Add new compute-network-firewall-policy-with-rules resource (#11524)

Co-authored-by: Nick Elliot <[email protected]>

mmv1/templates/terraform/constants/resource_compute_network_firewall_policy_with_rules.go.erb

@@ -0,0 +1,54 @@
+func networkFirewallPolicyWithRulesConvertPriorityToInt(v interface {}) (int64, error) {
+  if strVal, ok := v.(string); ok {
+		if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+			return intVal, nil
+		}
+	}
+
+  if intVal, ok := v.(int64); ok {
+    return intVal, nil
+  }
+
+  if floatVal, ok := v.(float64); ok {
+ 	  intVal := int64(floatVal)
+ 	  return intVal, nil
+ 	}
+
+  return 0, fmt.Errorf("Incorrect rule priority: %s. Priority must be a number", v)
+}
+
+func  networkFirewallPolicyWithRulesIsPredefinedRule(rule map[string]interface{}) (bool, error) {
+  // Priorities from 2147483548 to 2147483647 are reserved and cannot be modified by the user.
+  const ReservedPriorityStart = 2147483548
+
+  priority := rule["priority"]
+  priorityInt, err :=  networkFirewallPolicyWithRulesConvertPriorityToInt(priority)
+
+  if err != nil {
+      return false, err
+    }
+
+  return priorityInt >= ReservedPriorityStart, nil
+
+}
+
+func networkFirewallPolicyWithRulesSplitPredefinedRules(allRules []interface{}) ([]interface{}, []interface{}, error) {
+	predefinedRules := make([]interface{}, 0)
+	rules := make([]interface{}, 0)
+
+	for _, rule := range allRules {
+	  isPredefined, err :=  networkFirewallPolicyWithRulesIsPredefinedRule(rule.(map[string]interface{}))
+	  if err != nil {
+	    return nil, nil, err
+	  }
+
+		if isPredefined {
+		 predefinedRules = append(predefinedRules, rule)
+		} else {
+			rules = append(rules, rule)
+		}
+	}
+
+  return rules, predefinedRules, nil
+}
+

mmv1/templates/terraform/decoders/resource_compute_network_firewall_policy_with_rules.go.erb

@@ -0,0 +1,16 @@
+rules, predefinedRules, err := networkFirewallPolicyWithRulesSplitPredefinedRules(res["rules"].([]interface{}))
+
+if err != nil {
+	return nil, fmt.Errorf("Error occurred while splitting pre-defined rules: %s", err)
+}
+
+res["rules"] = rules
+res["predefinedRules"] = predefinedRules
+
+config := meta.(*transport_tpg.Config)
+
+if err := d.Set("predefined_rules", flattenComputeNetworkFirewallPolicyWithRulesPredefinedRules(predefinedRules, d, config)); err != nil {
+	return nil, fmt.Errorf("Error occurred while setting pre-defined rules: %s", err)
+}
+
+return res, nil

mmv1/templates/terraform/encoders/resource_compute_network_firewall_policy_with_rules.go.erb

@@ -0,0 +1,3 @@
+delete(obj, "rules") // Rules are not supported in the create API 
+return obj, nil
+

mmv1/templates/terraform/examples/compute_network_firewall_policy_with_rules_full.tf.erb

@@ -0,0 +1,116 @@
+data "google_project" "project" {
+  provider = google-beta
+}
+
+resource "google_compute_network_firewall_policy_with_rules" "<%= ctx[:primary_resource_id] %>" {
+  name = "<%= ctx[:vars]['policy_name'] %>"
+  description = "Terraform test"
+  provider = google-beta
+
+  rule {
+    description    = "tcp rule"
+    priority       = 1000
+    enable_logging = true
+    action         = "allow"
+    direction      = "EGRESS"
+    match {
+      layer4_config {
+        ip_protocol = "tcp"
+        ports       = [8080, 7070]
+      }
+      dest_ip_ranges = ["11.100.0.1/32"]
+      dest_fqdns = ["www.yyy.com", "www.zzz.com"]
+      dest_region_codes = ["HK", "IN"]
+      dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"]
+      dest_address_groups = [google_network_security_address_group.address_group_1.id]
+    }
+    target_secure_tag {
+      name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+    }
+  }
+  rule {
+      description    = "udp rule"
+      priority       = 2000
+      enable_logging = false
+      action         = "deny"
+      direction      = "INGRESS"
+      match {
+        layer4_config {
+          ip_protocol = "udp"
+        }
+        src_ip_ranges = ["0.0.0.0/0"]
+        src_fqdns = ["www.abc.com", "www.def.com"]
+        src_region_codes = ["US", "CA"]
+        src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"]
+        src_address_groups = [google_network_security_address_group.address_group_1.id]
+        src_secure_tag {
+          name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+        }
+      }
+      disabled = true
+   }
+
+    rule {
+         description    = "security profile group rule"
+         rule_name      = "tcp rule"
+         priority       = 3000
+         enable_logging = false
+         action         = "apply_security_profile_group"
+         direction      = "INGRESS"
+         match {
+           layer4_config {
+             ip_protocol = "tcp"
+           }
+           src_ip_ranges = ["0.0.0.0/0"]
+         }
+         target_service_accounts = ["[email protected]"]
+         security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.security_profile_group_1.id}"
+         tls_inspect = true
+    }
+}
+
+resource "google_network_security_address_group" "address_group_1" {
+  provider    = google-beta
+  name        = "<%= ctx[:vars]['address_group_name'] %>"
+  parent      = "projects/${data.google_project.project.name}"
+  description = "Global address group"
+  location    = "global"
+  items       = ["208.80.154.224/32"]
+  type        = "IPV4"
+  capacity    = 100
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+  provider    = google-beta
+  description = "Tag key"
+  parent      = "projects/${data.google_project.project.name}"
+  purpose     = "GCE_FIREWALL"
+  short_name  = "<%= ctx[:vars]['tag_key_name'] %>"
+  purpose_data = {
+    network = "${data.google_project.project.name}/default"
+  }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+  provider    = google-beta
+  description = "Tag value"
+  parent      = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}"
+  short_name  = "<%= ctx[:vars]['tag_value_name'] %>"
+}
+
+resource "google_network_security_security_profile_group" "security_profile_group_1" {
+  provider                  = google-beta
+  name                      = "<%= ctx[:vars]['security_profile_group_name'] %>"
+  parent                    = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
+  description               = "my description"
+  threat_prevention_profile = google_network_security_security_profile.security_profile_1.id
+}
+
+resource "google_network_security_security_profile" "security_profile_1" {
+  provider    = google-beta
+  name        = "<%= ctx[:vars]['security_profile_name'] %>"
+  type        = "THREAT_PREVENTION"
+  parent      = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
+  location    = "global"
+}
+

mmv1/templates/terraform/post_create/resource_compute_network_firewall_policy_with_rules.go.erb

@@ -0,0 +1,31 @@
+log.Printf("[DEBUG] Post-create for NetworkFirewallPolicyWithRules %q", d.Id())
+
+url, err = tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/global/firewallPolicies/{{name}}")
+if err != nil {
+  return err
+}
+
+headers = make(http.Header)
+res, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+  Config:    config,
+	Method:    "GET",
+	Project:   billingProject,
+	RawURL:    url,
+	UserAgent: userAgent,
+	Headers:   headers,
+})
+if err != nil {
+ return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("ComputeNetworkFirewallPolicyWithRules %q", d.Id()))
+}
+
+if err := d.Set("fingerprint", flattenComputeNetworkFirewallPolicyWithRulesFingerprint(res["fingerprint"], d, config)); err != nil {
+  return fmt.Errorf("Error reading NetworkFirewallPolicyWithRules: %s", err)
+}
+
+res, err = resourceComputeNetworkFirewallPolicyWithRulesDecoder(d, meta, res)
+if err != nil {
+	return err
+}
+
+log.Printf("[DEBUG] Updating NetworkFirewallPolicyWithRules %q", d.Id())
+return resourceComputeNetworkFirewallPolicyWithRulesUpdate(d, meta)

mmv1/templates/terraform/update_encoder/resource_compute_network_firewall_policy_with_rules.go.erb

@@ -0,0 +1,15 @@
+config := meta.(*transport_tpg.Config)
+
+predefinedRulesProp, err := expandComputeNetworkFirewallPolicyWithRulesRule(d.Get("predefined_rules"), d, config)
+if err != nil {
+  return nil, err
+}
+
+rules := obj["rules"].([]interface{})
+obj["rules"] = append(rules, predefinedRulesProp)
+
+return obj, nil
+
+
+
+