Add Firestore deletion protection (#8906)

* Add Firestore deletion protection * Reformat * Add test for updating delete_protection_state * Make deleteProtectionState skip auto-generated tests * Add a dedicated example for delete protection
GoogleCloudPlatform · Sep 15, 2023 · 56aed36 · 56aed36
1 parent 110956f
commit 56aed36
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/mmv1/products/firestore/Database.yaml b/mmv1/products/firestore/Database.yaml
@@ -99,6 +99,10 @@ examples:
       - etag
     vars:
       project_id: 'my-project'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'firestore_database_with_delete_protection'
+    primary_resource_id: 'database'
+    skip_test: true
 properties:
   - !ruby/object:Api::Type::String
     name: name
@@ -167,6 +171,15 @@ properties:
       that is returned from the Cloud Datastore APIs in Google App Engine first generation runtimes.
       This value may be empty in which case the appid to use for URL-encoded keys is the project_id (eg: foo instead of v~foo).
     output: true
+  - !ruby/object:Api::Type::Enum
+    name: deleteProtectionState
+    description: |
+      State of delete protection for the database.
+    values:
+      - :DELETE_PROTECTION_STATE_UNSPECIFIED
+      - :DELETE_PROTECTION_ENABLED
+      - :DELETE_PROTECTION_DISABLED
+    default_from_api: true
   - !ruby/object:Api::Type::Fingerprint
     name: etag
     description: |

diff --git a/mmv1/templates/terraform/examples/firestore_database_with_delete_protection.tf.erb b/mmv1/templates/terraform/examples/firestore_database_with_delete_protection.tf.erb
@@ -0,0 +1,13 @@
+resource "google_firestore_database" "<%= ctx[:primary_resource_id] %>" {
+  project                           = google_project.project.project_id
+  name                              = "my-database"
+  location_id                       = "nam5"
+  type                              = "FIRESTORE_NATIVE"
+
+  # Prevents accidental deletion of the database.
+  # To delete the database, first set this field to `DELETE_PROTECTION_DISABLED`, apply the changes.
+  # Then delete the database resource and apply the changes again.
+  delete_protection_state           = "DELETE_PROTECTION_ENABLED"
+
+  depends_on = [google_project_service.firestore]
+}
diff --git a/mmv1/third_party/terraform/services/firestore/resource_firestore_database_update_test.go.erb b/mmv1/third_party/terraform/services/firestore/resource_firestore_database_update_test.go.erb
@@ -82,6 +82,42 @@ func TestAccFirestoreDatabase_updatePitrEnablement(t *testing.T) {
 	})
 }
 
+func TestAccFirestoreDatabase_updateDeleteProtectionState(t *testing.T) {
+	t.Parallel()
+
+	orgId := envvar.GetTestOrgFromEnv(t)
+	billingAccount := envvar.GetTestBillingAccountFromEnv(t)
+	randomSuffix := acctest.RandString(t, 10)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"time": {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccFirestoreDatabase_deleteProtectionState(orgId, billingAccount, randomSuffix, "DELETE_PROTECTION_ENABLED"),
+			},
+			{
+				ResourceName:      "google_firestore_database.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"etag", "project"},
+			},
+			{
+				Config: testAccFirestoreDatabase_deleteProtectionState(orgId, billingAccount, randomSuffix, "DELETE_PROTECTION_DISABLED"),
+			},
+			{
+				ResourceName:      "google_firestore_database.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"etag", "project"},
+			},
+		},
+	})
+}
+
 func testAccFirestoreDatabase_basicDependencies(orgId, billingAccount string, randomSuffix string) string {
 	return fmt.Sprintf(`
 resource "google_project" "default" {
@@ -138,3 +174,19 @@ resource "google_firestore_database" "default" {
 }
 `, pointInTimeRecoveryEnablement)
 }
+
+func testAccFirestoreDatabase_deleteProtectionState(orgId, billingAccount string, randomSuffix string, deleteProtectionState string) string {
+	return testAccFirestoreDatabase_basicDependencies(orgId, billingAccount, randomSuffix) + fmt.Sprintf(`
+
+resource "google_firestore_database" "default" {
+  name                    = "(default)"
+  type                    = "DATASTORE_MODE"
+  location_id             = "nam5"
+  delete_protection_state = "%s"
+
+  project = google_project.default.project_id
+
+  depends_on = [google_project_service.firestore]
+}
+`, deleteProtectionState)
+}