diff --git a/config/samples/resources/privilegedaccessmanagerentitlement/project-level-entitlement/iam_v1beta1_iamserviceaccount.yaml b/config/samples/resources/privilegedaccessmanagerentitlement/project-level-entitlement/iam_v1beta1_iamserviceaccount.yaml
new file mode 100644
index 0000000000..ee15d9fff2
--- /dev/null
+++ b/config/samples/resources/privilegedaccessmanagerentitlement/project-level-entitlement/iam_v1beta1_iamserviceaccount.yaml
@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+  annotations:
+    # Replace ${PROJECT_ID?} with your project ID.
+    cnrm.cloud.google.com/project-id: "${PROJECT_ID?}"
+  name: pame-dep-project
diff --git a/config/samples/resources/privilegedaccessmanagerentitlement/project-level-entitlement/privilegedaccessmanager_v1alpha1_privilegedaccessmanagerentitlement.yaml b/config/samples/resources/privilegedaccessmanagerentitlement/project-level-entitlement/privilegedaccessmanager_v1alpha1_privilegedaccessmanagerentitlement.yaml
new file mode 100644
index 0000000000..81edc4c975
--- /dev/null
+++ b/config/samples/resources/privilegedaccessmanagerentitlement/project-level-entitlement/privilegedaccessmanager_v1alpha1_privilegedaccessmanagerentitlement.yaml
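Review bot: The service account name `pame-dep-project` is load-bearing but undocumented: the sibling entitlement sample in this directory names `serviceAccount:pame-dep-project@${PROJECT_ID?}.iam.gserviceaccount.com` as its eligible principal, so renaming it here silently breaks that sample. Suggest a comment above `name: pame-dep-project` such as `# Eligible principal for the PrivilegedAccessManagerEntitlement sample in this directory; the name must match the serviceAccount: member there.` A short `displayName` or `description` stating that the account exists only to demonstrate PAM elevation would also help anyone later auditing the project's service accounts.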
@@ -0,0 +1,34 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
+kind: PrivilegedAccessManagerEntitlement
+metadata:
+  name: privilegedaccessmanagerentitlement-sample-project
+spec:
+  projectRef:
+    # Replace ${PROJECT_ID?} with your project ID
+    external: "projects/${PROJECT_ID?}"
+  location: global
+  maxRequestDuration: 1800s
+  privilegedAccess:
+    gcpIAMAccess:
+      roleBindings:
+        - role: roles/pubsub.admin
+  requesterJustificationConfig:
+    notMandatory: {}
+  eligibleUsers:
+    - principals:
+        # Replace ${PROJECT_ID?} with your project ID
+        - serviceAccount:pame-dep-project@${PROJECT_ID?}.iam.gserviceaccount.com
diff --git a/config/servicemappings/privilegedaccessmanager.yaml b/config/servicemappings/privilegedaccessmanager.yaml
new file mode 100644
index 0000000000..728ed27653
--- /dev/null
+++ b/config/servicemappings/privilegedaccessmanager.yaml
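Review bot: The sample makes `roles/pubsub.admin` activatable with `requesterJustificationConfig: notMandatory: {}` and no approval configuration anywhere in the file, so anyone who copies it gets a just-in-time elevation path that needs neither a stated reason nor a second party. That is fine for a smoke-test sample, but this directory is what the snippet generator surfaces to users, so the choice should be visible in the file rather than implicit. Suggest a comment above `notMandatory: {}` such as `# Sample only: activation needs no justification and no approver. Production entitlements should require a justification and, where supported, an approval step before elevation.` A one-line note on `maxRequestDuration: 1800s` saying it is deliberately short (presumably the cap on how long an activated grant lasts — worth confirming against the API docs) would round this out.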
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: core.cnrm.cloud.google.com/v1alpha1
+kind: ServiceMapping
+metadata:
+  name: privilegedaccessmanager.cnrm.cloud.google.com
+  namespace: cnrm-system
+spec:
+  name: PrivilegedAccessManager
+  version: v1alpha1
+  serviceHostName: "privilegedaccessmanager.googleapis.com"
+  resources:
+    - name: google_privileged_access_manager_entitlement
+      kind: PrivilegedAccessManagerEntitlement
+      direct: true
\ No newline at end of file
diff --git a/pkg/snippet/snippetgeneration/snippetgeneration.go b/pkg/snippet/snippetgeneration/snippetgeneration.go
index 1e333ae85a..7dbf245319 100644
--- a/pkg/snippet/snippetgeneration/snippetgeneration.go
+++ b/pkg/snippet/snippetgeneration/snippetgeneration.go
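Review bot: The file ends without a trailing newline (`\ No newline at end of file` after `direct: true`), unlike the two sample YAML files added in the same commit; add the newline so the next edit to this file does not show a spurious change on that line. Since `direct: true` is the one setting here that changes how the kind is handled, a short comment on that line stating what it switches on would help the next reader — presumably that the kind is reconciled by a direct controller rather than the Terraform path, but that should be confirmed against the ServiceMapping schema before writing it.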
@@ -32,86 +32,87 @@ import (
 // generation for resources that have multiple samples. It is a map of
 // 'resource samples directory name' -> 'sample subdirectory name'.
 var preferredSampleForResource = map[string]string{
-	"alloydbcluster":                    "regular-cluster",
-	"alloydbinstance":                   "primary-instance",
-	"alloydbuser":                       "database-user",
-	"bigqueryjob":                       "query-bigquery-job",
-	"bigtableappprofile":                "multicluster-bigtable-app-profile",
-	"bigtableinstance":                  "replicated-instance",
-	"bigquerydatatransferconfig":        "bigquerydatatransferconfig-salesforce",
-	"billingbudgetsbudget":              "calendar-budget",
-	"binaryauthorizationpolicy":         "cluster-policy",
-	"certificatemanagercertificate":     "self-managed-certificate",
-	"cloudbuildtrigger":                 "build-trigger-for-cloud-source-repo",
-	"cloudbuildworkerpool":              "workerpool-with-peered-network",
-	"cloudfunctionsfunction":            "httpstrigger",
-	"cloudidentitymembership":           "membership-with-manager-role",
-	"cloudschedulerjob":                 "scheduler-job-pubsub",
-	"computehealthcheck":                "global-health-check",
-	"computeaddress":                    "global-compute-address",
-	"computebackendbucket":              "basic-backend-bucket",
-	"computebackendservice":             "external-load-balancing-backend-service",
-	"computedisk":                       "zonal-compute-disk",
-	"computefirewall":                   "allow-rule-firewall",
-	"computefirewallpolicyassociation":  "association-with-folder-attachment-target",
-	"computeforwardingrule":             "global-forwarding-rule-with-target-http-proxy",
-	"computeimage":                      "image-from-url-raw",
-	"computeinstance":                   "cloud-machine-instance",
-	"computeinstancegroupmanager":       "regional-compute-instance-group-manager",
-	"computenodetemplate":               "flexible-node-template",
-	"computeregionnetworkendpointgroup": "cloud-function-region-network-endpoint-group",
-	"computereservation":                "specialized-compute-reservation",
-	"computeresourcepolicy":             "weekly-resource-policy-schedule",
-	"computerouternat":                  "router-nat-for-all-subnets",
-	"computesecuritypolicy":             "multirule-security-policy",
-	"computesslcertificate":             "global-compute-ssl-certificate",
-	"computesslpolicy":                  "modern-tls-1-1-ssl-policy",
-	"computetargethttpsproxy":           "target-https-proxy-with-ssl-certificates",
-	"computeurlmap":                     "global-compute-url-map",
-	"configcontrollerinstance":          "autopilot-config-controller-instance",
-	"containerattachedcluster":          "container-attached-cluster-basic",
-	"containercluster":                  "vpc-native-container-cluster",
-	"containernodepool":                 "basic-node-pool",
-	"dataflowjob":                       "streaming-dataflow-job",
-	"dataflowflextemplatejob":           "streaming-dataflow-flex-template-job",
-	"dlpstoredinfotype":                 "big-query-field-stored-info-type",
-	"dlpdeidentifytemplate":             "info-type-deidentify-template",
-	"dlpinspecttemplate":                "custom-inspect-template",
-	"dlpjobtrigger":                     "big-query-job-trigger",
-	"dnsrecordset":                      "dns-a-record-set",
-	"edgecontainercluster":              "edgecontainercluster-remote-control-plane",
-	"folder":                            "folder-in-folder",
-	"gkehubfeature":                     "multi-cluster-ingress-feature",
-	"gkehubfeaturemembership":           "config-management-feature-membership",
-	"iamauditconfig":                    "project-level-audit-config",
-	"iamcustomrole":                     "project-role",
-	"iampolicy":                         "external-project-level-policy",
-	"iampartialpolicy":                  "project-level-policy",
-	"iampolicymember":                   "external-project-level-policy-member",
-	"iamworkforcepoolprovider":          "oidc-workforce-pool-provider",
-	"iamworkloadidentitypoolprovider":   "oidc-workload-identity-pool-provider",
-	"logginglogbucket":                  "project-log-bucket",
-	"logginglogexclusion":               "project-exclusion",
-	"logginglogmetric":                  "linear-log-metric",
-	"logginglogsink":                    "project-sink",
-	"logginglogview":                    "project-log-view",
-	"monitoringalertpolicy":             "network-connectivity-alert-policy",
-	"monitoringnotificationchannel":     "sms-monitoring-notification-channel",
-	"monitoringservicelevelobjective":   "window-based-gtr-distribution-cut",
-	"monitoringuptimecheckconfig":       "http-uptime-check-config",
-	"osconfigospolicyassignment":        "fixed-os-policy-assignment",
-	"privatecacertificate":              "basic-certificate",
-	"project":                           "project-in-folder",
-	"pubsubsubscription":                "basic-pubsub-subscription",
-	"runjob":                            "basic-job",
-	"recaptchaenterprisekey":            "challenge-based-web-recaptcha-enterprise-key",
-	"resourcemanagerpolicy":             "organization-policy-for-project",
-	"runservice":                        "run-service-secret",
-	"secretmanagersecret":               "automatic-secret-replication",
-	"sqlinstance":                       "mysql-sql-instance",
-	"vpcaccessconnector":                "cidr-connector",
-	"vertexaidataset":                   "vertexai-dataset-encryptionkey",
-	"vertexaiendpoint":                  "vertexai-endpoint-network",
+	"alloydbcluster":                     "regular-cluster",
+	"alloydbinstance":                    "primary-instance",
+	"alloydbuser":                        "database-user",
+	"bigqueryjob":                        "query-bigquery-job",
+	"bigtableappprofile":                 "multicluster-bigtable-app-profile",
+	"bigtableinstance":                   "replicated-instance",
+	"bigquerydatatransferconfig":         "bigquerydatatransferconfig-salesforce",
+	"billingbudgetsbudget":               "calendar-budget",
+	"binaryauthorizationpolicy":          "cluster-policy",
+	"certificatemanagercertificate":      "self-managed-certificate",
+	"cloudbuildtrigger":                  "build-trigger-for-cloud-source-repo",
+	"cloudbuildworkerpool":               "workerpool-with-peered-network",
+	"cloudfunctionsfunction":             "httpstrigger",
+	"cloudidentitymembership":            "membership-with-manager-role",
+	"cloudschedulerjob":                  "scheduler-job-pubsub",
+	"computehealthcheck":                 "global-health-check",
+	"computeaddress":                     "global-compute-address",
+	"computebackendbucket":               "basic-backend-bucket",
+	"computebackendservice":              "external-load-balancing-backend-service",
+	"computedisk":                        "zonal-compute-disk",
+	"computefirewall":                    "allow-rule-firewall",
+	"computefirewallpolicyassociation":   "association-with-folder-attachment-target",
+	"computeforwardingrule":              "global-forwarding-rule-with-target-http-proxy",
+	"computeimage":                       "image-from-url-raw",
+	"computeinstance":                    "cloud-machine-instance",
+	"computeinstancegroupmanager":        "regional-compute-instance-group-manager",
+	"computenodetemplate":                "flexible-node-template",
+	"computeregionnetworkendpointgroup":  "cloud-function-region-network-endpoint-group",
+	"computereservation":                 "specialized-compute-reservation",
+	"computeresourcepolicy":              "weekly-resource-policy-schedule",
+	"computerouternat":                   "router-nat-for-all-subnets",
+	"computesecuritypolicy":              "multirule-security-policy",
+	"computesslcertificate":              "global-compute-ssl-certificate",
+	"computesslpolicy":                   "modern-tls-1-1-ssl-policy",
+	"computetargethttpsproxy":            "target-https-proxy-with-ssl-certificates",
+	"computeurlmap":                      "global-compute-url-map",
+	"configcontrollerinstance":           "autopilot-config-controller-instance",
+	"containerattachedcluster":           "container-attached-cluster-basic",
+	"containercluster":                   "vpc-native-container-cluster",
+	"containernodepool":                  "basic-node-pool",
+	"dataflowjob":                        "streaming-dataflow-job",
+	"dataflowflextemplatejob":            "streaming-dataflow-flex-template-job",
+	"dlpstoredinfotype":                  "big-query-field-stored-info-type",
+	"dlpdeidentifytemplate":              "info-type-deidentify-template",
+	"dlpinspecttemplate":                 "custom-inspect-template",
+	"dlpjobtrigger":                      "big-query-job-trigger",
+	"dnsrecordset":                       "dns-a-record-set",
+	"edgecontainercluster":               "edgecontainercluster-remote-control-plane",
+	"folder":                             "folder-in-folder",
+	"gkehubfeature":                      "multi-cluster-ingress-feature",
+	"gkehubfeaturemembership":            "config-management-feature-membership",
+	"iamauditconfig":                     "project-level-audit-config",
+	"iamcustomrole":                      "project-role",
+	"iampolicy":                          "external-project-level-policy",
+	"iampartialpolicy":                   "project-level-policy",
+	"iampolicymember":                    "external-project-level-policy-member",
+	"iamworkforcepoolprovider":           "oidc-workforce-pool-provider",
+	"iamworkloadidentitypoolprovider":    "oidc-workload-identity-pool-provider",
+	"logginglogbucket":                   "project-log-bucket",
+	"logginglogexclusion":                "project-exclusion",
+	"logginglogmetric":                   "linear-log-metric",
+	"logginglogsink":                     "project-sink",
+	"logginglogview":                     "project-log-view",
+	"monitoringalertpolicy":              "network-connectivity-alert-policy",
+	"monitoringnotificationchannel":      "sms-monitoring-notification-channel",
+	"monitoringservicelevelobjective":    "window-based-gtr-distribution-cut",
+	"monitoringuptimecheckconfig":        "http-uptime-check-config",
+	"osconfigospolicyassignment":         "fixed-os-policy-assignment",
+	"privatecacertificate":               "basic-certificate",
+	"privilegedaccessmanagerentitlement": "project-level-entitlement",
+	"project":                            "project-in-folder",
+	"pubsubsubscription":                 "basic-pubsub-subscription",
+	"runjob":                             "basic-job",
+	"recaptchaenterprisekey":             "challenge-based-web-recaptcha-enterprise-key",
+	"resourcemanagerpolicy":              "organization-policy-for-project",
+	"runservice":                         "run-service-secret",
+	"secretmanagersecret":                "automatic-secret-replication",
+	"sqlinstance":                        "mysql-sql-instance",
+	"vpcaccessconnector":                 "cidr-connector",
+	"vertexaidataset":                    "vertexai-dataset-encryptionkey",
+	"vertexaiendpoint":                   "vertexai-endpoint-network",
 }
 
 type Snippet struct {
diff --git a/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementbasicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml b/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementbasicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml
index 21687b171f..0e3bc188da 100644
--- a/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementbasicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml
+++ b/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementbasicproject/_generated_object_privilegedaccessmanagerentitlementbasicproject.golden.yaml
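Review bot: Several keys on the new side of `preferredSampleForResource` are out of alphabetical order — `computehealthcheck` sits before `computeaddress`, `bigquerydatatransferconfig` after `bigtableinstance`, and `runjob` before `recaptchaenterprisekey` — which makes it easy to add a duplicate or misplace a future entry. Since the new, longest key forces gofmt to rewrite every line of the map anyway, this commit is the cheapest moment to sort the whole block; the added `"privilegedaccessmanagerentitlement": "project-level-entitlement",` line itself is correctly placed between `privatecacertificate` and `project`. A one-line comment above the literal, `// Keep keys sorted alphabetically.`, would keep it that way.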
@@ -1,6 +1,8 @@
 apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
 kind: PrivilegedAccessManagerEntitlement
 metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
   finalizers:
   - cnrm.cloud.google.com/finalizer
   - cnrm.cloud.google.com/deletion-defender
diff --git a/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullfolder/_generated_object_privilegedaccessmanagerentitlementfullfolder.golden.yaml b/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullfolder/_generated_object_privilegedaccessmanagerentitlementfullfolder.golden.yaml
index 9bd07ac741..d5a109f289 100644
--- a/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullfolder/_generated_object_privilegedaccessmanagerentitlementfullfolder.golden.yaml
+++ b/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullfolder/_generated_object_privilegedaccessmanagerentitlementfullfolder.golden.yaml
@@ -1,6 +1,8 @@
 apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
 kind: PrivilegedAccessManagerEntitlement
 metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
   finalizers:
   - cnrm.cloud.google.com/finalizer
   - cnrm.cloud.google.com/deletion-defender
diff --git a/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullorg/_generated_object_privilegedaccessmanagerentitlementfullorg.golden.yaml b/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullorg/_generated_object_privilegedaccessmanagerentitlementfullorg.golden.yaml
index 15647c2235..66f18b0aae 100644
--- a/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullorg/_generated_object_privilegedaccessmanagerentitlementfullorg.golden.yaml
+++ b/pkg/test/resourcefixture/testdata/basic/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement/privilegedaccessmanagerentitlementfullorg/_generated_object_privilegedaccessmanagerentitlementfullorg.golden.yaml
@@ -1,6 +1,8 @@
 apiVersion: privilegedaccessmanager.cnrm.cloud.google.com/v1alpha1
 kind: PrivilegedAccessManagerEntitlement
 metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
   finalizers:
   - cnrm.cloud.google.com/finalizer
   - cnrm.cloud.google.com/deletion-defender
diff --git a/pkg/webhook/immutable_fields_validator.go b/pkg/webhook/immutable_fields_validator.go
index fa38aeef43..94d3376358 100644
--- a/pkg/webhook/immutable_fields_validator.go
+++ b/pkg/webhook/immutable_fields_validator.go
@@ -294,6 +294,9 @@ func validateImmutableFieldsForTFBasedResource(obj, oldObj *unstructured.Unstruc return admission.Errored(http.StatusBadRequest, fmt.Errorf("couldn't get ResourceConfig for kind %v: %w", obj.GetKind(), err)) } + if rc.Direct && rc.Name != "google_sql_database_instance" { + return allowedResponse + } if err := validateContainerAnnotationsForResource(obj.GetKind(), obj.GetAnnotations(), oldObj.GetAnnotations(), rc.Containers, rc.HierarchicalReferences); err != nil { return admission.Errored(http.StatusBadRequest,