Add securityProfileGroup and tlsInspect in firewall policy Rule

[imrannayer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

1. Add securityProfileGroup and tlsInspect in google_compute_firewall_policy_rule, google_compute_network_firewall_policy_rule and google_compute_region_network_firewall_policy_rule.
2. Allow APPLY_SECURITY_PROFILE_GROUP value in action field

https://cloud.google.com/compute/docs/reference/rest/beta/firewallPolicies

New or Affected Resource(s)

• google_compute_network_firewall_policy_rule
• google_compute_firewall_policy_rule
• google_compute_region_network_firewall_policy_rule

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

References

• #0000

b/321386368

[LucaPrete]

Working on this. You can assign it to me.

[imrannayer]

@LucaPrete is there an ETA on this?

[LucaPrete]

Yes. This is already done. It should be published by May 6th. Il giorno lun 29 apr 2024 alle 13:37 Imran Nayer ***@***.***> ha scritto:

…

@LucaPrete <https://github.com/LucaPrete> is there an ETA on this? — Reply to this email directly, view it on GitHub <#17030 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AARY7UDLTWF6NGAGJYQOUULY7YWJLAVCNFSM6AAAAABB7AK6GKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOBSGQ4TANRUHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[imrannayer]

@LucaPrete whats the PR for this? I dont see anything in May 6 release.

[LucaPrete]

Hello @imrannayer.

These resources are DCL based. Code was developed internally. This is the PR where I upgraded DCL to 1.66.0.

Unfortunately, this hasn't made it to the release yet because we lack some acceptance tests, which I've committed in a draft PR.
FYI this is still failing because we need to wait to send all NGFW resources to GA first.

We can definitely reopen if you wish.

[LucaPrete]

FYI code is there since three weeks. The only reason I left this open is that we still miss tests, which we had to commit separately and are still under review.

The PR is also waiting for review, as we've found a bug in for tlsInspect which we need to fix and revalidate first. WIP. I'll update the thread as soon as I'll have news.

[imrannayer]

@LucaPrete thx. I tested it when it was released. It is working fine. Waiting for this PR so I can test tlsinspect.

[LucaPrete]

Imran, the PR was merged about a week ago and you can test it. Keep in mind we still have a bug in firewall policy rules when you set tls_inspect = false. We're working on it but nothing should prevent you from using it. Il giorno lun 20 mag 2024 alle ore 16:27 Imran Nayer < ***@***.***> ha scritto:

…

@LucaPrete <https://github.com/LucaPrete> thx. I tested it when it was released. It is working fine. Waiting for this PR <#18139> so I can test tlsinspect. — Reply to this email directly, view it on GitHub <#17030 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AARY7UHZI7MXSNVUGAY6HK3ZDIB6PAVCNFSM6AAAAABB7AK6GKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRQGU3TKNJSGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.