From c5e5fbb850df7c1adf39b79a0558d04bb204b757 Mon Sep 17 00:00:00 2001 From: vgm Date: Mon, 18 Sep 2023 11:32:59 -0700 Subject: [PATCH 01/11] First commit for VPC sub-segmentation feature. All relevant resources and tests updated. --- .../accesscontextmanager/AccessLevel.yaml | 16 +++++++ .../AccessLevelCondition.yaml | 16 +++++++ .../accesscontextmanager/AccessLevels.yaml | 16 +++++++ .../ServicePerimeter.yaml | 44 +++++++++++++++++++ .../ServicePerimeterEgressPolicy.yaml | 22 ++++++++++ .../ServicePerimeters.yaml | 44 +++++++++++++++++++ ...cess_level_with_vpc_network_sources.tf.erb | 20 +++++++++ ...ext_manager_access_level_condition_test.go | 11 +++++ ...s_context_manager_access_level_test.go.erb | 25 ++++++++++- ...cess_context_manager_access_levels_test.go | 23 +++++++--- ...er_service_perimeter_egress_policy_test.go | 4 ++ ...text_manager_service_perimeter_test.go.erb | 4 ++ ...ontext_manager_services_perimeters_test.go | 7 +++ 13 files changed, 244 insertions(+), 8 deletions(-) create mode 100644 mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb diff --git a/mmv1/products/accesscontextmanager/AccessLevel.yaml b/mmv1/products/accesscontextmanager/AccessLevel.yaml index 471c23829f69..66e869784bd6 100644 --- a/mmv1/products/accesscontextmanager/AccessLevel.yaml +++ b/mmv1/products/accesscontextmanager/AccessLevel.yaml 
@@ -243,6 +243,22 @@ properties: countries/regions. Format: A valid ISO 3166-1 alpha-2 code. item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'vpc_network_sources' + description: 'The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ip_subnetworks`.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'vpc_subnetwork' + description: 'Sub networks within a VPC network.' + properties: + - !ruby/object:Api::Type::String + name: 'network' + description: 'Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires `compute.network.get` permission to be granted to caller.' + - !ruby/object:Api::Type::Array + name: 'vpc_ip_subnetworks' + description: 'CIDR block IP subnetwork specification. Must be IPv4.' + item_type: Api::Type::String - !ruby/object:Api::Type::NestedObject name: 'custom' description: | diff --git a/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml b/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml index e8fcca417b03..0b4a2eba5f7c 100644 --- a/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml +++ b/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml 
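Review bot: The new `vpc_network_sources` description says it cannot be combined with `ip_subnetworks`, but the property declares no `conflicts:` for it, so the generated schema accepts both and the user only learns of the conflict from the API at apply time; patch 03 in this series hits exactly that and works around it by deleting `ip_subnetworks` from the condition test. If the generator honours `conflicts` on an Array at this nesting (it is used on the String members of `sources` in ServicePerimeter.yaml in this same series), adding `conflicts:` followed by `- ip_subnetworks` under `vpc_network_sources` would turn the restriction into a plan-time error. The same block is added in the AccessLevelCondition.yaml and AccessLevels.yaml hunks below, so the fix applies there too. Minor wording in the `network` description: `Networks of foreign organizations requires` should read `require`.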
@@ -212,3 +212,19 @@ properties: countries/regions. Format: A valid ISO 3166-1 alpha-2 code. item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'vpc_network_sources' + description: 'The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ip_subnetworks`.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'vpc_subnetwork' + description: 'Sub networks within a VPC network.' + properties: + - !ruby/object:Api::Type::String + name: 'network' + description: 'Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires `compute.network.get` permission to be granted to caller.' + - !ruby/object:Api::Type::Array + name: 'vpc_ip_subnetworks' + description: 'CIDR block IP subnetwork specification. Must be IPv4.' + item_type: Api::Type::String diff --git a/mmv1/products/accesscontextmanager/AccessLevels.yaml b/mmv1/products/accesscontextmanager/AccessLevels.yaml index 2a45c3cc0563..adf6dae21af9 100644 --- a/mmv1/products/accesscontextmanager/AccessLevels.yaml +++ b/mmv1/products/accesscontextmanager/AccessLevels.yaml 
@@ -234,6 +234,22 @@ properties: countries/regions. Format: A valid ISO 3166-1 alpha-2 code. item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'vpc_network_sources' + description: 'The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ip_subnetworks`.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'vpc_subnetwork' + description: 'Sub networks within a VPC network.' + properties: + - !ruby/object:Api::Type::String + name: 'network' + description: 'Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires `compute.network.get` permission to be granted to caller.' + - !ruby/object:Api::Type::Array + name: 'vpc_ip_subnetworks' + description: 'CIDR block IP subnetwork specification. Must be IPv4.' + item_type: Api::Type::String - !ruby/object:Api::Type::NestedObject name: 'custom' description: | diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml index 96c2bf0b5b86..f6c77794d0e9 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml 
@@ -342,6 +342,28 @@ properties: - :ANY_IDENTITY - :ANY_USER_ACCOUNT - :ANY_SERVICE_ACCOUNT + - !ruby/object:Api::Type::Array + name: 'sources' + description: 'Sources that this EgressPolicy authorizes access from.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'access_level' + description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' + conflicts: + - resource + - !ruby/object:Api::Type::String + name: 'resource' + description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' + conflicts: + - access_level + - !ruby/object:Api::Type::Enum + name: 'source_restriction' + description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' + values: + - :SOURCE_RESTRICTION_UNSPECIFIED + - :SOURCE_RESTRICTION_ENABLED + - :SOURCE_RESTRICTION_DISABLED - !ruby/object:Api::Type::Array name: 'identities' description: | 
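Review bot: `source_restriction` lists `SOURCE_RESTRICTION_UNSPECIFIED` as a settable value, whereas the `identity_type` enum in the context lines just above omits its UNSPECIFIED member; unless the API echoes UNSPECIFIED back unchanged, a user who sets it will likely see a perpetual diff, so consider dropping that value for consistency with the neighbouring enum. Separately, each `sources` item only declares `access_level` and `resource` as conflicting with each other, so an empty `sources {}` block passes schema validation and is sent to the API; if the generator supports `exactly_one_of` at this nesting, it would express the one-of intent the descriptions imply. The same `sources`/`source_restriction` block is added in the second ServicePerimeter.yaml hunk and in the ServicePerimeterEgressPolicy.yaml and ServicePerimeters.yaml hunks below.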
@@ -606,6 +628,28 @@ properties: - :ANY_IDENTITY - :ANY_USER_ACCOUNT - :ANY_SERVICE_ACCOUNT + - !ruby/object:Api::Type::Array + name: 'sources' + description: 'Sources that this EgressPolicy authorizes access from.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'access_level' + description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' + conflicts: + - resource + - !ruby/object:Api::Type::String + name: 'resource' + description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' + conflicts: + - access_level + - !ruby/object:Api::Type::Enum + name: 'source_restriction' + description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' + values: + - :SOURCE_RESTRICTION_UNSPECIFIED + - :SOURCE_RESTRICTION_ENABLED + - :SOURCE_RESTRICTION_DISABLED - !ruby/object:Api::Type::Array name: 'identities' description: | diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml index 8ff821cb691b..82a9d36898b0 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml 
@@ -79,6 +79,28 @@ properties: Should be in the format of email address. The email address should represent individual user or service account only. item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'sources' + description: 'Sources that this EgressPolicy authorizes access from.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'access_level' + description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' + conflicts: + - resource + - !ruby/object:Api::Type::String + name: 'resource' + description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' + conflicts: + - access_level + - !ruby/object:Api::Type::Enum + name: 'source_restriction' + description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' + values: + - :SOURCE_RESTRICTION_UNSPECIFIED + - :SOURCE_RESTRICTION_ENABLED + - :SOURCE_RESTRICTION_DISABLED - !ruby/object:Api::Type::NestedObject name: 'egressTo' description: | diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml index 72a41e289a0d..d5fdc81fbfa7 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml 
@@ -329,6 +329,28 @@ properties: Should be in the format of email address. The email address should represent individual user or service account only. item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'sources' + description: 'Sources that this EgressPolicy authorizes access from.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'access_level' + description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' + conflicts: + - resource + - !ruby/object:Api::Type::String + name: 'resource' + description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' + conflicts: + - access_level + - !ruby/object:Api::Type::Enum + name: 'source_restriction' + description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' + values: + - :SOURCE_RESTRICTION_UNSPECIFIED + - :SOURCE_RESTRICTION_ENABLED + - :SOURCE_RESTRICTION_DISABLED - !ruby/object:Api::Type::NestedObject name: 'egressTo' description: | 
@@ -599,6 +621,28 @@ properties: Should be in the format of email address. The email address should represent individual user or service account only. item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'sources' + description: 'Sources that this EgressPolicy authorizes access from.' + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'access_level' + description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' + conflicts: + - resource + - !ruby/object:Api::Type::String + name: 'resource' + description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' + conflicts: + - access_level + - !ruby/object:Api::Type::Enum + name: 'source_restriction' + description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' + values: + - :SOURCE_RESTRICTION_UNSPECIFIED + - :SOURCE_RESTRICTION_ENABLED + - :SOURCE_RESTRICTION_DISABLED - !ruby/object:Api::Type::NestedObject name: 'egressTo' description: | diff --git a/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb b/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb new file mode 100644 index 000000000000..83012c343e35 --- /dev/null +++ b/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb 
@@ -0,0 +1,20 @@
+resource "google_access_context_manager_access_level" "<%= ctx[:primary_resource_id] %>" {
+ parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
+ name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/<%= ctx[:vars]['access_level_name'] %>"
+ title = "<%= ctx[:vars]['access_level_name'] %>"
+ basic {
+ conditions {
+ vpc_network_sources {
+ vpc_subnetwork {
+ network = "some-network-name"
+ vpc_ip_subnetworks = ["20.0.5.0/24"]
+ }
+ }
+ }
+ }
+}
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+ parent = "organizations/123456789"
+ title = "my policy"
+}
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
index 9b21e7384e73..ea3d0cc339bd 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
@@ -154,6 +154,10 @@ resource "google_service_account" "created-later" {
 account_id = "%s"
 }
 
+resource "google_compute_network" "vpc_network" {
+ name = "tf-test"
+}
+
 resource "google_access_context_manager_access_level_condition" "access-level-condition" {
 access_level = google_access_context_manager_access_level.test-access.name
 ip_subnetworks = ["192.0.4.0/24"]
@@ -171,6 +175,13 @@ resource "google_access_context_manager_access_level_condition" "access-level-co
 "IT",
 "US",
 ]
+
+ vpc_network_sources {
+ vpc_subnetwork {
+ network = "//compute.googleapis.com/${google_compute_network.vpc_network.id}"
+ vpc_ip_subnetworks = ["20.0.5.0/24"]
+ }
+ }
 }
 `, org, policyTitle, levelTitleName, levelTitleName, saName)
 }
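Review bot: The example sets `network = "some-network-name"` while every acceptance test in this series passes a full resource path (`//compute.googleapis.com/${google_compute_network.vpc_network.id}`); if the generated example is also run as a test (i.e. not marked `skip_test` in AccessLevel.yaml, which is outside this diff) the bare name will presumably be rejected, and as documentation it contradicts the format the tests establish. Consider adding a `google_compute_network` resource to the example and referencing its id the same way, or at least a comment stating which format the API expects. The hardcoded `parent = "organizations/123456789"` is only acceptable if the example is doc-only.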
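Review bot: `google_compute_network.vpc_network` is created with the fixed name `tf-test`, while the neighbouring `google_service_account` in the same config gets a randomised `tf-test-%s` id via `saName`; a constant name collides with any network left behind by an aborted earlier run in the same project (the tests run serially, so not with each other). Prefer feeding a RandString-based value through the Sprintf arguments, e.g. `name = "%s"` with a `tf-test-…` argument. The same fixed `tf-test` network name is added in the access_level_test.go.erb and access_levels_test.go hunks below. The enclosing `testAccAccessContextManagerAccessLevelCondition_basic` starts outside the hunk.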
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb index d1de435be63f..5546189f8b1f 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb @@ -133,7 +133,30 @@ resource "google_access_context_manager_access_level" "test-access" { } } } -`, org, policyTitle, levelTitleName, levelTitleName) + +resource "google_compute_network" "vpc_network" { + name = "tf-test" +} + +resource "google_access_context_manager_access_level" "test-access2" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s2" + title = "%s2" + description = "hello2" + basic { + combining_function = "AND" + conditions { + vpc_network_sources { + vpc_subnetwork { + network = "//compute.googleapis.com/${google_compute_network.vpc_network.id}" + vpc_ip_subnetworks = ["20.0.5.0/24"] + } + } + } + } +} + +`, org, policyTitle, levelTitleName, levelTitleName, levelTitleName, levelTitleName) } func testAccAccessContextManagerAccessLevel_custom(org, policyTitle, levelTitleName string) string { diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go index 4098e8683ff3..a86d6bf29410 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go 
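Review bot: The `_basic` config now creates a second level `test-access2` carrying the new `vpc_network_sources` block, but the steps of `testAccAccessContextManagerAccessLevel_basicTest` (outside this hunk; its copy is visible in patch 04) only `ImportStateVerify` `google_access_context_manager_access_level.test-access`, so read/import round-tripping of the new fields is never checked. Add a step `ResourceName: "google_access_context_manager_access_level.test-access2", ImportState: true, ImportStateVerify: true,` after the existing import step. The enclosing `testAccAccessContextManagerAccessLevel_basic` starts outside the hunk.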
@@ -138,14 +138,23 @@ resource "google_access_context_manager_access_levels" "test-access" { } } + resource "google_compute_network" "vpc_network" { + name = "tf-test" + } + access_levels { - name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" - title = "%s" - description = "hello again" - basic { - conditions { - ip_subnetworks = ["176.0.4.0/24"] - } + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" + title = "%s" + description = "hello again" + basic { + conditions { + vpc_network_sources { + vpc_subnetwork { + network = "//compute.googleapis.com/${google_compute_network.vpc_network.id}" + vpc_ip_subnetworks = ["20.0.5.0/24"] + } + } + } } } } diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go index f0556dfceb5c..c5cc59aca393 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go @@ -114,6 +114,10 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a perimeter = google_access_context_manager_service_perimeter.test-access.name egress_from { identity_type = "ANY_USER_ACCOUNT" + sources { + access_level = "some-level-name" + } + source_restriction = "SOURCE_RESTRICTION_ENABLED" } } diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb index 8e945af590f8..a6cd03ddd3a3 100644 
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb @@ -255,6 +255,10 @@ resource "google_access_context_manager_service_perimeter" "test-access" { egress_policies { egress_from { identity_type = "ANY_USER_ACCOUNT" + sources { + access_level = "some-level-name" + } + source_restriction = "SOURCE_RESTRICTION_ENABLED" } } } diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go index d66bb2950e49..4ea7d2d16ec3 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go @@ -136,6 +136,13 @@ resource "google_access_context_manager_service_perimeters" "test-access" { } } } + egress_from { + identity_type = "ANY_USER_ACCOUNT" + sources { + access_level = "some-level-name" + } + source_restriction = "SOURCE_RESTRICTION_ENABLED" + } } } } From 203cc9615a06eaf76a458c7b629d4ac85add1c32 Mon Sep 17 00:00:00 2001 From: vgm Date: Tue, 19 Sep 2023 06:28:31 -0700 Subject: [PATCH 02/11] Adding access levels instead of using a fake access level name. Also moving a VPC network to the top level instead of (incorrectly) inside another resource. --- ...e_access_context_manager_access_levels_test.go | 8 ++++---- ...anager_service_perimeter_egress_policy_test.go | 15 ++++++++++++++- ..._context_manager_service_perimeter_test.go.erb | 2 +- ...ss_context_manager_services_perimeters_test.go | 2 +- 4 files changed, 20 insertions(+), 7 deletions(-) 
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go index a86d6bf29410..feee72e02a6f 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go @@ -123,6 +123,10 @@ resource "google_access_context_manager_access_policy" "test-access" { title = "%s" } +resource "google_compute_network" "vpc_network" { + name = "tf-test" +} + resource "google_access_context_manager_access_levels" "test-access" { parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" @@ -138,10 +142,6 @@ resource "google_access_context_manager_access_levels" "test-access" { } } - resource "google_compute_network" "vpc_network" { - name = "tf-test" - } - access_levels { name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" title = "%s" diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go index c5cc59aca393..d6c2db7e0771 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go 
@@ -110,12 +110,25 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a } +resource "google_access_context_manager_access_level" "test-access" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/level" + title = "level" + description = "hello" + basic { + combining_function = "AND" + conditions { + ip_subnetworks = ["192.0.4.0/24"] + } + } +} + resource "google_access_context_manager_service_perimeter_egress_policy" "test-access2" { perimeter = google_access_context_manager_service_perimeter.test-access.name egress_from { identity_type = "ANY_USER_ACCOUNT" sources { - access_level = "some-level-name" + access_level = google_access_context_manager_access_level.test-access.name } source_restriction = "SOURCE_RESTRICTION_ENABLED" } diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb index a6cd03ddd3a3..2873aba84bd7 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.erb @@ -256,7 +256,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" { egress_from { identity_type = "ANY_USER_ACCOUNT" sources { - access_level = "some-level-name" + access_level = google_access_context_manager_access_level.test-access.name } source_restriction = "SOURCE_RESTRICTION_ENABLED" } 
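Review bot: `access_level` now references `google_access_context_manager_access_level.test-access.name`, but unlike the egress-policy test hunk above, this hunk (and the matching one in resource_access_context_manager_services_perimeters_test.go) does not add that access level, and the diffstat shows only this one-line change per file; if the enclosing config does not already declare `google_access_context_manager_access_level.test-access`, the plan fails on an unknown resource reference. Confirm the resource exists in those configs, or add it as the egress-policy test does. The enclosing Sprintf helper starts and ends outside the hunk.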
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go index 4ea7d2d16ec3..eebe11c2604b 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go @@ -139,7 +139,7 @@ resource "google_access_context_manager_service_perimeters" "test-access" { egress_from { identity_type = "ANY_USER_ACCOUNT" sources { - access_level = "some-level-name" + access_level = google_access_context_manager_access_level.test-access.name } source_restriction = "SOURCE_RESTRICTION_ENABLED" } From dc7c656ac3aeaa91f7113ade2d8b357e70fd45d9 Mon Sep 17 00:00:00 2001 From: vgm Date: Tue, 19 Sep 2023 09:06:00 -0700 Subject: [PATCH 03/11] Fixing conflict between ip_subnetworks and vpc_ip_subnetworks --- ...rce_access_context_manager_access_level_condition_test.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index ea3d0cc339bd..738bb2987f35 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -139,10 +139,6 @@ resource "google_access_context_manager_access_level" "test-access" { "US", ] } - - conditions { - ip_subnetworks = ["176.0.4.0/24"] - } } lifecycle { 
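Review bot: The subject describes the per-condition conflict between `ip_subnetworks` and `vpc_network_sources`, which only the second hunk (`@@ -160,7`) addresses; this hunk also deletes the access level's own second `conditions { ip_subnetworks = ["176.0.4.0/24"] }` block, which is a different condition from the one the condition resource manages. If the API rejects the mix only within a single condition, as the YAML description states, this removal is unnecessary and drops the last `ip_subnetworks` coverage in the file; if it was required, the commit message should say so. The level already carries `lifecycle { ignore_changes = [basic.0.conditions] }` (visible in context), so keeping the block would not produce diffs from the separately managed condition.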
@@ -160,7 +156,6 @@ resource "google_compute_network" "vpc_network" { resource "google_access_context_manager_access_level_condition" "access-level-condition" { access_level = google_access_context_manager_access_level.test-access.name - ip_subnetworks = ["192.0.4.0/24"] members = ["user:test@google.com", "user:test2@google.com", "serviceAccount:${google_service_account.created-later.email}"] negate = false device_policy { From b932cceade280f0531bacb9b21641d4e641ebd1d Mon Sep 17 00:00:00 2001 From: vgm Date: Tue, 19 Sep 2023 11:10:57 -0700 Subject: [PATCH 04/11] Undoing changes to access level condition test --- ...ext_manager_access_level_condition_test.go | 233 ++++++++++-------- 1 file changed, 134 insertions(+), 99 deletions(-) diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index 738bb2987f35..d3f54e821644 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -1,8 +1,8 @@ +<% autogen_exception -%> package accesscontextmanager_test import ( "fmt" - "reflect" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" 
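Review bot: The hunk places an ERB directive `<% autogen_exception -%>` at the top of a plain `.go` file (the sibling tests that use it are `.go.erb`), which is a Go syntax error if the generator copies rather than templates the file — either rename it to `.go.erb` or drop the line. More broadly, the subject says the condition test is being undone, but this and the following hunks (`@@ -17,89`, `@@ -111,7`, `@@ -126,57`) replace the file with a copy of the access-level test, so `testAccAccessContextManagerAccessLevel_basicTest`, `_fullTest`, `_customTest`, `_basic`, `_custom`, `_basicUpdated`, `_full` and `testAccCheckAccessContextManagerAccessLevelDestroyProducer` end up declared twice in package `accesscontextmanager_test` (the `_custom` helper is visible in resource_access_context_manager_access_level_test.go.erb in patch 01), while `testAccAccessContextManagerAccessLevelCondition_basicTest` and its destroy check disappear although the serial runner mentioned in the file-head comment presumably still calls them. An undo should leave no diff against the file's pre-series content; the new content also drops the trailing newline.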
@@ -17,89 +17,72 @@ import ( // Since each test here is acting on the same organization and only one AccessPolicy // can exist, they need to be run serially. See AccessPolicy for the test runner. -func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) { +func testAccAccessContextManagerAccessLevel_basicTest(t *testing.T) { org := envvar.GetTestOrgFromEnv(t) - project := envvar.GetTestProjectFromEnv() - - serviceAccountName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10)) - - expected := map[string]interface{}{ - "ipSubnetworks": []interface{}{"192.0.4.0/24"}, - "members": []interface{}{"user:test@google.com", "user:test2@google.com", fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", serviceAccountName, project)}, - "devicePolicy": map[string]interface{}{ - "requireCorpOwned": true, - "osConstraints": []interface{}{ - map[string]interface{}{ - "osType": "DESKTOP_CHROME_OS", - }, - }, - }, - "regions": []interface{}{"IT", "US"}, - } acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), - CheckDestroy: testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t), + CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccAccessContextManagerAccessLevelCondition_basic(org, "my policy", "level", serviceAccountName), - Check: testAccCheckAccessContextManagerAccessLevelConditionPresent(t, "google_access_context_manager_access_level_condition.access-level-condition", expected), + Config: testAccAccessContextManagerAccessLevel_basic(org, "my policy", "level"), + }, + { + ResourceName: "google_access_context_manager_access_level.test-access", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAccessContextManagerAccessLevel_basicUpdated(org, "my new policy", "level"), + }, + { + ResourceName: 
"google_access_context_manager_access_level.test-access", + ImportState: true, + ImportStateVerify: true, }, }, }) } -func testAccCheckAccessContextManagerAccessLevelConditionPresent(t *testing.T, n string, expected map[string]interface{}) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[n] - if !ok { - return fmt.Errorf("Not found: %s", n) - } - - config := acctest.GoogleProviderConfig(t) - url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{access_level}}") - if err != nil { - return err - } +func testAccAccessContextManagerAccessLevel_fullTest(t *testing.T) { + org := envvar.GetTestOrgFromEnv(t) - al, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ - Config: config, - Method: "GET", - RawURL: url, - UserAgent: config.UserAgent, - }) - if err != nil { - return err - } - conditions := al["basic"].(map[string]interface{})["conditions"].([]interface{}) - for _, c := range conditions { - if reflect.DeepEqual(c, expected) { - return nil - } - } - return fmt.Errorf("Did not find condition %+v", expected) - } + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccAccessContextManagerAccessLevel_full(org, "my policy", "level"), + }, + { + ResourceName: "google_access_context_manager_access_level.test-access", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) } -func testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t *testing.T) func(s *terraform.State) error { +func testAccCheckAccessContextManagerAccessLevelDestroyProducer(t *testing.T) func(s *terraform.State) error { return func(s *terraform.State) error { for _, rs := range s.RootModule().Resources { - if rs.Type != 
"google_access_context_manager_access_level_condition" { + if rs.Type != "google_access_context_manager_access_level" { continue } config := acctest.GoogleProviderConfig(t) - url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{access_level}}") + url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{name}}") if err != nil { return err } _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ - Config: config, - Method: "GET", - RawURL: url, + Config: config, + Method: "GET", + RawURL: url, UserAgent: config.UserAgent, }) if err == nil { @@ -111,7 +94,27 @@ func testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t *test } } -func testAccAccessContextManagerAccessLevelCondition_basic(org, policyTitle, levelTitleName, saName string) string { +func testAccAccessContextManagerAccessLevel_customTest(t *testing.T) { + org := envvar.GetTestOrgFromEnv(t) + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccAccessContextManagerAccessLevel_custom(org, "my policy", "level"), + }, + { + ResourceName: "google_access_context_manager_access_level.test-access", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccAccessContextManagerAccessLevel_basic(org, policyTitle, levelTitleName string) string { return fmt.Sprintf(` resource "google_access_context_manager_access_policy" "test-access" { parent = "organizations/%s" 
@@ -126,57 +129,89 @@ resource "google_access_context_manager_access_level" "test-access" { basic { combining_function = "AND" conditions { - device_policy { - require_screen_lock = true - os_constraints { - os_type = "DESKTOP_CHROME_OS" - require_verified_chrome_os = true - } - } - regions = [ - "CH", - "IT", - "US", - ] + ip_subnetworks = ["192.0.4.0/24"] } } +} +`, org, policyTitle, levelTitleName, levelTitleName) +} - lifecycle { - ignore_changes = [basic.0.conditions] - } +func testAccAccessContextManagerAccessLevel_custom(org, policyTitle, levelTitleName string) string { + return fmt.Sprintf(` +resource "google_access_context_manager_access_policy" "test-access" { + parent = "organizations/%s" + title = "%s" } -resource "google_service_account" "created-later" { - account_id = "%s" +resource "google_access_context_manager_access_level" "test-access" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" + title = "%s" + description = "hello" + custom { + expr { + expression = "device.os_type == OsType.DESKTOP_MAC" + } + } +} +`, org, policyTitle, levelTitleName, levelTitleName) } -resource "google_compute_network" "vpc_network" { - name = "tf-test" +func testAccAccessContextManagerAccessLevel_basicUpdated(org, policyTitle, levelTitleName string) string { + return fmt.Sprintf(` +resource "google_access_context_manager_access_policy" "test-access" { + parent = "organizations/%s" + title = "%s" } -resource "google_access_context_manager_access_level_condition" "access-level-condition" { - access_level = google_access_context_manager_access_level.test-access.name - members = ["user:test@google.com", "user:test2@google.com", "serviceAccount:${google_service_account.created-later.email}"] - negate = false - device_policy { - require_screen_lock = false - require_admin_approval = false - require_corp_owned = true - 
os_constraints { - os_type = "DESKTOP_CHROME_OS" +resource "google_access_context_manager_access_level" "test-access" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" + title = "%s" + description = "hello" + basic { + combining_function = "OR" + conditions { + ip_subnetworks = ["192.0.2.0/24"] } } - regions = [ - "IT", - "US", - ] - - vpc_network_sources { - vpc_subnetwork { - network = "//compute.googleapis.com/${google_compute_network.vpc_network.id}" - vpc_ip_subnetworks = ["20.0.5.0/24"] - } - } } -`, org, policyTitle, levelTitleName, levelTitleName, saName) +`, org, policyTitle, levelTitleName, levelTitleName) +} + +func testAccAccessContextManagerAccessLevel_full(org, policyTitle, levelTitleName string) string { + return fmt.Sprintf(` +resource "google_access_context_manager_access_policy" "test-access" { + parent = "organizations/%s" + title = "%s" +} + +resource "google_access_context_manager_access_level" "test-access" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" + title = "%s" + description = "hello" + basic { + combining_function = "AND" + conditions { + ip_subnetworks = ["192.0.4.0/24"] + members = ["user:test@google.com", "user:test2@google.com"] + negate = false + device_policy { + require_screen_lock = false + require_admin_approval = false + require_corp_owned = true + os_constraints { + os_type = "DESKTOP_CHROME_OS" + require_verified_chrome_os = true + } + } + regions = [ + "IT", + "US", + ] + } + } } +`, org, policyTitle, levelTitleName, levelTitleName) +} \ No newline at end of file From 1bf80fa26ad867baeef462baef80e1ea79838a92 Mon Sep 17 00:00:00 2001 
From: vgm Date: Tue, 19 Sep 2023 11:28:13 -0700 Subject: [PATCH 05/11] Undoing changes to access level condition test --- ...ext_manager_access_level_condition_test.go | 227 +++++++----------- 1 file changed, 93 insertions(+), 134 deletions(-) diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index d3f54e821644..dab63722074b 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -1,8 +1,8 @@ -<% autogen_exception -%> package accesscontextmanager_test import ( "fmt" + "reflect" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" 
@@ -17,72 +17,89 @@ import ( // Since each test here is acting on the same organization and only one AccessPolicy // can exist, they need to be run serially. See AccessPolicy for the test runner. -func testAccAccessContextManagerAccessLevel_basicTest(t *testing.T) { +func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) { org := envvar.GetTestOrgFromEnv(t) + project := envvar.GetTestProjectFromEnv() + + serviceAccountName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10)) + + expected := map[string]interface{}{ + "ipSubnetworks": []interface{}{"192.0.4.0/24"}, + "members": []interface{}{"user:test@google.com", "user:test2@google.com", fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", serviceAccountName, project)}, + "devicePolicy": map[string]interface{}{ + "requireCorpOwned": true, + "osConstraints": []interface{}{ + map[string]interface{}{ + "osType": "DESKTOP_CHROME_OS", + }, + }, + }, + "regions": []interface{}{"IT", "US"}, + } acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), - CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t), + CheckDestroy: testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccAccessContextManagerAccessLevel_basic(org, "my policy", "level"), - }, - { - ResourceName: "google_access_context_manager_access_level.test-access", - ImportState: true, - ImportStateVerify: true, - }, - { - Config: testAccAccessContextManagerAccessLevel_basicUpdated(org, "my new policy", "level"), - }, - { - ResourceName: "google_access_context_manager_access_level.test-access", - ImportState: true, - ImportStateVerify: true, + Config: testAccAccessContextManagerAccessLevelCondition_basic(org, "my policy", "level", serviceAccountName), + Check: testAccCheckAccessContextManagerAccessLevelConditionPresent(t, 
"google_access_context_manager_access_level_condition.access-level-condition", expected), }, }, }) } -func testAccAccessContextManagerAccessLevel_fullTest(t *testing.T) { - org := envvar.GetTestOrgFromEnv(t) +func testAccCheckAccessContextManagerAccessLevelConditionPresent(t *testing.T, n string, expected map[string]interface{}) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } - acctest.VcrTest(t, resource.TestCase{ - PreCheck: func() { acctest.AccTestPreCheck(t) }, - ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), - CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t), - Steps: []resource.TestStep{ - { - Config: testAccAccessContextManagerAccessLevel_full(org, "my policy", "level"), - }, - { - ResourceName: "google_access_context_manager_access_level.test-access", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) + config := acctest.GoogleProviderConfig(t) + url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{access_level}}") + if err != nil { + return err + } + + al, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + RawURL: url, + UserAgent: config.UserAgent, + }) + if err != nil { + return err + } + conditions := al["basic"].(map[string]interface{})["conditions"].([]interface{}) + for _, c := range conditions { + if reflect.DeepEqual(c, expected) { + return nil + } + } + return fmt.Errorf("Did not find condition %+v", expected) + } } -func testAccCheckAccessContextManagerAccessLevelDestroyProducer(t *testing.T) func(s *terraform.State) error { +func testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t *testing.T) func(s *terraform.State) error { return func(s *terraform.State) error { for _, rs := range s.RootModule().Resources { - if rs.Type != "google_access_context_manager_access_level" { + 
if rs.Type != "google_access_context_manager_access_level_condition" { continue } config := acctest.GoogleProviderConfig(t) - url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{name}}") + url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{AccessContextManagerBasePath}}{{access_level}}") if err != nil { return err } _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ - Config: config, - Method: "GET", - RawURL: url, + Config: config, + Method: "GET", + RawURL: url, UserAgent: config.UserAgent, }) if err == nil { @@ -94,27 +111,7 @@ func testAccCheckAccessContextManagerAccessLevelDestroyProducer(t *testing.T) fu } } -func testAccAccessContextManagerAccessLevel_customTest(t *testing.T) { - org := envvar.GetTestOrgFromEnv(t) - - acctest.VcrTest(t, resource.TestCase{ - PreCheck: func() { acctest.AccTestPreCheck(t) }, - ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), - CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t), - Steps: []resource.TestStep{ - { - Config: testAccAccessContextManagerAccessLevel_custom(org, "my policy", "level"), - }, - { - ResourceName: "google_access_context_manager_access_level.test-access", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func testAccAccessContextManagerAccessLevel_basic(org, policyTitle, levelTitleName string) string { +func testAccAccessContextManagerAccessLevelCondition_basic(org, policyTitle, levelTitleName, saName string) string { return fmt.Sprintf(` resource "google_access_context_manager_access_policy" "test-access" { parent = "organizations/%s" 
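Review bot: `testAccCheckAccessContextManagerAccessLevelConditionPresent` chains unchecked type assertions on the GET body (`al["basic"].(map[string]interface{})["conditions"].([]interface{})`), so an access level without a `basic` block — a `custom` level, or an unexpectedly shaped response — panics the whole test binary instead of failing this one check with a message. Use the two-value form and return an error that names what was missing; the function is complete within the hunk and the `SendRequest` error path stays as it is.

```go
		basic, ok := al["basic"].(map[string]interface{})
		if !ok {
			return fmt.Errorf("access level at %s has no basic block: %+v", url, al)
		}
		conditions, ok := basic["conditions"].([]interface{})
		if !ok {
			return fmt.Errorf("access level at %s has no conditions list: %+v", url, basic)
		}
		// … unchanged: reflect.DeepEqual loop over conditions …
```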
@@ -129,89 +126,51 @@ resource "google_access_context_manager_access_level" "test-access" { basic { combining_function = "AND" conditions { - ip_subnetworks = ["192.0.4.0/24"] + device_policy { + require_screen_lock = true + os_constraints { + os_type = "DESKTOP_CHROME_OS" + require_verified_chrome_os = true + } + } + regions = [ + "CH", + "IT", + "US", + ] } - } -} -`, org, policyTitle, levelTitleName, levelTitleName) -} - -func testAccAccessContextManagerAccessLevel_custom(org, policyTitle, levelTitleName string) string { - return fmt.Sprintf(` -resource "google_access_context_manager_access_policy" "test-access" { - parent = "organizations/%s" - title = "%s" -} - -resource "google_access_context_manager_access_level" "test-access" { - parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" - name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" - title = "%s" - description = "hello" - custom { - expr { - expression = "device.os_type == OsType.DESKTOP_MAC" - } - } -} -`, org, policyTitle, levelTitleName, levelTitleName) -} -func testAccAccessContextManagerAccessLevel_basicUpdated(org, policyTitle, levelTitleName string) string { - return fmt.Sprintf(` -resource "google_access_context_manager_access_policy" "test-access" { - parent = "organizations/%s" - title = "%s" -} - -resource "google_access_context_manager_access_level" "test-access" { - parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" - name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" - title = "%s" - description = "hello" - basic { - combining_function = "OR" conditions { - ip_subnetworks = ["192.0.2.0/24"] + ip_subnetworks = ["176.0.4.0/24"] } } -} -`, org, policyTitle, levelTitleName, levelTitleName) + + lifecycle { + ignore_changes = [basic.0.conditions] + } } -func testAccAccessContextManagerAccessLevel_full(org, policyTitle, 
levelTitleName string) string { - return fmt.Sprintf(` -resource "google_access_context_manager_access_policy" "test-access" { - parent = "organizations/%s" - title = "%s" +resource "google_service_account" "created-later" { + account_id = "%s" } -resource "google_access_context_manager_access_level" "test-access" { - parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" - name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s" - title = "%s" - description = "hello" - basic { - combining_function = "AND" - conditions { - ip_subnetworks = ["192.0.4.0/24"] - members = ["user:test@google.com", "user:test2@google.com"] - negate = false - device_policy { - require_screen_lock = false - require_admin_approval = false - require_corp_owned = true - os_constraints { - os_type = "DESKTOP_CHROME_OS" - require_verified_chrome_os = true - } - } - regions = [ - "IT", - "US", - ] +resource "google_access_context_manager_access_level_condition" "access-level-condition" { + access_level = google_access_context_manager_access_level.test-access.name + ip_subnetworks = ["192.0.4.0/24"] + members = ["user:test@google.com", "user:test2@google.com", "serviceAccount:${google_service_account.created-later.email}"] + negate = false + device_policy { + require_screen_lock = false + require_admin_approval = false + require_corp_owned = true + os_constraints { + os_type = "DESKTOP_CHROME_OS" } } + regions = [ + "IT", + "US", + ] } -`, org, policyTitle, levelTitleName, levelTitleName) +`, org, policyTitle, levelTitleName, levelTitleName, saName) } \ No newline at end of file From 4345e60243b5e5be394c6f96fa1d190aac07c2a5 Mon Sep 17 00:00:00 2001 From: vgm Date: Tue, 19 Sep 2023 12:43:49 -0700 Subject: [PATCH 06/11] Ran gofmt --- ...source_access_context_manager_access_level_condition_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
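Review bot: The fixture places routable public prefixes into an access level on a live organization — `ip_subnetworks = ["176.0.4.0/24"]` on the level and `["192.0.4.0/24"]` on the condition resource (192.0.4.0/24 is not TEST-NET-1; that is 192.0.2.0/24). Nothing visible binds this level to a perimeter, so the practical exposure is presumably nil, but acceptance fixtures should still use RFC 5737 documentation ranges, e.g. `ip_subnetworks = ["198.51.100.0/24"]` and `ip_subnetworks = ["192.0.2.0/24"]`, so an orphaned level from a failed run can never match real traffic. The `expected` map in `testAccAccessContextManagerAccessLevelCondition_basicTest` would need the same string.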
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index dab63722074b..9b21e7384e73 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -173,4 +173,4 @@ resource "google_access_context_manager_access_level_condition" "access-level-co ] } `, org, policyTitle, levelTitleName, levelTitleName, saName) -} \ No newline at end of file +} From 134d0b273acb036de32c54ff52214d3febc0588a Mon Sep 17 00:00:00 2001 From: vgm Date: Tue, 26 Sep 2023 13:37:31 -0700 Subject: [PATCH 07/11] Re-adding access level conditions tests --- ...ontext_manager_access_level_condition_test.go | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index 9b21e7384e73..738bb2987f35 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -139,10 +139,6 @@ resource "google_access_context_manager_access_level" "test-access" { "US", ] } - - conditions { - ip_subnetworks = ["176.0.4.0/24"] - } } lifecycle { 
@@ -154,9 +150,12 @@ resource "google_service_account" "created-later" { account_id = "%s" } +resource "google_compute_network" "vpc_network" { + name = "tf-test" +} + resource "google_access_context_manager_access_level_condition" "access-level-condition" { access_level = google_access_context_manager_access_level.test-access.name - ip_subnetworks = ["192.0.4.0/24"] members = ["user:test@google.com", "user:test2@google.com", "serviceAccount:${google_service_account.created-later.email}"] negate = false device_policy { @@ -171,6 +170,13 @@ resource "google_access_context_manager_access_level_condition" "access-level-co "IT", "US", ] + + vpc_network_sources { + vpc_subnetwork { + network = "//compute.googleapis.com/${google_compute_network.vpc_network.id}" + vpc_ip_subnetworks = ["20.0.5.0/24"] + } + } } `, org, policyTitle, levelTitleName, levelTitleName, saName) } From 79ea7b93d407471d10e9887b7634d3da576e8700 Mon Sep 17 00:00:00 2001 From: vgm Date: Thu, 28 Sep 2023 08:04:16 -0700 Subject: [PATCH 08/11] Changing resource names to camel case to match what the HTTP response from the API returns. Also removing the 'resource' field because it's behind an allowlist. --- .../accesscontextmanager/AccessLevel.yaml | 6 ++--- .../AccessLevelCondition.yaml | 6 ++--- .../accesscontextmanager/AccessLevels.yaml | 6 ++--- .../ServicePerimeter.yaml | 22 ++++--------------- .../ServicePerimeterEgressPolicy.yaml | 11 ++-------- .../ServicePerimeters.yaml | 22 ++++--------------- ...cess_level_with_vpc_network_sources.tf.erb | 6 ++++- ...ext_manager_access_level_condition_test.go | 2 +- ...s_context_manager_access_level_test.go.erb | 2 +- ...cess_context_manager_access_levels_test.go | 2 +- 10 files changed, 27 insertions(+), 58 deletions(-) diff --git a/mmv1/products/accesscontextmanager/AccessLevel.yaml b/mmv1/products/accesscontextmanager/AccessLevel.yaml index 66e869784bd6..e2639e7e0a51 100644 --- a/mmv1/products/accesscontextmanager/AccessLevel.yaml 
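Review bot: Removing `ip_subnetworks = ["192.0.4.0/24"]` from the `access-level-condition` resource leaves the `expected` map in `testAccAccessContextManagerAccessLevelCondition_basicTest` stale — it still carries `"ipSubnetworks": []interface{}{"192.0.4.0/24"}`, and nothing in this patch touches it, so `reflect.DeepEqual` against the condition the API returns can no longer match and the check fails with `Did not find condition`. Drop the `ipSubnetworks` entry from `expected` (keeping both fields is not an option, since the schema description says `vpc_network_sources` cannot be combined with `ip_subnetworks`). In the following hunk, `vpc_ip_subnetworks = ["20.0.5.0/24"]` is routable public space; an RFC 1918 block such as `"10.0.5.0/24"` is the safer fixture for a VPC subnet.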
+++ b/mmv1/products/accesscontextmanager/AccessLevel.yaml @@ -244,19 +244,19 @@ properties: Format: A valid ISO 3166-1 alpha-2 code. item_type: Api::Type::String - !ruby/object:Api::Type::Array - name: 'vpc_network_sources' + name: 'vpcNetworkSources' description: 'The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ip_subnetworks`.' item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::NestedObject - name: 'vpc_subnetwork' + name: 'vpcSubnetwork' description: 'Sub networks within a VPC network.' properties: - !ruby/object:Api::Type::String name: 'network' description: 'Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires `compute.network.get` permission to be granted to caller.' - !ruby/object:Api::Type::Array - name: 'vpc_ip_subnetworks' + name: 'vpcIpSubnetworks' description: 'CIDR block IP subnetwork specification. Must be IPv4.' item_type: Api::Type::String - !ruby/object:Api::Type::NestedObject diff --git a/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml b/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml index 0b4a2eba5f7c..403c2f4db7af 100644 --- a/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml +++ b/mmv1/products/accesscontextmanager/AccessLevelCondition.yaml 
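Review bot: The `vpcNetworkSources` description promises "Cannot specify this field together with `ip_subnetworks`", but nothing in the schema enforces it, so a user who sets both only learns of the conflict from the API error at apply time. The `resource` field removed later in this series shows the file already uses `conflicts:` for exactly this case; declare the exclusion here as well, `conflicts:` / `- ipSubnetworks` (confirm the reference form mmv1 expects for a sibling nested under `conditions`). The identical description in AccessLevelCondition.yaml and AccessLevels.yaml should get the same treatment.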
@@ -213,18 +213,18 @@ properties: Format: A valid ISO 3166-1 alpha-2 code. item_type: Api::Type::String - !ruby/object:Api::Type::Array - name: 'vpc_network_sources' + name: 'vpcNetworkSources' description: 'The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ip_subnetworks`.' item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::NestedObject - name: 'vpc_subnetwork' + name: 'vpcSubnetwork' description: 'Sub networks within a VPC network.' properties: - !ruby/object:Api::Type::String name: 'network' description: 'Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires `compute.network.get` permission to be granted to caller.' - !ruby/object:Api::Type::Array - name: 'vpc_ip_subnetworks' + name: 'vpcIpSubnetworks' description: 'CIDR block IP subnetwork specification. Must be IPv4.' item_type: Api::Type::String diff --git a/mmv1/products/accesscontextmanager/AccessLevels.yaml b/mmv1/products/accesscontextmanager/AccessLevels.yaml index adf6dae21af9..4d2a5933702d 100644 --- a/mmv1/products/accesscontextmanager/AccessLevels.yaml +++ b/mmv1/products/accesscontextmanager/AccessLevels.yaml 
@@ -235,19 +235,19 @@ properties: Format: A valid ISO 3166-1 alpha-2 code. item_type: Api::Type::String - !ruby/object:Api::Type::Array - name: 'vpc_network_sources' + name: 'vpcNetworkSources' description: 'The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ip_subnetworks`.' item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::NestedObject - name: 'vpc_subnetwork' + name: 'vpcSubnetwork' description: 'Sub networks within a VPC network.' properties: - !ruby/object:Api::Type::String name: 'network' description: 'Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires `compute.network.get` permission to be granted to caller.' - !ruby/object:Api::Type::Array - name: 'vpc_ip_subnetworks' + name: 'vpcIpSubnetworks' description: 'CIDR block IP subnetwork specification. Must be IPv4.' item_type: Api::Type::String - !ruby/object:Api::Type::NestedObject diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml index f6c77794d0e9..291ea4829526 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml 
@@ -348,17 +348,10 @@ properties: item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::String - name: 'access_level' + name: 'accessLevel' description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' - conflicts: - - resource - - !ruby/object:Api::Type::String - name: 'resource' - description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' - conflicts: - - access_level - !ruby/object:Api::Type::Enum - name: 'source_restriction' + name: 'sourceRestriction' description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' values: - :SOURCE_RESTRICTION_UNSPECIFIED @@ -634,17 +627,10 @@ properties: item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::String - name: 'access_level' + name: 'accessLevel' description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' - conflicts: - - resource - - !ruby/object:Api::Type::String - name: 'resource' - description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' - conflicts: - - access_level - !ruby/object:Api::Type::Enum - name: 'source_restriction' + name: 'sourceRestriction' description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' values: - :SOURCE_RESTRICTION_UNSPECIFIED 
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml index 82a9d36898b0..5e46e6770c0d 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml @@ -85,17 +85,10 @@ properties: item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::String - name: 'access_level' + name: 'accessLevel' description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' - conflicts: - - resource - - !ruby/object:Api::Type::String - name: 'resource' - description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' - conflicts: - - access_level - !ruby/object:Api::Type::Enum - name: 'source_restriction' + name: 'sourceRestriction' description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' values: - :SOURCE_RESTRICTION_UNSPECIFIED diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml index d5fdc81fbfa7..987a7fac27c9 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml 
@@ -335,17 +335,10 @@ properties: item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::String - name: 'access_level' + name: 'accessLevel' description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' - conflicts: - - resource - - !ruby/object:Api::Type::String - name: 'resource' - description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' - conflicts: - - access_level - !ruby/object:Api::Type::Enum - name: 'source_restriction' + name: 'sourceRestriction' description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' values: - :SOURCE_RESTRICTION_UNSPECIFIED @@ -627,17 +620,10 @@ properties: item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::String - name: 'access_level' + name: 'accessLevel' description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.' - conflicts: - - resource - - !ruby/object:Api::Type::String - name: 'resource' - description: 'A Google Cloud resource that is allowed to egress the perimeter. Requests from these resources are allowed to access data outside the perimeter. Only projects and VPCs are allowed.' - conflicts: - - access_level - !ruby/object:Api::Type::Enum - name: 'source_restriction' + name: 'sourceRestriction' description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.' values: - :SOURCE_RESTRICTION_UNSPECIFIED 
diff --git a/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb b/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb index 83012c343e35..d80fe1a6c9ad 100644 --- a/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb +++ b/mmv1/templates/terraform/examples/access_context_manager_access_level_with_vpc_network_sources.tf.erb @@ -1,3 +1,7 @@ +resource "google_compute_network" "vpc_network" { + name = "tf-test" +} + resource "google_access_context_manager_access_level" "<%= ctx[:primary_resource_id] %>" { parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}" name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/<%= ctx[:vars]['access_level_name'] %>" @@ -6,7 +10,7 @@ resource "google_access_context_manager_access_level" "<%= ctx[:primary_resource conditions { vpc_network_sources { vpc_subnetwork { - network = "some-network-name" + network = "//compute.googleapis.com/${google_compute_network.vpc_network.id}" vpc_ip_subnetworks = ["20.0.5.0/24"] } } diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index 738bb2987f35..5f01ecb3ab45 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -151,7 +151,7 @@ resource "google_service_account" "created-later" { } resource "google_compute_network" "vpc_network" { - name = "tf-test" + name = "tf-test-vpc" } resource "google_access_context_manager_access_level_condition" "access-level-condition" { 
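Review bot: The example hard-codes `name = "tf-test"` for `google_compute_network.vpc_network`, while the other names in the file come from `ctx[:vars]`; examples in this tree are presumably also rendered into generated acceptance tests, so a fixed network name would collide between concurrent runs and with any network left behind by a failed one. Use a templated name, `name = "<%= ctx[:vars]['network_name'] %>"`, and add `network_name` to the example's vars (the vars list lives in the yaml, outside this hunk). `vpc_ip_subnetworks = ["20.0.5.0/24"]` is routable public space; an RFC 1918 block reads better in user-facing documentation.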
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb index 5546189f8b1f..d2000c4f6c7f 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb @@ -135,7 +135,7 @@ resource "google_access_context_manager_access_level" "test-access" { } resource "google_compute_network" "vpc_network" { - name = "tf-test" + name = "tf-test-vpc" } resource "google_access_context_manager_access_level" "test-access2" { diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go index feee72e02a6f..eff7e7b3ed4e 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go @@ -124,7 +124,7 @@ resource "google_access_context_manager_access_policy" "test-access" { } resource "google_compute_network" "vpc_network" { - name = "tf-test" + name = "tf-test-vpc" } resource "google_access_context_manager_access_levels" "test-access" { From a52ee0d1e192408ae3eed7a22e59c8a6e2b8867a Mon Sep 17 00:00:00 2001 From: vgm Date: Thu, 28 Sep 2023 12:45:57 -0700 Subject: [PATCH 09/11] Parameterizing the names of VPC networks created in tests --- ...ntext_manager_access_level_condition_test.go | 17 +++++++++++++---- ...ess_context_manager_access_level_test.go.erb | 9 +++++---- ...access_context_manager_access_levels_test.go | 9 +++++---- 3 files changed, 23 insertions(+), 12 deletions(-) 
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go index 5f01ecb3ab45..bbe15d584bab 100644 --- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go +++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go @@ -22,6 +22,7 @@ func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) { project := envvar.GetTestProjectFromEnv() serviceAccountName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10)) + vpcName := fmt.Sprintf("test-vpc-%s", acctest.RandString(t, 10)) expected := map[string]interface{}{ "ipSubnetworks": []interface{}{"192.0.4.0/24"}, @@ -35,6 +36,14 @@ func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) { }, }, "regions": []interface{}{"IT", "US"}, + "vpcNetworkSources": []interface{}{ + map[string]interface{}{ + "vpcSubnetwork": map[string]interface{}{ + "network": fmt.Sprintf("//compute.googleapis.com/projects/%s/global/networks/%s", project, vpcName), + "vpcIpSubnetworks": []interface{}{"20.0.5.0/24"} + } + } + } } acctest.VcrTest(t, resource.TestCase{ @@ -43,7 +52,7 @@ func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) { CheckDestroy: testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccAccessContextManagerAccessLevelCondition_basic(org, "my policy", "level", serviceAccountName), + Config: testAccAccessContextManagerAccessLevelCondition_basic(org, "my policy", "level", serviceAccountName, vpcName), Check: testAccCheckAccessContextManagerAccessLevelConditionPresent(t, "google_access_context_manager_access_level_condition.access-level-condition", expected), }, }, 
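Review bot: The new `vpcNetworkSources` literal in `expected` does not compile: Go requires a trailing comma before each newline in a composite literal, and the four closing lines (`"vpcIpSubnetworks": []interface{}{"20.0.5.0/24"}` and the three `}` after it) have none, so the file fails with `missing comma` before any test runs. Add `,` to each of those four lines. Separately, `expected` still carries `"ipSubnetworks": []interface{}{"192.0.4.0/24"}` although the condition resource no longer sets `ip_subnetworks` (removed earlier in this series), so `reflect.DeepEqual` cannot match the API response; drop that entry.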
@@ -111,7 +120,7 @@ func testAccCheckAccessContextManagerAccessLevelConditionDestroyProducer(t *test
 }
 }
 
-func testAccAccessContextManagerAccessLevelCondition_basic(org, policyTitle, levelTitleName, saName string) string {
+func testAccAccessContextManagerAccessLevelCondition_basic(org, policyTitle, levelTitleName, saName, vpcName string) string {
 return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
 parent = "organizations/%s"
@@ -151,7 +160,7 @@ resource "google_service_account" "created-later" {
 }
 
 resource "google_compute_network" "vpc_network" {
- name = "tf-test-vpc"
+ name = "%s"
 }
 
 resource "google_access_context_manager_access_level_condition" "access-level-condition" {
@@ -178,5 +187,5 @@ resource "google_access_context_manager_access_level_condition" "access-level-co
 }
 }
 }
-`, org, policyTitle, levelTitleName, levelTitleName, saName)
+`, org, policyTitle, levelTitleName, levelTitleName, saName, vpcName)
 }
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb
index d2000c4f6c7f..fd21c8ed60d7 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_test.go.erb
@@ -19,6 +19,7 @@ import (
 
 func testAccAccessContextManagerAccessLevel_basicTest(t *testing.T) {
 org := envvar.GetTestOrgFromEnv(t)
+ vpcName := fmt.Sprintf("test-vpc-%s", acctest.RandString(t, 10))
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
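Review bot: The argument list `org, policyTitle, levelTitleName, levelTitleName, saName, vpcName` in the @@ -178 hunk now feeds six positional `%s` verbs into a template whose body lies between the hunks shown, so the only way to check that `vpcName` lands in the `google_compute_network` block is to read the whole string. A short comment above `return fmt.Sprintf(` in the @@ -111 hunk, e.g. `// %s order: org, policy title, level title (x2), service-account name, VPC network name`, would make the next parameter addition safer. The same applies to the `_basic` and `_basicUpdated` helpers in the access_level and access_levels tests, where `vpcName` is spliced into the middle of the list rather than appended. The template body of each helper is outside its hunks.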
@@ -26,7 +27,7 @@ func testAccAccessContextManagerAccessLevel_basicTest(t *testing.T) {
 CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroyProducer(t),
 Steps: []resource.TestStep{
 {
- Config: testAccAccessContextManagerAccessLevel_basic(org, "my policy", "level"),
+ Config: testAccAccessContextManagerAccessLevel_basic(org, "my policy", "level", vpcName),
 },
 {
 ResourceName: "google_access_context_manager_access_level.test-access",
@@ -114,7 +115,7 @@ func testAccAccessContextManagerAccessLevel_customTest(t *testing.T) {
 })
 }
 
-func testAccAccessContextManagerAccessLevel_basic(org, policyTitle, levelTitleName string) string {
+func testAccAccessContextManagerAccessLevel_basic(org, policyTitle, levelTitleName, vpcName string) string {
 return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
 parent = "organizations/%s"
@@ -135,7 +136,7 @@ resource "google_access_context_manager_access_level" "test-access" {
 }
 
 resource "google_compute_network" "vpc_network" {
- name = "tf-test-vpc"
+ name = "%s"
 }
 
 resource "google_access_context_manager_access_level" "test-access2" {
@@ -156,7 +157,7 @@ resource "google_access_context_manager_access_level" "test-access2" {
 }
 }
-`, org, policyTitle, levelTitleName, levelTitleName, levelTitleName, levelTitleName)
+`, org, policyTitle, levelTitleName, levelTitleName, vpcName, levelTitleName, levelTitleName)
 }
 
 func testAccAccessContextManagerAccessLevel_custom(org, policyTitle, levelTitleName string) string {
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go
index eff7e7b3ed4e..21e782058d6f 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_levels_test.go
@@ -17,6 +17,7 @@ import (
 
 func testAccAccessContextManagerAccessLevels_basicTest(t *testing.T) {
 org := envvar.GetTestOrgFromEnv(t)
+ vpcName := fmt.Sprintf("test-vpc-%s", acctest.RandString(t, 10))
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -32,7 +33,7 @@ func testAccAccessContextManagerAccessLevels_basicTest(t *testing.T) {
 ImportStateVerify: true,
 },
 {
- Config: testAccAccessContextManagerAccessLevels_basicUpdated(org, "my new policy", "corpnet_access", "prodnet_access"),
+ Config: testAccAccessContextManagerAccessLevels_basicUpdated(org, "my new policy", "corpnet_access", "prodnet_access", vpcName),
 },
 {
 ResourceName: "google_access_context_manager_access_levels.test-access",
@@ -116,7 +117,7 @@ resource "google_access_context_manager_access_levels" "test-access" {
 `, org, policyTitle, levelTitleName1, levelTitleName1, levelTitleName2, levelTitleName2)
 }
 
-func testAccAccessContextManagerAccessLevels_basicUpdated(org, policyTitle, levelTitleName1, levelTitleName2 string) string {
+func testAccAccessContextManagerAccessLevels_basicUpdated(org, policyTitle, levelTitleName1, levelTitleName2, vpcName string) string {
 return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
 parent = "organizations/%s"
@@ -124,7 +125,7 @@ resource "google_access_context_manager_access_policy" "test-access" {
 }
 
 resource "google_compute_network" "vpc_network" {
- name = "tf-test-vpc"
+ name = "%s"
 }
 
 resource "google_access_context_manager_access_levels" "test-access" {
@@ -158,7 +159,7 @@ resource "google_access_context_manager_access_levels" "test-access" {
 }
 }
 }
-`, org, policyTitle, levelTitleName1, levelTitleName1, levelTitleName2, levelTitleName2)
+`, org, policyTitle, vpcName, levelTitleName1, levelTitleName1, levelTitleName2, levelTitleName2)
 }
 
 func testAccAccessContextManagerAccessLevel_empty(org, policyTitle string) string {
From ad1898feeeeba6b08f2f1673ccd91444a0d1fec1 Mon Sep 17 00:00:00 2001
From: vgm
Date: Thu, 28 Sep 2023 18:59:09 -0700
Subject: [PATCH 10/11] Fixing access level condition test
---
 ...ess_context_manager_access_level_condition_test.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
index bbe15d584bab..9bdad29e55e5 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
@@ -25,7 +25,6 @@ func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) {
 vpcName := fmt.Sprintf("test-vpc-%s", acctest.RandString(t, 10))
 
 expected := map[string]interface{}{
- "ipSubnetworks": []interface{}{"192.0.4.0/24"},
 "members": []interface{}{"user:test@google.com", "user:test2@google.com", fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", serviceAccountName, project)},
 "devicePolicy": map[string]interface{}{
 "requireCorpOwned": true,
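Review bot: Dropping `"ipSubnetworks"` from `expected` in the @@ -25 hunk without a comment leaves the next reader to rediscover why the test stopped asserting that field, and the config helper that declares the condition is outside this hunk, so the reason is not visible nearby. Presumably the condition is now exercised through `vpcNetworkSources` and the service does not return the two together, but that is an inference from the diff rather than something the hunk states. A one-line comment where the entry used to be, such as `// ipSubnetworks intentionally omitted: this condition is exercised via vpcNetworkSources (confirm the API rejects both together)`, records the intent for whoever next touches the expected map. The enclosing `_basicTest` function continues outside the hunk.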
@@ -39,11 +38,11 @@ func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) {
 "vpcNetworkSources": []interface{}{
 map[string]interface{}{
 "vpcSubnetwork": map[string]interface{}{
- "network": fmt.Sprintf("//compute.googleapis.com/projects/%s/global/networks/%s", project, vpcName),
- "vpcIpSubnetworks": []interface{}{"20.0.5.0/24"}
- }
- }
- }
+ "network": fmt.Sprintf("//compute.googleapis.com/projects/%s/global/networks/%s", project, vpcName),
+ "vpcIpSubnetworks": []interface{}{"20.0.5.0/24"},
+ },
+ },
+ },
 }
 
 acctest.VcrTest(t, resource.TestCase{
From 26e6d760dc0ce89eb0a15a7c865ff78a501c27c7 Mon Sep 17 00:00:00 2001
From: vgm
Date: Fri, 29 Sep 2023 06:02:56 -0700
Subject: [PATCH 11/11] Fixed formatting with gofmt
---
 ...source_access_context_manager_access_level_condition_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
index 9bdad29e55e5..047e93801469 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_access_level_condition_test.go
@@ -25,7 +25,7 @@ func testAccAccessContextManagerAccessLevelCondition_basicTest(t *testing.T) {
 vpcName := fmt.Sprintf("test-vpc-%s", acctest.RandString(t, 10))
 
 expected := map[string]interface{}{
- "members": []interface{}{"user:test@google.com", "user:test2@google.com", fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", serviceAccountName, project)},
+ "members": []interface{}{"user:test@google.com", "user:test2@google.com", fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", serviceAccountName, project)},
 "devicePolicy": map[string]interface{}{
 "requireCorpOwned": true,
 "osConstraints": []interface{}{