Add iamConfiguration support to gcp_storage_bucket

You can now set the iam configuration for a given bucket, you can set: 1. publicAccessPrevention and 2. uniformBucketLevelAccess no support for bucketPolicyOnly because according to the storage docs: Note: iamConfiguration also includes the bucketPolicyOnly field, which uses a legacy name but has the same functionality as the uniformBucketLevelAccess field. We recommend only using uniformBucketLevelAccess, as specifying both fields may result in unreliable behavior. Also added integration tests for this feature Signed-off-by: Jorge Gallegos <jgallego@redhat.com>
2025-08-10 16:14:27 -07:00 · 2025-06-26 12:00:00 -06:00 · 2025-06-26 12:00:00 -06:00 · f9f0b33542
commit f9f0b33542
parent 8863545bef
3 changed files with 180 additions and 2 deletions
--- a/tests/integration/targets/gcp_storage_bucket/tasks/iam_configuration.yml
+++ b/tests/integration/targets/gcp_storage_bucket/tasks/iam_configuration.yml
@ -0,0 +1,86 @@
+---
+- name: Run test cases
+  block:
+  # --------------------------------------------------------------------------
+  - name: Create default bucket
+    google.cloud.gcp_storage_bucket:
+      name: "{{ resource_name }}-default"
+      project: "{{ gcp_project }}"
+      auth_kind: "{{ gcp_cred_kind }}"
+      service_account_file: "{{ gcp_cred_file | default(omit) }}"
+      state: present
+    register: result
+
+  - name: Assert changed is true and default values are returned
+    ansible.builtin.assert:
+      that:
+        - result.changed == true
+        - result.iamConfiguration.publicAccessPrevention == 'inherited'
+        - result.iamConfiguration.uniformBucketLevelAccess.enabled == false
+  # --------------------------------------------------------------------------
+  - name: Create bucket with enforced PAP
+    google.cloud.gcp_storage_bucket:
+      name: "{{ resource_name }}-pap"
+      project: "{{ gcp_project }}"
+      auth_kind: "{{ gcp_cred_kind }}"
+      service_account_file: "{{ gcp_cred_file | default(omit) }}"
+      state: present
+      iam_configuration:
+        public_access_prevention: enforced
+    register: result
+
+  - name: Assert changed is true and IAM PAP is 'enforced'
+    ansible.builtin.assert:
+      that:
+        - result.changed == true
+        - result.iamConfiguration.publicAccessPrevention == 'enforced'
+  # --------------------------------------------------------------------------
+  - name: Create bucket with UBLA enabled
+    google.cloud.gcp_storage_bucket:
+      name: "{{ resource_name }}-ublae"
+      project: "{{ gcp_project }}"
+      auth_kind: "{{ gcp_cred_kind }}"
+      service_account_file: "{{ gcp_cred_file | default(omit) }}"
+      state: present
+      iam_configuration:
+        uniform_bucket_level_access:
+          enabled: true
+    register: result
+
+  - name: Assert changed is true and IAM UBLA is enabled
+    ansible.builtin.assert:
+      that:
+        - result.changed == true
+        - result.iamConfiguration.uniformBucketLevelAccess.enabled == true
+  # --------------------------------------------------------------------------
+  - name: Create bucket with UBLA disabled
+    google.cloud.gcp_storage_bucket:
+      name: "{{ resource_name }}-ublad"
+      project: "{{ gcp_project }}"
+      auth_kind: "{{ gcp_cred_kind }}"
+      service_account_file: "{{ gcp_cred_file | default(omit) }}"
+      state: present
+      iam_configuration:
+        uniform_bucket_level_access:
+          enabled: false
+    register: result
+
+  - name: Assert changed is true and IAM UBLA is disabled
+    ansible.builtin.assert:
+      that:
+        - result.changed == true
+        - result.iamConfiguration.uniformBucketLevelAccess.enabled == false
+  # --------------------------------------------------------------------------
+  always:
+    - name: Clean up buckets
+      google.cloud.gcp_storage_bucket:
+        name: "{{ resource_name }}-{{ item }}"
+        project: "{{ gcp_project }}"
+        auth_kind: "{{ gcp_cred_kind }}"
+        service_account_file: "{{ gcp_cred_file | default(omit) }}"
+        state: absent
+      loop:
+        - default
+        - pap
+        - ublae
+        - ublad
--- a/tests/integration/targets/gcp_storage_bucket/tasks/main.yml
+++ b/tests/integration/targets/gcp_storage_bucket/tasks/main.yml
@ -1,3 +1,6 @@
 ---
 - name: Generated tests
  ansible.builtin.include_tasks: autogen.yml
+
+- name: Tests for IAM Configuration support
+  ansible.builtin.include_tasks: iam_configuration.yml