Add new provider google_organization_iam_audit_config.

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Nov 25, 2019 · c189bb1 · c189bb1
1 parent b278a0a
commit c189bb1
Show file tree

Hide file tree

Showing 2 changed files with 316 additions and 0 deletions.
diff --git a/google/provider.go b/google/provider.go
@@ -656,6 +656,7 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_organization_iam_custom_role":          resourceGoogleOrganizationIamCustomRole(),
 			"google_organization_iam_member":               ResourceIamMember(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
 			"google_organization_iam_policy":               ResourceIamPolicy(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
+			"google_organization_iam_audit_config":         ResourceIamAuditConfig(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
 			"google_organization_policy":                   resourceGoogleOrganizationPolicy(),
 			"google_project":                               resourceGoogleProject(),
 			"google_project_iam_policy":                    resourceGoogleProjectIamPolicy(),

diff --git a/google/resource_google_organization_iam_audit_config_test.go b/google/resource_google_organization_iam_audit_config_test.go
@@ -0,0 +1,315 @@
+package google
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func organizationIamAuditConfigImportStep(resourceName, org, service string) resource.TestStep {
+	return resource.TestStep{
+		ResourceName:      resourceName,
+		ImportStateId:     fmt.Sprintf("%s %s", org, service),
+		ImportState:       true,
+		ImportStateVerify: true,
+	}
+}
+
+// Test that an IAM audit config can be applied to an organization
+func TestAccOrganizationIamAuditConfig_basic(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply an IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+		},
+	})
+}
+
+// Test that multiple IAM audit configs can be applied to an organization, one at a time
+func TestAccOrganizationIamAuditConfig_multiple(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+	service2 := "cloudsql.googleapis.com"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply an IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+			},
+			// Apply another IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigMultiple(org, service, service2),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.multiple", org, service2),
+		},
+	})
+}
+
+// Test that multiple IAM audit configs can be applied to an organization all at once
+func TestAccOrganizationIamAuditConfig_multipleAtOnce(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+	service2 := "cloudsql.googleapis.com"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply an IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigMultiple(org, service, service2),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.multiple", org, service2),
+		},
+	})
+}
+
+// Test that an IAM audit config can be updated once applied to an organization
+func TestAccOrganizationIamAuditConfig_update(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply an IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+			// Apply an updated IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigUpdated(org, service),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+			// Drop the original member
+			{
+				Config: testAccOrganizationAssociateAuditConfigDropMemberFromBasic(org, service),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+		},
+	})
+}
+
+// Test that an IAM audit config can be removed from an organization
+func TestAccOrganizationIamAuditConfig_remove(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+	service2 := "cloudsql.googleapis.com"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply multiple IAM audit configs
+			{
+				Config: testAccOrganizationAssociateAuditConfigMultiple(org, service, service2),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.multiple", org, service2),
+
+			// Remove one IAM audit config
+			{
+				Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+		},
+	})
+}
+
+// Test adding exempt first exempt member
+func TestAccOrganizationIamAuditConfig_addFirstExemptMember(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+	members := []string{}
+	members2 := []string{"user:[email protected]"}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply IAM audit config with no members
+			{
+				Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+			// Apply IAM audit config with one member
+			{
+				Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members2),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+		},
+	})
+}
+
+// test removing last exempt member
+func TestAccOrganizationIamAuditConfig_removeLastExemptMember(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	service := "cloudkms.googleapis.com"
+	members := []string{"user:[email protected]"}
+	members2 := []string{}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply IAM audit config with member
+			{
+				Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+			// Apply IAM audit config with no members
+			{
+				Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members2),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+		},
+	})
+}
+
+// test changing service with no exempt members
+func TestAccOrganizationIamAuditConfig_updateNoExemptMembers(t *testing.T) {
+	org := getTestOrgFromEnv(t)
+	logType := "DATA_READ"
+	logType2 := "DATA_WRITE"
+	service := "cloudkms.googleapis.com"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Apply IAM audit config with DATA_READ
+			{
+				Config: testAccOrganizationAssociateAuditConfigLogType(org, service, logType),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+			// Apply IAM audit config with DATA_WRITe
+			{
+				Config: testAccOrganizationAssociateAuditConfigLogType(org, service, logType2),
+			},
+			organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+		},
+	})
+}
+
+func testAccOrganizationAssociateAuditConfigBasic(org, service string) string {
+	return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "DATA_READ"
+    exempted_members = [
+		  "user:[email protected]",
+      "user:[email protected]",
+    ]
+  }
+}
+`, org, service)
+}
+
+func testAccOrganizationAssociateAuditConfigMultiple(org, service, service2 string) string {
+	return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "DATA_READ"
+    exempted_members = [
+		  "user:[email protected]",
+      "user:[email protected]",
+    ]
+  }
+}
+
+resource "google_organization_iam_audit_config" "multiple" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "DATA_WRITE"
+  }
+}
+`, org, service, org, service2)
+}
+
+func testAccOrganizationAssociateAuditConfigUpdated(org, service string) string {
+	return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "DATA_WRITE"
+    exempted_members = [
+      "user:[email protected]",
+      "user:[email protected]",
+    ]
+  }
+}
+`, org, service)
+}
+
+func testAccOrganizationAssociateAuditConfigDropMemberFromBasic(org, service string) string {
+	return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "DATA_READ"
+    exempted_members = [
+      "user:[email protected]",
+    ]
+  }
+}
+`, org, service)
+}
+
+func testAccOrganizationAssociateAuditConfigMembers(org, service string, members []string) string {
+	var memberStr string
+	if len(members) > 0 {
+		for pos, member := range members {
+			members[pos] = "\"" + member + "\","
+		}
+		memberStr = "\n    exempted_members = [" + strings.Join(members, "\n") + "\n    ]"
+	}
+	return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "DATA_READ"%s
+  }
+}
+`, org, service, memberStr)
+}
+
+func testAccOrganizationAssociateAuditConfigLogType(org, service, logType string) string {
+	return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+  org_id = "%s"
+  service = "%s"
+  audit_log_config {
+    log_type = "%s"
+  }
+}
+`, org, service, logType)
+}