Pull request #1045: Support storage mounts

Merge in CLOUD/terraform-provider-yandex-mirror from feature/SERVERLESS-597-support-serverless-storage-mounts to master

Squashed commit of the following:

commit 4d12faa6f3bceead68b3ad617f4181509834bccb
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Mon Dec 11 18:41:43 2023 +0300

    Update docs

commit be0d1f56f8d4924e4138c47d52697b35e033fb3c
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Mon Dec 11 17:33:05 2023 +0300

    Update CHANGELOG.md

commit 7001b1728e48eefdac897d3480645b8aac30b0d0
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Fri Dec 8 17:13:42 2023 +0300

    Fix variable name

commit bcace7d6b4b959fdd4db60a35f9a498e0e6b7e37
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Thu Dec 7 14:00:28 2023 +0300

    Fix assert statements for "read_only" and "prefix" params

commit 425b37de84d0ca3b9cfb1dea4aab803701fb42f9
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Thu Dec 7 13:17:49 2023 +0300

    Fix service account tf config

commit a8b33afce58123aaeaa19392c355348448048b8a
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Thu Dec 7 00:05:46 2023 +0300

    Make bucket name unique

commit f211a664c584f450971b093331202446472fef9d
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Wed Dec 6 19:55:07 2023 +0300

    Make sa name unique

commit 8fa63b5e205fda2b66149547220e6ea7f00ecc27
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Wed Dec 6 17:43:06 2023 +0300

    Fix tf storage mounts config for data_source_yandex_function_test.go

commit 0c6d64031b9ec8a718f37ebb62bd4836fdb2594d
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Wed Dec 6 16:36:05 2023 +0300

    Add storage mounts to data_source_yandex_function.go

commit dde3f7edb5d513eb0e24ec271c5fb401660231dc
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Fri Dec 1 16:01:56 2023 +0300

    Fix terraform test config

commit e69cdf805f2e5b06a572bc00f948e16120d67d77
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Thu Nov 30 20:39:20 2023 +0300

    Complete tests

commit f6e47390f097f9f720cc138ac28c8e68100ab57e
Author: Daniil Sharko <integrex@yandex.ru>
Date:   Thu Nov 30 20:00:45 2023 +0300

    Support storage mounts

CHANGELOG.md

@@ -1,6 +1,8 @@
 ## 0.104.0 (Unreleased)
 FEATURES:
 * serverless: support Container Registry, Yandex Data Streams and Mail triggers.
+* serverless: support `storage_mounts` in `yandex_function` resource and data source
+* serverless: support `storage_mounts` in `yandex_serverless_container` resource and data source
 * cdn: add `secure_key` and `enable_ip_url_signing` parameters to resource options.
 * greenplum: add PXF daemon settings to config
 * compute: changes in instance's DNS records are now done without instance restart

website/docs/d/datasource_function.html.markdown

@@ -45,7 +45,8 @@ The following attributes are exported:
 * `service_account_id` - Service account ID for Yandex Cloud Function
 * `environment` - A set of key/value environment variables for Yandex Cloud Function
 * `tags` - Tags for Yandex Cloud Function. Tag "$latest" isn't returned.
-* `secrets` - Secrets for Yandex Cloud Function. 
+* `secrets` - Secrets for Yandex Cloud Function.
+* `storage_mounts` - Storage Mounts for Yandex Cloud Function.
 * `version` - Version for Yandex Cloud Function.
 * `image_size` - Image size for Yandex Cloud Function.
 * `loggroup_id` - Log group ID size for Yandex Cloud Function.

website/docs/d/datasource_serverless_container.html.markdown

@@ -41,6 +41,7 @@ The following attributes are exported:
 * `concurrency` - Concurrency of Yandex Cloud Serverless Container
 * `service_account_id` - Service account ID of Yandex Cloud Serverless Container
 * `secrets` - Secrets for Yandex Cloud Serverless Container
+* `storage_mounts` - Storage Mounts for Yandex Cloud Serverless Container
 * `image.0.url` - URL of image that deployed as Yandex Cloud Serverless Container
 * `image.0.work_dir` - Working directory of Yandex Cloud Serverless Container
 * `image.0.digest` - Digest of image that deployed as Yandex Cloud Serverless Container

website/docs/r/function.html.markdown

@@ -65,6 +65,7 @@ The following arguments are supported:
 * `environment` - A set of key/value environment variables for Yandex Cloud Function
 * `tags` - Tags for Yandex Cloud Function. Tag "$latest" isn't returned.
 * `secrets` - Secrets for Yandex Cloud Function.
+* `storage_mounts` - Storage mounts for Yandex Cloud Function.
 * `version` - Version for Yandex Cloud Function.
 * `image_size` - Image size for Yandex Cloud Function.
 * `loggroup_id` - Loggroup ID size for Yandex Cloud Function.
@@ -106,6 +107,20 @@ The `secrets` block supports:
 
 ---
 
+
+* The `storage_mounts` block supports:
+
+* `mount_point_name` - (Required) Name of the mount point. The directory where the bucket is mounted will be accessible at the `/function/storage/<mount_point>` path.
+
+* `bucket` - (Required) Name of the mounting bucket.
+
+* `prefix` - Prefix within the bucket. If you leave this field empty, the entire bucket will be mounted.
+
+* `read_only` - Mount the bucket in read-only mode.
+
+---
+
+
 The `async_invocation` block supports:
 
 * `retries_count` - Maximum number of retries for async invocation

website/docs/r/serverless_container.html.markdown

@@ -59,6 +59,7 @@ The following arguments are supported:
 * `concurrency` - Concurrency of Yandex Cloud Serverless Container
 * `service_account_id` - Service account ID for Yandex Cloud Serverless Container
 * `secrets` - Secrets for Yandex Cloud Serverless Container
+* `storage_mounts` - Storage mounts for Yandex Cloud Serverless Container
 
 * `connectivity` - Network access. If specified the revision will be attached to specified network
 * `connectivity.0.network_id` - Network the revision will have access to
@@ -93,3 +94,13 @@ The `secrets` block supports:
 * `key` - (Required) Secret's entries key which value will be stored in environment variable.
 
 * `environment_variable` - (Required) Container's environment variable in which secret's value will be stored.
+
+* The `storage_mounts` block supports:
+
+* `mount_point_path` - (Required) Path inside the container to access the directory in which the bucket is mounted.
+
+* `bucket` - (Required) Name of the mounting bucket.
+
+* `prefix` - Prefix within the bucket. If you leave this field empty, the entire bucket will be mounted.
+
+* `read_only` - Mount the bucket in read-only mode.

yandex/data_source_yandex_function.go

@@ -109,6 +109,32 @@ func dataSourceYandexFunction() *schema.Resource {
 				},
 			},
 
+			"storage_mounts": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"mount_point_name": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"bucket": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"prefix": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"read_only": {
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
+					},
+				},
+			},
+
 			"version": {
 				Type:     schema.TypeString,
 				Computed: true,

yandex/data_source_yandex_function_test.go

@@ -91,6 +91,12 @@ func TestAccDataSourceYandexFunction_full(t *testing.T) {
 		secretEnvVar: "TF_FUNCTION_ENV_KEY",
 		secretValue:  "tf-function-secret-value",
 	}
+	params.storageMount = testStorageMountParameters{
+		storageMountPointName: "mp-name",
+		storageMountBucket:    acctest.RandomWithPrefix("tf-function-test-bucket"),
+		storageMountPrefix:    "tf-function-path",
+		storageMountReadOnly:  false,
+	}
 	params.zipFilename = "test-fixtures/serverless/main.zip"
 	params.maxAsyncRetries = "2"
 
@@ -119,6 +125,10 @@ func TestAccDataSourceYandexFunction_full(t *testing.T) {
 					resource.TestCheckResourceAttrSet(functionDataSource, "secrets.0.version_id"),
 					resource.TestCheckResourceAttr(functionDataSource, "secrets.0.key", params.secret.secretKey),
 					resource.TestCheckResourceAttr(functionDataSource, "secrets.0.environment_variable", params.secret.secretEnvVar),
+					resource.TestCheckResourceAttr(functionDataSource, "storage_mounts.0.mount_point_name", params.storageMount.storageMountPointName),
+					resource.TestCheckResourceAttr(functionDataSource, "storage_mounts.0.bucket", params.storageMount.storageMountBucket),
+					resource.TestCheckResourceAttr(functionDataSource, "storage_mounts.0.prefix", params.storageMount.storageMountPrefix),
+					resource.TestCheckResourceAttr(functionDataSource, "storage_mounts.0.read_only", fmt.Sprint(params.storageMount.storageMountReadOnly)),
 					resource.TestCheckResourceAttr(functionDataSource, "async_invocation.0.retries_count", params.maxAsyncRetries),
 					testAccCheckCreatedAtAttr(functionDataSource),
 				),
@@ -199,6 +209,12 @@ resource "yandex_function" "test-function" {
     key = "%s"
     environment_variable = "%s"
   }
+  storage_mounts {
+    mount_point_name = "%s"
+    bucket = yandex_storage_bucket.another-bucket.bucket
+    prefix = "%s"
+    read_only = %v
+  }
   content {
     zip_filename = "%s"
   }
@@ -207,6 +223,22 @@ resource "yandex_function" "test-function" {
   }
 }
 
+resource "yandex_resourcemanager_folder_iam_member" "sa-editor" {
+  folder_id = yandex_iam_service_account.test-account.folder_id
+  role      = "storage.editor"
+  member    = "serviceAccount:${yandex_iam_service_account.test-account.id}"
+}
+
+resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
+  service_account_id = yandex_iam_service_account.test-account.id
+}
+
+resource "yandex_storage_bucket" "another-bucket" {
+  access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
+  secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
+  bucket = "%s"
+}
+
 resource "yandex_iam_service_account" "test-account" {
   name = "%s"
 }
@@ -244,8 +276,12 @@ resource "yandex_lockbox_secret_version" "secret_version" {
 		params.tags,
 		params.secret.secretKey,
 		params.secret.secretEnvVar,
+		params.storageMount.storageMountPointName,
+		params.storageMount.storageMountPrefix,
+		params.storageMount.storageMountReadOnly,
 		params.zipFilename,
 		params.maxAsyncRetries,
+		params.storageMount.storageMountBucket,
 		params.serviceAccount,
 		params.secret.secretName,
 		params.secret.secretKey,

yandex/data_source_yandex_serverless_container.go

@@ -98,6 +98,32 @@ func dataSourceYandexServerlessContainer() *schema.Resource {
 				},
 			},
 
+			"storage_mounts": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"mount_point_path": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"bucket": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"prefix": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"read_only": {
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
+					},
+				},
+			},
+
 			"image": {
 				Type:     schema.TypeList,
 				Computed: true,

yandex/data_source_yandex_serverless_container_test.go

@@ -102,6 +102,13 @@ func TestAccDataSourceYandexServerlessContainer_full(t *testing.T) {
 		secretValue:  "tf-container-secret-value",
 	}
 
+	params.storageMount = testStorageMountParameters{
+		storageMountPointPath: "/mount/point/path",
+		storageMountBucket:    acctest.RandomWithPrefix("tf-function-test-bucket"),
+		storageMountPrefix:    "tf-container-path",
+		storageMountReadOnly:  false,
+	}
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -134,6 +141,10 @@ func TestAccDataSourceYandexServerlessContainer_full(t *testing.T) {
 					resource.TestCheckResourceAttrSet(serverlessContainerDataSource, "secrets.0.version_id"),
 					resource.TestCheckResourceAttr(serverlessContainerDataSource, "secrets.0.key", params.secret.secretKey),
 					resource.TestCheckResourceAttr(serverlessContainerDataSource, "secrets.0.environment_variable", params.secret.secretEnvVar),
+					resource.TestCheckResourceAttr(serverlessContainerDataSource, "storage_mounts.0.mount_point_path", params.storageMount.storageMountPointPath),
+					resource.TestCheckResourceAttr(serverlessContainerDataSource, "storage_mounts.0.bucket", params.storageMount.storageMountBucket),
+					resource.TestCheckResourceAttr(serverlessContainerDataSource, "storage_mounts.0.prefix", params.storageMount.storageMountPrefix),
+					resource.TestCheckResourceAttr(serverlessContainerDataSource, "storage_mounts.0.read_only", fmt.Sprint(params.storageMount.storageMountReadOnly)),
 					resource.TestCheckResourceAttrSet(serverlessContainerResource, "revision_id"),
 					resource.TestCheckResourceAttrSet(serverlessContainerResource, "folder_id"),
 					resource.TestCheckResourceAttrSet(serverlessContainerResource, "url"),

yandex/resource_yandex_function.go

@@ -195,6 +195,32 @@ func resourceYandexFunction() *schema.Resource {
 				},
 			},
 
+			"storage_mounts": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"mount_point_name": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"bucket": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"prefix": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"read_only": {
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
+					},
+				},
+			},
+
 			"connectivity": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
@@ -358,7 +384,7 @@ func resourceYandexFunctionUpdate(d *schema.ResourceData, meta interface{}) erro
 
 	lastVersionPaths := []string{
 		"user_hash", "runtime", "entrypoint", "memory", "execution_timeout", "service_account_id",
-		"environment", "tags", "package", "content", "secrets", "connectivity",
+		"environment", "tags", "package", "content", "secrets", "connectivity", "storage_mounts",
 	}
 	var versionPartialPaths []string
 	for _, p := range lastVersionPaths {
@@ -534,6 +560,32 @@ func expandLastVersion(d *schema.ResourceData) (*functions.CreateFunctionVersion
 			versionReq.Secrets[i] = fs
 		}
 	}
+
+	if v, ok := d.GetOk("storage_mounts"); ok {
+		storageMountsList := v.([]interface{})
+
+		versionReq.StorageMounts = make([]*functions.StorageMount, len(storageMountsList))
+		for i, sm := range storageMountsList {
+			storageMount := sm.(map[string]interface{})
+
+			fsm := &functions.StorageMount{}
+			if mountPointName, ok := storageMount["mount_point_name"]; ok {
+				fsm.MountPointName = mountPointName.(string)
+			}
+			if bucket, ok := storageMount["bucket"]; ok {
+				fsm.BucketId = bucket.(string)
+			}
+			if prefix, ok := storageMount["prefix"]; ok {
+				fsm.Prefix = prefix.(string)
+			}
+			if readOnly, ok := storageMount["read_only"]; ok {
+				fsm.ReadOnly = readOnly.(bool)
+			}
+
+			versionReq.StorageMounts[i] = fsm
+		}
+	}
+
 	if connectivity := expandFunctionConnectivity(d); connectivity != nil {
 		versionReq.Connectivity = connectivity
 	}
@@ -597,6 +649,8 @@ func flattenYandexFunction(d *schema.ResourceData, function *functions.Function,
 	}
 
 	d.Set("secrets", flattenFunctionSecrets(version.Secrets))
+	d.Set("storage_mounts", flattenVersionStorageMounts(version.StorageMounts))
+
 	return d.Set("tags", tags)
 }
 
@@ -693,6 +747,20 @@ func flattenFunctionSecrets(secrets []*functions.Secret) []map[string]interface{
 	return s
 }
 
+func flattenVersionStorageMounts(storageMounts []*functions.StorageMount) []map[string]interface{} {
+	s := make([]map[string]interface{}, len(storageMounts))
+
+	for i, storageMount := range storageMounts {
+		s[i] = map[string]interface{}{
+			"mount_point_name": storageMount.MountPointName,
+			"bucket":           storageMount.BucketId,
+			"prefix":           storageMount.Prefix,
+			"read_only":        storageMount.ReadOnly,
+		}
+	}
+	return s
+}
+
 func expandFunctionConnectivity(d *schema.ResourceData) *functions.Connectivity {
 	if id, ok := d.GetOk("connectivity.0.network_id"); ok {
 		return &functions.Connectivity{NetworkId: id.(string)}