identityplatform: add IAM resources for Tenant (#18809)#17497
Open
jbbqqf wants to merge 2 commits into GoogleCloudPlatform:main from
Conversation
Adds google_identity_platform_tenant_iam_binding, _iam_member, and
_iam_policy by enabling the iam_policy block on Tenant.yaml. The
identitytoolkit v2 API supports get/set/testIamPolicy on
projects/{p}/tenants/{t} (POST verb on getIamPolicy), which lets users
manage per-tenant access control instead of project-wide grants.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Googlers: For automatic test runs see go/terraform-auto-test-runs. @c2thorn, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally. |
Summary
Adds google_identity_platform_tenant_iam_binding, google_identity_platform_tenant_iam_member, and google_identity_platform_tenant_iam_policy by enabling the iam_policy block on the Tenant mmv1 resource. Fixes hashicorp/terraform-provider-google#18809.
Why
Today, granting access to Identity Platform multi-tenancy resources requires giving service accounts project-wide IAM roles, since per-tenant IAM is only available through the Cloud Console. This forces users into an over-permissioned setup. The identitytoolkit.googleapis.com v2 API explicitly supports setIamPolicy / getIamPolicy / testIamPermissions on the projects/{project}/tenants/{tenant} resource, so wiring it through mmv1 is straightforward.
GCP API reference:
What changed
mmv1 schema-only change. Adds an iam_policy: block to mmv1/products/identityplatform/Tenant.yaml; fetch_iam_policy_verb: 'POST' matches the API discovery (getIamPolicy is a POST in the discovery doc, like all v2 IAM endpoints on identitytoolkit).
Test protocol
- make build OUTPUT_PATH=... VERSION=ga PRODUCT=identityplatform (generates iam_identity_platform_tenant.go and iam_identity_platform_tenant_generated_test.go)
- go vet ./google/services/identityplatform/...
- go build ./... (full TPG)
The mmv1 generator produces the standard IAM trio (*_iam_binding, *_iam_member, *_iam_policy) plus generated acceptance tests. The acceptance tests run during the standard CI matrix on this PR.
Edge cases tested by the auto-generated test
The generated iam_identity_platform_tenant_generated_test.go covers (per the standard mmv1 IAM template):
- _iam_member: add and remove
- _iam_binding: add, update members list
- _iam_policy: set, replace, import
Resources
identitytoolkit.projects.tenants.getIamPolicy (POST) and setIamPolicy (POST) at projects/{p}/tenants/{t}:setIamPolicy.
Release notes
Disclosure
This PR was implemented with assistance from Claude Code as part of a focused contribution batch. The iam_policy block format was reviewed against existing precedents (identitytoolkit-style resources are similar to iambeta/WorkloadIdentityPool.yaml, both POST-based getIamPolicy). The generated code (iam_identity_platform_tenant.go) was reviewed and go vet + full TPG build pass. No live smoke was run for this purely additive mmv1 schema change; CI's acceptance tests on this PR will exercise the generated IAM resources end-to-end.