diff --git a/mmv1/products/artifactregistry/Repository.yaml b/mmv1/products/artifactregistry/Repository.yaml index 965a3fab1923..5823b5f4a1c2 100644 --- a/mmv1/products/artifactregistry/Repository.yaml +++ b/mmv1/products/artifactregistry/Repository.yaml 
@@ -101,18 +101,79 @@ examples: repository_id: 'my-repository' description: 'example docker repository with cleanup policies' - !ruby/object:Provider::Terraform::Examples - name: 'artifact_registry_repository_remote_custom' + name: 'artifact_registry_repository_remote_dockerhub_auth' primary_resource_id: 'my-repo' + # Ignore this field as it is INPUT_ONLY. AR will not return this in the + # response. + ignore_read_extra: + - 'remote_repository_config.0.disable_upstream_validation' vars: - repository_id: 'example-custom-remote' - description: 'example remote docker repository with credentials' + repository_id: 'example-dockerhub-remote' + description: 'example remote dockerhub repository with credentials' secret_id: 'example-secret' - secret_resource_id: 'example-custom-remote-secret' + secret_resource_id: 'example-remote-secret' + username: 'remote-username' + secret_data: 'remote-password' + - !ruby/object:Provider::Terraform::Examples + name: 'artifact_registry_repository_remote_docker_custom_with_auth' + primary_resource_id: 'my-repo' + ignore_read_extra: + # Ignore this field as it is INPUT_ONLY. AR will not return this in the + # response. + - 'remote_repository_config.0.disable_upstream_validation' + vars: + repository_id: 'example-docker-custom-remote' + description: 'example remote custom docker repository with credentials' + secret_id: 'example-secret' + secret_resource_id: 'example-remote-secret' + username: 'remote-username' + secret_data: 'remote-password' + - !ruby/object:Provider::Terraform::Examples + name: 'artifact_registry_repository_remote_maven_custom_with_auth' + primary_resource_id: 'my-repo' + ignore_read_extra: + # Ignore this field as it is INPUT_ONLY. AR will not return this in the + # response. 
+ - 'remote_repository_config.0.disable_upstream_validation' + vars: + repository_id: 'example-maven-custom-remote' + description: 'example remote custom maven repository with credentials' + secret_id: 'example-secret' + secret_resource_id: 'example-remote-secret' + username: 'remote-username' + secret_data: 'remote-password' + - !ruby/object:Provider::Terraform::Examples + name: 'artifact_registry_repository_remote_npm_custom_with_auth' + primary_resource_id: 'my-repo' + ignore_read_extra: + # Ignore this field as it is INPUT_ONLY. AR will not return this in the + # response. + - 'remote_repository_config.0.disable_upstream_validation' + vars: + repository_id: 'example-npm-custom-remote' + description: 'example remote custom npm repository with credentials' + secret_id: 'example-secret' + secret_resource_id: 'example-remote-secret' + username: 'remote-username' + secret_data: 'remote-password' + - !ruby/object:Provider::Terraform::Examples + name: 'artifact_registry_repository_remote_python_custom_with_auth' + primary_resource_id: 'my-repo' + ignore_read_extra: + # Ignore this field as it is INPUT_ONLY. AR will not return this in the + # response. + - 'remote_repository_config.0.disable_upstream_validation' + vars: + repository_id: 'example-python-custom-remote' + description: 'example remote custom python repository with credentials' + secret_id: 'example-secret' + secret_resource_id: 'example-remote-secret' username: 'remote-username' secret_data: 'remote-password' custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/artifact_registry_repository.go.erb encoder: templates/terraform/encoders/location_from_region.go.erb + pre_create: templates/terraform/pre_create/artifact_registry_remote_repository.go.erb properties: - !ruby/object:Api::Type::String name: name 
@@ -388,14 +449,29 @@ properties: properties: - !ruby/object:Api::Type::Enum name: 'publicRepository' - exactly_one_of: - - remoteRepositoryConfig.0.docker_repository.0.public_repository description: |- Address of the remote repository. immutable: true + conflicts: + - remoteRepositoryConfig.0.docker_repository.0.custom_repository values: - :DOCKER_HUB + # Eventually lets delete default_value and custom_flatten in a major release default_value: :DOCKER_HUB + custom_flatten: 'templates/terraform/custom_flatten/default_if_empty.erb' + - !ruby/object:Api::Type::NestedObject + name: 'customRepository' + description: |- + Settings for a remote repository with a custom uri. + immutable: true + conflicts: + - remoteRepositoryConfig.0.docker_repository.0.public_repository + properties: + - !ruby/object:Api::Type::String + name: 'uri' + description: |- + Specific uri to the registry, e.g. `"https://registry-1.docker.io"` + immutable: true - !ruby/object:Api::Type::NestedObject name: 'mavenRepository' exactly_one_of: 
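Review bot: The new `customRepository.uri` string under `dockerRepository` is not marked required, so an empty `custom_repository {}` block appears to pass schema validation. The pre_create hook added elsewhere in this commit would then strip the defaulted `publicRepository`, which looks like it leaves the request with no usable upstream. Adding `required: true` under `name: 'uri'` would reject that at plan time; the same applies to the maven, npm and python `customRepository` blocks in the later hunks. Because this URI decides where packages are fetched from, a `validation` regex enforcing an `https://` prefix may also be worth adding, if the API accepts nothing else.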
@@ -411,14 +487,29 @@ properties: properties: - !ruby/object:Api::Type::Enum name: 'publicRepository' - exactly_one_of: - - remoteRepositoryConfig.0.maven_repository.0.public_repository description: |- Address of the remote repository. immutable: true + conflicts: + - remoteRepositoryConfig.0.maven_repository.0.custom_repository values: - :MAVEN_CENTRAL + # Eventually lets delete default_value and custom_flatten in a major release default_value: :MAVEN_CENTRAL + custom_flatten: 'templates/terraform/custom_flatten/default_if_empty.erb' + - !ruby/object:Api::Type::NestedObject + name: 'customRepository' + description: |- + Settings for a remote repository with a custom uri. + immutable: true + conflicts: + - remoteRepositoryConfig.0.maven_repository.0.public_repository + properties: + - !ruby/object:Api::Type::String + name: 'uri' + description: |- + Specific uri to the registry, e.g. `"https://repo.maven.apache.org/maven2"` + immutable: true - !ruby/object:Api::Type::NestedObject name: 'npmRepository' exactly_one_of: 
@@ -434,14 +525,29 @@ properties: properties: - !ruby/object:Api::Type::Enum name: 'publicRepository' - exactly_one_of: - - remoteRepositoryConfig.0.npm_repository.0.public_repository description: |- Address of the remote repository. immutable: true + conflicts: + - remoteRepositoryConfig.0.npm_repository.0.custom_repository values: - :NPMJS + # Eventually lets delete default_value and custom_flatten in a major release default_value: :NPMJS + custom_flatten: 'templates/terraform/custom_flatten/default_if_empty.erb' + - !ruby/object:Api::Type::NestedObject + name: 'customRepository' + description: |- + Settings for a remote repository with a custom uri. + immutable: true + conflicts: + - remoteRepositoryConfig.0.npm_repository.0.public_repository + properties: + - !ruby/object:Api::Type::String + name: 'uri' + description: |- + Specific uri to the registry, e.g. `"https://registry.npmjs.org"` + immutable: true - !ruby/object:Api::Type::NestedObject name: 'pythonRepository' exactly_one_of: @@ -457,14 +563,29 @@ properties: properties: - !ruby/object:Api::Type::Enum name: 'publicRepository' - exactly_one_of: - - remoteRepositoryConfig.0.python_repository.0.public_repository description: |- Address of the remote repository. immutable: true + conflicts: + - remoteRepositoryConfig.0.python_repository.0.custom_repository values: - :PYPI + # Eventually lets delete default_value and custom_flatten in a major release default_value: :PYPI + custom_flatten: 'templates/terraform/custom_flatten/default_if_empty.erb' + - !ruby/object:Api::Type::NestedObject + name: 'customRepository' + description: |- + Settings for a remote repository with a custom uri. + immutable: true + conflicts: + - remoteRepositoryConfig.0.python_repository.0.public_repository + properties: + - !ruby/object:Api::Type::String + name: 'uri' + description: |- + Specific uri to the registry, e.g. `"https://pypi.io"` + immutable: true - !ruby/object:Api::Type::NestedObject name: 'yumRepository' exactly_one_of: 
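Review bot: The `uri` example in the python `customRepository` description, `https://pypi.io`, is not PyPI's canonical host as far as I know. Example URIs tend to be copied verbatim into the upstream setting, so I would show `https://pypi.org` here, or a clearly fictional host as the example templates in this commit do.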
@@ -527,6 +648,14 @@ properties: remote repository. Must be in the format of `projects/{project}/secrets/{secret}/versions/{version}`. immutable: true + - !ruby/object:Api::Type::Boolean + name: 'disableUpstreamValidation' + # Ignore read on this field because it is INPUT_ONLY. + # Need to use custom flatten because ignore_read doesn't work with nested fields. + custom_flatten: 'templates/terraform/custom_flatten/artifactregistry_rr_disable_upstream_validation.go.erb' + description: |- + If true, the remote repository upstream and upstream credentials will + not be validated. - !ruby/object:Api::Type::Boolean name: 'cleanupPolicyDryRun' description: |- diff --git a/mmv1/templates/terraform/custom_flatten/artifactregistry_rr_disable_upstream_validation.go.erb b/mmv1/templates/terraform/custom_flatten/artifactregistry_rr_disable_upstream_validation.go.erb new file mode 100644 index 000000000000..197ec87c1b13 --- /dev/null +++ b/mmv1/templates/terraform/custom_flatten/artifactregistry_rr_disable_upstream_validation.go.erb @@ -0,0 +1,3 @@ +func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return d.Get("remote_repository_config.0.disable_upstream_validation") +} diff --git a/mmv1/templates/terraform/examples/artifact_registry_repository_remote_docker_custom_with_auth.tf.erb b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_docker_custom_with_auth.tf.erb new file mode 100644 index 000000000000..ef515c550631 --- /dev/null +++ b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_docker_custom_with_auth.tf.erb 
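Review bot: The `disableUpstreamValidation` description does not say that the field is input-only or what skipping validation costs. The comments above `custom_flatten` explain the INPUT_ONLY behaviour, but they do not reach the generated documentation. I would extend the description with something like `This field is not returned by the API, so Terraform cannot detect changes made outside of it. When true, an incorrect upstream URI or credential is not detected when the repository is created.` The second sentence is my reading of the existing description, so please confirm it against the API.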
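Review bot: The generated flatten function has no comment explaining why it ignores `v` and reads from `d` instead. Readers of the generated Go will not see the YAML comment, so a header such as `// disable_upstream_validation is INPUT_ONLY and never returned by the API; return the value already held in the resource data to avoid a permanent diff.` would help. The function also hard-codes the field path rather than deriving it from `property`, which is fine for a single use but worth stating in the same comment.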
@@ -0,0 +1,42 @@
+data "google_project" "project" {}
+
+resource "google_secret_manager_secret" "<%= ctx[:vars]['secret_resource_id'] %>" {
+ secret_id = "<%= ctx[:vars]['secret_id'] %>"
+ replication {
+ auto {}
+ }
+}
+
+resource "google_secret_manager_secret_version" "<%= ctx[:vars]['secret_resource_id'] %>_version" {
+ secret = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ secret_data = "<%= ctx[:vars]['secret_data'] %>"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret-access" {
+ secret_id = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_artifact_registry_repository" "<%= ctx[:primary_resource_id] %>" {
+ location = "us-central1"
+ repository_id = "<%= ctx[:vars]['repository_id'] %>"
+ description = "<%= ctx[:vars]['description'] %>"
+ format = "DOCKER"
+ mode = "REMOTE_REPOSITORY"
+ remote_repository_config {
+ description = "custom docker remote with credentials"
+ disable_upstream_validation = true
+ docker_repository {
+ custom_repository {
+ uri = "https://registry-1.docker.io"
+ }
+ }
+ upstream_credentials {
+ username_password_credentials {
+ username = "<%= ctx[:vars]['username'] %>"
+ password_secret_version = google_secret_manager_secret_version.<%= ctx[:vars]['secret_resource_id'] %>_version.name
+ }
+ }
+ }
+}
diff --git a/mmv1/templates/terraform/examples/artifact_registry_repository_remote_custom.tf.erb b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_dockerhub_auth.tf.erb
similarity index 97%
rename from mmv1/templates/terraform/examples/artifact_registry_repository_remote_custom.tf.erb
rename to mmv1/templates/terraform/examples/artifact_registry_repository_remote_dockerhub_auth.tf.erb
index 082e3d7f80da..00f616fc8306 100644
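Review bot: `disable_upstream_validation = true` appears in this published example with no explanation, so users copying it will switch off the check of the upstream and its credentials. It is presumably set because the example's `username` and `secret_data` are placeholders that would fail validation. A comment above the line would make that clear, for example `# Set only because the credentials in this example are placeholders; leave unset to have the upstream and credentials validated.` The same line is added in the dockerhub, maven, npm and python example templates in this commit.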
--- a/mmv1/templates/terraform/examples/artifact_registry_repository_remote_custom.tf.erb +++ b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_dockerhub_auth.tf.erb @@ -26,6 +26,7 @@ resource "google_artifact_registry_repository" "<%= ctx[:primary_resource_id] %> mode = "REMOTE_REPOSITORY" remote_repository_config { description = "docker hub with custom credentials" + disable_upstream_validation = true docker_repository { public_repository = "DOCKER_HUB" } diff --git a/mmv1/templates/terraform/examples/artifact_registry_repository_remote_maven_custom_with_auth.tf.erb b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_maven_custom_with_auth.tf.erb new file mode 100644 index 000000000000..9b07a1e78cdc --- /dev/null +++ b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_maven_custom_with_auth.tf.erb 
@@ -0,0 +1,42 @@
+data "google_project" "project" {}
+
+resource "google_secret_manager_secret" "<%= ctx[:vars]['secret_resource_id'] %>" {
+ secret_id = "<%= ctx[:vars]['secret_id'] %>"
+ replication {
+ auto {}
+ }
+}
+
+resource "google_secret_manager_secret_version" "<%= ctx[:vars]['secret_resource_id'] %>_version" {
+ secret = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ secret_data = "<%= ctx[:vars]['secret_data'] %>"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret-access" {
+ secret_id = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_artifact_registry_repository" "<%= ctx[:primary_resource_id] %>" {
+ location = "us-central1"
+ repository_id = "<%= ctx[:vars]['repository_id'] %>"
+ description = "<%= ctx[:vars]['description'] %>"
+ format = "MAVEN"
+ mode = "REMOTE_REPOSITORY"
+ remote_repository_config {
+ description = "custom maven remote with credentials"
+ disable_upstream_validation = true
+ maven_repository {
+ custom_repository {
+ uri = "https://my.maven.registry"
+ }
+ }
+ upstream_credentials {
+ username_password_credentials {
+ username = "<%= ctx[:vars]['username'] %>"
+ password_secret_version = google_secret_manager_secret_version.<%= ctx[:vars]['secret_resource_id'] %>_version.name
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/mmv1/templates/terraform/examples/artifact_registry_repository_remote_npm_custom_with_auth.tf.erb b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_npm_custom_with_auth.tf.erb
new file mode 100644
index 000000000000..81d3e70b6021
--- /dev/null
+++ b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_npm_custom_with_auth.tf.erb
@@ -0,0 +1,42 @@
+data "google_project" "project" {}
+
+resource "google_secret_manager_secret" "<%= ctx[:vars]['secret_resource_id'] %>" {
+ secret_id = "<%= ctx[:vars]['secret_id'] %>"
+ replication {
+ auto {}
+ }
+}
+
+resource "google_secret_manager_secret_version" "<%= ctx[:vars]['secret_resource_id'] %>_version" {
+ secret = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ secret_data = "<%= ctx[:vars]['secret_data'] %>"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret-access" {
+ secret_id = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_artifact_registry_repository" "<%= ctx[:primary_resource_id] %>" {
+ location = "us-central1"
+ repository_id = "<%= ctx[:vars]['repository_id'] %>"
+ description = "<%= ctx[:vars]['description'] %>"
+ format = "NPM"
+ mode = "REMOTE_REPOSITORY"
+ remote_repository_config {
+ description = "custom npm with credentials"
+ disable_upstream_validation = true
+ npm_repository {
+ custom_repository {
+ uri = "https://my.npm.registry"
+ }
+ }
+ upstream_credentials {
+ username_password_credentials {
+ username = "<%= ctx[:vars]['username'] %>"
+ password_secret_version = google_secret_manager_secret_version.<%= ctx[:vars]['secret_resource_id'] %>_version.name
+ }
+ }
+ }
+}
diff --git a/mmv1/templates/terraform/examples/artifact_registry_repository_remote_python_custom_with_auth.tf.erb b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_python_custom_with_auth.tf.erb
new file mode 100644
index 000000000000..d9cbc61d6d05
--- /dev/null
+++ b/mmv1/templates/terraform/examples/artifact_registry_repository_remote_python_custom_with_auth.tf.erb
@@ -0,0 +1,42 @@
+data "google_project" "project" {}
+
+resource "google_secret_manager_secret" "<%= ctx[:vars]['secret_resource_id'] %>" {
+ secret_id = "<%= ctx[:vars]['secret_id'] %>"
+ replication {
+ auto {}
+ }
+}
+
+resource "google_secret_manager_secret_version" "<%= ctx[:vars]['secret_resource_id'] %>_version" {
+ secret = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ secret_data = "<%= ctx[:vars]['secret_data'] %>"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret-access" {
+ secret_id = google_secret_manager_secret.<%= ctx[:vars]['secret_resource_id'] %>.id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_artifact_registry_repository" "<%= ctx[:primary_resource_id] %>" {
+ location = "us-central1"
+ repository_id = "<%= ctx[:vars]['repository_id'] %>"
+ description = "<%= ctx[:vars]['description'] %>"
+ format = "PYTHON"
+ mode = "REMOTE_REPOSITORY"
+ remote_repository_config {
+ description = "custom npm with credentials"
+ disable_upstream_validation = true
+ python_repository {
+ custom_repository {
+ uri = "https://my.python.registry"
+ }
+ }
+ upstream_credentials {
+ username_password_credentials {
+ username = "<%= ctx[:vars]['username'] %>"
+ password_secret_version = google_secret_manager_secret_version.<%= ctx[:vars]['secret_resource_id'] %>_version.name
+ }
+ }
+ }
+}
diff --git a/mmv1/templates/terraform/pre_create/artifact_registry_remote_repository.go.erb b/mmv1/templates/terraform/pre_create/artifact_registry_remote_repository.go.erb
new file mode 100644
index 000000000000..bad5d0a9599b
--- /dev/null
+++ b/mmv1/templates/terraform/pre_create/artifact_registry_remote_repository.go.erb
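Review bot: The `remote_repository_config` description in this PYTHON example reads `"custom npm with credentials"`, which looks copied from the npm template. It should be `description = "custom python remote with credentials"` to match `format = "PYTHON"` and the wording of the docker and maven examples.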
@@ -0,0 +1,18 @@
+// This file should be deleted in the next major terraform release, alongside
+// the default values for 'publicRepository'.
+
+// deletePublicRepoIfCustom deletes the publicRepository key for a given
+// pkg type from the remote repository config if customRepository is set.
+deletePublicRepoIfCustom := func(pkgType string) {
+ if _, ok := d.GetOk(fmt.Sprintf("remote_repository_config.0.%s_repository.0.custom_repository", pkgType)); ok {
+ rrcfg := obj["remoteRepositoryConfig"].(map[string]interface{})
+ repo := rrcfg[fmt.Sprintf("%sRepository", pkgType)].(map[string]interface{})
+ delete(repo, "publicRepository")
+ }
+}
+
+// Call above func for all pkg types that support custom remote repos.
+deletePublicRepoIfCustom("docker")
+deletePublicRepoIfCustom("maven")
+deletePublicRepoIfCustom("npm")
+deletePublicRepoIfCustom("python")
\ No newline at end of file
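Review bot: Both type assertions inside `deletePublicRepoIfCustom` are unchecked, so if `obj["remoteRepositoryConfig"]` or the per-type repository entry is missing or not a map, the provider panics instead of failing cleanly. The `d.GetOk` guard makes that unlikely, but it inspects the resource data rather than `obj`, and this fragment does not show how `obj` was built. Using the comma-ok form with early returns keeps the hook safe at no cost. This is a template fragment, so the enclosing create function lies outside the hunk.

```go
deletePublicRepoIfCustom := func(pkgType string) {
	if _, ok := d.GetOk(fmt.Sprintf("remote_repository_config.0.%s_repository.0.custom_repository", pkgType)); !ok {
		return
	}
	rrcfg, ok := obj["remoteRepositoryConfig"].(map[string]interface{})
	if !ok {
		return
	}
	repo, ok := rrcfg[fmt.Sprintf("%sRepository", pkgType)].(map[string]interface{})
	if !ok {
		return
	}
	delete(repo, "publicRepository")
}
// … unchanged: the four deletePublicRepoIfCustom calls …
```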