From 30fc9ec3f90658a91c070b0ea6b2ae010cf6fbf0 Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 29 Oct 2018 17:40:56 -0700 Subject: [PATCH] Generate DefaultObjectAccessControl in Terraform (#2358) /cc @rileykarson --- google/provider_storage_gen.go | 3 +- ...e_storage_default_object_access_control.go | 333 ++++++++++++++++++ ...lt_object_access_control_generated_test.go | 82 +++++ ...rage_default_object_access_control_test.go | 110 ++++++ ...ge_object_access_control_generated_test.go | 88 +++++ ...urce_storage_object_access_control_test.go | 125 +++++++ google/test-fixtures/header-logo.png | Bin 0 -> 3368 bytes ...efault_object_access_control.html.markdown | 139 ++++++++ .../storage_default_object_acl.html.markdown | 4 +- ...torage_object_access_control.html.markdown | 7 +- 10 files changed, 888 insertions(+), 3 deletions(-) create mode 100644 google/resource_storage_default_object_access_control.go create mode 100644 google/resource_storage_default_object_access_control_generated_test.go create mode 100644 google/resource_storage_default_object_access_control_test.go create mode 100644 google/resource_storage_object_access_control_generated_test.go create mode 100644 google/resource_storage_object_access_control_test.go create mode 100644 google/test-fixtures/header-logo.png create mode 100644 website/docs/r/storage_default_object_access_control.html.markdown diff --git a/google/provider_storage_gen.go b/google/provider_storage_gen.go index dd76002a..3cef3869 100644 --- a/google/provider_storage_gen.go +++ b/google/provider_storage_gen.go @@ -17,5 +17,6 @@ package google import "github.com/hashicorp/terraform/helper/schema" var GeneratedStorageResourcesMap = map[string]*schema.Resource{ - "google_storage_object_access_control": resourceStorageObjectAccessControl(), + "google_storage_object_access_control": resourceStorageObjectAccessControl(), + "google_storage_default_object_access_control": resourceStorageDefaultObjectAccessControl(), } 
diff --git a/google/resource_storage_default_object_access_control.go b/google/resource_storage_default_object_access_control.go
new file mode 100644
index 00000000..5ae86adb
--- /dev/null
+++ b/google/resource_storage_default_object_access_control.go
@@ -0,0 +1,333 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+ "fmt"
+ "log"
+ "reflect"
+ "strconv"
+
+ "github.com/hashicorp/terraform/helper/schema"
+ "github.com/hashicorp/terraform/helper/validation"
+)
+
+func resourceStorageDefaultObjectAccessControl() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceStorageDefaultObjectAccessControlCreate,
+ Read: resourceStorageDefaultObjectAccessControlRead,
+ Update: resourceStorageDefaultObjectAccessControlUpdate,
+ Delete: resourceStorageDefaultObjectAccessControlDelete,
+
+ Importer: &schema.ResourceImporter{
+ State: resourceStorageDefaultObjectAccessControlImport,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "bucket": {
+ Type: schema.TypeString,
+ Required: true,
+ DiffSuppressFunc: compareSelfLinkOrResourceName,
+ },
+ "entity": {
+ Type: schema.TypeString,
+ Required: true,
+ },
+ "role": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice([]string{"OWNER", "READER"}, false),
+ },
+ "object": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "domain": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "email": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "entity_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "generation": {
+ Type: schema.TypeInt,
+ Computed: true,
+ },
+ "project_team": {
+ Type: schema.TypeList,
+ Computed: true,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "project_number": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "team": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"editors", "owners", "viewers", ""}, false),
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
+func resourceStorageDefaultObjectAccessControlCreate(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ obj := make(map[string]interface{})
+ bucketProp, err := expandStorageDefaultObjectAccessControlBucket(d.Get("bucket"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("bucket"); !isEmptyValue(reflect.ValueOf(bucketProp)) && (ok || !reflect.DeepEqual(v, bucketProp)) {
+ obj["bucket"] = bucketProp
+ }
+ entityProp, err := expandStorageDefaultObjectAccessControlEntity(d.Get("entity"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("entity"); !isEmptyValue(reflect.ValueOf(entityProp)) && (ok || !reflect.DeepEqual(v, entityProp)) {
+ obj["entity"] = entityProp
+ }
+ objectProp, err := expandStorageDefaultObjectAccessControlObject(d.Get("object"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("object"); !isEmptyValue(reflect.ValueOf(objectProp)) && (ok || !reflect.DeepEqual(v, objectProp)) {
+ obj["object"] = objectProp
+ }
+ roleProp, err := expandStorageDefaultObjectAccessControlRole(d.Get("role"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("role"); !isEmptyValue(reflect.ValueOf(roleProp)) && (ok || !reflect.DeepEqual(v, roleProp)) {
+ obj["role"] = roleProp
+ }
+
+ url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl")
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Creating new DefaultObjectAccessControl: %#v", obj)
+ res, err := sendRequest(config, "POST", url, obj)
+ if err != nil {
+ return fmt.Errorf("Error creating DefaultObjectAccessControl: %s", err)
+ }
+
+ // Store the ID now
+ id, err := replaceVars(d, config, "{{bucket}}/{{entity}}")
+ if err != nil {
+ return fmt.Errorf("Error constructing id: %s", err)
+ }
+ d.SetId(id)
+
+ log.Printf("[DEBUG] Finished creating DefaultObjectAccessControl %q: %#v", d.Id(), res)
+
+ return resourceStorageDefaultObjectAccessControlRead(d, meta)
+}
+
+func resourceStorageDefaultObjectAccessControlRead(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ res, err := sendRequest(config, "GET", url, nil)
+ if err != nil {
+ return handleNotFoundError(err, d, fmt.Sprintf("StorageDefaultObjectAccessControl %q", d.Id()))
+ }
+
+ if err := d.Set("domain", flattenStorageDefaultObjectAccessControlDomain(res["domain"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("email", flattenStorageDefaultObjectAccessControlEmail(res["email"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("entity", flattenStorageDefaultObjectAccessControlEntity(res["entity"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("entity_id", flattenStorageDefaultObjectAccessControlEntityId(res["entityId"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("generation", flattenStorageDefaultObjectAccessControlGeneration(res["generation"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("object", flattenStorageDefaultObjectAccessControlObject(res["object"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("project_team", flattenStorageDefaultObjectAccessControlProjectTeam(res["projectTeam"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+ if err := d.Set("role", flattenStorageDefaultObjectAccessControlRole(res["role"])); err != nil {
+ return fmt.Errorf("Error reading DefaultObjectAccessControl: %s", err)
+ }
+
+ return nil
+}
+
+func resourceStorageDefaultObjectAccessControlUpdate(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ obj := make(map[string]interface{})
+ bucketProp, err := expandStorageDefaultObjectAccessControlBucket(d.Get("bucket"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("bucket"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, bucketProp)) {
+ obj["bucket"] = bucketProp
+ }
+ entityProp, err := expandStorageDefaultObjectAccessControlEntity(d.Get("entity"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("entity"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, entityProp)) {
+ obj["entity"] = entityProp
+ }
+ objectProp, err := expandStorageDefaultObjectAccessControlObject(d.Get("object"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("object"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, objectProp)) {
+ obj["object"] = objectProp
+ }
+ roleProp, err := expandStorageDefaultObjectAccessControlRole(d.Get("role"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("role"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, roleProp)) {
+ obj["role"] = roleProp
+ }
+
+ url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Updating DefaultObjectAccessControl %q: %#v", d.Id(), obj)
+ _, err = sendRequest(config, "PUT", url, obj)
+
+ if err != nil {
+ return fmt.Errorf("Error updating DefaultObjectAccessControl %q: %s", d.Id(), err)
+ }
+
+ return resourceStorageDefaultObjectAccessControlRead(d, meta)
+}
+
+func resourceStorageDefaultObjectAccessControlDelete(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ url, err := replaceVars(d, config, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ var obj map[string]interface{}
+ log.Printf("[DEBUG] Deleting DefaultObjectAccessControl %q", d.Id())
+ res, err := sendRequest(config, "DELETE", url, obj)
+ if err != nil {
+ return handleNotFoundError(err, d, "DefaultObjectAccessControl")
+ }
+
+ log.Printf("[DEBUG] Finished deleting DefaultObjectAccessControl %q: %#v", d.Id(), res)
+ return nil
+}
+
+func resourceStorageDefaultObjectAccessControlImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ config := meta.(*Config)
+ parseImportId([]string{"(?P[^/]+)/(?P[^/]+)"}, d, config)
+
+ // Replace import id for the resource id
+ id, err := replaceVars(d, config, "{{bucket}}/{{entity}}")
+ if err != nil {
+ return nil, fmt.Errorf("Error constructing id: %s", err)
+ }
+ d.SetId(id)
+
+ return []*schema.ResourceData{d}, nil
+}
+
+func flattenStorageDefaultObjectAccessControlDomain(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlEmail(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlEntity(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlEntityId(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlGeneration(v interface{}) interface{} {
+ // Handles the string fixed64 format
+ if strVal, ok := v.(string); ok {
+ if intVal, err := strconv.ParseInt(strVal, 10, 64); err == nil {
+ return intVal
+ } // let terraform core handle it if we can't convert the string to an int.
+ }
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlObject(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlProjectTeam(v interface{}) interface{} {
+ if v == nil {
+ return nil
+ }
+ original := v.(map[string]interface{})
+ transformed := make(map[string]interface{})
+ transformed["project_number"] =
+ flattenStorageDefaultObjectAccessControlProjectTeamProjectNumber(original["projectNumber"])
+ transformed["team"] =
+ flattenStorageDefaultObjectAccessControlProjectTeamTeam(original["team"])
+ return []interface{}{transformed}
+}
+func flattenStorageDefaultObjectAccessControlProjectTeamProjectNumber(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlProjectTeamTeam(v interface{}) interface{} {
+ return v
+}
+
+func flattenStorageDefaultObjectAccessControlRole(v interface{}) interface{} {
+ return v
+}
+
+func expandStorageDefaultObjectAccessControlBucket(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandStorageDefaultObjectAccessControlEntity(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandStorageDefaultObjectAccessControlObject(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandStorageDefaultObjectAccessControlRole(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
diff --git a/google/resource_storage_default_object_access_control_generated_test.go b/google/resource_storage_default_object_access_control_generated_test.go
new file mode 100644
index 00000000..67bd4b5f
--- /dev/null
+++ b/google/resource_storage_default_object_access_control_generated_test.go
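Review bot: `bucket` and `entity` make up both the resource id (`{{bucket}}/{{entity}}`) and the request path, yet neither schema entry carries `ForceNew`, so editing either value in config goes through resourceStorageDefaultObjectAccessControlUpdate, which PUTs to the new path and never deletes the grant under the old bucket/entity pair — that entry stays on the bucket while dropping out of Terraform state. Add `ForceNew: true,` to the `"bucket"` and `"entity"` blocks so such a change replaces the resource (delete, then create); since the file is generated, the change belongs in the Magic Modules template rather than here. Separately, resourceStorageDefaultObjectAccessControlImport discards the result of `parseImportId(...)`; assuming it reports an id that does not match the pattern as an error, that error should be returned instead of falling through to replaceVars with unset fields, i.e. `if err := parseImportId([]string{"(?P[^/]+)/(?P[^/]+)"}, d, config); err != nil { return nil, err }`.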
@@ -0,0 +1,82 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageDefaultObjectAccessControl_StorageDefaultObjectAccessControlPublicExample(t *testing.T) {
+ t.Parallel()
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckStorageDefaultObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccStorageDefaultObjectAccessControl_StorageDefaultObjectAccessControlPublicExample(acctest.RandString(10)),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.public_rule",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"bucket"},
+ },
+ },
+ })
+}
+
+func testAccStorageDefaultObjectAccessControl_StorageDefaultObjectAccessControlPublicExample(val string) string {
+ return fmt.Sprintf(`
+resource "google_storage_default_object_access_control" "public_rule" {
+ bucket = "${google_storage_bucket.bucket.name}"
+ role = "READER"
+ entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = "static-content-bucket-%s"
+}
+`, val,
+ )
+}
+
+func testAccCheckStorageDefaultObjectAccessControlDestroy(s *terraform.State) error {
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "google_storage_default_object_access_control" {
+ continue
+ }
+
+ config := testAccProvider.Meta().(*Config)
+
+ url, err := replaceVarsForTest(rs, "https://www.googleapis.com/storage/v1/b/{{bucket}}/defaultObjectAcl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ _, err = sendRequest(config, "GET", url, nil)
+ if err == nil {
+ return fmt.Errorf("StorageDefaultObjectAccessControl still exists at %s", url)
+ }
+ }
+
+ return nil
+}
diff --git a/google/resource_storage_default_object_access_control_test.go b/google/resource_storage_default_object_access_control_test.go
new file mode 100644
index 00000000..a3fca09c
--- /dev/null
+++ b/google/resource_storage_default_object_access_control_test.go
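Review bot: testAccCheckStorageDefaultObjectAccessControlDestroy treats any error from the GET as proof the ACL entry is gone, so a 403 from missing credentials, a transient 5xx or a network failure all make the destroy check pass vacuously, and a leaked grant on the bucket would not be reported. Only a not-found response should count as destroyed; every other error should be returned so the test fails loudly, e.g. `if err == nil { return fmt.Errorf(...) } else if !isGoogleApiErrorWithCode(err, 404) { return err }` (using the provider's 404 helper, if that is the one available here). The same any-error-is-success pattern is in testAccCheckStorageObjectAccessControlDestroy in resource_storage_object_access_control_generated_test.go; both are generated, so the fix belongs in the template.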
@@ -0,0 +1,110 @@
+package google
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageDefaultObjectAccessControl_basic(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccStorageDefaultObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccStorageDefaultObjectAccessControl_update(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccStorageDefaultObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testGoogleStorageDefaultObjectAccessControlBasic(bucketName, "OWNER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_default_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccStorageDefaultObjectAccessControlDestroy(s *terraform.State) error {
+ config := testAccProvider.Meta().(*Config)
+
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "google_storage_bucket_acl" {
+ continue
+ }
+
+ bucket := rs.Primary.Attributes["bucket"]
+ entity := rs.Primary.Attributes["entity"]
+
+ rePairs, err := config.clientStorage.DefaultObjectAccessControls.List(bucket).Do()
+ if err != nil {
+ return fmt.Errorf("Can't list role entity acl for bucket %s", bucket)
+ }
+
+ for _, v := range rePairs.Items {
+ if v.Entity == entity {
+ return fmt.Errorf("found entity %s as role entity acl entry in bucket %s", entity, bucket)
+ }
+ }
+
+ }
+
+ return nil
+}
+
+func testGoogleStorageDefaultObjectAccessControlBasic(bucketName, role, entity string) string {
+ return fmt.Sprintf(`
+resource "google_storage_bucket" "bucket" {
+ name = "%s"
+}
+
+resource "google_storage_default_object_access_control" "default" {
+ bucket = "${google_storage_bucket.bucket.name}"
+ role = "%s"
+ entity = "%s"
+}
+`, bucketName, role, entity)
+}
diff --git a/google/resource_storage_object_access_control_generated_test.go b/google/resource_storage_object_access_control_generated_test.go
new file mode 100644
index 00000000..1a051d92
--- /dev/null
+++ b/google/resource_storage_object_access_control_generated_test.go
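Review bot: testAccStorageDefaultObjectAccessControlDestroy filters on `rs.Type != "google_storage_bucket_acl"`, but the configs in this file only create `google_storage_default_object_access_control` (and a bucket), so every resource hits `continue` and the function returns nil without listing anything — a grant left behind on the test bucket would never be reported. Change the filter to `if rs.Type != "google_storage_default_object_access_control" {`. The same copy-pasted type string is in testAccStorageObjectAccessControlDestroy in resource_storage_object_access_control_test.go, where it should read `google_storage_object_access_control`. While here, the List failure message drops the underlying error; include it, e.g. `return fmt.Errorf("Can't list role entity acl for bucket %s: %s", bucket, err)`.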
@@ -0,0 +1,88 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageObjectAccessControl_StorageObjectAccessControlPublicObjectExample(t *testing.T) {
+ t.Parallel()
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckStorageObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccStorageObjectAccessControl_StorageObjectAccessControlPublicObjectExample(acctest.RandString(10)),
+ },
+ {
+ ResourceName: "google_storage_object_access_control.public_rule",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccStorageObjectAccessControl_StorageObjectAccessControlPublicObjectExample(val string) string {
+ return fmt.Sprintf(`
+resource "google_storage_object_access_control" "public_rule" {
+ object = "${google_storage_bucket_object.object.name}"
+ bucket = "${google_storage_bucket.bucket.name}"
+ role = "READER"
+ entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = "static-content-bucket-%s"
+}
+
+ resource "google_storage_bucket_object" "object" {
+ name = "public-object-%s"
+ bucket = "${google_storage_bucket.bucket.name}"
+ source = "test-fixtures/header-logo.png"
+}
+`, val, val,
+ )
+}
+
+func testAccCheckStorageObjectAccessControlDestroy(s *terraform.State) error {
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "google_storage_object_access_control" {
+ continue
+ }
+
+ config := testAccProvider.Meta().(*Config)
+
+ url, err := replaceVarsForTest(rs, "https://www.googleapis.com/storage/v1/b/{{bucket}}/o/{{object}}/acl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ _, err = sendRequest(config, "GET", url, nil)
+ if err == nil {
+ return fmt.Errorf("StorageObjectAccessControl still exists at %s", url)
+ }
+ }
+
+ return nil
+}
diff --git a/google/resource_storage_object_access_control_test.go b/google/resource_storage_object_access_control_test.go
new file mode 100644
index 00000000..cb2985f8
--- /dev/null
+++ b/google/resource_storage_object_access_control_test.go
@@ -0,0 +1,125 @@
+package google
+
+import (
+ "fmt"
+ "io/ioutil"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageObjectAccessControl_basic(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ objectName := testAclObjectName()
+ objectData := []byte("data data data")
+ ioutil.WriteFile(tfObjectAcl.Name(), objectData, 0644)
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccStorageObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageObjectAccessControlBasic(bucketName, objectName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccStorageObjectAccessControl_update(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ objectName := testAclObjectName()
+ objectData := []byte("data data data")
+ ioutil.WriteFile(tfObjectAcl.Name(), objectData, 0644)
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccStorageObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageObjectAccessControlBasic(bucketName, objectName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testGoogleStorageObjectAccessControlBasic(bucketName, objectName, "OWNER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_object_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccStorageObjectAccessControlDestroy(s *terraform.State) error {
+ config := testAccProvider.Meta().(*Config)
+
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "google_storage_bucket_acl" {
+ continue
+ }
+
+ bucket := rs.Primary.Attributes["bucket"]
+ object := rs.Primary.Attributes["object"]
+ entity := rs.Primary.Attributes["entity"]
+
+ rePairs, err := config.clientStorage.ObjectAccessControls.List(bucket, object).Do()
+ if err != nil {
+ return fmt.Errorf("Can't list role entity acl for object %s in bucket %s", object, bucket)
+ }
+
+ for _, v := range rePairs.Items {
+ if v.Entity == entity {
+ return fmt.Errorf("found entity %s as role entity acl entry for object %s in bucket %s", entity, object, bucket)
+ }
+ }
+
+ }
+
+ return nil
+}
+
+func testGoogleStorageObjectAccessControlBasic(bucketName, objectName, role, entity string) string {
+ return fmt.Sprintf(`
+resource "google_storage_bucket" "bucket" {
+ name = "%s"
+}
+
+resource "google_storage_bucket_object" "object" {
+ name = "%s"
+ bucket = "${google_storage_bucket.bucket.name}"
+ source = "%s"
+}
+
+resource "google_storage_object_access_control" "default" {
+ object = "${google_storage_bucket_object.object.name}"
+ bucket = "${google_storage_bucket.bucket.name}"
+ role = "%s"
+ entity = "%s"
+}
+`, bucketName, objectName, tfObjectAcl.Name(), role, entity)
+}
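Review bot: The error from `ioutil.WriteFile(tfObjectAcl.Name(), objectData, 0644)` is discarded in both TestAccStorageObjectAccessControl_basic and TestAccStorageObjectAccessControl_update, so a failure to write the fixture only surfaces later as an apply error on google_storage_bucket_object, far from its cause. Check it where it happens: `if err := ioutil.WriteFile(tfObjectAcl.Name(), objectData, 0644); err != nil { t.Fatal(err) }`. Both tests are `t.Parallel()` and write the same tfObjectAcl path concurrently; the contents are identical so it is presumably harmless, but one write in a shared setup would remove the overlap entirely.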
diff --git a/google/test-fixtures/header-logo.png b/google/test-fixtures/header-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..7d65c7a1554ac20ed40231fc67ae5d5a1f46d123 GIT binary patch literal 3368 zcmZ`*c|6qX8vl)yEiuK|_bm=HmN3KEN7n4JXB~`X#xgZhjD3w{i^(BLkv&P0Em_LG z6*ZQM2HBUQ43|3h-1GU|d*9FJ-Ja+9KHK;G<4rU((PL)hW&{9$*+3sht3bT zo!6&{Ijy5@R#PaP+L|CNOrzvthH5jHl!v^Eiq$d){iNkWWd>FYN=f~U5bIwGZ~VFZ znhF&yf`(=tvPKWm_{lAPk&^g^|Fm zhV9jjLKe-DuTGl_wg>w^iR@QT*}OUdFzUi1Mcf{WT<0EwKGn=&0Ho+@zE<|K83!}J zOwzuu8RPH}fyr)sfN;$gQ&0!H=F_*(0j8ccF$MtUIM^Pd%8;n@K*;YkWo?JvlyVs@ zQ46PE)f|^r3+p&npgVr{BP=j|AEKbeozY>KzTpQ`i2D91krq=vc0dW-!x@;K8JHW? z&CHYDV$!*owGeFN1QtYxYX@}mZo(Dz74oFNCFi+6?N-31BBZN;g{dbqtq7CZUD@J5 z`CM?Yv?EwNWq|!^{D7R%j@oUwV!BXY58BY(Q$i0l5D0-ug{111egsX2A&ajR!j0{N z?+xm`cYi()3tP{zIOv_F*TCE?U#$z&l^f=UJHl|Ke+o!$gFQm^KQj$$7w?nLIhQ(R zvO_2DB);&Q{vKyIAQ3w!pwiXK5hEzz%u4?P#Jm&j;&QAUB$Cl675p4Dz#cWGeaRw7 zJSCDW2u*qI<&ZN}E>kfN7*BUibWvCKd)1;d*Qfonj6n2Uw15s3TdRA854G`ToWZ`;E&%L!T)EAEkcl6}z)4fp%DDrG3(>#SVoP8w z)wWMl_h7Ws!FRK7#L*PWo`odErwgi!#=X_PQ%F<7DHVT8>+;~hAlJMwo^LUdU-Q@? 
z{TAfM$s!l|a(ds^6Kga%rxa!YIL#$Si8ihPr938Fe9w&34k!7fa}4ffQ#Eb)@tZ|J zQjEoUOi`~nK2t)9mOb7O#bEx`e7D5Hiv1C2EN&4sscT?XRATBaO-g!D*f-Sgt$`OM zrSxl7>2cia8PXf`V7?7 zdqP98oLa_0SkY`SPl8Rt&BRrG(ezWVZ#_wPB{G-xMqfhzo&K@=rXI&1GfZT>h>;e@ zNeGD7X9%QCo1bMnmZU0{nr<**Qd;DA4_SOYv+#{=w=5bi&*LHGK|-%|zsMHrUhI+g zxc%C*C;Lr)dXt!{lwO)b+GeKv>x$cDX{sXcV9HR_ton48Tc)>RnHo|=r~OzOlQzvZ zhsdI|GP8;R1J|^qdy5uorGAT^KFr&Um-WGA-X+~u#^%yy$jb2w_=Ed*J<8aMpBR>E zFXW}8xQhMm_F9=(LM_xw$q)Cg=651Hkt;9!H@Uw|<|-G;J9jw6mZet>mkgI}*kwIf ztROvlZds?hoycw9hw{Jm-ms49V>5c5@<%@*e;~g=<6w3#ezE#_Vrb3}?rooK=yo9U z1!iaF$j(bCM%+cDH>4GkBuR`!QPg`H5Z}UgxMiWOT?vIpgqHdQMy}K|fGqgO&H!?EJH0)4jQ}x}f;I8RA)3?(_)1?}& zF5ayE)nj)%W?~DIghpgPR8OtdfIGVT&bF7lna`Jdn}f~sc`>l_l)=xP8 zsZMz=cST`Yu001qTJL+*`=jsmmy?^)o1vQ^CUml9@&$+tq>5u+Cc&XPSc?*c%f6D0 z$yUt1S?}2IKDIPSBh9~)Q#XmbHl6Cj;ZZ+U*}hWN z6x}q~+!p>yYd~nKaJaCbQlF)mW4H?8#;eAw49~y3H|w#Qxqu&DF!c(iSW$}lVGwTU zEVSGXK7a4?%OJ$8aA0vmXCps8>lvo8hWv<}-|+Q$Fxhu9o~!c)Tc=#7FN+aNpyL&;mJU)oI1%<#5gxpykhSsxhHUy~jbHRBwI(9-SFEi;DlmJ9TI>Q zn|Iu!xL$PiZC7b8{n*ofGme=_>-fE) z9auT*MRs3gWUg7RZ09$RRo9kJ&w>r%B90tbIRbo0tOmZWn{G5*dHwd z-gog1*qr7Yl#l-6$I;R!^G`bQ*F&%W;A*DP$Rb{i{gPz;M=0%sC}gB)yQDjzGe=g_ z_Kzr(k#0q9QuoY=n9^w+n8l;P)7m4 z?!B*aC7*4VEx}vuiMnf8*NI8y2A;T}>%pmhqFCd}ov-3O7dq}t;Zmo_*=4uxWT-yt zAQ*+^8|TYb5z98;9@Dr>oS_aj^?81n@}J&7>?$)#GZ`{9vpr_Q?RjszPu#TpaHgKX zF~PAs9XZ)HJybv9Pr2o``)TP@o0C=}$;ex5S8SC4n+|IleY(}k|A~K{-@wkr?(3zd zCe?4@lBUqrinS8&a;qxxMMTZb+SUH>?^I^GbEnvNcdn-q*7k*_b^5GNSQn3tFP1M- z6wMX?)EFW@Dzh$=DWQhu5N(4*m%8Uv;-5b+TGUHk{1_TY?XD5)!U}v>nR@Rs6;NW{ zP%}dd7gAr}pzIXWnk+aDUH!C6-n8U+47*X!^j;4p?!>!fJGDM<(OZ1&Hiy$n^XY)O_tphv zw^g|Q;xU5L^`R;33A4b@eiFc@|=fl-+OD`daUCaF) zjh6^jQ|?oZ6FlS(BODWi7NSARtU6^snGVA;h3pN5@1CW|eF@w@(;!i7I#zIz>bd7o z^y*R&w$=CUSG%2Bz38Pjo0jD81NqFKc^fbAw!Y6+Vz-lPMbt&=ouT1~EyFdRpmVD% zyBbo?JWcA}-nBxBXZ!$9=sw|7dY-R=tugoq8LHUA_CY(dMVLb26_OX zp}|<$;%zS&tGMI*p{^b{H#9WFKj83l3joLvmBXVy8t*C?;_rtIRtZrP{$-(Zcs>%t zgav<@;CfnOVf{M^{P+4JhMnOSAWRQoaiUsQYU+}}5ny@z>AD{w*5eNh* 
zK>>;j@`A}B5D1v8JWO6*=FmbW_$n6f8X|)Y7WwVu-+oZ&VD}(Q03L(G3Lg1&b;Di8 zs|gDq1^RpZ&J!Ji`A;Nl@Ly#e76?1iz~rE^u>S?aV?6&4>`3z)_N%Vn;gCnpRLn3T zXg@m?#vhFhK1@wrP6_!d%6}>TljlExw*L?K55+%#M|r5224T>LEjnt1x*QVrU$VdK zk+7pK{iAEYDfuNm&GFZ*O;#c!Ci)b3C-oUXR(u jg_AjYNESfHMVit96Ya-#!dax_j^2oYt_iAA+a>B>-**I5 literal 0 HcmV?d00001 diff --git a/website/docs/r/storage_default_object_access_control.html.markdown b/website/docs/r/storage_default_object_access_control.html.markdown new file mode 100644 index 00000000..17881b23 --- /dev/null +++ b/website/docs/r/storage_default_object_access_control.html.markdown 
@@ -0,0 +1,139 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +layout: "google" +page_title: "Google: google_storage_default_object_access_control" +sidebar_current: "docs-google-storage-default-object-access-control" +description: |- + The DefaultObjectAccessControls resources represent the Access Control + Lists (ACLs) applied to a new object within a Google Cloud Storage bucket + when no ACL was provided for that object. +--- + +# google\_storage\_default\_object\_access\_control + +The DefaultObjectAccessControls resources represent the Access Control +Lists (ACLs) applied to a new object within a Google Cloud Storage bucket +when no ACL was provided for that object. ACLs let you specify who has +access to your bucket contents and to what extent. + +There are two roles that can be assigned to an entity: + +READERs can get an object, though the acl property will not be revealed. +OWNERs are READERs, and they can get the acl property, update an object, +and call all objectAccessControls methods on the object. The owner of an +object is always an OWNER. +For more information, see Access Control, with the caveat that this API +uses READER and OWNER instead of READ and FULL_CONTROL. 
+ + +To get more information about DefaultObjectAccessControl, see: + +* [API documentation](https://cloud.google.com/storage/docs/json_api/v1/defaultObjectAccessControls) +* How-to Guides + * [Official Documentation](https://cloud.google.com/storage/docs/access-control/create-manage-lists) + + +## Example Usage - Storage Default Object Access Control Public + + +```hcl +resource "google_storage_default_object_access_control" "public_rule" { + bucket = "${google_storage_bucket.bucket.name}" + role = "READER" + entity = "allUsers" +} + +resource "google_storage_bucket" "bucket" { + name = "static-content-bucket" +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `bucket` - + (Required) + The name of the bucket. + +* `entity` - + (Required) + The entity holding the permission, in one of the following forms: + * user-{{userId}} + * user-{{email}} (such as "user-liz@example.com") + * group-{{groupId}} + * group-{{email}} (such as "group-example@googlegroups.com") + * domain-{{domain}} (such as "domain-example.com") + * project-team-{{projectId}} + * allUsers + * allAuthenticatedUsers + +* `role` - + (Required) + The access permission for the entity. + + +- - - + + +* `object` - + (Optional) + The name of the object, if applied to an object. + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + + +* `domain` - + The domain associated with the entity. + +* `email` - + The email address associated with the entity. + +* `entity_id` - + The ID for the entity + +* `generation` - + The content generation of the object, if applied to an object. + +* `project_team` - + The project team associated with the entity Structure is documented below. + + +The `project_team` block contains: + +* `project_number` - + (Optional) + The project team associated with the entity + +* `team` - + (Optional) + The team. 
+ + +## Import + +DefaultObjectAccessControl can be imported using any of these accepted formats: + +``` +$ terraform import google_storage_default_object_access_control.default {{bucket}}/{{entity}} +``` diff --git a/website/docs/r/storage_default_object_acl.html.markdown b/website/docs/r/storage_default_object_acl.html.markdown index 9295575f..413715d3 100644 --- a/website/docs/r/storage_default_object_acl.html.markdown +++ b/website/docs/r/storage_default_object_acl.html.markdown @@ -14,12 +14,14 @@ without managing the bucket itself. -> Note that for each object, its creator will have the `"OWNER"` role in addition to the default ACL that has been defined. - For more information see [the official documentation](https://cloud.google.com/storage/docs/access-control/lists) and [API](https://cloud.google.com/storage/docs/json_api/v1/defaultObjectAccessControls). +-> Want fine-grained control over default object ACLs? Use `google_storage_default_object_access_control` +to control individual role entity pairs. + ## Example Usage Example creating a default object ACL on a bucket with one owner, and one reader. diff --git a/website/docs/r/storage_object_access_control.html.markdown b/website/docs/r/storage_object_access_control.html.markdown index 31faa226..a2179234 100644 --- a/website/docs/r/storage_object_access_control.html.markdown +++ b/website/docs/r/storage_object_access_control.html.markdown @@ -42,6 +42,11 @@ To get more information about ObjectAccessControl, see: * How-to Guides * [Official Documentation](https://cloud.google.com/storage/docs/access-control/create-manage-lists) + ## Example Usage - Storage Object Access Control Public Object @@ -60,7 +65,7 @@ resource "google_storage_bucket" "bucket" { resource "google_storage_bucket_object" "object" { name = "public-object" bucket = "${google_storage_bucket.bucket.name}" - source = "../static/img/header-logo.jpg" + source = "../static/img/header-logo.png" } ```