diff --git a/third_party/terraform/resources/resource_iam_audit_config.go b/third_party/terraform/resources/resource_iam_audit_config.go
index 3dbbd32979cd..bec5b1634d9d 100644
--- a/third_party/terraform/resources/resource_iam_audit_config.go
+++ b/third_party/terraform/resources/resource_iam_audit_config.go
@@ -44,9 +44,9 @@ func ResourceIamAuditConfig(parentSpecificSchema map[string]*schema.Schema, newU
 func ResourceIamAuditConfigWithBatching(parentSpecificSchema map[string]*schema.Schema, newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser resourceIdParserFunc, enableBatching bool) *schema.Resource {
 return &schema.Resource{
- Create: resourceIamAuditConfigCreate(newUpdaterFunc, enableBatching),
+ Create: resourceIamAuditConfigCreateUpdate(newUpdaterFunc, enableBatching),
 Read: resourceIamAuditConfigRead(newUpdaterFunc),
- Update: resourceIamAuditConfigUpdate(newUpdaterFunc, enableBatching),
+ Update: resourceIamAuditConfigCreateUpdate(newUpdaterFunc, enableBatching),
 Delete: resourceIamAuditConfigDelete(newUpdaterFunc, enableBatching),
 Schema: mergeSchemas(iamAuditConfigSchema, parentSpecificSchema),
 Importer: &schema.ResourceImporter{
@@ -55,34 +55,6 @@ func ResourceIamAuditConfigWithBatching(parentSpecificSchema map[string]*schema.
 }
 }
 
-func resourceIamAuditConfigCreate(newUpdaterFunc newResourceIamUpdaterFunc, enableBatching bool) schema.CreateFunc {
- return func(d *schema.ResourceData, meta interface{}) error {
- config := meta.(*Config)
- updater, err := newUpdaterFunc(d, config)
- if err != nil {
- return err
- }
-
- ac := getResourceIamAuditConfig(d)
- modifyF := func(ep *cloudresourcemanager.Policy) error {
- ep.AuditConfigs = mergeAuditConfigs(append(ep.AuditConfigs, ac))
- return nil
- }
-
- if enableBatching {
- err = BatchRequestModifyIamPolicy(updater, modifyF, config, fmt.Sprintf(
- "Add audit config for service %s on resource %q", ac.Service, updater.DescribeResource()))
- } else {
- err = iamPolicyReadModifyWrite(updater, modifyF)
- }
- if err != nil {
- return err
- }
- d.SetId(updater.GetResourceId() + "/audit_config/" + ac.Service)
- return resourceIamAuditConfigRead(newUpdaterFunc)(d, meta)
- }
-}
-
 func resourceIamAuditConfigRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.ReadFunc {
 return func(d *schema.ResourceData, meta interface{}) error {
 config := meta.(*Config)
@@ -150,7 +122,7 @@ func iamAuditConfigImport(resourceIdParser resourceIdParserFunc) schema.StateFun
 }
 }
 
-func resourceIamAuditConfigUpdate(newUpdaterFunc newResourceIamUpdaterFunc, enableBatching bool) schema.UpdateFunc {
+func resourceIamAuditConfigCreateUpdate(newUpdaterFunc newResourceIamUpdaterFunc, enableBatching bool) func(*schema.ResourceData, interface{}) error {
 return func(d *schema.ResourceData, meta interface{}) error {
 config := meta.(*Config)
 updater, err := newUpdaterFunc(d, config)
@@ -173,7 +145,7 @@ func resourceIamAuditConfigUpdate(newUpdaterFunc newResourceIamUpdaterFunc, enab
 if err != nil {
 return err
 }
-
+ d.SetId(updater.GetResourceId() + "/audit_config/" + ac.Service)
 return resourceIamAuditConfigRead(newUpdaterFunc)(d, meta)
 }
 }
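Review bot: Creating this resource now looks to be authoritative for ac.Service rather than additive, which can silently drop audit logging configured outside Terraform: the only helper this commit deletes is mergeAuditConfigs, which the old Create used to merge the new AuditConfig into whatever the policy already held, while removeAllAuditConfigsWithService survives, so the shared body of resourceIamAuditConfigCreateUpdate (which begins above the @@ -173 hunk and is not visible here) presumably replaces any existing AuditConfig for the service before writing. If so, an out-of-band audit config for the same service (say DATA_READ/DATA_WRITE on kms.googleapis.com) is overwritten on first apply with no plan-time signal, which is a reduction in logging that a security reviewer would want called out. The added SetId line is fine, but the new semantics deserve a doc comment on the function, e.g. `// resourceIamAuditConfigCreateUpdate is authoritative for ac.Service: any AuditConfig already on the policy for that service is replaced, not merged, so log types and exemptions set outside Terraform are dropped.`, and the same caveat in the resource documentation. If merge-on-create was deliberate before, consider keeping it for Create or at least emitting a warning when an existing config for the service is about to be replaced.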
diff --git a/third_party/terraform/utils/iam.go b/third_party/terraform/utils/iam.go
index 58ff369e1d13..7f3efa872af4 100644
--- a/third_party/terraform/utils/iam.go
+++ b/third_party/terraform/utils/iam.go
@@ -237,12 +237,6 @@ func listFromIamBindingMap(bm map[string]map[string]struct{}) []*cloudresourcema
 return rb
 }
 
-// Flatten AuditConfigs so each service has a single exemption list of log type to members
-func mergeAuditConfigs(auditConfigs []*cloudresourcemanager.AuditConfig) []*cloudresourcemanager.AuditConfig {
- am := createIamAuditConfigsMap(auditConfigs)
- return listFromIamAuditConfigMap(am)
-}
-
 // Flattens AuditConfigs so each role has a single Binding with combined members\
 func removeAllAuditConfigsWithService(ac []*cloudresourcemanager.AuditConfig, service string) []*cloudresourcemanager.AuditConfig {
 acMap := createIamAuditConfigsMap(ac)
diff --git a/third_party/terraform/utils/iam_test.go b/third_party/terraform/utils/iam_test.go
index eed54b6257c7..a72475d40111 100644
--- a/third_party/terraform/utils/iam_test.go
+++ b/third_party/terraform/utils/iam_test.go
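Review bot: The comment that survives directly under the deleted block, `// Flattens AuditConfigs so each role has a single Binding with combined members\`, describes the IAM-binding helper rather than removeAllAuditConfigsWithService, and the trailing backslash reads like a paste artifact; since this commit already touches the lines immediately above it, it is the moment to correct it. Suggested wording: `// removeAllAuditConfigsWithService returns ac with every AuditConfig for service removed.` The function body continues past the end of the hunk, so only the `acMap := createIamAuditConfigsMap(ac)` line is visible here; if the remainder also flattens the surviving entries, say so in a second clause. Deleting mergeAuditConfigs itself looks safe as far as this diff shows, since its only visible caller (the old resourceIamAuditConfigCreate) is removed in the same commit.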
@@ -557,167 +557,6 @@ func TestIamListFromIamBindingMap(t *testing.T) {
 }
 }
 
-func TestIamMergeAuditConfigs(t *testing.T) {
- testCases := []struct {
- input []*cloudresourcemanager.AuditConfig
- expect []*cloudresourcemanager.AuditConfig
- }{
- {
- input: []*cloudresourcemanager.AuditConfig{},
- expect: []*cloudresourcemanager.AuditConfig{},
- },
- {
- input: []*cloudresourcemanager.AuditConfig{
- {
- Service: "foo.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- },
- },
- },
- {
- Service: "bar.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- ExemptedMembers: []string{"user-1"},
- },
- },
- },
- },
- expect: []*cloudresourcemanager.AuditConfig{
- {
- Service: "foo.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- },
- },
- },
- {
- Service: "bar.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- ExemptedMembers: []string{"user-1"},
- },
- },
- },
- },
- },
- {
- input: []*cloudresourcemanager.AuditConfig{
- {
- Service: "kms.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- },
- {
- LogType: "DATA_WRITE",
- ExemptedMembers: []string{"user-1"},
- },
- },
- },
- {
- Service: "iam.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- ExemptedMembers: []string{"user-1"},
- },
- },
- },
- {
- Service: "kms.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "DATA_WRITE",
- ExemptedMembers: []string{"user-2"},
- },
- },
- },
- {
- Service: "iam.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- ExemptedMembers: []string{"user-2"},
- },
- },
- },
- {
- Service: "foo.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "DATA_WRITE",
- ExemptedMembers: []string{"user-1"},
- },
- },
- },
- {
- Service: "kms.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "DATA_WRITE",
- ExemptedMembers: []string{"user-3", "user-4"},
- },
- {
- LogType: "DATA_READ",
- ExemptedMembers: []string{"user-1", "user-2"},
- },
- },
- },
- },
- expect: []*cloudresourcemanager.AuditConfig{
- {
- Service: "kms.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- },
- {
- LogType: "DATA_WRITE",
- ExemptedMembers: []string{"user-1", "user-2", "user-3", "user-4"},
- },
- {
- LogType: "DATA_READ",
- ExemptedMembers: []string{"user-1", "user-2"},
- },
- },
- },
- {
- Service: "iam.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "ADMIN_READ",
- ExemptedMembers: []string{"user-1", "user-2"},
- },
- },
- },
- {
- Service: "foo.googleapis.com",
- AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
- {
- LogType: "DATA_WRITE",
- ExemptedMembers: []string{"user-1"},
- },
- },
- },
- },
- },
- }
-
- for _, tc := range testCases {
- got := mergeAuditConfigs(tc.input)
- if !compareAuditConfigs(got, tc.expect) {
- t.Errorf("Unexpected value for mergeAuditConfigs(%s).\nActual: %s\nExpected: %s\n",
- debugPrintAuditConfigs(tc.input), debugPrintAuditConfigs(got), debugPrintAuditConfigs(tc.expect))
- }
- }
-}
-
 func TestIamRemoveAllAuditConfigsWithService(t *testing.T) {
 testCases := []struct {
 input []*cloudresourcemanager.AuditConfig