From 51ba8a0cc8ebd9dd47e84246201d63b0bb084e3a Mon Sep 17 00:00:00 2001 From: Modular Magician Date: Mon, 8 Sep 2025 22:06:44 +0000 Subject: [PATCH] Add Big Query Data Policy V2 resource (#14979) [upstream:d6be8f03fe6b7e39e3b2ff647dbb2b6149949ca6] 
Signed-off-by: Modular Magician --- .../backing_file.tf | 15 ++++ .../main.tf | 5 ++ bigquery_datapolicyv2_datapolicy_basic/motd | 7 ++ .../tutorial.md | 79 +++++++++++++++++++ .../backing_file.tf | 15 ++++ .../main.tf | 8 ++ .../motd | 7 ++ .../tutorial.md | 79 +++++++++++++++++++ .../backing_file.tf | 15 ++++ .../main.tf | 28 +++++++ bigquery_datapolicyv2_datapolicy_routine/motd | 7 ++ .../tutorial.md | 79 +++++++++++++++++++ .../backing_file.tf | 15 ++++ .../main.tf | 8 ++ .../motd | 7 ++ .../tutorial.md | 79 +++++++++++++++++++ 16 files changed, 453 insertions(+) create mode 100644 bigquery_datapolicyv2_datapolicy_basic/backing_file.tf create mode 100644 bigquery_datapolicyv2_datapolicy_basic/main.tf create mode 100644 bigquery_datapolicyv2_datapolicy_basic/motd create mode 100644 bigquery_datapolicyv2_datapolicy_basic/tutorial.md create mode 100644 bigquery_datapolicyv2_datapolicy_predefined_masking/backing_file.tf create mode 100644 bigquery_datapolicyv2_datapolicy_predefined_masking/main.tf create mode 100644 bigquery_datapolicyv2_datapolicy_predefined_masking/motd create mode 100644 bigquery_datapolicyv2_datapolicy_predefined_masking/tutorial.md create mode 100644 bigquery_datapolicyv2_datapolicy_routine/backing_file.tf create mode 100644 bigquery_datapolicyv2_datapolicy_routine/main.tf create mode 100644 bigquery_datapolicyv2_datapolicy_routine/motd create mode 100644 bigquery_datapolicyv2_datapolicy_routine/tutorial.md create mode 100644 bigquery_datapolicyv2_datapolicy_withgrantees_test/backing_file.tf create mode 100644 bigquery_datapolicyv2_datapolicy_withgrantees_test/main.tf create mode 100644 bigquery_datapolicyv2_datapolicy_withgrantees_test/motd create mode 100644 bigquery_datapolicyv2_datapolicy_withgrantees_test/tutorial.md diff --git a/bigquery_datapolicyv2_datapolicy_basic/backing_file.tf b/bigquery_datapolicyv2_datapolicy_basic/backing_file.tf new file mode 100644 index 00000000..c60b1199 --- /dev/null 
+++ b/bigquery_datapolicyv2_datapolicy_basic/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_basic/main.tf b/bigquery_datapolicyv2_datapolicy_basic/main.tf
new file mode 100644
index 00000000..46e26e30
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_basic/main.tf
@@ -0,0 +1,5 @@
+resource "google_bigquery_datapolicyv2_data_policy" "basic_data_policy" {
+ location = "us-central1"
+ data_policy_type = "RAW_DATA_ACCESS_POLICY"
+ data_policy_id = "basic_data_policy-${local.name_suffix}"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_basic/motd b/bigquery_datapolicyv2_datapolicy_basic/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_basic/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/bigquery_datapolicyv2_datapolicy_basic/tutorial.md b/bigquery_datapolicyv2_datapolicy_basic/tutorial.md
new file mode 100644
index 00000000..692bf266
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_basic/tutorial.md
@@ -0,0 +1,79 @@
+# Bigquery Datapolicyv2 Datapolicy Basic - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/bigquery_datapolicyv2_datapolicy_predefined_masking/backing_file.tf b/bigquery_datapolicyv2_datapolicy_predefined_masking/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_predefined_masking/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_predefined_masking/main.tf b/bigquery_datapolicyv2_datapolicy_predefined_masking/main.tf
new file mode 100644
index 00000000..00aa784d
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_predefined_masking/main.tf
@@ -0,0 +1,8 @@
+resource "google_bigquery_datapolicyv2_data_policy" "predefined_masking_data_policy" {
+ location = "us-central1"
+ data_policy_type = "DATA_MASKING_POLICY"
+ data_masking_policy {
+ predefined_expression = "SHA256"
+ }
+ data_policy_id = "predefined_masking_data_policy-${local.name_suffix}"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_predefined_masking/motd b/bigquery_datapolicyv2_datapolicy_predefined_masking/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_predefined_masking/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/bigquery_datapolicyv2_datapolicy_predefined_masking/tutorial.md b/bigquery_datapolicyv2_datapolicy_predefined_masking/tutorial.md
new file mode 100644
index 00000000..32605f7e
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_predefined_masking/tutorial.md
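Review bot: In bigquery_datapolicyv2_datapolicy_predefined_masking/main.tf, `predefined_expression = "SHA256"` is shown with no comment on how much protection it gives, and readers tend to copy the example value as-is. If the predefined expression is a plain hash of the column value (nothing in the hunk indicates a salt or key), it is deterministic, so low-entropy columns such as phone numbers or national ID numbers can be recovered by hashing candidate values; it pseudonymises rather than hides. I would add a comment above the `data_masking_policy` block along the lines of `# SHA256 keeps masked values joinable but is guessable for low-entropy columns; use ALWAYS_NULL or DEFAULT_MASKING_VALUE where the value itself must not be inferable.`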
@@ -0,0 +1,79 @@
+# Bigquery Datapolicyv2 Datapolicy Predefined Masking - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/bigquery_datapolicyv2_datapolicy_routine/backing_file.tf b/bigquery_datapolicyv2_datapolicy_routine/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_routine/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_routine/main.tf b/bigquery_datapolicyv2_datapolicy_routine/main.tf
new file mode 100644
index 00000000..c997dc61
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_routine/main.tf
@@ -0,0 +1,28 @@
+resource "google_bigquery_datapolicyv2_data_policy" "routine_data_policy" {
+ location = "us-central1"
+ data_policy_id = "routine_data_policy-${local.name_suffix}"
+ data_policy_type = "DATA_MASKING_POLICY"
+ data_masking_policy {
+ routine = google_bigquery_routine.custom_masking_routine.id
+ }
+}
+
+resource "google_bigquery_dataset" "test" {
+ dataset_id = "dataset_id-${local.name_suffix}"
+ location = "us-central1"
+}
+
+resource "google_bigquery_routine" "custom_masking_routine" {
+ dataset_id = google_bigquery_dataset.test.dataset_id
+ routine_id = "custom_masking_routine"
+ routine_type = "SCALAR_FUNCTION"
+ language = "SQL"
+ data_governance_type = "DATA_MASKING"
+ definition_body = "SAFE.REGEXP_REPLACE(ssn, '[0-9]', 'X')"
+ return_type = "{\"typeKind\" : \"STRING\"}"
+
+ arguments {
+ name = "ssn"
+ data_type = "{\"typeKind\" : \"STRING\"}"
+ }
+}
diff --git a/bigquery_datapolicyv2_datapolicy_routine/motd b/bigquery_datapolicyv2_datapolicy_routine/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_routine/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
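Review bot: In bigquery_datapolicyv2_datapolicy_routine/main.tf, the `definition_body` of `custom_masking_routine` carries no comment saying what the mask leaves visible. `SAFE.REGEXP_REPLACE(ssn, '[0-9]', 'X')` replaces each ASCII digit one for one, so the masked value keeps its original length and every non-digit character; a value that is not purely digits and separators passes through largely unmasked. I would document that next to the routine, e.g. `# Masks ASCII digits only; length, separators and any letters in the input remain visible to masked readers.` A second short comment that `data_governance_type = "DATA_MASKING"` is what marks the routine as usable from `data_masking_policy.routine` would also help readers adapting the example.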
diff --git a/bigquery_datapolicyv2_datapolicy_routine/tutorial.md b/bigquery_datapolicyv2_datapolicy_routine/tutorial.md
new file mode 100644
index 00000000..11d0d3d1
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_routine/tutorial.md
@@ -0,0 +1,79 @@
+# Bigquery Datapolicyv2 Datapolicy Routine - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/bigquery_datapolicyv2_datapolicy_withgrantees_test/backing_file.tf b/bigquery_datapolicyv2_datapolicy_withgrantees_test/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_withgrantees_test/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_withgrantees_test/main.tf b/bigquery_datapolicyv2_datapolicy_withgrantees_test/main.tf
new file mode 100644
index 00000000..9610740e
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_withgrantees_test/main.tf
@@ -0,0 +1,8 @@
+resource "google_bigquery_datapolicyv2_data_policy" "data_policy_with_grantees" {
+ location = "us-central1"
+ data_policy_type = "RAW_DATA_ACCESS_POLICY"
+ grantees = [
+ "principalSet://goog/group/bigquery-datamasking-swe@google.com"
+ ]
+ data_policy_id = "data_policy_with_grantees-${local.name_suffix}"
+}
diff --git a/bigquery_datapolicyv2_datapolicy_withgrantees_test/motd b/bigquery_datapolicyv2_datapolicy_withgrantees_test/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_withgrantees_test/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/bigquery_datapolicyv2_datapolicy_withgrantees_test/tutorial.md b/bigquery_datapolicyv2_datapolicy_withgrantees_test/tutorial.md
new file mode 100644
index 00000000..cdb0e5e3
--- /dev/null
+++ b/bigquery_datapolicyv2_datapolicy_withgrantees_test/tutorial.md
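Review bot: The `grantees` list in bigquery_datapolicyv2_datapolicy_withgrantees_test/main.tf hard-codes `principalSet://goog/group/bigquery-datamasking-swe@google.com`, a group that will not belong to the organisation of someone running this Cloud Shell example, on a `RAW_DATA_ACCESS_POLICY`. Applied unchanged, the example either fails or, if the principal resolves, names an outside group as a grantee of what is presumably unmasked access wherever the policy is later attached. I would take the principal from an input variable with no default so the reader has to choose it, e.g. `grantees = var.raw_data_grantees` (variable name illustrative), and add a comment that grantees of a raw data access policy see the underlying values.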
@@ -0,0 +1,79 @@
+# Bigquery Datapolicyv2 Datapolicy Withgrantees Test - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```