From 8384d021a6ec0f86d084e92934683307e8695105 Mon Sep 17 00:00:00 2001
From: megan07
Date: Wed, 25 Sep 2019 15:48:04 +0000
Subject: [PATCH] add storage bucket access control
Signed-off-by: Modular Magician
---
 google/provider.go | 5 +-
 .../resource_storage_bucket_access_control.go | 315 ++++++++++++++++++
 ...ge_bucket_access_control_generated_test.go | 88 +++++
 ...urce_storage_bucket_access_control_test.go | 56 ++++
 ...torage_bucket_access_control.html.markdown | 143 ++++++++
 website/google.erb | 4 +
 6 files changed, 609 insertions(+), 2 deletions(-)
 create mode 100644 google/resource_storage_bucket_access_control.go
 create mode 100644 google/resource_storage_bucket_access_control_generated_test.go
 create mode 100644 google/resource_storage_bucket_access_control_test.go
 create mode 100644 website/docs/r/storage_bucket_access_control.html.markdown
diff --git a/google/provider.go b/google/provider.go
index 4f150dd4c42..e30199520e8 100644
--- a/google/provider.go
+++ b/google/provider.go
@@ -429,9 +429,9 @@ func Provider() terraform.ResourceProvider {
 return provider
 }
 
-// Generated resources: 78
+// Generated resources: 79
 // Generated IAM resources: 24
-// Total generated resources: 102
+// Total generated resources: 103
 func ResourceMap() map[string]*schema.Resource {
 resourceMap, _ := ResourceMapWithErrors()
 return resourceMap
@@ -539,6 +539,7 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 "google_spanner_instance": resourceSpannerInstance(),
 "google_spanner_database": resourceSpannerDatabase(),
 "google_sql_database": resourceSQLDatabase(),
+ "google_storage_bucket_access_control": resourceStorageBucketAccessControl(),
 "google_storage_object_access_control": resourceStorageObjectAccessControl(),
 "google_storage_default_object_access_control": resourceStorageDefaultObjectAccessControl(),
 "google_tpu_node": resourceTPUNode(),
diff --git a/google/resource_storage_bucket_access_control.go b/google/resource_storage_bucket_access_control.go
new file mode 100644
index 00000000000..959056d2760
--- /dev/null
+++ b/google/resource_storage_bucket_access_control.go
@@ -0,0 +1,315 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+ "fmt"
+ "log"
+ "reflect"
+ "time"
+
+ "github.com/hashicorp/terraform/helper/schema"
+ "github.com/hashicorp/terraform/helper/validation"
+)
+
+func resourceStorageBucketAccessControl() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceStorageBucketAccessControlCreate,
+ Read: resourceStorageBucketAccessControlRead,
+ Update: resourceStorageBucketAccessControlUpdate,
+ Delete: resourceStorageBucketAccessControlDelete,
+
+ Importer: &schema.ResourceImporter{
+ State: resourceStorageBucketAccessControlImport,
+ },
+
+ Timeouts: &schema.ResourceTimeout{
+ Create: schema.DefaultTimeout(4 * time.Minute),
+ Update: schema.DefaultTimeout(4 * time.Minute),
+ Delete: schema.DefaultTimeout(4 * time.Minute),
+ },
+
+ Schema: map[string]*schema.Schema{
+ "bucket": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ DiffSuppressFunc: compareSelfLinkOrResourceName,
+ },
+ "entity": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+ "role": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"OWNER", "READER", "WRITER", ""}, false),
+ },
+ "domain": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "email": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "entity_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "project_team": {
+ Type: schema.TypeList,
+ Computed: true,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "project_number": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "team": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"editors", "owners", "viewers", ""}, false),
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
+func resourceStorageBucketAccessControlCreate(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ obj := make(map[string]interface{})
+ bucketProp, err := expandStorageBucketAccessControlBucket(d.Get("bucket"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("bucket"); !isEmptyValue(reflect.ValueOf(bucketProp)) && (ok || !reflect.DeepEqual(v, bucketProp)) {
+ obj["bucket"] = bucketProp
+ }
+ entityProp, err := expandStorageBucketAccessControlEntity(d.Get("entity"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("entity"); !isEmptyValue(reflect.ValueOf(entityProp)) && (ok || !reflect.DeepEqual(v, entityProp)) {
+ obj["entity"] = entityProp
+ }
+ roleProp, err := expandStorageBucketAccessControlRole(d.Get("role"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("role"); !isEmptyValue(reflect.ValueOf(roleProp)) && (ok || !reflect.DeepEqual(v, roleProp)) {
+ obj["role"] = roleProp
+ }
+
+ url, err := replaceVars(d, config, "{{StorageBasePath}}b/{{bucket}}/acl")
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Creating new BucketAccessControl: %#v", obj)
+ res, err := sendRequestWithTimeout(config, "POST", "", url, obj, d.Timeout(schema.TimeoutCreate))
+ if err != nil {
+ return fmt.Errorf("Error creating BucketAccessControl: %s", err)
+ }
+
+ // Store the ID now
+ id, err := replaceVars(d, config, "{{bucket}}/{{entity}}")
+ if err != nil {
+ return fmt.Errorf("Error constructing id: %s", err)
+ }
+ d.SetId(id)
+
+ log.Printf("[DEBUG] Finished creating BucketAccessControl %q: %#v", d.Id(), res)
+
+ return resourceStorageBucketAccessControlRead(d, meta)
+}
+
+func resourceStorageBucketAccessControlRead(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ url, err := replaceVars(d, config, "{{StorageBasePath}}b/{{bucket}}/acl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ res, err := sendRequest(config, "GET", "", url, nil)
+ if err != nil {
+ return handleNotFoundError(err, d, fmt.Sprintf("StorageBucketAccessControl %q", d.Id()))
+ }
+
+ if err := d.Set("bucket", flattenStorageBucketAccessControlBucket(res["bucket"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+ if err := d.Set("domain", flattenStorageBucketAccessControlDomain(res["domain"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+ if err := d.Set("email", flattenStorageBucketAccessControlEmail(res["email"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+ if err := d.Set("entity", flattenStorageBucketAccessControlEntity(res["entity"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+ if err := d.Set("entity_id", flattenStorageBucketAccessControlEntityId(res["entityId"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+ if err := d.Set("project_team", flattenStorageBucketAccessControlProjectTeam(res["projectTeam"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+ if err := d.Set("role", flattenStorageBucketAccessControlRole(res["role"], d)); err != nil {
+ return fmt.Errorf("Error reading BucketAccessControl: %s", err)
+ }
+
+ return nil
+}
+
+func resourceStorageBucketAccessControlUpdate(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ obj := make(map[string]interface{})
+ bucketProp, err := expandStorageBucketAccessControlBucket(d.Get("bucket"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("bucket"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, bucketProp)) {
+ obj["bucket"] = bucketProp
+ }
+ entityProp, err := expandStorageBucketAccessControlEntity(d.Get("entity"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("entity"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, entityProp)) {
+ obj["entity"] = entityProp
+ }
+ roleProp, err := expandStorageBucketAccessControlRole(d.Get("role"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("role"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, roleProp)) {
+ obj["role"] = roleProp
+ }
+
+ url, err := replaceVars(d, config, "{{StorageBasePath}}b/{{bucket}}/acl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Updating BucketAccessControl %q: %#v", d.Id(), obj)
+ _, err = sendRequestWithTimeout(config, "PUT", "", url, obj, d.Timeout(schema.TimeoutUpdate))
+
+ if err != nil {
+ return fmt.Errorf("Error updating BucketAccessControl %q: %s", d.Id(), err)
+ }
+
+ return resourceStorageBucketAccessControlRead(d, meta)
+}
+
+func resourceStorageBucketAccessControlDelete(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ url, err := replaceVars(d, config, "{{StorageBasePath}}b/{{bucket}}/acl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ var obj map[string]interface{}
+ log.Printf("[DEBUG] Deleting BucketAccessControl %q", d.Id())
+
+ res, err := sendRequestWithTimeout(config, "DELETE", "", url, obj, d.Timeout(schema.TimeoutDelete))
+ if err != nil {
+ return handleNotFoundError(err, d, "BucketAccessControl")
+ }
+
+ log.Printf("[DEBUG] Finished deleting BucketAccessControl %q: %#v", d.Id(), res)
+ return nil
+}
+
+func resourceStorageBucketAccessControlImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ config := meta.(*Config)
+ if err := parseImportId([]string{
+ "(?P[^/]+)/(?P[^/]+)",
+ }, d, config); err != nil {
+ return nil, err
+ }
+
+ // Replace import id for the resource id
+ id, err := replaceVars(d, config, "{{bucket}}/{{entity}}")
+ if err != nil {
+ return nil, fmt.Errorf("Error constructing id: %s", err)
+ }
+ d.SetId(id)
+
+ return []*schema.ResourceData{d}, nil
+}
+
+func flattenStorageBucketAccessControlBucket(v interface{}, d *schema.ResourceData) interface{} {
+ if v == nil {
+ return v
+ }
+ return ConvertSelfLinkToV1(v.(string))
+}
+
+func flattenStorageBucketAccessControlDomain(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func flattenStorageBucketAccessControlEmail(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func flattenStorageBucketAccessControlEntity(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func flattenStorageBucketAccessControlEntityId(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func flattenStorageBucketAccessControlProjectTeam(v interface{}, d *schema.ResourceData) interface{} {
+ if v == nil {
+ return nil
+ }
+ original := v.(map[string]interface{})
+ if len(original) == 0 {
+ return nil
+ }
+ transformed := make(map[string]interface{})
+ transformed["project_number"] =
+ flattenStorageBucketAccessControlProjectTeamProjectNumber(original["projectNumber"], d)
+ transformed["team"] =
+ flattenStorageBucketAccessControlProjectTeamTeam(original["team"], d)
+ return []interface{}{transformed}
+}
+func flattenStorageBucketAccessControlProjectTeamProjectNumber(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func flattenStorageBucketAccessControlProjectTeamTeam(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func flattenStorageBucketAccessControlRole(v interface{}, d *schema.ResourceData) interface{} {
+ return v
+}
+
+func expandStorageBucketAccessControlBucket(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandStorageBucketAccessControlEntity(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandStorageBucketAccessControlRole(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+ return v, nil
+}
diff --git a/google/resource_storage_bucket_access_control_generated_test.go b/google/resource_storage_bucket_access_control_generated_test.go
new file mode 100644
index 00000000000..8f032c4e719
--- /dev/null
+++ b/google/resource_storage_bucket_access_control_generated_test.go
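Review bot: The `entity` and `role` schema entries carry no `Description`, although the documentation in this commit lists `allUsers` and `allAuthenticatedUsers` among the accepted entity forms and the example grants `allUsers` READER, which makes the bucket listing publicly readable; a description such as `Description: "Entity holding the permission. The allUsers form grants the role anonymously and allAuthenticatedUsers to any authenticated account, not only project members."` would surface that wherever the provider schema is rendered. The import pattern passed to `parseImportId` appears here as `(?P[^/]+)/(?P[^/]+)` with no capture-group names; if the file really reads that way rather than this being a rendering artifact, the regexp will not compile and the `{{bucket}}/{{entity}}` id substitution has nothing to read. This file is marked auto-generated, so either change belongs in the generator template rather than here.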
@@ -0,0 +1,88 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package google
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccStorageBucketAccessControl_storageBucketAccessControlPublicBucketExample(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "random_suffix": acctest.RandString(10),
+ }
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckStorageBucketAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccStorageBucketAccessControl_storageBucketAccessControlPublicBucketExample(context),
+ },
+ {
+ ResourceName: "google_storage_bucket_access_control.public_rule",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccStorageBucketAccessControl_storageBucketAccessControlPublicBucketExample(context map[string]interface{}) string {
+ return Nprintf(`
+resource "google_storage_bucket_access_control" "public_rule" {
+ bucket = google_storage_bucket.bucket.name
+ role = "READER"
+ entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = "static-content-bucket%{random_suffix}"
+}
+`, context)
+}
+
+func testAccCheckStorageBucketAccessControlDestroy(s *terraform.State) error {
+ for name, rs := range s.RootModule().Resources {
+ if rs.Type != "google_storage_bucket_access_control" {
+ continue
+ }
+ if strings.HasPrefix(name, "data.") {
+ continue
+ }
+
+ config := testAccProvider.Meta().(*Config)
+
+ url, err := replaceVarsForTest(config, rs, "{{StorageBasePath}}b/{{bucket}}/acl/{{entity}}")
+ if err != nil {
+ return err
+ }
+
+ _, err = sendRequest(config, "GET", "", url, nil)
+ if err == nil {
+ return fmt.Errorf("StorageBucketAccessControl still exists at %s", url)
+ }
+ }
+
+ return nil
+}
diff --git a/google/resource_storage_bucket_access_control_test.go b/google/resource_storage_bucket_access_control_test.go
new file mode 100644
index 00000000000..ac5d5063de6
--- /dev/null
+++ b/google/resource_storage_bucket_access_control_test.go
@@ -0,0 +1,56 @@
+package google
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccStorageBucketAccessControl_update(t *testing.T) {
+ t.Parallel()
+
+ bucketName := testBucketName()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ if errObjectAcl != nil {
+ panic(errObjectAcl)
+ }
+ testAccPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckStorageObjectAccessControlDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleStorageBucketAccessControlBasic(bucketName, "READER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_bucket_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testGoogleStorageBucketAccessControlBasic(bucketName, "OWNER", "allUsers"),
+ },
+ {
+ ResourceName: "google_storage_bucket_access_control.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testGoogleStorageBucketAccessControlBasic(bucketName, role, entity string) string {
+ return fmt.Sprintf(`
+resource "google_storage_bucket_access_control" "default" {
+ bucket = google_storage_bucket.bucket.name
+ role = "%s"
+ entity = "%s"
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = "%s"
+}
+`, role, entity, bucketName)
+}
diff --git a/website/docs/r/storage_bucket_access_control.html.markdown b/website/docs/r/storage_bucket_access_control.html.markdown
new file mode 100644
index 00000000000..fbce4578bab
--- /dev/null
+++ b/website/docs/r/storage_bucket_access_control.html.markdown
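Review bot: `CheckDestroy: testAccCheckStorageObjectAccessControlDestroy,` verifies object ACLs, but this test only creates `google_storage_bucket_access_control` resources, so the bucket-ACL destroy check that this same commit adds in the generated test file is never exercised here and a leaked bucket ACL would go unnoticed. Change it to `CheckDestroy: testAccCheckStorageBucketAccessControlDestroy,`. The `errObjectAcl` guard in `PreCheck` presumably comes from the object-ACL test fixtures as well; confirm it is needed for a test that does not touch object ACLs.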
@@ -0,0 +1,143 @@
+---
+# ----------------------------------------------------------------------------
+#
+# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+#
+# ----------------------------------------------------------------------------
+#
+# This file is automatically generated by Magic Modules and manual
+# changes will be clobbered when the file is regenerated.
+#
+# Please read more about how to change this file in
+# .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+layout: "google"
+page_title: "Google: google_storage_bucket_access_control"
+sidebar_current: "docs-google-storage-bucket-access-control"
+description: |-
+ The BucketAccessControls resource represents the Access Control Lists
+ (ACLs) for buckets within Google Cloud Storage.
+---
+
+# google\_storage\_bucket\_access\_control
+
+The BucketAccessControls resource represents the Access Control Lists
+(ACLs) for buckets within Google Cloud Storage. ACLs let you specify who
+has access to your data and to what extent.
+
+There are three roles that can be assigned to an entity:
+
+READERs can get the bucket, though no acl property will be returned, and
+list the bucket's objects. WRITERs are READERs, and they can insert
+objects into the bucket and delete the bucket's objects. OWNERs are
+WRITERs, and they can get the acl property of a bucket, update a bucket,
+and call all BucketAccessControls methods on the bucket. For more
+information, see Access Control, with the caveat that this API uses
+READER, WRITER, and OWNER instead of READ, WRITE, and FULL_CONTROL.
+
+
+
+
+## Example Usage - Storage Bucket Access Control Public Bucket
+
+
+```hcl
+resource "google_storage_bucket_access_control" "public_rule" {
+ bucket = google_storage_bucket.bucket.name
+ role = "READER"
+ entity = "allUsers"
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = "static-content-bucket"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `bucket` -
+ (Required)
+ The name of the bucket.
+
+* `entity` -
+ (Required)
+ The entity holding the permission, in one of the following forms:
+ user-userId
+ user-email
+ group-groupId
+ group-email
+ domain-domain
+ project-team-projectId
+ allUsers
+ allAuthenticatedUsers
+ Examples:
+ The user liz@example.com would be user-liz@example.com.
+ The group example@googlegroups.com would be
+ group-example@googlegroups.com.
+ To refer to all members of the Google Apps for Business domain
+ example.com, the entity would be domain-example.com.
+
+
+- - -
+
+
+* `role` -
+ (Optional)
+ The access permission for the entity.
+
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+
+* `domain` -
+ The domain associated with the entity.
+
+* `email` -
+ The email address associated with the entity.
+
+* `entity_id` -
+ The ID for the entity
+
+* `project_team` -
+ The project team associated with the entity Structure is documented below.
+
+
+The `project_team` block contains:
+
+* `project_number` -
+ (Optional)
+ The project team associated with the entity
+
+* `team` -
+ (Optional)
+ The team.
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
+
+- `create` - Default is 4 minutes.
+- `update` - Default is 4 minutes.
+- `delete` - Default is 4 minutes.
+
+## Import
+
+BucketAccessControl can be imported using any of these accepted formats:
+
+```
+$ terraform import google_storage_bucket_access_control.default {{bucket}}/{{entity}}
+```
+
+-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
+as an argument so that Terraform uses the correct provider to import your resource.
diff --git a/website/google.erb b/website/google.erb
index 62cb445305c..11609da61aa 100644
--- a/website/google.erb
+++ b/website/google.erb
@@ -1061,6 +1061,10 @@ google_storage_bucket + > + google_storage_bucket_access_control + + > google_storage_bucket_acl