Add support for IAM policies on Security Command Center sources

[mdietzer-fn]

If this PR is for Terraform, I acknowledge that I have:

• Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes). I consider this a very small change.
• Generated Terraform, and ran make test and make lint to ensure it passes unit and linter tests.
• Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests). I didn't find any other examples for basic IAM resources, so I am unsure if this is needed here.
• Ran relevant acceptance tests (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
• Read the Release Notes Guide before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

Enable IAM resources for Security Command Center sources

[modular-magician]

Hello! I am a robot who works on Magic Modules PRs.

I've detected that you're a community contributor. @melinath, a repository maintainer, has been assigned to assist you and help review your changes.

❓ First time contributing? Click here for more details

---

Your assigned reviewer will help review your code by:

• Ensuring it's backwards compatible, covers common error cases, etc.
• Summarizing the change into a user-facing changelog note.
• Passes tests, either our "VCR" suite, a set of presubmit tests, or with manual test runs.

You can help make sure that review is quick by running local tests and ensuring they're passing in between each push you make to your PR's branch. Also, try to leave a comment with each push you make, as pushes generally don't generate emails.

If your reviewer doesn't get back to you within a week after your most recent change, please feel free to leave a comment on the issue asking them to take a look! In the absence of a dedicated review dashboard most maintainers manage their pending reviews through email, and those will sometimes get lost in their inbox.

---

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 4 files changed, 323 insertions(+), 3 deletions(-))
Terraform Beta: Diff ( 4 files changed, 323 insertions(+), 3 deletions(-))
TF Validator: Diff ( 5 files changed, 311 insertions(+), 3 deletions(-))

[modular-magician]

Tests analytics

Total tests: 2151
Passed tests 1912
Skipped tests: 233
Failed tests: 6

Action taken

Triggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed tests

TestAccSqlDatabaseInstance_withPrivateNetwork_withAllocatedIpRange|TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateExample|TestAccComputeGlobalForwardingRule_internalLoadBalancing|TestAccCloudRunService_cloudRunServiceStaticOutboundExample|TestAccComputeInstance_soleTenantNodeAffinities|TestAccSqlDatabaseInstance_SqlServerAuditConfig

[modular-magician]

Tests passed during RECORDING mode:
TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateExample[Debug log]

Tests failed during RECORDING mode:
TestAccSqlDatabaseInstance_withPrivateNetwork_withAllocatedIpRange[Error message] [Debug log]
TestAccComputeGlobalForwardingRule_internalLoadBalancing[Error message] [Debug log]
TestAccCloudRunService_cloudRunServiceStaticOutboundExample[Error message] [Debug log]
TestAccComputeInstance_soleTenantNodeAffinities[Error message] [Debug log]
TestAccSqlDatabaseInstance_SqlServerAuditConfig[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

[mdietzer-fn]

I cannot view these test results. Also, nothing I changed seems even tangentially related to these errors.
If there is anything in those tests that I broke, someone with access to those logs, please let me know.

[melinath]

The current test failures are unrelated to your changes.

Please add tests for the new resource. Usually IAM tests are autogenerated; however, SCC sources are an unusual resource that can't be deleted, so you will need to handwrite the tests for the IAM resource as well.

The easiest way to do this would probably be:

1. Remove skip_test from the Source example in terraform.yaml
2. Generate the beta provider locally - this should generate tests for the iam resources
3. Make any changes to the IAM tests that are necessary to account for the fact that SCC sources can't be deleted - for reference, compare the generated source tests from the previous step with the handwritten test that works around this.
4. After making sure the IAM tests run locally with your modifications, copy the test file to magic modules as if it was a handwritten test file.
5. You will need to add guards around the parts of the tests that test beta-only features. Basically: conditions. For comparison, here are the iam tests for kms crypto key, which also can't be deleted: https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/third_party/terraform/tests/resource_kms_key_ring_iam_test.go.erb

[mdietzer-fn]

I have added tests as requested, they all seem to pass.

Trying to add conditions to the IAM policies in SCC always yields 400, so I assume the API does not support these, yet? I tried the /v1/ and /v1beta1/ endpoints, neither accepted any condition I tried (including the same one used in other tests)

Note: I did have iam_conditions_request_type: :REQUEST_BODY in when testing this, and set TF_LOG=DEBUG to make sure the requests were sent correctly (to /v1beta1/ when I set it etc).

I have attached a (with private details removed) request log:
test.txt

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 5 files changed, 542 insertions(+), 3 deletions(-))
Terraform Beta: Diff ( 7 files changed, 545 insertions(+), 6 deletions(-))
TF Validator: Diff ( 5 files changed, 311 insertions(+), 3 deletions(-))

[modular-magician]

Tests analytics

Total tests: 2159
Passed tests 1911
Skipped tests: 234
Failed tests: 14

Action taken

Triggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed tests

TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateExample|TestAccComputeInstance_soleTenantNodeAffinities|TestAccComputeGlobalForwardingRule_internalLoadBalancing|TestAccCloudRunService_cloudRunServiceStaticOutboundExample|TestAccCGCSnippet_eventarcWorkflowsExample|TestAccSecurityCenterSourceIamMember|TestAccSecurityCenterSourceIamPolicy|TestAccSecurityCenterSourceIamBinding|TestAccSecurityCenterNotificationConfig_updateStreamingConfigFilter|TestAccSecurityCenterNotificationConfig_sccNotificationConfigBasicExample|TestAccSqlDatabaseInstance_withPrivateNetwork_withAllocatedIpRange|TestAccSecurityCenterSource_basic|TestAccSqlDatabaseInstance_SqlServerAuditConfig|TestAccFirebaserulesRelease_BasicRelease

[mdietzer-fn]

Seems my tests are failing here, but they all pass locally for me. I just checked again and they still pass just fine.

//EDIT: I guess disregard that, they passed in the second round...

[modular-magician]

Tests passed during RECORDING mode:
TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateExample[Debug log]
TestAccSecurityCenterSourceIamMember[Debug log]
TestAccSecurityCenterSourceIamPolicy[Debug log]
TestAccSecurityCenterSourceIamBinding[Debug log]
TestAccSecurityCenterSource_basic[Debug log]
TestAccFirebaserulesRelease_BasicRelease[Debug log]

Tests failed during RECORDING mode:
TestAccComputeInstance_soleTenantNodeAffinities[Error message] [Debug log]
TestAccComputeGlobalForwardingRule_internalLoadBalancing[Error message] [Debug log]
TestAccCloudRunService_cloudRunServiceStaticOutboundExample[Error message] [Debug log]
TestAccCGCSnippet_eventarcWorkflowsExample[Error message] [Debug log]
TestAccSecurityCenterNotificationConfig_updateStreamingConfigFilter[Error message] [Debug log]
TestAccSecurityCenterNotificationConfig_sccNotificationConfigBasicExample[Error message] [Debug log]
TestAccSqlDatabaseInstance_withPrivateNetwork_withAllocatedIpRange[Error message] [Debug log]
TestAccSqlDatabaseInstance_SqlServerAuditConfig[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

[melinath]

One quick change request; I'll look into the question of whether the conditions are supported. b/246645013

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 5 files changed, 542 insertions(+), 3 deletions(-))
Terraform Beta: Diff ( 5 files changed, 542 insertions(+), 3 deletions(-))
TF Validator: Diff ( 5 files changed, 311 insertions(+), 3 deletions(-))

[modular-magician]

Tests analytics

Total tests: 2174
Passed tests 1931
Skipped tests: 238
Failed tests: 5

Action taken

Triggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed tests

TestAccComputeInstance_soleTenantNodeAffinities|TestAccSecurityCenterSourceIamPolicy|TestAccSecurityCenterSourceIamMember|TestAccSecurityCenterSourceIamBinding|TestAccSecurityCenterSource_basic

[modular-magician]

Tests passed during RECORDING mode:
TestAccSecurityCenterSourceIamPolicy[Debug log]
TestAccSecurityCenterSourceIamMember[Debug log]
TestAccSecurityCenterSourceIamBinding[Debug log]
TestAccSecurityCenterSource_basic[Debug log]

Tests failed during RECORDING mode:
TestAccComputeInstance_soleTenantNodeAffinities[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

[mdietzer-fn]

@melinath Just reaching out, how are we looking on this?

[melinath]

apologies for the delay; I'm still waiting to hear back on this.

[melinath]

@mdietzer-fn looking at this again, it looks like your current implementation actually excludes support for conditions by not passing iam_conditions_request_type - since that's an option, this actually isn't blocked by the lack of conditions support per se. We can likely merge it as-is and add conditions support separately later. Would you want to do that?

[mdietzer-fn]

@melinath Sure, lets do that.

As mentioned, I had tried setting that in a local build and the conditions did not work at all either:

Note: I did have iam_conditions_request_type: :REQUEST_BODY in when testing this, and set TF_LOG=DEBUG to make sure the requests were sent correctly (to /v1beta1/ when I set it etc).

[melinath]

LGTM