Add BlockingFunctionsConfig, AuthorizedDomains and QuotaConfig fields to identityplatform config

[mraouffouad]

Add BlockingFunctionsConfig, AuthorizedDomains and QuotaConfig fields to identityplatform config

If this PR is for Terraform, I acknowledge that I have:

• Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
• Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
• Generated Terraform providers, and ran make test and make lint in the generated providers to ensure it passes unit and linter tests.
• Ran relevant acceptance tests using my own Google Cloud project and credentials (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
• Read the Release Notes Guide before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

[modular-magician]

Hello! I am a robot who works on Magic Modules PRs.

I've detected that you're a community contributor. @roaks3, a repository maintainer, has been assigned to assist you and help review your changes.

❓ First time contributing? Click here for more details

---

Your assigned reviewer will help review your code by:

• Ensuring it's backwards compatible, covers common error cases, etc.
• Summarizing the change into a user-facing changelog note.
• Passes tests, either our "VCR" suite, a set of presubmit tests, or with manual test runs.

You can help make sure that review is quick by running local tests and ensuring they're passing in between each push you make to your PR's branch. Also, try to leave a comment with each push you make, as pushes generally don't generate emails.

If your reviewer doesn't get back to you within a week after your most recent change, please feel free to leave a comment on the issue asking them to take a look! In the absence of a dedicated review dashboard most maintainers manage their pending reviews through email, and those will sometimes get lost in their inbox.

---

[rainshen49]

Should this be a Timestamp, as in !ruby/object:Api::Type::Time

[mraouffouad]

yep, good catch.

[rainshen49]

Should this also be output only?

[mraouffouad]

Done.

[tylerg-dev]

would it make sense for this to be a resource reference to https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions_function instead of a pure string?

In theory we could accommodate someone that uses Terraform for Auth but not Functions, but do we expect that to be a common use-case?

[mraouffouad]

Would defer this to the reviewer to weigh in.

[roaks3]

Possibly, but there is currently some work being done with ResourceRef to get it working the way we want, and we are advising teams to avoid adding them for now. (see #8127)

Unrelated, but setting a function_uri within the map value seems like it should be required.

[mraouffouad]

Yep. Done.

[tylerg-dev]

are these keys represented as a resource in another product? They aren't ApiKeys I know, but if we can reference an object that is managed it will be less error prone.

[mraouffouad]

Ditto -- this field is removed from the PR for now.

[rainshen49]

Ditto !ruby/object:Api::Type::Time

[mraouffouad]

Done.

[rainshen49]

This is a string based on https://cloud.google.com/identity-platform/docs/reference/rest/v2/Config#TemporaryQuota

[mraouffouad]

Done.

[rainshen49]

This is output only

[mraouffouad]

Based on the GCIP team request, this field is removed from the PR for now.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 539 insertions(+))
Terraform Beta: Diff ( 2 files changed, 539 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: blocking_functions.triggers.function_uri, blocking_functions.triggers.event_type, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.forward_inbound_credentials.refresh_token, quota.sign_up_quota_config.start_time, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, authorized_domains

Please add acceptance tests which include these fields.

[modular-magician]

Tests analytics

Total tests: 2832
Passed tests 2536
Skipped tests: 294
Affected tests: 2

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccComputeNetworkEndpoints_networkEndpointsBasic|TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

[modular-magician]

Tests passed during RECORDING mode:
TestAccComputeNetworkEndpoints_networkEndpointsBasic[Debug log]

Tests failed during RECORDING mode:
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

[mraouffouad]

@roaks3 This PR is ready for review.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 555 insertions(+))
Terraform Beta: Diff ( 2 files changed, 555 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: authorized_domains, blocking_functions.forward_inbound_credentials.refresh_token, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.triggers.function_uri, blocking_functions.triggers.event_type, quota.sign_up_quota_config.start_time, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration

Please add acceptance tests which include these fields.

[modular-magician]

Tests analytics

Total tests: 2836
Passed tests 2540
Skipped tests: 295
Affected tests: 1

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

[modular-magician]

Tests failed during RECORDING mode:
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 561 insertions(+))
Terraform Beta: Diff ( 2 files changed, 561 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: authorized_domains, blocking_functions.forward_inbound_credentials.refresh_token, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.triggers.event_type, blocking_functions.triggers.function_uri, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, quota.sign_up_quota_config.start_time

Please add acceptance tests which include these fields.

[modular-magician]

Tests analytics

Total tests: 2834
Passed tests 2537
Skipped tests: 295
Affected tests: 2

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccContainerAwsNodePool_BetaBasicHandWritten|TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

[modular-magician]

Tests failed during RECORDING mode:
TestAccContainerAwsNodePool_BetaBasicHandWritten[Error message] [Debug log]
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 561 insertions(+))
Terraform Beta: Diff ( 2 files changed, 561 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: blocking_functions.forward_inbound_credentials.id_token, blocking_functions.forward_inbound_credentials.refresh_token, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.triggers.event_type, blocking_functions.triggers.function_uri, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, quota.sign_up_quota_config.start_time, authorized_domains

Please add acceptance tests which include these fields.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 561 insertions(+))
Terraform Beta: Diff ( 2 files changed, 561 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, quota.sign_up_quota_config.start_time, authorized_domains, blocking_functions.forward_inbound_credentials.refresh_token, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.triggers.function_uri, blocking_functions.triggers.event_type

Please add acceptance tests which include these fields.

[modular-magician]

Tests analytics

Total tests: 2847
Passed tests 2548
Skipped tests: 295
Affected tests: 4

Action taken

Found 4 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccComputeTargetHttpsProxy_targetHttpsProxyHttpKeepAliveTimeoutExample|TestAccContainerAwsNodePool_BetaBasicHandWritten|TestAccComputeTargetHttpProxy_targetHttpProxyHttpKeepAliveTimeoutExample|TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

[modular-magician]

Tests analytics

Total tests: 2847
Passed tests 2548
Skipped tests: 295
Affected tests: 4

Action taken

Found 4 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccContainerAwsNodePool_BetaBasicHandWritten|TestAccComputeFirewallPolicyRule_multipleRules|TestAccComputeTargetHttpsProxy_targetHttpsProxyHttpKeepAliveTimeoutExample|TestAccComputeTargetHttpProxy_targetHttpProxyHttpKeepAliveTimeoutExample

Get to know how VCR tests work

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccComputeTargetHttpsProxy_targetHttpsProxyHttpKeepAliveTimeoutExample[Debug log]
TestAccComputeTargetHttpProxy_targetHttpProxyHttpKeepAliveTimeoutExample[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$

---

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccContainerAwsNodePool_BetaBasicHandWritten[Error message] [Debug log]
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccComputeTargetHttpsProxy_targetHttpsProxyHttpKeepAliveTimeoutExample[Debug log]
TestAccComputeTargetHttpProxy_targetHttpProxyHttpKeepAliveTimeoutExample[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$

---

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccContainerAwsNodePool_BetaBasicHandWritten[Error message] [Debug log]
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[roaks3]

Apologies for the delay on this! The changes overall look good, I had a few small comments but nothing major.

The tests are not running for this resource, so to approve we will need you to show evidence of running the test locally. Alternatively, I mentioned an option to switch these fields to another resource where testing is enabled.

[roaks3]

Possibly, but there is currently some work being done with ResourceRef to get it working the way we want, and we are advising teams to avoid adding them for now. (see #8127)

Unrelated, but setting a function_uri within the map value seems like it should be required.

[roaks3]

Honest question because I'm not caught up on your exact use case: is this a user-friendly description?

[roaks3]

Was this addressed?

[roaks3]

Due to hashicorp/terraform-provider-google#13327, tests are currently disabled on this resource. In short, the initial apply (and later the destroy) that is done during tests will clear out other settings on the project.

I think there are two main directions you can go from here:

1. Keep the changes where they are, but keep in mind that this bug is unresolved, so your users may experience difficulties. You can attempt to resolve the bug if you choose, which would help make these new features more usable. For testing, you will need to turn off skip_test locally, and run the test in your own environment to ensure things are working.
2. Move the changes to identityplatform/Config.yaml, which appears to use the same endpoint but without this bug. For testing, you could probably remove the skip_vcr: true so that they run in the PR, otherwise you will need to run the test in your own environment.

[roaks3]

I'm not sure this was addressed either. It seems like you're choosing to keep the changes in this resource (cc @tylerg-dev who I see is a reviewer and also authored identityplatform/Config.yaml #6587).

Either way, you will need to provide some sort of proof (ie. output) from running the acceptance tests.

[tylerg-dev]

I can't see why we'd have a duplicate at all? this one has more fields, but those should have just been merged into the initially added resource.
At this point do we have a way to combine them back together (and properly use field-masks to avoid the bug listed above)

[roaks3]

Yea, the second resources was added with #6679, and I believe it was created due to a miscommunication combined with unfortunate timing. Since users could be using the newer resource, we cannot simply remove or merge it, but we could choose to start down the deprecation process and remove it in the next major release.

Ideally, I think the fields on this resource should be moved to yours, and this resource removed.

[rainshen49]

Since this will go into the docs, how about let's put the default domains here? This way even if they didn't visit Firebase's docs, they still have some clue to follow.

authorized_domains = ["localhost", "${projectId}.firebaseapp.com", "${projectId}.web.app"]

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 561 insertions(+))
Terraform Beta: Diff ( 2 files changed, 561 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: authorized_domains, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.forward_inbound_credentials.refresh_token, blocking_functions.triggers.event_type, blocking_functions.triggers.function_uri, quota.sign_up_quota_config.quota_duration, quota.sign_up_quota_config.start_time, quota.sign_up_quota_config.quota

Please add acceptance tests which include these fields.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 561 insertions(+))
Terraform Beta: Diff ( 2 files changed, 561 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: blocking_functions.forward_inbound_credentials.id_token, blocking_functions.forward_inbound_credentials.refresh_token, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.triggers.event_type, blocking_functions.triggers.function_uri, quota.sign_up_quota_config.start_time, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, authorized_domains

Please add acceptance tests which include these fields.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 565 insertions(+))
Terraform Beta: Diff ( 2 files changed, 565 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: authorized_domains, blocking_functions.triggers.function_uri, blocking_functions.triggers.event_type, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.forward_inbound_credentials.refresh_token, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, quota.sign_up_quota_config.start_time

Please add acceptance tests which include these fields.

[modular-magician]

Tests analytics

Total tests: 2852
Passed tests 2554
Skipped tests: 296
Affected tests: 2

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccContainerAwsNodePool_BetaBasicHandWritten|TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccContainerAwsNodePool_BetaBasicHandWritten[Error message] [Debug log]
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[rainshen49]

I was thinking more of doing it properly, like "<%= ctx[:vars]['project_id'] %>", or actually put in a data source and reference.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 2 files changed, 565 insertions(+))
Terraform Beta: Diff ( 2 files changed, 565 insertions(+))
TF Conversion: Diff ( 3 files changed, 202 insertions(+), 3 deletions(-))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_identity_platform_project_default_config (0 total tests)
Untested fields: authorized_domains, blocking_functions.triggers.event_type, blocking_functions.triggers.function_uri, blocking_functions.forward_inbound_credentials.access_token, blocking_functions.forward_inbound_credentials.id_token, blocking_functions.forward_inbound_credentials.refresh_token, quota.sign_up_quota_config.quota, quota.sign_up_quota_config.quota_duration, quota.sign_up_quota_config.start_time

Please add acceptance tests which include these fields.

[modular-magician]

Tests analytics

Total tests: 2853
Passed tests 2553
Skipped tests: 297
Affected tests: 3

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

TestAccHealthcareFhirStore_healthcareFhirStoreBasicExample|TestAccContainerAwsNodePool_BetaBasicHandWritten|TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccHealthcareFhirStore_healthcareFhirStoreBasicExample[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$

---

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccContainerAwsNodePool_BetaBasicHandWritten[Error message] [Debug log]
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

[roaks3]

I think a few things were not addressed, and we will need to confirm tests pass before approval

[roaks3]

Was this addressed?

[roaks3]

I'm not sure this was addressed either. It seems like you're choosing to keep the changes in this resource (cc @tylerg-dev who I see is a reviewer and also authored identityplatform/Config.yaml #6587).

Either way, you will need to provide some sort of proof (ie. output) from running the acceptance tests.