Merge pull request GoogleCloudPlatform#3021 from maqiuyujoyce/202410-…

…fix-pam Fix hanging deletion for PrivilegedAccessManagerEntitlement
cheftako · Nov 1, 2024 · 1e723b5 · 1e723b5
2 parents 68d9f31 + d6fefeb
commit 1e723b5
Show file tree

Hide file tree

Showing 8 changed files with 172 additions and 80 deletions.
diff --git a/...egedaccessmanagerentitlement/project-level-entitlement/iam_v1beta1_iamserviceaccount.yaml b/...egedaccessmanagerentitlement/project-level-entitlement/iam_v1beta1_iamserviceaccount.yaml
@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+  annotations:
+    # Replace ${PROJECT_ID?} with your project ID.
+    cnrm.cloud.google.com/project-id: "${PROJECT_ID?}"
+  name: pame-dep-project
diff --git a/...evel-entitlement/privilegedaccessmanager_v1alpha1_privilegedaccessmanagerentitlement.yaml b/...evel-entitlement/privilegedaccessmanager_v1alpha1_privilegedaccessmanagerentitlement.yaml
@@ -0,0 +1,34 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
+kind: PrivilegedAccessManagerEntitlement
+metadata:
+  name: privilegedaccessmanagerentitlement-sample-project
+spec:
+  projectRef:
+    # Replace ${PROJECT_ID?} with your project ID
+    external: "projects/${PROJECT_ID?}"
+  location: global
+  maxRequestDuration: 1800s
+  privilegedAccess:
+    gcpIAMAccess:
+      roleBindings:
+        - role: roles/pubsub.admin
+  requesterJustificationConfig:
+    notMandatory: {}
+  eligibleUsers:
+    - principals:
+        # Replace ${PROJECT_ID?} with your project ID
+        - serviceAccount:pame-dep-project@${PROJECT_ID?}.iam.gserviceaccount.com
diff --git a/config/servicemappings/privilegedaccessmanager.yaml b/config/servicemappings/privilegedaccessmanager.yaml
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: core.cnrm.cloud.google.com/v1alpha1
+kind: ServiceMapping
+metadata:
+  name: privilegedaccessmanager.cnrm.cloud.google.com
+  namespace: cnrm-system
+spec:
+  name: PrivilegedAccessManager
+  version: v1alpha1
+  serviceHostName: "privilegedaccessmanager.googleapis.com"
+  resources:
+    - name: google_privileged_access_manager_entitlement
+      kind: PrivilegedAccessManagerEntitlement
+      direct: true
diff --git a/pkg/snippet/snippetgeneration/snippetgeneration.go b/pkg/snippet/snippetgeneration/snippetgeneration.go
@@ -32,86 +32,87 @@ import (
 // generation for resources that have multiple samples. It is a map of
 // 'resource samples directory name' -> 'sample subdirectory name'.
 var preferredSampleForResource = map[string]string{
-	"alloydbcluster":                    "regular-cluster",
-	"alloydbinstance":                   "primary-instance",
-	"alloydbuser":                       "database-user",
-	"bigqueryjob":                       "query-bigquery-job",
-	"bigtableappprofile":                "multicluster-bigtable-app-profile",
-	"bigtableinstance":                  "replicated-instance",
-	"bigquerydatatransferconfig":        "bigquerydatatransferconfig-salesforce",
-	"billingbudgetsbudget":              "calendar-budget",
-	"binaryauthorizationpolicy":         "cluster-policy",
-	"certificatemanagercertificate":     "self-managed-certificate",
-	"cloudbuildtrigger":                 "build-trigger-for-cloud-source-repo",
-	"cloudbuildworkerpool":              "workerpool-with-peered-network",
-	"cloudfunctionsfunction":            "httpstrigger",
-	"cloudidentitymembership":           "membership-with-manager-role",
-	"cloudschedulerjob":                 "scheduler-job-pubsub",
-	"computehealthcheck":                "global-health-check",
-	"computeaddress":                    "global-compute-address",
-	"computebackendbucket":              "basic-backend-bucket",
-	"computebackendservice":             "external-load-balancing-backend-service",
-	"computedisk":                       "zonal-compute-disk",
-	"computefirewall":                   "allow-rule-firewall",
-	"computefirewallpolicyassociation":  "association-with-folder-attachment-target",
-	"computeforwardingrule":             "global-forwarding-rule-with-target-http-proxy",
-	"computeimage":                      "image-from-url-raw",
-	"computeinstance":                   "cloud-machine-instance",
-	"computeinstancegroupmanager":       "regional-compute-instance-group-manager",
-	"computenodetemplate":               "flexible-node-template",
-	"computeregionnetworkendpointgroup": "cloud-function-region-network-endpoint-group",
-	"computereservation":                "specialized-compute-reservation",
-	"computeresourcepolicy":             "weekly-resource-policy-schedule",
-	"computerouternat":                  "router-nat-for-all-subnets",
-	"computesecuritypolicy":             "multirule-security-policy",
-	"computesslcertificate":             "global-compute-ssl-certificate",
-	"computesslpolicy":                  "modern-tls-1-1-ssl-policy",
-	"computetargethttpsproxy":           "target-https-proxy-with-ssl-certificates",
-	"computeurlmap":                     "global-compute-url-map",
-	"configcontrollerinstance":          "autopilot-config-controller-instance",
-	"containerattachedcluster":          "container-attached-cluster-basic",
-	"containercluster":                  "vpc-native-container-cluster",
-	"containernodepool":                 "basic-node-pool",
-	"dataflowjob":                       "streaming-dataflow-job",
-	"dataflowflextemplatejob":           "streaming-dataflow-flex-template-job",
-	"dlpstoredinfotype":                 "big-query-field-stored-info-type",
-	"dlpdeidentifytemplate":             "info-type-deidentify-template",
-	"dlpinspecttemplate":                "custom-inspect-template",
-	"dlpjobtrigger":                     "big-query-job-trigger",
-	"dnsrecordset":                      "dns-a-record-set",
-	"edgecontainercluster":              "edgecontainercluster-remote-control-plane",
-	"folder":                            "folder-in-folder",
-	"gkehubfeature":                     "multi-cluster-ingress-feature",
-	"gkehubfeaturemembership":           "config-management-feature-membership",
-	"iamauditconfig":                    "project-level-audit-config",
-	"iamcustomrole":                     "project-role",
-	"iampolicy":                         "external-project-level-policy",
-	"iampartialpolicy":                  "project-level-policy",
-	"iampolicymember":                   "external-project-level-policy-member",
-	"iamworkforcepoolprovider":          "oidc-workforce-pool-provider",
-	"iamworkloadidentitypoolprovider":   "oidc-workload-identity-pool-provider",
-	"logginglogbucket":                  "project-log-bucket",
-	"logginglogexclusion":               "project-exclusion",
-	"logginglogmetric":                  "linear-log-metric",
-	"logginglogsink":                    "project-sink",
-	"logginglogview":                    "project-log-view",
-	"monitoringalertpolicy":             "network-connectivity-alert-policy",
-	"monitoringnotificationchannel":     "sms-monitoring-notification-channel",
-	"monitoringservicelevelobjective":   "window-based-gtr-distribution-cut",
-	"monitoringuptimecheckconfig":       "http-uptime-check-config",
-	"osconfigospolicyassignment":        "fixed-os-policy-assignment",
-	"privatecacertificate":              "basic-certificate",
-	"project":                           "project-in-folder",
-	"pubsubsubscription":                "basic-pubsub-subscription",
-	"runjob":                            "basic-job",
-	"recaptchaenterprisekey":            "challenge-based-web-recaptcha-enterprise-key",
-	"resourcemanagerpolicy":             "organization-policy-for-project",
-	"runservice":                        "run-service-secret",
-	"secretmanagersecret":               "automatic-secret-replication",
-	"sqlinstance":                       "mysql-sql-instance",
-	"vpcaccessconnector":                "cidr-connector",
-	"vertexaidataset":                   "vertexai-dataset-encryptionkey",
-	"vertexaiendpoint":                  "vertexai-endpoint-network",
+	"alloydbcluster":                     "regular-cluster",
+	"alloydbinstance":                    "primary-instance",
+	"alloydbuser":                        "database-user",
+	"bigqueryjob":                        "query-bigquery-job",
+	"bigtableappprofile":                 "multicluster-bigtable-app-profile",
+	"bigtableinstance":                   "replicated-instance",
+	"bigquerydatatransferconfig":         "bigquerydatatransferconfig-salesforce",
+	"billingbudgetsbudget":               "calendar-budget",
+	"binaryauthorizationpolicy":          "cluster-policy",
+	"certificatemanagercertificate":      "self-managed-certificate",
+	"cloudbuildtrigger":                  "build-trigger-for-cloud-source-repo",
+	"cloudbuildworkerpool":               "workerpool-with-peered-network",
+	"cloudfunctionsfunction":             "httpstrigger",
+	"cloudidentitymembership":            "membership-with-manager-role",
+	"cloudschedulerjob":                  "scheduler-job-pubsub",
+	"computehealthcheck":                 "global-health-check",
+	"computeaddress":                     "global-compute-address",
+	"computebackendbucket":               "basic-backend-bucket",
+	"computebackendservice":              "external-load-balancing-backend-service",
+	"computedisk":                        "zonal-compute-disk",
+	"computefirewall":                    "allow-rule-firewall",
+	"computefirewallpolicyassociation":   "association-with-folder-attachment-target",
+	"computeforwardingrule":              "global-forwarding-rule-with-target-http-proxy",
+	"computeimage":                       "image-from-url-raw",
+	"computeinstance":                    "cloud-machine-instance",
+	"computeinstancegroupmanager":        "regional-compute-instance-group-manager",
+	"computenodetemplate":                "flexible-node-template",
+	"computeregionnetworkendpointgroup":  "cloud-function-region-network-endpoint-group",
+	"computereservation":                 "specialized-compute-reservation",
+	"computeresourcepolicy":              "weekly-resource-policy-schedule",
+	"computerouternat":                   "router-nat-for-all-subnets",
+	"computesecuritypolicy":              "multirule-security-policy",
+	"computesslcertificate":              "global-compute-ssl-certificate",
+	"computesslpolicy":                   "modern-tls-1-1-ssl-policy",
+	"computetargethttpsproxy":            "target-https-proxy-with-ssl-certificates",
+	"computeurlmap":                      "global-compute-url-map",
+	"configcontrollerinstance":           "autopilot-config-controller-instance",
+	"containerattachedcluster":           "container-attached-cluster-basic",
+	"containercluster":                   "vpc-native-container-cluster",
+	"containernodepool":                  "basic-node-pool",
+	"dataflowjob":                        "streaming-dataflow-job",
+	"dataflowflextemplatejob":            "streaming-dataflow-flex-template-job",
+	"dlpstoredinfotype":                  "big-query-field-stored-info-type",
+	"dlpdeidentifytemplate":              "info-type-deidentify-template",
+	"dlpinspecttemplate":                 "custom-inspect-template",
+	"dlpjobtrigger":                      "big-query-job-trigger",
+	"dnsrecordset":                       "dns-a-record-set",
+	"edgecontainercluster":               "edgecontainercluster-remote-control-plane",
+	"folder":                             "folder-in-folder",
+	"gkehubfeature":                      "multi-cluster-ingress-feature",
+	"gkehubfeaturemembership":            "config-management-feature-membership",
+	"iamauditconfig":                     "project-level-audit-config",
+	"iamcustomrole":                      "project-role",
+	"iampolicy":                          "external-project-level-policy",
+	"iampartialpolicy":                   "project-level-policy",
+	"iampolicymember":                    "external-project-level-policy-member",
+	"iamworkforcepoolprovider":           "oidc-workforce-pool-provider",
+	"iamworkloadidentitypoolprovider":    "oidc-workload-identity-pool-provider",
+	"logginglogbucket":                   "project-log-bucket",
+	"logginglogexclusion":                "project-exclusion",
+	"logginglogmetric":                   "linear-log-metric",
+	"logginglogsink":                     "project-sink",
+	"logginglogview":                     "project-log-view",
+	"monitoringalertpolicy":              "network-connectivity-alert-policy",
+	"monitoringnotificationchannel":      "sms-monitoring-notification-channel",
+	"monitoringservicelevelobjective":    "window-based-gtr-distribution-cut",
+	"monitoringuptimecheckconfig":        "http-uptime-check-config",
+	"osconfigospolicyassignment":         "fixed-os-policy-assignment",
+	"privatecacertificate":               "basic-certificate",
+	"privilegedaccessmanagerentitlement": "project-level-entitlement",
+	"project":                            "project-in-folder",
+	"pubsubsubscription":                 "basic-pubsub-subscription",
+	"runjob":                             "basic-job",
+	"recaptchaenterprisekey":             "challenge-based-web-recaptcha-enterprise-key",
+	"resourcemanagerpolicy":              "organization-policy-for-project",
+	"runservice":                         "run-service-secret",
+	"secretmanagersecret":                "automatic-secret-replication",
+	"sqlinstance":                        "mysql-sql-instance",
+	"vpcaccessconnector":                 "cidr-connector",
+	"vertexaidataset":                    "vertexai-dataset-encryptionkey",
+	"vertexaiendpoint":                   "vertexai-endpoint-network",
 }
 
 type Snippet struct {

diff --git a/...basicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml b/...basicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml
@@ -1,6 +1,8 @@
 apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
 kind: PrivilegedAccessManagerEntitlement
 metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
   finalizers:
   - cnrm.cloud.google.com/finalizer
   - cnrm.cloud.google.com/deletion-defender

diff --git a/...mentfullfolder/_generated_object_privilegedaccessmanagerentitlementfullfolder.golden.yaml b/...mentfullfolder/_generated_object_privilegedaccessmanagerentitlementfullfolder.golden.yaml
@@ -1,6 +1,8 @@
 apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
 kind: PrivilegedAccessManagerEntitlement
 metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
   finalizers:
   - cnrm.cloud.google.com/finalizer
   - cnrm.cloud.google.com/deletion-defender

diff --git a/...ntitlementfullorg/_generated_object_privilegedaccessmanagerentitlementfullorg.golden.yaml b/...ntitlementfullorg/_generated_object_privilegedaccessmanagerentitlementfullorg.golden.yaml
@@ -1,6 +1,8 @@
 apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
 kind: PrivilegedAccessManagerEntitlement
 metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
   finalizers:
   - cnrm.cloud.google.com/finalizer
   - cnrm.cloud.google.com/deletion-defender

diff --git a/pkg/webhook/immutable_fields_validator.go b/pkg/webhook/immutable_fields_validator.go
@@ -294,6 +294,9 @@ func validateImmutableFieldsForTFBasedResource(obj, oldObj *unstructured.Unstruc
 		return admission.Errored(http.StatusBadRequest,
 			fmt.Errorf("couldn't get ResourceConfig for kind %v: %w", obj.GetKind(), err))
 	}
+	if rc.Direct && rc.Name != "google_sql_database_instance" {
+		return allowedResponse
+	}
 
 	if err := validateContainerAnnotationsForResource(obj.GetKind(), obj.GetAnnotations(), oldObj.GetAnnotations(), rc.Containers, rc.HierarchicalReferences); err != nil {
 		return admission.Errored(http.StatusBadRequest,