Add sms_region_config block to identity platform. (#9077) (#6398)

* Add sms_region_config block to identity platform. Permits configuring the allow/denylist for SMS regions. * use exactly_one_of instead of conflicts update test add example Signed-off-by: Modular Magician <[email protected]>
hashicorp · Sep 28, 2023 · 5e72c8b · 5e72c8b
1 parent 7bbc36d
commit 5e72c8b
Show file tree

Hide file tree

Showing 5 changed files with 247 additions and 0 deletions.
diff --git a/.changelog/9077.txt b/.changelog/9077.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+identityplatform: added `sms_region_config` to the resource `google_identity_platform_config`
+```
diff --git a/google-beta/services/identityplatform/resource_identity_platform_config.go b/google-beta/services/identityplatform/resource_identity_platform_config.go
@@ -268,6 +268,54 @@ email/password or email link.`,
 					},
 				},
 			},
+			"sms_region_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `Configures the regions where users are allowed to send verification SMS for the project or tenant. This is based on the calling code of the destination phone number.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"allow_by_default": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"disallowed_regions": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: `Two letter unicode region codes to disallow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json`,
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+							ExactlyOneOf: []string{"sms_region_config.0.allow_by_default", "sms_region_config.0.allowlist_only"},
+						},
+						"allowlist_only": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `A policy of only allowing regions by explicitly adding them to an allowlist.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"allowed_regions": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: `Two letter unicode region codes to allow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json`,
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+							ExactlyOneOf: []string{"sms_region_config.0.allow_by_default", "sms_region_config.0.allowlist_only"},
+						},
+					},
+				},
+			},
 			"name": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -399,6 +447,9 @@ func resourceIdentityPlatformConfigRead(d *schema.ResourceData, meta interface{}
 	if err := d.Set("authorized_domains", flattenIdentityPlatformConfigAuthorizedDomains(res["authorizedDomains"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Config: %s", err)
 	}
+	if err := d.Set("sms_region_config", flattenIdentityPlatformConfigSmsRegionConfig(res["smsRegionConfig"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Config: %s", err)
+	}
 
 	return nil
 }
@@ -449,6 +500,12 @@ func resourceIdentityPlatformConfigUpdate(d *schema.ResourceData, meta interface
 	} else if v, ok := d.GetOkExists("authorized_domains"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, authorizedDomainsProp)) {
 		obj["authorizedDomains"] = authorizedDomainsProp
 	}
+	smsRegionConfigProp, err := expandIdentityPlatformConfigSmsRegionConfig(d.Get("sms_region_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("sms_region_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, smsRegionConfigProp)) {
+		obj["smsRegionConfig"] = smsRegionConfigProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{IdentityPlatformBasePath}}projects/{{project}}/config")
 	if err != nil {
@@ -477,6 +534,10 @@ func resourceIdentityPlatformConfigUpdate(d *schema.ResourceData, meta interface
 	if d.HasChange("authorized_domains") {
 		updateMask = append(updateMask, "authorizedDomains")
 	}
+
+	if d.HasChange("sms_region_config") {
+		updateMask = append(updateMask, "smsRegionConfig")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -827,6 +888,55 @@ func flattenIdentityPlatformConfigAuthorizedDomains(v interface{}, d *schema.Res
 	return v
 }
 
+func flattenIdentityPlatformConfigSmsRegionConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["allow_by_default"] =
+		flattenIdentityPlatformConfigSmsRegionConfigAllowByDefault(original["allowByDefault"], d, config)
+	transformed["allowlist_only"] =
+		flattenIdentityPlatformConfigSmsRegionConfigAllowlistOnly(original["allowlistOnly"], d, config)
+	return []interface{}{transformed}
+}
+func flattenIdentityPlatformConfigSmsRegionConfigAllowByDefault(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["disallowed_regions"] =
+		flattenIdentityPlatformConfigSmsRegionConfigAllowByDefaultDisallowedRegions(original["disallowedRegions"], d, config)
+	return []interface{}{transformed}
+}
+func flattenIdentityPlatformConfigSmsRegionConfigAllowByDefaultDisallowedRegions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenIdentityPlatformConfigSmsRegionConfigAllowlistOnly(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["allowed_regions"] =
+		flattenIdentityPlatformConfigSmsRegionConfigAllowlistOnlyAllowedRegions(original["allowedRegions"], d, config)
+	return []interface{}{transformed}
+}
+func flattenIdentityPlatformConfigSmsRegionConfigAllowlistOnlyAllowedRegions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandIdentityPlatformConfigAutodeleteAnonymousUsers(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -1225,3 +1335,75 @@ func expandIdentityPlatformConfigQuotaSignUpQuotaConfigQuotaDuration(v interface
 func expandIdentityPlatformConfigAuthorizedDomains(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandIdentityPlatformConfigSmsRegionConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedAllowByDefault, err := expandIdentityPlatformConfigSmsRegionConfigAllowByDefault(original["allow_by_default"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAllowByDefault); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["allowByDefault"] = transformedAllowByDefault
+	}
+
+	transformedAllowlistOnly, err := expandIdentityPlatformConfigSmsRegionConfigAllowlistOnly(original["allowlist_only"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAllowlistOnly); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["allowlistOnly"] = transformedAllowlistOnly
+	}
+
+	return transformed, nil
+}
+
+func expandIdentityPlatformConfigSmsRegionConfigAllowByDefault(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedDisallowedRegions, err := expandIdentityPlatformConfigSmsRegionConfigAllowByDefaultDisallowedRegions(original["disallowed_regions"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedDisallowedRegions); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["disallowedRegions"] = transformedDisallowedRegions
+	}
+
+	return transformed, nil
+}
+
+func expandIdentityPlatformConfigSmsRegionConfigAllowByDefaultDisallowedRegions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandIdentityPlatformConfigSmsRegionConfigAllowlistOnly(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedAllowedRegions, err := expandIdentityPlatformConfigSmsRegionConfigAllowlistOnlyAllowedRegions(original["allowed_regions"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAllowedRegions); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["allowedRegions"] = transformedAllowedRegions
+	}
+
+	return transformed, nil
+}
+
+func expandIdentityPlatformConfigSmsRegionConfigAllowlistOnlyAllowedRegions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
diff --git a/google-beta/services/identityplatform/resource_identity_platform_config_generated_test.go b/google-beta/services/identityplatform/resource_identity_platform_config_generated_test.go
@@ -91,6 +91,14 @@ resource "google_identity_platform_config" "default" {
         }
     }
   }
+  sms_region_config {
+    allowlist_only {
+      allowed_regions = [
+        "US",
+        "CA",
+      ]
+    }
+  }
   blocking_functions {
     triggers {
       event_type = "beforeSignIn"

diff --git a/google-beta/services/identityplatform/resource_identity_platform_config_test.go b/google-beta/services/identityplatform/resource_identity_platform_config_test.go
@@ -84,6 +84,14 @@ resource "google_identity_platform_config" "basic" {
         }
     }
   }
+  sms_region_config {
+    allow_by_default {
+      disallowed_regions = [
+        "CA",
+        "US",
+      ]
+    }
+  }
 }
 `, context)
 }
@@ -124,6 +132,14 @@ resource "google_identity_platform_config" "basic" {
         }
     }
   }
+  sms_region_config {
+    allowlist_only {
+      allowed_regions = [
+        "AU",
+        "NZ",
+      ]
+    }
+  }
 }
 `, context)
 }
diff --git a/website/docs/r/identity_platform_config.html.markdown b/website/docs/r/identity_platform_config.html.markdown
@@ -73,6 +73,14 @@ resource "google_identity_platform_config" "default" {
         }
     }
   }
+  sms_region_config {
+    allowlist_only {
+      allowed_regions = [
+        "US",
+        "CA",
+      ]
+    }
+  }
   blocking_functions {
     triggers {
       event_type = "beforeSignIn"
@@ -131,6 +139,11 @@ The following arguments are supported:
   (Optional)
   List of domains authorized for OAuth redirects.
 
+* `sms_region_config` -
+  (Optional)
+  Configures the regions where users are allowed to send verification SMS for the project or tenant. This is based on the calling code of the destination phone number.
+  Structure is [documented below](#nested_sms_region_config).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
@@ -273,6 +286,31 @@ The following arguments are supported:
   (Optional)
   How long this quota will be active for. It is measurred in seconds, e.g., Example: "9.615s".
 
+<a name="nested_sms_region_config"></a>The `sms_region_config` block supports:
+
+* `allow_by_default` -
+  (Optional)
+  A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list.
+  Structure is [documented below](#nested_allow_by_default).
+
+* `allowlist_only` -
+  (Optional)
+  A policy of only allowing regions by explicitly adding them to an allowlist.
+  Structure is [documented below](#nested_allowlist_only).
+
+
+<a name="nested_allow_by_default"></a>The `allow_by_default` block supports:
+
+* `disallowed_regions` -
+  (Optional)
+  Two letter unicode region codes to disallow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json
+
+<a name="nested_allowlist_only"></a>The `allowlist_only` block supports:
+
+* `allowed_regions` -
+  (Optional)
+  Two letter unicode region codes to allow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: