diff --git a/.changelog/11526.txt b/.changelog/11526.txt
new file mode 100644
index 0000000000..ccc0b4a068
--- /dev/null
+++ b/.changelog/11526.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+`google_compute_region_network_firewall_policy_with_rules` (beta)
+```
\ No newline at end of file
diff --git a/google-beta/provider/provider_mmv1_resources.go b/google-beta/provider/provider_mmv1_resources.go
index 82eaee6b53..a141c64ad1 100644
--- a/google-beta/provider/provider_mmv1_resources.go
+++ b/google-beta/provider/provider_mmv1_resources.go
@@ -485,9 +485,9 @@ var handwrittenIAMDatasources = map[string]*schema.Resource{
}
// Resources
-// Generated resources: 527
+// Generated resources: 528
// Generated IAM resources: 291
-// Total generated resources: 818
+// Total generated resources: 819
var generatedResources = map[string]*schema.Resource{
"google_folder_access_approval_settings": accessapproval.ResourceAccessApprovalFolderSettings(),
"google_organization_access_approval_settings": accessapproval.ResourceAccessApprovalOrganizationSettings(),
@@ -747,6 +747,7 @@ var generatedResources = map[string]*schema.Resource{
"google_compute_region_network_endpoint": compute.ResourceComputeRegionNetworkEndpoint(),
"google_compute_region_network_endpoint_group": compute.ResourceComputeRegionNetworkEndpointGroup(),
"google_compute_region_network_firewall_policy": compute.ResourceComputeRegionNetworkFirewallPolicy(),
+ "google_compute_region_network_firewall_policy_with_rules": compute.ResourceComputeRegionNetworkFirewallPolicyWithRules(),
"google_compute_region_per_instance_config": compute.ResourceComputeRegionPerInstanceConfig(),
"google_compute_region_security_policy": compute.ResourceComputeRegionSecurityPolicy(),
"google_compute_region_security_policy_rule": compute.ResourceComputeRegionSecurityPolicyRule(),
diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go
new file mode 100644
index 0000000000..1b254184f3
--- /dev/null
+++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go
@@ -0,0 +1,2039 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** Type: MMv1 ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package compute
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+ "reflect"
+ "strings"
+ "time"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
+ transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/verify"
+)
+
+func regionNetworkFirewallPolicyWithRulesConvertPriorityToInt(v interface{}) (int64, error) {
+ if strVal, ok := v.(string); ok {
+ if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+ return intVal, nil
+ }
+ }
+
+ if intVal, ok := v.(int64); ok {
+ return intVal, nil
+ }
+
+ if floatVal, ok := v.(float64); ok {
+ intVal := int64(floatVal)
+ return intVal, nil
+ }
+ return 0, fmt.Errorf("Incorrect rule priority: %s. Priority must be a number", v)
+}
+
+func regionNetworkFirewallPolicyWithRulesIsPredefinedRule(rule map[string]interface{}) (bool, error) {
+ // Priorities from 2147483548 to 2147483647 are reserved and cannot be modified by the user.
+ const ReservedPriorityStart = 2147483548
+
+ priority := rule["priority"]
+ priorityInt, err := regionNetworkFirewallPolicyWithRulesConvertPriorityToInt(priority)
+
+ if err != nil {
+ return false, err
+ }
+
+ return priorityInt >= ReservedPriorityStart, nil
+}
+
+func regionNetworkFirewallPolicyWithRulesSplitPredefinedRules(allRules []interface{}) ([]interface{}, []interface{}, error) {
+ predefinedRules := make([]interface{}, 0)
+ rules := make([]interface{}, 0)
+
+ for _, rule := range allRules {
+ isPredefined, err := regionNetworkFirewallPolicyWithRulesIsPredefinedRule(rule.(map[string]interface{}))
+ if err != nil {
+ return nil, nil, err
+ }
+
+ if isPredefined {
+ predefinedRules = append(predefinedRules, rule)
+ } else {
+ rules = append(rules, rule)
+ }
+ }
+
+ return rules, predefinedRules, nil
+}
+
+func ResourceComputeRegionNetworkFirewallPolicyWithRules() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceComputeRegionNetworkFirewallPolicyWithRulesCreate,
+ Read: resourceComputeRegionNetworkFirewallPolicyWithRulesRead,
+ Update: resourceComputeRegionNetworkFirewallPolicyWithRulesUpdate,
+ Delete: resourceComputeRegionNetworkFirewallPolicyWithRulesDelete,
+
+ Importer: &schema.ResourceImporter{
+ State: resourceComputeRegionNetworkFirewallPolicyWithRulesImport,
+ },
+
+ Timeouts: &schema.ResourceTimeout{
+ Create: schema.DefaultTimeout(20 * time.Minute),
+ Update: schema.DefaultTimeout(20 * time.Minute),
+ Delete: schema.DefaultTimeout(20 * time.Minute),
+ },
+
+ CustomizeDiff: customdiff.All(
+ tpgresource.DefaultProviderProject,
+ ),
+
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ Description: `User-provided name of the Network firewall policy.
+The name should be unique in the project in which the firewall policy is created.
+The name must be 1-63 characters long, and comply with RFC1035. Specifically,
+the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?
+which means the first character must be a lowercase letter, and all following characters must be a dash,
+lowercase letter, or digit, except the last character, which cannot be a dash.`,
+ },
+ "rule": {
+ Type: schema.TypeList,
+ Required: true,
+ Description: `A list of firewall policy rules.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "action": {
+ Type: schema.TypeString,
+ Required: true,
+ Description: `The Action to perform when the client connection triggers the rule. Can currently be either
+"allow", "deny", "apply_security_profile_group" or "goto_next".`,
+ },
+ "match": {
+ Type: schema.TypeList,
+ Required: true,
+ Description: `A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.`,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "layer4_config": {
+ Type: schema.TypeList,
+ Required: true,
+ Description: `Pairs of IP protocols and ports that the rule should match.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "ip_protocol": {
+ Type: schema.TypeString,
+ Required: true,
+ Description: `The IP protocol to which this rule applies. The protocol
+type is required when creating a firewall rule.
+This value can either be one of the following well
+known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
+or the IP protocol number.`,
+ },
+ "ports": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `An optional list of ports to which this rule applies. This field
+is only applicable for UDP or TCP protocol. Each entry must be
+either an integer or a range. If not specified, this rule
+applies to connections through any port.
+Example inputs include: ["22"], ["80","443"], and
+["12345-12349"].`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ },
+ },
+ "dest_address_groups": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Address groups which should be matched against the traffic destination.
+Maximum number of destination address groups is 10.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_fqdns": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Fully Qualified Domain Name (FQDN) which should be matched against
+traffic destination. Maximum number of destination fqdn allowed is 100.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_ip_ranges": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Destination IP address range in CIDR format. Required for
+EGRESS rules.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_region_codes": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Region codes whose IP addresses will be used to match for destination
+of traffic. Should be specified as 2 letter country code defined as per
+ISO 3166 alpha-2 country codes. ex."US"
+Maximum number of destination region codes allowed is 5000.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_threat_intelligences": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Names of Network Threat Intelligence lists.
+The IPs in these lists will be matched against traffic destination.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_address_groups": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Address groups which should be matched against the traffic source.
+Maximum number of source address groups is 10.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_fqdns": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Fully Qualified Domain Name (FQDN) which should be matched against
+traffic source. Maximum number of source fqdn allowed is 100.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_ip_ranges": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Source IP address range in CIDR format. Required for
+INGRESS rules.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_region_codes": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Region codes whose IP addresses will be used to match for source
+of traffic. Should be specified as 2 letter country code defined as per
+ISO 3166 alpha-2 country codes. ex."US"
+Maximum number of source region codes allowed is 5000.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_secure_tag": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `List of secure tag values, which should be matched at the source
+of the traffic.
+For INGRESS rule, if all the srcSecureTag are INEFFECTIVE,
+and there is no srcIpRange, this rule will be ignored.
+Maximum number of source tag values allowed is 256.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `Name of the secure tag, created with TagManager's TagValue API.
+@pattern tagValues/[0-9]+`,
+ },
+ "state": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or
+'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted
+or its network is deleted.`,
+ },
+ },
+ },
+ },
+ "src_threat_intelligences": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Names of Network Threat Intelligence lists.
+The IPs in these lists will be matched against traffic source.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ },
+ },
+ "priority": {
+ Type: schema.TypeInt,
+ Required: true,
+ Description: `An integer indicating the priority of a rule in the list. The priority must be a value
+between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
+highest priority and 2147483647 is the lowest priority.`,
+ },
+ "description": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `A description of the rule.`,
+ },
+ "direction": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: verify.ValidateEnum([]string{"INGRESS", "EGRESS", ""}),
+ Description: `The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values: ["INGRESS", "EGRESS"]`,
+ },
+ "disabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: `Denotes whether the firewall policy rule is disabled. When set to true,
+the firewall policy rule is not enforced and traffic behaves as if it did
+not exist. If this is unspecified, the firewall policy rule will be
+enabled.`,
+ },
+ "enable_logging": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: `Denotes whether to enable logging for a particular rule.
+If logging is enabled, logs will be exported to the
+configured export destination in Stackdriver.`,
+ },
+ "rule_name": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `An optional name for the rule. This field is not a unique identifier
+and can be updated.`,
+ },
+ "security_profile_group": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `A fully-qualified URL of a SecurityProfile resource instance.
+Example:
+https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
+Must be specified if action is 'apply_security_profile_group'.`,
+ },
+ "target_secure_tag": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `A list of secure tags that controls which instances the firewall rule
+applies to. If targetSecureTag are specified, then the
+firewall rule applies only to instances in the VPC network that have one
+of those EFFECTIVE secure tags, if all the target_secure_tag are in
+INEFFECTIVE state, then this rule will be ignored.
+targetSecureTag may not be set at the same time as
+targetServiceAccounts.
+If neither targetServiceAccounts nor
+targetSecureTag are specified, the firewall rule applies
+to all instances on the specified network.
+Maximum number of target label tags allowed is 256.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `Name of the secure tag, created with TagManager's TagValue API.
+@pattern tagValues/[0-9]+`,
+ },
+ "state": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or
+'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted
+or its network is deleted.`,
+ },
+ },
+ },
+ },
+ "target_service_accounts": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `A list of service accounts indicating the sets of
+instances that are applied with this rule.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "tls_inspect": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: `Boolean flag indicating if the traffic should be TLS decrypted.
+It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.`,
+ },
+ },
+ },
+ },
+ "description": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `An optional description of this resource.`,
+ },
+ "region": {
+ Type: schema.TypeString,
+ Computed: true,
+ Optional: true,
+ ForceNew: true,
+ Description: `The region of this resource.`,
+ },
+ "creation_timestamp": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `Creation timestamp in RFC3339 text format.`,
+ },
+ "fingerprint": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `Fingerprint of the resource. This field is used internally during updates of this resource.`,
+ },
+ "network_firewall_policy_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `The unique identifier for the resource. This identifier is defined by the server.`,
+ },
+ "predefined_rules": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `A list of firewall policy pre-defined rules.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "action": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `The Action to perform when the client connection triggers the rule. Can currently be either
+"allow", "deny", "apply_security_profile_group" or "goto_next".`,
+ },
+ "description": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `A description of the rule.`,
+ },
+ "direction": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `The direction in which this rule applies. If unspecified an INGRESS rule is created.`,
+ },
+ "disabled": {
+ Type: schema.TypeBool,
+ Computed: true,
+ Description: `Denotes whether the firewall policy rule is disabled. When set to true,
+the firewall policy rule is not enforced and traffic behaves as if it did
+not exist. If this is unspecified, the firewall policy rule will be
+enabled.`,
+ },
+ "enable_logging": {
+ Type: schema.TypeBool,
+ Computed: true,
+ Description: `Denotes whether to enable logging for a particular rule.
+If logging is enabled, logs will be exported to the
+configured export destination in Stackdriver.`,
+ },
+ "match": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "dest_address_groups": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Address groups which should be matched against the traffic destination.
+Maximum number of destination address groups is 10.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_fqdns": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Fully Qualified Domain Name (FQDN) which should be matched against
+traffic destination. Maximum number of destination fqdn allowed is 100.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_ip_ranges": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Destination IP address range in CIDR format. Required for
+EGRESS rules.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_region_codes": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Region codes whose IP addresses will be used to match for destination
+of traffic. Should be specified as 2 letter country code defined as per
+ISO 3166 alpha-2 country codes. ex."US"
+Maximum number of destination region codes allowed is 5000.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "dest_threat_intelligences": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Names of Network Threat Intelligence lists.
+The IPs in these lists will be matched against traffic destination.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "layer4_config": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Pairs of IP protocols and ports that the rule should match.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "ip_protocol": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `The IP protocol to which this rule applies. The protocol
+type is required when creating a firewall rule.
+This value can either be one of the following well
+known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
+or the IP protocol number.`,
+ },
+ "ports": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `An optional list of ports to which this rule applies. This field
+is only applicable for UDP or TCP protocol. Each entry must be
+either an integer or a range. If not specified, this rule
+applies to connections through any port.
+Example inputs include: ["22"], ["80","443"], and
+["12345-12349"].`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ },
+ },
+ "src_address_groups": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Address groups which should be matched against the traffic source.
+Maximum number of source address groups is 10.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_fqdns": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Fully Qualified Domain Name (FQDN) which should be matched against
+traffic source. Maximum number of source fqdn allowed is 100.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_ip_ranges": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Source IP address range in CIDR format. Required for
+INGRESS rules.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_region_codes": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Region codes whose IP addresses will be used to match for source
+of traffic. Should be specified as 2 letter country code defined as per
+ISO 3166 alpha-2 country codes. ex."US"
+Maximum number of source region codes allowed is 5000.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "src_secure_tag": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `List of secure tag values, which should be matched at the source
+of the traffic.
+For INGRESS rule, if all the srcSecureTag are INEFFECTIVE,
+and there is no srcIpRange, this rule will be ignored.
+Maximum number of source tag values allowed is 256.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `Name of the secure tag, created with TagManager's TagValue API.
+@pattern tagValues/[0-9]+`,
+ },
+ "state": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or
+'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted
+or its network is deleted.`,
+ },
+ },
+ },
+ },
+ "src_threat_intelligences": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `Names of Network Threat Intelligence lists.
+The IPs in these lists will be matched against traffic source.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ },
+ },
+ "priority": {
+ Type: schema.TypeInt,
+ Computed: true,
+ Description: `An integer indicating the priority of a rule in the list. The priority must be a value
+between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
+highest priority and 2147483647 is the lowest priority.`,
+ },
+ "rule_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `An optional name for the rule. This field is not a unique identifier
+and can be updated.`,
+ },
+ "security_profile_group": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `A fully-qualified URL of a SecurityProfile resource instance.
+Example:
+https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
+Must be specified if action is 'apply_security_profile_group'.`,
+ },
+ "target_secure_tag": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `A list of secure tags that controls which instances the firewall rule
+applies to. If targetSecureTag are specified, then the
+firewall rule applies only to instances in the VPC network that have one
+of those EFFECTIVE secure tags, if all the target_secure_tag are in
+INEFFECTIVE state, then this rule will be ignored.
+targetSecureTag may not be set at the same time as
+targetServiceAccounts.
+If neither targetServiceAccounts nor
+targetSecureTag are specified, the firewall rule applies
+to all instances on the specified network.
+Maximum number of target label tags allowed is 256.`,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `Name of the secure tag, created with TagManager's TagValue API.
+@pattern tagValues/[0-9]+`,
+ },
+ "state": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or
+'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted
+or its network is deleted.`,
+ },
+ },
+ },
+ },
+ "target_service_accounts": {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: `A list of service accounts indicating the sets of
+instances that are applied with this rule.`,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "tls_inspect": {
+ Type: schema.TypeBool,
+ Computed: true,
+ Description: `Boolean flag indicating if the traffic should be TLS decrypted.
+It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.`,
+ },
+ },
+ },
+ },
+ "rule_tuple_count": {
+ Type: schema.TypeInt,
+ Computed: true,
+ Description: `Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.`,
+ },
+ "self_link": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `Server-defined URL for the resource.`,
+ },
+ "self_link_with_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: `Server-defined URL for this resource with the resource id.`,
+ },
+ "project": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ ForceNew: true,
+ },
+ },
+ UseJSONNumber: true,
+ }
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesCreate(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*transport_tpg.Config)
+ userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+ if err != nil {
+ return err
+ }
+
+ obj := make(map[string]interface{})
+ nameProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesName(d.Get("name"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("name"); !tpgresource.IsEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) {
+ obj["name"] = nameProp
+ }
+ descriptionProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesDescription(d.Get("description"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+ obj["description"] = descriptionProp
+ }
+ rulesProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesRule(d.Get("rule"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("rule"); !tpgresource.IsEmptyValue(reflect.ValueOf(rulesProp)) && (ok || !reflect.DeepEqual(v, rulesProp)) {
+ obj["rules"] = rulesProp
+ }
+ fingerprintProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesFingerprint(d.Get("fingerprint"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("fingerprint"); !tpgresource.IsEmptyValue(reflect.ValueOf(fingerprintProp)) && (ok || !reflect.DeepEqual(v, fingerprintProp)) {
+ obj["fingerprint"] = fingerprintProp
+ }
+
+ obj, err = resourceComputeRegionNetworkFirewallPolicyWithRulesEncoder(d, meta, obj)
+ if err != nil {
+ return err
+ }
+
+ url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies")
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Creating new RegionNetworkFirewallPolicyWithRules: %#v", obj)
+ billingProject := ""
+
+ project, err := tpgresource.GetProject(d, config)
+ if err != nil {
+ return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ billingProject = strings.TrimPrefix(project, "projects/")
+
+ // err == nil indicates that the billing_project value was found
+ if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+ billingProject = bp
+ }
+
+ headers := make(http.Header)
+ res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "POST",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: userAgent,
+ Body: obj,
+ Timeout: d.Timeout(schema.TimeoutCreate),
+ Headers: headers,
+ })
+ if err != nil {
+ return fmt.Errorf("Error creating RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+
+ // Store the ID now
+ id, err := tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return fmt.Errorf("Error constructing id: %s", err)
+ }
+ d.SetId(id)
+
+ err = ComputeOperationWaitTime(
+ config, res, tpgresource.GetResourceNameFromSelfLink(project), "Creating RegionNetworkFirewallPolicyWithRules", userAgent,
+ d.Timeout(schema.TimeoutCreate))
+
+ if err != nil {
+ // The resource didn't actually create
+ d.SetId("")
+ return fmt.Errorf("Error waiting to create RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+
+ log.Printf("[DEBUG] Post-create for RegionNetworkFirewallPolicyWithRules %q", d.Id())
+
+ url, err = tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return err
+ }
+
+ headers = make(http.Header)
+ res, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "GET",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: userAgent,
+ Headers: headers,
+ })
+ if err != nil {
+ return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("ComputeRegionNetworkFirewallPolicyWithRules %q", d.Id()))
+ }
+
+ if err := d.Set("fingerprint", flattenComputeRegionNetworkFirewallPolicyWithRulesFingerprint(res["fingerprint"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+
+ res, err = resourceComputeRegionNetworkFirewallPolicyWithRulesDecoder(d, meta, res)
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Updating RegionNetworkFirewallPolicyWithRules %q", d.Id())
+ return resourceComputeRegionNetworkFirewallPolicyWithRulesUpdate(d, meta)
+
+ log.Printf("[DEBUG] Finished creating RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), res)
+
+ return resourceComputeRegionNetworkFirewallPolicyWithRulesRead(d, meta)
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesRead(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*transport_tpg.Config)
+ userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+ if err != nil {
+ return err
+ }
+
+ url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return err
+ }
+
+ billingProject := ""
+
+ project, err := tpgresource.GetProject(d, config)
+ if err != nil {
+ return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ billingProject = strings.TrimPrefix(project, "projects/")
+
+ // err == nil indicates that the billing_project value was found
+ if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+ billingProject = bp
+ }
+
+ headers := make(http.Header)
+ res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "GET",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: userAgent,
+ Headers: headers,
+ })
+ if err != nil {
+ return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("ComputeRegionNetworkFirewallPolicyWithRules %q", d.Id()))
+ }
+
+ res, err = resourceComputeRegionNetworkFirewallPolicyWithRulesDecoder(d, meta, res)
+ if err != nil {
+ return err
+ }
+
+ if res == nil {
+ // Decoding the object has resulted in it being gone. It may be marked deleted
+ log.Printf("[DEBUG] Removing ComputeRegionNetworkFirewallPolicyWithRules because it no longer exists.")
+ d.SetId("")
+ return nil
+ }
+
+ if err := d.Set("project", project); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+
+ if err := d.Set("creation_timestamp", flattenComputeRegionNetworkFirewallPolicyWithRulesCreationTimestamp(res["creationTimestamp"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("name", flattenComputeRegionNetworkFirewallPolicyWithRulesName(res["name"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("network_firewall_policy_id", flattenComputeRegionNetworkFirewallPolicyWithRulesNetworkFirewallPolicyId(res["id"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("description", flattenComputeRegionNetworkFirewallPolicyWithRulesDescription(res["description"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("rule", flattenComputeRegionNetworkFirewallPolicyWithRulesRule(res["rules"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("predefined_rules", flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRules(res["predefinedRules"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("fingerprint", flattenComputeRegionNetworkFirewallPolicyWithRulesFingerprint(res["fingerprint"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("self_link", flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLink(res["selfLink"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("self_link_with_id", flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLinkWithId(res["selfLinkWithId"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ if err := d.Set("rule_tuple_count", flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTupleCount(res["ruleTupleCount"], d, config)); err != nil {
+ return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+
+ return nil
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesUpdate(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*transport_tpg.Config)
+ userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+ if err != nil {
+ return err
+ }
+
+ billingProject := ""
+
+ project, err := tpgresource.GetProject(d, config)
+ if err != nil {
+ return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ billingProject = strings.TrimPrefix(project, "projects/")
+
+ obj := make(map[string]interface{})
+ descriptionProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesDescription(d.Get("description"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+ obj["description"] = descriptionProp
+ }
+ rulesProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesRule(d.Get("rule"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("rule"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, rulesProp)) {
+ obj["rules"] = rulesProp
+ }
+ fingerprintProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesFingerprint(d.Get("fingerprint"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("fingerprint"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, fingerprintProp)) {
+ obj["fingerprint"] = fingerprintProp
+ }
+
+ obj, err = resourceComputeRegionNetworkFirewallPolicyWithRulesUpdateEncoder(d, meta, obj)
+ if err != nil {
+ return err
+ }
+
+ url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Updating RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), obj)
+ headers := make(http.Header)
+
+ // err == nil indicates that the billing_project value was found
+ if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+ billingProject = bp
+ }
+
+ res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "PATCH",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: userAgent,
+ Body: obj,
+ Timeout: d.Timeout(schema.TimeoutUpdate),
+ Headers: headers,
+ })
+
+ if err != nil {
+ return fmt.Errorf("Error updating RegionNetworkFirewallPolicyWithRules %q: %s", d.Id(), err)
+ } else {
+ log.Printf("[DEBUG] Finished updating RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), res)
+ }
+
+ err = ComputeOperationWaitTime(
+ config, res, tpgresource.GetResourceNameFromSelfLink(project), "Updating RegionNetworkFirewallPolicyWithRules", userAgent,
+ d.Timeout(schema.TimeoutUpdate))
+
+ if err != nil {
+ return err
+ }
+
+ return resourceComputeRegionNetworkFirewallPolicyWithRulesRead(d, meta)
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesDelete(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*transport_tpg.Config)
+ userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+ if err != nil {
+ return err
+ }
+
+ billingProject := ""
+
+ project, err := tpgresource.GetProject(d, config)
+ if err != nil {
+ return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err)
+ }
+ billingProject = strings.TrimPrefix(project, "projects/")
+
+ url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return err
+ }
+
+ var obj map[string]interface{}
+
+ // err == nil indicates that the billing_project value was found
+ if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+ billingProject = bp
+ }
+
+ headers := make(http.Header)
+
+ log.Printf("[DEBUG] Deleting RegionNetworkFirewallPolicyWithRules %q", d.Id())
+ res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "DELETE",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: userAgent,
+ Body: obj,
+ Timeout: d.Timeout(schema.TimeoutDelete),
+ Headers: headers,
+ })
+ if err != nil {
+ return transport_tpg.HandleNotFoundError(err, d, "RegionNetworkFirewallPolicyWithRules")
+ }
+
+ err = ComputeOperationWaitTime(
+ config, res, tpgresource.GetResourceNameFromSelfLink(project), "Deleting RegionNetworkFirewallPolicyWithRules", userAgent,
+ d.Timeout(schema.TimeoutDelete))
+
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] Finished deleting RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), res)
+ return nil
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ config := meta.(*transport_tpg.Config)
+ if err := tpgresource.ParseImportId([]string{
+ "^projects/(?P[^/]+)/regions/(?P[^/]+)/firewallPolicies/(?P[^/]+)$",
+ "^(?P[^/]+)/(?P[^/]+)/(?P[^/]+)$",
+ "^(?P[^/]+)/(?P[^/]+)$",
+ "^(?P[^/]+)$",
+ }, d, config); err != nil {
+ return nil, err
+ }
+
+ // Replace import id for the resource id
+ id, err := tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return nil, fmt.Errorf("Error constructing id: %s", err)
+ }
+ d.SetId(id)
+
+ return []*schema.ResourceData{d}, nil
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesCreationTimestamp(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesNetworkFirewallPolicyId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRule(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "description": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(original["description"], d, config),
+ "rule_name": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(original["ruleName"], d, config),
+ "priority": flattenComputeRegionNetworkFirewallPolicyWithRulesRulePriority(original["priority"], d, config),
+ "match": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(original["match"], d, config),
+ "target_secure_tag": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(original["targetSecureTags"], d, config),
+ "action": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleAction(original["action"], d, config),
+ "direction": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(original["direction"], d, config),
+ "enable_logging": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(original["enableLogging"], d, config),
+ "target_service_accounts": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(original["targetServiceAccounts"], d, config),
+ "security_profile_group": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(original["securityProfileGroup"], d, config),
+ "tls_inspect": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(original["tlsInspect"], d, config),
+ "disabled": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(original["disabled"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRulePriority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ // Handles the string fixed64 format
+ if strVal, ok := v.(string); ok {
+ if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+ return intVal
+ }
+ }
+
+ // number values are represented as float64
+ if floatVal, ok := v.(float64); ok {
+ intVal := int(floatVal)
+ return intVal
+ }
+
+ return v // let terraform core handle it otherwise
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return nil
+ }
+ original := v.(map[string]interface{})
+ if len(original) == 0 {
+ return nil
+ }
+ transformed := make(map[string]interface{})
+ transformed["src_ip_ranges"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(original["srcIpRanges"], d, config)
+ transformed["dest_ip_ranges"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(original["destIpRanges"], d, config)
+ transformed["src_address_groups"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(original["srcAddressGroups"], d, config)
+ transformed["dest_address_groups"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(original["destAddressGroups"], d, config)
+ transformed["src_fqdns"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(original["srcFqdns"], d, config)
+ transformed["dest_fqdns"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(original["destFqdns"], d, config)
+ transformed["src_region_codes"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(original["srcRegionCodes"], d, config)
+ transformed["dest_region_codes"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(original["destRegionCodes"], d, config)
+ transformed["src_threat_intelligences"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(original["srcThreatIntelligences"], d, config)
+ transformed["dest_threat_intelligences"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(original["destThreatIntelligences"], d, config)
+ transformed["layer4_config"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(original["layer4Configs"], d, config)
+ transformed["src_secure_tag"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(original["srcSecureTags"], d, config)
+ return []interface{}{transformed}
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "ip_protocol": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(original["ipProtocol"], d, config),
+ "ports": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(original["ports"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "name": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(original["name"], d, config),
+ "state": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(original["state"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "name": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(original["name"], d, config),
+ "state": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(original["state"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRules(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "description": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDescription(original["description"], d, config),
+ "rule_name": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesRuleName(original["ruleName"], d, config),
+ "priority": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesPriority(original["priority"], d, config),
+ "match": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatch(original["match"], d, config),
+ "target_secure_tag": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTag(original["targetSecureTags"], d, config),
+ "action": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesAction(original["action"], d, config),
+ "direction": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDirection(original["direction"], d, config),
+ "enable_logging": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesEnableLogging(original["enableLogging"], d, config),
+ "target_service_accounts": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetServiceAccounts(original["targetServiceAccounts"], d, config),
+ "security_profile_group": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesSecurityProfileGroup(original["securityProfileGroup"], d, config),
+ "tls_inspect": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTlsInspect(original["tlsInspect"], d, config),
+ "disabled": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDisabled(original["disabled"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesRuleName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesPriority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ // Handles the string fixed64 format
+ if strVal, ok := v.(string); ok {
+ if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+ return intVal
+ }
+ }
+
+ // number values are represented as float64
+ if floatVal, ok := v.(float64); ok {
+ intVal := int(floatVal)
+ return intVal
+ }
+
+ return v // let terraform core handle it otherwise
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatch(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return nil
+ }
+ original := v.(map[string]interface{})
+ if len(original) == 0 {
+ return nil
+ }
+ transformed := make(map[string]interface{})
+ transformed["src_ip_ranges"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcIpRanges(original["srcIpRanges"], d, config)
+ transformed["dest_ip_ranges"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestIpRanges(original["destIpRanges"], d, config)
+ transformed["src_address_groups"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcAddressGroups(original["srcAddressGroups"], d, config)
+ transformed["dest_address_groups"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestAddressGroups(original["destAddressGroups"], d, config)
+ transformed["src_fqdns"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcFqdns(original["srcFqdns"], d, config)
+ transformed["dest_fqdns"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestFqdns(original["destFqdns"], d, config)
+ transformed["src_region_codes"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcRegionCodes(original["srcRegionCodes"], d, config)
+ transformed["dest_region_codes"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestRegionCodes(original["destRegionCodes"], d, config)
+ transformed["src_threat_intelligences"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcThreatIntelligences(original["srcThreatIntelligences"], d, config)
+ transformed["dest_threat_intelligences"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestThreatIntelligences(original["destThreatIntelligences"], d, config)
+ transformed["layer4_config"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4Config(original["layer4Configs"], d, config)
+ transformed["src_secure_tag"] =
+ flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTag(original["srcSecureTags"], d, config)
+ return []interface{}{transformed}
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4Config(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "ip_protocol": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigIpProtocol(original["ipProtocol"], d, config),
+ "ports": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigPorts(original["ports"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigIpProtocol(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigPorts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "name": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagName(original["name"], d, config),
+ "state": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagState(original["state"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return v
+ }
+ l := v.([]interface{})
+ transformed := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ original := raw.(map[string]interface{})
+ if len(original) < 1 {
+ // Do not include empty json objects coming back from the api
+ continue
+ }
+ transformed = append(transformed, map[string]interface{}{
+ "name": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagName(original["name"], d, config),
+ "state": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagState(original["state"], d, config),
+ })
+ }
+ return transformed
+}
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDirection(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesEnableLogging(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetServiceAccounts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesSecurityProfileGroup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTlsInspect(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDisabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesFingerprint(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLink(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLinkWithId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
+func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTupleCount(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ // Handles the string fixed64 format
+ if strVal, ok := v.(string); ok {
+ if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+ return intVal
+ }
+ }
+
+ // number values are represented as float64
+ if floatVal, ok := v.(float64); ok {
+ intVal := int(floatVal)
+ return intVal
+ }
+
+ return v // let terraform core handle it otherwise
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRule(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ req := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ if raw == nil {
+ continue
+ }
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedDescription, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(original["description"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDescription); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["description"] = transformedDescription
+ }
+
+ transformedRuleName, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(original["rule_name"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedRuleName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["ruleName"] = transformedRuleName
+ }
+
+ transformedPriority, err := expandComputeRegionNetworkFirewallPolicyWithRulesRulePriority(original["priority"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedPriority); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["priority"] = transformedPriority
+ }
+
+ transformedMatch, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(original["match"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedMatch); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["match"] = transformedMatch
+ }
+
+ transformedTargetSecureTag, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(original["target_secure_tag"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedTargetSecureTag); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["targetSecureTags"] = transformedTargetSecureTag
+ }
+
+ transformedAction, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleAction(original["action"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedAction); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["action"] = transformedAction
+ }
+
+ transformedDirection, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(original["direction"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDirection); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["direction"] = transformedDirection
+ }
+
+ transformedEnableLogging, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(original["enable_logging"], d, config)
+ if err != nil {
+ return nil, err
+ } else {
+ transformed["enableLogging"] = transformedEnableLogging
+ }
+
+ transformedTargetServiceAccounts, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(original["target_service_accounts"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedTargetServiceAccounts); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["targetServiceAccounts"] = transformedTargetServiceAccounts
+ }
+
+ transformedSecurityProfileGroup, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(original["security_profile_group"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSecurityProfileGroup); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["securityProfileGroup"] = transformedSecurityProfileGroup
+ }
+
+ transformedTlsInspect, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(original["tls_inspect"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedTlsInspect); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["tlsInspect"] = transformedTlsInspect
+ }
+
+ transformedDisabled, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(original["disabled"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDisabled); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["disabled"] = transformedDisabled
+ }
+
+ req = append(req, transformed)
+ }
+ return req, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRulePriority(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ if len(l) == 0 || l[0] == nil {
+ return nil, nil
+ }
+ raw := l[0]
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedSrcIpRanges, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(original["src_ip_ranges"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSrcIpRanges); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["srcIpRanges"] = transformedSrcIpRanges
+ }
+
+ transformedDestIpRanges, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(original["dest_ip_ranges"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDestIpRanges); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["destIpRanges"] = transformedDestIpRanges
+ }
+
+ transformedSrcAddressGroups, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(original["src_address_groups"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSrcAddressGroups); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["srcAddressGroups"] = transformedSrcAddressGroups
+ }
+
+ transformedDestAddressGroups, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(original["dest_address_groups"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDestAddressGroups); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["destAddressGroups"] = transformedDestAddressGroups
+ }
+
+ transformedSrcFqdns, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(original["src_fqdns"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSrcFqdns); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["srcFqdns"] = transformedSrcFqdns
+ }
+
+ transformedDestFqdns, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(original["dest_fqdns"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDestFqdns); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["destFqdns"] = transformedDestFqdns
+ }
+
+ transformedSrcRegionCodes, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(original["src_region_codes"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSrcRegionCodes); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["srcRegionCodes"] = transformedSrcRegionCodes
+ }
+
+ transformedDestRegionCodes, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(original["dest_region_codes"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDestRegionCodes); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["destRegionCodes"] = transformedDestRegionCodes
+ }
+
+ transformedSrcThreatIntelligences, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(original["src_threat_intelligences"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSrcThreatIntelligences); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["srcThreatIntelligences"] = transformedSrcThreatIntelligences
+ }
+
+ transformedDestThreatIntelligences, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(original["dest_threat_intelligences"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedDestThreatIntelligences); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["destThreatIntelligences"] = transformedDestThreatIntelligences
+ }
+
+ transformedLayer4Config, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(original["layer4_config"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedLayer4Config); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["layer4Configs"] = transformedLayer4Config
+ }
+
+ transformedSrcSecureTag, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(original["src_secure_tag"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedSrcSecureTag); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["srcSecureTags"] = transformedSrcSecureTag
+ }
+
+ return transformed, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ req := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ if raw == nil {
+ continue
+ }
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedIpProtocol, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(original["ip_protocol"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedIpProtocol); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["ipProtocol"] = transformedIpProtocol
+ }
+
+ transformedPorts, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(original["ports"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedPorts); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["ports"] = transformedPorts
+ }
+
+ req = append(req, transformed)
+ }
+ return req, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ req := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ if raw == nil {
+ continue
+ }
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedName, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(original["name"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["name"] = transformedName
+ }
+
+ transformedState, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(original["state"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedState); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["state"] = transformedState
+ }
+
+ req = append(req, transformed)
+ }
+ return req, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ req := make([]interface{}, 0, len(l))
+ for _, raw := range l {
+ if raw == nil {
+ continue
+ }
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedName, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(original["name"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["name"] = transformedName
+ }
+
+ transformedState, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(original["state"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedState); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["state"] = transformedState
+ }
+
+ req = append(req, transformed)
+ }
+ return req, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleAction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func expandComputeRegionNetworkFirewallPolicyWithRulesFingerprint(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
+ delete(obj, "rules") // Rules are not supported in the create API
+ return obj, nil
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesUpdateEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
+ config := meta.(*transport_tpg.Config)
+
+ predefinedRulesProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesRule(d.Get("predefined_rules"), d, config)
+ if err != nil {
+ return nil, err
+ }
+
+ rules := obj["rules"].([]interface{})
+ obj["rules"] = append(rules, predefinedRulesProp)
+
+ return obj, nil
+}
+
+func resourceComputeRegionNetworkFirewallPolicyWithRulesDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
+ rules, predefinedRules, err := regionNetworkFirewallPolicyWithRulesSplitPredefinedRules(res["rules"].([]interface{}))
+
+ if err != nil {
+ return nil, fmt.Errorf("Error occurred while splitting pre-defined rules: %s", err)
+ }
+
+ res["rules"] = rules
+ res["predefinedRules"] = predefinedRules
+
+ config := meta.(*transport_tpg.Config)
+
+ if err := d.Set("predefined_rules", flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRules(predefinedRules, d, config)); err != nil {
+ return nil, fmt.Errorf("Error occurred while setting pre-defined rules: %s", err)
+ }
+
+ return res, nil
+}
diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go
new file mode 100644
index 0000000000..ecb878c05e
--- /dev/null
+++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go
@@ -0,0 +1,185 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** Type: MMv1 ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package compute_test
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/hashicorp/terraform-plugin-testing/terraform"
+
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar"
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
+ transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
+)
+
+func TestAccComputeRegionNetworkFirewallPolicyWithRules_computeRegionNetworkFirewallPolicyWithRulesFullExample(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "org_id": envvar.GetTestOrgFromEnv(t),
+ "random_suffix": acctest.RandString(t, 10),
+ }
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+ CheckDestroy: testAccCheckComputeRegionNetworkFirewallPolicyWithRulesDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeRegionNetworkFirewallPolicyWithRules_computeRegionNetworkFirewallPolicyWithRulesFullExample(context),
+ },
+ {
+ ResourceName: "google_compute_region_network_firewall_policy_with_rules.region-network-firewall-policy-with-rules",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"region"},
+ },
+ },
+ })
+}
+
+func testAccComputeRegionNetworkFirewallPolicyWithRules_computeRegionNetworkFirewallPolicyWithRulesFullExample(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+data "google_project" "project" {
+ provider = google-beta
+}
+
+resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" {
+ name = "tf-test-tf-region-fw-policy-with-rules%{random_suffix}"
+ region = "us-west2"
+ description = "Terraform test"
+ provider = google-beta
+
+ rule {
+ description = "tcp rule"
+ priority = 1000
+ enable_logging = true
+ action = "allow"
+ direction = "EGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "tcp"
+ ports = [8080, 7070]
+ }
+ dest_ip_ranges = ["11.100.0.1/32"]
+ dest_fqdns = ["www.yyy.com", "www.zzz.com"]
+ dest_region_codes = ["HK", "IN"]
+ dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"]
+ dest_address_groups = [google_network_security_address_group.address_group_1.id]
+ }
+ target_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ rule {
+ description = "udp rule"
+ rule_name = "test-rule"
+ priority = 2000
+ enable_logging = false
+ action = "deny"
+ direction = "INGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "udp"
+ }
+ src_ip_ranges = ["0.0.0.0/0"]
+ src_fqdns = ["www.abc.com", "www.def.com"]
+ src_region_codes = ["US", "CA"]
+ src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"]
+ src_address_groups = [google_network_security_address_group.address_group_1.id]
+ src_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ disabled = true
+ }
+}
+
+resource "google_network_security_address_group" "address_group_1" {
+ provider = google-beta
+ name = "tf-test-tf-address-group%{random_suffix}"
+ parent = "projects/${data.google_project.project.name}"
+ description = "Regional address group"
+ location = "us-west2"
+ items = ["208.80.154.224/32"]
+ type = "IPV4"
+ capacity = 100
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+ provider = google-beta
+ description = "Tag key"
+ parent = "projects/${data.google_project.project.name}"
+ purpose = "GCE_FIREWALL"
+ short_name = "tf-test-tf-tag-key%{random_suffix}"
+ purpose_data = {
+ network = "${data.google_project.project.name}/default"
+ }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+ provider = google-beta
+ description = "Tag value"
+ parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}"
+ short_name = "tf-test-tf-tag-value%{random_suffix}"
+}
+`, context)
+}
+
+func testAccCheckComputeRegionNetworkFirewallPolicyWithRulesDestroyProducer(t *testing.T) func(s *terraform.State) error {
+ return func(s *terraform.State) error {
+ for name, rs := range s.RootModule().Resources {
+ if rs.Type != "google_compute_region_network_firewall_policy_with_rules" {
+ continue
+ }
+ if strings.HasPrefix(name, "data.") {
+ continue
+ }
+
+ config := acctest.GoogleProviderConfig(t)
+
+ url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}")
+ if err != nil {
+ return err
+ }
+
+ billingProject := ""
+
+ if config.BillingProject != "" {
+ billingProject = config.BillingProject
+ }
+
+ _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "GET",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: config.UserAgent,
+ })
+ if err == nil {
+ return fmt.Errorf("ComputeRegionNetworkFirewallPolicyWithRules still exists at %s", url)
+ }
+ }
+
+ return nil
+ }
+}
diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go
new file mode 100644
index 0000000000..7c19a251bb
--- /dev/null
+++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go
@@ -0,0 +1,139 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** Type: MMv1 ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+
+package compute
+
+import (
+ "context"
+ "log"
+ "strings"
+ "testing"
+
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar"
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/sweeper"
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
+ transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
+)
+
+func init() {
+ sweeper.AddTestSweepers("ComputeRegionNetworkFirewallPolicyWithRules", testSweepComputeRegionNetworkFirewallPolicyWithRules)
+}
+
+// At the time of writing, the CI only passes us-central1 as the region
+func testSweepComputeRegionNetworkFirewallPolicyWithRules(region string) error {
+ resourceName := "ComputeRegionNetworkFirewallPolicyWithRules"
+ log.Printf("[INFO][SWEEPER_LOG] Starting sweeper for %s", resourceName)
+
+ config, err := sweeper.SharedConfigForRegion(region)
+ if err != nil {
+ log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err)
+ return err
+ }
+
+ err = config.LoadAndValidate(context.Background())
+ if err != nil {
+ log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err)
+ return err
+ }
+
+ t := &testing.T{}
+ billingId := envvar.GetTestBillingAccountFromEnv(t)
+
+ // Setup variables to replace in list template
+ d := &tpgresource.ResourceDataMock{
+ FieldsInSchema: map[string]interface{}{
+ "project": config.Project,
+ "region": region,
+ "location": region,
+ "zone": "-",
+ "billing_account": billingId,
+ },
+ }
+
+ listTemplate := strings.Split("https://compute.googleapis.com/compute/beta/projects/{{project}}/regions/{{region}}/firewallPolicies", "?")[0]
+ listUrl, err := tpgresource.ReplaceVars(d, config, listTemplate)
+ if err != nil {
+ log.Printf("[INFO][SWEEPER_LOG] error preparing sweeper list url: %s", err)
+ return nil
+ }
+
+ res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "GET",
+ Project: config.Project,
+ RawURL: listUrl,
+ UserAgent: config.UserAgent,
+ })
+ if err != nil {
+ log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", listUrl, err)
+ return nil
+ }
+
+ resourceList, ok := res["regionNetworkFirewallPolicyWithRules"]
+ if !ok {
+ log.Printf("[INFO][SWEEPER_LOG] Nothing found in response.")
+ return nil
+ }
+
+ rl := resourceList.([]interface{})
+
+ log.Printf("[INFO][SWEEPER_LOG] Found %d items in %s list response.", len(rl), resourceName)
+ // Keep count of items that aren't sweepable for logging.
+ nonPrefixCount := 0
+ for _, ri := range rl {
+ obj := ri.(map[string]interface{})
+ if obj["name"] == nil {
+ log.Printf("[INFO][SWEEPER_LOG] %s resource name was nil", resourceName)
+ return nil
+ }
+
+ name := tpgresource.GetResourceNameFromSelfLink(obj["name"].(string))
+ // Skip resources that shouldn't be sweeped
+ if !sweeper.IsSweepableTestResource(name) {
+ nonPrefixCount++
+ continue
+ }
+
+ deleteTemplate := "https://compute.googleapis.com/compute/beta/projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}"
+ deleteUrl, err := tpgresource.ReplaceVars(d, config, deleteTemplate)
+ if err != nil {
+ log.Printf("[INFO][SWEEPER_LOG] error preparing delete url: %s", err)
+ return nil
+ }
+ deleteUrl = deleteUrl + name
+
+ // Don't wait on operations as we may have a lot to delete
+ _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "DELETE",
+ Project: config.Project,
+ RawURL: deleteUrl,
+ UserAgent: config.UserAgent,
+ })
+ if err != nil {
+ log.Printf("[INFO][SWEEPER_LOG] Error deleting for url %s : %s", deleteUrl, err)
+ } else {
+ log.Printf("[INFO][SWEEPER_LOG] Sent delete request for %s resource: %s", resourceName, name)
+ }
+ }
+
+ if nonPrefixCount > 0 {
+ log.Printf("[INFO][SWEEPER_LOG] %d items were non-sweepable and skipped.", nonPrefixCount)
+ }
+
+ return nil
+}
diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go
new file mode 100644
index 0000000000..8f2d904c52
--- /dev/null
+++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go
@@ -0,0 +1,213 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+package compute_test
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
+)
+
+func TestAccComputeRegionNetworkFirewallPolicyWithRules_update(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "random_suffix": acctest.RandString(t, 10),
+ }
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+ CheckDestroy: testAccCheckComputeRegionNetworkFirewallPolicyWithRulesDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeRegionNetworkFirewallPolicyWithRules_full(context),
+ },
+ {
+ ResourceName: "google_compute_region_network_firewall_policy_with_rules.region-network-firewall-policy-with-rules",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"region"},
+ },
+ {
+ Config: testAccComputeRegionNetworkFirewallPolicyWithRules_update(context),
+ },
+ {
+ ResourceName: "google_compute_region_network_firewall_policy_with_rules.region-network-firewall-policy-with-rules",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"region"},
+ },
+ },
+ })
+}
+
+func testAccComputeRegionNetworkFirewallPolicyWithRules_full(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+data "google_project" "project" {
+ provider = google-beta
+}
+
+resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" {
+ name = "tf-test-tf-region-fw-policy-with-rules%{random_suffix}"
+ region = "us-west2"
+ description = "Terraform test"
+ provider = google-beta
+
+ rule {
+ description = "tcp rule"
+ priority = 1000
+ enable_logging = true
+ action = "allow"
+ direction = "EGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "tcp"
+ ports = [8080, 7070]
+ }
+ dest_ip_ranges = ["11.100.0.1/32"]
+ dest_fqdns = ["www.yyy.com", "www.zzz.com"]
+ dest_region_codes = ["HK", "IN"]
+ dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"]
+ dest_address_groups = [google_network_security_address_group.address_group_1.id]
+ }
+ target_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ rule {
+ description = "udp rule"
+ rule_name = "test-rule"
+ priority = 2000
+ enable_logging = false
+ action = "deny"
+ direction = "INGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "udp"
+ }
+ src_ip_ranges = ["0.0.0.0/0"]
+ src_fqdns = ["www.abc.com", "www.def.com"]
+ src_region_codes = ["US", "CA"]
+ src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"]
+ src_address_groups = [google_network_security_address_group.address_group_1.id]
+ src_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ disabled = true
+ }
+}
+
+resource "google_network_security_address_group" "address_group_1" {
+ provider = google-beta
+ name = "tf-test-tf-address-group%{random_suffix}"
+ parent = "projects/${data.google_project.project.name}"
+ description = "Regional address group"
+ location = "us-west2"
+ items = ["208.80.154.224/32"]
+ type = "IPV4"
+ capacity = 100
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+ provider = google-beta
+ description = "Tag key"
+ parent = "projects/${data.google_project.project.name}"
+ purpose = "GCE_FIREWALL"
+ short_name = "tf-test-tf-tag-key%{random_suffix}"
+ purpose_data = {
+ network = "${data.google_project.project.name}/default"
+ }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+ provider = google-beta
+ description = "Tag value"
+ parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}"
+ short_name = "tf-test-tf-tag-value%{random_suffix}"
+}
+`, context)
+}
+
+func testAccComputeRegionNetworkFirewallPolicyWithRules_update(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+data "google_project" "project" {
+ provider = google-beta
+}
+
+resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" {
+ name = "tf-test-tf-fw-policy-with-rules%{random_suffix}"
+ description = "Terraform test - update"
+ region = "us-west2"
+ provider = google-beta
+
+ rule {
+ description = "tcp rule - changed"
+ priority = 1000
+ enable_logging = false
+ action = "allow"
+ direction = "EGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "tcp"
+ ports = [8080, 7070]
+ }
+ dest_ip_ranges = ["11.100.0.1/32"]
+ }
+ }
+ rule {
+ description = "new udp rule"
+ priority = 4000
+ enable_logging = true
+ action = "deny"
+ direction = "INGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "udp"
+ }
+ src_ip_ranges = ["0.0.0.0/0"]
+ src_fqdns = ["www.abc.com", "www.ghi.com"]
+ src_region_codes = ["IT", "FR"]
+ src_threat_intelligences = ["iplist-public-clouds"]
+ src_address_groups = [google_network_security_address_group.address_group_1.id]
+ src_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ disabled = false
+ }
+}
+
+resource "google_network_security_address_group" "address_group_1" {
+ provider = google-beta
+ name = "tf-test-tf-address-group%{random_suffix}"
+ parent = "projects/${data.google_project.project.name}"
+ description = "Regional address group"
+ location = "us-west2"
+ items = ["208.80.154.224/32"]
+ type = "IPV4"
+ capacity = 100
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+ provider = google-beta
+ description = "Tag key"
+ parent = "projects/${data.google_project.project.name}"
+ purpose = "GCE_FIREWALL"
+ short_name = "tf-test-tf-tag-key%{random_suffix}"
+ purpose_data = {
+ network = "${data.google_project.project.name}/default"
+ }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+ provider = google-beta
+ description = "Tag value"
+ parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}"
+ short_name = "tf-test-tf-tag-value%{random_suffix}"
+}
+`, context)
+}
diff --git a/website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown b/website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown
new file mode 100644
index 0000000000..8e45d97d07
--- /dev/null
+++ b/website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown
@@ -0,0 +1,608 @@
+---
+# ----------------------------------------------------------------------------
+#
+# *** AUTO GENERATED CODE *** Type: MMv1 ***
+#
+# ----------------------------------------------------------------------------
+#
+# This file is automatically generated by Magic Modules and manual
+# changes will be clobbered when the file is regenerated.
+#
+# Please read more about how to change this file in
+# .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+subcategory: "Compute Engine"
+description: |-
+ The Compute NetworkFirewallPolicy with rules resource
+---
+
+# google_compute_region_network_firewall_policy_with_rules
+
+The Compute NetworkFirewallPolicy with rules resource
+
+~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
+See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
+
+
+## Example Usage - Compute Region Network Firewall Policy With Rules Full
+
+
+```hcl
+data "google_project" "project" {
+ provider = google-beta
+}
+
+resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" {
+ name = "tf-region-fw-policy-with-rules"
+ region = "us-west2"
+ description = "Terraform test"
+ provider = google-beta
+
+ rule {
+ description = "tcp rule"
+ priority = 1000
+ enable_logging = true
+ action = "allow"
+ direction = "EGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "tcp"
+ ports = [8080, 7070]
+ }
+ dest_ip_ranges = ["11.100.0.1/32"]
+ dest_fqdns = ["www.yyy.com", "www.zzz.com"]
+ dest_region_codes = ["HK", "IN"]
+ dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"]
+ dest_address_groups = [google_network_security_address_group.address_group_1.id]
+ }
+ target_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ rule {
+ description = "udp rule"
+ rule_name = "test-rule"
+ priority = 2000
+ enable_logging = false
+ action = "deny"
+ direction = "INGRESS"
+ match {
+ layer4_config {
+ ip_protocol = "udp"
+ }
+ src_ip_ranges = ["0.0.0.0/0"]
+ src_fqdns = ["www.abc.com", "www.def.com"]
+ src_region_codes = ["US", "CA"]
+ src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"]
+ src_address_groups = [google_network_security_address_group.address_group_1.id]
+ src_secure_tag {
+ name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+ }
+ }
+ disabled = true
+ }
+}
+
+resource "google_network_security_address_group" "address_group_1" {
+ provider = google-beta
+ name = "tf-address-group"
+ parent = "projects/${data.google_project.project.name}"
+ description = "Regional address group"
+ location = "us-west2"
+ items = ["208.80.154.224/32"]
+ type = "IPV4"
+ capacity = 100
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+ provider = google-beta
+ description = "Tag key"
+ parent = "projects/${data.google_project.project.name}"
+ purpose = "GCE_FIREWALL"
+ short_name = "tf-tag-key"
+ purpose_data = {
+ network = "${data.google_project.project.name}/default"
+ }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+ provider = google-beta
+ description = "Tag value"
+ parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}"
+ short_name = "tf-tag-value"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `name` -
+ (Required)
+ User-provided name of the Network firewall policy.
+ The name should be unique in the project in which the firewall policy is created.
+ The name must be 1-63 characters long, and comply with RFC1035. Specifically,
+ the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?
+ which means the first character must be a lowercase letter, and all following characters must be a dash,
+ lowercase letter, or digit, except the last character, which cannot be a dash.
+
+* `rule` -
+ (Required)
+ A list of firewall policy rules.
+ Structure is [documented below](#nested_rule).
+
+
+The `rule` block supports:
+
+* `description` -
+ (Optional)
+ A description of the rule.
+
+* `rule_name` -
+ (Optional)
+ An optional name for the rule. This field is not a unique identifier
+ and can be updated.
+
+* `priority` -
+ (Required)
+ An integer indicating the priority of a rule in the list. The priority must be a value
+ between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
+ highest priority and 2147483647 is the lowest priority.
+
+* `match` -
+ (Required)
+ A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
+ Structure is [documented below](#nested_match).
+
+* `target_secure_tag` -
+ (Optional)
+ A list of secure tags that controls which instances the firewall rule
+ applies to. If targetSecureTag are specified, then the
+ firewall rule applies only to instances in the VPC network that have one
+ of those EFFECTIVE secure tags, if all the target_secure_tag are in
+ INEFFECTIVE state, then this rule will be ignored.
+ targetSecureTag may not be set at the same time as
+ targetServiceAccounts.
+ If neither targetServiceAccounts nor
+ targetSecureTag are specified, the firewall rule applies
+ to all instances on the specified network.
+ Maximum number of target label tags allowed is 256.
+ Structure is [documented below](#nested_target_secure_tag).
+
+* `action` -
+ (Required)
+ The Action to perform when the client connection triggers the rule. Can currently be either
+ "allow", "deny", "apply_security_profile_group" or "goto_next".
+
+* `direction` -
+ (Optional)
+ The direction in which this rule applies. If unspecified an INGRESS rule is created.
+ Possible values are: `INGRESS`, `EGRESS`.
+
+* `enable_logging` -
+ (Optional)
+ Denotes whether to enable logging for a particular rule.
+ If logging is enabled, logs will be exported to the
+ configured export destination in Stackdriver.
+
+* `target_service_accounts` -
+ (Optional)
+ A list of service accounts indicating the sets of
+ instances that are applied with this rule.
+
+* `security_profile_group` -
+ (Optional)
+ A fully-qualified URL of a SecurityProfile resource instance.
+ Example:
+ https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
+ Must be specified if action is 'apply_security_profile_group'.
+
+* `tls_inspect` -
+ (Optional)
+ Boolean flag indicating if the traffic should be TLS decrypted.
+ It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
+
+* `disabled` -
+ (Optional)
+ Denotes whether the firewall policy rule is disabled. When set to true,
+ the firewall policy rule is not enforced and traffic behaves as if it did
+ not exist. If this is unspecified, the firewall policy rule will be
+ enabled.
+
+
+The `match` block supports:
+
+* `src_ip_ranges` -
+ (Optional)
+ Source IP address range in CIDR format. Required for
+ INGRESS rules.
+
+* `dest_ip_ranges` -
+ (Optional)
+ Destination IP address range in CIDR format. Required for
+ EGRESS rules.
+
+* `src_address_groups` -
+ (Optional)
+ Address groups which should be matched against the traffic source.
+ Maximum number of source address groups is 10.
+
+* `dest_address_groups` -
+ (Optional)
+ Address groups which should be matched against the traffic destination.
+ Maximum number of destination address groups is 10.
+
+* `src_fqdns` -
+ (Optional)
+ Fully Qualified Domain Name (FQDN) which should be matched against
+ traffic source. Maximum number of source fqdn allowed is 100.
+
+* `dest_fqdns` -
+ (Optional)
+ Fully Qualified Domain Name (FQDN) which should be matched against
+ traffic destination. Maximum number of destination fqdn allowed is 100.
+
+* `src_region_codes` -
+ (Optional)
+ Region codes whose IP addresses will be used to match for source
+ of traffic. Should be specified as 2 letter country code defined as per
+ ISO 3166 alpha-2 country codes. ex."US"
+ Maximum number of source region codes allowed is 5000.
+
+* `dest_region_codes` -
+ (Optional)
+ Region codes whose IP addresses will be used to match for destination
+ of traffic. Should be specified as 2 letter country code defined as per
+ ISO 3166 alpha-2 country codes. ex."US"
+ Maximum number of destination region codes allowed is 5000.
+
+* `src_threat_intelligences` -
+ (Optional)
+ Names of Network Threat Intelligence lists.
+ The IPs in these lists will be matched against traffic source.
+
+* `dest_threat_intelligences` -
+ (Optional)
+ Names of Network Threat Intelligence lists.
+ The IPs in these lists will be matched against traffic destination.
+
+* `layer4_config` -
+ (Required)
+ Pairs of IP protocols and ports that the rule should match.
+ Structure is [documented below](#nested_layer4_config).
+
+* `src_secure_tag` -
+ (Optional)
+ List of secure tag values, which should be matched at the source
+ of the traffic.
+ For INGRESS rule, if all the srcSecureTag are INEFFECTIVE,
+ and there is no srcIpRange, this rule will be ignored.
+ Maximum number of source tag values allowed is 256.
+ Structure is [documented below](#nested_src_secure_tag).
+
+
+The `layer4_config` block supports:
+
+* `ip_protocol` -
+ (Required)
+ The IP protocol to which this rule applies. The protocol
+ type is required when creating a firewall rule.
+ This value can either be one of the following well
+ known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
+ or the IP protocol number.
+
+* `ports` -
+ (Optional)
+ An optional list of ports to which this rule applies. This field
+ is only applicable for UDP or TCP protocol. Each entry must be
+ either an integer or a range. If not specified, this rule
+ applies to connections through any port.
+ Example inputs include: ["22"], ["80","443"], and
+ ["12345-12349"].
+
+The `src_secure_tag` block supports:
+
+* `name` -
+ (Optional)
+ Name of the secure tag, created with TagManager's TagValue API.
+ @pattern tagValues/[0-9]+
+
+* `state` -
+ (Output)
+ [Output Only] State of the secure tag, either `EFFECTIVE` or
+ `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+ or its network is deleted.
+
+The `target_secure_tag` block supports:
+
+* `name` -
+ (Optional)
+ Name of the secure tag, created with TagManager's TagValue API.
+ @pattern tagValues/[0-9]+
+
+* `state` -
+ (Output)
+ [Output Only] State of the secure tag, either `EFFECTIVE` or
+ `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+ or its network is deleted.
+
+- - -
+
+
+* `description` -
+ (Optional)
+ An optional description of this resource.
+
+* `region` -
+ (Optional)
+ The region of this resource.
+
+* `project` - (Optional) The ID of the project in which the resource belongs.
+ If it is not provided, the provider project is used.
+
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+* `id` - an identifier for the resource with format `projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}`
+
+* `creation_timestamp` -
+ Creation timestamp in RFC3339 text format.
+
+* `network_firewall_policy_id` -
+ The unique identifier for the resource. This identifier is defined by the server.
+
+* `predefined_rules` -
+ A list of firewall policy pre-defined rules.
+ Structure is [documented below](#nested_predefined_rules).
+
+* `fingerprint` -
+ Fingerprint of the resource. This field is used internally during updates of this resource.
+
+* `self_link` -
+ Server-defined URL for the resource.
+
+* `self_link_with_id` -
+ Server-defined URL for this resource with the resource id.
+
+* `rule_tuple_count` -
+ Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
+
+
+The `predefined_rules` block contains:
+
+* `description` -
+ (Output)
+ A description of the rule.
+
+* `rule_name` -
+ (Output)
+ An optional name for the rule. This field is not a unique identifier
+ and can be updated.
+
+* `priority` -
+ (Output)
+ An integer indicating the priority of a rule in the list. The priority must be a value
+ between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
+ highest priority and 2147483647 is the lowest priority.
+
+* `match` -
+ (Output)
+ A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
+ Structure is [documented below](#nested_match).
+
+* `target_secure_tag` -
+ (Output)
+ A list of secure tags that controls which instances the firewall rule
+ applies to. If targetSecureTag are specified, then the
+ firewall rule applies only to instances in the VPC network that have one
+ of those EFFECTIVE secure tags, if all the target_secure_tag are in
+ INEFFECTIVE state, then this rule will be ignored.
+ targetSecureTag may not be set at the same time as
+ targetServiceAccounts.
+ If neither targetServiceAccounts nor
+ targetSecureTag are specified, the firewall rule applies
+ to all instances on the specified network.
+ Maximum number of target label tags allowed is 256.
+ Structure is [documented below](#nested_target_secure_tag).
+
+* `action` -
+ (Output)
+ The Action to perform when the client connection triggers the rule. Can currently be either
+ "allow", "deny", "apply_security_profile_group" or "goto_next".
+
+* `direction` -
+ (Output)
+ The direction in which this rule applies. If unspecified an INGRESS rule is created.
+
+* `enable_logging` -
+ (Output)
+ Denotes whether to enable logging for a particular rule.
+ If logging is enabled, logs will be exported to the
+ configured export destination in Stackdriver.
+
+* `target_service_accounts` -
+ (Output)
+ A list of service accounts indicating the sets of
+ instances that are applied with this rule.
+
+* `security_profile_group` -
+ (Output)
+ A fully-qualified URL of a SecurityProfile resource instance.
+ Example:
+ https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
+ Must be specified if action is 'apply_security_profile_group'.
+
+* `tls_inspect` -
+ (Output)
+ Boolean flag indicating if the traffic should be TLS decrypted.
+ It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
+
+* `disabled` -
+ (Output)
+ Denotes whether the firewall policy rule is disabled. When set to true,
+ the firewall policy rule is not enforced and traffic behaves as if it did
+ not exist. If this is unspecified, the firewall policy rule will be
+ enabled.
+
+
+The `match` block contains:
+
+* `src_ip_ranges` -
+ (Output)
+ Source IP address range in CIDR format. Required for
+ INGRESS rules.
+
+* `dest_ip_ranges` -
+ (Output)
+ Destination IP address range in CIDR format. Required for
+ EGRESS rules.
+
+* `src_address_groups` -
+ (Output)
+ Address groups which should be matched against the traffic source.
+ Maximum number of source address groups is 10.
+
+* `dest_address_groups` -
+ (Output)
+ Address groups which should be matched against the traffic destination.
+ Maximum number of destination address groups is 10.
+
+* `src_fqdns` -
+ (Output)
+ Fully Qualified Domain Name (FQDN) which should be matched against
+ traffic source. Maximum number of source fqdn allowed is 100.
+
+* `dest_fqdns` -
+ (Output)
+ Fully Qualified Domain Name (FQDN) which should be matched against
+ traffic destination. Maximum number of destination fqdn allowed is 100.
+
+* `src_region_codes` -
+ (Output)
+ Region codes whose IP addresses will be used to match for source
+ of traffic. Should be specified as 2 letter country code defined as per
+ ISO 3166 alpha-2 country codes. ex."US"
+ Maximum number of source region codes allowed is 5000.
+
+* `dest_region_codes` -
+ (Output)
+ Region codes whose IP addresses will be used to match for destination
+ of traffic. Should be specified as 2 letter country code defined as per
+ ISO 3166 alpha-2 country codes. ex."US"
+ Maximum number of destination region codes allowed is 5000.
+
+* `src_threat_intelligences` -
+ (Output)
+ Names of Network Threat Intelligence lists.
+ The IPs in these lists will be matched against traffic source.
+
+* `dest_threat_intelligences` -
+ (Output)
+ Names of Network Threat Intelligence lists.
+ The IPs in these lists will be matched against traffic destination.
+
+* `layer4_config` -
+ (Output)
+ Pairs of IP protocols and ports that the rule should match.
+ Structure is [documented below](#nested_layer4_config).
+
+* `src_secure_tag` -
+ (Output)
+ List of secure tag values, which should be matched at the source
+ of the traffic.
+ For INGRESS rule, if all the srcSecureTag are INEFFECTIVE,
+ and there is no srcIpRange, this rule will be ignored.
+ Maximum number of source tag values allowed is 256.
+ Structure is [documented below](#nested_src_secure_tag).
+
+
+The `layer4_config` block contains:
+
+* `ip_protocol` -
+ (Output)
+ The IP protocol to which this rule applies. The protocol
+ type is required when creating a firewall rule.
+ This value can either be one of the following well
+ known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
+ or the IP protocol number.
+
+* `ports` -
+ (Output)
+ An optional list of ports to which this rule applies. This field
+ is only applicable for UDP or TCP protocol. Each entry must be
+ either an integer or a range. If not specified, this rule
+ applies to connections through any port.
+ Example inputs include: ["22"], ["80","443"], and
+ ["12345-12349"].
+
+The `src_secure_tag` block contains:
+
+* `name` -
+ (Output)
+ Name of the secure tag, created with TagManager's TagValue API.
+ @pattern tagValues/[0-9]+
+
+* `state` -
+ (Output)
+ [Output Only] State of the secure tag, either `EFFECTIVE` or
+ `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+ or its network is deleted.
+
+The `target_secure_tag` block contains:
+
+* `name` -
+ (Output)
+ Name of the secure tag, created with TagManager's TagValue API.
+ @pattern tagValues/[0-9]+
+
+* `state` -
+ (Output)
+ [Output Only] State of the secure tag, either `EFFECTIVE` or
+ `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+ or its network is deleted.
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
+
+- `create` - Default is 20 minutes.
+- `update` - Default is 20 minutes.
+- `delete` - Default is 20 minutes.
+
+## Import
+
+
+RegionNetworkFirewallPolicyWithRules can be imported using any of these accepted formats:
+
+* `projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}`
+* `{{project}}/{{region}}/{{name}}`
+* `{{region}}/{{name}}`
+* `{{name}}`
+
+
+In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import RegionNetworkFirewallPolicyWithRules using one of the formats above. For example:
+
+```tf
+import {
+ id = "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}"
+ to = google_compute_region_network_firewall_policy_with_rules.default
+}
+```
+
+When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), RegionNetworkFirewallPolicyWithRules can be imported using one of the formats above. For example:
+
+```
+$ terraform import google_compute_region_network_firewall_policy_with_rules.default projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}
+$ terraform import google_compute_region_network_firewall_policy_with_rules.default {{project}}/{{region}}/{{name}}
+$ terraform import google_compute_region_network_firewall_policy_with_rules.default {{region}}/{{name}}
+$ terraform import google_compute_region_network_firewall_policy_with_rules.default {{name}}
+```
+
+## User Project Overrides
+
+This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).