Bring Access Context Manager / VPC Service Controls to GA (#3358)
<!-- This change is generated by MagicModules. --> /cc @rileykarson
This commit is contained in:
parent
d1dbdb0252
commit
95191ed06e
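--- a/google/access_context_manager_operation.go
+++ b/google/access_context_manager_operation.go
@@ -0,0 +1,46 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+
+import (
+"fmt"
+)
+
+type AccessContextManagerOperationWaiter struct {
+Config *Config
+CommonOperationWaiter
+}
+
+func (w *AccessContextManagerOperationWaiter) QueryOp() (interface{}, error) {
+if w == nil {
+return nil, fmt.Errorf("Cannot query operation, it's unset or nil.")
+}
+// Returns the proper get.
+url := fmt.Sprintf("https://accesscontextmanager.googleapis.com/v1/%s", w.CommonOperationWaiter.Op.Name)
+return sendRequest(w.Config, "GET", url, nil)
+}
+
+func accessContextManagerOperationWaitTime(config *Config, op map[string]interface{}, activity string, timeoutMinutes int) error {
+if val, ok := op["name"]; !ok || val == "" {
+// This was a synchronous call - there is no operation to wait for.
+return nil
+}
+w := &AccessContextManagerOperationWaiter{
+Config: config,
+}
+if err := w.CommonOperationWaiter.SetOp(op); err != nil {
+return err
+}
+return OperationWait(w, activity, timeoutMinutes)
+}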
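Review bot: `QueryOp` guards against a nil receiver but then dereferences `w.CommonOperationWaiter.Op.Name` unconditionally, so if `Op` is a pointer that has not been set yet the waiter panics instead of returning the error the nil check was written for. `CommonOperationWaiter` is declared outside this file, so whether `Op` is a pointer is inferred; if it is, widen the guard to `if w == nil || w.CommonOperationWaiter.Op == nil { return nil, fmt.Errorf("Cannot query operation, it's unset or nil.") }`. In this file `accessContextManagerOperationWaitTime` always calls `SetOp` before handing the waiter to `OperationWait`, so the exposure is limited to any other caller of `QueryOp`. Because the file is generated, the change belongs in the Magic Modules template rather than in this file directly.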
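--- a/google/provider_access_context_manager_gen.go
+++ b/google/provider_access_context_manager_gen.go
@@ -0,0 +1,23 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import "github.com/hashicorp/terraform/helper/schema"
+
+var GeneratedAccessContextManagerResourcesMap = map[string]*schema.Resource{
+"google_access_context_manager_access_policy": resourceAccessContextManagerAccessPolicy(),
+"google_access_context_manager_access_level": resourceAccessContextManagerAccessLevel(),
+"google_access_context_manager_service_perimeter": resourceAccessContextManagerServicePerimeter(),
+}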
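--- a/google/resource_access_context_manager_access_level.go
+++ b/google/resource_access_context_manager_access_level.go
@@ -0,0 +1,706 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+"fmt"
+"log"
+"reflect"
+"strings"
+"time"
+
+"github.com/hashicorp/terraform/helper/schema"
+"github.com/hashicorp/terraform/helper/validation"
+)
+
+func resourceAccessContextManagerAccessLevel() *schema.Resource {
+return &schema.Resource{
+Create: resourceAccessContextManagerAccessLevelCreate,
+Read: resourceAccessContextManagerAccessLevelRead,
+Update: resourceAccessContextManagerAccessLevelUpdate,
+Delete: resourceAccessContextManagerAccessLevelDelete,
+
+Importer: &schema.ResourceImporter{
+State: resourceAccessContextManagerAccessLevelImport,
+},
+
+Timeouts: &schema.ResourceTimeout{
+Create: schema.DefaultTimeout(360 * time.Second),
+Update: schema.DefaultTimeout(360 * time.Second),
+Delete: schema.DefaultTimeout(360 * time.Second),
+},
+
+Schema: map[string]*schema.Schema{
+"name": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+"parent": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+"title": {
+Type: schema.TypeString,
+Required: true,
+},
+"basic": {
+Type: schema.TypeList,
+Optional: true,
+MaxItems: 1,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"conditions": {
+Type: schema.TypeList,
+Required: true,
+MinItems: 1,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"device_policy": {
+Type: schema.TypeList,
+Optional: true,
+MaxItems: 1,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"allowed_device_management_levels": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"allowed_encryption_statuses": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"os_constraints": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"minimum_version": {
+Type: schema.TypeString,
+Optional: true,
+},
+"os_type": {
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: validation.StringInSlice([]string{"OS_UNSPECIFIED", "DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX", "DESKTOP_CHROME_OS", ""}, false),
+},
+},
+},
+},
+"require_screen_lock": {
+Type: schema.TypeBool,
+Optional: true,
+},
+},
+},
+},
+"ip_subnetworks": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"members": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"negate": {
+Type: schema.TypeBool,
+Optional: true,
+},
+"required_access_levels": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+},
+},
+},
+"combining_function": {
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: validation.StringInSlice([]string{"AND", "OR", ""}, false),
+Default: "AND",
+},
+},
+},
+},
+"description": {
+Type: schema.TypeString,
+Optional: true,
+},
+},
+}
+}
+
+func resourceAccessContextManagerAccessLevelCreate(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+obj := make(map[string]interface{})
+titleProp, err := expandAccessContextManagerAccessLevelTitle(d.Get("title"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+obj["title"] = titleProp
+}
+descriptionProp, err := expandAccessContextManagerAccessLevelDescription(d.Get("description"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+obj["description"] = descriptionProp
+}
+basicProp, err := expandAccessContextManagerAccessLevelBasic(d.Get("basic"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("basic"); !isEmptyValue(reflect.ValueOf(basicProp)) && (ok || !reflect.DeepEqual(v, basicProp)) {
+obj["basic"] = basicProp
+}
+parentProp, err := expandAccessContextManagerAccessLevelParent(d.Get("parent"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("parent"); !isEmptyValue(reflect.ValueOf(parentProp)) && (ok || !reflect.DeepEqual(v, parentProp)) {
+obj["parent"] = parentProp
+}
+nameProp, err := expandAccessContextManagerAccessLevelName(d.Get("name"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("name"); !isEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) {
+obj["name"] = nameProp
+}
+
+obj, err = resourceAccessContextManagerAccessLevelEncoder(d, meta, obj)
+if err != nil {
+return err
+}
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{parent}}/accessLevels")
+if err != nil {
+return err
+}
+
+log.Printf("[DEBUG] Creating new AccessLevel: %#v", obj)
+res, err := sendRequestWithTimeout(config, "POST", url, obj, d.Timeout(schema.TimeoutCreate))
+if err != nil {
+return fmt.Errorf("Error creating AccessLevel: %s", err)
+}
+
+// Store the ID now
+id, err := replaceVars(d, config, "{{name}}")
+if err != nil {
+return fmt.Errorf("Error constructing id: %s", err)
+}
+d.SetId(id)
+
+waitErr := accessContextManagerOperationWaitTime(
+config, res, "Creating AccessLevel",
+int(d.Timeout(schema.TimeoutCreate).Minutes()))
+
+if waitErr != nil {
+// The resource didn't actually create
+d.SetId("")
+return fmt.Errorf("Error waiting to create AccessLevel: %s", waitErr)
+}
+
+log.Printf("[DEBUG] Finished creating AccessLevel %q: %#v", d.Id(), res)
+
+return resourceAccessContextManagerAccessLevelRead(d, meta)
+}
+
+func resourceAccessContextManagerAccessLevelRead(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+if err != nil {
+return err
+}
+
+res, err := sendRequest(config, "GET", url, nil)
+if err != nil {
+return handleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerAccessLevel %q", d.Id()))
+}
+
+if err := d.Set("title", flattenAccessContextManagerAccessLevelTitle(res["title"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+if err := d.Set("description", flattenAccessContextManagerAccessLevelDescription(res["description"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+if err := d.Set("basic", flattenAccessContextManagerAccessLevelBasic(res["basic"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+if err := d.Set("name", flattenAccessContextManagerAccessLevelName(res["name"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+
+return nil
+}
+
+func resourceAccessContextManagerAccessLevelUpdate(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+obj := make(map[string]interface{})
+titleProp, err := expandAccessContextManagerAccessLevelTitle(d.Get("title"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+obj["title"] = titleProp
+}
+descriptionProp, err := expandAccessContextManagerAccessLevelDescription(d.Get("description"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+obj["description"] = descriptionProp
+}
+basicProp, err := expandAccessContextManagerAccessLevelBasic(d.Get("basic"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("basic"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, basicProp)) {
+obj["basic"] = basicProp
+}
+
+obj, err = resourceAccessContextManagerAccessLevelEncoder(d, meta, obj)
+if err != nil {
+return err
+}
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+if err != nil {
+return err
+}
+
+log.Printf("[DEBUG] Updating AccessLevel %q: %#v", d.Id(), obj)
+updateMask := []string{}
+
+if d.HasChange("title") {
+updateMask = append(updateMask, "title")
+}
+
+if d.HasChange("description") {
+updateMask = append(updateMask, "description")
+}
+
+if d.HasChange("basic") {
+updateMask = append(updateMask, "basic")
+}
+// updateMask is a URL parameter but not present in the schema, so replaceVars
+// won't set it
+url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+if err != nil {
+return err
+}
+res, err := sendRequestWithTimeout(config, "PATCH", url, obj, d.Timeout(schema.TimeoutUpdate))
+
+if err != nil {
+return fmt.Errorf("Error updating AccessLevel %q: %s", d.Id(), err)
+}
+
+err = accessContextManagerOperationWaitTime(
+config, res, "Updating AccessLevel",
+int(d.Timeout(schema.TimeoutUpdate).Minutes()))
+
+if err != nil {
+return err
+}
+
+return resourceAccessContextManagerAccessLevelRead(d, meta)
+}
+
+func resourceAccessContextManagerAccessLevelDelete(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+if err != nil {
+return err
+}
+
+var obj map[string]interface{}
+log.Printf("[DEBUG] Deleting AccessLevel %q", d.Id())
+res, err := sendRequestWithTimeout(config, "DELETE", url, obj, d.Timeout(schema.TimeoutDelete))
+if err != nil {
+return handleNotFoundError(err, d, "AccessLevel")
+}
+
+err = accessContextManagerOperationWaitTime(
+config, res, "Deleting AccessLevel",
+int(d.Timeout(schema.TimeoutDelete).Minutes()))
+
+if err != nil {
+return err
+}
+
+log.Printf("[DEBUG] Finished deleting AccessLevel %q: %#v", d.Id(), res)
+return nil
+}
+
+func resourceAccessContextManagerAccessLevelImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+config := meta.(*Config)
+
+// current import_formats can't import ids with forward slashes in them.
+if err := parseImportId([]string{"(?P<name>.+)"}, d, config); err != nil {
+return nil, err
+}
+stringParts := strings.Split(d.Get("name").(string), "/")
+d.Set("parent", fmt.Sprintf("%s/%s", stringParts[0], stringParts[1]))
+return []*schema.ResourceData{d}, nil
+}
+
+func flattenAccessContextManagerAccessLevelTitle(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelDescription(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasic(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return nil
+}
+original := v.(map[string]interface{})
+if len(original) == 0 {
+return nil
+}
+transformed := make(map[string]interface{})
+transformed["combining_function"] =
+flattenAccessContextManagerAccessLevelBasicCombiningFunction(original["combiningFunction"], d)
+transformed["conditions"] =
+flattenAccessContextManagerAccessLevelBasicConditions(original["conditions"], d)
+return []interface{}{transformed}
+}
+func flattenAccessContextManagerAccessLevelBasicCombiningFunction(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil || v.(string) == "" {
+return "AND"
+}
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditions(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return v
+}
+l := v.([]interface{})
+transformed := make([]interface{}, 0, len(l))
+for _, raw := range l {
+original := raw.(map[string]interface{})
+if len(original) < 1 {
+// Do not include empty json objects coming back from the api
+continue
+}
+transformed = append(transformed, map[string]interface{}{
+"ip_subnetworks": flattenAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(original["ipSubnetworks"], d),
+"required_access_levels": flattenAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(original["requiredAccessLevels"], d),
+"members": flattenAccessContextManagerAccessLevelBasicConditionsMembers(original["members"], d),
+"negate": flattenAccessContextManagerAccessLevelBasicConditionsNegate(original["negate"], d),
+"device_policy": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicy(original["devicePolicy"], d),
+})
+}
+return transformed
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsMembers(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsNegate(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicy(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return nil
+}
+original := v.(map[string]interface{})
+if len(original) == 0 {
+return nil
+}
+transformed := make(map[string]interface{})
+transformed["require_screen_lock"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(original["requireScreenLock"], d)
+transformed["allowed_encryption_statuses"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(original["allowedEncryptionStatuses"], d)
+transformed["allowed_device_management_levels"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(original["allowedDeviceManagementLevels"], d)
+transformed["os_constraints"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(original["osConstraints"], d)
+return []interface{}{transformed}
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return v
+}
+l := v.([]interface{})
+transformed := make([]interface{}, 0, len(l))
+for _, raw := range l {
+original := raw.(map[string]interface{})
+if len(original) < 1 {
+// Do not include empty json objects coming back from the api
+continue
+}
+transformed = append(transformed, map[string]interface{}{
+"minimum_version": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(original["minimumVersion"], d),
+"os_type": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(original["osType"], d),
+})
+}
+return transformed
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessLevelName(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func expandAccessContextManagerAccessLevelTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasic(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+if len(l) == 0 || l[0] == nil {
+return nil, nil
+}
+raw := l[0]
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+
+transformedCombiningFunction, err := expandAccessContextManagerAccessLevelBasicCombiningFunction(original["combining_function"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedCombiningFunction); val.IsValid() && !isEmptyValue(val) {
+transformed["combiningFunction"] = transformedCombiningFunction
+}
+
+transformedConditions, err := expandAccessContextManagerAccessLevelBasicConditions(original["conditions"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedConditions); val.IsValid() && !isEmptyValue(val) {
+transformed["conditions"] = transformedConditions
+}
+
+return transformed, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicCombiningFunction(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditions(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+req := make([]interface{}, 0, len(l))
+for _, raw := range l {
+if raw == nil {
+continue
+}
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+
+transformedIpSubnetworks, err := expandAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(original["ip_subnetworks"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedIpSubnetworks); val.IsValid() && !isEmptyValue(val) {
+transformed["ipSubnetworks"] = transformedIpSubnetworks
+}
+
+transformedRequiredAccessLevels, err := expandAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(original["required_access_levels"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedRequiredAccessLevels); val.IsValid() && !isEmptyValue(val) {
+transformed["requiredAccessLevels"] = transformedRequiredAccessLevels
+}
+
+transformedMembers, err := expandAccessContextManagerAccessLevelBasicConditionsMembers(original["members"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedMembers); val.IsValid() && !isEmptyValue(val) {
+transformed["members"] = transformedMembers
+}
+
+transformedNegate, err := expandAccessContextManagerAccessLevelBasicConditionsNegate(original["negate"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedNegate); val.IsValid() && !isEmptyValue(val) {
+transformed["negate"] = transformedNegate
+}
+
+transformedDevicePolicy, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicy(original["device_policy"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedDevicePolicy); val.IsValid() && !isEmptyValue(val) {
+transformed["devicePolicy"] = transformedDevicePolicy
+}
+
+req = append(req, transformed)
+}
+return req, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsMembers(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsNegate(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicy(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+if len(l) == 0 || l[0] == nil {
+return nil, nil
+}
+raw := l[0]
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+
+transformedRequireScreenLock, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(original["require_screen_lock"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedRequireScreenLock); val.IsValid() && !isEmptyValue(val) {
+transformed["requireScreenLock"] = transformedRequireScreenLock
+}
+
+transformedAllowedEncryptionStatuses, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(original["allowed_encryption_statuses"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedAllowedEncryptionStatuses); val.IsValid() && !isEmptyValue(val) {
+transformed["allowedEncryptionStatuses"] = transformedAllowedEncryptionStatuses
+}
+
+transformedAllowedDeviceManagementLevels, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(original["allowed_device_management_levels"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedAllowedDeviceManagementLevels); val.IsValid() && !isEmptyValue(val) {
+transformed["allowedDeviceManagementLevels"] = transformedAllowedDeviceManagementLevels
+}
+
+transformedOsConstraints, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(original["os_constraints"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedOsConstraints); val.IsValid() && !isEmptyValue(val) {
+transformed["osConstraints"] = transformedOsConstraints
+}
+
+return transformed, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+req := make([]interface{}, 0, len(l))
+for _, raw := range l {
+if raw == nil {
+continue
+}
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+
+transformedMinimumVersion, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(original["minimum_version"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedMinimumVersion); val.IsValid() && !isEmptyValue(val) {
+transformed["minimumVersion"] = transformedMinimumVersion
+}
+
+transformedOsType, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(original["os_type"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedOsType); val.IsValid() && !isEmptyValue(val) {
+transformed["osType"] = transformedOsType
+}
+
+req = append(req, transformed)
+}
+return req, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessLevelName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func resourceAccessContextManagerAccessLevelEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
+delete(obj, "parent")
+return obj, nil
+}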
|
@ -1,3 +1,156 @@
|
|||
package google
|
||||
|
||||
// Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now.
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
)
|
||||
|
||||
// Since each test here is acting on the same organization and only one AccessPolicy
|
||||
// can exist, they need to be ran serially. See AccessPolicy for the test runner.
|
||||
|
||||
func testAccAccessContextManagerAccessLevel_basicTest(t *testing.T) {
|
||||
org := getTestOrgFromEnv(t)
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAccessContextManagerAccessLevel_basic(org, "my policy", "level"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_access_level.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
{
|
||||
Config: testAccAccessContextManagerAccessLevel_basicUpdated(org, "my new policy", "level"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_access_level.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerAccessLevel_fullTest(t *testing.T) {
|
||||
org := getTestOrgFromEnv(t)
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAccessContextManagerAccessLevel_full(org, "my policy", "level"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_access_level.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckAccessContextManagerAccessLevelDestroy(s *terraform.State) error {
|
||||
for _, rs := range s.RootModule().Resources {
|
||||
if rs.Type != "google_access_context_manager_access_level" {
|
||||
continue
|
||||
}
|
||||
|
||||
config := testAccProvider.Meta().(*Config)
|
||||
|
||||
url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/{{name}}")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = sendRequest(config, "GET", url, nil)
|
||||
if err == nil {
|
||||
return fmt.Errorf("AccessLevel still exists at %s", url)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerAccessLevel_basic(org, policyTitle, levelTitleName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
|
||||
title = "%s"
|
||||
description = "hello"
|
||||
basic {
|
||||
combining_function = "AND"
|
||||
conditions {
|
||||
ip_subnetworks = ["192.0.4.0/24"]
|
||||
}
|
||||
}
|
||||
}
|
||||
`, org, policyTitle, levelTitleName, levelTitleName)
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerAccessLevel_basicUpdated(org, policyTitle, levelTitleName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
|
||||
title = "%s"
|
||||
description = "hello"
|
||||
basic {
|
||||
combining_function = "OR"
|
||||
conditions {
|
||||
ip_subnetworks = ["192.0.2.0/24"]
|
||||
}
|
||||
}
|
||||
}
|
||||
`, org, policyTitle, levelTitleName, levelTitleName)
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerAccessLevel_full(org, policyTitle, levelTitleName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
|
||||
title = "%s"
|
||||
description = "hello"
|
||||
basic {
|
||||
combining_function = "AND"
|
||||
conditions {
|
||||
ip_subnetworks = ["192.0.4.0/24"]
|
||||
members = ["user:test@google.com", "user:test2@google.com"]
|
||||
negate = false
|
||||
device_policy {
|
||||
require_screen_lock = false
|
||||
os_constraints {
|
||||
os_type = "DESKTOP_CHROME_OS"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
`, org, policyTitle, levelTitleName, levelTitleName)
|
||||
}
|
||||
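Review bot: testAccCheckAccessContextManagerAccessLevelDestroy still probes the beta surface, `replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/{{name}}")`, while the resource under test now creates, reads and deletes through `/v1/` elsewhere in this commit, so the destroy check and the provider consult different API versions; the same mismatch appears in testAccCheckAccessContextManagerAccessPolicyDestroy in the access-policy test hunk. The two surfaces presumably resolve to the same backing objects today, but a divergence or later removal of the beta endpoint would silently turn the check into a false pass, because `if err == nil` treats any error from the GET — not only a not-found response — as proof of deletion. Change the URL to `"https://accesscontextmanager.googleapis.com/v1/{{name}}"` (and `.../v1/accessPolicies/{{name}}` in the access-policy check) and consider returning non-404 errors instead of swallowing them, so a transient failure cannot mask a leaked access level.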
|
|
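--- a/google/resource_access_context_manager_access_policy.go
+++ b/google/resource_access_context_manager_access_policy.go
@@ -0,0 +1,279 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+"fmt"
+"log"
+"reflect"
+"strings"
+"time"
+
+"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAccessContextManagerAccessPolicy() *schema.Resource {
+return &schema.Resource{
+Create: resourceAccessContextManagerAccessPolicyCreate,
+Read: resourceAccessContextManagerAccessPolicyRead,
+Update: resourceAccessContextManagerAccessPolicyUpdate,
+Delete: resourceAccessContextManagerAccessPolicyDelete,
+
+Importer: &schema.ResourceImporter{
+State: resourceAccessContextManagerAccessPolicyImport,
+},
+
+Timeouts: &schema.ResourceTimeout{
+Create: schema.DefaultTimeout(360 * time.Second),
+Update: schema.DefaultTimeout(360 * time.Second),
+Delete: schema.DefaultTimeout(360 * time.Second),
+},
+
+Schema: map[string]*schema.Schema{
+"parent": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+"title": {
+Type: schema.TypeString,
+Required: true,
+},
+"create_time": {
+Type: schema.TypeString,
+Computed: true,
+},
+"name": {
+Type: schema.TypeString,
+Computed: true,
+},
+"update_time": {
+Type: schema.TypeString,
+Computed: true,
+},
+},
+}
+}
+
+func resourceAccessContextManagerAccessPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+obj := make(map[string]interface{})
+parentProp, err := expandAccessContextManagerAccessPolicyParent(d.Get("parent"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("parent"); !isEmptyValue(reflect.ValueOf(parentProp)) && (ok || !reflect.DeepEqual(v, parentProp)) {
+obj["parent"] = parentProp
+}
+titleProp, err := expandAccessContextManagerAccessPolicyTitle(d.Get("title"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+obj["title"] = titleProp
+}
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies")
+if err != nil {
+return err
+}
+
+log.Printf("[DEBUG] Creating new AccessPolicy: %#v", obj)
+res, err := sendRequestWithTimeout(config, "POST", url, obj, d.Timeout(schema.TimeoutCreate))
+if err != nil {
+return fmt.Errorf("Error creating AccessPolicy: %s", err)
+}
+
+// Store the ID now
+id, err := replaceVars(d, config, "{{name}}")
+if err != nil {
+return fmt.Errorf("Error constructing id: %s", err)
+}
+d.SetId(id)
+
+waitErr := accessContextManagerOperationWaitTime(
+config, res, "Creating AccessPolicy",
+int(d.Timeout(schema.TimeoutCreate).Minutes()))
+
+if waitErr != nil {
+// The resource didn't actually create
+d.SetId("")
+return fmt.Errorf("Error waiting to create AccessPolicy: %s", waitErr)
+}
+
+log.Printf("[DEBUG] Finished creating AccessPolicy %q: %#v", d.Id(), res)
+
+// The operation for this resource contains the generated name that we need
+// in order to perform a READ. We need to access the object inside of it as
+// a map[string]interface, so let's do that.
+
+resp := res["response"].(map[string]interface{})
+name := GetResourceNameFromSelfLink(resp["name"].(string))
+log.Printf("[DEBUG] Setting AccessPolicy name, id to %s", name)
+d.Set("name", name)
+d.SetId(name)
+
+return resourceAccessContextManagerAccessPolicyRead(d, meta)
+}
+
+func resourceAccessContextManagerAccessPolicyRead(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies/{{name}}")
+if err != nil {
+return err
+}
+
+res, err := sendRequest(config, "GET", url, nil)
+if err != nil {
+return handleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerAccessPolicy %q", d.Id()))
+}
+
+if err := d.Set("name", flattenAccessContextManagerAccessPolicyName(res["name"], d)); err != nil {
+return fmt.Errorf("Error reading AccessPolicy: %s", err)
+}
+if err := d.Set("create_time", flattenAccessContextManagerAccessPolicyCreateTime(res["createTime"], d)); err != nil {
+return fmt.Errorf("Error reading AccessPolicy: %s", err)
+}
+if err := d.Set("update_time", flattenAccessContextManagerAccessPolicyUpdateTime(res["updateTime"], d)); err != nil {
+return fmt.Errorf("Error reading AccessPolicy: %s", err)
+}
+if err := d.Set("parent", flattenAccessContextManagerAccessPolicyParent(res["parent"], d)); err != nil {
+return fmt.Errorf("Error reading AccessPolicy: %s", err)
+}
+if err := d.Set("title", flattenAccessContextManagerAccessPolicyTitle(res["title"], d)); err != nil {
+return fmt.Errorf("Error reading AccessPolicy: %s", err)
+}
+
+return nil
+}
+
+func resourceAccessContextManagerAccessPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+obj := make(map[string]interface{})
+titleProp, err := expandAccessContextManagerAccessPolicyTitle(d.Get("title"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+obj["title"] = titleProp
+}
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies/{{name}}")
+if err != nil {
+return err
+}
+
+log.Printf("[DEBUG] Updating AccessPolicy %q: %#v", d.Id(), obj)
+updateMask := []string{}
+
+if d.HasChange("title") {
+updateMask = append(updateMask, "title")
+}
+// updateMask is a URL parameter but not present in the schema, so replaceVars
+// won't set it
+url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+if err != nil {
+return err
+}
+res, err := sendRequestWithTimeout(config, "PATCH", url, obj, d.Timeout(schema.TimeoutUpdate))
+
+if err != nil {
+return fmt.Errorf("Error updating AccessPolicy %q: %s", d.Id(), err)
+}
+
+err = accessContextManagerOperationWaitTime(
+config, res, "Updating AccessPolicy",
+int(d.Timeout(schema.TimeoutUpdate).Minutes()))
+
+if err != nil {
+return err
+}
+
+return resourceAccessContextManagerAccessPolicyRead(d, meta)
+}
+
+func resourceAccessContextManagerAccessPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies/{{name}}")
+if err != nil {
+return err
+}
+
+var obj map[string]interface{}
+log.Printf("[DEBUG] Deleting AccessPolicy %q", d.Id())
+res, err := sendRequestWithTimeout(config, "DELETE", url, obj, d.Timeout(schema.TimeoutDelete))
+if err != nil {
+return handleNotFoundError(err, d, "AccessPolicy")
+}
+
+err = accessContextManagerOperationWaitTime(
+config, res, "Deleting AccessPolicy",
+int(d.Timeout(schema.TimeoutDelete).Minutes()))
+
+if err != nil {
+return err
+}
+
+log.Printf("[DEBUG] Finished deleting AccessPolicy %q: %#v", d.Id(), res)
+return nil
+}
+
+func resourceAccessContextManagerAccessPolicyImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+config := meta.(*Config)
+if err := parseImportId([]string{"(?P<name>[^/]+)"}, d, config); err != nil {
+return nil, err
+}
+
+// Replace import id for the resource id
+id, err := replaceVars(d, config, "{{name}}")
+if err != nil {
+return nil, fmt.Errorf("Error constructing id: %s", err)
+}
+d.SetId(id)
+
+return []*schema.ResourceData{d}, nil
+}
+
+func flattenAccessContextManagerAccessPolicyName(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return v
+}
+return NameFromSelfLinkStateFunc(v)
+}
+
+func flattenAccessContextManagerAccessPolicyCreateTime(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessPolicyUpdateTime(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessPolicyParent(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func flattenAccessContextManagerAccessPolicyTitle(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+
+func expandAccessContextManagerAccessPolicyParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+
+func expandAccessContextManagerAccessPolicyTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}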
|
@ -1,3 +1,91 @@
|
|||
package google
|
||||
|
||||
// Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now.
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
)
|
||||
|
||||
// Since each test here is acting on the same organization and only one AccessPolicy
|
||||
// can exist, they need to be ran serially
|
||||
func TestAccAccessContextManager(t *testing.T) {
|
||||
testCases := map[string]func(t *testing.T){
|
||||
"access_policy": testAccAccessContextManagerAccessPolicy_basicTest,
|
||||
"service_perimeter": testAccAccessContextManagerServicePerimeter_basicTest,
|
||||
"service_perimeter_update": testAccAccessContextManagerServicePerimeter_updateTest,
|
||||
"access_level": testAccAccessContextManagerAccessLevel_basicTest,
|
||||
"access_level_full": testAccAccessContextManagerAccessLevel_fullTest,
|
||||
}
|
||||
|
||||
for name, tc := range testCases {
|
||||
// shadow the tc variable into scope so that when
|
||||
// the loop continues, if t.Run hasn't executed tc(t)
|
||||
// yet, we don't have a race condition
|
||||
// see https://github.com/golang/go/wiki/CommonMistakes#using-goroutines-on-loop-iterator-variables
|
||||
tc := tc
|
||||
t.Run(name, func(t *testing.T) {
|
||||
tc(t)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerAccessPolicy_basicTest(t *testing.T) {
|
||||
org := getTestOrgFromEnv(t)
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAccessContextManagerAccessPolicyDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAccessContextManagerAccessPolicy_basic(org, "my policy"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_access_policy.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
{
|
||||
Config: testAccAccessContextManagerAccessPolicy_basic(org, "my new policy"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_access_policy.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckAccessContextManagerAccessPolicyDestroy(s *terraform.State) error {
|
||||
for _, rs := range s.RootModule().Resources {
|
||||
if rs.Type != "google_access_context_manager_access_policy" {
|
||||
continue
|
||||
}
|
||||
|
||||
config := testAccProvider.Meta().(*Config)
|
||||
|
||||
url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/accessPolicies/{{name}}")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = sendRequest(config, "GET", url, nil)
|
||||
if err == nil {
|
||||
return fmt.Errorf("AccessPolicy still exists at %s", url)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerAccessPolicy_basic(org, title string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
`, org, title)
|
||||
}
|
||||
|
|
463
google/resource_access_context_manager_service_perimeter.go
Normal file
463
google/resource_access_context_manager_service_perimeter.go
Normal file
|
@ -0,0 +1,463 @@
|
|||
// ----------------------------------------------------------------------------
|
||||
//
|
||||
// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
|
||||
//
|
||||
// ----------------------------------------------------------------------------
|
||||
//
|
||||
// This file is automatically generated by Magic Modules and manual
|
||||
// changes will be clobbered when the file is regenerated.
|
||||
//
|
||||
// Please read more about how to change this file in
|
||||
// .github/CONTRIBUTING.md.
|
||||
//
|
||||
// ----------------------------------------------------------------------------
|
||||
|
||||
package google
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"reflect"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
"github.com/hashicorp/terraform/helper/validation"
|
||||
)
|
||||
|
||||
func resourceAccessContextManagerServicePerimeter() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
Create: resourceAccessContextManagerServicePerimeterCreate,
|
||||
Read: resourceAccessContextManagerServicePerimeterRead,
|
||||
Update: resourceAccessContextManagerServicePerimeterUpdate,
|
||||
Delete: resourceAccessContextManagerServicePerimeterDelete,
|
||||
|
||||
Importer: &schema.ResourceImporter{
|
||||
State: resourceAccessContextManagerServicePerimeterImport,
|
||||
},
|
||||
|
||||
Timeouts: &schema.ResourceTimeout{
|
||||
Create: schema.DefaultTimeout(360 * time.Second),
|
||||
Update: schema.DefaultTimeout(360 * time.Second),
|
||||
Delete: schema.DefaultTimeout(360 * time.Second),
|
||||
},
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"name": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
"parent": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
"title": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
"description": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
},
|
||||
"perimeter_type": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
ValidateFunc: validation.StringInSlice([]string{"PERIMETER_TYPE_REGULAR", "PERIMETER_TYPE_BRIDGE", ""}, false),
|
||||
Default: "PERIMETER_TYPE_REGULAR",
|
||||
},
|
||||
"status": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
MaxItems: 1,
|
||||
Elem: &schema.Resource{
|
||||
Schema: map[string]*schema.Schema{
|
||||
"access_levels": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
},
|
||||
},
|
||||
"resources": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
},
|
||||
},
|
||||
"restricted_services": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"create_time": {
|
||||
Type: schema.TypeString,
|
||||
Computed: true,
|
||||
},
|
||||
"update_time": {
|
||||
Type: schema.TypeString,
|
||||
Computed: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func resourceAccessContextManagerServicePerimeterCreate(d *schema.ResourceData, meta interface{}) error {
|
||||
config := meta.(*Config)
|
||||
|
||||
obj := make(map[string]interface{})
|
||||
titleProp, err := expandAccessContextManagerServicePerimeterTitle(d.Get("title"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
|
||||
obj["title"] = titleProp
|
||||
}
|
||||
descriptionProp, err := expandAccessContextManagerServicePerimeterDescription(d.Get("description"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
|
||||
obj["description"] = descriptionProp
|
||||
}
|
||||
perimeterTypeProp, err := expandAccessContextManagerServicePerimeterPerimeterType(d.Get("perimeter_type"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("perimeter_type"); !isEmptyValue(reflect.ValueOf(perimeterTypeProp)) && (ok || !reflect.DeepEqual(v, perimeterTypeProp)) {
|
||||
obj["perimeterType"] = perimeterTypeProp
|
||||
}
|
||||
statusProp, err := expandAccessContextManagerServicePerimeterStatus(d.Get("status"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("status"); !isEmptyValue(reflect.ValueOf(statusProp)) && (ok || !reflect.DeepEqual(v, statusProp)) {
|
||||
obj["status"] = statusProp
|
||||
}
|
||||
parentProp, err := expandAccessContextManagerServicePerimeterParent(d.Get("parent"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("parent"); !isEmptyValue(reflect.ValueOf(parentProp)) && (ok || !reflect.DeepEqual(v, parentProp)) {
|
||||
obj["parent"] = parentProp
|
||||
}
|
||||
nameProp, err := expandAccessContextManagerServicePerimeterName(d.Get("name"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("name"); !isEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) {
|
||||
obj["name"] = nameProp
|
||||
}
|
||||
|
||||
obj, err = resourceAccessContextManagerServicePerimeterEncoder(d, meta, obj)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{parent}}/servicePerimeters")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Creating new ServicePerimeter: %#v", obj)
|
||||
res, err := sendRequestWithTimeout(config, "POST", url, obj, d.Timeout(schema.TimeoutCreate))
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error creating ServicePerimeter: %s", err)
|
||||
}
|
||||
|
||||
// Store the ID now
|
||||
id, err := replaceVars(d, config, "{{name}}")
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error constructing id: %s", err)
|
||||
}
|
||||
d.SetId(id)
|
||||
|
||||
waitErr := accessContextManagerOperationWaitTime(
|
||||
config, res, "Creating ServicePerimeter",
|
||||
int(d.Timeout(schema.TimeoutCreate).Minutes()))
|
||||
|
||||
if waitErr != nil {
|
||||
// The resource didn't actually create
|
||||
d.SetId("")
|
||||
return fmt.Errorf("Error waiting to create ServicePerimeter: %s", waitErr)
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Finished creating ServicePerimeter %q: %#v", d.Id(), res)
|
||||
|
||||
return resourceAccessContextManagerServicePerimeterRead(d, meta)
|
||||
}
|
||||
|
||||
func resourceAccessContextManagerServicePerimeterRead(d *schema.ResourceData, meta interface{}) error {
|
||||
config := meta.(*Config)
|
||||
|
||||
url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
res, err := sendRequest(config, "GET", url, nil)
|
||||
if err != nil {
|
||||
return handleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerServicePerimeter %q", d.Id()))
|
||||
}
|
||||
|
||||
if err := d.Set("title", flattenAccessContextManagerServicePerimeterTitle(res["title"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
if err := d.Set("description", flattenAccessContextManagerServicePerimeterDescription(res["description"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
if err := d.Set("create_time", flattenAccessContextManagerServicePerimeterCreateTime(res["createTime"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
if err := d.Set("update_time", flattenAccessContextManagerServicePerimeterUpdateTime(res["updateTime"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
if err := d.Set("perimeter_type", flattenAccessContextManagerServicePerimeterPerimeterType(res["perimeterType"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
if err := d.Set("status", flattenAccessContextManagerServicePerimeterStatus(res["status"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
if err := d.Set("name", flattenAccessContextManagerServicePerimeterName(res["name"], d)); err != nil {
|
||||
return fmt.Errorf("Error reading ServicePerimeter: %s", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func resourceAccessContextManagerServicePerimeterUpdate(d *schema.ResourceData, meta interface{}) error {
|
||||
config := meta.(*Config)
|
||||
|
||||
obj := make(map[string]interface{})
|
||||
titleProp, err := expandAccessContextManagerServicePerimeterTitle(d.Get("title"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
|
||||
obj["title"] = titleProp
|
||||
}
|
||||
descriptionProp, err := expandAccessContextManagerServicePerimeterDescription(d.Get("description"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
|
||||
obj["description"] = descriptionProp
|
||||
}
|
||||
statusProp, err := expandAccessContextManagerServicePerimeterStatus(d.Get("status"), d, config)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if v, ok := d.GetOkExists("status"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, statusProp)) {
|
||||
obj["status"] = statusProp
|
||||
}
|
||||
|
||||
obj, err = resourceAccessContextManagerServicePerimeterEncoder(d, meta, obj)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Updating ServicePerimeter %q: %#v", d.Id(), obj)
|
||||
updateMask := []string{}
|
||||
|
||||
if d.HasChange("title") {
|
||||
updateMask = append(updateMask, "title")
|
||||
}
|
||||
|
||||
if d.HasChange("description") {
|
||||
updateMask = append(updateMask, "description")
|
||||
}
|
||||
|
||||
if d.HasChange("status") {
|
||||
updateMask = append(updateMask, "status")
|
||||
}
|
||||
// updateMask is a URL parameter but not present in the schema, so replaceVars
|
||||
// won't set it
|
||||
url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
res, err := sendRequestWithTimeout(config, "PATCH", url, obj, d.Timeout(schema.TimeoutUpdate))
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error updating ServicePerimeter %q: %s", d.Id(), err)
|
||||
}
|
||||
|
||||
err = accessContextManagerOperationWaitTime(
|
||||
config, res, "Updating ServicePerimeter",
|
||||
int(d.Timeout(schema.TimeoutUpdate).Minutes()))
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return resourceAccessContextManagerServicePerimeterRead(d, meta)
|
||||
}
|
||||
|
||||
func resourceAccessContextManagerServicePerimeterDelete(d *schema.ResourceData, meta interface{}) error {
|
||||
config := meta.(*Config)
|
||||
|
||||
url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var obj map[string]interface{}
|
||||
log.Printf("[DEBUG] Deleting ServicePerimeter %q", d.Id())
|
||||
res, err := sendRequestWithTimeout(config, "DELETE", url, obj, d.Timeout(schema.TimeoutDelete))
|
||||
if err != nil {
|
||||
return handleNotFoundError(err, d, "ServicePerimeter")
|
||||
}
|
||||
|
||||
err = accessContextManagerOperationWaitTime(
|
||||
config, res, "Deleting ServicePerimeter",
|
||||
int(d.Timeout(schema.TimeoutDelete).Minutes()))
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Finished deleting ServicePerimeter %q: %#v", d.Id(), res)
|
||||
return nil
|
||||
}
|
||||
|
||||
func resourceAccessContextManagerServicePerimeterImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
|
||||
config := meta.(*Config)
|
||||
|
||||
// current import_formats can't import ids with forward slashes in them.
|
||||
if err := parseImportId([]string{"(?P<name>.+)"}, d, config); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
stringParts := strings.Split(d.Get("name").(string), "/")
|
||||
d.Set("parent", fmt.Sprintf("%s/%s", stringParts[0], stringParts[1]))
|
||||
return []*schema.ResourceData{d}, nil
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterTitle(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterDescription(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterCreateTime(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterUpdateTime(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterPerimeterType(v interface{}, d *schema.ResourceData) interface{} {
|
||||
if v == nil || v.(string) == "" {
|
||||
return "PERIMETER_TYPE_REGULAR"
|
||||
}
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterStatus(v interface{}, d *schema.ResourceData) interface{} {
|
||||
if v == nil {
|
||||
return nil
|
||||
}
|
||||
original := v.(map[string]interface{})
|
||||
if len(original) == 0 {
|
||||
return nil
|
||||
}
|
||||
transformed := make(map[string]interface{})
|
||||
transformed["resources"] =
|
||||
flattenAccessContextManagerServicePerimeterStatusResources(original["resources"], d)
|
||||
transformed["access_levels"] =
|
||||
flattenAccessContextManagerServicePerimeterStatusAccessLevels(original["accessLevels"], d)
|
||||
transformed["restricted_services"] =
|
||||
flattenAccessContextManagerServicePerimeterStatusRestrictedServices(original["restrictedServices"], d)
|
||||
return []interface{}{transformed}
|
||||
}
|
||||
func flattenAccessContextManagerServicePerimeterStatusResources(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterStatusAccessLevels(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterStatusRestrictedServices(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func flattenAccessContextManagerServicePerimeterName(v interface{}, d *schema.ResourceData) interface{} {
|
||||
return v
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterPerimeterType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterStatus(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
l := v.([]interface{})
|
||||
if len(l) == 0 || l[0] == nil {
|
||||
return nil, nil
|
||||
}
|
||||
raw := l[0]
|
||||
original := raw.(map[string]interface{})
|
||||
transformed := make(map[string]interface{})
|
||||
|
||||
transformedResources, err := expandAccessContextManagerServicePerimeterStatusResources(original["resources"], d, config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
} else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) {
|
||||
transformed["resources"] = transformedResources
|
||||
}
|
||||
|
||||
transformedAccessLevels, err := expandAccessContextManagerServicePerimeterStatusAccessLevels(original["access_levels"], d, config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
} else if val := reflect.ValueOf(transformedAccessLevels); val.IsValid() && !isEmptyValue(val) {
|
||||
transformed["accessLevels"] = transformedAccessLevels
|
||||
}
|
||||
|
||||
transformedRestrictedServices, err := expandAccessContextManagerServicePerimeterStatusRestrictedServices(original["restricted_services"], d, config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
} else if val := reflect.ValueOf(transformedRestrictedServices); val.IsValid() && !isEmptyValue(val) {
|
||||
transformed["restrictedServices"] = transformedRestrictedServices
|
||||
}
|
||||
|
||||
return transformed, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterStatusResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterStatusAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterStatusRestrictedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func expandAccessContextManagerServicePerimeterName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func resourceAccessContextManagerServicePerimeterEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
|
||||
delete(obj, "parent")
|
||||
return obj, nil
|
||||
}
|
|
@ -1,3 +1,171 @@
|
|||
package google
|
||||
|
||||
// Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now.
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
)
|
||||
|
||||
// Since each test here is acting on the same organization and only one AccessPolicy
|
||||
// can exist, they need to be ran serially. See AccessPolicy for the test runner.
|
||||
func testAccAccessContextManagerServicePerimeter_basicTest(t *testing.T) {
|
||||
org := getTestOrgFromEnv(t)
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAccessContextManagerServicePerimeterDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAccessContextManagerServicePerimeter_basic(org, "my policy", "level", "perimeter"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_service_perimeter.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
|
||||
org := getTestOrgFromEnv(t)
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAccessContextManagerServicePerimeterDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAccessContextManagerServicePerimeter_update(org, "my policy", "level", "perimeter"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_service_perimeter.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
{
|
||||
Config: testAccAccessContextManagerServicePerimeter_update2(org, "my policy", "level", "perimeter"),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_access_context_manager_service_perimeter.test-access",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckAccessContextManagerServicePerimeterDestroy(s *terraform.State) error {
|
||||
for _, rs := range s.RootModule().Resources {
|
||||
if rs.Type != "google_access_context_manager_service_perimeter" {
|
||||
continue
|
||||
}
|
||||
|
||||
config := testAccProvider.Meta().(*Config)
|
||||
|
||||
url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/{{name}}")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = sendRequest(config, "GET", url, nil)
|
||||
if err == nil {
|
||||
return fmt.Errorf("ServicePerimeter still exists at %s", url)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerServicePerimeter_basic(org, policyTitle, levelTitleName, perimeterTitleName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
|
||||
title = "%s"
|
||||
description = "hello"
|
||||
basic {
|
||||
combining_function = "AND"
|
||||
conditions {
|
||||
ip_subnetworks = ["192.0.4.0/24"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
|
||||
title = "%s"
|
||||
perimeter_type = "PERIMETER_TYPE_BRIDGE"
|
||||
}
|
||||
`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerServicePerimeter_update(org, policyTitle, levelTitleName, perimeterTitleName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
|
||||
title = "%s"
|
||||
description = "hello"
|
||||
basic {
|
||||
combining_function = "AND"
|
||||
conditions {
|
||||
ip_subnetworks = ["192.0.4.0/24"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
|
||||
title = "%s"
|
||||
perimeter_type = "PERIMETER_TYPE_REGULAR"
|
||||
status {
|
||||
restricted_services = ["storage.googleapis.com"]
|
||||
}
|
||||
}
|
||||
`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
|
||||
}
|
||||
|
||||
func testAccAccessContextManagerServicePerimeter_update2(org, policyTitle, levelTitleName, perimeterTitleName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_access_context_manager_access_policy" "test-access" {
|
||||
parent = "organizations/%s"
|
||||
title = "%s"
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
|
||||
title = "%s"
|
||||
description = "hello"
|
||||
basic {
|
||||
combining_function = "AND"
|
||||
conditions {
|
||||
ip_subnetworks = ["192.0.4.0/24"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter" "test-access" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
|
||||
title = "%s"
|
||||
perimeter_type = "PERIMETER_TYPE_REGULAR"
|
||||
}
|
||||
`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
|
||||
}
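Review bot: testAccCheckAccessContextManagerServicePerimeterDestroy still builds its probe URL from `https://accesscontextmanager.googleapis.com/v1beta/{{name}}`, while the resource's Delete request in this commit goes to the v1 endpoint, so the destroy check is inspecting a different API surface than the one the provider manages; if the beta endpoint answers differently for a perimeter that still exists at v1, a leaked perimeter would be reported as cleaned up. Change it to `url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1/{{name}}")`. Separately, the check treats any error from sendRequest as proof of deletion (`if err == nil`), so a 403 or a transient failure passes as well; narrowing the success condition to a 404 (the provider's isGoogleApiErrorWithCode helper, if it is available to this test package) would make the assertion meaningful for a control that exists to stop data leaving the perimeter. The earlier parts of the destroy loop and the generated config helpers are otherwise fine.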
|
||||
|
|
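--- a/website/docs/r/access_context_manager_access_level.html.markdown
+++ b/website/docs/r/access_context_manager_access_level.html.markdown
@@ -0,0 +1,208 @@
+---
+# ----------------------------------------------------------------------------
+#
+# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+#
+# ----------------------------------------------------------------------------
+#
+# This file is automatically generated by Magic Modules and manual
+# changes will be clobbered when the file is regenerated.
+#
+# Please read more about how to change this file in
+# .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+layout: "google"
+page_title: "Google: google_access_context_manager_access_level"
+sidebar_current: "docs-google-access-context-manager-access-level"
+description: |-
+An AccessLevel is a label that can be applied to requests to GCP services,
+along with a list of requirements necessary for the label to be applied.
+---
+
+# google\_access\_context\_manager\_access\_level
+
+An AccessLevel is a label that can be applied to requests to GCP services,
+along with a list of requirements necessary for the label to be applied.
+
+
+To get more information about AccessLevel, see:
+
+* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels)
+* How-to Guides
+* [Access Policy Quickstart](https://cloud.google.com/access-context-manager/docs/quickstart)
+
+## Example Usage - Access Context Manager Access Level Basic
+
+
+```hcl
+resource "google_access_context_manager_access_level" "access-level" {
+parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
+name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"
+title = "chromeos_no_lock"
+basic {
+conditions {
+device_policy {
+require_screen_lock = false
+os_constraints {
+os_type = "DESKTOP_CHROME_OS"
+}
+}
+}
+}
+}
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+parent = "organizations/123456789"
+title = "my policy"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `title` -
+(Required)
+Human readable title. Must be unique within the Policy.
+
+* `parent` -
+(Required)
+The AccessPolicy this AccessLevel lives in.
+Format: accessPolicies/{policy_id}
+
+* `name` -
+(Required)
+Resource name for the Access Level. The short_name component must begin
+with a letter and only include alphanumeric and '_'.
+Format: accessPolicies/{policy_id}/accessLevels/{short_name}
+
+
+- - -
+
+
+* `description` -
+(Optional)
+Description of the AccessLevel and its use. Does not affect behavior.
+
+* `basic` -
+(Optional)
+A set of predefined conditions for the access level and a combining function. Structure is documented below.
+
+
+The `basic` block supports:
+
+* `combining_function` -
+(Optional)
+How the conditions list should be combined to determine if a request
+is granted this AccessLevel. If AND is used, each Condition in
+conditions must be satisfied for the AccessLevel to be applied. If
+OR is used, at least one Condition in conditions must be satisfied
+for the AccessLevel to be applied. Defaults to AND if unspecified.
+
+* `conditions` -
+(Required)
+A set of requirements for the AccessLevel to be granted. Structure is documented below.
+
+
+The `conditions` block supports:
+
+* `ip_subnetworks` -
+(Optional)
+A list of CIDR block IP subnetwork specification. May be IPv4
+or IPv6.
+Note that for a CIDR IP address block, the specified IP address
+portion must be properly truncated (i.e. all the host bits must
+be zero) or the input is considered malformed. For example,
+"192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
+for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
+is not. The originating IP of a request must be in one of the
+listed subnets in order for this Condition to be true.
+If empty, all IP addresses are allowed.
+
+* `required_access_levels` -
+(Optional)
+A list of other access levels defined in the same Policy,
+referenced by resource name. Referencing an AccessLevel which
+does not exist is an error. All access levels listed must be
+granted for the Condition to be true.
+Format: accessPolicies/{policy_id}/accessLevels/{short_name}
+
+* `members` -
+(Optional)
+An allowed list of members (users, groups, service accounts).
+The signed-in user originating the request must be a part of one
+of the provided members. If not specified, a request may come
+from any user (logged in/not logged in, not present in any
+groups, etc.).
+Formats: `user:{emailid}`, `group:{emailid}`, `serviceAccount:{emailid}`
+
+* `negate` -
+(Optional)
+Whether to negate the Condition. If true, the Condition becomes
+a NAND over its non-empty fields, each field must be false for
+the Condition overall to be satisfied. Defaults to false.
+
+* `device_policy` -
+(Optional)
+Device specific restrictions, all restrictions must hold for
+the Condition to be true. If not specified, all devices are
+allowed. Structure is documented below.
+
+
+The `device_policy` block supports:
+
+* `require_screen_lock` -
+(Optional)
+Whether or not screenlock is required for the DevicePolicy
+to be true. Defaults to false.
+
+* `allowed_encryption_statuses` -
+(Optional)
+A list of allowed encryptions statuses.
+An empty list allows all statuses.
+
+* `allowed_device_management_levels` -
+(Optional)
+A list of allowed device management levels.
+An empty list allows all management levels.
+
+* `os_constraints` -
+(Optional)
+A list of allowed OS versions.
+An empty list allows all types and all versions. Structure is documented below.
+
+
+The `os_constraints` block supports:
+
+* `minimum_version` -
+(Optional)
+The minimum allowed OS version. If not set, any version
+of this OS satisfies the constraint.
+Format: "major.minor.patch" such as "10.5.301", "9.2.1".
+
+* `os_type` -
+(Optional)
+The operating system type of the device.
+
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
+
+- `create` - Default is 6 minutes.
+- `update` - Default is 6 minutes.
+- `delete` - Default is 6 minutes.
+
+## Import
+
+AccessLevel can be imported using any of these accepted formats:
+
+```
+$ terraform import google_access_context_manager_access_level.default {{name}}
+```
+
+-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
+as an argument so that Terraform uses the correct provider to import your resource.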
|
@ -0,0 +1,101 @@
|
|||
---
|
||||
# ----------------------------------------------------------------------------
|
||||
#
|
||||
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
|
||||
#
|
||||
# ----------------------------------------------------------------------------
|
||||
#
|
||||
# This file is automatically generated by Magic Modules and manual
|
||||
# changes will be clobbered when the file is regenerated.
|
||||
#
|
||||
# Please read more about how to change this file in
|
||||
# .github/CONTRIBUTING.md.
|
||||
#
|
||||
# ----------------------------------------------------------------------------
|
||||
layout: "google"
|
||||
page_title: "Google: google_access_context_manager_access_policy"
|
||||
sidebar_current: "docs-google-access-context-manager-access-policy"
|
||||
description: |-
|
||||
AccessPolicy is a container for AccessLevels (which define the necessary
|
||||
attributes to use GCP services) and ServicePerimeters (which define
|
||||
regions of services able to freely pass data within a perimeter).
|
||||
---
|
||||
|
||||
# google\_access\_context\_manager\_access\_policy
|
||||
|
||||
AccessPolicy is a container for AccessLevels (which define the necessary
|
||||
attributes to use GCP services) and ServicePerimeters (which define
|
||||
regions of services able to freely pass data within a perimeter). An
|
||||
access policy is globally visible within an organization, and the
|
||||
restrictions it specifies apply to all projects within an organization.
|
||||
|
||||
|
||||
To get more information about AccessPolicy, see:
|
||||
|
||||
* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies)
|
||||
* How-to Guides
|
||||
* [Access Policy Quickstart](https://cloud.google.com/access-context-manager/docs/quickstart)
|
||||
|
||||
## Example Usage - Access Context Manager Access Policy Basic
|
||||
|
||||
|
||||
```hcl
|
||||
resource "google_access_context_manager_access_policy" "access-policy" {
|
||||
parent = "organizations/123456789"
|
||||
title = "my policy"
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
The following arguments are supported:
|
||||
|
||||
|
||||
* `parent` -
|
||||
(Required)
|
||||
The parent of this AccessPolicy in the Cloud Resource Hierarchy.
|
||||
Format: organizations/{organization_id}
|
||||
|
||||
* `title` -
|
||||
(Required)
|
||||
Human readable title. Does not affect behavior.
|
||||
|
||||
|
||||
- - -
|
||||
|
||||
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
In addition to the arguments listed above, the following computed attributes are exported:
|
||||
|
||||
|
||||
* `name` -
|
||||
Resource name of the AccessPolicy. Format: {policy_id}
|
||||
|
||||
* `create_time` -
|
||||
Time the AccessPolicy was created in UTC.
|
||||
|
||||
* `update_time` -
|
||||
Time the AccessPolicy was updated in UTC.
|
||||
|
||||
|
||||
## Timeouts
|
||||
|
||||
This resource provides the following
|
||||
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
|
||||
|
||||
- `create` - Default is 6 minutes.
|
||||
- `update` - Default is 6 minutes.
|
||||
- `delete` - Default is 6 minutes.
|
||||
|
||||
## Import
|
||||
|
||||
AccessPolicy can be imported using any of these accepted formats:
|
||||
|
||||
```
|
||||
$ terraform import google_access_context_manager_access_policy.default {{name}}
|
||||
```
|
||||
|
||||
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
|
||||
as an argument so that Terraform uses the correct provider to import your resource.
|
|
@ -0,0 +1,189 @@
|
|||
---
|
||||
# ----------------------------------------------------------------------------
|
||||
#
|
||||
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
|
||||
#
|
||||
# ----------------------------------------------------------------------------
|
||||
#
|
||||
# This file is automatically generated by Magic Modules and manual
|
||||
# changes will be clobbered when the file is regenerated.
|
||||
#
|
||||
# Please read more about how to change this file in
|
||||
# .github/CONTRIBUTING.md.
|
||||
#
|
||||
# ----------------------------------------------------------------------------
|
||||
layout: "google"
|
||||
page_title: "Google: google_access_context_manager_service_perimeter"
|
||||
sidebar_current: "docs-google-access-context-manager-service-perimeter"
|
||||
description: |-
|
||||
ServicePerimeter describes a set of GCP resources which can freely import
|
||||
and export data amongst themselves, but not export outside of the
|
||||
ServicePerimeter.
|
||||
---
|
||||
|
||||
# google\_access\_context\_manager\_service\_perimeter
|
||||
|
||||
ServicePerimeter describes a set of GCP resources which can freely import
|
||||
and export data amongst themselves, but not export outside of the
|
||||
ServicePerimeter. If a request with a source within this ServicePerimeter
|
||||
has a target outside of the ServicePerimeter, the request will be blocked.
|
||||
Otherwise the request is allowed. There are two types of Service Perimeter
|
||||
- Regular and Bridge. Regular Service Perimeters cannot overlap, a single
|
||||
GCP project can only belong to a single regular Service Perimeter. Service
|
||||
Perimeter Bridges can contain only GCP projects as members, a single GCP
|
||||
project may belong to multiple Service Perimeter Bridges.
|
||||
|
||||
|
||||
To get more information about ServicePerimeter, see:
|
||||
|
||||
* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters)
|
||||
* How-to Guides
|
||||
* [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart)
|
||||
|
||||
## Example Usage - Access Context Manager Service Perimeter Basic
|
||||
|
||||
|
||||
```hcl
|
||||
resource "google_access_context_manager_service_perimeter" "service-perimeter" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/restrict_all"
|
||||
title = "restrict_all"
|
||||
status {
|
||||
restricted_services = ["storage.googleapis.com"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "access-level" {
|
||||
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
|
||||
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"
|
||||
title = "chromeos_no_lock"
|
||||
basic {
|
||||
conditions {
|
||||
device_policy {
|
||||
require_screen_lock = false
|
||||
os_constraints {
|
||||
os_type = "DESKTOP_CHROME_OS"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_policy" "access-policy" {
|
||||
parent = "organizations/123456789"
|
||||
title = "my policy"
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
The following arguments are supported:
|
||||
|
||||
|
||||
* `title` -
|
||||
(Required)
|
||||
Human readable title. Must be unique within the Policy.
|
||||
|
||||
* `parent` -
|
||||
(Required)
|
||||
The AccessPolicy this ServicePerimeter lives in.
|
||||
Format: accessPolicies/{policy_id}
|
||||
|
||||
* `name` -
|
||||
(Required)
|
||||
Resource name for the ServicePerimeter. The short_name component must
|
||||
begin with a letter and only include alphanumeric and '_'.
|
||||
Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}
|
||||
|
||||
|
||||
- - -
|
||||
|
||||
|
||||
* `description` -
|
||||
(Optional)
|
||||
Description of the ServicePerimeter and its use. Does not affect
|
||||
behavior.
|
||||
|
||||
* `perimeter_type` -
|
||||
(Optional)
|
||||
Specifies the type of the Perimeter. There are two types: regular and
|
||||
bridge. Regular Service Perimeter contains resources, access levels,
|
||||
and restricted services. Every resource can be in at most
|
||||
ONE regular Service Perimeter.
|
||||
In addition to being in a regular service perimeter, a resource can also
|
||||
be in zero or more perimeter bridges. A perimeter bridge only contains
|
||||
resources. Cross project operations are permitted if all effected
|
||||
resources share some perimeter (whether bridge or regular). Perimeter
|
||||
Bridge does not contain access levels or services: those are governed
|
||||
entirely by the regular perimeter that resource is in.
|
||||
Perimeter Bridges are typically useful when building more complex
|
||||
toplogies with many independent perimeters that need to share some data
|
||||
with a common perimeter, but should not be able to share data among
|
||||
themselves.
|
||||
|
||||
* `status` -
|
||||
(Optional)
|
||||
ServicePerimeter configuration. Specifies sets of resources,
|
||||
restricted services and access levels that determine
|
||||
perimeter content and boundaries. Structure is documented below.
|
||||
|
||||
|
||||
The `status` block supports:
|
||||
|
||||
* `resources` -
|
||||
(Optional)
|
||||
A list of GCP resources that are inside of the service perimeter.
|
||||
Currently only projects are allowed.
|
||||
Format: projects/{project_number}
|
||||
|
||||
* `access_levels` -
|
||||
(Optional)
|
||||
A list of AccessLevel resource names that allow resources within
|
||||
the ServicePerimeter to be accessed from the internet.
|
||||
AccessLevels listed must be in the same policy as this
|
||||
ServicePerimeter. Referencing a nonexistent AccessLevel is a
|
||||
syntax error. If no AccessLevel names are listed, resources within
|
||||
the perimeter can only be accessed via GCP calls with request
|
||||
origins within the perimeter. For Service Perimeter Bridge, must
|
||||
be empty.
|
||||
Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}
|
||||
|
||||
* `restricted_services` -
|
||||
(Optional)
|
||||
GCP services that are subject to the Service Perimeter
|
||||
restrictions. Must contain a list of services. For example, if
|
||||
`storage.googleapis.com` is specified, access to the storage
|
||||
buckets inside the perimeter must meet the perimeter's access
|
||||
restrictions.
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
In addition to the arguments listed above, the following computed attributes are exported:
|
||||
|
||||
|
||||
* `create_time` -
|
||||
Time the AccessPolicy was created in UTC.
|
||||
|
||||
* `update_time` -
|
||||
Time the AccessPolicy was updated in UTC.
|
||||
|
||||
|
||||
## Timeouts
|
||||
|
||||
This resource provides the following
|
||||
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
|
||||
|
||||
- `create` - Default is 6 minutes.
|
||||
- `update` - Default is 6 minutes.
|
||||
- `delete` - Default is 6 minutes.
|
||||
|
||||
## Import
|
||||
|
||||
ServicePerimeter can be imported using any of these accepted formats:
|
||||
|
||||
```
|
||||
$ terraform import google_access_context_manager_service_perimeter.default {{name}}
|
||||
```
|
||||
|
||||
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
|
||||
as an argument so that Terraform uses the correct provider to import your resource.
|