Generate DefaultObjectAccessControl in Terraform (#2358)

<!-- This change is generated by MagicModules. -->
/cc @rileykarson

google/provider_storage_gen.go

@@ -17,5 +17,6 @@ package google
 import "github.com/hashicorp/terraform/helper/schema"
 
 var GeneratedStorageResourcesMap = map[string]*schema.Resource{
-	"google_storage_object_access_control": resourceStorageObjectAccessControl(),
+	"google_storage_object_access_control":         resourceStorageObjectAccessControl(),
+	"google_storage_default_object_access_control": resourceStorageDefaultObjectAccessControl(),
 }

google/resource_storage_default_object_access_control.go

@@ -0,0 +1,333 @@
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This file is automatically generated by Magic Modules and manual
+//     changes will be clobbered when the file is regenerated.
+//
+//     Please read more about how to change this file in
+//     .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+	"fmt"
+	"log"
+	"reflect"
+	"strconv"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
+)
+
+func resourceStorageDefaultObjectAccessControl() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceStorageDefaultObjectAccessControlCreate,
+		Read:   resourceStorageDefaultObjectAccessControlRead,
+		Update: resourceStorageDefaultObjectAccessControlUpdate,
+		Delete: resourceStorageDefaultObjectAccessControlDelete,
+
+		Importer: &schema.ResourceImporter{
+			State: resourceStorageDefaultObjectAccessControlImport,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"bucket": {
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: compareSelfLinkOrResourceName,
+			},
+			"entity": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"role": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringInSlice([]string{"OWNER", "READER"}, false),
+			},
+			"object": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"domain": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"email": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"entity_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"generation": {
+				Type:     schema.TypeInt,
+				Computed: true,
+			},
+			"project_team": {
+				Type:     schema.TypeList,
+				Computed: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"project_number": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"team": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validation.StringInSlice([]string{"editors", "owners", "viewers", ""}, false),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceStorageDefaultObjectAccessControlCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+
+	obj := make(map[string]interface{})
+	bucketProp, err := expandStorageDefaultObjectAccessControlBucket(d.Get("bucket"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("bucket"); !isEmptyValue(reflect.ValueOf(bucketProp)) && (ok || !reflect.DeepEqual(v, bucketProp)) {
+		obj["bucket"] = bucketProp
+	}
+	entityProp, err := expandStorageDefaultObjectAccessControlEntity(d.Get("entity"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("entity"); !isEmptyValue(reflect.ValueOf(entityProp)) && (ok || !reflect.DeepEqual(v, entityProp)) {
+		obj["entity"] = entityProp
+	}
+	objectProp, err := expandStorageDefaultObjectAccessControlObject(d.Get("object"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("object"); !isEmptyValue(reflect.ValueOf(objectProp)) && (ok || !reflect.DeepEqual(v, objectProp)) {
+		obj["object"] = objectProp
+	}
+	roleProp, err := expandStorageDefaultObjectAccessControlRole(d.Get("role"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("role"); !isEmptyValue(reflect.ValueOf(roleProp)) && (ok || !reflect.DeepEqual(v, roleProp)) {
+		obj["role"] = roleProp
+	}
+
+	url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl")
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] Creating new DefaultObjectAccessControl: %#v", obj)
+	res, err := sendRequest(config, "POST", url, obj)
+	if err != nil {
+		return fmt.Errorf("Error creating DefaultObjectAccessControl: %s", err)
+	}
+
+	// Store the ID now
+	id, err := replaceVars(d, config, "{{bucket}}/{{entity}}")
+	if err != nil {
+		return fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+
+	log.Printf("[DEBUG] Finished creating DefaultObjectAccessControl %q: %#v", d.Id(), res)
+
+	return resourceStorageDefaultObjectAccessControlRead(d, meta)
+}
+
+func resourceStorageDefaultObjectAccessControlRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+
+	url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+	if err != nil {
+		return err
+	}
+
+	res, err := sendRequest(config, "GET", url, nil)
+	if err != nil {
+		return handleNotFoundError(err, d, fmt.Sprintf("StorageDefaultObjectAccessControl %q", d.Id()))
+	}
+
+	if err := d.Set("domain", flattenStorageDefaultObjectAccessControlDomain(res["domain"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("email", flattenStorageDefaultObjectAccessControlEmail(res["email"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("entity", flattenStorageDefaultObjectAccessControlEntity(res["entity"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("entity_id", flattenStorageDefaultObjectAccessControlEntityId(res["entityId"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("generation", flattenStorageDefaultObjectAccessControlGeneration(res["generation"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("object", flattenStorageDefaultObjectAccessControlObject(res["object"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("project_team", flattenStorageDefaultObjectAccessControlProjectTeam(res["projectTeam"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+	if err := d.Set("role", flattenStorageDefaultObjectAccessControlRole(res["role"])); err != nil {
+		return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+	}
+
+	return nil
+}
+
+func resourceStorageDefaultObjectAccessControlUpdate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+
+	obj := make(map[string]interface{})
+	bucketProp, err := expandStorageDefaultObjectAccessControlBucket(d.Get("bucket"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("bucket"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, bucketProp)) {
+		obj["bucket"] = bucketProp
+	}
+	entityProp, err := expandStorageDefaultObjectAccessControlEntity(d.Get("entity"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("entity"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, entityProp)) {
+		obj["entity"] = entityProp
+	}
+	objectProp, err := expandStorageDefaultObjectAccessControlObject(d.Get("object"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("object"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, objectProp)) {
+		obj["object"] = objectProp
+	}
+	roleProp, err := expandStorageDefaultObjectAccessControlRole(d.Get("role"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("role"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, roleProp)) {
+		obj["role"] = roleProp
+	}
+
+	url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] Updating DefaultObjectAccessControl %q: %#v", d.Id(), obj)
+	_, err = sendRequest(config, "PUT", url, obj)
+
+	if err != nil {
+		return fmt.Errorf("Error updating DefaultObjectAccessControl %q: %s", d.Id(), err)
+	}
+
+	return resourceStorageDefaultObjectAccessControlRead(d, meta)
+}
+
+func resourceStorageDefaultObjectAccessControlDelete(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+
+	url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+	if err != nil {
+		return err
+	}
+
+	var obj map[string]interface{}
+	log.Printf("[DEBUG] Deleting DefaultObjectAccessControl %q", d.Id())
+	res, err := sendRequest(config, "DELETE", url, obj)
+	if err != nil {
+		return handleNotFoundError(err, d, "DefaultObjectAccessControl")
+	}
+
+	log.Printf("[DEBUG] Finished deleting DefaultObjectAccessControl %q: %#v", d.Id(), res)
+	return nil
+}
+
+func resourceStorageDefaultObjectAccessControlImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	config := meta.(*Config)
+	parseImportId([]string{"(?P<bucket>[^/]+)/(?P<entity>[^/]+)"}, d, config)
+
+	// Replace import id for the resource id
+	id, err := replaceVars(d, config, "{{bucket}}/{{entity}}")
+	if err != nil {
+		return nil, fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+
+	return []*schema.ResourceData{d}, nil
+}
+
+func flattenStorageDefaultObjectAccessControlDomain(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlEmail(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlEntity(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlEntityId(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlGeneration(v interface{}) interface{} {
+	// Handles the string fixed64 format
+	if strVal, ok := v.(string); ok {
+		if intVal, err := strconv.ParseInt(strVal, 10, 64); err == nil {
+			return intVal
+		} // let terraform core handle it if we can't convert the string to an int.
+	}
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlObject(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlProjectTeam(v interface{}) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	transformed := make(map[string]interface{})
+	transformed["project_number"] =
+		flattenStorageDefaultObjectAccessControlProjectTeamProjectNumber(original["projectNumber"])
+	transformed["team"] =
+		flattenStorageDefaultObjectAccessControlProjectTeamTeam(original["team"])
+	return []interface{}{transformed}
+}
+func flattenStorageDefaultObjectAccessControlProjectTeamProjectNumber(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlProjectTeamTeam(v interface{}) interface{} {
+	return v
+}
+
+func flattenStorageDefaultObjectAccessControlRole(v interface{}) interface{} {
+	return v
+}
+
+func expandStorageDefaultObjectAccessControlBucket(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandStorageDefaultObjectAccessControlEntity(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandStorageDefaultObjectAccessControlObject(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandStorageDefaultObjectAccessControlRole(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}

google/resource_storage_default_object_access_control_generated_test.go

@@ -0,0 +1,82 @@
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This file is automatically generated by Magic Modules and manual
+//     changes will be clobbered when the file is regenerated.
+//
+//     Please read more about how to change this file in
+//     .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageDefaultObjectAccessControl_StorageDefaultObjectAccessControlPublicExample(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckStorageDefaultObjectAccessControlDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccStorageDefaultObjectAccessControl_StorageDefaultObjectAccessControlPublicExample(acctest.RandString(10)),
+			},
+			{
+				ResourceName:            "google_storage_default_object_access_control.public_rule",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"bucket"},
+			},
+		},
+	})
+}
+
+func testAccStorageDefaultObjectAccessControl_StorageDefaultObjectAccessControlPublicExample(val string) string {
+	return fmt.Sprintf(`
+resource "google_storage_default_object_access_control" "public_rule" {
+  bucket = "${google_storage_bucket.bucket.name}"
+  role   = "READER"
+  entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+	name = "static-content-bucket-%s"
+}
+`, val,
+	)
+}
+
+func testAccCheckStorageDefaultObjectAccessControlDestroy(s *terraform.State) error {
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "google_storage_default_object_access_control" {
+			continue
+		}
+
+		config := testAccProvider.Meta().(*Config)
+
+		url, err := replaceVarsForTest(rs, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+		if err != nil {
+			return err
+		}
+
+		_, err = sendRequest(config, "GET", url, nil)
+		if err == nil {
+			return fmt.Errorf("StorageDefaultObjectAccessControl still exists at %s", url)
+		}
+	}
+
+	return nil
+}

google/resource_storage_default_object_access_control_test.go

@@ -0,0 +1,110 @@
+package google
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageDefaultObjectAccessControl_basic(t *testing.T) {
+	t.Parallel()
+
+	bucketName := testBucketName()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			if errObjectAcl != nil {
+				panic(errObjectAcl)
+			}
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccStorageDefaultObjectAccessControlDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "READER", "allUsers"),
+			},
+			{
+				ResourceName:      "google_storage_default_object_access_control.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccStorageDefaultObjectAccessControl_update(t *testing.T) {
+	t.Parallel()
+
+	bucketName := testBucketName()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			if errObjectAcl != nil {
+				panic(errObjectAcl)
+			}
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccStorageDefaultObjectAccessControlDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "READER", "allUsers"),
+			},
+			{
+				ResourceName:      "google_storage_default_object_access_control.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "OWNER", "allUsers"),
+			},
+			{
+				ResourceName:      "google_storage_default_object_access_control.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccStorageDefaultObjectAccessControlDestroy(s *terraform.State) error {
+	config := testAccProvider.Meta().(*Config)
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "google_storage_bucket_acl" {
+			continue
+		}
+
+		bucket := rs.Primary.Attributes["bucket"]
+		entity := rs.Primary.Attributes["entity"]
+
+		rePairs, err := config.clientStorage.DefaultObjectAccessControls.List(bucket).Do()
+		if err != nil {
+			return fmt.Errorf("Can't list role entity acl for bucket %s", bucket)
+		}
+
+		for _, v := range rePairs.Items {
+			if v.Entity == entity {
+				return fmt.Errorf("found entity %s as role entity acl entry in bucket %s", entity, bucket)
+			}
+		}
+
+	}
+
+	return nil
+}
+
+func testGoogleStorageDefaultObjectAccessControlBasic(bucketName, role, entity string) string {
+	return fmt.Sprintf(`
+resource "google_storage_bucket" "bucket" {
+	name = "%s"
+}
+
+resource "google_storage_default_object_access_control" "default" {
+	bucket = "${google_storage_bucket.bucket.name}"
+	role   = "%s"
+	entity = "%s"
+}
+`, bucketName, role, entity)
+}

google/resource_storage_object_access_control_generated_test.go

@@ -0,0 +1,88 @@
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This file is automatically generated by Magic Modules and manual
+//     changes will be clobbered when the file is regenerated.
+//
+//     Please read more about how to change this file in
+//     .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageObjectAccessControl_StorageObjectAccessControlPublicObjectExample(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckStorageObjectAccessControlDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccStorageObjectAccessControl_StorageObjectAccessControlPublicObjectExample(acctest.RandString(10)),
+			},
+			{
+				ResourceName:      "google_storage_object_access_control.public_rule",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccStorageObjectAccessControl_StorageObjectAccessControlPublicObjectExample(val string) string {
+	return fmt.Sprintf(`
+resource "google_storage_object_access_control" "public_rule" {
+  object = "${google_storage_bucket_object.object.name}"
+  bucket = "${google_storage_bucket.bucket.name}"
+  role   = "READER"
+  entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+	name = "static-content-bucket-%s"
+}
+
+ resource "google_storage_bucket_object" "object" {
+	name   = "public-object-%s"
+	bucket = "${google_storage_bucket.bucket.name}"
+	source = "test-fixtures/header-logo.png"
+}
+`, val, val,
+	)
+}
+
+func testAccCheckStorageObjectAccessControlDestroy(s *terraform.State) error {
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "google_storage_object_access_control" {
+			continue
+		}
+
+		config := testAccProvider.Meta().(*Config)
+
+		url, err := replaceVarsForTest(rs, "https://www.googleapis.com/storage/v1/b/{{bucket}}/o/{{object}}/acl/{{entity}}")
+		if err != nil {
+			return err
+		}
+
+		_, err = sendRequest(config, "GET", url, nil)
+		if err == nil {
+			return fmt.Errorf("StorageObjectAccessControl still exists at %s", url)
+		}
+	}
+
+	return nil
+}

google/resource_storage_object_access_control_test.go

@@ -0,0 +1,125 @@
+package google
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageObjectAccessControl_basic(t *testing.T) {
+	t.Parallel()
+
+	bucketName := testBucketName()
+	objectName := testAclObjectName()
+	objectData := []byte("data data data")
+	ioutil.WriteFile(tfObjectAcl.Name(), objectData, 0644)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			if errObjectAcl != nil {
+				panic(errObjectAcl)
+			}
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccStorageObjectAccessControlDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleStorageObjectAccessControlBasic(bucketName, objectName, "READER", "allUsers"),
+			},
+			{
+				ResourceName:      "google_storage_object_access_control.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccStorageObjectAccessControl_update(t *testing.T) {
+	t.Parallel()
+
+	bucketName := testBucketName()
+	objectName := testAclObjectName()
+	objectData := []byte("data data data")
+	ioutil.WriteFile(tfObjectAcl.Name(), objectData, 0644)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			if errObjectAcl != nil {
+				panic(errObjectAcl)
+			}
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccStorageObjectAccessControlDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleStorageObjectAccessControlBasic(bucketName, objectName, "READER", "allUsers"),
+			},
+			{
+				ResourceName:      "google_storage_object_access_control.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testGoogleStorageObjectAccessControlBasic(bucketName, objectName, "OWNER", "allUsers"),
+			},
+			{
+				ResourceName:      "google_storage_object_access_control.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccStorageObjectAccessControlDestroy(s *terraform.State) error {
+	config := testAccProvider.Meta().(*Config)
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "google_storage_bucket_acl" {
+			continue
+		}
+
+		bucket := rs.Primary.Attributes["bucket"]
+		object := rs.Primary.Attributes["object"]
+		entity := rs.Primary.Attributes["entity"]
+
+		rePairs, err := config.clientStorage.ObjectAccessControls.List(bucket, object).Do()
+		if err != nil {
+			return fmt.Errorf("Can't list role entity acl for object %s in bucket %s", object, bucket)
+		}
+
+		for _, v := range rePairs.Items {
+			if v.Entity == entity {
+				return fmt.Errorf("found entity %s as role entity acl entry for object %s in bucket %s", entity, object, bucket)
+			}
+		}
+
+	}
+
+	return nil
+}
+
+func testGoogleStorageObjectAccessControlBasic(bucketName, objectName, role, entity string) string {
+	return fmt.Sprintf(`
+resource "google_storage_bucket" "bucket" {
+	name = "%s"
+}
+
+resource "google_storage_bucket_object" "object" {
+	name = "%s"
+	bucket = "${google_storage_bucket.bucket.name}"
+	source = "%s"
+}
+
+resource "google_storage_object_access_control" "default" {
+	object = "${google_storage_bucket_object.object.name}"
+	bucket = "${google_storage_bucket.bucket.name}"
+	role   = "%s"
+	entity = "%s"
+}
+`, bucketName, objectName, tfObjectAcl.Name(), role, entity)
+}

website/docs/r/storage_default_object_access_control.html.markdown

@@ -0,0 +1,139 @@
+---
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in
+#     .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+layout: "google"
+page_title: "Google: google_storage_default_object_access_control"
+sidebar_current: "docs-google-storage-default-object-access-control"
+description: |-
+  The DefaultObjectAccessControls resources represent the Access Control
+  Lists (ACLs) applied to a new object within a Google Cloud Storage bucket
+  when no ACL was provided for that object.
+---
+
+# google\_storage\_default\_object\_access\_control
+
+The DefaultObjectAccessControls resources represent the Access Control
+Lists (ACLs) applied to a new object within a Google Cloud Storage bucket
+when no ACL was provided for that object. ACLs let you specify who has
+access to your bucket contents and to what extent.
+
+There are two roles that can be assigned to an entity:
+
+READERs can get an object, though the acl property will not be revealed.
+OWNERs are READERs, and they can get the acl property, update an object,
+and call all objectAccessControls methods on the object. The owner of an
+object is always an OWNER.
+For more information, see Access Control, with the caveat that this API
+uses READER and OWNER instead of READ and FULL_CONTROL.
+
+
+To get more information about DefaultObjectAccessControl, see:
+
+* [API documentation](https://cloud.google.com/storage/docs/json_api/v1/defaultObjectAccessControls)
+* How-to Guides
+    * [Official Documentation](https://cloud.google.com/storage/docs/access-control/create-manage-lists)
+
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=storage_default_object_access_control_public&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Storage Default Object Access Control Public
+
+
+```hcl
+resource "google_storage_default_object_access_control" "public_rule" {
+  bucket = "${google_storage_bucket.bucket.name}"
+  role   = "READER"
+  entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+	name = "static-content-bucket"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `bucket` -
+  (Required)
+  The name of the bucket.
+
+* `entity` -
+  (Required)
+  The entity holding the permission, in one of the following forms:
+    * user-{{userId}}
+    * user-{{email}} (such as "user-liz@example.com")
+    * group-{{groupId}}
+    * group-{{email}} (such as "group-example@googlegroups.com")
+    * domain-{{domain}} (such as "domain-example.com")
+    * project-team-{{projectId}}
+    * allUsers
+    * allAuthenticatedUsers
+
+* `role` -
+  (Required)
+  The access permission for the entity.
+
+
+- - -
+
+
+* `object` -
+  (Optional)
+  The name of the object, if applied to an object.
+
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+
+* `domain` -
+  The domain associated with the entity.
+
+* `email` -
+  The email address associated with the entity.
+
+* `entity_id` -
+  The ID for the entity
+
+* `generation` -
+  The content generation of the object, if applied to an object.
+
+* `project_team` -
+  The project team associated with the entity  Structure is documented below.
+
+
+The `project_team` block contains:
+
+* `project_number` -
+  (Optional)
+  The project team associated with the entity
+
+* `team` -
+  (Optional)
+  The team.
+
+
+## Import
+
+DefaultObjectAccessControl can be imported using any of these accepted formats:
+
+```
+$ terraform import google_storage_default_object_access_control.default {{bucket}}/{{entity}}
+```

website/docs/r/storage_default_object_acl.html.markdown

@@ -14,12 +14,14 @@ without managing the bucket itself.
 -> Note that for each object, its creator will have the `"OWNER"` role in addition
 to the default ACL that has been defined.
 
-
 For more information see
 [the official documentation](https://cloud.google.com/storage/docs/access-control/lists) 
 and 
 [API](https://cloud.google.com/storage/docs/json_api/v1/defaultObjectAccessControls).
 
+-> Want fine-grained control over default object ACLs? Use `google_storage_default_object_access_control`
+to control individual role entity pairs.
+
 ## Example Usage
 
 Example creating a default object ACL on a bucket with one owner, and one reader.

website/docs/r/storage_object_access_control.html.markdown

@@ -42,6 +42,11 @@ To get more information about ObjectAccessControl, see:
 * How-to Guides
     * [Official Documentation](https://cloud.google.com/storage/docs/access-control/create-manage-lists)
 
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=storage_object_access_control_public_object&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
 ## Example Usage - Storage Object Access Control Public Object
 
 
@@ -60,7 +65,7 @@ resource "google_storage_bucket" "bucket" {
  resource "google_storage_bucket_object" "object" {
 	name   = "public-object"
 	bucket = "${google_storage_bucket.bucket.name}"
-	source = "../static/img/header-logo.jpg"
+	source = "../static/img/header-logo.png"
 }
 ```