[DO NOT MERGE] Support IAM conditional policies on managed zones #16748
Draft
shellyvilenko wants to merge 23 commits into GoogleCloudPlatform:main
…Y_PARAM_NESTED' included iam_conditions_request_type: 'QUERY_PARAM_NESTED' I think that QUERY_PARAM_NESTED is appropriate here because of the GetIamPolicyRequest
add example for the conditions
Resolve conflicts
add usage of template to managedzone.yaml
add managed zone var to template
randomize dns name in tests
use randomized dns name in tests
fix typo
The v1beta2 API requires all method paths to begin with dns/<version>/projects/ to maintain compatibility with legacy documentation. However, per-resource IAM methods (like setIamPolicy) require a different path format (dns/<version>/{+resource}) that breaks this requirement.
it does not work as expected
Add an UpdateMask field to the IamPolicy struct to allow resources to opt-in to sending the mask.
Modify the template to inject "updateMask": "bindings,etag,version" into the request body when UpdateMask is true.
enable update mask
According to IAM internal documentation, conditional bindings are strictly prohibited for legacy "Basic" roles, which include roles/owner, roles/editor, and roles/viewer
Change the expression in dns_managed_zone_iam_condition.tf.tmpl to a single-line string to avoid newline-related parsing errors
try to use admin@hashicorptest.com instead of made up account
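The two constraints in the commit messages above (the "updateMask": "bindings,etag,version" field in the setIamPolicy body, and no conditions on roles/owner, roles/editor or roles/viewer), as an added Go example that is not code from this PR. `BuildSetIamPolicyBody`, the struct names and the sample binding are hypothetical; the example also assumes the standard IAM rule that a policy carrying conditional bindings is sent as version 3.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal IAM policy JSON shape: bindings with an optional CEL condition.
type Expr struct {
	Title      string `json:"title"`
	Expression string `json:"expression"`
}
type Binding struct {
	Role      string   `json:"role"`
	Members   []string `json:"members"`
	Condition *Expr    `json:"condition,omitempty"`
}
type Policy struct {
	Version  int       `json:"version"`
	Etag     string    `json:"etag,omitempty"`
	Bindings []Binding `json:"bindings"`
}

// The legacy basic roles that the commit message says cannot carry conditions.
var basicRoles = map[string]bool{"roles/owner": true, "roles/editor": true, "roles/viewer": true}

// BuildSetIamPolicyBody (hypothetical helper) rejects conditional bindings on
// basic roles before any request is sent, then builds the request body.
func BuildSetIamPolicyBody(p Policy, updateMask bool) ([]byte, error) {
	for _, b := range p.Bindings {
		if b.Condition == nil {
			continue
		}
		if basicRoles[b.Role] {
			return nil, fmt.Errorf("conditional binding not allowed on basic role %s", b.Role)
		}
		p.Version = 3 // assumption: conditional bindings require policy version 3
	}
	body := map[string]interface{}{"policy": p}
	if updateMask { // opt-in, as with the UpdateMask field described above
		body["updateMask"] = "bindings,etag,version"
	}
	return json.Marshal(body)
}

func main() {
	c := &Expr{"expires", `request.time < timestamp("2030-01-01T00:00:00Z")`} // constructed sample
	out, err := BuildSetIamPolicyBody(Policy{Version: 1, Bindings: []Binding{{"roles/dns.reader", []string{"user:admin@example.com"}, c}}}, true)
	fmt.Println(string(out), err)
}
```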
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Collaborator

Non-exercised tests

🔴 Tests were added that are skipped in VCR:

Tests analytics

Total tests: 57

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.

slevenick (Contributor) approved these changes on Mar 18, 2026 and left a comment:
LGTM, waiting for API release to merge
[DO NOT MERGE]
included iam_conditions_request_type: 'QUERY_PARAM_NESTED'
Support Iam conditional policies on dns managed zones