public/terraform-provider-google
0
0
Fork 0
mirror of https://github.com/letic/terraform-provider-google.git synced 2024-06-29 06:42:36 +00:00
Code Issues Projects Releases Wiki Activity
cf3c406fee
terraform-provider-google/google/iam.go
The Magician 462c367842 Add retries/backoff when (only) reading IAM policies (#3455) 
Signed-off-by: Modular Magician <magic-modules@google.com>
2019-04-19 13:15:51 -07:00

257 lines
8.5 KiB
Go
Raw Blame History

package google
import (
"fmt"
"log"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/terraform/helper/schema"
"google.golang.org/api/cloudresourcemanager/v1"
)
const maxBackoffSeconds = 30
// The ResourceIamUpdater interface is implemented for each GCP resource supporting IAM policy.
//
// Implementations should keep track of the resource identifier.
type ResourceIamUpdater interface {
// Fetch the existing IAM policy attached to a resource.
GetResourceIamPolicy() (*cloudresourcemanager.Policy, error)
// Replaces the existing IAM Policy attached to a resource.
SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error
// A mutex guards against concurrent to call to the SetResourceIamPolicy method.
// The mutex key should be made of the resource type and resource id.
// For example: `iam-project-{id}`.
GetMutexKey() string
// Returns the unique resource identifier.
GetResourceId() string
// Textual description of this resource to be used in error message.
// The description should include the unique resource identifier.
DescribeResource() string
}
type newResourceIamUpdaterFunc func(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error)
type iamPolicyModifyFunc func(p *cloudresourcemanager.Policy) error
// This method parses identifiers specific to the resource (d.GetId()) into the ResourceData
// object, so that it can be given to the resource's Read method. Externally, this is wrapped
// into schema.StateFunc functions - one each for a _member, a _binding, and a _policy. Any
// GCP resource supporting IAM policy might support one, two, or all of these. Any GCP resource
// for which an implementation of this interface exists could support any of the three.
type resourceIdParserFunc func(d *schema.ResourceData, config *Config) error
// Wrapper around updater.GetResourceIamPolicy() to handle retry/backoff
// for just reading policies from IAM
func iamPolicyReadWithRetry(updater ResourceIamUpdater) (*cloudresourcemanager.Policy, error) {
mutexKey := updater.GetMutexKey()
mutexKV.Lock(mutexKey)
defer mutexKV.Unlock(mutexKey)
log.Printf("[DEBUG] Retrieving policy for %s\n", updater.DescribeResource())
var policy *cloudresourcemanager.Policy
err := retryTime(func() (perr error) {
policy, perr = updater.GetResourceIamPolicy()
return perr
}, 10)
if err != nil {
return nil, err
}
log.Printf("[DEBUG] Retrieved policy for %s: %+v\n", updater.DescribeResource(), policy)
return policy, nil
}
func iamPolicyReadModifyWrite(updater ResourceIamUpdater, modify iamPolicyModifyFunc) error {
mutexKey := updater.GetMutexKey()
mutexKV.Lock(mutexKey)
defer mutexKV.Unlock(mutexKey)
backoff := time.Second
for {
log.Printf("[DEBUG]: Retrieving policy for %s\n", updater.DescribeResource())
p, err := updater.GetResourceIamPolicy()
if isGoogleApiErrorWithCode(err, 429) {
log.Printf("[DEBUG] 429 while attempting to read policy for %s, waiting %v before attempting again", updater.DescribeResource(), backoff)
time.Sleep(backoff)
continue
} else if err != nil {
return err
}
log.Printf("[DEBUG]: Retrieved policy for %s: %+v\n", updater.DescribeResource(), p)
err = modify(p)
if err != nil {
return err
}
log.Printf("[DEBUG]: Setting policy for %s to %+v\n", updater.DescribeResource(), p)
err = updater.SetResourceIamPolicy(p)
if err == nil {
fetchBackoff := 1 * time.Second
for successfulFetches := 0; successfulFetches < 3; {
if fetchBackoff > maxBackoffSeconds*time.Second {
return fmt.Errorf("Error applying IAM policy to %s: Waited too long for propagation.\n", updater.DescribeResource())
}
time.Sleep(fetchBackoff)
log.Printf("[DEBUG]: Retrieving policy for %s\n", updater.DescribeResource())
new_p, err := updater.GetResourceIamPolicy()
if err != nil {
// Quota for Read is pretty limited, so watch out for running out of quota.
if isGoogleApiErrorWithCode(err, 429) {
fetchBackoff = fetchBackoff * 2
} else {
return err
}
}
log.Printf("[DEBUG]: Retrieved policy for %s: %+v\n", updater.DescribeResource(), p)
if new_p == nil {
// https://github.com/terraform-providers/terraform-provider-google/issues/2625
fetchBackoff = fetchBackoff * 2
continue
}
modified_p := new_p
// This relies on the fact that `modify` is idempotent: since other changes might have
// happened between the call to set the policy and now, we just need to make sure that
// our change has been made. 'modify(p) == p' is our check for whether this has been
// correctly applied.
err = modify(modified_p)
if err != nil {
return err
}
if modified_p == new_p {
successfulFetches += 1
} else {
fetchBackoff = fetchBackoff * 2
}
}
break
}
if isConflictError(err) {
log.Printf("[DEBUG]: Concurrent policy changes, restarting read-modify-write after %s\n", backoff)
time.Sleep(backoff)
backoff = backoff * 2
if backoff > 30*time.Second {
return errwrap.Wrapf(fmt.Sprintf("Error applying IAM policy to %s: Too many conflicts. Latest error: {{err}}", updater.DescribeResource()), err)
}
continue
}
return errwrap.Wrapf(fmt.Sprintf("Error applying IAM policy for %s: {{err}}", updater.DescribeResource()), err)
}
log.Printf("[DEBUG]: Set policy for %s", updater.DescribeResource())
return nil
}
// Takes a single binding and will either overwrite the same role in a list or append it to the end
func overwriteBinding(bindings []*cloudresourcemanager.Binding, overwrite *cloudresourcemanager.Binding) []*cloudresourcemanager.Binding {
var found bool
for i, b := range bindings {
if b.Role == overwrite.Role {
bindings[i] = overwrite
found = true
break
}
}
if !found {
bindings = append(bindings, overwrite)
}
return bindings
}
// Merge multiple Bindings such that Bindings with the same Role result in
// a single Binding with combined Members
func mergeBindings(bindings []*cloudresourcemanager.Binding) []*cloudresourcemanager.Binding {
bm := rolesToMembersMap(bindings)
rb := make([]*cloudresourcemanager.Binding, 0)
for role, members := range bm {
var b cloudresourcemanager.Binding
b.Role = role
b.Members = make([]string, 0)
for m := range members {
b.Members = append(b.Members, m)
}
if len(b.Members) > 0 {
rb = append(rb, &b)
}
}
return rb
}
// Map a role to a map of members, allowing easy merging of multiple bindings.
func rolesToMembersMap(bindings []*cloudresourcemanager.Binding) map[string]map[string]bool {
bm := make(map[string]map[string]bool)
// Get each binding
for _, b := range bindings {
// Initialize members map
if _, ok := bm[b.Role]; !ok {
bm[b.Role] = make(map[string]bool)
}
// Get each member (user/principal) for the binding
for _, m := range b.Members {
// Add the member
bm[b.Role][m] = true
}
}
return bm
}
// Merge multiple Audit Configs such that configs with the same service result in
// a single exemption list with combined members
func mergeAuditConfigs(auditConfigs []*cloudresourcemanager.AuditConfig) []*cloudresourcemanager.AuditConfig {
am := auditConfigToServiceMap(auditConfigs)
var ac []*cloudresourcemanager.AuditConfig
for service, auditLogConfigs := range am {
var a cloudresourcemanager.AuditConfig
a.Service = service
a.AuditLogConfigs = make([]*cloudresourcemanager.AuditLogConfig, 0, len(auditLogConfigs))
for k, v := range auditLogConfigs {
var alc cloudresourcemanager.AuditLogConfig
alc.LogType = k
for member := range v {
alc.ExemptedMembers = append(alc.ExemptedMembers, member)
}
a.AuditLogConfigs = append(a.AuditLogConfigs, &alc)
}
if len(a.AuditLogConfigs) > 0 {
ac = append(ac, &a)
}
}
return ac
}
// Build a service map with the log_type and bindings below it
func auditConfigToServiceMap(auditConfig []*cloudresourcemanager.AuditConfig) map[string]map[string]map[string]bool {
ac := make(map[string]map[string]map[string]bool)
// Get each config
for _, c := range auditConfig {
// Initialize service map
if _, ok := ac[c.Service]; !ok {
ac[c.Service] = map[string]map[string]bool{}
}
// loop through audit log configs
for _, lc := range c.AuditLogConfigs {
// Initialize service map
if _, ok := ac[c.Service][lc.LogType]; !ok {
ac[c.Service][lc.LogType] = map[string]bool{}
}
// Get each member (user/principal) for the binding
for _, m := range lc.ExemptedMembers {
// Add the member
if _, ok := ac[c.Service][lc.LogType][m]; !ok {
ac[c.Service][lc.LogType][m] = true
}
}
}
}
return ac
}
Reference in New Issue View Git Blame Copy Permalink