Merge pull request #5142 from modular-magician/codegen-pr-2819

Handle deleted: prefix when deduplicating IAM member map
hashicorp · Dec 11, 2019 · d5d951e · d5d951e
2 parents 3d8c561 + 56e367a
commit d5d951e
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 3 deletions.
diff --git a/google/iam.go b/google/iam.go
@@ -232,10 +232,21 @@ func createIamBindingsMap(bindings []*cloudresourcemanager.Binding) map[iamBindi
 			// <type> is case sensitive
 			// <value> isn't
 			// so let's lowercase the value and leave the type alone
-			pieces := strings.SplitN(m, ":", 2)
-			if len(pieces) > 1 {
-				pieces[1] = strings.ToLower(pieces[1])
+			// since Dec '19 members can be prefixed with "deleted:" to indicate the principal
+			// has been deleted
+			var pieces []string
+			if strings.HasPrefix(m, "deleted:") {
+				pieces = strings.SplitN(m, ":", 3)
+				if len(pieces) > 2 {
+					pieces[2] = strings.ToLower(pieces[2])
+				}
+			} else {
+				pieces = strings.SplitN(m, ":", 2)
+				if len(pieces) > 1 {
+					pieces[1] = strings.ToLower(pieces[1])
+				}
 			}
+
 			m = strings.Join(pieces, ":")
 
 			// Add the member

diff --git a/google/iam_test.go b/google/iam_test.go
@@ -489,6 +489,35 @@ func TestIamCreateIamBindingsMap(t *testing.T) {
 				{"role-3", conditionKey{}}: {"user-3": {}},
 			},
 		},
+		{
+			input: []*cloudresourcemanager.Binding{
+				{
+					Role:    "role-1",
+					Members: []string{"deleted:serviceAccount:user-1", "user-2"},
+				},
+				{
+					Role:    "role-2",
+					Members: []string{"deleted:user:user-1"},
+				},
+				{
+					Role:    "role-1",
+					Members: []string{"serviceAccount:user-3"},
+				},
+				{
+					Role:    "role-2",
+					Members: []string{"user-2"},
+				},
+				{
+					Role:    "role-3",
+					Members: []string{"user-3"},
+				},
+			},
+			expect: map[iamBindingKey]map[string]struct{}{
+				{"role-1", conditionKey{}}: {"deleted:serviceAccount:user-1": {}, "user-2": {}, "serviceAccount:user-3": {}},
+				{"role-2", conditionKey{}}: {"deleted:user:user-1": {}, "user-2": {}},
+				{"role-3", conditionKey{}}: {"user-3": {}},
+			},
+		},
 	}
 
 	for _, tc := range testCases {