Org Security Policies (Hierarchical Firewalls) (#3626)

Co-authored-by: Dana Hoffman <[email protected]>

products/compute/api.yaml

@@ -7853,6 +7853,247 @@ objects:
           - :ENABLED
           - :NONE
         default_value: :NONE
+  - !ruby/object:Api::Resource
+    name: 'OrganizationSecurityPolicy'
+    min_version: beta
+    base_url: 'locations/global/securityPolicies?parentId={{parent}}'
+    self_link: 'locations/global/securityPolicies/{{id}}'
+    create_url: 'locations/global/securityPolicies?parentId={{parent}}'
+    update_verb: :PATCH
+    description: |
+      Organization security policies are used to control incoming/outgoing traffic.
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Creating a firewall policy':
+          'https://cloud.google.com/vpc/docs/using-firewall-policies#create-policy'
+      api: 'https://cloud.google.com/compute/docs/reference/rest/beta/organizationSecurityPolicies'
+    parameters:
+      - !ruby/object:Api::Type::String
+        name: parent
+        description: |
+          The parent of this OrganizationSecurityPolicy in the Cloud Resource Hierarchy.
+          Format: organizations/{organization_id} or folders/{folder_id}
+        required: true
+        input: true
+    properties:
+      - !ruby/object:Api::Type::String
+        name: displayName
+        description: |
+          A textual name of the security policy.
+        input: true
+        required: true
+      - !ruby/object:Api::Type::String
+        name: description
+        description: |
+          A textual description for the organization security policy.
+      - !ruby/object:Api::Type::Fingerprint
+        name: 'fingerprint'
+        description: |
+          Fingerprint of this resource. This field is used internally during
+          updates of this resource.
+        output: true
+      - !ruby/object:Api::Type::String
+        name: id
+        description: |
+          The unique identifier for the resource. This identifier is defined by the server.
+        output: true
+      - !ruby/object:Api::Type::Enum
+        name: type
+        description: |
+          The type indicates the intended use of the security policy.
+          For organization security policies, the only supported type
+          is "FIREWALL".
+        input: true
+        values:
+          - :FIREWALL
+        default_value: :FIREWALL
+  - !ruby/object:Api::Resource
+    name: 'OrganizationSecurityPolicyAssociation'
+    min_version: beta
+    base_url: 'locations/global/securityPolicies/{{policy_id}}'
+    self_link: 'locations/global/securityPolicies/{{policy_id}}/getAssociation?name={{name}}'
+    create_url: 'locations/global/securityPolicies/{{policy_id}}/addAssociation'
+    delete_verb: :POST
+    delete_url: 'locations/global/securityPolicies/{{policy_id}}/removeAssociation?name={{name}}'
+    description: |
+      An association for the OrganizationSecurityPolicy.
+    input: true
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Associating a policy with the organization or folder':
+          'https://cloud.google.com/vpc/docs/using-firewall-policies#associate'
+      api: 'https://cloud.google.com/compute/docs/reference/rest/beta/organizationSecurityPolicies/addAssociation'
+    parameters:
+      - !ruby/object:Api::Type::String
+        name: 'policyId'
+        description: |
+          The security policy ID of the association.
+        required: true
+        url_param_only: true
+        api_name: 'securityPolicyId'
+    properties:
+      - !ruby/object:Api::Type::String
+        name: name
+        description: |
+          The name for an association.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: 'attachmentId'
+        description: |
+          The resource that the security policy is attached to.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: 'displayName'
+        description: |
+          The display name of the security policy of the association.
+        output: true
+  - !ruby/object:Api::Resource
+    name: 'OrganizationSecurityPolicyRule'
+    min_version: beta
+    base_url: 'locations/global/securityPolicies/{{policy_id}}'
+    self_link: 'locations/global/securityPolicies/{{policy_id}}/getRule?priority={{priority}}'
+    create_url: 'locations/global/securityPolicies/{{policy_id}}/addRule?priority={{priority}}'
+    update_verb: :POST
+    update_url: 'locations/global/securityPolicies/{{policy_id}}/patchRule?priority={{priority}}'
+    delete_verb: :POST
+    delete_url: 'locations/global/securityPolicies/{{policy_id}}/removeRule?priority={{priority}}'
+    description: |
+      A rule for the OrganizationSecurityPolicy.
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Creating firewall rules':
+          'https://cloud.google.com/vpc/docs/using-firewall-policies#create-rules'
+      api: 'https://cloud.google.com/compute/docs/reference/rest/beta/organizationSecurityPolicies/addRule'
+    parameters:
+      - !ruby/object:Api::Type::String
+        name: policyId
+        description: |
+          The ID of the OrganizationSecurityPolicy this rule applies to.
+        required: true
+        input: true
+        url_param_only: true
+    properties:
+      - !ruby/object:Api::Type::String
+        name: 'description'
+        description: |
+          A description of the rule.
+      - !ruby/object:Api::Type::Integer
+        name: 'priority'
+        description: |
+          An integer indicating the priority of a rule in the list. The priority must be a value
+          between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
+          highest priority and 2147483647 is the lowest prority.
+        required: true
+        input: true
+      - !ruby/object:Api::Type::NestedObject
+        name: 'match'
+        description:
+          A match condition that incoming traffic is evaluated against. If it evaluates to true,
+          the corresponding 'action' is enforced.
+        required: true
+        properties:
+          - !ruby/object:Api::Type::String
+            name: 'description'
+            description: |
+              A description of the rule.
+          - !ruby/object:Api::Type::Enum
+            name: 'versionedExpr'
+            description: |
+              Preconfigured versioned expression. For organization security policy rules,
+              the only supported type is "FIREWALL".
+            values:
+              - :FIREWALL
+            default_value: :FIREWALL
+          - !ruby/object:Api::Type::NestedObject
+            name: 'config'
+            description:
+              The configuration options for matching the rule.
+            required: true
+            properties:
+            - !ruby/object:Api::Type::Array
+              name: 'srcIpRanges'
+              description: |
+                Source IP address range in CIDR format. Required for
+                INGRESS rules.
+              item_type: Api::Type::String
+              exactly_one_of:
+                - match.0.config.0.src_ip_ranges
+                - match.0.config.0.dest_ip_ranges
+            - !ruby/object:Api::Type::Array
+              name: 'destIpRanges'
+              description: |
+                Destination IP address range in CIDR format. Required for
+                EGRESS rules.
+              item_type: Api::Type::String
+              exactly_one_of:
+                - match.0.config.0.src_ip_ranges
+                - match.0.config.0.dest_ip_ranges
+            - !ruby/object:Api::Type::Array
+              name: 'layer4Config'
+              api_name: 'layer4Configs'
+              description: |
+                Pairs of IP protocols and ports that the rule should match.
+              required: true
+              item_type: !ruby/object:Api::Type::NestedObject
+                properties:
+                  - !ruby/object:Api::Type::String
+                    name: 'ipProtocol'
+                    description: |
+                      The IP protocol to which this rule applies. The protocol
+                      type is required when creating a firewall rule.
+                      This value can either be one of the following well
+                      known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
+                      or the IP protocol number.
+                    required: true
+                  - !ruby/object:Api::Type::Array
+                    item_type: Api::Type::String
+                    name: 'ports'
+                    description: |
+                      An optional list of ports to which this rule applies. This field
+                      is only applicable for UDP or TCP protocol. Each entry must be
+                      either an integer or a range. If not specified, this rule
+                      applies to connections through any port.
+
+                      Example inputs include: ["22"], ["80","443"], and
+                      ["12345-12349"].
+      - !ruby/object:Api::Type::String
+        name: 'action'
+        description: |
+          The Action to perform when the client connection triggers the rule. Can currently be either
+          "allow", "deny" or "goto_next".
+        required: true
+      - !ruby/object:Api::Type::Boolean
+        name: 'preview'
+        description: |
+          If set to true, the specified action is not enforced.
+      - !ruby/object:Api::Type::Enum
+        name: 'direction'
+        description: |
+          The direction in which this rule applies. If unspecified an INGRESS rule is created.
+        values:
+        - :INGRESS
+        - :EGRESS
+      - !ruby/object:Api::Type::Array
+        name: 'targetResources'
+        description: |
+          A list of network resource URLs to which this rule applies.
+          This field allows you to control which network's VMs get
+          this rule. If this field is left blank, all VMs
+          within the organization will receive the rule.
+        item_type: Api::Type::String
+      - !ruby/object:Api::Type::Boolean
+        name: 'enableLogging'
+        description: |
+          Denotes whether to enable logging for a particular rule.
+          If logging is enabled, logs will be exported to the
+          configured export destination in Stackdriver.
+        send_empty_value: true
+      - !ruby/object:Api::Type::Array
+        name: 'targetServiceAccounts'
+        description: |
+          A list of service accounts indicating the sets of
+          instances that are applied with this rule.
+        item_type: Api::Type::String
   - !ruby/object:Api::Resource
     name: 'PacketMirroring'
     min_version: beta
@@ -12090,7 +12331,7 @@ objects:
             - !ruby/object:Api::Type::Integer
               name: 'priority'
               description: |
-                An integer indicating the priority of a rule in the list. The priority must be a positive value
+                An integer indicating the priority of a rule in the list. The priority must be a value
                 between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
                 highest priority and 2147483647 is the lowest prority.
             - !ruby/object:Api::Type::String

products/compute/inspec.yaml

@@ -114,6 +114,12 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     exclude: true
   NetworkPeeringRoutesConfig: !ruby/object:Overrides::Inspec::ResourceOverride
     exclude: true
+  OrganizationSecurityPolicy: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
+  OrganizationSecurityPolicyAssociation: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
+  OrganizationSecurityPolicyRule: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
   PacketMirroring:  !ruby/object:Overrides::Inspec::ResourceOverride
     exclude: true
   ProjectInfo:  !ruby/object:Overrides::Inspec::ResourceOverride

products/compute/terraform.yaml

@@ -1275,6 +1275,71 @@ overrides: !ruby/object:Overrides::ResourceOverrides
           If it is not provided, the provider region is used.
       serverBinding: !ruby/object:Overrides::Terraform::PropertyOverride
         default_from_api: true
+  OrganizationSecurityPolicy: !ruby/object:Overrides::Terraform::ResourceOverride
+    id_format: "locations/global/securityPolicies/{{policy_id}}"
+    self_link: "locations/global/securityPolicies/{{policy_id}}"
+    import_format: ["locations/global/securityPolicies/{{policy_id}}"]
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "organization_security_policy_basic"
+        primary_resource_id: "policy"
+        min_version: 'beta'
+        test_env_vars:
+          org_id: :ORG_ID
+    parameters:
+      displayName: !ruby/object:Overrides::Terraform::PropertyOverride
+        validation: !ruby/object:Provider::Terraform::Validation
+          function: 'validateRFC1035Name(2, 63)'
+    properties:
+      id: !ruby/object:Overrides::Terraform::PropertyOverride
+        name: policy_id
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      post_create: templates/terraform/post_create/org_security_policy.go.erb
+      post_update: templates/terraform/post_update/org_security_policy.go.erb
+      post_delete: templates/terraform/post_delete/org_security_policy.go.erb
+      # TODO: Remove once b/154369201 is closed.
+      test_check_destroy: templates/terraform/custom_check_destroy/skip_delete_during_test.go.erb
+  OrganizationSecurityPolicyAssociation: !ruby/object:Overrides::Terraform::ResourceOverride
+    id_format: "{{policy_id}}/association/{{name}}"
+    import_format: ["{{policy_id}}/association/{{name}}"]
+    base_url: '{{policy_id}}'
+    self_link: '{{policy_id}}/getAssociation?name={{name}}'
+    create_url: '{{policy_id}}/addAssociation'
+    delete_url: '{{policy_id}}/removeAssociation?name={{name}}'
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "organization_security_policy_association_basic"
+        primary_resource_id: "policy"
+        min_version: 'beta'
+        test_env_vars:
+          org_id: :ORG_ID
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      post_create: templates/terraform/post_create/org_security_policy_association.go.erb
+      post_delete: templates/terraform/post_create/org_security_policy_association.go.erb
+      # TODO: Remove once b/154369201 is closed.
+      test_check_destroy: templates/terraform/custom_check_destroy/skip_delete_during_test.go.erb
+  OrganizationSecurityPolicyRule: !ruby/object:Overrides::Terraform::ResourceOverride
+    id_format: "{{policy_id}}/priority/{{priority}}"
+    import_format: ["{{policy_id}}/priority/{{priority}}"]
+    base_url: '{{policy_id}}'
+    self_link: '{{policy_id}}/getRule?priority={{priority}}'
+    create_url: '{{policy_id}}/addRule?priority={{priority}}'
+    update_url: '{{policy_id}}/patchRule?priority={{priority}}'
+    delete_url: '{{policy_id}}/removeRule?priority={{priority}}'
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "organization_security_policy_rule_basic"
+        primary_resource_id: "policy"
+        min_version: 'beta'
+        test_env_vars:
+          org_id: :ORG_ID
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      custom_import: templates/terraform/custom_import/organization_security_policy_rule.go.erb
+      post_create: templates/terraform/post_create/org_security_policy_rule.go.erb
+      post_delete: templates/terraform/post_create/org_security_policy_rule.go.erb
+      post_update: templates/terraform/post_create/org_security_policy_rule.go.erb
+      # TODO: Remove once b/154369201 is closed.
+      test_check_destroy: templates/terraform/custom_check_destroy/skip_delete_during_test.go.erb
   PacketMirroring: !ruby/object:Overrides::Terraform::ResourceOverride
     examples:
       - !ruby/object:Provider::Terraform::Examples

provider/terraform.rb

@@ -229,6 +229,7 @@ def generate_resource_sweepers(pwd, data)
       return if data.object.skip_sweeper ||
                 data.object.custom_code.custom_delete ||
                 data.object.custom_code.pre_delete ||
+                data.object.custom_code.post_delete ||
                 data.object.skip_delete
 
       name = data.object.filename_override || data.object.name.underscore

provider/terraform/custom_code.rb

@@ -103,6 +103,8 @@ class CustomCode < Api::Object
       # useful to prepare an object for deletion, e.g. by detaching
       # a disk before deleting it.
       attr_reader :pre_delete
+      # This code is run just after the Delete call happens.
+      attr_reader :post_delete
       # This code replaces the entire delete method.  Since the delete
       # method's function header can't be changed, the template
       # inserts that for you - do not include it in your custom code.

provider/terraform_object_library.rb

@@ -50,6 +50,8 @@ def compile_common_files(output_folder, products, _common_compile_file)
         products
       )
       compile_file_list(output_folder, [
+                          ['google/compute_operation.go',
+                           'third_party/terraform/utils/compute_operation.go.erb'],
                           ['google/config.go',
                            'third_party/terraform/utils/config.go.erb'],
                           ['google/utils.go',
@@ -111,8 +113,6 @@ def copy_common_files(output_folder)
                         'third_party/terraform/utils/bigtable_client_factory.go'],
                        ['google/common_operation.go',
                         'third_party/terraform/utils/common_operation.go'],
-                       ['google/compute_operation.go',
-                        'third_party/terraform/utils/compute_operation.go'],
                        ['google/compute_shared_operation.go',
                         'third_party/terraform/utils/compute_shared_operation.go'],
                        ['google/compute_instance_helpers.go',