rewrite - fix GA diffs + small refresh (GoogleCloudPlatform#11642)

BBBmau · Sep 5, 2024 · bf76ec3 · bf76ec3
1 parent 4f35c8a
commit bf76ec3
Show file tree

Hide file tree

Showing 29 changed files with 307 additions and 111 deletions.
diff --git a/mmv1/api/resource.go b/mmv1/api/resource.go
@@ -349,6 +349,9 @@ func (r *Resource) SetDefault(product *Product) {
 	for _, property := range r.AllProperties() {
 		property.SetDefault(r)
 	}
+	if r.IamPolicy != nil && r.IamPolicy.MinVersion == "" {
+		r.IamPolicy.MinVersion = r.MinVersion
+	}
 }
 
 func (r *Resource) Validate() {
@@ -430,6 +433,12 @@ func (r Resource) AllProperties() []*Type {
 	return google.Concat(r.Properties, r.Parameters)
 }
 
+func (r Resource) AllPropertiesInVersion() []*Type {
+	return google.Reject(google.Concat(r.Properties, r.Parameters), func(p *Type) bool {
+		return p.Exclude
+	})
+}
+
 // def properties_with_excluded
 func (r Resource) PropertiesWithExcluded() []*Type {
 	return r.Properties
@@ -960,7 +969,7 @@ func (r Resource) Updatable() bool {
 	if !r.Immutable {
 		return true
 	}
-	for _, p := range r.AllProperties() {
+	for _, p := range r.AllPropertiesInVersion() {
 		if p.UpdateUrl != "" {
 			return true
 		}

diff --git a/mmv1/api/type.go b/mmv1/api/type.go
@@ -1422,7 +1422,7 @@ func (t *Type) GetPropertySchemaPath(schemaPath string) string {
 		}
 
 		if index == -1 {
-			continue
+			return ""
 		}
 
 		prop := nestedProps[index]

diff --git a/mmv1/products/certificatemanager/go_Certificate.yaml b/mmv1/products/certificatemanager/go_Certificate.yaml
@@ -133,6 +133,13 @@ properties:
     immutable: true
     diff_suppress_func: 'certManagerDefaultScopeDiffSuppress'
     default_value: "DEFAULT"
+  - name: 'sanDnsnames'
+    type: Array
+    description: |
+      The list of Subject Alternative Names of dnsName type defined in the certificate (see RFC 5280 4.2.1.6)
+    output: true
+    item_type:
+      type: String
   - name: 'selfManaged'
     type: NestedObject
     description: |

diff --git a/mmv1/products/cloudrun/go_Service.yaml b/mmv1/products/cloudrun/go_Service.yaml
@@ -846,15 +846,13 @@ properties:
                       type: NestedObject
                       description: |-
                         A filesystem specified by the Container Storage Interface (CSI).
-                      min_version: 'beta'
                       properties:
                         - name: 'driver'
                           type: String
                           description: |-
                             Unique name representing the type of file system to be created. Cloud Run supports the following values:
                               * gcsfuse.run.googleapis.com: Mount a Google Cloud Storage bucket using GCSFuse. This driver requires the
-                                run.googleapis.com/execution-environment annotation to be set to "gen2" and
-                                run.googleapis.com/launch-stage set to "BETA" or "ALPHA".
+                                run.googleapis.com/execution-environment annotation to be unset or set to "gen2"
                           required: true
                         - name: 'readOnly'
                           type: Boolean
@@ -871,9 +869,7 @@ properties:
                       type: NestedObject
                       description: |-
                         A filesystem backed by a Network File System share. This filesystem requires the
-                        run.googleapis.com/execution-environment annotation to be set to "gen2" and
-                        run.googleapis.com/launch-stage set to "BETA" or "ALPHA".
-                      min_version: 'beta'
+                        run.googleapis.com/execution-environment annotation to be unset or set to "gen2"
                       properties:
                         - name: 'server'
                           type: String

diff --git a/mmv1/products/cloudrunv2/go_Job.yaml b/mmv1/products/cloudrunv2/go_Job.yaml
@@ -522,8 +522,13 @@ properties:
                 - name: 'gcs'
                   type: NestedObject
                   description: |-
-                    Cloud Storage bucket mounted as a volume using GCSFuse. This feature requires the launch stage to be set to ALPHA or BETA.
-                  min_version: 'beta'
+                    Cloud Storage bucket mounted as a volume using GCSFuse.
+                  # exactly_one_of:
+                  #   - template.0.volumes.0.secret
+                  #   - template.0.volumes.0.cloudSqlInstance
+                  #   - template.0.volumes.0.emptyDir
+                  #   - template.0.volumes.0.gcs
+                  #   - template.0.volumes.0.nfs
                   properties:
                     - name: 'bucket'
                       type: String
@@ -537,8 +542,13 @@ properties:
                 - name: 'nfs'
                   type: NestedObject
                   description: |-
-                    NFS share mounted as a volume. This feature requires the launch stage to be set to ALPHA or BETA.
-                  min_version: 'beta'
+                    NFS share mounted as a volume.
+                  # exactly_one_of:
+                  #   - template.0.volumes.0.secret
+                  #   - template.0.volumes.0.cloudSqlInstance
+                  #   - template.0.volumes.0.emptyDir
+                  #   - template.0.volumes.0.gcs
+                  #   - template.0.volumes.0.nfs
                   properties:
                     - name: 'server'
                       type: String

diff --git a/mmv1/products/cloudrunv2/go_Service.yaml b/mmv1/products/cloudrunv2/go_Service.yaml
@@ -139,6 +139,16 @@ examples:
     ignore_read_extra:
       - 'deletion_protection'
     skip_vcr: true
+  - name: 'cloudrunv2_service_mesh'
+    primary_resource_id: 'default'
+    primary_resource_name: 'fmt.Sprintf("tf-test-cloudrun-service-%s", context["random_suffix"])'
+    min_version: 'beta'
+    vars:
+      cloud_run_service_name: 'cloudrun-service'
+      mesh_name: 'network-services-mesh'
+    ignore_read_extra:
+      - 'deletion_protection'
+    external_providers: ["time"]
 virtual_fields:
   - name: 'deletion_protection'
     description: |
@@ -813,7 +823,7 @@ properties:
             - name: 'gcs'
               type: NestedObject
               description: |-
-                Cloud Storage bucket mounted as a volume using GCSFuse. This feature is only supported in the gen2 execution environment and requires launch-stage to be set to ALPHA or BETA.
+                Cloud Storage bucket mounted as a volume using GCSFuse. This feature is only supported in the gen2 execution environment.
               # exactly_one_of:
               #   - template.0.volumes.0.secret
               #   - template.0.volumes.0.cloudSqlInstance
@@ -865,6 +875,16 @@ properties:
         type: Boolean
         description: |-
           Enables session affinity. For more information, go to https://cloud.google.com/run/docs/configuring/session-affinity
+      - name: 'serviceMesh'
+        type: NestedObject
+        description: |-
+          Enables Cloud Service Mesh for this Revision.
+        min_version: 'beta'
+        properties:
+          - name: 'mesh'
+            type: String
+            description: |-
+              The Mesh resource name. For more information see https://cloud.google.com/service-mesh/docs/reference/network-services/rest/v1/projects.locations.meshes#resource:-mesh.
   - name: 'traffic'
     type: Array
     description: |-

diff --git a/mmv1/products/iambeta/go_WorkloadIdentityPoolProvider.yaml b/mmv1/products/iambeta/go_WorkloadIdentityPoolProvider.yaml
@@ -85,6 +85,16 @@ examples:
     vars:
       workload_identity_pool_id: 'example-pool'
       workload_identity_pool_provider_id: 'example-prvdr'
+  - name: 'iam_workload_identity_pool_provider_x509_basic'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_provider_id: 'example-prvdr'
+  - name: 'iam_workload_identity_pool_provider_x509_full'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_provider_id: 'example-prvdr'
 parameters:
 properties:
   - name: 'workloadIdentityPoolId'
@@ -233,6 +243,7 @@ properties:
       - 'aws'
       - 'oidc'
       - 'saml'
+      - 'x509'
     properties:
       - name: 'accountId'
         type: String
@@ -251,6 +262,7 @@ properties:
       - 'aws'
       - 'oidc'
       - 'saml'
+      - 'x509'
     properties:
       - name: 'allowedAudiences'
         type: Array
@@ -309,8 +321,59 @@ properties:
       - 'aws'
       - 'oidc'
       - 'saml'
+      - 'x509'
     properties:
       - name: 'idpMetadataXml'
         type: String
         description: SAML Identity provider configuration metadata xml doc.
         required: true
+  - name: 'x509'
+    type: NestedObject
+    description: |
+      An X.509-type identity provider represents a CA. It is trusted to assert a
+      client identity if the client has a certificate that chains up to this CA.
+    exactly_one_of:
+      - 'aws'
+      - 'oidc'
+      - 'saml'
+      - 'x509'
+    properties:
+      - name: 'trustStore'
+        type: NestedObject
+        description: |
+          A Trust store, use this trust store as a wrapper to config the trust
+          anchor and optional intermediate cas to help build the trust chain for
+          the incoming end entity certificate. Follow the x509 guidelines to
+          define those PEM encoded certs. Only 1 trust store is currently
+          supported.
+        required: true
+        properties:
+          - name: 'trustAnchors'
+            type: Array
+            description: |
+              List of Trust Anchors to be used while performing validation
+              against a given TrustStore. The incoming end entity's certificate
+              must be chained up to one of the trust anchors here.
+            required: true
+            item_type:
+              type: NestedObject
+              properties:
+                - name: 'pemCertificate'
+                  type: String
+                  description: |
+                    PEM certificate of the PKI used for validation. Must only contain one
+                    ca certificate(either root or intermediate cert).
+          - name: 'intermediateCas'
+            type: Array
+            description: |
+              Set of intermediate CA certificates used for building the trust chain to
+              trust anchor.
+              IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
+            item_type:
+              type: NestedObject
+              properties:
+                - name: 'pemCertificate'
+                  type: String
+                  description: |
+                    PEM certificate of the PKI used for validation. Must only contain one
+                    ca certificate(either root or intermediate cert).
diff --git a/mmv1/products/securitycenter/go_NotificationConfig.yaml b/mmv1/products/securitycenter/go_NotificationConfig.yaml
@@ -93,6 +93,8 @@ properties:
     description: |
       The config for triggering streaming-based notifications.
     required: true
+    send_empty_value: true
+    allow_empty_object: true
     update_mask_fields:
       - 'streamingConfig.filter'
     properties:
@@ -125,3 +127,4 @@ properties:
           [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications)
           for information on how to write a filter.
         required: true
+        send_empty_value: true
diff --git a/mmv1/products/securitycenter/go_ProjectNotificationConfig.yaml b/mmv1/products/securitycenter/go_ProjectNotificationConfig.yaml
@@ -87,6 +87,8 @@ properties:
     description: |
       The config for triggering streaming-based notifications.
     required: true
+    send_empty_value: true
+    allow_empty_object: true
     update_mask_fields:
       - 'streamingConfig.filter'
     properties:
@@ -119,3 +121,4 @@ properties:
           [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications)
           for information on how to write a filter.
         required: true
+        send_empty_value: true
diff --git a/mmv1/products/securitycenterv2/go_OrganizationNotificationConfig.yaml b/mmv1/products/securitycenterv2/go_OrganizationNotificationConfig.yaml
@@ -100,6 +100,8 @@ properties:
     description: |
       The config for triggering streaming-based notifications.
     required: true
+    send_empty_value: true
+    allow_empty_object: true
     update_mask_fields:
       - 'streamingConfig.filter'
     properties:
@@ -132,3 +134,4 @@ properties:
           [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications)
           for information on how to write a filter.
         required: true
+        send_empty_value: true
diff --git a/mmv1/products/securitycenterv2/go_ProjectNotificationConfig.yaml b/mmv1/products/securitycenterv2/go_ProjectNotificationConfig.yaml
@@ -97,6 +97,8 @@ properties:
     description: |
       The config for triggering streaming-based notifications.
     required: true
+    send_empty_value: true
+    allow_empty_object: true
     update_mask_fields:
       - 'streamingConfig.filter'
     properties:
@@ -129,3 +131,4 @@ properties:
           [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications)
           for information on how to write a filter.
         required: true
+        send_empty_value: true
diff --git a/mmv1/provider/terraform.go b/mmv1/provider/terraform.go
@@ -25,6 +25,7 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"slices"
 	"strings"
 	"time"
 
@@ -198,7 +199,7 @@ func (t *Terraform) GenerateOperation(outputFolder string) {
 // IAM policies separately from the resource itself
 // def generate_iam_policy(pwd, data, generate_code, generate_docs)
 func (t *Terraform) GenerateIamPolicy(object api.Resource, templateData TemplateData, outputFolder string, generateCode, generateDocs bool) {
-	if generateCode && object.IamPolicy != nil && (object.IamPolicy.MinVersion == "" || object.IamPolicy.MinVersion >= t.TargetVersionName) {
+	if generateCode && object.IamPolicy != nil && (object.IamPolicy.MinVersion == "" || slices.Index(product.ORDER, object.IamPolicy.MinVersion) <= slices.Index(product.ORDER, t.TargetVersionName)) {
 		productName := t.Product.ApiName
 		targetFolder := path.Join(outputFolder, t.FolderName(), "services", productName)
 		if err := os.MkdirAll(targetFolder, os.ModePerm); err != nil {
@@ -993,10 +994,10 @@ func (t Terraform) SupportedProviderVersions() []string {
 		if i == 0 {
 			continue
 		}
-		supported = append(supported, v)
-		if v == t.TargetVersionName {
+		if i > slices.Index(product.ORDER, t.TargetVersionName) {
 			break
 		}
+		supported = append(supported, v)
 	}
 	return supported
 }

diff --git a/mmv1/template-converter.go b/mmv1/template-converter.go
@@ -224,14 +224,14 @@ func replace(data []byte) []byte {
 	if err != nil {
 		log.Fatalf("Cannot compile the regular expression: %v", err)
 	}
-	data = r.ReplaceAll(data, []byte("\n\n$1{{ if or (ne $.TargetVersionName ``) (eq $.TargetVersionName `ga`) }}"))
+	data = r.ReplaceAll(data, []byte("\n\n$1{{ if not (or (eq $.TargetVersionName ``) (eq $.TargetVersionName `ga`)) }}"))
 
 	// Replace <% unless version.nil? || version == ['|"]ga['|"] -%>
 	r, err = regexp.Compile(`<% unless version\.nil\? \|\| version == ['|"]ga['|"] -%>`)
 	if err != nil {
 		log.Fatalf("Cannot compile the regular expression: %v", err)
 	}
-	data = r.ReplaceAll(data, []byte(`{{- if or (ne $.TargetVersionName "") (eq $.TargetVersionName "ga") }}`))
+	data = r.ReplaceAll(data, []byte(`{{- if not (or (eq $.TargetVersionName "") (eq $.TargetVersionName "ga")) }}`))
 
 	// Replace <% if version.nil? || version == ['|"]ga['|"] -%>
 	r, err = regexp.Compile(`<% if version\.nil\? \|\| version == ['|"]ga['|"] -%>`)

diff --git a/mmv1/templates/terraform/examples/go/iam_workload_identity_pool_provider_x509_basic.tf.tmpl b/mmv1/templates/terraform/examples/go/iam_workload_identity_pool_provider_x509_basic.tf.tmpl
@@ -0,0 +1,18 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "{{$.PrimaryResourceId}}" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "{{index $.Vars "workload_identity_pool_provider_id"}}"
+  attribute_mapping                  = {
+    "google.subject"        = "assertion.subject.dn.cn"
+  }
+  x509 {
+    trust_store {
+        trust_anchors {
+            pem_certificate = file("test-fixtures/trust_anchor.pem")
+        }
+    }
+  }
+}
diff --git a/mmv1/templates/terraform/examples/go/iam_workload_identity_pool_provider_x509_full.tf.tmpl b/mmv1/templates/terraform/examples/go/iam_workload_identity_pool_provider_x509_full.tf.tmpl
@@ -0,0 +1,24 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "{{$.PrimaryResourceId}}" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "{{index $.Vars "workload_identity_pool_provider_id"}}"
+  display_name                       = "Name of provider"
+  description                        = "X.509 identity pool provider for automated test"
+  disabled                           = true
+  attribute_mapping                  = {
+    "google.subject"        = "assertion.subject.dn.cn"
+  }
+  x509 {
+    trust_store {
+        trust_anchors {
+            pem_certificate = file("test-fixtures/trust_anchor.pem")
+        }
+        intermediate_cas {
+            pem_certificate = file("test-fixtures/intermediate_ca.pem")
+        }
+    }
+  }
+}