Merge pull request GoogleCloudPlatform#2892 from maqiuyujoyce/202410-…

…remove-pam-fields Remove non-configurable fields in PrivilegedAccessManagerEntitlement
nb-goog · Oct 11, 2024 · 4b35c75 · 4b35c75
2 parents 2cb4d57 + 274c3e5
commit 4b35c75
Show file tree

Hide file tree

Showing 10 changed files with 70 additions and 231 deletions.
diff --git a/apis/privilegedaccessmanager/v1alpha1/types.generated.go b/apis/privilegedaccessmanager/v1alpha1/types.generated.go
diff --git a/apis/privilegedaccessmanager/v1alpha1/zz_generated.deepcopy.go b/apis/privilegedaccessmanager/v1alpha1/zz_generated.deepcopy.go
diff --git a/...on_privilegedaccessmanagerentitlements.privilegedaccessmanager.cnrm.cloud.google.com.yaml b/...on_privilegedaccessmanagerentitlements.privilegedaccessmanager.cnrm.cloud.google.com.yaml
@@ -214,93 +214,6 @@ spec:
                   gcpIAMAccess:
                     description: Access to a Google Cloud resource through IAM.
                     properties:
-                      folderRef:
-                        description: The Folder that this privileged access is granted
-                          to. One and only one of 'projectRef', 'folderRef', or 'organizationRef'
-                          must be set.
-                        oneOf:
-                        - not:
-                            required:
-                            - external
-                          required:
-                          - name
-                        - not:
-                            anyOf:
-                            - required:
-                              - name
-                            - required:
-                              - namespace
-                          required:
-                          - external
-                        properties:
-                          external:
-                            description: The 'name' field of a folder, when not managed
-                              by Config Connector. This field must be set when 'name'
-                              field is not set.
-                            type: string
-                          name:
-                            description: The 'name' field of a 'Folder' resource.
-                              This field must be set when 'external' field is not
-                              set.
-                            type: string
-                          namespace:
-                            description: The 'namespace' field of a 'Folder' resource.
-                              If unset, the namespace is defaulted to the namespace
-                              of the referencer resource.
-                            type: string
-                        type: object
-                      organizationRef:
-                        description: The Organization that this privileged access
-                          is granted to. One and only one of 'projectRef', 'folderRef',
-                          or 'organizationRef' must be set.
-                        properties:
-                          external:
-                            description: The 'name' field of an organization, when
-                              not managed by Config Connector.
-                            type: string
-                        required:
-                        - external
-                        type: object
-                      projectRef:
-                        description: The Project that this privileged access is granted
-                          to. One and only one of 'projectRef', 'folderRef', or 'organizationRef'
-                          must be set.
-                        oneOf:
-                        - not:
-                            required:
-                            - external
-                          required:
-                          - name
-                          - kind
-                        - not:
-                            anyOf:
-                            - required:
-                              - name
-                            - required:
-                              - namespace
-                            - required:
-                              - kind
-                          required:
-                          - external
-                        properties:
-                          external:
-                            description: The `projectID` field of a project, when
-                              not managed by Config Connector.
-                            type: string
-                          kind:
-                            description: The kind of the Project resource; optional
-                              but must be `Project` if provided.
-                            type: string
-                          name:
-                            description: The `name` field of a `Project` resource.
-                            type: string
-                          namespace:
-                            description: The `namespace` field of a `Project` resource.
-                            type: string
-                        type: object
-                      resourceType:
-                        description: Required. The type of this resource.
-                        type: string
                       roleBindings:
                         description: Required. Role bindings that are created on successful
                           grant.
@@ -328,7 +241,6 @@ spec:
                           type: object
                         type: array
                     required:
-                    - resourceType
                     - roleBindings
                     type: object
                 required:

diff --git a/...nerated/apis/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement_types.go b/...nerated/apis/privilegedaccessmanager/v1alpha1/privilegedaccessmanagerentitlement_types.go
diff --git a/pkg/clients/generated/apis/privilegedaccessmanager/v1alpha1/zz_generated.deepcopy.go b/pkg/clients/generated/apis/privilegedaccessmanager/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/controller/direct/privilegedaccessmanager/entitlement_controller.go b/pkg/controller/direct/privilegedaccessmanager/entitlement_controller.go
@@ -122,45 +122,6 @@ func (m *entitlementModel) AdapterForObject(ctx context.Context, reader client.R
 		}
 	}
 
-	iamAccessResource, err := oneOfContainer(ctx, reader, obj,
-		obj.Spec.PrivilegedAccess.GcpIAMAccess.ProjectRef,
-		obj.Spec.PrivilegedAccess.GcpIAMAccess.FolderRef,
-		obj.Spec.PrivilegedAccess.GcpIAMAccess.OrganizationRef)
-	if err != nil {
-		return nil, fmt.Errorf("error resolving 'obj.Spec.PrivilegedAccess.GcpIAMAccess.ProjectRef', "+
-			"'obj.Spec.PrivilegedAccess.GcpIAMAccess.FolderRef' and "+
-			"'obj.Spec.PrivilegedAccess.GcpIAMAccess.OrganizationRef': %w", err)
-	}
-	switch *obj.Spec.PrivilegedAccess.GcpIAMAccess.ResourceType {
-	case "cloudresourcemanager.googleapis.com/Project":
-		if !strings.HasPrefix(iamAccessResource, "projects/") {
-			return nil, fmt.Errorf("only 'spec.privilegedAccess.gcpIAMAccess.projectRef' "+
-				"should be configured because the corresponding resourceType is "+
-				"'cloudresourcemanager.googleapis.com/Project', but got resource %s", iamAccessResource)
-		}
-		obj.Spec.PrivilegedAccess.GcpIAMAccess.ProjectRef.External = iamAccessResource
-	case "cloudresourcemanager.googleapis.com/Folder":
-		if !strings.HasPrefix(iamAccessResource, "folders/") {
-			return nil, fmt.Errorf("only 'spec.privilegedAccess.gcpIAMAccess.folderRef' "+
-				"should be configured because the corresponding resourceType is "+
-				"'cloudresourcemanager.googleapis.com/Folder', but got resource %s", iamAccessResource)
-		}
-		obj.Spec.PrivilegedAccess.GcpIAMAccess.FolderRef.External = iamAccessResource
-	case "cloudresourcemanager.googleapis.com/Organization":
-		if !strings.HasPrefix(iamAccessResource, "organizations/") {
-			return nil, fmt.Errorf("only 'spec.privilegedAccess.gcpIAMAccess.organizationRef' "+
-				"should be configured because the corresponding resourceType is "+
-				"'cloudresourcemanager.googleapis.com/Organization', but got resource %s", iamAccessResource)
-		}
-		obj.Spec.PrivilegedAccess.GcpIAMAccess.OrganizationRef.External = iamAccessResource
-	default:
-		return nil, fmt.Errorf("unrecoganizable resourceType: %v; must be one of "+
-			"'cloudresourcemanager.googleapis.com/Project', "+
-			"'cloudresourcemanager.googleapis.com/Folder', "+
-			"'cloudresourcemanager.googleapis.com/Organization'",
-			*obj.Spec.PrivilegedAccess.GcpIAMAccess.ResourceType)
-	}
-
 	if obj.Spec.RequesterJustificationConfig.NotMandatory == nil && obj.Spec.RequesterJustificationConfig.Unstructured == nil {
 		return nil, fmt.Errorf("one and only one of 'spec.requesterJustificationConfig.notMandatory' " +
 			"and 'spec.requesterJustificationConfig.unstructured' should be configured: neither is configured")
@@ -275,6 +236,26 @@ func (a *Adapter) Find(ctx context.Context) (bool, error) {
 	return true, nil
 }
 
+func getResourceTypeAndResourceFromContainer(container string) (string, string, error) {
+	tokens := strings.Split(container, "/")
+	if len(tokens) != 2 {
+		return "", "", fmt.Errorf("container should be one of projects/<project>, "+
+			"folders/<folder> or organizations/<organization>, but got %s", container)
+	}
+	resource := fmt.Sprintf("//cloudresourcemanager.googleapis.com/%s", container)
+	switch tokens[0] {
+	case "projects":
+		return "cloudresourcemanager.googleapis.com/Project", resource, nil
+	case "folders":
+		return "cloudresourcemanager.googleapis.com/Folder", resource, nil
+	case "organizations":
+		return "cloudresourcemanager.googleapis.com/Organization", resource, nil
+	default:
+		return "", "", fmt.Errorf("container must start with 'projects', "+
+			"'folders', or 'organizations', but it starts with %v", tokens[0])
+	}
+}
+
 func (a *Adapter) Create(ctx context.Context, createOp *directbase.CreateOperation) error {
 	u := createOp.GetUnstructured()
 
@@ -283,15 +264,20 @@ func (a *Adapter) Create(ctx context.Context, createOp *directbase.CreateOperati
 	mapCtx := &direct.MapContext{}
 
 	desired := a.desired.DeepCopy()
-	resource := PrivilegedAccessManagerEntitlementSpec_ToProto(mapCtx, &desired.Spec)
+	resourceType, resource, err := getResourceTypeAndResourceFromContainer(a.id.Parent.Container)
+	if err != nil {
+		return fmt.Errorf("error getting resourceType and resource from container: %w", err)
+	}
+	hiddenFields := gcpIAMAccessResource{resourceType: resourceType, resource: resource}
+	entitlement := PrivilegedAccessManagerEntitlementSpec_ToProto(mapCtx, &desired.Spec, hiddenFields)
 	if mapCtx.Err() != nil {
 		return mapCtx.Err()
 	}
 
 	req := &privilegedaccessmanagerpb.CreateEntitlementRequest{
 		Parent:        a.id.Parent.String(),
 		EntitlementId: a.id.Entitlement,
-		Entitlement:   resource,
+		Entitlement:   entitlement,
 	}
 	op, err := a.gcpClient.CreateEntitlement(ctx, req)
 	if err != nil {
@@ -361,16 +347,22 @@ func (a *Adapter) Update(ctx context.Context, updateOp *directbase.UpdateOperati
 		status.ObservedState = observedState
 		return setStatus(u, status)
 	}
+
 	desired := a.desired.DeepCopy()
-	resource := PrivilegedAccessManagerEntitlementSpec_ToProto(mapCtx, &desired.Spec)
+	resourceType, resource, err := getResourceTypeAndResourceFromContainer(a.id.Parent.Container)
+	if err != nil {
+		return fmt.Errorf("error getting resourceType and resource from container: %w", err)
+	}
+	hiddenFields := gcpIAMAccessResource{resourceType: resourceType, resource: resource}
+	entitlement := PrivilegedAccessManagerEntitlementSpec_ToProto(mapCtx, &desired.Spec, hiddenFields)
 	if mapCtx.Err() != nil {
 		return mapCtx.Err()
 	}
-	resource.Name = a.id.FullyQualifiedName()
-	resource.Etag = a.actual.Etag
+	entitlement.Name = a.id.FullyQualifiedName()
+	entitlement.Etag = a.actual.Etag
 	req := &privilegedaccessmanagerpb.UpdateEntitlementRequest{
 		UpdateMask:  updateMask,
-		Entitlement: resource,
+		Entitlement: entitlement,
 	}
 	op, err := a.gcpClient.UpdateEntitlement(ctx, req)
 	if err != nil {