- release_tracks: [ALPHA, BETA, GA]

  help_text:
    brief: |
      Create a Managed Microsoft AD domain.
    description: |
      Create a new Managed Microsoft AD domain with the given name using Google Cloud's
      Managed Service for Microsoft Active Directory.

      This command can fail for the following reasons:
        * An AD domain with the same name already exists.
        * The active account does not have permission to create AD domains.
        * There is an overlap between the provided CIDR range and authorized network's CIDR.
        * A valid region was not provided.
    examples: |
      The following command creates an AD domain with the name
      `my-domain.com` in region `us-central1`, a network peering to `my-network` and
      consuming the IP address range `10.172.0.0/24`.

        $ {command} my-domain.com --region=us-central1 --reserved-ip-range="10.172.0.0/24"
        --authorized-networks=projects/my-project/global/networks/my-network

  async:
    collection: managedidentities.projects.locations.global.operations

  request: &request
    collection: managedidentities.projects.locations.global.domains
    modify_request_hooks:
    - googlecloudsdk.command_lib.active_directory.util:AppendLocationsGlobalToParent
    ALPHA:
      api_version: v1alpha1
    BETA:
      api_version: v1beta1
    GA:
      api_version: v1

  arguments:
    resource:
      spec: !REF googlecloudsdk.command_lib.active_directory.resources:domain
      help_text: |
        Name of the managed Managed Microsoft AD domain you want to create.
    params:
    - arg_name: authorized-networks
      api_field: domain.authorizedNetworks
      help_text: |
          Names of the Google Compute Engine networks to which the domain will be connected.
    - arg_name: region
      api_field: domain.locations
      help_text: |
        Google Compute Engine region in which to provision domain controllers.
      required: true
    - arg_name: admin-name
      ALPHA:
        api_field: domain.managedIdentitiesAdminName
      BETA:
        api_field: domain.admin
      GA:
        api_field: domain.admin
      help_text: |
        Name of the administrator that may be used to perform Active Directory
        operations. This is a delegated administrator account provisioned by our service.
        If left unspecified `MIAdmin` will be used. This is different from both the domain
        administrator and the Directory Services Restore Mode (DSRM) administrator.
    - arg_name: labels
      api_field: domain.labels.additionalProperties
      metavar: KEY=VALUE
      help_text: |
        List of label KEY=VALUE pairs to add.
      type:
        arg_dict:
          flatten: true
          spec:
          - api_field: key
          - api_field: value
    - arg_name: tags
      release_tracks: [GA]
      # TODO(b/338531743): Remove hidden as part of GA launch.
      hidden: true
      api_field: domain.tags.additionalProperties
      metavar: KEY=VALUE
      help_text: |
        List of tag KEY=VALUE pairs to add.
      type:
        arg_dict:
          flatten: true
          spec:
          - api_field: key
          - api_field: value
    - arg_name: reserved-ip-range
      api_field: domain.reservedIpRange
      help_text: |
        Classless Inter-Domain Routing range of internal addresses that
        are reserved for this domain.
      required: true
    - arg_name: enable-audit-logs
      type: bool
      action: store_true
      api_field: domain.auditLogsEnabled
      help_text: |
        If specified, Active Directory data audit logs are enabled for the domain.