Add support for network_firewall_policy_rule and region_network_firew…

…all_policy_rule (GoogleCloudPlatform#6799) Co-authored-by: Ghaleb Al-habian <galhabian@google.com>
googlerjk · Nov 21, 2022 · 6760329 · 6760329
1 parent 2d221a9
commit 6760329
Show file tree

Hide file tree

Showing 13 changed files with 287 additions and 8 deletions.
diff --git a/mmv1/third_party/terraform/go.mod.erb b/mmv1/third_party/terraform/go.mod.erb
@@ -5,7 +5,7 @@ go 1.18
 
 require (
 	cloud.google.com/go/bigtable v1.17.0
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.4
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/client9/misspell v0.3.4
 	github.com/davecgh/go-spew v1.1.1

diff --git a/mmv1/third_party/terraform/go.sum b/mmv1/third_party/terraform/go.sum
@@ -55,8 +55,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0 h1:9RQhnEju2B+3njLTERnIeotRoI3GOQrN7kXA+n3iuJw=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.4 h1:nP8L2TqVbGehmlt6sfYiu4BKE0lJrGW1RrtP9/+FwfY=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.4/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -1301,5 +1301,3 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0 h1:9RQhnEju2B+3njLTERnIeotRoI3GOQrN7kXA+n3iuJw=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
diff --git a/tpgtools/go.mod b/tpgtools/go.mod
@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	bitbucket.org/creachadair/stringset v0.0.9
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.4
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/hcl v1.0.0

diff --git a/tpgtools/go.sum b/tpgtools/go.sum
@@ -35,8 +35,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0 h1:9RQhnEju2B+3njLTERnIeotRoI3GOQrN7kXA+n3iuJw=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.4 h1:nP8L2TqVbGehmlt6sfYiu4BKE0lJrGW1RrtP9/+FwfY=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.26.4/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=

diff --git a/tpgtools/overrides/compute/beta/network_firewall_policy_rule.yaml b/tpgtools/overrides/compute/beta/network_firewall_policy_rule.yaml
@@ -0,0 +1,19 @@
+- type: CUSTOM_RESOURCE_NAME
+  details:
+    title: region_network_firewall_policy_rule
+  location: region
+- type: EXCLUDE
+  field: location
+  location: global
+- type: EXCLUDE
+  field: region
+  location: region
+- type: CUSTOM_NAME
+  details:
+    name: region
+  field: location
+  location: region
+- type: CUSTOM_ID
+  details:
+    id: projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}
+  location: region
diff --git a/tpgtools/overrides/compute/network_firewall_policy_rule.yaml b/tpgtools/overrides/compute/network_firewall_policy_rule.yaml
@@ -0,0 +1,19 @@
+- type: CUSTOM_RESOURCE_NAME
+  details:
+    title: region_network_firewall_policy_rule
+  location: region
+- type: EXCLUDE
+  field: location
+  location: global
+- type: EXCLUDE
+  field: region
+  location: region
+- type: CUSTOM_NAME
+  details:
+    name: region
+  field: location
+  location: region
+- type: CUSTOM_ID
+  details:
+    id: projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}
+  location: region
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl
@@ -0,0 +1,45 @@
+resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
+  name = "{{policy}}"
+  project = "{{project}}"
+  description = "Sample global network firewall policy"
+}
+
+resource "google_compute_network_firewall_policy_rule" "primary" {
+ firewall_policy = google_compute_network_firewall_policy.basic_network_firewall_policy.name
+ action = "allow"
+ direction = "INGRESS"
+ priority = 1000
+ rule_name = "test-rule"
+ description = "This is a simple rule description" 
+match {
+ src_secure_tags {
+ name = "tagValues/${google_tags_tag_value.basic_value.name}"
+ }
+ src_ip_ranges = ["10.100.0.1/32"]
+layer4_configs {
+ip_protocol = "all"
+ }
+ }
+ target_service_accounts = ["{{test_service_account}}"]
+ enable_logging = true
+ disabled = false
+}
+resource "google_compute_network" "basic_network" {
+  name = "{{network}}"
+}
+resource "google_tags_tag_key" "basic_key" {
+  parent = "organizations/{{org_id}}"
+  short_name = "{{tagkey}}"
+  purpose = "GCE_FIREWALL"
+  purpose_data = {
+  network= "{{project}}/${google_compute_network.basic_network.name}"
+  }
+  description = "For keyname resources."
+}
+
+
+resource "google_tags_tag_value" "basic_value" {
+    parent = "tagKeys/${google_tags_tag_key.basic_key.name}"
+    short_name = "{{tagvalue}}"
+    description = "For valuename resources."
+}
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.yaml b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.yaml
@@ -0,0 +1,17 @@
+updates:
+- resource: ./global_update.tf.tmpl
+variables:
+- name: policy
+  type: resource_name
+- name: tagkey 
+  type: resource_name
+- name: tagvalue
+  type: resource_name
+- name: project
+  type: project
+- name: network
+  type: resource_name
+- name: org_id 
+  type: org_id
+- name: test_service_account
+  type: test_service_account
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl
@@ -0,0 +1,45 @@
+resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
+  name = "{{policy}}"
+  project = "{{project}}"
+  description = "Sample global network firewall policy"
+}
+
+resource "google_compute_network_firewall_policy_rule" "primary" {
+ firewall_policy = google_compute_network_firewall_policy.basic_network_firewall_policy.name
+ action = "deny"
+ direction = "EGRESS"
+ priority = 1000
+ rule_name = "updated-test-rule"
+ description = "This is an updated rule description"
+match {
+layer4_configs {
+ip_protocol = "tcp"
+ports = ["123"]
+ }
+ dest_ip_ranges = ["0.0.0.0/0"]
+ }
+  target_secure_tags {
+ name = "tagValues/${google_tags_tag_value.basic_value.name}"
+ }
+ enable_logging = false
+ disabled = true   
+}
+resource "google_compute_network" "basic_network" {
+  name = "{{network}}"
+}
+resource "google_tags_tag_key" "basic_key" {
+  parent = "organizations/{{org_id}}"
+  short_name = "{{tagkey}}"
+  purpose = "GCE_FIREWALL"
+  purpose_data = {
+  network= "{{project}}/${google_compute_network.basic_network.name}"
+  }
+  description = "For keyname resources."
+}
+
+
+resource "google_tags_tag_value" "basic_value" {
+    parent = "tagKeys/${google_tags_tag_key.basic_key.name}"
+    short_name = "{{tagvalue}}"
+    description = "For valuename resources."
+}
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/meta.yaml b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/meta.yaml
@@ -0,0 +1,21 @@
+# meta.yaml
+# this is a shared config file that all the tests merge with
+#
+doc_hide:
+  - global_network_firewall_policy_rule.yaml
+  - basic_regional_network_firewall_policy_rule.yaml
+test_hide:
+  - global_network_firewall_policy_rule.yaml
+  - basic_regional_network_firewall_policy_rule.yaml
+
+doc_hide_conditional:
+  - location: global
+    file_name: regional.tf.tmpl
+  - location: region
+    file_name: global.tf.tmpl
+
+test_hide_conditional:
+  - location: global
+    file_name: regional.tf.tmpl
+  - location: region
+    file_name: global.tf.tmpl
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl
@@ -0,0 +1,48 @@
+resource "google_compute_region_network_firewall_policy" "basic_regional_network_firewall_policy" {
+  name = "{{policy}}"
+  project = "{{project}}"
+  description = "Sample regional network firewall policy"
+  region = "{{region}}"
+}
+
+resource "google_compute_region_network_firewall_policy_rule" "primary" {
+ firewall_policy = google_compute_region_network_firewall_policy.basic_regional_network_firewall_policy.name
+ action = "allow"
+ direction = "INGRESS"
+ priority = 1000
+ rule_name = "test-rule"
+ description = "This is a simple rule description"
+match {
+ src_secure_tags {
+ name = "tagValues/${google_tags_tag_value.basic_value.name}"
+ }
+ src_ip_ranges = ["10.100.0.1/32"]
+layer4_configs {
+ip_protocol = "all"
+ }
+ }
+ target_service_accounts = ["{{test_service_account}}"]
+ region = "{{region}}"
+ enable_logging = true
+ disabled = false
+}
+
+resource "google_compute_network" "basic_network" {
+  name = "{{network}}"
+}
+resource "google_tags_tag_key" "basic_key" {
+  parent = "organizations/{{org_id}}"
+  short_name = "{{tagkey}}"
+  purpose = "GCE_FIREWALL"
+  purpose_data = {
+  network= "{{project}}/${google_compute_network.basic_network.name}"
+  }
+  description = "For keyname resources."
+}
+
+
+resource "google_tags_tag_value" "basic_value" {
+    parent = "tagKeys/${google_tags_tag_key.basic_key.name}"
+    short_name = "{{tagvalue}}"
+    description = "For valuename resources."
+}
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.yaml b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.yaml
@@ -0,0 +1,19 @@
+updates:
+- resource: ./regional_update.tf.tmpl
+variables:
+- name: policy
+  type: resource_name
+- name: project
+  type: project
+- name: region 
+  type: region
+- name: tagkey
+  type: resource_name
+- name: tagvalue
+  type: resource_name
+- name: network
+  type: resource_name
+- name: org_id
+  type: org_id
+- name: test_service_account
+  type: test_service_account
diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl
@@ -0,0 +1,48 @@
+resource "google_compute_region_network_firewall_policy" "basic_regional_network_firewall_policy" {
+  name = "{{policy}}"
+  project = "{{project}}"
+  description = "Sample regional network firewall policy"
+  region = "{{region}}"
+}
+
+resource "google_compute_region_network_firewall_policy_rule" "primary" {
+ firewall_policy = google_compute_region_network_firewall_policy.basic_regional_network_firewall_policy.name
+ action = "deny"
+ direction = "EGRESS"
+ priority = 1000
+ rule_name = "updated-test-rule"
+ description = "This is an updated rule description"
+match {
+layer4_configs {
+ip_protocol = "tcp"
+ports = ["123"]
+ }
+ dest_ip_ranges = ["0.0.0.0/0"]
+ }
+  target_secure_tags {
+ name = "tagValues/${google_tags_tag_value.basic_value.name}"
+ }
+ region = "{{region}}"
+ enable_logging = false
+ disabled = true  
+}
+
+resource "google_compute_network" "basic_network" {
+  name = "{{network}}"
+}
+resource "google_tags_tag_key" "basic_key" {
+  parent = "organizations/{{org_id}}"
+  short_name = "{{tagkey}}"
+  purpose = "GCE_FIREWALL"
+  purpose_data = {
+  network= "{{project}}/${google_compute_network.basic_network.name}"
+  }
+  description = "For keyname resources."
+}
+
+
+resource "google_tags_tag_value" "basic_value" {
+    parent = "tagKeys/${google_tags_tag_key.basic_key.name}"
+    short_name = "{{tagvalue}}"
+    description = "For valuename resources."
+}