From 03204b045888b43b5fc25f50cf65a0625809de91 Mon Sep 17 00:00:00 2001 From: Luca Prete Date: Mon, 11 Mar 2024 18:32:13 +0100 Subject: [PATCH] [#15779] Add google_network_security_firewall_endpoint_association resource (#9815) * [#15779] Add google_network_security_firewall_endpoint_association resource * Fixing tests * Fixes * Add test for update --------- Co-authored-by: Luca Prete --- .../FirewallEndpointAssociation.yaml | 122 ++++++++++++++ ...firewall_endpoint_association_basic.tf.erb | 21 +++ ..._firewall_endpoint_association_test.go.erb | 154 ++++++++++++++++++ 3 files changed, 297 insertions(+) create mode 100644 mmv1/products/networksecurity/FirewallEndpointAssociation.yaml create mode 100644 mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb create mode 100644 mmv1/third_party/terraform/services/networksecurity/resource_network_security_firewall_endpoint_association_test.go.erb diff --git a/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml b/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml new file mode 100644 index 000000000000..9a49eb7496fb --- /dev/null +++ b/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml 
@@ -0,0 +1,122 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Resource
+name: 'FirewallEndpointAssociation'
+base_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations'
+create_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations?firewallEndpointId={{name}}'
+self_link: '{{parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}'
+min_version: beta
+update_verb: :PATCH
+update_mask: true
+description: |
+ Firewall endpoint association links a firewall endpoint to a VPC network in
+ the same zone. After you define this association, Cloud Firewall forwards the
+ zonal workload traffic in your VPC network that requires layer 7 inspection to
+ the attached firewall endpoint. 
+references:
+ !ruby/object:Api::Resource::ReferenceLinks
+ api: 'https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/projects.locations.firewallEndpointAssociations#FirewallEndpointAssociation'
+ guides:
+ 'Firewall endpoint overview': 'https://cloud.google.com/firewall/docs/about-firewall-endpoints'
+ 'Create and associate firewall endpoints': 'https://cloud.google.com/firewall/docs/configure-firewall-endpoints'
+async: !ruby/object:Api::OpAsync
+ include_project: true
+ operation: !ruby/object:Api::OpAsync::Operation
+ base_url: '{{op_id}}'
+ result: !ruby/object:Api::OpAsync::Result
+ resource_inside_response: true
+import_format: [
+ '{{%parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}'
+]
+examples:
+ - !ruby/object:Provider::Terraform::Examples
+ name: 'network_security_firewall_endpoint_association_basic'
+ primary_resource_id: 'default'
+ # Handwritten test will take care of creates and updates.
+ # Firewall endpoint association creation is subjet to firewall endpoint creation which is long and expensive.
+ skip_test: true
+ min_version: beta
+ vars:
+ resource_name_prefix: 'my-firewall-endpoint'
+ test_env_vars:
+ org_id: :ORG_ID
+ project: :PROJECT_NAME
+parameters:
+ - !ruby/object:Api::Type::String
+ name: 'name'
+ required: true
+ immutable: true
+ url_param_only: true
+ description: |
+ The name of the firewall endpoint association resource.
+ - !ruby/object:Api::Type::String
+ name: 'location'
+ required: true
+ immutable: true
+ description: |
+ The location (zone) of the firewall endpoint association.
+ url_param_only: true
+ - !ruby/object:Api::Type::String
+ name: 'parent'
+ description: |
+ The name of the parent this firewall endpoint association belongs to.
+ Format: projects/{project_id}. 
+ immutable: true
+ url_param_only: true
+properties:
+ - !ruby/object:Api::Type::String
+ name: 'firewallEndpoint'
+ required: true
+ description: |
+ The URL of the firewall endpoint that is being associated.
+ - !ruby/object:Api::Type::String
+ name: 'network'
+ required: true
+ description: |
+ The URL of the network that is being associated.
+ - !ruby/object:Api::Type::String
+ name: 'tlsInspectionPolicy'
+ description: |
+ The URL of the TlsInspectionPolicy that is being associated.
+ - !ruby/object:Api::Type::KeyValueLabels
+ name: 'labels'
+ description: |
+ A map of key/value label pairs to assign to the resource.
+ - !ruby/object:Api::Type::String
+ name: 'selfLink'
+ description: |
+ Server-defined URL of this resource.
+ output: true
+ - !ruby/object:Api::Type::Time
+ name: 'createTime'
+ description: Time the firewall endpoint was created in UTC.
+ output: true
+ - !ruby/object:Api::Type::Time
+ name: 'updateTime'
+ description: Time the firewall endpoint was updated in UTC.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'reconciling'
+ description: |
+ Whether reconciling is in progress, recommended per https://google.aip.dev/128.
+ output: true
+ - !ruby/object:Api::Type::Enum
+ name: 'state'
+ description: The current state of the endpoint.
+ output: true
+ values:
+ - :ACTIVE
+ - :CREATING
+ - :DELETING
+ - :INACTIVE
diff --git a/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb b/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb
new file mode 100644
index 000000000000..ce6b59347058
--- /dev/null
+++ b/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb 
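Review bot: `create_url` sends the query parameter `firewallEndpointId={{name}}`, which reads as a copy from the FirewallEndpoint resource; the v1beta1 create method for associations in the reference linked under `references` takes `firewallEndpointAssociationId`, so as written the requested name would presumably be ignored or the call rejected — confirm against that reference and change to `create_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations?firewallEndpointAssociationId={{name}}'`. Separately, the `createTime`, `updateTime` and `state` descriptions still say "firewall endpoint"/"endpoint" where this resource is the association, and the example comment misspells `subjet`. The `parent` description also documents `projects/{project_id}` while the handwritten test in this patch passes an organization parent; the two should agree.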
@@ -0,0 +1,21 @@
+resource "google_network_security_firewall_endpoint" "<%= ctx[:primary_resource_id] %>" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['resource_name_prefix'] %>"
+ parent = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
+ location = "us-central1-a"
+
+ labels = {
+ foo = "bar"
+ }
+}
+
+resource "google_network_security_firewall_endpoint_association" "<%= ctx[:primary_resource_id] %>_association" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['resource_name_prefix'] %>-association"
+ parent = "projects/<%= ctx[:test_env_vars]['project'] %>"
+ location = "us-central1-a"
+
+ labels = {
+ foo = "bar"
+ }
+}
diff --git a/mmv1/third_party/terraform/services/networksecurity/resource_network_security_firewall_endpoint_association_test.go.erb b/mmv1/third_party/terraform/services/networksecurity/resource_network_security_firewall_endpoint_association_test.go.erb
new file mode 100644
index 000000000000..e10e75113914
--- /dev/null
+++ b/mmv1/third_party/terraform/services/networksecurity/resource_network_security_firewall_endpoint_association_test.go.erb 
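Review bot: The `google_network_security_firewall_endpoint_association` block in this example omits `firewall_endpoint` and `network`, both declared `required: true` in the FirewallEndpointAssociation.yaml of this patch, so the generated documentation shows a configuration that cannot be applied, and `skip_test: true` means no generated test will catch it. Add `firewall_endpoint = google_network_security_firewall_endpoint.<%= ctx[:primary_resource_id] %>.id` plus a `network` reference to a `google_compute_network` that the example would also need to declare, mirroring what the handwritten test config does.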
@@ -0,0 +1,154 @@
+<% autogen_exception -%>
+package networksecurity_test
+<% unless version == 'ga' -%>
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+ "github.com/hashicorp/terraform-provider-google/google/acctest"
+ "github.com/hashicorp/terraform-provider-google/google/envvar"
+ transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+ "github.com/hashicorp/terraform-provider-google/google/tpgresource"
+)
+
+func TestAccNetworkSecurityFirewallEndpointAssociations_basic(t *testing.T) {
+ acctest.SkipIfVcr(t)
+ t.Parallel()
+
+ orgId := envvar.GetTestOrgFromEnv(t)
+ randomSuffix := acctest.RandString(t, 10)
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+ CheckDestroy: testAccCheckNetworkSecurityFirewallEndpointDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccNetworkSecurityFirewallEndpointAssociation_basic(randomSuffix, orgId, ),
+ },
+ {
+ ResourceName: "google_network_security_firewall_endpoint_association.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+ },
+ {
+ Config: testAccNetworkSecurityFirewallEndpointAssociation_update(randomSuffix, orgId, ),
+ },
+ {
+ ResourceName: "google_network_security_firewall_endpoint_association.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+ },
+ },
+ })
+}
+
+func testAccNetworkSecurityFirewallEndpointAssociation_basic(randomSuffix string, orgId string) string {
+ return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+ provider = google-beta
+ name = "tf-test-my-vpc%s"
+ auto_create_subnetworks = false
+}
+
+resource "google_network_security_firewall_endpoint" "foobar" {
+ 
provider = google-beta
+ name = "tf-test-my-firewall-endpoint%s"
+ parent = "organizations/%s"
+ location = "us-central1-a"
+}
+
+# TODO: add tlsInspectionPolicy once resource is ready
+resource "google_network_security_firewall_endpoint_association" "foobar" {
+ provider = google-beta
+ name = "tf-test-my-firewall-endpoint%s"
+ parent = "organizations/%s"
+ location = "us-central1-a"
+ firewall_endpoint = google_network_security_firewall_endpoint.foobar.id
+ network = google_compute_network.foobar.id
+
+ labels = {
+ foo = "bar"
+ }
+}
+`, randomSuffix, randomSuffix, orgId, randomSuffix, orgId)
+}
+
+func testAccNetworkSecurityFirewallEndpointAssociation_update(randomSuffix string, orgId string) string {
+ return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+ provider = google-beta
+ name = "tf-test-my-vpc%s"
+ auto_create_subnetworks = false
+}
+
+resource "google_network_security_firewall_endpoint" "foobar" {
+ provider = google-beta
+ name = "tf-test-my-firewall-endpoint%s"
+ parent = "organizations/%s"
+ location = "us-central1-a"
+}
+
+# TODO: add tlsInspectionPolicy once resource is ready
+resource "google_network_security_firewall_endpoint_association" "foobar" {
+ provider = google-beta
+ name = "tf-test-my-firewall-endpoint%s"
+ parent = "organizations/%s"
+ location = "us-central1-a"
+ firewall_endpoint = google_network_security_firewall_endpoint.foobar.id
+ network = google_compute_network.foobar.id
+
+ labels = {
+ foo = "bar-updated"
+ }
+}
+`, randomSuffix, randomSuffix, orgId, randomSuffix, orgId)
+}
+
+func testAccCheckNetworkSecurityFirewallEndpointAssociationDestroyProducer(t *testing.T) func(s *terraform.State) error {
+ return func(s *terraform.State) error {
+ for name, rs := range s.RootModule().Resources {
+ if rs.Type != "google_network_security_firewall_endpoint_association" {
+ continue
+ }
+ if strings.HasPrefix(name, "data.") {
+ continue
+ }
+
+ config := acctest.GoogleProviderConfig(t)
+
+ url, err := 
tpgresource.ReplaceVarsForTest(config, rs, "{{NetworkSecurityBasePath}}{{parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}")
+ if err != nil {
+ return err
+ }
+
+ billingProject := ""
+
+ if config.BillingProject != "" {
+ billingProject = config.BillingProject
+ }
+
+ _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+ Config: config,
+ Method: "GET",
+ Project: billingProject,
+ RawURL: url,
+ UserAgent: config.UserAgent,
+ })
+ if err == nil {
+ return fmt.Errorf("NetworkSecurityFirewallEndpointAssociation still exists at %s", url)
+ }
+ }
+
+ return nil
+ }
+}
+
+<% end -%>
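Review bot: `CheckDestroy` in the TestCase is wired to `testAccCheckNetworkSecurityFirewallEndpointDestroyProducer(t)`, the firewall endpoint's checker from elsewhere in the package, while the association checker this hunk defines, `testAccCheckNetworkSecurityFirewallEndpointAssociationDestroyProducer`, is never referenced, so an association left behind after the test would go unnoticed; change the line to `CheckDestroy: testAccCheckNetworkSecurityFirewallEndpointAssociationDestroyProducer(t),`. Both config helpers also give the association `parent = "organizations/%s"`, whereas the YAML in this patch documents the association parent as `projects/{project_id}` and the example template uses a project, so one of the two is presumably wrong and the apply step will show which. The `orgId, )` argument lists are legal Go but not what gofmt emits; dropping the trailing comma and space keeps the generated file formatter-clean.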