add restrictedFields functionality

GoogleCloudPlatform · Sep 29, 2024 · 0676162 · 0676162
1 parent abefe83
commit 0676162
Show file tree

Hide file tree

Showing 6 changed files with 224 additions and 0 deletions.
diff --git a/mmv1/third_party/terraform/services/logging/resource_logging_bucket_config.go b/mmv1/third_party/terraform/services/logging/resource_logging_bucket_config.go
@@ -36,6 +36,14 @@ var loggingBucketConfigSchema = map[string]*schema.Schema{
 		Computed:    true,
 		Description: `An optional description for this bucket.`,
 	},
+	"restricted_fields": {
+		Type:        schema.TypeList,
+		Optional:    true,
+		Description: `Optional fields to configure with field-level access`,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+	},
 	"retention_days": {
 		Type:        schema.TypeInt,
 		Optional:    true,
@@ -228,6 +236,7 @@ func resourceLoggingBucketConfigCreate(d *schema.ResourceData, meta interface{},
 	obj := make(map[string]interface{})
 	obj["name"] = d.Get("name")
 	obj["description"] = d.Get("description")
+	obj["restrictedFields"] = d.Get("restricted_fields")
 	obj["retentionDays"] = d.Get("retention_days")
 	obj["cmekSettings"] = expandCmekSettings(d.Get("cmek_settings"))
 	obj["indexConfigs"] = expandIndexConfigs(d.Get("index_configs"))
@@ -304,6 +313,9 @@ func resourceLoggingBucketConfigRead(d *schema.ResourceData, meta interface{}) e
 	if err := d.Set("description", res["description"]); err != nil {
 		return fmt.Errorf("Error setting description: %s", err)
 	}
+	if err := d.Set("restricted_fields", res["restrictedFields"]); err != nil {
+		return fmt.Errorf("Error setting restricted_fields: %s", err)
+	}
 	if err := d.Set("lifecycle_state", res["lifecycleState"]); err != nil {
 		return fmt.Errorf("Error setting lifecycle_state: %s", err)
 	}
@@ -338,6 +350,7 @@ func resourceLoggingBucketConfigUpdate(d *schema.ResourceData, meta interface{})
 
 	obj["retentionDays"] = d.Get("retention_days")
 	obj["description"] = d.Get("description")
+	obj["restrictedFields"] = d.Get("restricted_fields")
 	obj["cmekSettings"] = expandCmekSettings(d.Get("cmek_settings"))
 	obj["indexConfigs"] = expandIndexConfigs(d.Get("index_configs"))
 
@@ -348,6 +361,9 @@ func resourceLoggingBucketConfigUpdate(d *schema.ResourceData, meta interface{})
 	if d.HasChange("description") {
 		updateMask = append(updateMask, "description")
 	}
+	if d.HasChange("restricted_fields") {
+		updateMask = append(updateMask, "restrictedFields")
+	}
 	if d.HasChange("cmek_settings") {
 		updateMask = append(updateMask, "cmekSettings")
 	}

diff --git a/mmv1/third_party/terraform/services/logging/resource_logging_bucket_config_test.go b/mmv1/third_party/terraform/services/logging/resource_logging_bucket_config_test.go
@@ -216,6 +216,77 @@ func TestAccLoggingBucketConfigBillingAccount_basic(t *testing.T) {
 	})
 }
 
+func testAccLoggingBucketConfigBillingAccount_restrictedFields(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix":        acctest.RandString(t, 10),
+		"billing_account_name": "billingAccounts/" + envvar.GetTestMasterBillingAccountFromEnv(t),
+		"org_id":               envvar.GetTestOrgFromEnv(t),
+		"bucket_id":            "_Default",
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingBucketConfigBillingAccount_restrictedFields(context, "jsonPayload"),
+			},
+			{
+				ResourceName:            "google_logging_billing_account_bucket_config.restricted_fields",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"billing_account"},
+			},
+			{
+				Config: testAccLoggingBucketConfigBillingAccount_restrictedFields(context, "jsonPayload.url"),
+			},
+			{
+				ResourceName:            "google_logging_billing_account_bucket_config.restricted_fields",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"billing_account"},
+			},
+		},
+	})
+}
+
+func TestAccLoggingBucketConfigOrganization_restrictedFields(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"bucket_id":     "_Default",
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingBucketConfigOrganization_restrictedFields(context, "jsonPayload"),
+			},
+			{
+				ResourceName:            "google_logging_organization_bucket_config.restricted_fields",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"organization"},
+			},
+			{
+				Config: testAccLoggingBucketConfigOrganization_restrictedFields(context, "jsonPayload.url"),
+			},
+			{
+				ResourceName:            "google_logging_organization_bucket_config.restricted_fields",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"organization"},
+			},
+		},
+	})
+}
+
 func TestAccLoggingBucketConfigOrganization_basic(t *testing.T) {
 	t.Parallel()
 
@@ -485,6 +556,22 @@ resource "google_logging_billing_account_bucket_config" "basic" {
 `, context), retention, retention)
 }
 
+func testAccLoggingBucketConfigBillingAccount_restrictedFields(context map[string]interface{}, restrictedField string) string {
+	return fmt.Sprintf(acctest.Nprintf(`
+
+data "google_billing_account" "default" {
+	billing_account = "%{billing_account_name}"
+}
+
+resource "google_logging_billing_account_bucket_config" "restricted_fields" {
+	billing_account    = data.google_billing_account.default.billing_account
+	location  = "global"
+	restricted_fields = ["%s"]
+	bucket_id = "_Default"
+}
+`, context), restrictedField)
+}
+
 func testAccLoggingBucketConfigOrganization_basic(context map[string]interface{}, retention int) string {
 	return fmt.Sprintf(acctest.Nprintf(`
 data "google_organization" "default" {
@@ -501,6 +588,21 @@ resource "google_logging_organization_bucket_config" "basic" {
 `, context), retention, retention)
 }
 
+func testAccLoggingBucketConfigOrganization_restrictedFields(context map[string]interface{}, restrictedField int) string {
+	return fmt.Sprintf(acctest.Nprintf(`
+data "google_organization" "default" {
+	organization = "%{org_id}"
+}
+
+resource "google_logging_organization_bucket_config" "restricted_fields" {
+	organization    = data.google_organization.default.organization
+	location  = "global"
+	restricted_fields = ["%s"]
+	bucket_id = "_Default"
+}
+`, context), restrictedField)
+}
+
 func getLoggingBucketConfigs(context map[string]interface{}) map[string]string {
 	return map[string]string{
 		"project": acctest.Nprintf(`resource "google_project" "default" {
@@ -649,3 +751,61 @@ resource "google_logging_project_bucket_config" "basic" {
 }
 `, context), urlIndexType, statusIndexType)
 }
+
+func TestAccLoggingBucketConfigProject_restrictedFields(t *testing.T) {
+
+	context := map[string]interface{}{
+		"project_name":    "tf-test-" + acctest.RandString(t, 10),
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+		"bucket_id":       "tf-test-bucket-" + acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingBucketConfigProject_restrictedFields(context, "jsonPayload"),
+			},
+			{
+				ResourceName:            "google_logging_project_bucket_config.basic",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"project"},
+			},
+			{
+				Config: testAccLoggingBucketConfigProject_restrictedFields(context, "jsonPayload.url"),
+			},
+			{
+				ResourceName:            "google_logging_project_bucket_config.basic",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"project"},
+			},
+		},
+	})
+}
+
+func testAccLoggingBucketConfigProject_restrictedFields(context map[string]interface{}, restrictedField string) string {
+	return fmt.Sprintf(acctest.Nprintf(`
+
+resource "google_project" "default" {
+	project_id      = "%{project_name}"
+	name            = "%{project_name}"
+	org_id          = "%{org_id}"
+	billing_account = "%{billing_account}"
+}
+
+resource "google_logging_project_bucket_config" "basic" {
+	project        	= google_project.default.name
+	location       	= "us-east1"
+	retention_days 	= 30
+	description    	= "restrictedFields test"
+	bucket_id      	= "%{bucket_id}"
+
+	restricted_fields = ["%s"]
+
+}
+`, context), restrictedField)
+}
diff --git a/mmv1/third_party/terraform/services/logging/resource_logging_project_bucket_config.go b/mmv1/third_party/terraform/services/logging/resource_logging_project_bucket_config.go
@@ -42,6 +42,14 @@ var loggingProjectBucketConfigSchema = map[string]*schema.Schema{
 		Computed:    true,
 		Description: `An optional description for this bucket.`,
 	},
+	"restricted_fields": {
+		Type:        schema.TypeList,
+		Optional:    true,
+		Description: `Optional fields to configure with field-level access`,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+	},
 	"locked": {
 		Type:        schema.TypeBool,
 		Optional:    true,
@@ -210,6 +218,7 @@ func resourceLoggingProjectBucketConfigCreate(d *schema.ResourceData, meta inter
 	obj := make(map[string]interface{})
 	obj["name"] = d.Get("name")
 	obj["description"] = d.Get("description")
+	obj["restrictedFields"] = d.Get("restricted_fields")
 	obj["locked"] = d.Get("locked")
 	obj["retentionDays"] = d.Get("retention_days")
 	// Only set analyticsEnabled if it has been explicitly preferenced.
@@ -299,6 +308,9 @@ func resourceLoggingProjectBucketConfigRead(d *schema.ResourceData, meta interfa
 	if err := d.Set("description", res["description"]); err != nil {
 		return fmt.Errorf("Error setting description: %s", err)
 	}
+	if err := d.Set("restricted_fields", res["restrictedFields"]); err != nil {
+		return fmt.Errorf("Error setting restricted_fields: %s", err)
+	}
 	if err := d.Set("locked", res["locked"]); err != nil {
 		return fmt.Errorf("Error setting locked: %s", err)
 	}
@@ -367,6 +379,7 @@ func resourceLoggingProjectBucketConfigUpdate(d *schema.ResourceData, meta inter
 
 	obj["retentionDays"] = d.Get("retention_days")
 	obj["description"] = d.Get("description")
+	obj["restrictedFields"] = d.Get("restricted_fields")
 	obj["cmekSettings"] = expandCmekSettings(d.Get("cmek_settings"))
 	obj["indexConfigs"] = expandIndexConfigs(d.Get("index_configs"))
 
@@ -377,6 +390,9 @@ func resourceLoggingProjectBucketConfigUpdate(d *schema.ResourceData, meta inter
 	if d.HasChange("description") {
 		updateMask = append(updateMask, "description")
 	}
+	if d.HasChange("restricted_fields") {
+		updateMask = append(updateMask, "restrictedFields")
+	}
 	if d.HasChange("cmek_settings") {
 		updateMask = append(updateMask, "cmekSettings")
 	}

diff --git a/...third_party/terraform/website/docs/r/logging_folder_bucket_config.html.markdown b/...third_party/terraform/website/docs/r/logging_folder_bucket_config.html.markdown
@@ -30,6 +30,11 @@ resource "google_logging_folder_bucket_config" "basic" {
     field_path = "jsonPayload.request.status"
     type       = "INDEX_TYPE_STRING"
   }
+
+  restricted_fields = [
+    "jsonPayload.url",
+    "jsonPayload.data"
+  ]
 }
 ```
 
@@ -56,6 +61,8 @@ The following arguments are supported:
 
 * `type` - The type of data in this index. Allowed types include `INDEX_TYPE_UNSPECIFIED`, `INDEX_TYPE_STRING` and `INDEX_TYPE_INTEGER`.
 
+* `restricted_fields` - (Optional) A list of restricted fields requiring `logging.fields.access` permission to view. See [field-level access documentation](https://cloud.google.com/logging/docs/field-level-acl)
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are

diff --git a/...party/terraform/website/docs/r/logging_organization_bucket_config.html.markdown b/...party/terraform/website/docs/r/logging_organization_bucket_config.html.markdown
@@ -29,6 +29,11 @@ resource "google_logging_organization_bucket_config" "basic" {
     field_path = "jsonPayload.request.status"
     type       = "INDEX_TYPE_STRING"
   }
+
+  restricted_fields = [
+    "jsonPayload.url",
+    "jsonPayload.data"
+  ]
 }
 ```
 
@@ -55,6 +60,8 @@ The following arguments are supported:
 
 * `type` - The type of data in this index. Allowed types include `INDEX_TYPE_UNSPECIFIED`, `INDEX_TYPE_STRING` and `INDEX_TYPE_INTEGER`.
 
+* `restricted_fields` - (Optional) A list of restricted fields requiring `logging.fields.access` permission to view. See [field-level access documentation](https://cloud.google.com/logging/docs/field-level-acl)
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are

diff --git a/...hird_party/terraform/website/docs/r/logging_project_bucket_config.html.markdown b/...hird_party/terraform/website/docs/r/logging_project_bucket_config.html.markdown
@@ -109,6 +109,22 @@ resource "google_logging_project_bucket_config" "example-project-bucket-index-co
 }
 ```
 
+Create logging bucket with field-level access
+
+```hcl
+resource "google_logging_project_bucket_config" "example-project-bucket-restricted-fields" {
+  project          = "project_id"
+  location         = "global"
+  retention_days   = 30
+  bucket_id        = "custom-bucket"
+
+  restricted_fields = [
+    "jsonPayload.url",
+    "jsonPayload.data"
+  ]
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -131,6 +147,8 @@ The following arguments are supported:
 
 * `index_configs` - (Optional) A list of indexed fields and related configuration data. Structure is [documented below](#nested_index_configs).
 
+* `restricted_fields` - (Optional) A list of restricted fields requiring `logging.fields.access` permission to view. See [field-level access documentation](https://cloud.google.com/logging/docs/field-level-acl)
+
 <a name="nested_cmek_settings"></a>The `cmek_settings` block supports:
 
 * `name` - The resource name of the CMEK settings.