Merge pull request GoogleCloudPlatform#1 from drebes/privateca-resource

Add example/test

.ci/gcb-downstream-builder.yml

@@ -10,4 +10,7 @@ steps:
             '--cache-from', 'gcr.io/$PROJECT_ID/downstream-builder:latest',
             './.ci/containers/downstream-builder'
         ]
+# the downstream-builder takes around 15 minutes to build
+timeout: "8000s"
+# note: this container is also used for the run-rake-tests build
 images: ['gcr.io/$PROJECT_ID/downstream-builder:latest']

.ci/gcb-run-rake-tests.yml

@@ -0,0 +1,9 @@
+---
+steps:
+- name: 'gcr.io/$PROJECT_ID/downstream-builder'
+  id: run-rake-tests
+  entrypoint: bundle
+  args:
+      - exec
+      - rake
+      - test

products/bigquerydatatransfer/api.yaml

@@ -138,6 +138,17 @@ objects:
               - schedule_options.0.disable_auto_scheduling
               - schedule_options.0.start_time
               - schedule_options.0.end_time
+      - !ruby/object:Api::Type::NestedObject
+        name: 'emailPreferences'
+        description: |
+          Email notifications will be sent according to these preferences to the
+          email address of the user who owns this transfer config.
+        properties:
+          - !ruby/object:Api::Type::Boolean
+            name: 'enableFailureEmail'
+            required: true
+            description: |
+              If true, email notifications will be sent on transfer run failures.
       - !ruby/object:Api::Type::String
           name: 'notificationPubsubTopic'
           description: |

products/billingbudget/api.yaml

@@ -13,7 +13,8 @@
 
 --- !ruby/object:Api::Product
 name: Billing
-display_name: Billing Budget
+# Strictly speaking it should be Billing Budget but setting it to Cloud Billing will put in the same doc section as billing accounts.
+display_name: Cloud Billing 
 versions:
   - !ruby/object:Api::Product::Version
     name: beta

products/compute/api.yaml

@@ -13886,6 +13886,7 @@ objects:
             description: |
               Export filter used to define which VPC flow logs should be logged, as as CEL expression. See
               https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field.
+              The default value is 'true', which evaluates to include everything.
             default_value: "true"
     references: !ruby/object:Api::Resource::ReferenceLinks
       guides:

products/iambeta/api.yaml

@@ -71,14 +71,14 @@ objects:
         name: 'state'
         description: |
           The state of the pool.
-          STATE_UNSPECIFIED: State unspecified.
-          ACTIVE: The pool is active, and may be used in Google Cloud policies.
-          DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
-          approximately 30 days. You can restore a soft-deleted pool using
-          UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
-          permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
-          use existing tokens to access resources. If the pool is undeleted, existing tokens grant
-          access again.
+          * STATE_UNSPECIFIED: State unspecified.
+          * ACTIVE: The pool is active, and may be used in Google Cloud policies.
+          * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
+            approximately 30 days. You can restore a soft-deleted pool using
+            UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
+            permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
+            use existing tokens to access resources. If the pool is undeleted, existing tokens grant
+            access again.
         output: true
         values:
           - :STATE_UNSPECIFIED
@@ -94,11 +94,199 @@ objects:
         name: 'name'
         description: |
           The resource name of the pool as
-          `projects/<projectnumber>/locations/global/workloadIdentityPools/<id>`.
+          `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`.
         output: true
       - !ruby/object:Api::Type::Boolean
         name: 'disabled'
         description: |
           Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
           existing tokens to access resources. If the pool is re-enabled, existing tokens grant
           access again.
+  - !ruby/object:Api::Resource
+    name: 'WorkloadIdentityPoolProvider'
+    min_version: beta
+    base_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers
+    self_link: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
+    create_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers?workloadIdentityPoolProviderId={{workload_identity_pool_provider_id}}
+    update_verb: :PATCH
+    update_mask: true
+    description: A configuration for an external identity provider.
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Managing workload identity providers':
+          'https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers'
+      api: 'https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools.providers'
+    properties:
+      - !ruby/object:Api::Type::String
+         name: 'workloadIdentityPoolId'
+         description: |
+           The ID used for the pool, which is the final component of the pool resource name. This
+           value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+           `gcp-` is reserved for use by Google, and may not be specified.
+         required: true
+         input: true
+         url_param_only: true
+      - !ruby/object:Api::Type::String
+         name: 'workloadIdentityPoolProviderId'
+         description: |
+           The ID for the provider, which becomes the final component of the resource name. This
+           value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+           `gcp-` is reserved for use by Google, and may not be specified.
+         required: true
+         input: true
+         url_param_only: true
+      - !ruby/object:Api::Type::Enum
+        name: 'state'
+        description: |
+          The state of the provider.
+          * STATE_UNSPECIFIED: State unspecified.
+          * ACTIVE: The provider is active, and may be used to validate authentication credentials.
+          * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted
+            after approximately 30 days. You can restore a soft-deleted provider using
+            UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider
+            until it is permanently deleted.
+        output: true
+        values:
+          - :STATE_UNSPECIFIED
+          - :ACTIVE
+          - :DELETED
+      - !ruby/object:Api::Type::String
+        name: 'displayName'
+        description: A display name for the provider. Cannot exceed 32 characters.
+      - !ruby/object:Api::Type::String
+        name: 'description'
+        description: A description for the provider. Cannot exceed 256 characters.
+      - !ruby/object:Api::Type::String
+        name: 'name'
+        description: |
+          The resource name of the provider as
+          `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
+        output: true
+      - !ruby/object:Api::Type::Boolean
+        name: 'disabled'
+        description: |
+          Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
+          However, existing tokens still grant access.
+      - !ruby/object:Api::Type::KeyValuePairs
+        name: 'attributeMapping'
+        description: |
+          Maps attributes from authentication credentials issued by an external identity provider
+          to Google Cloud attributes, such as `subject` and `segment`.
+
+          Each key must be a string specifying the Google Cloud IAM attribute to map to.
+
+          The following keys are supported:
+            * `google.subject`: The principal IAM is authenticating. You can reference this value
+              in IAM bindings. This is also the subject that appears in Cloud Logging logs.
+              Cannot exceed 127 characters.
+            * `google.groups`: Groups the external identity belongs to. You can grant groups
+              access to resources using an IAM `principalSet` binding; access applies to all
+              members of the group.
+
+          You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
+          where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
+          define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
+          is 100 characters, and the key may only contain the characters [a-z0-9_].
+
+          You can reference these attributes in IAM policies to define fine-grained access for a
+          workload to Google Cloud resources. For example:
+            * `google.subject`:
+              `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
+            * `google.groups`:
+              `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
+            * `attribute.{custom_attribute}`:
+              `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
+
+          Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
+          function that maps an identity provider credential to the normalized attribute specified
+          by the corresponding map key.
+
+          You can use the `assertion` keyword in the expression to access a JSON representation of
+          the authentication credential issued by the provider.
+
+          The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
+          the total size of all mapped attributes must not exceed 8KB.
+
+          For AWS providers, the following rules apply:
+            - If no attribute mapping is defined, the following default mapping applies:
+              ```
+              {
+                "google.subject":"assertion.arn",
+                "attribute.aws_role":
+                  "assertion.arn.contains('assumed-role')"
+                  " ? assertion.arn.extract('{account_arn}assumed-role/')"
+                  "   + 'assumed-role/'"
+                  "   + assertion.arn.extract('assumed-role/{role_name}/')"
+                  " : assertion.arn",
+              }
+              ```
+            - If any custom attribute mappings are defined, they must include a mapping to the
+              `google.subject` attribute.
+
+          For OIDC providers, the following rules apply:
+            - Custom attribute mappings must be defined, and must include a mapping to the
+              `google.subject` attribute. For example, the following maps the `sub` claim of the
+              incoming credential to the `subject` attribute on a Google token.
+              ```
+              {"google.subject": "assertion.sub"}
+              ```
+      - !ruby/object:Api::Type::String
+        name: 'attributeCondition'
+        description: |
+          [A Common Expression Language](https://opensource.google/projects/cel) expression, in
+          plain text, to restrict what otherwise valid authentication credentials issued by the
+          provider should not be accepted.
+
+          The expression must output a boolean representing whether to allow the federation.
+
+          The following keywords may be referenced in the expressions:
+            * `assertion`: JSON representing the authentication credential issued by the provider.
+            * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`.
+            * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`.
+
+          The maximum length of the attribute condition expression is 4096 characters. If
+          unspecified, all valid authentication credential are accepted.
+
+          The following example shows how to only allow credentials with a mapped `google.groups`
+          value of `admins`:
+          ```
+          "'admins' in google.groups"
+          ```
+      - !ruby/object:Api::Type::NestedObject
+        name: aws
+        description: An Amazon Web Services identity provider. Not compatible with the property oidc.
+        exactly_one_of:
+          - aws
+          - oidc
+        properties:
+          - !ruby/object:Api::Type::String
+            name: accountId
+            description: The AWS account ID.
+            required: true
+      - !ruby/object:Api::Type::NestedObject
+        name: oidc
+        description: An OpenId Connect 1.0 identity provider. Not compatible with the property aws.
+        exactly_one_of:
+          - aws
+          - oidc
+        properties:
+          - !ruby/object:Api::Type::Array
+            name: allowedAudiences
+            item_type: Api::Type::String
+            description: |
+              Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange
+              requests are rejected if the token audience does not match one of the configured
+              values. Each audience may be at most 256 characters. A maximum of 10 audiences may
+              be configured.
+
+              If this list is empty, the OIDC token audience must be equal to the full canonical
+              resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
+              For example:
+              ```
+              //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+              https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+              ```
+          - !ruby/object:Api::Type::String
+            name: issuerUri
+            description: The OIDC issuer URL.
+            required: true

products/iambeta/terraform.yaml

@@ -30,15 +30,54 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         vars:
           workload_identity_pool_id: "example-pool"
         min_version: beta
-    docs: !ruby/object:Provider::Terraform::Docs
-      attributes: |
-        * `self_link`: The self link of the created WorkloadIdentityPool in the format `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`
     custom_code: !ruby/object:Provider::Terraform::CustomCode
       constants: templates/terraform/constants/iam_workload_identity_pool.go.erb
+      decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb
+      test_check_destroy: templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.erb
     properties:
       workloadIdentityPoolId: !ruby/object:Overrides::Terraform::PropertyOverride
         validation: !ruby/object:Provider::Terraform::Validation
           function: 'validateWorkloadIdentityPoolId'
+  WorkloadIdentityPoolProvider: !ruby/object:Overrides::Terraform::ResourceOverride
+    autogen_async: true
+    import_format: ["projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}"]
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "iam_workload_identity_pool_provider_aws_basic"
+        primary_resource_id: "example"
+        vars:
+          workload_identity_pool_id: "example-pool"
+          workload_identity_pool_provider_id: "example-prvdr"
+        min_version: beta
+      - !ruby/object:Provider::Terraform::Examples
+        name: "iam_workload_identity_pool_provider_aws_full"
+        primary_resource_id: "example"
+        vars:
+          workload_identity_pool_id: "example-pool"
+          workload_identity_pool_provider_id: "example-prvdr"
+        min_version: beta
+      - !ruby/object:Provider::Terraform::Examples
+        name: "iam_workload_identity_pool_provider_oidc_basic"
+        primary_resource_id: "example"
+        vars:
+          workload_identity_pool_id: "example-pool"
+          workload_identity_pool_provider_id: "example-prvdr"
+        min_version: beta
+      - !ruby/object:Provider::Terraform::Examples
+        name: "iam_workload_identity_pool_provider_oidc_full"
+        primary_resource_id: "example"
+        vars:
+          workload_identity_pool_id: "example-pool"
+          workload_identity_pool_provider_id: "example-prvdr"
+        min_version: beta
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb
+      decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb
+      test_check_destroy: templates/terraform/custom_check_destroy/iam_workload_identity_pool_provider.go.erb
+    properties:
+      workloadIdentityPoolProviderId: !ruby/object:Overrides::Terraform::PropertyOverride
+        validation: !ruby/object:Provider::Terraform::Validation
+          function: 'validateWorkloadIdentityPoolProviderId'
 # This is for copying files over
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.