Search code examples
terraformgoogle-data-catalog

Manage Google Data Catalog in Terraform - Set Tag Template's visibility

I'm trying to create a tag template in Google Data Catalog using Terraform.

Once created - the tag template's visibility is set to "Private".

enter image description here

Looking for a way to set the visibility to Public.

My code:

resource "google_data_catalog_tag_template" "data_category" {
  project = var.project_id
  region = var.location
  tag_template_id = "data_category"
  display_name = "Data Category"
  is_publicly_readable = true
  fields {
      field_id = "data_category1" 
      display_name = "Data Category 1" 
      description = ""
      is_required = true
      order = 3
      type {
        enum_type {
              allowed_values {display_name = "Category A"}
              allowed_values {display_name = "Category B"}
            }
        }
      }
}

When creating a tag template through the API there's an attribute "isPubliclyReadable" that I could set, but when trying to use it in TF I get an error:

An argument named "is_publicly_readable" is not expected here.

Which is expected since I've seen no mention of such argument in TF's documentation.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/data_catalog_tag_template_iam

Solution

  • Seeing as the only way to set the visibility of a tag template (Not through the UI) was by using a PATCH API (As documented here).

    And seeing as TF's http resource only supports GET\HEAD\POST methods.

    I've managed to set the visibility using null_resource that executed a python script which called the API.

    TF resource:

    resource "null_resource" "update_data_category_visibility" { 
  depends_on = [google_data_catalog_tag_template.data_category]
  provisioner "local-exec" { 
    command = "python set_tag_template_visibility.py '${var.project_id}' '${var.location}' 'data_category'" 
    interpreter = ["powershell"] 
  }
}

    And the python code:

    #set_tag_template_visibility.py:
import sys
from google.auth import default
from google.auth.transport.requests import AuthorizedSession

def update_visibility(project_id, location, tag_template):
    # Set up authentication using the default credentials
    credentials, _ = default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
    session = AuthorizedSession(credentials)
    # Build the API request
    url = f"https://datacatalog.googleapis.com/v1/projects/{project_id}/locations/{location}/tagTemplates/{tag_template}?updateMask=isPubliclyReadable"
    data = "{\"isPubliclyReadable\": true}"
    # Make the API request
    session.patch(url, data)
    
if __name__ == '__main__':
    # Extract the arguments from sys.argv
    project_id = sys.argv[1]
    location = sys.argv[2]
    tag_template = sys.argv[3]

    # Call the function with the arguments
    update_visibility(project_id, location, tag_template)