feat: migrate code from googleapis/python-iam

.github/CODEOWNERS

@@ -53,7 +53,8 @@
 /functions/**/*                        @GoogleCloudPlatform/aap-dpes  @GoogleCloudPlatform/python-samples-reviewers
 /functions/spanner/*                   @GoogleCloudPlatform/api-spanner-python @GoogleCloudPlatform/python-samples-reviewers
 /healthcare/**/*                       @noerog @GoogleCloudPlatform/python-samples-reviewers
-/iam/**/*                              @GoogleCloudPlatform/python-samples-reviewers
+/iam/api-client/**/*                   @GoogleCloudPlatform/python-samples-reviewers
+/iam/cloud-client/**/*                 @GoogleCloudPlatform/dee-infra @GoogleCloudPlatform/python-samples-reviewers
 /iap/**/*                              @GoogleCloudPlatform/python-samples-reviewers
 /iot/**/*                              @gcseh @GoogleCloudPlatform/api-iot @GoogleCloudPlatform/python-samples-reviewers
 /jobs/**/*                             @GoogleCloudPlatform/python-samples-reviewers

.github/blunderbuss.yml

@@ -78,6 +78,10 @@ assign_issues_by:
   - 'api: healthcare'
   to:
   - noerog
+- labels:
+  - 'api: iam'
+  to:
+  - GoogleCloudPlatform/dee-infra
 - labels:
   - 'api: iot'
   - 'api: cloudiot'

iam/cloud-client/AUTHORING_GUIDE.md

@@ -0,0 +1 @@
+See https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/AUTHORING_GUIDE.md

iam/cloud-client/CONTRIBUTING.md

@@ -0,0 +1 @@
+See https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/CONTRIBUTING.md

iam/cloud-client/snippets/conftest.py

@@ -0,0 +1,56 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import re
+import uuid
+
+from google.cloud import iam_v2
+from google.cloud.iam_v2 import types
+import pytest
+from snippets.create_deny_policy import create_deny_policy
+from snippets.delete_deny_policy import delete_deny_policy
+
+PROJECT_ID = os.environ["IAM_PROJECT_ID"]
+GOOGLE_APPLICATION_CREDENTIALS = os.environ["IAM_CREDENTIALS"]
+
+
+@pytest.fixture
+def deny_policy(capsys: "pytest.CaptureFixture[str]") -> None:
+    policy_id = f"test-deny-policy-{uuid.uuid4()}"
+
+    # Delete any existing policies. Otherwise it might throw quota issue.
+    delete_existing_deny_policies(PROJECT_ID, "test-deny-policy")
+
+    # Create the Deny policy.
+    create_deny_policy(PROJECT_ID, policy_id)
+
+    yield policy_id
+
+    # Delete the Deny policy and assert if deleted.
+    delete_deny_policy(PROJECT_ID, policy_id)
+    out, _ = capsys.readouterr()
+    assert re.search(f"Deleted the deny policy: {policy_id}", out)
+
+
+def delete_existing_deny_policies(project_id: str, delete_name_prefix: str) -> None:
+    policies_client = iam_v2.PoliciesClient()
+
+    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
+
+    request = types.ListPoliciesRequest()
+    request.parent = f"policies/{attachment_point}/denypolicies"
+    for policy in policies_client.list_policies(request=request):
+        if delete_name_prefix in policy.name:
+            delete_deny_policy(PROJECT_ID, str(policy.name).rsplit("/", 1)[-1])

iam/cloud-client/snippets/create_deny_policy.py

@@ -0,0 +1,118 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains code samples that demonstrate how to create IAM deny policies.
+
+# [START iam_create_deny_policy]
+
+
+def create_deny_policy(project_id: str, policy_id: str) -> None:
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
+
+    """
+      Create a deny policy.
+      You can add deny policies to organizations, folders, and projects.
+      Each of these resources can have up to 5 deny policies.
+
+      Deny policies contain deny rules, which specify the following:
+      1. The permissions to deny and/or exempt.
+      2. The principals that are denied, or exempted from denial.
+      3. An optional condition on when to enforce the deny rules.
+
+      Params:
+      project_id: ID or number of the Google Cloud project you want to use.
+      policy_id: Specify the ID of the deny policy you want to create.
+    """
+    policies_client = iam_v2.PoliciesClient()
+
+    # Each deny policy is attached to an organization, folder, or project.
+    # To work with deny policies, specify the attachment point.
+    #
+    # Its format can be one of the following:
+    # 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
+    # 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
+    # 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
+    #
+    # The attachment point is identified by its URL-encoded resource name. Hence, replace
+    # the "/" with "%2F".
+    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
+
+    deny_rule = types.DenyRule()
+    # Add one or more principals who should be denied the permissions specified in this rule.
+    # For more information on allowed values, see: https://cloud.google.com/iam/help/deny/principal-identifiers
+    deny_rule.denied_principals = ["principalSet://goog/public:all"]
+
+    # Optionally, set the principals who should be exempted from the
+    # list of denied principals. For example, if you want to deny certain permissions
+    # to a group but exempt a few principals, then add those here.
+    # deny_rule.exception_principals = ["principalSet://goog/group/[email protected]"]
+
+    # Set the permissions to deny.
+    # The permission value is of the format: service_fqdn/resource.action
+    # For the list of supported permissions, see: https://cloud.google.com/iam/help/deny/supported-permissions
+    deny_rule.denied_permissions = [
+        "cloudresourcemanager.googleapis.com/projects.delete"
+    ]
+
+    # Optionally, add the permissions to be exempted from this rule.
+    # Meaning, the deny rule will not be applicable to these permissions.
+    # deny_rule.exception_permissions = ["cloudresourcemanager.googleapis.com/projects.create"]
+
+    # Set the condition which will enforce the deny rule.
+    # If this condition is true, the deny rule will be applicable. Else, the rule will not be enforced.
+    # The expression uses Common Expression Language syntax (CEL).
+    # Here we block access based on tags.
+    #
+    # Here, we create a deny rule that denies the cloudresourcemanager.googleapis.com/projects.delete permission to everyone except [email protected] for resources that are tagged test.
+    # A tag is a key-value pair that can be attached to an organization, folder, or project.
+    # For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
+    deny_rule.denial_condition = {
+        "expression": "!resource.matchTag('12345678/env', 'test')"
+    }
+
+    # Add the deny rule and a description for it.
+    policy_rule = types.PolicyRule()
+    policy_rule.description = "block all principals from deleting projects, unless the principal is a member of [email protected] and the project being deleted has a tag with the value test"
+    policy_rule.deny_rule = deny_rule
+
+    policy = types.Policy()
+    policy.display_name = "Restrict project deletion access"
+    policy.rules = [policy_rule]
+
+    # Set the policy resource path, policy rules and a unique ID for the policy.
+    request = types.CreatePolicyRequest()
+    # Construct the full path of the resource's deny policies.
+    # Its format is: "policies/{attachmentPoint}/denypolicies"
+    request.parent = f"policies/{attachment_point}/denypolicies"
+    request.policy = policy
+    request.policy_id = policy_id
+
+    # Build the create policy request and wait for the operation to complete.
+    result = policies_client.create_policy(request=request).result()
+    print(f"Created the deny policy: {result.name.rsplit('/')[-1]}")
+
+
+if __name__ == "__main__":
+    import uuid
+
+    # Your Google Cloud project ID.
+    project_id = "your-google-cloud-project-id"
+    # Any unique ID (0 to 63 chars) starting with a lowercase letter.
+    policy_id = f"deny-{uuid.uuid4()}"
+
+    # Test the policy lifecycle.
+    create_deny_policy(project_id, policy_id)
+
+# [END iam_create_deny_policy]

iam/cloud-client/snippets/delete_deny_policy.py

@@ -0,0 +1,62 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains code samples that demonstrate how to delete IAM deny policies.
+
+# [START iam_delete_deny_policy]
+def delete_deny_policy(project_id: str, policy_id: str) -> None:
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
+
+    """
+    Delete the policy if you no longer want to enforce the rules in a deny policy.
+
+    project_id: ID or number of the Google Cloud project you want to use.
+    policy_id: The ID of the deny policy you want to retrieve.
+    """
+    policies_client = iam_v2.PoliciesClient()
+
+    # Each deny policy is attached to an organization, folder, or project.
+    # To work with deny policies, specify the attachment point.
+    #
+    # Its format can be one of the following:
+    # 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
+    # 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
+    # 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
+    #
+    # The attachment point is identified by its URL-encoded resource name. Hence, replace
+    # the "/" with "%2F".
+    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
+
+    request = types.DeletePolicyRequest()
+    # Construct the full path of the policy.
+    # Its format is: "policies/{attachmentPoint}/denypolicies/{policyId}"
+    request.name = f"policies/{attachment_point}/denypolicies/{policy_id}"
+
+    # Create the DeletePolicy request.
+    result = policies_client.delete_policy(request=request).result()
+    print(f"Deleted the deny policy: {result.name.rsplit('/')[-1]}")
+
+
+if __name__ == "__main__":
+    import uuid
+
+    # Your Google Cloud project ID.
+    project_id = "your-google-cloud-project-id"
+    # Any unique ID (0 to 63 chars) starting with a lowercase letter.
+    policy_id = f"deny-{uuid.uuid4()}"
+
+    delete_deny_policy(project_id, policy_id)
+
+# [END iam_delete_deny_policy]

iam/cloud-client/snippets/get_deny_policy.py

@@ -0,0 +1,64 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains code samples that demonstrate how to get IAM deny policies.
+
+# [START iam_get_deny_policy]
+from google.cloud import iam_v2
+from google.cloud.iam_v2 import Policy, types
+
+
+def get_deny_policy(project_id: str, policy_id: str) -> Policy:
+    """
+    Retrieve the deny policy given the project ID and policy ID.
+
+    project_id: ID or number of the Google Cloud project you want to use.
+    policy_id: The ID of the deny policy you want to retrieve.
+    """
+    policies_client = iam_v2.PoliciesClient()
+
+    # Each deny policy is attached to an organization, folder, or project.
+    # To work with deny policies, specify the attachment point.
+    #
+    # Its format can be one of the following:
+    # 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
+    # 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
+    # 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
+    #
+    # The attachment point is identified by its URL-encoded resource name. Hence, replace
+    # the "/" with "%2F".
+    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
+
+    request = types.GetPolicyRequest()
+    # Construct the full path of the policy.
+    # Its format is: "policies/{attachmentPoint}/denypolicies/{policyId}"
+    request.name = f"policies/{attachment_point}/denypolicies/{policy_id}"
+
+    # Execute the GetPolicy request.
+    policy = policies_client.get_policy(request=request)
+    print(f"Retrieved the deny policy: {policy_id} : {policy}")
+    return policy
+
+
+if __name__ == "__main__":
+    import uuid
+
+    # Your Google Cloud project ID.
+    project_id = "your-google-cloud-project-id"
+    # Any unique ID (0 to 63 chars) starting with a lowercase letter.
+    policy_id = f"deny-{uuid.uuid4()}"
+
+    policy = get_deny_policy(project_id, policy_id)
+
+# [END iam_get_deny_policy]

iam/cloud-client/snippets/list_deny_policies.py

@@ -0,0 +1,65 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains code samples that demonstrate how to list IAM deny policies.
+
+# [START iam_list_deny_policy]
+def list_deny_policy(project_id: str) -> None:
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
+
+    """
+    List all the deny policies that are attached to a resource.
+    A resource can have up to 5 deny policies.
+
+    project_id: ID or number of the Google Cloud project you want to use.
+    """
+    policies_client = iam_v2.PoliciesClient()
+
+    # Each deny policy is attached to an organization, folder, or project.
+    # To work with deny policies, specify the attachment point.
+    #
+    # Its format can be one of the following:
+    # 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
+    # 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
+    # 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
+    #
+    # The attachment point is identified by its URL-encoded resource name. Hence, replace
+    # the "/" with "%2F".
+    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
+
+    request = types.ListPoliciesRequest()
+    # Construct the full path of the resource's deny policies.
+    # Its format is: "policies/{attachmentPoint}/denypolicies"
+    request.parent = f"policies/{attachment_point}/denypolicies"
+
+    # Create a list request and iterate over the returned policies.
+    policies = policies_client.list_policies(request=request)
+
+    for policy in policies:
+        print(policy.name)
+    print("Listed all deny policies")
+
+
+if __name__ == "__main__":
+    import uuid
+
+    # Your Google Cloud project ID.
+    project_id = "your-google-cloud-project-id"
+    # Any unique ID (0 to 63 chars) starting with a lowercase letter.
+    policy_id = f"deny-{uuid.uuid4()}"
+
+    list_deny_policy(project_id)
+
+# [END iam_list_deny_policy]