feat: Add client for IAM Deny v2 API (#230)

* feat: Create the public IAM Deny v2 API

PiperOrigin-RevId: 470600752

Source-Link: googleapis/googleapis@dac66f6

Source-Link: https://github.com/googleapis/googleapis-gen/commit/729529edc103e45087ffae8353eaf009ad7fe8c2
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNzI5NTI5ZWRjMTAzZTQ1MDg3ZmZhZTgzNTNlYWYwMDlhZDdmZThjMiJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* regenerate files using cl/470713093

* workaround docstring formatting issue

* add pytest to samples CI

* lint

* fix import statement in samples/snippets

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* docs(samples): migrate samples from iam_v2beta to iam_v2

* update required checks to include samples

* use GOOGLE_CLOUD_PROJECT

* fix imports in samples/snippets

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* add pytest

* chore(python): prepare for release of the iam/v2 python client

PiperOrigin-RevId: 471240188

Source-Link: googleapis/googleapis@ea847a1

Source-Link: https://github.com/googleapis/googleapis-gen/commit/6f1e4cd013ab2914773826e68b2a2d0763030a39
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNmYxZTRjZDAxM2FiMjkxNDc3MzgyNmU2OGIyYTJkMDc2MzAzMGEzOSJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* feat: Bump gapic-generator-python version to 1.3.0

PiperOrigin-RevId: 472561635

Source-Link: googleapis/googleapis@332ecf5

Source-Link: https://github.com/googleapis/googleapis-gen/commit/4313d682880fd9d7247291164d4e9d3d5bd9f177
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNDMxM2Q2ODI4ODBmZDlkNzI0NzI5MTE2NGQ0ZTlkM2Q1YmQ5ZjE3NyJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* chore: use gapic-generator-python 1.3.1

PiperOrigin-RevId: 472772457

Source-Link: googleapis/googleapis@855b74d

Source-Link: https://github.com/googleapis/googleapis-gen/commit/b64b1e7da3e138f15ca361552ef0545e54891b4f
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiYjY0YjFlN2RhM2UxMzhmMTVjYTM2MTU1MmVmMDU0NWU1NDg5MWI0ZiJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* fix: integrate  gapic-generator-python-1.4.1 and enable more py_test targets

PiperOrigin-RevId: 473833416

Source-Link: googleapis/googleapis@565a550

Source-Link: https://github.com/googleapis/googleapis-gen/commit/1ee1a06c6de3ca8b843572c1fde0548f84236989
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiMWVlMWEwNmM2ZGUzY2E4Yjg0MzU3MmMxZmRlMDU0OGY4NDIzNjk4OSJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* updated test to delete stale policies and avoid quota error

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* feat!: remove ListApplicablePolicies

PiperOrigin-RevId: 475955031

Source-Link: googleapis/googleapis@65376f4

Source-Link: https://github.com/googleapis/googleapis-gen/commit/c8504e97891ed9e664cf68270d7e61bec160fe57
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiYzg1MDRlOTc4OTFlZDllNjY0Y2Y2ODI3MGQ3ZTYxYmVjMTYwZmU1NyJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* samples: wait for the operation to complete

* samples: minor refactoring

* use project `python-docs-samples-tests`

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Anthonios Partheniou <[email protected]>
Co-authored-by: Sita Lakshmi Sangameswaran <[email protected]>
Co-authored-by: SitaLakshmi <[email protected]>

Author: 3 people

iam/cloud-client/__init__.py

@@ -16,19 +16,22 @@
 import re
 import uuid
 
-from _pytest.capture import CaptureFixture
+from google.cloud import iam_v2
+from google.cloud.iam_v2 import types
 import pytest
-
-from create_deny_policy import create_deny_policy
-from delete_deny_policy import delete_deny_policy
+from samples.snippets.create_deny_policy import create_deny_policy
+from samples.snippets.delete_deny_policy import delete_deny_policy
 
 PROJECT_ID = os.environ["GOOGLE_CLOUD_PROJECT"]
 GOOGLE_APPLICATION_CREDENTIALS = os.environ["GOOGLE_APPLICATION_CREDENTIALS"]
 
 
 @pytest.fixture
-def deny_policy(capsys: CaptureFixture) -> None:
-    policy_id = f"limit-project-deletion-{uuid.uuid4()}"
+def deny_policy(capsys: "pytest.CaptureFixture[str]") -> None:
+    policy_id = f"test-deny-policy-{uuid.uuid4()}"
+
+    # Delete any existing policies. Otherwise it might throw quota issue.
+    delete_existing_deny_policies(PROJECT_ID, "test-deny-policy")
 
     # Create the Deny policy.
     create_deny_policy(PROJECT_ID, policy_id)
@@ -39,3 +42,15 @@ def deny_policy(capsys: CaptureFixture) -> None:
     delete_deny_policy(PROJECT_ID, policy_id)
     out, _ = capsys.readouterr()
     assert re.search(f"Deleted the deny policy: {policy_id}", out)
+
+
+def delete_existing_deny_policies(project_id: str, delete_name_prefix: str) -> None:
+    policies_client = iam_v2.PoliciesClient()
+
+    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
+
+    request = types.ListPoliciesRequest()
+    request.parent = f"policies/{attachment_point}/denypolicies"
+    for policy in policies_client.list_policies(request=request):
+        if delete_name_prefix in policy.name:
+            delete_deny_policy(PROJECT_ID, str(policy.name).rsplit("/", 1)[-1])

iam/cloud-client/snippets/conftest.py

@@ -18,9 +18,8 @@
 
 
 def create_deny_policy(project_id: str, policy_id: str) -> None:
-    from google.cloud import iam_v2beta
-    from google.cloud.iam_v2beta import types
-    from google.type import expr_pb2
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
 
     """
       Create a deny policy.
@@ -36,7 +35,7 @@ def create_deny_policy(project_id: str, policy_id: str) -> None:
       project_id: ID or number of the Google Cloud project you want to use.
       policy_id: Specify the ID of the deny policy you want to create.
     """
-    policies_client = iam_v2beta.PoliciesClient()
+    policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
     # To work with deny policies, specify the attachment point.
@@ -100,9 +99,9 @@ def create_deny_policy(project_id: str, policy_id: str) -> None:
     request.policy = policy
     request.policy_id = policy_id
 
-    # Build the create policy request.
-    policies_client.create_policy(request=request)
-    print(f"Created the deny policy: {policy_id}")
+    # Build the create policy request and wait for the operation to complete.
+    result = policies_client.create_policy(request=request).result()
+    print(f"Created the deny policy: {result.name.rsplit('/')[-1]}")
 
 
 if __name__ == "__main__":

iam/cloud-client/snippets/create_deny_policy.py

@@ -16,16 +16,16 @@
 
 # [START iam_delete_deny_policy]
 def delete_deny_policy(project_id: str, policy_id: str) -> None:
-    from google.cloud import iam_v2beta
-    from google.cloud.iam_v2beta import types
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
 
     """
     Delete the policy if you no longer want to enforce the rules in a deny policy.
 
     project_id: ID or number of the Google Cloud project you want to use.
     policy_id: The ID of the deny policy you want to retrieve.
     """
-    policies_client = iam_v2beta.PoliciesClient()
+    policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
     # To work with deny policies, specify the attachment point.
@@ -45,8 +45,8 @@ def delete_deny_policy(project_id: str, policy_id: str) -> None:
     request.name = f"policies/{attachment_point}/denypolicies/{policy_id}"
 
     # Create the DeletePolicy request.
-    policies_client.delete_policy(request=request)
-    print(f"Deleted the deny policy: {policy_id}")
+    result = policies_client.delete_policy(request=request).result()
+    print(f"Deleted the deny policy: {result.name.rsplit('/')[-1]}")
 
 
 if __name__ == "__main__":

iam/cloud-client/snippets/delete_deny_policy.py

@@ -15,17 +15,18 @@
 # This file contains code samples that demonstrate how to get IAM deny policies.
 
 # [START iam_get_deny_policy]
-def get_deny_policy(project_id: str, policy_id: str):
-    from google.cloud import iam_v2beta
-    from google.cloud.iam_v2beta import Policy, types
+from google.cloud import iam_v2
+from google.cloud.iam_v2 import Policy, types
 
+
+def get_deny_policy(project_id: str, policy_id: str) -> Policy:
     """
     Retrieve the deny policy given the project ID and policy ID.
 
     project_id: ID or number of the Google Cloud project you want to use.
     policy_id: The ID of the deny policy you want to retrieve.
     """
-    policies_client = iam_v2beta.PoliciesClient()
+    policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
     # To work with deny policies, specify the attachment point.

iam/cloud-client/snippets/get_deny_policy.py

@@ -16,16 +16,16 @@
 
 # [START iam_list_deny_policy]
 def list_deny_policy(project_id: str) -> None:
-    from google.cloud import iam_v2beta
-    from google.cloud.iam_v2beta import types
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
 
     """
     List all the deny policies that are attached to a resource.
     A resource can have up to 5 deny policies.
 
     project_id: ID or number of the Google Cloud project you want to use.
     """
-    policies_client = iam_v2beta.PoliciesClient()
+    policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
     # To work with deny policies, specify the attachment point.

iam/cloud-client/snippets/list_deny_policies.py

@@ -31,7 +31,7 @@
     # build specific Cloud project. You can also use your own string
     # to use your own Cloud project.
     # "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
-    "gcloud_project_env": "BUILD_SPECIFIC_GCLOUD_PROJECT",
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
     # A dictionary you want to inject into your test. Don't put any
     # secrets here. These values will override predefined values.
     "envs": {},

iam/cloud-client/snippets/noxfile_config.py

@@ -0,0 +1 @@
+pytest==7.1.2

iam/cloud-client/snippets/requirements-test.txt

@@ -15,31 +15,35 @@
 import os
 import re
 
-from _pytest.capture import CaptureFixture
+import pytest
 from samples.snippets.get_deny_policy import get_deny_policy
 from samples.snippets.list_deny_policies import list_deny_policy
 from samples.snippets.update_deny_policy import update_deny_policy
 
-PROJECT_ID = os.environ["PROJECT_ID"]
+PROJECT_ID = os.environ["GOOGLE_CLOUD_PROJECT"]
 GOOGLE_APPLICATION_CREDENTIALS = os.environ["GOOGLE_APPLICATION_CREDENTIALS"]
 
 
-def test_retrieve_policy(capsys: CaptureFixture, deny_policy) -> None:
+def test_retrieve_policy(
+    capsys: "pytest.CaptureFixture[str]", deny_policy: str
+) -> None:
     # Test policy retrieval, given the policy id.
     get_deny_policy(PROJECT_ID, deny_policy)
     out, _ = capsys.readouterr()
     assert re.search(f"Retrieved the deny policy: {deny_policy}", out)
 
 
-def test_list_policies(capsys: CaptureFixture, deny_policy) -> None:
+def test_list_policies(capsys: "pytest.CaptureFixture[str]", deny_policy: str) -> None:
     # Check if the created policy is listed.
     list_deny_policy(PROJECT_ID)
     out, _ = capsys.readouterr()
     assert re.search(deny_policy, out)
     assert re.search("Listed all deny policies", out)
 
 
-def test_update_deny_policy(capsys: CaptureFixture, deny_policy) -> None:
+def test_update_deny_policy(
+    capsys: "pytest.CaptureFixture[str]", deny_policy: str
+) -> None:
     # Check if the policy rule is updated.
     policy = get_deny_policy(PROJECT_ID, deny_policy)
     update_deny_policy(PROJECT_ID, deny_policy, policy.etag)

iam/cloud-client/snippets/test_deny_policies.py

@@ -16,9 +16,8 @@
 
 # [START iam_update_deny_policy]
 def update_deny_policy(project_id: str, policy_id: str, etag: str) -> None:
-    from google.cloud import iam_v2beta
-    from google.cloud.iam_v2beta import types
-    from google.type import expr_pb2
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
 
     """
     Update the deny rules and/ or its display name after policy creation.
@@ -30,7 +29,7 @@ def update_deny_policy(project_id: str, policy_id: str, etag: str) -> None:
     etag: Etag field that identifies the policy version. The etag changes each time
     you update the policy. Get the etag of an existing policy by performing a GetPolicy request.
     """
-    policies_client = iam_v2beta.PoliciesClient()
+    policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
     # To work with deny policies, specify the attachment point.
@@ -94,8 +93,8 @@ def update_deny_policy(project_id: str, policy_id: str, etag: str) -> None:
     request = types.UpdatePolicyRequest()
     request.policy = policy
 
-    policies_client.update_policy(request=request)
-    print(f"Updated the deny policy: {policy_id}")
+    result = policies_client.update_policy(request=request).result()
+    print(f"Updated the deny policy: {result.name.rsplit('/')[-1]}")
 
 
 if __name__ == "__main__":