Read-after-write consistency issue on google_tags_tag_key_iam_member with conditions

mmv1/products/tags/TagKey.yaml

@@ -45,6 +45,7 @@ iam_policy:
   method_name_separator: ':'
   fetch_iam_policy_verb: 'POST'
   parent_resource_attribute: 'tag_key'
+  iam_conditions_request_type: 'REQUEST_BODY'
 custom_code:
 exclude_tgc: true
 examples:

mmv1/products/tags/TagValue.yaml

@@ -46,6 +46,7 @@ iam_policy:
   method_name_separator: ':'
   fetch_iam_policy_verb: 'POST'
   parent_resource_attribute: 'tag_value'
+  iam_conditions_request_type: 'REQUEST_BODY'
 custom_code:
 exclude_tgc: true
 exclude_sweeper: true

mmv1/third_party/terraform/services/tags/resource_tags_test.go

@@ -674,7 +674,7 @@ func testAccTagsTagKeyIamBinding(t *testing.T) {
 
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"role":          "roles/viewer",
+		"role":          "roles/resourcemanager.tagAdmin",
 		"org_id":        envvar.GetTestOrgFromEnv(t),
 
 		"short_name": "tf-test-key-" + acctest.RandString(t, 10),
@@ -687,6 +687,9 @@ func testAccTagsTagKeyIamBinding(t *testing.T) {
 			{
 				Config: testAccTagsTagKeyIamBinding_basicGenerated(context),
 			},
+			{
+				Config: testAccTagsTagKeyIamBinding_withCondition(context),
+			},
 			{
 				// Test Iam Binding update
 				Config: testAccTagsTagKeyIamBinding_updateGenerated(context),
@@ -700,7 +703,7 @@ func testAccTagsTagKeyIamMember(t *testing.T) {
 
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"role":          "roles/viewer",
+		"role":          "roles/resourcemanager.tagAdmin",
 		"org_id":        envvar.GetTestOrgFromEnv(t),
 
 		"short_name": "tf-test-key-" + acctest.RandString(t, 10),
@@ -714,6 +717,9 @@ func testAccTagsTagKeyIamMember(t *testing.T) {
 				// Test Iam Member creation (no update for member, no need to test)
 				Config: testAccTagsTagKeyIamMember_basicGenerated(context),
 			},
+			{
+				Config: testAccTagsTagKeyIamMember_withCondition(context),
+			},
 		},
 	})
 }
@@ -723,7 +729,7 @@ func testAccTagsTagKeyIamPolicy(t *testing.T) {
 
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"role":          "roles/viewer",
+		"role":          "roles/resourcemanager.tagAdmin",
 		"org_id":        envvar.GetTestOrgFromEnv(t),
 
 		"short_name": "tf-test-key-" + acctest.RandString(t, 10),
@@ -739,6 +745,9 @@ func testAccTagsTagKeyIamPolicy(t *testing.T) {
 			{
 				Config: testAccTagsTagKeyIamPolicy_emptyBinding(context),
 			},
+			{
+				Config: testAccTagsTagKeyIamPolicy_withCondition(context),
+			},
 		},
 	})
 }
@@ -760,6 +769,28 @@ resource "google_tags_tag_key_iam_member" "foo" {
 `, context)
 }
 
+func testAccTagsTagKeyIamMember_withCondition(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_tags_tag_key" "key" {
+
+  parent = "organizations/%{org_id}"
+  short_name = "%{short_name}"
+  description = "For %{short_name} resources."
+}
+
+resource "google_tags_tag_key_iam_member" "foo" {
+  tag_key = google_tags_tag_key.key.name
+  role = "%{role}"
+  member = "user:admin@hashicorptest.com"
+  condition {
+    description = "Allow tagUser grant."
+    expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
+    title       = "only_taguser_delegation"
+  }
+}
+`, context)
+}
+
 func testAccTagsTagKeyIamPolicy_basicGenerated(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_tags_tag_key" "key" {
@@ -802,6 +833,34 @@ resource "google_tags_tag_key_iam_policy" "foo" {
 `, context)
 }
 
+func testAccTagsTagKeyIamPolicy_withCondition(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_tags_tag_key" "key" {
+
+  parent = "organizations/%{org_id}"
+  short_name = "%{short_name}"
+  description = "For %{short_name} resources."
+}
+
+data "google_iam_policy" "foo" {
+  binding {
+    role = "%{role}"
+    members = ["user:admin@hashicorptest.com"]
+    condition {
+      description = "Allow tagUser grant."
+      expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
+      title       = "only_taguser_delegation"
+    }
+  }
+}
+
+resource "google_tags_tag_key_iam_policy" "foo" {
+  tag_key = google_tags_tag_key.key.name
+  policy_data = data.google_iam_policy.foo.policy_data
+}
+`, context)
+}
+
 func testAccTagsTagKeyIamBinding_basicGenerated(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_tags_tag_key" "key" {
@@ -819,6 +878,28 @@ resource "google_tags_tag_key_iam_binding" "foo" {
 `, context)
 }
 
+func testAccTagsTagKeyIamBinding_withCondition(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_tags_tag_key" "key" {
+
+  parent = "organizations/%{org_id}"
+  short_name = "%{short_name}"
+  description = "For %{short_name} resources."
+}
+
+resource "google_tags_tag_key_iam_binding" "foo" {
+  tag_key = google_tags_tag_key.key.name
+  role = "%{role}"
+  members = ["user:admin@hashicorptest.com"]
+  condition {
+    description = "Allow tagUser grant."
+    expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
+    title       = "only_taguser_delegation"
+  }
+}
+`, context)
+}
+
 func testAccTagsTagKeyIamBinding_updateGenerated(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_tags_tag_key" "key" {
@@ -841,7 +922,7 @@ func testAccTagsTagValueIamBinding(t *testing.T) {
 
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"role":          "roles/viewer",
+		"role":          "roles/resourcemanager.tagAdmin",
 		"org_id":        envvar.GetTestOrgFromEnv(t),
 
 		"key_short_name":   "tf-test-key-" + acctest.RandString(t, 10),
@@ -855,6 +936,9 @@ func testAccTagsTagValueIamBinding(t *testing.T) {
 			{
 				Config: testAccTagsTagValueIamBinding_basicGenerated(context),
 			},
+			{
+				Config: testAccTagsTagValueIamBinding_withCondition(context),
+			},
 			{
 				// Test Iam Binding update
 				Config: testAccTagsTagValueIamBinding_updateGenerated(context),
@@ -868,7 +952,7 @@ func testAccTagsTagValueIamMember(t *testing.T) {
 
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"role":          "roles/viewer",
+		"role":          "roles/resourcemanager.tagAdmin",
 		"org_id":        envvar.GetTestOrgFromEnv(t),
 
 		"key_short_name":   "tf-test-key-" + acctest.RandString(t, 10),
@@ -883,6 +967,9 @@ func testAccTagsTagValueIamMember(t *testing.T) {
 				// Test Iam Member creation (no update for member, no need to test)
 				Config: testAccTagsTagValueIamMember_basicGenerated(context),
 			},
+			{
+				Config: testAccTagsTagValueIamMember_withCondition(context),
+			},
 		},
 	})
 }
@@ -892,7 +979,7 @@ func testAccTagsTagValueIamPolicy(t *testing.T) {
 
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"role":          "roles/viewer",
+		"role":          "roles/resourcemanager.tagAdmin",
 		"org_id":        envvar.GetTestOrgFromEnv(t),
 
 		"key_short_name":   "tf-test-key-" + acctest.RandString(t, 10),
@@ -909,6 +996,9 @@ func testAccTagsTagValueIamPolicy(t *testing.T) {
 			{
 				Config: testAccTagsTagValueIamPolicy_emptyBinding(context),
 			},
+			{
+				Config: testAccTagsTagValueIamPolicy_withCondition(context),
+			},
 		},
 	})
 }
@@ -935,6 +1025,33 @@ resource "google_tags_tag_value_iam_member" "foo" {
 `, context)
 }
 
+func testAccTagsTagValueIamMember_withCondition(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_tags_tag_key" "key" {
+	parent = "organizations/%{org_id}"
+	short_name = "%{key_short_name}"
+	description = "For %{key_short_name} resources."
+}
+
+resource "google_tags_tag_value" "value" {
+	parent      = google_tags_tag_key.key.id
+	short_name  = "%{value_short_name}"
+	description = "For %{value_short_name} resources."
+}
+
+resource "google_tags_tag_value_iam_member" "foo" {
+  tag_value = google_tags_tag_value.value.name
+  role = "%{role}"
+  member = "user:admin@hashicorptest.com"
+  condition {
+    description = "Allow tagUser grant."
+    expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
+    title       = "only_taguser_delegation"
+  }
+}
+`, context)
+}
+
 func testAccTagsTagValueIamPolicy_basicGenerated(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_tags_tag_key" "key" {
@@ -963,6 +1080,39 @@ resource "google_tags_tag_value_iam_policy" "foo" {
 `, context)
 }
 
+func testAccTagsTagValueIamPolicy_withCondition(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_tags_tag_key" "key" {
+	parent = "organizations/%{org_id}"
+	short_name = "%{key_short_name}"
+	description = "For %{key_short_name} resources."
+}
+
+resource "google_tags_tag_value" "value" {
+	parent      = google_tags_tag_key.key.id
+	short_name  = "%{value_short_name}"
+	description = "For %{value_short_name} resources."
+}
+
+data "google_iam_policy" "foo" {
+  binding {
+    role = "%{role}"
+    members = ["user:admin@hashicorptest.com"]
+	condition {
+        description = "Allow tagUser grant."
+        expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
+        title       = "only_taguser_delegation"
+    }
+  }
+}
+
+resource "google_tags_tag_value_iam_policy" "foo" {
+  tag_value = google_tags_tag_value.value.name
+  policy_data = data.google_iam_policy.foo.policy_data
+}
+`, context)
+}
+
 func testAccTagsTagValueIamPolicy_emptyBinding(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_tags_tag_key" "key" {
@@ -1009,6 +1159,33 @@ resource "google_tags_tag_value_iam_binding" "foo" {
 `, context)
 }
 
+func testAccTagsTagValueIamBinding_withCondition(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_tags_tag_key" "key" {
+	parent = "organizations/%{org_id}"
+	short_name = "%{key_short_name}"
+	description = "For %{key_short_name} resources."
+}
+
+resource "google_tags_tag_value" "value" {
+	parent      = google_tags_tag_key.key.id
+	short_name  = "%{value_short_name}"
+	description = "For %{value_short_name} resources."
+}
+
+resource "google_tags_tag_value_iam_binding" "foo" {
+  tag_value = google_tags_tag_value.value.name
+  role = "%{role}"
+  members = ["user:admin@hashicorptest.com"]
+  condition {
+      description = "Allow tagUser grant."
+      expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
+      title       = "only_taguser_delegation"
+  }
+}
+`, context)
+}
+
 func testAccTagsTagValueIamBinding_updateGenerated(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_tags_tag_key" "key" {