From ee48c7a4c2e36fea38307dab58b615b1903a9f65 Mon Sep 17 00:00:00 2001 
From: Rohit Jangid Date: Fri, 19 Apr 2024 22:40:04 +0530 Subject: [PATCH] Add AuthConfig resource in Integrations product (#10335) --- mmv1/products/integrations/AuthConfig.yaml | 478 ++++++++++++++++++ .../integrations_auth_config_advance.tf.erb | 21 + ...integrations_auth_config_auth_token.tf.erb | 18 + .../integrations_auth_config_basic.tf.erb | 18 + ...auth_config_client_certificate_only.tf.erb | 64 +++ .../integrations_auth_config_jwt.tf.erb | 19 + ...th_config_oauth2_authorization_code.tf.erb | 21 + ...th_config_oauth2_client_credentials.tf.erb | 35 ++ ...integrations_auth_config_oidc_token.tf.erb | 23 + ...rations_auth_config_service_account.tf.erb | 23 + ...s_auth_config_username_and_password.tf.erb | 18 + .../integrations_auth_config.go.erb | 17 + .../integrations_auth_config.go.erb | 21 + .../resource_integrations_auth_config_test.go | 141 ++++++ 14 files changed, 917 insertions(+) create mode 100644 mmv1/products/integrations/AuthConfig.yaml create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_advance.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_auth_token.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_basic.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_client_certificate_only.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_jwt.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_oauth2_authorization_code.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_oauth2_client_credentials.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_oidc_token.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_service_account.tf.erb create mode 100644 mmv1/templates/terraform/examples/integrations_auth_config_username_and_password.tf.erb create mode 100644 
mmv1/templates/terraform/pre_create/integrations_auth_config.go.erb create mode 100644 mmv1/templates/terraform/pre_update/integrations_auth_config.go.erb create mode 100644 mmv1/third_party/terraform/services/integrations/resource_integrations_auth_config_test.go diff --git a/mmv1/products/integrations/AuthConfig.yaml b/mmv1/products/integrations/AuthConfig.yaml new file mode 100644 index 000000000000..f58f4dd9c8ea --- /dev/null +++ b/mmv1/products/integrations/AuthConfig.yaml 
@@ -0,0 +1,478 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- !ruby/object:Api::Resource +name: 'AuthConfig' +description: | + The AuthConfig resource use to hold channels and connection config data. +references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'Official Documentation': 'https://cloud.google.com/application-integration/docs/overview' + 'Manage authentication profiles': 'https://cloud.google.com/application-integration/docs/configure-authentication-profiles' + api: 'https://cloud.google.com/application-integration/docs/reference/rest/v1/projects.locations.authConfigs' +base_url: 'projects/{{project}}/locations/{{location}}/authConfigs' +self_link: '{{name}}' +update_verb: :PATCH +autogen_async: false +id_format: '{{name}}' +import_format: ['{{name}}'] +mutex: '{{name}}' +custom_code: !ruby/object:Provider::Terraform::CustomCode + custom_import: templates/terraform/custom_import/self_link_as_name.erb + pre_create: templates/terraform/pre_create/integrations_auth_config.go.erb + post_create: templates/terraform/post_create/set_computed_name.erb + pre_update: templates/terraform/pre_update/integrations_auth_config.go.erb +parameters: + - !ruby/object:Api::Type::String + name: 'location' + required: true + immutable: true + url_param_only: true + description: | + Location in which client needs to be provisioned. 
+properties: + - !ruby/object:Api::Type::String + name: 'name' + description: | + Resource name of the auth config. + output: true + - !ruby/object:Api::Type::String + name: 'displayName' + description: | + The name of the auth config. + required: true + - !ruby/object:Api::Type::String + name: 'description' + description: | + A description of the auth config. + - !ruby/object:Api::Type::String + name: 'certificateId' + description: | + Certificate id for client certificate. + output: true + - !ruby/object:Api::Type::Enum + name: 'credentialType' + description: | + Credential type of the encrypted credential. + values: + - USERNAME_AND_PASSWORD + - OAUTH2_AUTHORIZATION_CODE + - OAUTH2_IMPLICIT + - OAUTH2_CLIENT_CREDENTIALS + - OAUTH2_RESORUCE_OWNER_CREDENTIALS + - JWT + - AUTH_TOKEN + - SERVICE_ACCOUNT + - CLIENT_CERTIFICATE_ONLY + - OIDC_TOKEN + output: true + - !ruby/object:Api::Type::String + name: 'creatorEmail' + description: | + The creator's email address. Generated based on the End User Credentials/LOAS role of the user making the call. + output: true + - !ruby/object:Api::Type::Time + name: "createTime" + description: | + The timestamp when the auth config is created. + + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + output: true + - !ruby/object:Api::Type::String + name: 'lastModifierEmail' + description: | + The last modifier's email address. Generated based on the End User Credentials/LOAS role of the user making the call. + output: true + - !ruby/object:Api::Type::Time + name: "updateTime" + description: | + The timestamp when the auth config is modified. + + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". 
+ output: true + - !ruby/object:Api::Type::Enum + name: 'visibility' + description: | + The visibility of the auth config. + values: + - PRIVATE + - CLIENT_VISIBLE + - !ruby/object:Api::Type::Enum + name: 'state' + description: | + The status of the auth config. + values: + - VALID + - INVALID + - SOFT_DELETED + - EXPIRED + - UNAUTHORIZED + - UNSUPPORTED + output: true + - !ruby/object:Api::Type::String + name: 'reason' + description: | + The reason / details of the current status. + output: true + - !ruby/object:Api::Type::Array + name: 'expiryNotificationDuration' + description: | + User can define the time to receive notification after which the auth config becomes invalid. Support up to 30 days. Support granularity in hours. + + A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s". + item_type: Api::Type::String + - !ruby/object:Api::Type::String + name: 'validTime' + description: | + The time until the auth config is valid. Empty or max value is considered the auth config won't expire. + + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + output: true + - !ruby/object:Api::Type::String + name: 'overrideValidTime' + description: | + User provided expiry time to override. For the example of Salesforce, username/password credentials can be valid for 6 months depending on the instance settings. + + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + - !ruby/object:Api::Type::String + name: 'encryptedCredential' + description: | + Auth credential encrypted by Cloud KMS. Can be decrypted as Credential with proper KMS key. + + A base64-encoded string. + output: true + - !ruby/object:Api::Type::NestedObject + name: 'decryptedCredential' + description: | + Raw auth credentials. 
+ properties: + - !ruby/object:Api::Type::ResourceRef + name: 'credentialType' + description: | + Credential type associated with auth configs. + resource: 'AuthConfig' + imports: 'credentialType' + required: true + - !ruby/object:Api::Type::NestedObject + name: 'usernameAndPassword' + description: | + Username and password credential. + conflicts: + - decryptedCredential.0.oauth2_authorization_code + - decryptedCredential.0.oauth2_client_credentials + - decryptedCredential.0.jwt + - decryptedCredential.0.auth_token + - decryptedCredential.0.service_account_credentials + - decryptedCredential.0.oidc_token + properties: + - !ruby/object:Api::Type::String + name: 'username' + description: | + Username to be used. + - !ruby/object:Api::Type::String + name: 'password' + description: | + Password to be used. + - !ruby/object:Api::Type::NestedObject + name: 'oauth2AuthorizationCode' + description: | + OAuth2 authorization code credential. + conflicts: + - decryptedCredential.0.username_and_password + - decryptedCredential.0.oauth2_client_credentials + - decryptedCredential.0.jwt + - decryptedCredential.0.auth_token + - decryptedCredential.0.service_account_credentials + - decryptedCredential.0.oidc_token + properties: + - !ruby/object:Api::Type::String + name: 'clientId' + description: | + The client's id. + - !ruby/object:Api::Type::String + name: 'clientSecret' + description: | + The client's secret. + - !ruby/object:Api::Type::String + name: 'scope' + description: | + A space-delimited list of requested scope permissions. + - !ruby/object:Api::Type::String + name: 'authEndpoint' + description: | + The auth url endpoint to send the auth code request to. + - !ruby/object:Api::Type::String + name: 'tokenEndpoint' + description: | + The token url endpoint to send the token request to. + - !ruby/object:Api::Type::NestedObject + name: 'oauth2ClientCredentials' + description: | + OAuth2 client credentials. 
+ conflicts: + - decryptedCredential.0.username_and_password + - decryptedCredential.0.oauth2_authorization_code + - decryptedCredential.0.jwt + - decryptedCredential.0.auth_token + - decryptedCredential.0.service_account_credentials + - decryptedCredential.0.oidc_token + properties: + - !ruby/object:Api::Type::String + name: 'clientId' + description: | + The client's ID. + - !ruby/object:Api::Type::String + name: 'clientSecret' + description: | + The client's secret. + - !ruby/object:Api::Type::String + name: 'tokenEndpoint' + description: | + The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. + - !ruby/object:Api::Type::String + name: 'scope' + description: | + A space-delimited list of requested scope permissions. + - !ruby/object:Api::Type::NestedObject + name: 'tokenParams' + description: | + Token parameters for the auth request. + properties: # ParameterMap + - !ruby/object:Api::Type::Array + name: 'entries' + description: | + A list of parameter map entries. + item_type: !ruby/object:Api::Type::NestedObject + properties: # ParameterMapEntry + - !ruby/object:Api::Type::NestedObject + name: 'key' + description: | + Key of the map entry. + properties: # ParameterMapField + - !ruby/object:Api::Type::NestedObject + name: 'literalValue' + description: | + Passing a literal value + properties: # ValueType + - !ruby/object:Api::Type::String + name: 'stringValue' + description: | + String. + - !ruby/object:Api::Type::NestedObject + name: 'value' + description: | + Value of the map entry. + properties: # ParameterMapField + - !ruby/object:Api::Type::NestedObject + name: 'literalValue' + description: | + Passing a literal value + properties: # ValueType + - !ruby/object:Api::Type::String + name: 'stringValue' + description: | + String. 
+ - !ruby/object:Api::Type::Enum + name: 'requestType' + description: | + Represent how to pass parameters to fetch access token + values: + - REQUEST_TYPE_UNSPECIFIED + - REQUEST_BODY + - QUERY_PARAMETERS + - ENCODED_HEADER + - !ruby/object:Api::Type::NestedObject + name: 'jwt' + description: | + JWT credential. + conflicts: + - decryptedCredential.0.username_and_password + - decryptedCredential.0.oauth2_authorization_code + - decryptedCredential.0.oauth2_client_credentials + - decryptedCredential.0.auth_token + - decryptedCredential.0.service_account_credentials + - decryptedCredential.0.oidc_token + properties: + - !ruby/object:Api::Type::String + name: 'jwtHeader' + description: | + Identifies which algorithm is used to generate the signature. + - !ruby/object:Api::Type::String + name: 'jwtPayload' + description: | + Contains a set of claims. The JWT specification defines seven Registered Claim Names which are the standard fields commonly included in tokens. Custom claims are usually also included, depending on the purpose of the token. + - !ruby/object:Api::Type::String + name: 'secret' + description: | + User's pre-shared secret to sign the token. + - !ruby/object:Api::Type::String + name: 'jwt' + description: | + The token calculated by the header, payload and signature. + output: true + - !ruby/object:Api::Type::NestedObject + name: 'authToken' + description: | + Auth token credential. + conflicts: + - decryptedCredential.0.username_and_password + - decryptedCredential.0.oauth2_authorization_code + - decryptedCredential.0.oauth2_client_credentials + - decryptedCredential.0.jwt + - decryptedCredential.0.service_account_credentials + - decryptedCredential.0.oidc_token + properties: + - !ruby/object:Api::Type::String + name: 'type' + description: | + Authentication type, e.g. "Basic", "Bearer", etc. + - !ruby/object:Api::Type::String + name: 'token' + description: | + The token for the auth type. 
+ - !ruby/object:Api::Type::NestedObject + name: 'serviceAccountCredentials' + description: | + Service account credential. + conflicts: + - decryptedCredential.0.username_and_password + - decryptedCredential.0.oauth2_authorization_code + - decryptedCredential.0.oauth2_client_credentials + - decryptedCredential.0.jwt + - decryptedCredential.0.auth_token + - decryptedCredential.0.oidc_token + properties: + - !ruby/object:Api::Type::String + name: 'serviceAccount' + description: | + Name of the service account that has the permission to make the request. + - !ruby/object:Api::Type::String + name: 'scope' + description: | + A space-delimited list of requested scope permissions. + - !ruby/object:Api::Type::NestedObject + name: 'oidcToken' + description: | + Google OIDC ID Token. + conflicts: + - decryptedCredential.0.username_and_password + - decryptedCredential.0.oauth2_authorization_code + - decryptedCredential.0.oauth2_client_credentials + - decryptedCredential.0.jwt + - decryptedCredential.0.auth_token + - decryptedCredential.0.service_account_credentials + properties: + - !ruby/object:Api::Type::String + name: 'serviceAccountEmail' + description: | + The service account email to be used as the identity for the token. + - !ruby/object:Api::Type::String + name: 'audience' + description: | + Audience to be used when generating OIDC token. The audience claim identifies the recipients that the JWT is intended for. + - !ruby/object:Api::Type::String + name: 'token' + description: | + ID token obtained for the service account. + output: true + - !ruby/object:Api::Type::String + name: 'tokenExpireTime' + description: | + The approximate time until the token retrieved is valid. + + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". 
+ output: true + - !ruby/object:Api::Type::NestedObject + name: 'client_certificate' + description: | + Raw client certificate + ignore_read: true + properties: + - !ruby/object:Api::Type::String + name: 'ssl_certificate' + description: | + The ssl certificate encoded in PEM format. This string must include the begin header and end footer lines. + required: true + - !ruby/object:Api::Type::String + name: 'encrypted_private_key' + description: | + The ssl certificate encoded in PEM format. This string must include the begin header and end footer lines. + required: true + - !ruby/object:Api::Type::String + name: 'passphrase' + description: | + 'passphrase' should be left unset if private key is not encrypted. + Note that 'passphrase' is not the password for web server, but an extra layer of security to protected private key. +examples: + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_basic" + primary_resource_id: "basic_example" + vars: + auth_config_name: 'test-authconfig' + skip_test: true # This is already part of other examples. 
+ - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_advance" + primary_resource_id: "advance_example" + vars: + auth_config_name: 'test-authconfig' + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_username_and_password" + primary_resource_id: "username_and_password_example" + vars: + auth_config_name: 'test-authconfig-username-and-password' + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_oauth2_authorization_code" + primary_resource_id: "oauth2_authotization_code_example" + vars: + auth_config_name: 'test-authconfig-oauth2-authorization-code' + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_oauth2_client_credentials" + primary_resource_id: "oauth2_client_credentials_example" + vars: + auth_config_name: 'test-authconfig-oauth2-client-credentials' + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_jwt" + primary_resource_id: "jwt_example" + vars: + auth_config_name: 'test-authconfig-jwt' + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_auth_token" + primary_resource_id: "auth_token_example" + vars: + auth_config_name: 'test-authconfig-auth-token' + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_service_account" + primary_resource_id: "service_account_example" + vars: + auth_config_name: 'test-authconfig-service-account' + service_account_id: sa + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_oidc_token" + primary_resource_id: "oidc_token_example" + vars: + auth_config_name: 'test-authconfig-oidc-token' + service_account_id: sa + skip_docs: true + - !ruby/object:Provider::Terraform::Examples + name: "integrations_auth_config_client_certificate_only" + primary_resource_id: 
"client_certificate_example" + vars: + auth_config_name: 'test-authconfig-client-certificate' + skip_docs: true diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_advance.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_advance.tf.erb new file mode 100644 index 000000000000..d0aeb4c13158 --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_advance.tf.erb @@ -0,0 +1,21 @@ +resource "google_integrations_client" "client" { + location = "asia-east2" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "asia-east2" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + visibility = "CLIENT_VISIBLE" + expiry_notification_duration = ["3.500s"] + override_valid_time = "2014-10-02T15:01:23Z" + decrypted_credential { + credential_type = "USERNAME_AND_PASSWORD" + username_and_password { + username = "test-username" + password = "test-password" + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_auth_token.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_auth_token.tf.erb new file mode 100644 index 000000000000..b9f2e7892548 --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_auth_token.tf.erb 
@@ -0,0 +1,18 @@ +resource "google_integrations_client" "client" { + location = "us-west2" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "us-west2" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "AUTH_TOKEN" + auth_token { + type = "Basic" + token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_basic.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_basic.tf.erb new file mode 100644 index 000000000000..13b1a5be514a --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_basic.tf.erb @@ -0,0 +1,18 @@ +resource "google_integrations_client" "client" { + location = "us-west1" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "us-west1" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "USERNAME_AND_PASSWORD" + username_and_password { + username = "test-username" + password = "test-password" + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_client_certificate_only.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_client_certificate_only.tf.erb new file mode 100644 index 000000000000..95707a3a4a0f --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_client_certificate_only.tf.erb 
@@ -0,0 +1,64 @@ +resource "google_integrations_client" "client" { + location = "us-west3" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "us-west3" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "CLIENT_CERTIFICATE_ONLY" + } + client_certificate { + ssl_certificate = <" { + location = "us-west4" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "JWT" + jwt { + jwt_header = "{\"alg\": \"HS256\", \"typ\": \"JWT\"}" + jwt_payload = "{\"sub\": \"1234567890\", \"name\": \"John Doe\", \"iat\": 1516239022}" + secret = "secret" + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_oauth2_authorization_code.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_oauth2_authorization_code.tf.erb new file mode 100644 index 000000000000..d51cf5563ac9 --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_oauth2_authorization_code.tf.erb 
@@ -0,0 +1,21 @@ +resource "google_integrations_client" "client" { + location = "asia-east1" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "asia-east1" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "OAUTH2_AUTHORIZATION_CODE" + oauth2_authorization_code { + client_id = "Kf7utRvgr95oGO5YMmhFOLo8" + client_secret = "D-XXFDDMLrg2deDgczzHTBwC3p16wRK1rdKuuoFdWqO0wliJ" + scope = "photo offline_access" + auth_endpoint = "https://authorization-server.com/authorize" + token_endpoint = "https://authorization-server.com/token" + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_oauth2_client_credentials.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_oauth2_client_credentials.tf.erb new file mode 100644 index 000000000000..8683a5d94413 --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_oauth2_client_credentials.tf.erb 
@@ -0,0 +1,35 @@ +resource "google_integrations_client" "client" { + location = "southamerica-east1" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "southamerica-east1" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "OAUTH2_CLIENT_CREDENTIALS" + oauth2_client_credentials { + client_id = "demo-backend-client" + client_secret = "MJlO3binatD9jk1" + scope = "read" + token_endpoint = "https://login-demo.curity.io/oauth/v2/oauth-token" + request_type = "ENCODED_HEADER" + token_params { + entries { + key { + literal_value { + string_value = "string-key" + } + } + value { + literal_value { + string_value = "string-value" + } + } + } + } + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_oidc_token.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_oidc_token.tf.erb new file mode 100644 index 000000000000..c4714366144d --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_oidc_token.tf.erb 
@@ -0,0 +1,23 @@ +resource "google_integrations_client" "client" { + location = "us-south1" + provision_gmek = true +} + +resource "google_service_account" "service_account" { + account_id = "<%= ctx[:vars]['service_account_id'] %>" + display_name = "Service Account" +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "us-south1" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "OIDC_TOKEN" + oidc_token { + service_account_email = google_service_account.service_account.email + audience = "https://us-south1-project.cloudfunctions.net/functionA 1234987819200.apps.googleusercontent.com" + } + } + depends_on = [google_service_account.service_account, google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_service_account.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_service_account.tf.erb new file mode 100644 index 000000000000..2408065c04a2 --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_service_account.tf.erb 
@@ -0,0 +1,23 @@ +resource "google_integrations_client" "client" { + location = "northamerica-northeast1" + provision_gmek = true +} + +resource "google_service_account" "service_account" { + account_id = "<%= ctx[:vars]['service_account_id'] %>" + display_name = "Service Account" +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "northamerica-northeast1" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "SERVICE_ACCOUNT" + service_account_credentials { + service_account = google_service_account.service_account.email + scope = "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/adexchange.buyer https://www.googleapis.com/auth/admob.readonly" + } + } + depends_on = [google_service_account.service_account, google_integrations_client.client] +} \ No newline at end of file diff --git a/mmv1/templates/terraform/examples/integrations_auth_config_username_and_password.tf.erb b/mmv1/templates/terraform/examples/integrations_auth_config_username_and_password.tf.erb new file mode 100644 index 000000000000..d7283675acc4 --- /dev/null +++ b/mmv1/templates/terraform/examples/integrations_auth_config_username_and_password.tf.erb @@ -0,0 +1,18 @@ +resource "google_integrations_client" "client" { + location = "northamerica-northeast2" + provision_gmek = true +} + +resource "google_integrations_auth_config" "<%= ctx[:primary_resource_id] %>" { + location = "northamerica-northeast2" + display_name = "<%= ctx[:vars]['auth_config_name'] %>" + description = "Test auth config created via terraform" + decrypted_credential { + credential_type = "USERNAME_AND_PASSWORD" + username_and_password { + username = "test-username" + password = "test-password" + } + } + depends_on = [google_integrations_client.client] +} \ No newline at end of file 
diff --git a/mmv1/templates/terraform/pre_create/integrations_auth_config.go.erb b/mmv1/templates/terraform/pre_create/integrations_auth_config.go.erb
new file mode 100644
index 000000000000..05a310754583
--- /dev/null
+++ b/mmv1/templates/terraform/pre_create/integrations_auth_config.go.erb
@@ -0,0 +1,17 @@
+// Move client certificate to url param from request body
+if cc, ok := obj["client_certificate"]; ok {
+ ccm := cc.(map[string]any)
+
+ params := map[string]string {
+ "clientCertificate.sslCertificate": ccm["ssl_certificate"].(string),
+ "clientCertificate.encryptedPrivateKey": ccm["encrypted_private_key"].(string),
+ }
+ if pp, ok := ccm["passphrase"]; ok {
+ params["clientCertificate.passphrase"] = pp.(string)
+ }
+ url, err = transport_tpg.AddQueryParams(url, params)
+ if err != nil {
+ return err
+ }
+ delete(obj, "client_certificate")
+}
\ No newline at end of file
diff --git a/mmv1/templates/terraform/pre_update/integrations_auth_config.go.erb b/mmv1/templates/terraform/pre_update/integrations_auth_config.go.erb
new file mode 100644
index 000000000000..fce7a33fa0ee
--- /dev/null
+++ b/mmv1/templates/terraform/pre_update/integrations_auth_config.go.erb
@@ -0,0 +1,21 @@
+params := map[string]string {}
+
+// Move client certificate to url param from request body
+if cc, ok := obj["client_certificate"]; ok {
+ ccm := cc.(map[string]any)
+
+ params["clientCertificate.sslCertificate"] = ccm["ssl_certificate"].(string)
+ params["clientCertificate.encryptedPrivateKey"] = ccm["encrypted_private_key"].(string)
+ if pp, ok := ccm["passphrase"]; ok {
+ params["clientCertificate.passphrase"] = pp.(string)
+ }
+ delete(obj, "client_certificate")
+}
+
+// By default allow all fields to be updated via terraform
+params["updateMask"] = "*"
+
+url, err = transport_tpg.AddQueryParams(url, params)
+if err != nil {
+ return err
+}
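Review bot: Both this pre_create hook and the pre_update hunk that follows it move the PEM private key and its passphrase into the request URL through `transport_tpg.AddQueryParams`, so that key material travels in the query string instead of the body and is reproduced wherever the request URL is recorded (proxy or access logs, provider debug logging). If the API only accepts these as query parameters, state that next to the code, e.g. `// The API takes clientCertificate.* as query parameters; the key and passphrase therefore appear in the request URL, not the body.`, so a later maintainer neither moves them back into the body nor treats the URL as safe to log. The `cc.(map[string]any)` and `.(string)` assertions are unchecked and will panic rather than return an error if the expander ever yields a different shape; a `v, ok :=` form that returns an error would fail cleanly. The parameter-building block is duplicated verbatim between the two hooks, which is probably unavoidable for inlined templates but worth a comment pointing at the sibling so they are changed together. Both snippets are inlined into generated create/update functions whose bodies (`obj`, `url`, `err`) lie outside these hunks.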
diff --git a/mmv1/third_party/terraform/services/integrations/resource_integrations_auth_config_test.go b/mmv1/third_party/terraform/services/integrations/resource_integrations_auth_config_test.go new file mode 100644 index 000000000000..f0eff0c1a50e --- /dev/null +++ b/mmv1/third_party/terraform/services/integrations/resource_integrations_auth_config_test.go 
@@ -0,0 +1,141 @@ +package integrations_test + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + "github.com/hashicorp/terraform-provider-google/google/acctest" +) + +func TestAccIntegrationsAuthConfig_update(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckIntegrationsAuthConfigDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccIntegrationsAuthConfig_full(context), + }, + { + ResourceName: "google_integrations_auth_config.update_example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"client_certificate", "location"}, + }, + { + Config: testAccIntegrationsAuthConfig_update(context), + }, + { + ResourceName: "google_integrations_auth_config.update_example", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"client_certificate", "location"}, + }, + }, + }) +} + +func testAccIntegrationsAuthConfig_full(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_integrations_client" "client" { + location = "southamerica-west1" + provision_gmek = true +} + +resource "google_integrations_auth_config" "update_example" { + location = "southamerica-west1" + display_name = "tf-test-test-authconfig%{random_suffix}" + description = "Test auth config created via terraform" + visibility = "CLIENT_VISIBLE" + expiry_notification_duration = ["3.500s"] + override_valid_time = "2014-10-02T15:01:23Z" + decrypted_credential { + credential_type = "USERNAME_AND_PASSWORD" + username_and_password { + username = "test-username" + password = "test-password" + } + } + depends_on = [google_integrations_client.client] +} +`, context) +} + +func 
testAccIntegrationsAuthConfig_update(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_integrations_client" "client" { + location = "southamerica-west1" + provision_gmek = true +} + +resource "google_integrations_auth_config" "update_example" { + location = "southamerica-west1" + display_name = "tf-test-test-authconfig-update%{random_suffix}" + description = "Test auth config updated via terraform" + visibility = "CLIENT_VISIBLE" + expiry_notification_duration = ["4s"] + override_valid_time = "2014-10-10T15:01:23Z" + decrypted_credential { + credential_type = "CLIENT_CERTIFICATE_ONLY" + } + client_certificate { + ssl_certificate = <