
[#20905] Add network scope and src network fields to fw policy rules …
…(#12762) (#9082)

[upstream:22ebcfbc1bce625abe2a1a382af8c6312fc8032e]

Signed-off-by: Modular Magician <[email protected]>
modular-magician authored Jan 17, 2025
1 parent 3c1cc7f commit c23ce7f
Showing 19 changed files with 1,615 additions and 275 deletions.
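--- a/.changelog/12762.txt
+++ b/.changelog/12762.txt
@@ -0,0 +1,18 @@
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_firewall_policy_with_rules` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_network_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_network_firewall_policy_with_rules` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_region_network_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_region_network_firewall_policy_with_rules` resource (beta)
+```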
Expand Up @@ -127,6 +127,12 @@ Example inputs include: ["22"], ["80","443"], and ["12345-12349"].`,
Type: schema.TypeString,
},
},
"dest_network_scope": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: verify.ValidateEnum([]string{"INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS", ""}),
Description: `Network scope of the traffic destination. Possible values: ["INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS"]`,
},
"dest_region_codes": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -167,6 +173,20 @@ Example inputs include: ["22"], ["80","443"], and ["12345-12349"].`,
Type: schema.TypeString,
},
},
"src_network_scope": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: verify.ValidateEnum([]string{"INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS", ""}),
Description: `Network scope of the traffic source. Possible values: ["INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS"]`,
},
"src_networks": {
Type: schema.TypeList,
Optional: true,
Description: `Networks of the traffic source. It can be either a full or partial url.`,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"src_region_codes": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -719,6 +739,12 @@ func flattenComputeFirewallPolicyRuleMatch(v interface{}, d *schema.ResourceData
flattenComputeFirewallPolicyRuleMatchSrcIpRanges(original["srcIpRanges"], d, config)
transformed["dest_ip_ranges"] =
flattenComputeFirewallPolicyRuleMatchDestIpRanges(original["destIpRanges"], d, config)
transformed["src_network_scope"] =
flattenComputeFirewallPolicyRuleMatchSrcNetworkScope(original["srcNetworkScope"], d, config)
transformed["src_networks"] =
flattenComputeFirewallPolicyRuleMatchSrcNetworks(original["srcNetworks"], d, config)
transformed["dest_network_scope"] =
flattenComputeFirewallPolicyRuleMatchDestNetworkScope(original["destNetworkScope"], d, config)
transformed["layer4_configs"] =
flattenComputeFirewallPolicyRuleMatchLayer4Configs(original["layer4Configs"], d, config)
transformed["dest_address_groups"] =
Expand Down Expand Up @@ -747,6 +773,18 @@ func flattenComputeFirewallPolicyRuleMatchDestIpRanges(v interface{}, d *schema.
return v
}

func flattenComputeFirewallPolicyRuleMatchSrcNetworkScope(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenComputeFirewallPolicyRuleMatchSrcNetworks(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenComputeFirewallPolicyRuleMatchDestNetworkScope(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenComputeFirewallPolicyRuleMatchLayer4Configs(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return v
Expand Down Expand Up @@ -886,6 +924,27 @@ func expandComputeFirewallPolicyRuleMatch(v interface{}, d tpgresource.Terraform
transformed["destIpRanges"] = transformedDestIpRanges
}

transformedSrcNetworkScope, err := expandComputeFirewallPolicyRuleMatchSrcNetworkScope(original["src_network_scope"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedSrcNetworkScope); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["srcNetworkScope"] = transformedSrcNetworkScope
}

transformedSrcNetworks, err := expandComputeFirewallPolicyRuleMatchSrcNetworks(original["src_networks"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedSrcNetworks); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["srcNetworks"] = transformedSrcNetworks
}

transformedDestNetworkScope, err := expandComputeFirewallPolicyRuleMatchDestNetworkScope(original["dest_network_scope"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedDestNetworkScope); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["destNetworkScope"] = transformedDestNetworkScope
}

transformedLayer4Configs, err := expandComputeFirewallPolicyRuleMatchLayer4Configs(original["layer4_configs"], d, config)
if err != nil {
return nil, err
Expand Down Expand Up @@ -960,6 +1019,18 @@ func expandComputeFirewallPolicyRuleMatchDestIpRanges(v interface{}, d tpgresour
return v, nil
}

func expandComputeFirewallPolicyRuleMatchSrcNetworkScope(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandComputeFirewallPolicyRuleMatchSrcNetworks(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandComputeFirewallPolicyRuleMatchDestNetworkScope(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandComputeFirewallPolicyRuleMatchLayer4Configs(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
req := make([]interface{}, 0, len(l))
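Review bot: The `"src_networks"` entry added in the `@@ -167,6 +173,20 @@` hunk has no schema relationship to `src_network_scope` and no element validation, so a rule that lists networks but leaves the scope unset (or sets it to INTERNET) passes plan and is only rejected, or quietly ignored, by the API at apply time. The only combination the commit's acceptance test exercises is `src_network_scope = "VPC_NETWORKS"` together with `src_networks`, which suggests the API ties the two; if that is confirmed, record it in the schema, e.g. `Description: \`Networks of the traffic source. It can be either a full or partial url. Only honoured when src_network_scope is "VPC_NETWORKS".\``, and consider a CustomizeDiff that rejects the other combinations at plan time, because a source restriction that silently drops out widens a firewall rule's reach without producing any visible diff. Separately, the description promises partial URLs while flattenComputeFirewallPolicyRuleMatchSrcNetworks returns the API value verbatim; if the API canonicalises entries to full self-links, a partial URL in config yields a perpetual diff, which is the usual reason operators end up adding `ignore_changes` to firewall rules and losing drift detection, so either normalise in the flatten or add a DiffSuppressFunc that treats a name, partial URL and full URL as equal. The enclosing schema map and the expand/flatten functions' callers start and end outside the hunks shown.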
Expand Up @@ -35,9 +35,9 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"org_id": envvar.GetTestOrgFromEnv(t),
"service_account": envvar.GetTestServiceAccountFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
"org_id": envvar.GetTestOrgFromEnv(t),
"service_acct": envvar.GetTestServiceAccountFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
Expand All @@ -49,7 +49,7 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
Config: testAccComputeFirewallPolicyRule_firewallPolicyRuleExample(context),
},
{
ResourceName: "google_compute_firewall_policy_rule.policy_rule",
ResourceName: "google_compute_firewall_policy_rule.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"firewall_policy"},
Expand All @@ -61,7 +61,7 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
func testAccComputeFirewallPolicyRule_firewallPolicyRuleExample(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
name = "address%{random_suffix}"
name = "tf-test-address-group%{random_suffix}"
parent = "organizations/%{org_id}"
description = "Sample global networksecurity_address_group"
location = "global"
Expand All @@ -78,36 +78,111 @@ resource "google_folder" "folder" {
resource "google_compute_firewall_policy" "default" {
parent = google_folder.folder.id
short_name = "policy%{random_suffix}"
short_name = "tf-test-fw-policy%{random_suffix}"
description = "Resource created for Terraform acceptance testing"
}
resource "google_compute_firewall_policy_rule" "policy_rule" {
resource "google_compute_firewall_policy_rule" "primary" {
firewall_policy = google_compute_firewall_policy.default.name
description = "Resource created for Terraform acceptance testing"
priority = 9000
enable_logging = true
action = "allow"
direction = "EGRESS"
disabled = false
target_service_accounts = ["%{service_acct}"]
match {
dest_ip_ranges = ["11.100.0.1/32"]
dest_fqdns = []
dest_region_codes = ["US"]
dest_threat_intelligences = ["iplist-known-malicious-ips"]
src_address_groups = []
dest_address_groups = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
dest_network_scope = "INTERNET"
layer4_configs {
ip_protocol = "tcp"
ports = [8080]
}
layer4_configs {
ip_protocol = "udp"
ports = [22]
}
}
}
`, context)
}

func TestAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"org_id": envvar.GetTestOrgFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckComputeFirewallPolicyRuleDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(context),
},
{
ResourceName: "google_compute_firewall_policy_rule.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"firewall_policy"},
},
},
})
}

func testAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_folder" "folder" {
display_name = "folder%{random_suffix}"
parent = "organizations/%{org_id}"
deletion_protection = false
}
resource "google_compute_firewall_policy" "default" {
parent = google_folder.folder.id
short_name = "tf-test-fw-policy%{random_suffix}"
description = "Firewall policy"
}
resource "google_compute_firewall_policy_rule" "primary" {
firewall_policy = google_compute_firewall_policy.default.name
description = "Resource created for Terraform acceptance testing"
description = "Firewall policy rule with network scope"
priority = 9000
enable_logging = true
action = "allow"
direction = "EGRESS"
direction = "INGRESS"
disabled = false
match {
src_ip_ranges = ["11.100.0.1/32"]
src_network_scope = "VPC_NETWORKS"
src_networks = [google_compute_network.network.id]
layer4_configs {
ip_protocol = "tcp"
ports = [8080]
ports = [8080]
}
layer4_configs {
ip_protocol = "udp"
ports = [22]
ports = [22]
}
dest_ip_ranges = ["11.100.0.1/32"]
dest_fqdns = []
dest_region_codes = ["US"]
dest_threat_intelligences = ["iplist-known-malicious-ips"]
src_address_groups = []
dest_address_groups = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
}
target_service_accounts = ["%{service_account}"]
}
resource "google_compute_network" "network" {
name = "network%{random_suffix}"
auto_create_subnetworks = false
}
`, context)
}
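Review bot: The VPC created by the new NetworkScope example is named `network%{random_suffix}` while the same commit renames the policy and address group to the `tf-test-` prefix, presumably so the sweepers can reclaim them; change it to `name = "tf-test-network%{random_suffix}"` so a failed run does not leave an orphaned network in the test organisation. Neither example has an update step, so the expand path for `src_network_scope`, `src_networks` and `dest_network_scope` is only exercised on create; a second TestStep that changes the scope (say VPC_NETWORKS to INTERNET, which is exactly the edit that widens a rule's reach) followed by another import-verify would show the field is actually pushed on update rather than dropped. The NetworkScope example also pairs `src_networks` with `src_ip_ranges`, so it does not demonstrate that the network restriction is honoured on its own; dropping `src_ip_ranges` from that match block, or adding a variant without it, would make the test assert the behaviour the feature is for.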
