"${google_compute_instance.test_vm.name}" + role = "%s" + members = ["user:admin@hashicorptest.com", "user:paddy@hashicorp.com"] + } + +`, zone, instanceName, roleId) } diff --git a/website/docs/r/compute_instance_iam.html.markdown b/website/docs/r/compute_instance_iam.html.markdown index e99533bd..a247f934 100644 --- a/website/docs/r/compute_instance_iam.html.markdown +++ b/website/docs/r/compute_instance_iam.html.markdown @@ -8,9 +8,6 @@ description: |- # IAM policy for GCE instance -~> **Warning:** These resources are in beta, and should be used with the terraform-provider-google-beta provider. -See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta resources. - Three different resources help you manage your IAM policy for GCE instance. Each of these resources serves a different use case: * `google_compute_instance_iam_policy`: Authoritative. Sets the IAM policy for the instance and replaces any existing policy already attached. @@ -26,7 +23,7 @@ Three different resources help you manage your IAM policy for GCE instance. Each ```hcl data "google_iam_policy" "admin" { binding { - role = "roles/editor" + role = "roles/compute.osLogin" members = [ "user:jane@example.com", @@ -35,8 +32,8 @@ data "google_iam_policy" "admin" { } resource "google_compute_instance_iam_policy" "instance" { - instance_name = "your-instance-id" - policy_data = "${data.google_iam_policy.admin.policy_data}" + instance_name = "your-instance-name" + policy_data = "${data.google_iam_policy.admin.policy_data}" } ``` @@ -44,8 +41,8 @@ resource "google_compute_instance_iam_policy" "instance" { ```hcl resource "google_compute_instance_iam_binding" "instance" { - instance_name = "your-instance-id" - role = "roles/compute.networkUser" + instance_name = "your-instance-name" + role = "roles/compute.osLoginr" members = [ "user:jane@example.com", 
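Review bot: `network = "default"` in each of the four rewritten `testAccComputeInstanceIam*` config helpers makes the tests depend on the project's auto-created default network, a precondition the removed dedicated network and subnetwork did not have. Hardened projects commonly delete that network or never create it, and where it exists it typically carries the pre-populated ingress rules instead of an isolated, test-owned configuration. If the simplification is intentional, document it on each helper, e.g. `// Requires the "default" network to exist in the test project.` The helpers also repeat the same `google_compute_instance` block verbatim; building it from one shared string would keep the four configs from drifting.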
@@ -57,8 +54,8 @@ resource "google_compute_instance_iam_binding" "instance" { ```hcl resource "google_compute_instance_iam_member" "instance" { - instance_name = "your-instance-id" - role = "roles/compute.networkUser" + instance_name = "your-instance-name" + role = "roles/compute.osLogin" member = "user:jane@example.com" } ```