Add support for configuring public access prevention on Buckets

apis/storage/v1alpha3/types.go

@@ -22,6 +22,8 @@ import (
 	"cloud.google.com/go/storage"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	gcp "github.com/crossplane-contrib/provider-gcp/pkg/clients"
+
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
@@ -597,6 +599,16 @@ type BucketUpdatableAttrs struct {
 	// for valid values.
 	PredefinedDefaultObjectACL string `json:"predefinedDefaultObjectAcl,omitempty"`
 
+	// PublicAccessPrevention is the setting for the bucket's
+	// PublicAccessPrevention policy, which can be used to prevent public access
+	// of data in the bucket. See
+	// https://cloud.google.com/storage/docs/public-access-prevention for more
+	// information.
+	//
+	// +optional
+	// +kubebuilder:validation:Enum="";unspecified;inherited;enforced
+	PublicAccessPrevention *string `json:"publicAccessPrevention,omitempty"`
+
 	// RequesterPays reports whether the bucket is a Requester Pays bucket.
 	// Clients performing operations on Requester Pays buckets must provide
 	// a user project (see BucketHandle.UserProject), which will be billed
@@ -635,13 +647,42 @@ func NewBucketUpdatableAttrs(ba *storage.BucketAttrs) *BucketUpdatableAttrs {
 		Logging:                    NewBucketLogging(ba.Logging),
 		PredefinedACL:              ba.PredefinedACL,
 		PredefinedDefaultObjectACL: ba.PredefinedDefaultObjectACL,
+		PublicAccessPrevention:     convertPublicAccessPreventionEnumToStringPtr(ba.PublicAccessPrevention),
 		RequesterPays:              ba.RequesterPays,
 		RetentionPolicy:            NewRetentionPolicy(ba.RetentionPolicy),
 		VersioningEnabled:          ba.VersioningEnabled,
 		Website:                    NewBucketWebsite(ba.Website),
 	}
 }
 
+// convertPublicAccessPreventionStringToEnum converts a string representation of storage.PublicAccessPrevention to its
+// enum value.
+func convertPublicAccessPreventionStringToEnum(pap *string) storage.PublicAccessPrevention {
+	// if the field is not set, treat it as unknown
+	if pap == nil {
+		return storage.PublicAccessPreventionUnknown
+	}
+
+	switch *pap {
+	case "unspecified", "inherited":
+		return storage.PublicAccessPreventionInherited
+	case "enforced":
+		return storage.PublicAccessPreventionEnforced
+	default:
+		return storage.PublicAccessPreventionUnknown
+	}
+}
+
+// convertPublicAccessPreventionEnumToStringPtr converts an enum value of storage.PublicAccessPrevention to its
+// string pointer value used in BucketUpdatableAttrs.
+func convertPublicAccessPreventionEnumToStringPtr(pap storage.PublicAccessPrevention) *string {
+	if pap == storage.PublicAccessPreventionUnknown {
+		return nil
+	}
+
+	return gcp.StringPtr(pap.String())
+}
+
 // CopyToBucketAttrs create a copy in storage format
 func CopyToBucketAttrs(ba *BucketUpdatableAttrs) *storage.BucketAttrs {
 	if ba == nil {
@@ -658,6 +699,7 @@ func CopyToBucketAttrs(ba *BucketUpdatableAttrs) *storage.BucketAttrs {
 		Logging:                    CopyToBucketLogging(ba.Logging),
 		PredefinedACL:              ba.PredefinedACL,
 		PredefinedDefaultObjectACL: ba.PredefinedDefaultObjectACL,
+		PublicAccessPrevention:     convertPublicAccessPreventionStringToEnum(ba.PublicAccessPrevention),
 		RequesterPays:              ba.RequesterPays,
 		RetentionPolicy:            CopyToRetentionPolicy(ba.RetentionPolicy),
 		VersioningEnabled:          ba.VersioningEnabled,
@@ -679,6 +721,7 @@ func CopyToBucketUpdateAttrs(ba BucketUpdatableAttrs, labels map[string]string)
 		Logging:                    CopyToBucketLogging(ba.Logging),
 		PredefinedACL:              ba.PredefinedACL,
 		PredefinedDefaultObjectACL: ba.PredefinedDefaultObjectACL,
+		PublicAccessPrevention:     convertPublicAccessPreventionStringToEnum(ba.PublicAccessPrevention),
 		RequesterPays:              ba.RequesterPays,
 		RetentionPolicy:            CopyToRetentionPolicy(ba.RetentionPolicy),
 		VersioningEnabled:          ba.VersioningEnabled,
@@ -723,7 +766,7 @@ type BucketSpecAttrs struct {
 	StorageClass string `json:"storageClass,omitempty"`
 }
 
-// NewBucketSpecAttrs create new instance from storage BuckateAttrs
+// NewBucketSpecAttrs create new instance from storage.BucketAttrs
 func NewBucketSpecAttrs(ba *storage.BucketAttrs) BucketSpecAttrs {
 	if ba == nil {
 		return BucketSpecAttrs{}

package/crds/storage.gcp.crossplane.io_buckets.yaml

@@ -399,6 +399,17 @@ spec:
                 required:
                 - name
                 type: object
+              publicAccessPrevention:
+                description: PublicAccessPrevention is the setting for the bucket's
+                  PublicAccessPrevention policy, which can be used to prevent public
+                  access of data in the bucket. See https://cloud.google.com/storage/docs/public-access-prevention
+                  for more information.
+                enum:
+                - ""
+                - unspecified
+                - inherited
+                - enforced
+                type: string
               publishConnectionDetailsTo:
                 description: PublishConnectionDetailsTo specifies the connection secret
                   config which contains a name, metadata and a reference to secret

pkg/controller/storage/bucket.go

@@ -142,7 +142,16 @@ func (e *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex
 	}
 
 	proposed := cr.Spec.BucketSpecAttrs.DeepCopy()
-	if err := mergo.Merge(proposed, v1alpha3.NewBucketSpecAttrs(a)); err != nil {
+	bsa := v1alpha3.NewBucketSpecAttrs(a)
+
+	// If the spec has no value set for the PublicAccessPrevention field, ignore the one stored in GCP API for the
+	// purposes of comparison. This allows public access prevention to be managed in the GCP console independently of
+	// the Bucket CR if the field is not set.
+	if proposed.PublicAccessPrevention == nil {
+		bsa.PublicAccessPrevention = nil
+	}
+
+	if err := mergo.Merge(proposed, bsa); err != nil {
 		return managed.ExternalObservation{}, errors.Wrap(err, errLateInit)
 	}
 	if !cmp.Equal(*proposed, cr.Spec.BucketSpecAttrs) {