From cd986171e14ea511213cb4972b20c27d9622dc72 Mon Sep 17 00:00:00 2001 From: The Magician Date: Thu, 19 Sep 2024 18:52:10 -0700 Subject: [PATCH] Add new compute-region-network-firewall-policy-with-rules resource (#11526) (#8225) [upstream:e1416b1dcbefbaa3202443aa2396f7001ad95eb8] Signed-off-by: Modular Magician --- .changelog/11526.txt | 3 + .../provider/provider_mmv1_resources.go | 5 +- ...gion_network_firewall_policy_with_rules.go | 2039 +++++++++++++++++ ...rewall_policy_with_rules_generated_test.go | 185 ++ ...work_firewall_policy_with_rules_sweeper.go | 139 ++ ...network_firewall_policy_with_rules_test.go | 213 ++ ...k_firewall_policy_with_rules.html.markdown | 608 +++++ 7 files changed, 3190 insertions(+), 2 deletions(-) create mode 100644 .changelog/11526.txt create mode 100644 google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go create mode 100644 google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go create mode 100644 google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go create mode 100644 google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go create mode 100644 website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown diff --git a/.changelog/11526.txt b/.changelog/11526.txt new file mode 100644 index 0000000000..ccc0b4a068 --- /dev/null +++ b/.changelog/11526.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +`google_compute_region_network_firewall_policy_with_rules` (beta) +``` \ No newline at end of file diff --git a/google-beta/provider/provider_mmv1_resources.go b/google-beta/provider/provider_mmv1_resources.go index 82eaee6b53..a141c64ad1 100644 --- a/google-beta/provider/provider_mmv1_resources.go +++ b/google-beta/provider/provider_mmv1_resources.go @@ -485,9 +485,9 @@ var handwrittenIAMDatasources = map[string]*schema.Resource{ } // Resources -// Generated resources: 527 +// Generated resources: 528 // Generated IAM resources: 291 -// Total generated resources: 818 +// Total generated resources: 819 var generatedResources = map[string]*schema.Resource{ "google_folder_access_approval_settings": accessapproval.ResourceAccessApprovalFolderSettings(), "google_organization_access_approval_settings": accessapproval.ResourceAccessApprovalOrganizationSettings(), @@ -747,6 +747,7 @@ var generatedResources = map[string]*schema.Resource{ "google_compute_region_network_endpoint": compute.ResourceComputeRegionNetworkEndpoint(), "google_compute_region_network_endpoint_group": compute.ResourceComputeRegionNetworkEndpointGroup(), "google_compute_region_network_firewall_policy": compute.ResourceComputeRegionNetworkFirewallPolicy(), + "google_compute_region_network_firewall_policy_with_rules": compute.ResourceComputeRegionNetworkFirewallPolicyWithRules(), "google_compute_region_per_instance_config": compute.ResourceComputeRegionPerInstanceConfig(), "google_compute_region_security_policy": compute.ResourceComputeRegionSecurityPolicy(), "google_compute_region_security_policy_rule": compute.ResourceComputeRegionSecurityPolicyRule(), diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go new file mode 100644 index 0000000000..1b254184f3 --- /dev/null +++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules.go @@ -0,0 +1,2039 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package compute + +import ( + "fmt" + "log" + "net/http" + "reflect" + "strings" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/verify" +) + +func regionNetworkFirewallPolicyWithRulesConvertPriorityToInt(v interface{}) (int64, error) { + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal, nil + } + } + + if intVal, ok := v.(int64); ok { + return intVal, nil + } + + if floatVal, ok := v.(float64); ok { + intVal := int64(floatVal) + return intVal, nil + } + return 0, fmt.Errorf("Incorrect rule priority: %s. Priority must be a number", v) +} + +func regionNetworkFirewallPolicyWithRulesIsPredefinedRule(rule map[string]interface{}) (bool, error) { + // Priorities from 2147483548 to 2147483647 are reserved and cannot be modified by the user. + const ReservedPriorityStart = 2147483548 + + priority := rule["priority"] + priorityInt, err := regionNetworkFirewallPolicyWithRulesConvertPriorityToInt(priority) + + if err != nil { + return false, err + } + + return priorityInt >= ReservedPriorityStart, nil +} + +func regionNetworkFirewallPolicyWithRulesSplitPredefinedRules(allRules []interface{}) ([]interface{}, []interface{}, error) { + predefinedRules := make([]interface{}, 0) + rules := make([]interface{}, 0) + + for _, rule := range allRules { + isPredefined, err := regionNetworkFirewallPolicyWithRulesIsPredefinedRule(rule.(map[string]interface{})) + if err != nil { + return nil, nil, err + } + + if isPredefined { + predefinedRules = append(predefinedRules, rule) + } else { + rules = append(rules, rule) + } + } + + return rules, predefinedRules, nil +} + +func ResourceComputeRegionNetworkFirewallPolicyWithRules() *schema.Resource { + return &schema.Resource{ + Create: resourceComputeRegionNetworkFirewallPolicyWithRulesCreate, + Read: resourceComputeRegionNetworkFirewallPolicyWithRulesRead, + Update: resourceComputeRegionNetworkFirewallPolicyWithRulesUpdate, + Delete: resourceComputeRegionNetworkFirewallPolicyWithRulesDelete, + + Importer: &schema.ResourceImporter{ + State: resourceComputeRegionNetworkFirewallPolicyWithRulesImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + CustomizeDiff: customdiff.All( + tpgresource.DefaultProviderProject, + ), + + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `User-provided name of the Network firewall policy. +The name should be unique in the project in which the firewall policy is created. +The name must be 1-63 characters long, and comply with RFC1035. Specifically, +the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? +which means the first character must be a lowercase letter, and all following characters must be a dash, +lowercase letter, or digit, except the last character, which cannot be a dash.`, + }, + "rule": { + Type: schema.TypeList, + Required: true, + Description: `A list of firewall policy rules.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Required: true, + Description: `The Action to perform when the client connection triggers the rule. Can currently be either +"allow", "deny", "apply_security_profile_group" or "goto_next".`, + }, + "match": { + Type: schema.TypeList, + Required: true, + Description: `A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "layer4_config": { + Type: schema.TypeList, + Required: true, + Description: `Pairs of IP protocols and ports that the rule should match.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ip_protocol": { + Type: schema.TypeString, + Required: true, + Description: `The IP protocol to which this rule applies. The protocol +type is required when creating a firewall rule. +This value can either be one of the following well +known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), +or the IP protocol number.`, + }, + "ports": { + Type: schema.TypeList, + Optional: true, + Description: `An optional list of ports to which this rule applies. This field +is only applicable for UDP or TCP protocol. Each entry must be +either an integer or a range. If not specified, this rule +applies to connections through any port. +Example inputs include: ["22"], ["80","443"], and +["12345-12349"].`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "dest_address_groups": { + Type: schema.TypeList, + Optional: true, + Description: `Address groups which should be matched against the traffic destination. +Maximum number of destination address groups is 10.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_fqdns": { + Type: schema.TypeList, + Optional: true, + Description: `Fully Qualified Domain Name (FQDN) which should be matched against +traffic destination. Maximum number of destination fqdn allowed is 100.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_ip_ranges": { + Type: schema.TypeList, + Optional: true, + Description: `Destination IP address range in CIDR format. Required for +EGRESS rules.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_region_codes": { + Type: schema.TypeList, + Optional: true, + Description: `Region codes whose IP addresses will be used to match for destination +of traffic. Should be specified as 2 letter country code defined as per +ISO 3166 alpha-2 country codes. ex."US" +Maximum number of destination region codes allowed is 5000.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_threat_intelligences": { + Type: schema.TypeList, + Optional: true, + Description: `Names of Network Threat Intelligence lists. +The IPs in these lists will be matched against traffic destination.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_address_groups": { + Type: schema.TypeList, + Optional: true, + Description: `Address groups which should be matched against the traffic source. +Maximum number of source address groups is 10.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_fqdns": { + Type: schema.TypeList, + Optional: true, + Description: `Fully Qualified Domain Name (FQDN) which should be matched against +traffic source. Maximum number of source fqdn allowed is 100.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_ip_ranges": { + Type: schema.TypeList, + Optional: true, + Description: `Source IP address range in CIDR format. Required for +INGRESS rules.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_region_codes": { + Type: schema.TypeList, + Optional: true, + Description: `Region codes whose IP addresses will be used to match for source +of traffic. Should be specified as 2 letter country code defined as per +ISO 3166 alpha-2 country codes. ex."US" +Maximum number of source region codes allowed is 5000.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_secure_tag": { + Type: schema.TypeList, + Optional: true, + Description: `List of secure tag values, which should be matched at the source +of the traffic. +For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, +and there is no srcIpRange, this rule will be ignored. +Maximum number of source tag values allowed is 256.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: `Name of the secure tag, created with TagManager's TagValue API. +@pattern tagValues/[0-9]+`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or +'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted +or its network is deleted.`, + }, + }, + }, + }, + "src_threat_intelligences": { + Type: schema.TypeList, + Optional: true, + Description: `Names of Network Threat Intelligence lists. +The IPs in these lists will be matched against traffic source.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "priority": { + Type: schema.TypeInt, + Required: true, + Description: `An integer indicating the priority of a rule in the list. The priority must be a value +between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the +highest priority and 2147483647 is the lowest priority.`, + }, + "description": { + Type: schema.TypeString, + Optional: true, + Description: `A description of the rule.`, + }, + "direction": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: verify.ValidateEnum([]string{"INGRESS", "EGRESS", ""}), + Description: `The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values: ["INGRESS", "EGRESS"]`, + }, + "disabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Denotes whether the firewall policy rule is disabled. When set to true, +the firewall policy rule is not enforced and traffic behaves as if it did +not exist. If this is unspecified, the firewall policy rule will be +enabled.`, + }, + "enable_logging": { + Type: schema.TypeBool, + Optional: true, + Description: `Denotes whether to enable logging for a particular rule. +If logging is enabled, logs will be exported to the +configured export destination in Stackdriver.`, + }, + "rule_name": { + Type: schema.TypeString, + Optional: true, + Description: `An optional name for the rule. This field is not a unique identifier +and can be updated.`, + }, + "security_profile_group": { + Type: schema.TypeString, + Optional: true, + Description: `A fully-qualified URL of a SecurityProfile resource instance. +Example: +https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group +Must be specified if action is 'apply_security_profile_group'.`, + }, + "target_secure_tag": { + Type: schema.TypeList, + Optional: true, + Description: `A list of secure tags that controls which instances the firewall rule +applies to. If targetSecureTag are specified, then the +firewall rule applies only to instances in the VPC network that have one +of those EFFECTIVE secure tags, if all the target_secure_tag are in +INEFFECTIVE state, then this rule will be ignored. +targetSecureTag may not be set at the same time as +targetServiceAccounts. +If neither targetServiceAccounts nor +targetSecureTag are specified, the firewall rule applies +to all instances on the specified network. +Maximum number of target label tags allowed is 256.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: `Name of the secure tag, created with TagManager's TagValue API. +@pattern tagValues/[0-9]+`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or +'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted +or its network is deleted.`, + }, + }, + }, + }, + "target_service_accounts": { + Type: schema.TypeList, + Optional: true, + Description: `A list of service accounts indicating the sets of +instances that are applied with this rule.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "tls_inspect": { + Type: schema.TypeBool, + Optional: true, + Description: `Boolean flag indicating if the traffic should be TLS decrypted. +It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.`, + }, + }, + }, + }, + "description": { + Type: schema.TypeString, + Optional: true, + Description: `An optional description of this resource.`, + }, + "region": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ForceNew: true, + Description: `The region of this resource.`, + }, + "creation_timestamp": { + Type: schema.TypeString, + Computed: true, + Description: `Creation timestamp in RFC3339 text format.`, + }, + "fingerprint": { + Type: schema.TypeString, + Computed: true, + Description: `Fingerprint of the resource. This field is used internally during updates of this resource.`, + }, + "network_firewall_policy_id": { + Type: schema.TypeString, + Computed: true, + Description: `The unique identifier for the resource. This identifier is defined by the server.`, + }, + "predefined_rules": { + Type: schema.TypeList, + Computed: true, + Description: `A list of firewall policy pre-defined rules.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Computed: true, + Description: `The Action to perform when the client connection triggers the rule. Can currently be either +"allow", "deny", "apply_security_profile_group" or "goto_next".`, + }, + "description": { + Type: schema.TypeString, + Computed: true, + Description: `A description of the rule.`, + }, + "direction": { + Type: schema.TypeString, + Computed: true, + Description: `The direction in which this rule applies. If unspecified an INGRESS rule is created.`, + }, + "disabled": { + Type: schema.TypeBool, + Computed: true, + Description: `Denotes whether the firewall policy rule is disabled. When set to true, +the firewall policy rule is not enforced and traffic behaves as if it did +not exist. If this is unspecified, the firewall policy rule will be +enabled.`, + }, + "enable_logging": { + Type: schema.TypeBool, + Computed: true, + Description: `Denotes whether to enable logging for a particular rule. +If logging is enabled, logs will be exported to the +configured export destination in Stackdriver.`, + }, + "match": { + Type: schema.TypeList, + Computed: true, + Description: `A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "dest_address_groups": { + Type: schema.TypeList, + Computed: true, + Description: `Address groups which should be matched against the traffic destination. +Maximum number of destination address groups is 10.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_fqdns": { + Type: schema.TypeList, + Computed: true, + Description: `Fully Qualified Domain Name (FQDN) which should be matched against +traffic destination. Maximum number of destination fqdn allowed is 100.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_ip_ranges": { + Type: schema.TypeList, + Computed: true, + Description: `Destination IP address range in CIDR format. Required for +EGRESS rules.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_region_codes": { + Type: schema.TypeList, + Computed: true, + Description: `Region codes whose IP addresses will be used to match for destination +of traffic. Should be specified as 2 letter country code defined as per +ISO 3166 alpha-2 country codes. ex."US" +Maximum number of destination region codes allowed is 5000.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "dest_threat_intelligences": { + Type: schema.TypeList, + Computed: true, + Description: `Names of Network Threat Intelligence lists. +The IPs in these lists will be matched against traffic destination.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "layer4_config": { + Type: schema.TypeList, + Computed: true, + Description: `Pairs of IP protocols and ports that the rule should match.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ip_protocol": { + Type: schema.TypeString, + Computed: true, + Description: `The IP protocol to which this rule applies. The protocol +type is required when creating a firewall rule. +This value can either be one of the following well +known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), +or the IP protocol number.`, + }, + "ports": { + Type: schema.TypeList, + Computed: true, + Description: `An optional list of ports to which this rule applies. This field +is only applicable for UDP or TCP protocol. Each entry must be +either an integer or a range. If not specified, this rule +applies to connections through any port. +Example inputs include: ["22"], ["80","443"], and +["12345-12349"].`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "src_address_groups": { + Type: schema.TypeList, + Computed: true, + Description: `Address groups which should be matched against the traffic source. +Maximum number of source address groups is 10.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_fqdns": { + Type: schema.TypeList, + Computed: true, + Description: `Fully Qualified Domain Name (FQDN) which should be matched against +traffic source. Maximum number of source fqdn allowed is 100.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_ip_ranges": { + Type: schema.TypeList, + Computed: true, + Description: `Source IP address range in CIDR format. Required for +INGRESS rules.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_region_codes": { + Type: schema.TypeList, + Computed: true, + Description: `Region codes whose IP addresses will be used to match for source +of traffic. Should be specified as 2 letter country code defined as per +ISO 3166 alpha-2 country codes. ex."US" +Maximum number of source region codes allowed is 5000.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "src_secure_tag": { + Type: schema.TypeList, + Computed: true, + Description: `List of secure tag values, which should be matched at the source +of the traffic. +For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, +and there is no srcIpRange, this rule will be ignored. +Maximum number of source tag values allowed is 256.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Computed: true, + Description: `Name of the secure tag, created with TagManager's TagValue API. +@pattern tagValues/[0-9]+`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or +'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted +or its network is deleted.`, + }, + }, + }, + }, + "src_threat_intelligences": { + Type: schema.TypeList, + Computed: true, + Description: `Names of Network Threat Intelligence lists. +The IPs in these lists will be matched against traffic source.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "priority": { + Type: schema.TypeInt, + Computed: true, + Description: `An integer indicating the priority of a rule in the list. The priority must be a value +between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the +highest priority and 2147483647 is the lowest priority.`, + }, + "rule_name": { + Type: schema.TypeString, + Computed: true, + Description: `An optional name for the rule. This field is not a unique identifier +and can be updated.`, + }, + "security_profile_group": { + Type: schema.TypeString, + Computed: true, + Description: `A fully-qualified URL of a SecurityProfile resource instance. +Example: +https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group +Must be specified if action is 'apply_security_profile_group'.`, + }, + "target_secure_tag": { + Type: schema.TypeList, + Computed: true, + Description: `A list of secure tags that controls which instances the firewall rule +applies to. If targetSecureTag are specified, then the +firewall rule applies only to instances in the VPC network that have one +of those EFFECTIVE secure tags, if all the target_secure_tag are in +INEFFECTIVE state, then this rule will be ignored. +targetSecureTag may not be set at the same time as +targetServiceAccounts. +If neither targetServiceAccounts nor +targetSecureTag are specified, the firewall rule applies +to all instances on the specified network. +Maximum number of target label tags allowed is 256.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Computed: true, + Description: `Name of the secure tag, created with TagManager's TagValue API. +@pattern tagValues/[0-9]+`, + }, + "state": { + Type: schema.TypeString, + Computed: true, + Description: `[Output Only] State of the secure tag, either 'EFFECTIVE' or +'INEFFECTIVE'. A secure tag is 'INEFFECTIVE' when it is deleted +or its network is deleted.`, + }, + }, + }, + }, + "target_service_accounts": { + Type: schema.TypeList, + Computed: true, + Description: `A list of service accounts indicating the sets of +instances that are applied with this rule.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "tls_inspect": { + Type: schema.TypeBool, + Computed: true, + Description: `Boolean flag indicating if the traffic should be TLS decrypted. +It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.`, + }, + }, + }, + }, + "rule_tuple_count": { + Type: schema.TypeInt, + Computed: true, + Description: `Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.`, + }, + "self_link": { + Type: schema.TypeString, + Computed: true, + Description: `Server-defined URL for the resource.`, + }, + "self_link_with_id": { + Type: schema.TypeString, + Computed: true, + Description: `Server-defined URL for this resource with the resource id.`, + }, + "project": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + }, + }, + UseJSONNumber: true, + } +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + nameProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesName(d.Get("name"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("name"); !tpgresource.IsEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) { + obj["name"] = nameProp + } + descriptionProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + rulesProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesRule(d.Get("rule"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("rule"); !tpgresource.IsEmptyValue(reflect.ValueOf(rulesProp)) && (ok || !reflect.DeepEqual(v, rulesProp)) { + obj["rules"] = rulesProp + } + fingerprintProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesFingerprint(d.Get("fingerprint"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("fingerprint"); !tpgresource.IsEmptyValue(reflect.ValueOf(fingerprintProp)) && (ok || !reflect.DeepEqual(v, fingerprintProp)) { + obj["fingerprint"] = fingerprintProp + } + + obj, err = resourceComputeRegionNetworkFirewallPolicyWithRulesEncoder(d, meta, obj) + if err != nil { + return err + } + + url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies") + if err != nil { + return err + } + + log.Printf("[DEBUG] Creating new RegionNetworkFirewallPolicyWithRules: %#v", obj) + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err) + } + billingProject = strings.TrimPrefix(project, "projects/") + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "POST", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutCreate), + Headers: headers, + }) + if err != nil { + return fmt.Errorf("Error creating RegionNetworkFirewallPolicyWithRules: %s", err) + } + + // Store the ID now + id, err := tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + err = ComputeOperationWaitTime( + config, res, tpgresource.GetResourceNameFromSelfLink(project), "Creating RegionNetworkFirewallPolicyWithRules", userAgent, + d.Timeout(schema.TimeoutCreate)) + + if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error waiting to create RegionNetworkFirewallPolicyWithRules: %s", err) + } + + log.Printf("[DEBUG] Post-create for RegionNetworkFirewallPolicyWithRules %q", d.Id()) + + url, err = tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return err + } + + headers = make(http.Header) + res, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("ComputeRegionNetworkFirewallPolicyWithRules %q", d.Id())) + } + + if err := d.Set("fingerprint", flattenComputeRegionNetworkFirewallPolicyWithRulesFingerprint(res["fingerprint"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + + res, err = resourceComputeRegionNetworkFirewallPolicyWithRulesDecoder(d, meta, res) + if err != nil { + return err + } + + log.Printf("[DEBUG] Updating RegionNetworkFirewallPolicyWithRules %q", d.Id()) + return resourceComputeRegionNetworkFirewallPolicyWithRulesUpdate(d, meta) + + log.Printf("[DEBUG] Finished creating RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), res) + + return resourceComputeRegionNetworkFirewallPolicyWithRulesRead(d, meta) +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return err + } + + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err) + } + billingProject = strings.TrimPrefix(project, "projects/") + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("ComputeRegionNetworkFirewallPolicyWithRules %q", d.Id())) + } + + res, err = resourceComputeRegionNetworkFirewallPolicyWithRulesDecoder(d, meta, res) + if err != nil { + return err + } + + if res == nil { + // Decoding the object has resulted in it being gone. It may be marked deleted + log.Printf("[DEBUG] Removing ComputeRegionNetworkFirewallPolicyWithRules because it no longer exists.") + d.SetId("") + return nil + } + + if err := d.Set("project", project); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + + if err := d.Set("creation_timestamp", flattenComputeRegionNetworkFirewallPolicyWithRulesCreationTimestamp(res["creationTimestamp"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("name", flattenComputeRegionNetworkFirewallPolicyWithRulesName(res["name"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("network_firewall_policy_id", flattenComputeRegionNetworkFirewallPolicyWithRulesNetworkFirewallPolicyId(res["id"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("description", flattenComputeRegionNetworkFirewallPolicyWithRulesDescription(res["description"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("rule", flattenComputeRegionNetworkFirewallPolicyWithRulesRule(res["rules"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("predefined_rules", flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRules(res["predefinedRules"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("fingerprint", flattenComputeRegionNetworkFirewallPolicyWithRulesFingerprint(res["fingerprint"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("self_link", flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLink(res["selfLink"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("self_link_with_id", flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLinkWithId(res["selfLinkWithId"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + if err := d.Set("rule_tuple_count", flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTupleCount(res["ruleTupleCount"], d, config)); err != nil { + return fmt.Errorf("Error reading RegionNetworkFirewallPolicyWithRules: %s", err) + } + + return nil +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err) + } + billingProject = strings.TrimPrefix(project, "projects/") + + obj := make(map[string]interface{}) + descriptionProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + rulesProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesRule(d.Get("rule"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("rule"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, rulesProp)) { + obj["rules"] = rulesProp + } + fingerprintProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesFingerprint(d.Get("fingerprint"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("fingerprint"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, fingerprintProp)) { + obj["fingerprint"] = fingerprintProp + } + + obj, err = resourceComputeRegionNetworkFirewallPolicyWithRulesUpdateEncoder(d, meta, obj) + if err != nil { + return err + } + + url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Updating RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), obj) + headers := make(http.Header) + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "PATCH", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutUpdate), + Headers: headers, + }) + + if err != nil { + return fmt.Errorf("Error updating RegionNetworkFirewallPolicyWithRules %q: %s", d.Id(), err) + } else { + log.Printf("[DEBUG] Finished updating RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), res) + } + + err = ComputeOperationWaitTime( + config, res, tpgresource.GetResourceNameFromSelfLink(project), "Updating RegionNetworkFirewallPolicyWithRules", userAgent, + d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return err + } + + return resourceComputeRegionNetworkFirewallPolicyWithRulesRead(d, meta) +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for RegionNetworkFirewallPolicyWithRules: %s", err) + } + billingProject = strings.TrimPrefix(project, "projects/") + + url, err := tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return err + } + + var obj map[string]interface{} + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + + log.Printf("[DEBUG] Deleting RegionNetworkFirewallPolicyWithRules %q", d.Id()) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutDelete), + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, "RegionNetworkFirewallPolicyWithRules") + } + + err = ComputeOperationWaitTime( + config, res, tpgresource.GetResourceNameFromSelfLink(project), "Deleting RegionNetworkFirewallPolicyWithRules", userAgent, + d.Timeout(schema.TimeoutDelete)) + + if err != nil { + return err + } + + log.Printf("[DEBUG] Finished deleting RegionNetworkFirewallPolicyWithRules %q: %#v", d.Id(), res) + return nil +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*transport_tpg.Config) + if err := tpgresource.ParseImportId([]string{ + "^projects/(?P[^/]+)/regions/(?P[^/]+)/firewallPolicies/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)$", + "^(?P[^/]+)$", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err := tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesCreationTimestamp(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesNetworkFirewallPolicyId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRule(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "description": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(original["description"], d, config), + "rule_name": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(original["ruleName"], d, config), + "priority": flattenComputeRegionNetworkFirewallPolicyWithRulesRulePriority(original["priority"], d, config), + "match": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(original["match"], d, config), + "target_secure_tag": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(original["targetSecureTags"], d, config), + "action": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleAction(original["action"], d, config), + "direction": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(original["direction"], d, config), + "enable_logging": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(original["enableLogging"], d, config), + "target_service_accounts": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(original["targetServiceAccounts"], d, config), + "security_profile_group": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(original["securityProfileGroup"], d, config), + "tls_inspect": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(original["tlsInspect"], d, config), + "disabled": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(original["disabled"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRulePriority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } + } + + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } + + return v // let terraform core handle it otherwise +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["src_ip_ranges"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(original["srcIpRanges"], d, config) + transformed["dest_ip_ranges"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(original["destIpRanges"], d, config) + transformed["src_address_groups"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(original["srcAddressGroups"], d, config) + transformed["dest_address_groups"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(original["destAddressGroups"], d, config) + transformed["src_fqdns"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(original["srcFqdns"], d, config) + transformed["dest_fqdns"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(original["destFqdns"], d, config) + transformed["src_region_codes"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(original["srcRegionCodes"], d, config) + transformed["dest_region_codes"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(original["destRegionCodes"], d, config) + transformed["src_threat_intelligences"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(original["srcThreatIntelligences"], d, config) + transformed["dest_threat_intelligences"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(original["destThreatIntelligences"], d, config) + transformed["layer4_config"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(original["layer4Configs"], d, config) + transformed["src_secure_tag"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(original["srcSecureTags"], d, config) + return []interface{}{transformed} +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "ip_protocol": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(original["ipProtocol"], d, config), + "ports": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(original["ports"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "name": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(original["name"], d, config), + "state": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(original["state"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "name": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(original["name"], d, config), + "state": flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(original["state"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRules(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "description": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDescription(original["description"], d, config), + "rule_name": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesRuleName(original["ruleName"], d, config), + "priority": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesPriority(original["priority"], d, config), + "match": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatch(original["match"], d, config), + "target_secure_tag": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTag(original["targetSecureTags"], d, config), + "action": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesAction(original["action"], d, config), + "direction": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDirection(original["direction"], d, config), + "enable_logging": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesEnableLogging(original["enableLogging"], d, config), + "target_service_accounts": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetServiceAccounts(original["targetServiceAccounts"], d, config), + "security_profile_group": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesSecurityProfileGroup(original["securityProfileGroup"], d, config), + "tls_inspect": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTlsInspect(original["tlsInspect"], d, config), + "disabled": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDisabled(original["disabled"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesRuleName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesPriority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } + } + + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } + + return v // let terraform core handle it otherwise +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatch(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["src_ip_ranges"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcIpRanges(original["srcIpRanges"], d, config) + transformed["dest_ip_ranges"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestIpRanges(original["destIpRanges"], d, config) + transformed["src_address_groups"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcAddressGroups(original["srcAddressGroups"], d, config) + transformed["dest_address_groups"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestAddressGroups(original["destAddressGroups"], d, config) + transformed["src_fqdns"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcFqdns(original["srcFqdns"], d, config) + transformed["dest_fqdns"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestFqdns(original["destFqdns"], d, config) + transformed["src_region_codes"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcRegionCodes(original["srcRegionCodes"], d, config) + transformed["dest_region_codes"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestRegionCodes(original["destRegionCodes"], d, config) + transformed["src_threat_intelligences"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcThreatIntelligences(original["srcThreatIntelligences"], d, config) + transformed["dest_threat_intelligences"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestThreatIntelligences(original["destThreatIntelligences"], d, config) + transformed["layer4_config"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4Config(original["layer4Configs"], d, config) + transformed["src_secure_tag"] = + flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTag(original["srcSecureTags"], d, config) + return []interface{}{transformed} +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestRegionCodes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchDestThreatIntelligences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4Config(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "ip_protocol": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigIpProtocol(original["ipProtocol"], d, config), + "ports": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigPorts(original["ports"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigIpProtocol(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchLayer4ConfigPorts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "name": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagName(original["name"], d, config), + "state": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagState(original["state"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesMatchSrcSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "name": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagName(original["name"], d, config), + "state": flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagState(original["state"], d, config), + }) + } + return transformed +} +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetSecureTagState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDirection(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesEnableLogging(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTargetServiceAccounts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesSecurityProfileGroup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesTlsInspect(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRulesDisabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesFingerprint(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLink(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesSelfLinkWithId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenComputeRegionNetworkFirewallPolicyWithRulesRuleTupleCount(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } + } + + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } + + return v // let terraform core handle it otherwise +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRule(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedDescription, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(original["description"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDescription); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["description"] = transformedDescription + } + + transformedRuleName, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(original["rule_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedRuleName); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["ruleName"] = transformedRuleName + } + + transformedPriority, err := expandComputeRegionNetworkFirewallPolicyWithRulesRulePriority(original["priority"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPriority); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["priority"] = transformedPriority + } + + transformedMatch, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(original["match"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMatch); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["match"] = transformedMatch + } + + transformedTargetSecureTag, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(original["target_secure_tag"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedTargetSecureTag); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["targetSecureTags"] = transformedTargetSecureTag + } + + transformedAction, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleAction(original["action"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAction); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["action"] = transformedAction + } + + transformedDirection, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(original["direction"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDirection); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["direction"] = transformedDirection + } + + transformedEnableLogging, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(original["enable_logging"], d, config) + if err != nil { + return nil, err + } else { + transformed["enableLogging"] = transformedEnableLogging + } + + transformedTargetServiceAccounts, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(original["target_service_accounts"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedTargetServiceAccounts); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["targetServiceAccounts"] = transformedTargetServiceAccounts + } + + transformedSecurityProfileGroup, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(original["security_profile_group"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSecurityProfileGroup); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["securityProfileGroup"] = transformedSecurityProfileGroup + } + + transformedTlsInspect, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(original["tls_inspect"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedTlsInspect); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["tlsInspect"] = transformedTlsInspect + } + + transformedDisabled, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(original["disabled"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDisabled); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["disabled"] = transformedDisabled + } + + req = append(req, transformed) + } + return req, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleRuleName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRulePriority(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatch(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedSrcIpRanges, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(original["src_ip_ranges"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSrcIpRanges); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["srcIpRanges"] = transformedSrcIpRanges + } + + transformedDestIpRanges, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(original["dest_ip_ranges"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDestIpRanges); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["destIpRanges"] = transformedDestIpRanges + } + + transformedSrcAddressGroups, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(original["src_address_groups"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSrcAddressGroups); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["srcAddressGroups"] = transformedSrcAddressGroups + } + + transformedDestAddressGroups, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(original["dest_address_groups"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDestAddressGroups); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["destAddressGroups"] = transformedDestAddressGroups + } + + transformedSrcFqdns, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(original["src_fqdns"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSrcFqdns); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["srcFqdns"] = transformedSrcFqdns + } + + transformedDestFqdns, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(original["dest_fqdns"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDestFqdns); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["destFqdns"] = transformedDestFqdns + } + + transformedSrcRegionCodes, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(original["src_region_codes"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSrcRegionCodes); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["srcRegionCodes"] = transformedSrcRegionCodes + } + + transformedDestRegionCodes, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(original["dest_region_codes"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDestRegionCodes); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["destRegionCodes"] = transformedDestRegionCodes + } + + transformedSrcThreatIntelligences, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(original["src_threat_intelligences"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSrcThreatIntelligences); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["srcThreatIntelligences"] = transformedSrcThreatIntelligences + } + + transformedDestThreatIntelligences, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(original["dest_threat_intelligences"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDestThreatIntelligences); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["destThreatIntelligences"] = transformedDestThreatIntelligences + } + + transformedLayer4Config, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(original["layer4_config"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedLayer4Config); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["layer4Configs"] = transformedLayer4Config + } + + transformedSrcSecureTag, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(original["src_secure_tag"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSrcSecureTag); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["srcSecureTags"] = transformedSrcSecureTag + } + + return transformed, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcIpRanges(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestIpRanges(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcAddressGroups(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestAddressGroups(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcFqdns(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestFqdns(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcRegionCodes(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestRegionCodes(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcThreatIntelligences(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchDestThreatIntelligences(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIpProtocol, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(original["ip_protocol"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIpProtocol); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["ipProtocol"] = transformedIpProtocol + } + + transformedPorts, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(original["ports"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPorts); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["ports"] = transformedPorts + } + + req = append(req, transformed) + } + return req, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigIpProtocol(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigPorts(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedName, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(original["name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["name"] = transformedName + } + + transformedState, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(original["state"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedState); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["state"] = transformedState + } + + req = append(req, transformed) + } + return req, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedName, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(original["name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["name"] = transformedName + } + + transformedState, err := expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(original["state"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedState); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["state"] = transformedState + } + + req = append(req, transformed) + } + return req, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleAction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleDirection(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleEnableLogging(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTargetServiceAccounts(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleSecurityProfileGroup(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleTlsInspect(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesRuleDisabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandComputeRegionNetworkFirewallPolicyWithRulesFingerprint(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) { + delete(obj, "rules") // Rules are not supported in the create API + return obj, nil +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesUpdateEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) { + config := meta.(*transport_tpg.Config) + + predefinedRulesProp, err := expandComputeRegionNetworkFirewallPolicyWithRulesRule(d.Get("predefined_rules"), d, config) + if err != nil { + return nil, err + } + + rules := obj["rules"].([]interface{}) + obj["rules"] = append(rules, predefinedRulesProp) + + return obj, nil +} + +func resourceComputeRegionNetworkFirewallPolicyWithRulesDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) { + rules, predefinedRules, err := regionNetworkFirewallPolicyWithRulesSplitPredefinedRules(res["rules"].([]interface{})) + + if err != nil { + return nil, fmt.Errorf("Error occurred while splitting pre-defined rules: %s", err) + } + + res["rules"] = rules + res["predefinedRules"] = predefinedRules + + config := meta.(*transport_tpg.Config) + + if err := d.Set("predefined_rules", flattenComputeRegionNetworkFirewallPolicyWithRulesPredefinedRules(predefinedRules, d, config)); err != nil { + return nil, fmt.Errorf("Error occurred while setting pre-defined rules: %s", err) + } + + return res, nil +} diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go new file mode 100644 index 0000000000..ecb878c05e --- /dev/null +++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_generated_test.go @@ -0,0 +1,185 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package compute_test + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/terraform" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" +) + +func TestAccComputeRegionNetworkFirewallPolicyWithRules_computeRegionNetworkFirewallPolicyWithRulesFullExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "org_id": envvar.GetTestOrgFromEnv(t), + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t), + CheckDestroy: testAccCheckComputeRegionNetworkFirewallPolicyWithRulesDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeRegionNetworkFirewallPolicyWithRules_computeRegionNetworkFirewallPolicyWithRulesFullExample(context), + }, + { + ResourceName: "google_compute_region_network_firewall_policy_with_rules.region-network-firewall-policy-with-rules", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"region"}, + }, + }, + }) +} + +func testAccComputeRegionNetworkFirewallPolicyWithRules_computeRegionNetworkFirewallPolicyWithRulesFullExample(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + provider = google-beta +} + +resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" { + name = "tf-test-tf-region-fw-policy-with-rules%{random_suffix}" + region = "us-west2" + description = "Terraform test" + provider = google-beta + + rule { + description = "tcp rule" + priority = 1000 + enable_logging = true + action = "allow" + direction = "EGRESS" + match { + layer4_config { + ip_protocol = "tcp" + ports = [8080, 7070] + } + dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = ["www.yyy.com", "www.zzz.com"] + dest_region_codes = ["HK", "IN"] + dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"] + dest_address_groups = [google_network_security_address_group.address_group_1.id] + } + target_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + rule { + description = "udp rule" + rule_name = "test-rule" + priority = 2000 + enable_logging = false + action = "deny" + direction = "INGRESS" + match { + layer4_config { + ip_protocol = "udp" + } + src_ip_ranges = ["0.0.0.0/0"] + src_fqdns = ["www.abc.com", "www.def.com"] + src_region_codes = ["US", "CA"] + src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"] + src_address_groups = [google_network_security_address_group.address_group_1.id] + src_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + disabled = true + } +} + +resource "google_network_security_address_group" "address_group_1" { + provider = google-beta + name = "tf-test-tf-address-group%{random_suffix}" + parent = "projects/${data.google_project.project.name}" + description = "Regional address group" + location = "us-west2" + items = ["208.80.154.224/32"] + type = "IPV4" + capacity = 100 +} + +resource "google_tags_tag_key" "secure_tag_key_1" { + provider = google-beta + description = "Tag key" + parent = "projects/${data.google_project.project.name}" + purpose = "GCE_FIREWALL" + short_name = "tf-test-tf-tag-key%{random_suffix}" + purpose_data = { + network = "${data.google_project.project.name}/default" + } +} + +resource "google_tags_tag_value" "secure_tag_value_1" { + provider = google-beta + description = "Tag value" + parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}" + short_name = "tf-test-tf-tag-value%{random_suffix}" +} +`, context) +} + +func testAccCheckComputeRegionNetworkFirewallPolicyWithRulesDestroyProducer(t *testing.T) func(s *terraform.State) error { + return func(s *terraform.State) error { + for name, rs := range s.RootModule().Resources { + if rs.Type != "google_compute_region_network_firewall_policy_with_rules" { + continue + } + if strings.HasPrefix(name, "data.") { + continue + } + + config := acctest.GoogleProviderConfig(t) + + url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return err + } + + billingProject := "" + + if config.BillingProject != "" { + billingProject = config.BillingProject + } + + _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: config.UserAgent, + }) + if err == nil { + return fmt.Errorf("ComputeRegionNetworkFirewallPolicyWithRules still exists at %s", url) + } + } + + return nil + } +} diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go new file mode 100644 index 0000000000..7c19a251bb --- /dev/null +++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_sweeper.go @@ -0,0 +1,139 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package compute + +import ( + "context" + "log" + "strings" + "testing" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/sweeper" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" +) + +func init() { + sweeper.AddTestSweepers("ComputeRegionNetworkFirewallPolicyWithRules", testSweepComputeRegionNetworkFirewallPolicyWithRules) +} + +// At the time of writing, the CI only passes us-central1 as the region +func testSweepComputeRegionNetworkFirewallPolicyWithRules(region string) error { + resourceName := "ComputeRegionNetworkFirewallPolicyWithRules" + log.Printf("[INFO][SWEEPER_LOG] Starting sweeper for %s", resourceName) + + config, err := sweeper.SharedConfigForRegion(region) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err) + return err + } + + err = config.LoadAndValidate(context.Background()) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err) + return err + } + + t := &testing.T{} + billingId := envvar.GetTestBillingAccountFromEnv(t) + + // Setup variables to replace in list template + d := &tpgresource.ResourceDataMock{ + FieldsInSchema: map[string]interface{}{ + "project": config.Project, + "region": region, + "location": region, + "zone": "-", + "billing_account": billingId, + }, + } + + listTemplate := strings.Split("https://compute.googleapis.com/compute/beta/projects/{{project}}/regions/{{region}}/firewallPolicies", "?")[0] + listUrl, err := tpgresource.ReplaceVars(d, config, listTemplate) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error preparing sweeper list url: %s", err) + return nil + } + + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: config.Project, + RawURL: listUrl, + UserAgent: config.UserAgent, + }) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", listUrl, err) + return nil + } + + resourceList, ok := res["regionNetworkFirewallPolicyWithRules"] + if !ok { + log.Printf("[INFO][SWEEPER_LOG] Nothing found in response.") + return nil + } + + rl := resourceList.([]interface{}) + + log.Printf("[INFO][SWEEPER_LOG] Found %d items in %s list response.", len(rl), resourceName) + // Keep count of items that aren't sweepable for logging. + nonPrefixCount := 0 + for _, ri := range rl { + obj := ri.(map[string]interface{}) + if obj["name"] == nil { + log.Printf("[INFO][SWEEPER_LOG] %s resource name was nil", resourceName) + return nil + } + + name := tpgresource.GetResourceNameFromSelfLink(obj["name"].(string)) + // Skip resources that shouldn't be sweeped + if !sweeper.IsSweepableTestResource(name) { + nonPrefixCount++ + continue + } + + deleteTemplate := "https://compute.googleapis.com/compute/beta/projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}" + deleteUrl, err := tpgresource.ReplaceVars(d, config, deleteTemplate) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error preparing delete url: %s", err) + return nil + } + deleteUrl = deleteUrl + name + + // Don't wait on operations as we may have a lot to delete + _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: config.Project, + RawURL: deleteUrl, + UserAgent: config.UserAgent, + }) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error deleting for url %s : %s", deleteUrl, err) + } else { + log.Printf("[INFO][SWEEPER_LOG] Sent delete request for %s resource: %s", resourceName, name) + } + } + + if nonPrefixCount > 0 { + log.Printf("[INFO][SWEEPER_LOG] %d items were non-sweepable and skipped.", nonPrefixCount) + } + + return nil +} diff --git a/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go new file mode 100644 index 0000000000..8f2d904c52 --- /dev/null +++ b/google-beta/services/compute/resource_compute_region_network_firewall_policy_with_rules_test.go @@ -0,0 +1,213 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 +package compute_test + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest" +) + +func TestAccComputeRegionNetworkFirewallPolicyWithRules_update(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t), + CheckDestroy: testAccCheckComputeRegionNetworkFirewallPolicyWithRulesDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeRegionNetworkFirewallPolicyWithRules_full(context), + }, + { + ResourceName: "google_compute_region_network_firewall_policy_with_rules.region-network-firewall-policy-with-rules", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"region"}, + }, + { + Config: testAccComputeRegionNetworkFirewallPolicyWithRules_update(context), + }, + { + ResourceName: "google_compute_region_network_firewall_policy_with_rules.region-network-firewall-policy-with-rules", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"region"}, + }, + }, + }) +} + +func testAccComputeRegionNetworkFirewallPolicyWithRules_full(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + provider = google-beta +} + +resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" { + name = "tf-test-tf-region-fw-policy-with-rules%{random_suffix}" + region = "us-west2" + description = "Terraform test" + provider = google-beta + + rule { + description = "tcp rule" + priority = 1000 + enable_logging = true + action = "allow" + direction = "EGRESS" + match { + layer4_config { + ip_protocol = "tcp" + ports = [8080, 7070] + } + dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = ["www.yyy.com", "www.zzz.com"] + dest_region_codes = ["HK", "IN"] + dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"] + dest_address_groups = [google_network_security_address_group.address_group_1.id] + } + target_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + rule { + description = "udp rule" + rule_name = "test-rule" + priority = 2000 + enable_logging = false + action = "deny" + direction = "INGRESS" + match { + layer4_config { + ip_protocol = "udp" + } + src_ip_ranges = ["0.0.0.0/0"] + src_fqdns = ["www.abc.com", "www.def.com"] + src_region_codes = ["US", "CA"] + src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"] + src_address_groups = [google_network_security_address_group.address_group_1.id] + src_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + disabled = true + } +} + +resource "google_network_security_address_group" "address_group_1" { + provider = google-beta + name = "tf-test-tf-address-group%{random_suffix}" + parent = "projects/${data.google_project.project.name}" + description = "Regional address group" + location = "us-west2" + items = ["208.80.154.224/32"] + type = "IPV4" + capacity = 100 +} + +resource "google_tags_tag_key" "secure_tag_key_1" { + provider = google-beta + description = "Tag key" + parent = "projects/${data.google_project.project.name}" + purpose = "GCE_FIREWALL" + short_name = "tf-test-tf-tag-key%{random_suffix}" + purpose_data = { + network = "${data.google_project.project.name}/default" + } +} + +resource "google_tags_tag_value" "secure_tag_value_1" { + provider = google-beta + description = "Tag value" + parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}" + short_name = "tf-test-tf-tag-value%{random_suffix}" +} +`, context) +} + +func testAccComputeRegionNetworkFirewallPolicyWithRules_update(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + provider = google-beta +} + +resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" { + name = "tf-test-tf-fw-policy-with-rules%{random_suffix}" + description = "Terraform test - update" + region = "us-west2" + provider = google-beta + + rule { + description = "tcp rule - changed" + priority = 1000 + enable_logging = false + action = "allow" + direction = "EGRESS" + match { + layer4_config { + ip_protocol = "tcp" + ports = [8080, 7070] + } + dest_ip_ranges = ["11.100.0.1/32"] + } + } + rule { + description = "new udp rule" + priority = 4000 + enable_logging = true + action = "deny" + direction = "INGRESS" + match { + layer4_config { + ip_protocol = "udp" + } + src_ip_ranges = ["0.0.0.0/0"] + src_fqdns = ["www.abc.com", "www.ghi.com"] + src_region_codes = ["IT", "FR"] + src_threat_intelligences = ["iplist-public-clouds"] + src_address_groups = [google_network_security_address_group.address_group_1.id] + src_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + disabled = false + } +} + +resource "google_network_security_address_group" "address_group_1" { + provider = google-beta + name = "tf-test-tf-address-group%{random_suffix}" + parent = "projects/${data.google_project.project.name}" + description = "Regional address group" + location = "us-west2" + items = ["208.80.154.224/32"] + type = "IPV4" + capacity = 100 +} + +resource "google_tags_tag_key" "secure_tag_key_1" { + provider = google-beta + description = "Tag key" + parent = "projects/${data.google_project.project.name}" + purpose = "GCE_FIREWALL" + short_name = "tf-test-tf-tag-key%{random_suffix}" + purpose_data = { + network = "${data.google_project.project.name}/default" + } +} + +resource "google_tags_tag_value" "secure_tag_value_1" { + provider = google-beta + description = "Tag value" + parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}" + short_name = "tf-test-tf-tag-value%{random_suffix}" +} +`, context) +} diff --git a/website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown b/website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown new file mode 100644 index 0000000000..8e45d97d07 --- /dev/null +++ b/website/docs/r/compute_region_network_firewall_policy_with_rules.html.markdown @@ -0,0 +1,608 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +subcategory: "Compute Engine" +description: |- + The Compute NetworkFirewallPolicy with rules resource +--- + +# google_compute_region_network_firewall_policy_with_rules + +The Compute NetworkFirewallPolicy with rules resource + +~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. +See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. + + +## Example Usage - Compute Region Network Firewall Policy With Rules Full + + +```hcl +data "google_project" "project" { + provider = google-beta +} + +resource "google_compute_region_network_firewall_policy_with_rules" "region-network-firewall-policy-with-rules" { + name = "tf-region-fw-policy-with-rules" + region = "us-west2" + description = "Terraform test" + provider = google-beta + + rule { + description = "tcp rule" + priority = 1000 + enable_logging = true + action = "allow" + direction = "EGRESS" + match { + layer4_config { + ip_protocol = "tcp" + ports = [8080, 7070] + } + dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = ["www.yyy.com", "www.zzz.com"] + dest_region_codes = ["HK", "IN"] + dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"] + dest_address_groups = [google_network_security_address_group.address_group_1.id] + } + target_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + rule { + description = "udp rule" + rule_name = "test-rule" + priority = 2000 + enable_logging = false + action = "deny" + direction = "INGRESS" + match { + layer4_config { + ip_protocol = "udp" + } + src_ip_ranges = ["0.0.0.0/0"] + src_fqdns = ["www.abc.com", "www.def.com"] + src_region_codes = ["US", "CA"] + src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"] + src_address_groups = [google_network_security_address_group.address_group_1.id] + src_secure_tag { + name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}" + } + } + disabled = true + } +} + +resource "google_network_security_address_group" "address_group_1" { + provider = google-beta + name = "tf-address-group" + parent = "projects/${data.google_project.project.name}" + description = "Regional address group" + location = "us-west2" + items = ["208.80.154.224/32"] + type = "IPV4" + capacity = 100 +} + +resource "google_tags_tag_key" "secure_tag_key_1" { + provider = google-beta + description = "Tag key" + parent = "projects/${data.google_project.project.name}" + purpose = "GCE_FIREWALL" + short_name = "tf-tag-key" + purpose_data = { + network = "${data.google_project.project.name}/default" + } +} + +resource "google_tags_tag_value" "secure_tag_value_1" { + provider = google-beta + description = "Tag value" + parent = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}" + short_name = "tf-tag-value" +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `name` - + (Required) + User-provided name of the Network firewall policy. + The name should be unique in the project in which the firewall policy is created. + The name must be 1-63 characters long, and comply with RFC1035. Specifically, + the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? + which means the first character must be a lowercase letter, and all following characters must be a dash, + lowercase letter, or digit, except the last character, which cannot be a dash. + +* `rule` - + (Required) + A list of firewall policy rules. + Structure is [documented below](#nested_rule). + + +The `rule` block supports: + +* `description` - + (Optional) + A description of the rule. + +* `rule_name` - + (Optional) + An optional name for the rule. This field is not a unique identifier + and can be updated. + +* `priority` - + (Required) + An integer indicating the priority of a rule in the list. The priority must be a value + between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the + highest priority and 2147483647 is the lowest priority. + +* `match` - + (Required) + A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. + Structure is [documented below](#nested_match). + +* `target_secure_tag` - + (Optional) + A list of secure tags that controls which instances the firewall rule + applies to. If targetSecureTag are specified, then the + firewall rule applies only to instances in the VPC network that have one + of those EFFECTIVE secure tags, if all the target_secure_tag are in + INEFFECTIVE state, then this rule will be ignored. + targetSecureTag may not be set at the same time as + targetServiceAccounts. + If neither targetServiceAccounts nor + targetSecureTag are specified, the firewall rule applies + to all instances on the specified network. + Maximum number of target label tags allowed is 256. + Structure is [documented below](#nested_target_secure_tag). + +* `action` - + (Required) + The Action to perform when the client connection triggers the rule. Can currently be either + "allow", "deny", "apply_security_profile_group" or "goto_next". + +* `direction` - + (Optional) + The direction in which this rule applies. If unspecified an INGRESS rule is created. + Possible values are: `INGRESS`, `EGRESS`. + +* `enable_logging` - + (Optional) + Denotes whether to enable logging for a particular rule. + If logging is enabled, logs will be exported to the + configured export destination in Stackdriver. + +* `target_service_accounts` - + (Optional) + A list of service accounts indicating the sets of + instances that are applied with this rule. + +* `security_profile_group` - + (Optional) + A fully-qualified URL of a SecurityProfile resource instance. + Example: + https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group + Must be specified if action is 'apply_security_profile_group'. + +* `tls_inspect` - + (Optional) + Boolean flag indicating if the traffic should be TLS decrypted. + It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions. + +* `disabled` - + (Optional) + Denotes whether the firewall policy rule is disabled. When set to true, + the firewall policy rule is not enforced and traffic behaves as if it did + not exist. If this is unspecified, the firewall policy rule will be + enabled. + + +The `match` block supports: + +* `src_ip_ranges` - + (Optional) + Source IP address range in CIDR format. Required for + INGRESS rules. + +* `dest_ip_ranges` - + (Optional) + Destination IP address range in CIDR format. Required for + EGRESS rules. + +* `src_address_groups` - + (Optional) + Address groups which should be matched against the traffic source. + Maximum number of source address groups is 10. + +* `dest_address_groups` - + (Optional) + Address groups which should be matched against the traffic destination. + Maximum number of destination address groups is 10. + +* `src_fqdns` - + (Optional) + Fully Qualified Domain Name (FQDN) which should be matched against + traffic source. Maximum number of source fqdn allowed is 100. + +* `dest_fqdns` - + (Optional) + Fully Qualified Domain Name (FQDN) which should be matched against + traffic destination. Maximum number of destination fqdn allowed is 100. + +* `src_region_codes` - + (Optional) + Region codes whose IP addresses will be used to match for source + of traffic. Should be specified as 2 letter country code defined as per + ISO 3166 alpha-2 country codes. ex."US" + Maximum number of source region codes allowed is 5000. + +* `dest_region_codes` - + (Optional) + Region codes whose IP addresses will be used to match for destination + of traffic. Should be specified as 2 letter country code defined as per + ISO 3166 alpha-2 country codes. ex."US" + Maximum number of destination region codes allowed is 5000. + +* `src_threat_intelligences` - + (Optional) + Names of Network Threat Intelligence lists. + The IPs in these lists will be matched against traffic source. + +* `dest_threat_intelligences` - + (Optional) + Names of Network Threat Intelligence lists. + The IPs in these lists will be matched against traffic destination. + +* `layer4_config` - + (Required) + Pairs of IP protocols and ports that the rule should match. + Structure is [documented below](#nested_layer4_config). + +* `src_secure_tag` - + (Optional) + List of secure tag values, which should be matched at the source + of the traffic. + For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, + and there is no srcIpRange, this rule will be ignored. + Maximum number of source tag values allowed is 256. + Structure is [documented below](#nested_src_secure_tag). + + +The `layer4_config` block supports: + +* `ip_protocol` - + (Required) + The IP protocol to which this rule applies. The protocol + type is required when creating a firewall rule. + This value can either be one of the following well + known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), + or the IP protocol number. + +* `ports` - + (Optional) + An optional list of ports to which this rule applies. This field + is only applicable for UDP or TCP protocol. Each entry must be + either an integer or a range. If not specified, this rule + applies to connections through any port. + Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + +The `src_secure_tag` block supports: + +* `name` - + (Optional) + Name of the secure tag, created with TagManager's TagValue API. + @pattern tagValues/[0-9]+ + +* `state` - + (Output) + [Output Only] State of the secure tag, either `EFFECTIVE` or + `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted + or its network is deleted. + +The `target_secure_tag` block supports: + +* `name` - + (Optional) + Name of the secure tag, created with TagManager's TagValue API. + @pattern tagValues/[0-9]+ + +* `state` - + (Output) + [Output Only] State of the secure tag, either `EFFECTIVE` or + `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted + or its network is deleted. + +- - - + + +* `description` - + (Optional) + An optional description of this resource. + +* `region` - + (Optional) + The region of this resource. + +* `project` - (Optional) The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}` + +* `creation_timestamp` - + Creation timestamp in RFC3339 text format. + +* `network_firewall_policy_id` - + The unique identifier for the resource. This identifier is defined by the server. + +* `predefined_rules` - + A list of firewall policy pre-defined rules. + Structure is [documented below](#nested_predefined_rules). + +* `fingerprint` - + Fingerprint of the resource. This field is used internally during updates of this resource. + +* `self_link` - + Server-defined URL for the resource. + +* `self_link_with_id` - + Server-defined URL for this resource with the resource id. + +* `rule_tuple_count` - + Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples. + + +The `predefined_rules` block contains: + +* `description` - + (Output) + A description of the rule. + +* `rule_name` - + (Output) + An optional name for the rule. This field is not a unique identifier + and can be updated. + +* `priority` - + (Output) + An integer indicating the priority of a rule in the list. The priority must be a value + between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the + highest priority and 2147483647 is the lowest priority. + +* `match` - + (Output) + A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. + Structure is [documented below](#nested_match). + +* `target_secure_tag` - + (Output) + A list of secure tags that controls which instances the firewall rule + applies to. If targetSecureTag are specified, then the + firewall rule applies only to instances in the VPC network that have one + of those EFFECTIVE secure tags, if all the target_secure_tag are in + INEFFECTIVE state, then this rule will be ignored. + targetSecureTag may not be set at the same time as + targetServiceAccounts. + If neither targetServiceAccounts nor + targetSecureTag are specified, the firewall rule applies + to all instances on the specified network. + Maximum number of target label tags allowed is 256. + Structure is [documented below](#nested_target_secure_tag). + +* `action` - + (Output) + The Action to perform when the client connection triggers the rule. Can currently be either + "allow", "deny", "apply_security_profile_group" or "goto_next". + +* `direction` - + (Output) + The direction in which this rule applies. If unspecified an INGRESS rule is created. + +* `enable_logging` - + (Output) + Denotes whether to enable logging for a particular rule. + If logging is enabled, logs will be exported to the + configured export destination in Stackdriver. + +* `target_service_accounts` - + (Output) + A list of service accounts indicating the sets of + instances that are applied with this rule. + +* `security_profile_group` - + (Output) + A fully-qualified URL of a SecurityProfile resource instance. + Example: + https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group + Must be specified if action is 'apply_security_profile_group'. + +* `tls_inspect` - + (Output) + Boolean flag indicating if the traffic should be TLS decrypted. + It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions. + +* `disabled` - + (Output) + Denotes whether the firewall policy rule is disabled. When set to true, + the firewall policy rule is not enforced and traffic behaves as if it did + not exist. If this is unspecified, the firewall policy rule will be + enabled. + + +The `match` block contains: + +* `src_ip_ranges` - + (Output) + Source IP address range in CIDR format. Required for + INGRESS rules. + +* `dest_ip_ranges` - + (Output) + Destination IP address range in CIDR format. Required for + EGRESS rules. + +* `src_address_groups` - + (Output) + Address groups which should be matched against the traffic source. + Maximum number of source address groups is 10. + +* `dest_address_groups` - + (Output) + Address groups which should be matched against the traffic destination. + Maximum number of destination address groups is 10. + +* `src_fqdns` - + (Output) + Fully Qualified Domain Name (FQDN) which should be matched against + traffic source. Maximum number of source fqdn allowed is 100. + +* `dest_fqdns` - + (Output) + Fully Qualified Domain Name (FQDN) which should be matched against + traffic destination. Maximum number of destination fqdn allowed is 100. + +* `src_region_codes` - + (Output) + Region codes whose IP addresses will be used to match for source + of traffic. Should be specified as 2 letter country code defined as per + ISO 3166 alpha-2 country codes. ex."US" + Maximum number of source region codes allowed is 5000. + +* `dest_region_codes` - + (Output) + Region codes whose IP addresses will be used to match for destination + of traffic. Should be specified as 2 letter country code defined as per + ISO 3166 alpha-2 country codes. ex."US" + Maximum number of destination region codes allowed is 5000. + +* `src_threat_intelligences` - + (Output) + Names of Network Threat Intelligence lists. + The IPs in these lists will be matched against traffic source. + +* `dest_threat_intelligences` - + (Output) + Names of Network Threat Intelligence lists. + The IPs in these lists will be matched against traffic destination. + +* `layer4_config` - + (Output) + Pairs of IP protocols and ports that the rule should match. + Structure is [documented below](#nested_layer4_config). + +* `src_secure_tag` - + (Output) + List of secure tag values, which should be matched at the source + of the traffic. + For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, + and there is no srcIpRange, this rule will be ignored. + Maximum number of source tag values allowed is 256. + Structure is [documented below](#nested_src_secure_tag). + + +The `layer4_config` block contains: + +* `ip_protocol` - + (Output) + The IP protocol to which this rule applies. The protocol + type is required when creating a firewall rule. + This value can either be one of the following well + known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), + or the IP protocol number. + +* `ports` - + (Output) + An optional list of ports to which this rule applies. This field + is only applicable for UDP or TCP protocol. Each entry must be + either an integer or a range. If not specified, this rule + applies to connections through any port. + Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + +The `src_secure_tag` block contains: + +* `name` - + (Output) + Name of the secure tag, created with TagManager's TagValue API. + @pattern tagValues/[0-9]+ + +* `state` - + (Output) + [Output Only] State of the secure tag, either `EFFECTIVE` or + `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted + or its network is deleted. + +The `target_secure_tag` block contains: + +* `name` - + (Output) + Name of the secure tag, created with TagManager's TagValue API. + @pattern tagValues/[0-9]+ + +* `state` - + (Output) + [Output Only] State of the secure tag, either `EFFECTIVE` or + `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted + or its network is deleted. + +## Timeouts + +This resource provides the following +[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. + +## Import + + +RegionNetworkFirewallPolicyWithRules can be imported using any of these accepted formats: + +* `projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}` +* `{{project}}/{{region}}/{{name}}` +* `{{region}}/{{name}}` +* `{{name}}` + + +In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import RegionNetworkFirewallPolicyWithRules using one of the formats above. For example: + +```tf +import { + id = "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}" + to = google_compute_region_network_firewall_policy_with_rules.default +} +``` + +When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), RegionNetworkFirewallPolicyWithRules can be imported using one of the formats above. For example: + +``` +$ terraform import google_compute_region_network_firewall_policy_with_rules.default projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}} +$ terraform import google_compute_region_network_firewall_policy_with_rules.default {{project}}/{{region}}/{{name}} +$ terraform import google_compute_region_network_firewall_policy_with_rules.default {{region}}/{{name}} +$ terraform import google_compute_region_network_firewall_policy_with_rules.default {{name}} +``` + +## User Project Overrides + +This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).