From 0d00fff4d486c6c190bcfea475916858aae950c0 Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Wed, 8 Apr 2026 13:32:08 -0400 Subject: [PATCH 01/17] Add postQuantumKeyExchange field to SslPolicy and RegionSslPolicy resources --- mmv1/products/compute/RegionSslPolicy.yaml | 20 +++++ mmv1/products/compute/SslPolicy.yaml | 15 ++++ .../examples/region_ssl_policy_basic.tf.tmpl | 13 +++ .../examples/ssl_policy_basic.tf.tmpl | 7 ++ ...rce_compute_region_ssl_policy_test.go.tmpl | 69 ++++++++++++++++ .../resource_compute_ssl_policy_test.go.tmpl | 82 +++++++++++++++++++ 6 files changed, 206 insertions(+) create mode 100644 mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index c4ed866b4ec3..7e01574dafa2 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml @@ -43,6 +43,12 @@ custom_code: constants: 'templates/terraform/constants/region_ssl_policy.tmpl' custom_diff: - 'regionSslPolicyCustomizeDiff' +examples: + - name: 'region_ssl_policy_basic' + primary_resource_id: 'region-ssl-policy' + vars: + region_ssl_policy_name: 'region-ssl-policy' + post_quantum_region_ssl_policy_name: 'region-post-quantum-ssl-policy' parameters: - name: 'region' type: ResourceRef 
@@ -129,6 +135,20 @@ properties: send_empty_value: true item_type: type: String + - name: 'postQuantumKeyExchange' + api_name: 'postQuantumKeyExchange' + type: Enum + description: | + Controls whether the load balancer allows negotiating X25519MLKEM768 key exchange when clients advertise support for it. + + When set to `ENABLED`, the load balancer allows X25519MLKEM768 key exchange. + When set to `DEFAULT`, or if no SSL Policy is attached to the Target proxy, the load balancer disallows X25519MLKEM768 key exchange until October 2026, when it will start allowing it. + When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. + default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED" + enum_values: + - 'DEFAULT' + - 'ENABLED' + - 'DEFERRED' - name: 'fingerprint' type: Fingerprint description: | diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index 64954449e8c1..5adb7b4176e7 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml @@ -50,6 +50,7 @@ examples: production_ssl_policy_name: 'production-ssl-policy' nonprod_ssl_policy_name: 'nonprod-ssl-policy' custom_ssl_policy_name: 'custom-ssl-policy' + post_quantum_ssl_policy_name: 'post-quantum-ssl-policy' parameters: properties: - name: 'creationTimestamp' 
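Review bot: The `postQuantumKeyExchange` property added to RegionSslPolicy.yaml declares `default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED"`, which is not one of its own `enum_values` (`DEFAULT`, `ENABLED`, `DEFERRED`), so the schema default is a value the enum does not list. The identical property added to SslPolicy.yaml has the same mismatch. I would drop the `default_value` line and leave the field unset by default. The description should also state that `DEFAULT` and `DEFERRED` are date-dependent and that, going by the text, no listed value keeps X25519MLKEM768 off permanently, for example `The effective behaviour of DEFAULT and DEFERRED changes on the stated dates without any configuration change; set ENABLED for a fixed posture.`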
@@ -128,6 +129,20 @@ properties: is_set: true item_type: type: String + - name: 'postQuantumKeyExchange' + api_name: 'postQuantumKeyExchange' + type: Enum + description: | + Controls whether the load balancer allows negotiating X25519MLKEM768 key exchange when clients advertise support for it. + + When set to `ENABLED`, the load balancer allows X25519MLKEM768 key exchange. + When set to `DEFAULT`, or if no SSL Policy is attached to the Target proxy, the load balancer disallows X25519MLKEM768 key exchange until October 2026, when it will start allowing it. + When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. + default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED" + enum_values: + - 'DEFAULT' + - 'ENABLED' + - 'DEFERRED' - name: 'fingerprint' type: String description: | diff --git a/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl b/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl new file mode 100644 index 000000000000..e310da3693f8 --- /dev/null +++ b/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl @@ -0,0 +1,13 @@ +resource "google_compute_region_ssl_policy" "region-ssl-policy" { + name = "{{index $.Vars "region_ssl_policy_name"}}" + region = "us-central1" + profile = "MODERN" +} + +resource "google_compute_region_ssl_policy" "region-post-quantum-ssl-policy" { + name = "{{index $.Vars "post_quantum_region_ssl_policy_name"}}" + region = "us-central1" + profile = "MODERN" + min_tls_version = "TLS_1_2" + post_quantum_key_exchange = "ENABLED" +} diff --git a/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl b/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl index e76e691a6d6f..68ddb3060325 100644 --- a/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl +++ b/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl 
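Review bot: The `region-post-quantum-ssl-policy` example in the new region_ssl_policy_basic.tf.tmpl pairs `post_quantum_key_exchange = "ENABLED"` with `min_tls_version = "TLS_1_2"` and gives no hint that the setting is opportunistic. X25519MLKEM768 is a TLS 1.3 key-exchange group, and the field description says it is negotiated only when the client advertises it, so connections that land on TLS 1.2 under this policy still use classical key exchange. A comment above the attribute would stop readers from treating the example as a post-quantum guarantee: `# Allows X25519MLKEM768 when the client offers it over TLS 1.3; TLS 1.2 connections are unaffected.` The same applies to the `post-quantum-ssl-policy` block added to ssl_policy_basic.tf.tmpl.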
@@ -15,3 +15,10 @@ resource "google_compute_ssl_policy" "custom-ssl-policy" { profile = "CUSTOM" custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] } + +resource "google_compute_ssl_policy" "post-quantum-ssl-policy" { + name = "{{index $.Vars "post_quantum_ssl_policy_name"}}" + profile = "MODERN" + min_tls_version = "TLS_1_2" + post_quantum_key_exchange = "ENABLED" +} diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl index 86d4cf218ece..233870eb8d4e 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl 
@@ -218,6 +218,63 @@ func TestAccComputeRegionSslPolicy_update_from_custom(t *testing.T) { }) } +func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { + t.Parallel() + + var sslPolicy compute.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "ENABLED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeRegionSslPolicyExists( + t, "google_compute_region_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", "ENABLED"), + ), + }, + { + ResourceName: "google_compute_region_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "DEFERRED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeRegionSslPolicyExists( + t, "google_compute_region_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFERRED"), + ), + }, + { + ResourceName: "google_compute_region_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "DEFAULT"), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeRegionSslPolicyExists( + t, "google_compute_region_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFAULT"), + ), + }, + { + ResourceName: "google_compute_region_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: 
true, + }, + }, + }) +} + func testAccCheckComputeRegionSslPolicyExists(t *testing.T, n string, sslPolicy *compute.SslPolicy) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -336,3 +393,15 @@ resource "google_compute_region_ssl_policy" "foobar" { } `, resourceName) } + +func testAccComputeRegionSslPostQuantum(resourceName, pqke string) string { + return fmt.Sprintf(` +resource "google_compute_region_ssl_policy" "post_quantum" { + name = "%%s" + profile = "MODERN" + min_tls_version = "TLS_1_2" + region = "us-central1" + post_quantum_key_exchange = "%%s" +} +`, resourceName, pqke) +} diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl index 8984a2652c7d..8b1006925c22 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl 
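Review bot: `TestAccComputeRegionSslPolicy_postQuantumKeyExchange` sets `CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t)`, which by its name is the destroy check for the global `google_compute_ssl_policy` resource, while every step here manages a `google_compute_region_ssl_policy`. The producer's body is not in this hunk, but if it only walks global policies, the test never confirms that the regional policy was deleted and a leaked policy would go unnoticed. Use a region-specific destroy check if the package has one, or record the assumption with a comment such as `// NOTE: reuses the global SSL policy destroy check; confirm it covers regional policies.`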
@@ -188,6 +188,77 @@ func TestAccComputeSslPolicy_update_from_custom(t *testing.T) { }) } +func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) { + t.Parallel() + + var sslPolicy compute.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeSslPostQuantum(sslPolicyName, "ENABLED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + t, "google_compute_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "ENABLED"), + ), + }, + { + ResourceName: "google_compute_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeSslPostQuantum(sslPolicyName, "DEFAULT"), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + t, "google_compute_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFAULT"), + ), + }, + { + ResourceName: "google_compute_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeSslPostQuantum(sslPolicyName, "ENABLED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + t, "google_compute_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "ENABLED"), + ), + }, + { + ResourceName: "google_compute_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeSslPostQuantum(sslPolicyName, "DEFERRED"), + Check: 
resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + t, "google_compute_ssl_policy.post_quantum", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFERRED"), + ), + }, + { + ResourceName: "google_compute_ssl_policy.post_quantum", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func testAccCheckComputeSslPolicyExists(t *testing.T, n string, sslPolicy *compute.SslPolicy) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -279,3 +350,14 @@ resource "google_compute_ssl_policy" "update" { } `, resourceName) } + +func testAccComputeSslPostQuantum(resourceName, pqke string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "post_quantum" { + name = "%%s" + profile = "MODERN" + min_tls_version = "TLS_1_2" + post_quantum_key_exchange = "%%s" +} +`, resourceName, pqke) +} From 316e385d81f05a1c3b425dd36cf8be45c32fd20b Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Wed, 8 Apr 2026 13:48:31 -0400 Subject: [PATCH 02/17] Update test for region SSL policies & remove pqke default enum --- mmv1/products/compute/RegionSslPolicy.yaml | 1 - mmv1/products/compute/SslPolicy.yaml | 1 - ...rce_compute_region_ssl_policy_test.go.tmpl | 20 ++++++++++++++++++- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 7e01574dafa2..1abaac3b375e 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml 
@@ -144,7 +144,6 @@ properties: When set to `ENABLED`, the load balancer allows X25519MLKEM768 key exchange. When set to `DEFAULT`, or if no SSL Policy is attached to the Target proxy, the load balancer disallows X25519MLKEM768 key exchange until October 2026, when it will start allowing it. When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. - default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED" enum_values: - 'DEFAULT' - 'ENABLED' diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index 5adb7b4176e7..067862a26c76 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml @@ -138,7 +138,6 @@ properties: When set to `ENABLED`, the load balancer allows X25519MLKEM768 key exchange. When set to `DEFAULT`, or if no SSL Policy is attached to the Target proxy, the load balancer disallows X25519MLKEM768 key exchange until October 2026, when it will start allowing it. When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. - default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED" enum_values: - 'DEFAULT' - 'ENABLED' diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl index 233870eb8d4e..b0e345455470 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl 
@@ -229,6 +229,24 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t), Steps: []resource.TestStep{ + { + Config: testAccComputeRegionSslUpdate1(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeRegionSslPolicyExists( + t, "google_compute_region_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_region_ssl_policy.update", "profile", "MODERN"), + resource.TestCheckResourceAttr( + "google_compute_region_ssl_policy.update", "min_tls_version", "TLS_1_0"), + resource.TestCheckResourceAttr( + "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", ""), + ), + }, + { + ResourceName: "google_compute_region_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, { Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "ENABLED"), Check: resource.ComposeTestCheckFunc( @@ -396,7 +414,7 @@ resource "google_compute_region_ssl_policy" "foobar" { func testAccComputeRegionSslPostQuantum(resourceName, pqke string) string { return fmt.Sprintf(` -resource "google_compute_region_ssl_policy" "post_quantum" { +resource "google_compute_region_ssl_policy" "postquantum" { name = "%%s" profile = "MODERN" min_tls_version = "TLS_1_2" From b42551ba2139f9aba5093cb9d40ebdc595f44efd Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Wed, 8 Apr 2026 15:20:33 -0400 Subject: [PATCH 03/17] Update formatting of ssl policy docstrings --- mmv1/products/compute/RegionSslPolicy.yaml | 15 ++++++++++----- mmv1/products/compute/SslPolicy.yaml | 16 +++++++++++----- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 1abaac3b375e..81d9c78a3682 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml 
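Review bot: The step added at the top of `Steps` applies `testAccComputeRegionSslUpdate1`, whose resource the other checks in that step address as `google_compute_region_ssl_policy.update`, yet its last check reads `google_compute_region_ssl_policy.post_quantum`, an address that config does not appear to declare. The second hunk then renames the helper's resource to `postquantum` while the later steps of the test still address `post_quantum`, so those checks would fail on a missing resource rather than on the attribute value. Keep one label throughout, e.g. change the new check to `"google_compute_region_ssl_policy.update", "post_quantum_key_exchange", ""` and leave the helper's resource named `post_quantum`. The test function begins and ends outside the first hunk.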
@@ -139,11 +139,16 @@ properties: api_name: 'postQuantumKeyExchange' type: Enum description: | - Controls whether the load balancer allows negotiating X25519MLKEM768 key exchange when clients advertise support for it. - - When set to `ENABLED`, the load balancer allows X25519MLKEM768 key exchange. - When set to `DEFAULT`, or if no SSL Policy is attached to the Target proxy, the load balancer disallows X25519MLKEM768 key exchange until October 2026, when it will start allowing it. - When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. + One of `DEFAULT`, `ENABLED`, or + `DEFERRED`. Controls whether the load balancer negotiates + X25519MLKEM768 key exchange when clients advertise support for it. + When set to `DEFAULT`, or if no SSL Policy is attached to + the target proxy, the load balancer disallows X25519MLKEM768 key + exchange before October 2026, and allows it afterward. When set to + `ENABLED`, the load balancer allows X25519MLKEM768 key + exchange. When set to `DEFERRED`, the load balancer + disallows X25519MLKEM768 key exchange until October 2027, and allows + it afterward. enum_values: - 'DEFAULT' - 'ENABLED' diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index 067862a26c76..c004f8f74414 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml 
@@ -133,11 +133,17 @@ properties: api_name: 'postQuantumKeyExchange' type: Enum description: | - Controls whether the load balancer allows negotiating X25519MLKEM768 key exchange when clients advertise support for it. - - When set to `ENABLED`, the load balancer allows X25519MLKEM768 key exchange. - When set to `DEFAULT`, or if no SSL Policy is attached to the Target proxy, the load balancer disallows X25519MLKEM768 key exchange until October 2026, when it will start allowing it. - When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. + One of DEFAULT, ENABLED, or + DEFERRED. Controls whether the load balancer negotiates + X25519MLKEM768 key exchange when clients advertise support for it. + When set to DEFAULT, or if no SSL Policy is attached to + the target proxy, the load balancer disallows X25519MLKEM768 key + exchange before October 2026, and allows it afterward. When set to + ENABLED, the load balancer allows X25519MLKEM768 key + exchange. When set to DEFERRED, the load balancer + disallows X25519MLKEM768 key exchange until October 2027, and allows + it afterward. + default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED" enum_values: - 'DEFAULT' - 'ENABLED' From c78fe85b1770532a0abe130ec8c5a9cbe10274b4 Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Wed, 8 Apr 2026 15:44:57 -0400 Subject: [PATCH 04/17] Reformat docs --- mmv1/products/compute/RegionSslPolicy.yaml | 3 +-- mmv1/products/compute/SslPolicy.yaml | 10 ++++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 81d9c78a3682..9cedc65bbbd5 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml 
@@ -139,8 +139,7 @@ properties: api_name: 'postQuantumKeyExchange' type: Enum description: | - One of `DEFAULT`, `ENABLED`, or - `DEFERRED`. Controls whether the load balancer negotiates + One of `DEFAULT`, `ENABLED`, or `DEFERRED`. Controls whether the load balancer negotiates X25519MLKEM768 key exchange when clients advertise support for it. When set to `DEFAULT`, or if no SSL Policy is attached to the target proxy, the load balancer disallows X25519MLKEM768 key diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index c004f8f74414..3de0d89bf2c8 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml @@ -133,17 +133,15 @@ properties: api_name: 'postQuantumKeyExchange' type: Enum description: | - One of DEFAULT, ENABLED, or - DEFERRED. Controls whether the load balancer negotiates + One of `DEFAULT`, `ENABLED`, or`DEFERRED`. Controls whether the load balancer negotiates X25519MLKEM768 key exchange when clients advertise support for it. - When set to DEFAULT, or if no SSL Policy is attached to + When set to `DEFAULT`, or if no SSL Policy is attached to the target proxy, the load balancer disallows X25519MLKEM768 key exchange before October 2026, and allows it afterward. When set to - ENABLED, the load balancer allows X25519MLKEM768 key - exchange. When set to DEFERRED, the load balancer + `ENABLED`, the load balancer allows X25519MLKEM768 key + exchange. When set to `DEFERRED`, the load balancer disallows X25519MLKEM768 key exchange until October 2027, and allows it afterward. - default_value: "POST_QUANTUM_KEY_EXCHANGE_UNSPECIFIED" enum_values: - 'DEFAULT' - 'ENABLED' From 5ee75ad58f5cc985cfe5cfd6531add2149238d44 Mon Sep 17 00:00:00 2001 
From: Jacque Li Date: Wed, 8 Apr 2026 16:40:54 -0400 Subject: [PATCH 05/17] Update docs and string formatting in tests --- mmv1/products/compute/SslPolicy.yaml | 4 ++-- .../compute/resource_compute_region_ssl_policy_test.go.tmpl | 4 ++-- .../compute/resource_compute_ssl_policy_test.go.tmpl | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index 3de0d89bf2c8..3a5c83634467 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml @@ -133,8 +133,8 @@ properties: api_name: 'postQuantumKeyExchange' type: Enum description: | - One of `DEFAULT`, `ENABLED`, or`DEFERRED`. Controls whether the load balancer negotiates - X25519MLKEM768 key exchange when clients advertise support for it. + One of `DEFAULT`, `ENABLED`, or `DEFERRED`. Controls whether the load balancer + negotiates X25519MLKEM768 key exchange when clients advertise support for it. When set to `DEFAULT`, or if no SSL Policy is attached to the target proxy, the load balancer disallows X25519MLKEM768 key exchange before October 2026, and allows it afterward. When set to diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl index b0e345455470..9164d42f724f 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl 
@@ -415,11 +415,11 @@ resource "google_compute_region_ssl_policy" "foobar" { func testAccComputeRegionSslPostQuantum(resourceName, pqke string) string { return fmt.Sprintf(` resource "google_compute_region_ssl_policy" "postquantum" { - name = "%%s" + name = "%s" profile = "MODERN" min_tls_version = "TLS_1_2" region = "us-central1" - post_quantum_key_exchange = "%%s" + post_quantum_key_exchange = "%s" } `, resourceName, pqke) } diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl index 8b1006925c22..bfca18e55ff3 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl @@ -200,7 +200,7 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) { CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccComputeSslPostQuantum(sslPolicyName, "ENABLED"), + Config: testAccComputeSslPostQuantum(sslPolicyName, ""), Check: resource.ComposeTestCheckFunc( testAccCheckComputeSslPolicyExists( t, "google_compute_ssl_policy.post_quantum", &sslPolicy), @@ -354,10 +354,10 @@ resource "google_compute_ssl_policy" "update" { func testAccComputeSslPostQuantum(resourceName, pqke string) string { return fmt.Sprintf(` resource "google_compute_ssl_policy" "post_quantum" { - name = "%%s" + name = "%s" profile = "MODERN" min_tls_version = "TLS_1_2" - post_quantum_key_exchange = "%%s" + post_quantum_key_exchange = "%s" } `, resourceName, pqke) } From 7c0ac0970a4beda5fe92b540073c2c5fcefecbff Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Tue, 5 May 2026 14:19:45 -0400 Subject: [PATCH 06/17] Check no setting for postquantum key exchange when not specified --- .../compute/resource_compute_ssl_policy_test.go.tmpl | 8 ++++++++ 1 file changed, 8 insertions(+) 
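Review bot: The first step of `TestAccComputeSslPolicy_postQuantumKeyExchange` now builds its config with `testAccComputeSslPostQuantum(sslPolicyName, "")`, but the check a few lines below in the same hunk still expects `post_quantum_key_exchange` to be `"ENABLED"`, so the step asserts a value the config no longer sets. Passing an empty string also renders `post_quantum_key_exchange = ""` rather than omitting the argument, which is not the same as testing a policy that never mentions the field; a separate config without the attribute would cover the unset case directly. At minimum, change the expected value to `""`. The test function starts and ends outside the hunk.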
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl index 889aca013433..94495f7a6965 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl @@ -36,6 +36,8 @@ func TestAccComputeSslPolicy_update(t *testing.T) { "google_compute_ssl_policy.update", "profile", "MODERN"), resource.TestCheckResourceAttr( "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_0"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "post_quantum_key_exchange", ""), ), }, { @@ -52,6 +54,8 @@ func TestAccComputeSslPolicy_update(t *testing.T) { "google_compute_ssl_policy.update", "profile", "RESTRICTED"), resource.TestCheckResourceAttr( "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_2"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "post_quantum_key_exchange", ""), ), }, { @@ -68,6 +72,8 @@ func TestAccComputeSslPolicy_update(t *testing.T) { "google_compute_ssl_policy.update", "profile", "FIPS_202205"), resource.TestCheckResourceAttr( "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_2"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "post_quantum_key_exchange", ""), ), }, { @@ -84,6 +90,8 @@ func TestAccComputeSslPolicy_update(t *testing.T) { "google_compute_ssl_policy.update", "profile", "RESTRICTED"), resource.TestCheckResourceAttr( "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_3"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "post_quantum_key_exchange", ""), ), }, { From 073438cb5217c3b5ef935b0a41bdc548a52490cc Mon Sep 17 00:00:00 2001 
From: Jacque Li Date: Wed, 13 May 2026 18:36:01 -0400 Subject: [PATCH 07/17] Fix test missing parameter tiest --- .../compute/resource_compute_region_ssl_policy_test.go.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl index 44593a99fdb7..540bc26fab99 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go.tmpl @@ -413,7 +413,7 @@ resource "google_compute_region_ssl_policy" "foobar" { `, resourceName) } -func testAccComputeRegionSslPostQuantum(resourceName, pqke string) string { +func testAccComputeRegionSslPostQuantum(resourceName string, pqke string) string { return fmt.Sprintf(` resource "google_compute_region_ssl_policy" "postquantum" { name = "%s" From f50f180fdc1960beb79c2a9eba3e8958e24dd7c2 Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Mon, 18 May 2026 10:43:04 -0400 Subject: [PATCH 08/17] Update region ssl policy test --- ...resource_compute_region_ssl_policy_test.go | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go index 7895b010dd60..955b56fdab26 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go 
@@ -9,7 +9,6 @@ import ( "github.com/hashicorp/terraform-provider-google/google/acctest" tpgcompute "github.com/hashicorp/terraform-provider-google/google/services/compute" transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport" - compute "google.golang.org/api/compute/v0.alpha" ) func TestAccComputeRegionSslPolicy_regionInherit(t *testing.T) { @@ -218,7 +217,7 @@ func TestAccComputeRegionSslPolicy_update_from_custom(t *testing.T) { func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { t.Parallel() - var sslPolicy compute.SslPolicy + var sslPolicy map[string]interface{} sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ @@ -230,17 +229,17 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { Config: testAccComputeRegionSslUpdate1(sslPolicyName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeRegionSslPolicyExists( - t, "google_compute_region_ssl_policy.update", &sslPolicy), + t, "google_compute_region_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.update", "profile", "MODERN"), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "profile", "MODERN"), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.update", "min_tls_version", "TLS_1_0"), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "min_tls_version", "TLS_1_0"), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", ""), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", ""), ), }, { - ResourceName: "google_compute_region_ssl_policy.update", + ResourceName: "google_compute_region_ssl_policy.post_quantum_key_exchange", ImportState: true, ImportStateVerify: true, }, 
@@ -248,13 +247,13 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "ENABLED"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeRegionSslPolicyExists( - t, "google_compute_region_ssl_policy.post_quantum", &sslPolicy), + t, "google_compute_region_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", "ENABLED"), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", "ENABLED"), ), }, { - ResourceName: "google_compute_region_ssl_policy.post_quantum", + ResourceName: "google_compute_region_ssl_policy.post_quantum_key_exchange", ImportState: true, ImportStateVerify: true, }, @@ -262,13 +261,13 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "DEFERRED"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeRegionSslPolicyExists( - t, "google_compute_region_ssl_policy.post_quantum", &sslPolicy), + t, "google_compute_region_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFERRED"), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", "DEFERRED"), ), }, { - ResourceName: "google_compute_region_ssl_policy.post_quantum", + ResourceName: "google_compute_region_ssl_policy.post_quantum_key_exchange", ImportState: true, ImportStateVerify: true, }, 
@@ -276,13 +275,13 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { Config: testAccComputeRegionSslPostQuantum(sslPolicyName, "DEFAULT"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeRegionSslPolicyExists( - t, "google_compute_region_ssl_policy.post_quantum", &sslPolicy), + t, "google_compute_region_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFAULT"), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", "DEFAULT"), ), }, { - ResourceName: "google_compute_region_ssl_policy.post_quantum", + ResourceName: "google_compute_region_ssl_policy.post_quantum_key_exchange", ImportState: true, ImportStateVerify: true, }, From e01b769d995d41225c6509dd2631bb28b0c75dbf Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Mon, 18 May 2026 11:12:50 -0400 Subject: [PATCH 09/17] Fix test formatting and add docs for pqke --- ...resource_compute_region_ssl_policy_test.go | 6 +-- .../resource_compute_ssl_policy_test.go.tmpl | 30 ++++++----- .../d/compute_region_ssl_policy.html.markdown | 54 +++++++++++++++++++ .../docs/d/compute_ssl_policy.html.markdown | 4 +- 4 files changed, 77 insertions(+), 17 deletions(-) create mode 100644 mmv1/third_party/terraform/website/docs/d/compute_region_ssl_policy.html.markdown diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go index 955b56fdab26..563a3e568d37 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go 
@@ -226,14 +226,14 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccComputeRegionSslUpdate1(sslPolicyName), + Config: testAccComputeRegionSslPostQuantum(sslPolicyName, ""), Check: resource.ComposeTestCheckFunc( testAccCheckComputeRegionSslPolicyExists( t, "google_compute_region_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( "google_compute_region_ssl_policy.post_quantum_key_exchange", "profile", "MODERN"), resource.TestCheckResourceAttr( - "google_compute_region_ssl_policy.post_quantum_key_exchange", "min_tls_version", "TLS_1_0"), + "google_compute_region_ssl_policy.post_quantum_key_exchange", "min_tls_version", "TLS_1_2"), resource.TestCheckResourceAttr( "google_compute_region_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", ""), ), @@ -416,7 +416,7 @@ resource "google_compute_region_ssl_policy" "foobar" { func testAccComputeRegionSslPostQuantum(resourceName string, pqke string) string { return fmt.Sprintf(` -resource "google_compute_region_ssl_policy" "postquantum" { +resource "google_compute_region_ssl_policy" "post_quantum_key_exchange" { name = "%s" profile = "MODERN" min_tls_version = "TLS_1_2" diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl index 94495f7a6965..55288572cef5 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go.tmpl 
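Review bot: Passing `""` to `testAccComputeRegionSslPostQuantum` in the first step does not obviously exercise the attribute-unset case that the `"post_quantum_key_exchange", ""` assertion implies; the helper's body lies outside these hunks, but if it interpolates the value as `post_quantum_key_exchange = "%s"`, the step applies an explicit empty string to an enum field instead of omitting it. A separate config without the attribute, or a comment on the helper such as `// pqke == "" leaves post_quantum_key_exchange unset`, would make the intent checkable; the same applies to the first step of `TestAccComputeSslPolicy_postQuantumKeyExchange` in resource_compute_ssl_policy_test.go.tmpl. Separately, this regional test keeps `CheckDestroy: testAccCheckComputeSslPolicyDestroyProducer(t)`, which by its name targets the global resource and presumably skips `google_compute_region_ssl_policy`, so a leaked regional policy would go unnoticed.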
@@ -212,13 +212,17 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) {
 Config: testAccComputeSslPostQuantum(sslPolicyName, ""),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckComputeSslPolicyExists(
- t, "google_compute_ssl_policy.post_quantum", &sslPolicy),
+ t, "google_compute_ssl_policy.post_quantum_key_exchange", &sslPolicy),
 resource.TestCheckResourceAttr(
- "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "ENABLED"),
+ "google_compute_ssl_policy.post_quantum_key_exchange", "profile", "MODERN"),
+ resource.TestCheckResourceAttr(
+ "google_compute_ssl_policy.post_quantum_key_exchange", "min_tls_version", "TLS_1_2"),
+ resource.TestCheckResourceAttr(
+ "google_compute_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", ""),
 ),
 },
 {
- ResourceName: "google_compute_ssl_policy.post_quantum",
+ ResourceName: "google_compute_ssl_policy.post_quantum_key_exchange",
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -226,13 +230,13 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) {
 Config: testAccComputeSslPostQuantum(sslPolicyName, "DEFAULT"),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckComputeSslPolicyExists(
- t, "google_compute_ssl_policy.post_quantum", &sslPolicy),
+ t, "google_compute_ssl_policy.post_quantum_key_exchange", &sslPolicy),
 resource.TestCheckResourceAttr(
- "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFAULT"),
+ "google_compute_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", "DEFAULT"),
 ),
 },
 {
- ResourceName: "google_compute_ssl_policy.post_quantum",
+ ResourceName: "google_compute_ssl_policy.post_quantum_key_exchange",
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -240,13 +244,13 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) { Config: testAccComputeSslPostQuantum(sslPolicyName, "ENABLED"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeSslPolicyExists( - t, "google_compute_ssl_policy.post_quantum", &sslPolicy), + t, "google_compute_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( - "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "ENABLED"), + "google_compute_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", "ENABLED"), ), }, { - ResourceName: "google_compute_ssl_policy.post_quantum", + ResourceName: "google_compute_ssl_policy.post_quantum_key_exchange", ImportState: true, ImportStateVerify: true, }, @@ -254,13 +258,13 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) { Config: testAccComputeSslPostQuantum(sslPolicyName, "DEFERRED"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeSslPolicyExists( - t, "google_compute_ssl_policy.post_quantum", &sslPolicy), + t, "google_compute_ssl_policy.post_quantum_key_exchange", &sslPolicy), resource.TestCheckResourceAttr( - "google_compute_ssl_policy.post_quantum", "post_quantum_key_exchange", "DEFERRED"), + "google_compute_ssl_policy.post_quantum_key_exchange", "post_quantum_key_exchange", "DEFERRED"), ), }, { - ResourceName: "google_compute_ssl_policy.post_quantum", + ResourceName: "google_compute_ssl_policy.post_quantum_key_exchange", ImportState: true, ImportStateVerify: true, }, @@ -362,7 +366,7 @@ resource "google_compute_ssl_policy" "update" { func testAccComputeSslPostQuantum(resourceName, pqke string) string { return fmt.Sprintf(` -resource "google_compute_ssl_policy" "post_quantum" { +resource "google_compute_ssl_policy" "post_quantum_key_exchange" { name = "%s" profile = "MODERN" min_tls_version = "TLS_1_2" 
diff --git a/mmv1/third_party/terraform/website/docs/d/compute_region_ssl_policy.html.markdown b/mmv1/third_party/terraform/website/docs/d/compute_region_ssl_policy.html.markdown
new file mode 100644
index 000000000000..92e2ba532da5
--- /dev/null
+++ b/mmv1/third_party/terraform/website/docs/d/compute_region_ssl_policy.html.markdown
@@ -0,0 +1,54 @@
+---
+subcategory: "Compute Engine"
+description: |-
+ Gets a Regional SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies.
+---
+
+# google_compute_ssl_policy
+
+Gets a Regional SSL Policy within GCE from its name, for use with Target HTTPS and Target SSL Proxies.
+ For more information see [the official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies).
+
+## Example Usage
+
+```tf
+data "google_compute_region_ssl_policy" "my-ssl-policy" {
+ name = "production-ssl-policy"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the SSL Policy.
+
+- - -
+
+* `region` - (Optional) The region in which the resource belongs. If it
+ is not provided, the provider region is used.
+
+* `project` - (Optional) The ID of the project in which the resource belongs. If it
+ is not provided, the provider project is used.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following attributes are exported:
+
+* `enabled_features` - The set of enabled encryption ciphers as a result of the policy config
+
+* `description` - Description of this SSL Policy.
+
+* `min_tls_version` - The minimum supported TLS version of this policy.
+
+* `post_quantum_key_exchange` - The post-quantum key exchange setting of this policy.
+
+* `profile` - The Google-curated or custom profile used by this policy.
+
+* `custom_features` - If the `profile` is `CUSTOM`, these are the custom encryption
+ ciphers supported by the profile. If the `profile` is *not* `CUSTOM`, this
+ attribute will be empty.
+
+* `fingerprint` - Fingerprint of this resource.
+
+* `self_link` - The URI of the created resource.
\ No newline at end of file
diff --git a/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown b/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown
index bf4efc6f1020..41f29a6b82c9 100644
--- a/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown +++ b/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown @@ -1,7 +1,7 @@ --- subcategory: "Compute Engine" description: |- - Gets an SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. + Gets a Regional SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. --- # google_compute_ssl_policy @@ -38,6 +38,8 @@ In addition to the arguments listed above, the following attributes are exported * `min_tls_version` - The minimum supported TLS version of this policy. +* `post_quantum_key_exchange` - The post-quantum key exchange setting of this policy. + * `profile` - The Google-curated or custom profile used by this policy. * `custom_features` - If the `profile` is `CUSTOM`, these are the custom encryption From 90c19bc3c16a097152cd178f2ce00e5fe879a1d4 Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Mon, 18 May 2026 11:22:03 -0400 Subject: [PATCH 10/17] Fix typo in ssl policy doc --- .../terraform/website/docs/d/compute_ssl_policy.html.markdown | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown b/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown index 41f29a6b82c9..5a2ad5278dd2 100644 --- a/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown +++ b/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown @@ -1,7 +1,7 @@ --- subcategory: "Compute Engine" description: |- - Gets a Regional SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. + Gets an SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. --- # google_compute_ssl_policy 
@@ -38,7 +38,7 @@ In addition to the arguments listed above, the following attributes are exported * `min_tls_version` - The minimum supported TLS version of this policy. -* `post_quantum_key_exchange` - The post-quantum key exchange setting of this policy. +* `post_quantum_key_exchange` - The post-quantum key exchange setting of this * `profile` - The Google-curated or custom profile used by this policy. From c080911879d327f0206c0cbc675f4d154bdfbd8c Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Tue, 19 May 2026 12:57:24 -0400 Subject: [PATCH 11/17] Update names of examples and tests --- mmv1/products/compute/RegionSslPolicy.yaml | 1 - mmv1/products/compute/SslPolicy.yaml | 1 - .../terraform/examples/region_ssl_policy_basic.tf.tmpl | 8 -------- .../examples/region_ssl_policy_post_quantum.tf.tmpl | 7 +++++++ .../templates/terraform/examples/ssl_policy_basic.tf.tmpl | 7 ------- .../terraform/examples/ssl_policy_post_quantum.tf.tmpl | 6 ++++++ .../compute/resource_compute_region_ssl_policy_test.go | 2 +- 7 files changed, 14 insertions(+), 18 deletions(-) create mode 100644 mmv1/templates/terraform/examples/region_ssl_policy_post_quantum.tf.tmpl create mode 100644 mmv1/templates/terraform/examples/ssl_policy_post_quantum.tf.tmpl diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 9cedc65bbbd5..31eec013791c 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml @@ -136,7 +136,6 @@ properties: item_type: type: String - name: 'postQuantumKeyExchange' - api_name: 'postQuantumKeyExchange' type: Enum description: | One of `DEFAULT`, `ENABLED`, or `DEFERRED`. Controls whether the load balancer negotiates diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index 3a5c83634467..51f4b37f481b 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml 
@@ -130,7 +130,6 @@ properties: item_type: type: String - name: 'postQuantumKeyExchange' - api_name: 'postQuantumKeyExchange' type: Enum description: | One of `DEFAULT`, `ENABLED`, or `DEFERRED`. Controls whether the load balancer diff --git a/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl b/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl index e310da3693f8..97489b0c3c54 100644 --- a/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl +++ b/mmv1/templates/terraform/examples/region_ssl_policy_basic.tf.tmpl @@ -3,11 +3,3 @@ resource "google_compute_region_ssl_policy" "region-ssl-policy" { region = "us-central1" profile = "MODERN" } - -resource "google_compute_region_ssl_policy" "region-post-quantum-ssl-policy" { - name = "{{index $.Vars "post_quantum_region_ssl_policy_name"}}" - region = "us-central1" - profile = "MODERN" - min_tls_version = "TLS_1_2" - post_quantum_key_exchange = "ENABLED" -} diff --git a/mmv1/templates/terraform/examples/region_ssl_policy_post_quantum.tf.tmpl b/mmv1/templates/terraform/examples/region_ssl_policy_post_quantum.tf.tmpl new file mode 100644 index 000000000000..259f099db469 --- /dev/null +++ b/mmv1/templates/terraform/examples/region_ssl_policy_post_quantum.tf.tmpl @@ -0,0 +1,7 @@ +resource "google_compute_region_ssl_policy" "post-quantum-region-ssl-policy" { + name = "{{index $.Vars "post_quantum_region_ssl_policy_name"}}" + region = "us-central1" + profile = "MODERN" + min_tls_version = "TLS_1_2" + post_quantum_key_exchange = "ENABLED" +} diff --git a/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl b/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl index 68ddb3060325..e76e691a6d6f 100644 --- a/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl +++ b/mmv1/templates/terraform/examples/ssl_policy_basic.tf.tmpl 
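Review bot: The new example in region_ssl_policy_post_quantum.tf.tmpl sets `post_quantum_key_exchange = "ENABLED"` without saying that this only permits the hybrid group and does not require it. The field description added earlier in this series frames the setting as allowing X25519MLKEM768 when the client advertises support, so clients that do not offer it still complete a classical key exchange; with `min_tls_version = "TLS_1_2"` the same presumably holds for connections that negotiate TLS 1.2, since that group is specified for TLS 1.3. A comment above the attribute, e.g. `# ENABLED allows X25519MLKEM768 when the client offers it; it does not require it.`, would keep readers from treating the example as enforcing post-quantum key exchange. The same comment fits ssl_policy_post_quantum.tf.tmpl.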
@@ -15,10 +15,3 @@ resource "google_compute_ssl_policy" "custom-ssl-policy" { profile = "CUSTOM" custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] } - -resource "google_compute_ssl_policy" "post-quantum-ssl-policy" { - name = "{{index $.Vars "post_quantum_ssl_policy_name"}}" - profile = "MODERN" - min_tls_version = "TLS_1_2" - post_quantum_key_exchange = "ENABLED" -} diff --git a/mmv1/templates/terraform/examples/ssl_policy_post_quantum.tf.tmpl b/mmv1/templates/terraform/examples/ssl_policy_post_quantum.tf.tmpl new file mode 100644 index 000000000000..1064a363d2cd --- /dev/null +++ b/mmv1/templates/terraform/examples/ssl_policy_post_quantum.tf.tmpl @@ -0,0 +1,6 @@ +resource "google_compute_ssl_policy" "post-quantum-ssl-policy" { + name = "{{index $.Vars "post_quantum_ssl_policy_name"}}" + profile = "MODERN" + min_tls_version = "TLS_1_2" + post_quantum_key_exchange = "ENABLED" +} diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go index 563a3e568d37..b11c682c2c9f 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go @@ -218,7 +218,7 @@ func TestAccComputeRegionSslPolicy_postQuantumKeyExchange(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, From 1833a0f44fc133a03ecdb052fa52a2ba1d13c9c5 Mon Sep 17 00:00:00 2001 
From: Jacque Li Date: Tue, 19 May 2026 13:24:46 -0400 Subject: [PATCH 12/17] Include post-quantum examples to ssl policy and region ssl policy resource --- mmv1/products/compute/RegionSslPolicy.yaml | 3 +++ mmv1/products/compute/SslPolicy.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 31eec013791c..37bc5c978215 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml @@ -48,6 +48,9 @@ examples: primary_resource_id: 'region-ssl-policy' vars: region_ssl_policy_name: 'region-ssl-policy' + - name: 'region_ssl_policy_post_quantum' + primary_resource_id: 'post-quantum-region-ssl-policy' + vars: post_quantum_region_ssl_policy_name: 'region-post-quantum-ssl-policy' parameters: - name: 'region' diff --git a/mmv1/products/compute/SslPolicy.yaml b/mmv1/products/compute/SslPolicy.yaml index 51f4b37f481b..2a788246cefa 100644 --- a/mmv1/products/compute/SslPolicy.yaml +++ b/mmv1/products/compute/SslPolicy.yaml @@ -50,6 +50,9 @@ examples: production_ssl_policy_name: 'production-ssl-policy' nonprod_ssl_policy_name: 'nonprod-ssl-policy' custom_ssl_policy_name: 'custom-ssl-policy' + - name: 'ssl_policy_post_quantum' + primary_resource_id: 'post-quantum-ssl-policy' + vars: post_quantum_ssl_policy_name: 'post-quantum-ssl-policy' parameters: properties: From fbb3a38a7da888bbd886326c37a3252bbce28460 Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Tue, 19 May 2026 13:29:06 -0400 Subject: [PATCH 13/17] Update name of region ssl policy in example --- mmv1/products/compute/RegionSslPolicy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 37bc5c978215..6e6886bcdaf3 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml 
@@ -51,7 +51,7 @@ examples: - name: 'region_ssl_policy_post_quantum' primary_resource_id: 'post-quantum-region-ssl-policy' vars: - post_quantum_region_ssl_policy_name: 'region-post-quantum-ssl-policy' + post_quantum_region_ssl_policy_name: 'post_quantum_region_ssl_policy' parameters: - name: 'region' type: ResourceRef From d69668d5483aa7b50e5981258071fa01a862d234 Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Tue, 19 May 2026 13:29:57 -0400 Subject: [PATCH 14/17] Fix typo in ssl policy pqke doc --- .../terraform/website/docs/d/compute_ssl_policy.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown b/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown index 5a2ad5278dd2..9c7be187a2cc 100644 --- a/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown +++ b/mmv1/third_party/terraform/website/docs/d/compute_ssl_policy.html.markdown @@ -38,7 +38,7 @@ In addition to the arguments listed above, the following attributes are exported * `min_tls_version` - The minimum supported TLS version of this policy. -* `post_quantum_key_exchange` - The post-quantum key exchange setting of this +* `post_quantum_key_exchange` - The post-quantum key exchange setting of this policy. * `profile` - The Google-curated or custom profile used by this policy. From 0544df4418dc5031b8f587baa0ee8a70d098b69b Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Tue, 19 May 2026 13:56:58 -0400 Subject: [PATCH 15/17] Change type for ssl policy to match main --- .../services/compute/resource_compute_ssl_policy_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go index f81db3cbdaf3..46215c963b45 100644 
--- a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go +++ b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go @@ -9,7 +9,6 @@ import ( "github.com/hashicorp/terraform-provider-google/google/acctest" tpgcompute "github.com/hashicorp/terraform-provider-google/google/services/compute" transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport" - compute "google.golang.org/api/compute/v0.alpha" ) func TestAccComputeSslPolicy_update(t *testing.T) { @@ -268,7 +267,7 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) { }) } -func testAccCheckComputeSslPolicyExists(t *testing.T, n string, sslPolicy *compute.SslPolicy) resource.TestCheckFunc { +func testAccCheckComputeSslPolicyExists(t *testing.T, n string, sslPolicy *map[string]interface{}) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] if !ok { From 276c8a3cdd07a2ce312803f496addecb8c1a487f Mon Sep 17 00:00:00 2001 From: Jacque Li Date: Wed, 20 May 2026 11:35:18 -0400 Subject: [PATCH 16/17] Fix ssl policy name in region ssl policy example --- mmv1/products/compute/RegionSslPolicy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/products/compute/RegionSslPolicy.yaml b/mmv1/products/compute/RegionSslPolicy.yaml index 6e6886bcdaf3..ba2c6baa83ac 100644 --- a/mmv1/products/compute/RegionSslPolicy.yaml +++ b/mmv1/products/compute/RegionSslPolicy.yaml @@ -51,7 +51,7 @@ examples: - name: 'region_ssl_policy_post_quantum' primary_resource_id: 'post-quantum-region-ssl-policy' vars: - post_quantum_region_ssl_policy_name: 'post_quantum_region_ssl_policy' + post_quantum_region_ssl_policy_name: 'post-quantum-region-ssl-policy' parameters: - name: 'region' type: ResourceRef From a67173ce4e051b68cc47d90fdd39b9eede64db53 Mon Sep 17 00:00:00 2001 
From: Jacque Li Date: Wed, 20 May 2026 13:16:56 -0400 Subject: [PATCH 17/17] Prepend test ssl policy name with '"tf-" --- .../compute/resource_compute_region_ssl_policy_test.go | 8 ++++---- .../services/compute/resource_compute_ssl_policy_test.go | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go index b11c682c2c9f..31dd25a8b45d 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_ssl_policy_test.go @@ -14,7 +14,7 @@ import ( func TestAccComputeRegionSslPolicy_regionInherit(t *testing.T) { t.Parallel() - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, @@ -45,7 +45,7 @@ func TestAccComputeRegionSslPolicy_update(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, @@ -124,7 +124,7 @@ func TestAccComputeRegionSslPolicy_update_to_custom(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, 
@@ -171,7 +171,7 @@ func TestAccComputeRegionSslPolicy_update_from_custom(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go index 46215c963b45..797d46e84102 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go +++ b/mmv1/third_party/terraform/services/compute/resource_compute_ssl_policy_test.go @@ -15,7 +15,7 @@ func TestAccComputeSslPolicy_update(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, @@ -102,7 +102,7 @@ func TestAccComputeSslPolicy_update_to_custom(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, @@ -149,7 +149,7 @@ func TestAccComputeSslPolicy_update_from_custom(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, 
@@ -196,7 +196,7 @@ func TestAccComputeSslPolicy_postQuantumKeyExchange(t *testing.T) { t.Parallel() var sslPolicy map[string]interface{} - sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(t, 10)) + sslPolicyName := fmt.Sprintf("tf-test-ssl-policy-%s", acctest.RandString(t, 10)) acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) },