Add new compute-network-firewall-policy-with-rules resource

mihhalj · mihhalj · commit 29fcf77351c6 · 2024-08-26T10:36:07.000Z
diff --git a/mmv1/products/compute/NetworkFirewallPolicyWithRules.yaml b/mmv1/products/compute/NetworkFirewallPolicyWithRules.yaml
diff --git a/mmv1/templates/terraform/constants/firewall.erb b/mmv1/templates/terraform/constants/firewall.erb
@@ -111,4 +111,4 @@ func diffSuppressSourceRanges(k, old, new string, d *schema.ResourceData) bool {
 	}
 	// For any other source_ranges value diff, don't suppress
 	return false
-}
+}
diff --git a/mmv1/templates/terraform/constants/resource_compute_network_firewall_policy_with_rules.go.erb b/mmv1/templates/terraform/constants/resource_compute_network_firewall_policy_with_rules.go.erb
@@ -0,0 +1,54 @@
+func networkFirewallPolicyWithRulesConvertPriorityToInt(v interface {}) (int64, error) {
+  if strVal, ok := v.(string); ok {
+		if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+			return intVal, nil
+		}
+	}
+
+  if intVal, ok := v.(int64); ok {
+    return intVal, nil
+  }
+
+  if floatVal, ok := v.(float64); ok {
+ 	  intVal := int64(floatVal)
+ 	  return intVal, nil
+ 	}
+
+  return 0, fmt.Errorf("Incorrect rule priority: %s. Priority must be a number", v)
+}
+
+func  networkFirewallPolicyWithRulesIsPredefinedRule(rule map[string]interface{}) (bool, error) {
+  // Priorities from 2147483548 to 2147483647 are reserved and cannot be modified by the user.
+  const ReservedPriorityStart = 2147483548
+
+  priority := rule["priority"]
+  priorityInt, err :=  networkFirewallPolicyWithRulesConvertPriorityToInt(priority)
+
+  if err != nil {
+      return false, err
+    }
+
+  return priorityInt >= ReservedPriorityStart, nil
+
+}
+
+func  networkFirewallPolicyWithRulesSplitPredefinedRules(allRules []interface{}) ([]interface{}, []interface{}, error) {
+	predefinedRules := make([]interface{}, 0)
+	rules := make([]interface{}, 0)
+
+	for _, rule := range allRules {
+	  isPredefined, err :=  networkFirewallPolicyWithRulesIsPredefinedRule(rule.(map[string]interface{}))
+	  if err != nil {
+	    return nil, nil, err
+	  }
+
+		if isPredefined {
+		 predefinedRules = append(predefinedRules, rule)
+		} else {
+			rules = append(rules, rule)
+		}
+	}
+
+  return rules, predefinedRules, nil
+}
+
diff --git a/mmv1/templates/terraform/decoders/resource_compute_network_firewall_policy_with_rules.go.erb b/mmv1/templates/terraform/decoders/resource_compute_network_firewall_policy_with_rules.go.erb
@@ -0,0 +1,16 @@
+rules, predefinedRules, err := networkFirewallPolicyWithRulesSplitPredefinedRules(res["rules"].([]interface{}))
+
+if err != nil {
+	return nil, fmt.Errorf("Error occurred while splitting pre-defined rules: %s", err)
+}
+
+res["rules"] = rules
+res["predefinedRules"] = predefinedRules
+
+config := meta.(*transport_tpg.Config)
+
+if err := d.Set("predefined_rules", flattenComputeNetworkFirewallPolicyWithRulesPredefinedRules(predefinedRules, d, config)); err != nil {
+	return nil, fmt.Errorf("Error occurred while setting pre-defined rules: %s", err)
+}
+
+return res, nil
diff --git a/mmv1/templates/terraform/encoders/resource_compute_network_firewall_policy_with_rules.go.erb b/mmv1/templates/terraform/encoders/resource_compute_network_firewall_policy_with_rules.go.erb
@@ -0,0 +1,3 @@
+delete(obj, "rules") // Rules are not supported in the create API 
+return obj, nil
+
diff --git a/mmv1/templates/terraform/examples/compute_network_firewall_policy_with_rules_full.tf.erb b/mmv1/templates/terraform/examples/compute_network_firewall_policy_with_rules_full.tf.erb
@@ -0,0 +1,134 @@
+data "google_project" "project" {
+  provider = google-beta
+}
+
+resource "google_compute_network_firewall_policy_with_rules" "<%= ctx[:primary_resource_id] %>" {
+  name = "<%= ctx[:vars]['policy_name'] %>"
+  description = "Terraform test"
+  provider = google-beta
+
+  rule {
+    description    = "tcp rule"
+    priority       = 1000
+    enable_logging = true
+    action         = "allow"
+    direction      = "EGRESS"
+    match {
+      layer4_config {
+        ip_protocol = "tcp"
+        ports       = [8080, 7070]
+      }
+      dest_ip_ranges = ["11.100.0.1/32"]
+      dest_fqdns = ["www.yyy.com", "www.zzz.com"]
+      dest_region_codes = ["HK", "IN"]
+      dest_threat_intelligences = ["iplist-search-engines-crawlers", "iplist-tor-exit-nodes"]
+      dest_address_groups = [google_network_security_address_group.address_group_1.id]
+    }
+    target_secure_tag {
+      name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+    }
+  }
+  rule {
+      description    = "udp rule"
+      priority       = 2000
+      enable_logging = false
+      action         = "deny"
+      direction      = "INGRESS"
+      match {
+        layer4_config {
+          ip_protocol = "udp"
+        }
+        src_ip_ranges = ["0.0.0.0/0"]
+        src_fqdns = ["www.abc.com", "www.def.com"]
+        src_region_codes = ["US", "CA"]
+        src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-public-clouds"]
+        src_address_groups = [google_network_security_address_group.address_group_1.id]
+        src_secure_tag {
+          name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+        }
+      }
+      disabled = true
+    }
+  rule {
+    description    = "default egress rule"
+    priority       = 2147483644
+    enable_logging = false
+    action         = "goto_next"
+    direction      = "EGRESS"
+    match {
+      layer4_config {
+        ip_protocol = "all"
+      }
+      dest_ip_ranges = ["::/0"]
+    }
+  }
+  rule {
+    description    = "default ingress rule"
+    priority       = 2147483645
+    enable_logging = false
+    action         = "goto_next"
+    direction      = "INGRESS"
+    match {
+      layer4_config {
+        ip_protocol = "all"
+      }
+      src_ip_ranges = ["::/0"]
+    }
+  }
+  rule {
+    description    = "default egress rule"
+    priority       = 2147483646
+    enable_logging = false
+    action         = "goto_next"
+    direction      = "EGRESS"
+    match {
+      layer4_config {
+        ip_protocol = "all"
+      }
+      dest_ip_ranges = ["0.0.0.0/0"]
+    }
+  }
+  rule {
+    description    = "default ingress rule"
+    priority       = 2147483647
+    enable_logging = false
+    action         = "goto_next"
+    direction      = "INGRESS"
+    match {
+      layer4_config {
+        ip_protocol = "all"
+      }
+      src_ip_ranges = ["0.0.0.0/0"]
+    }
+  }
+}
+
+resource "google_network_security_address_group" "address_group_1" {
+  provider    = google-beta
+  name        = "address-group-1"
+  parent      = "projects/${data.google_project.project.name}"
+  description = "Global address group"
+  location    = "global"
+  items       = ["208.80.154.224/32"]
+  type        = "IPV4"
+  capacity    = 100
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+  provider    = google-beta
+  description = "Tag key"
+  parent      = "projects/${data.google_project.project.name}"
+  purpose     = "GCE_FIREWALL"
+  short_name  = "tag-key"
+  purpose_data = {
+    network = "${data.google_project.project.name}/default"
+  }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+  provider    = google-beta
+  description = "Tag value"
+  parent      = "tagKeys/${google_tags_tag_key.secure_tag_key_1.name}"
+  short_name  = "tag-value"
+}
+
diff --git a/mmv1/templates/terraform/post_create/resource_compute_network_firewall_policy_with_rules.go.erb b/mmv1/templates/terraform/post_create/resource_compute_network_firewall_policy_with_rules.go.erb
@@ -0,0 +1,31 @@
+log.Printf("[DEBUG] Post-create for NetworkFirewallPolicyWithRules %q", d.Id())
+
+url, err = tpgresource.ReplaceVarsForId(d, config, "{{ComputeBasePath}}projects/{{project}}/global/firewallPolicies/{{name}}")
+if err != nil {
+  return err
+}
+
+headers = make(http.Header)
+res, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+  Config:    config,
+	Method:    "GET",
+	Project:   billingProject,
+	RawURL:    url,
+	UserAgent: userAgent,
+	Headers:   headers,
+})
+if err != nil {
+ return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("ComputeNetworkFirewallPolicyWithRules %q", d.Id()))
+}
+
+if err := d.Set("fingerprint", flattenComputeNetworkFirewallPolicyWithRulesFingerprint(res["fingerprint"], d, config)); err != nil {
+  return fmt.Errorf("Error reading NetworkFirewallPolicyWithRules: %s", err)
+}
+
+res, err = resourceComputeNetworkFirewallPolicyWithRulesDecoder(d, meta, res)
+if err != nil {
+	return err
+}
+
+log.Printf("[DEBUG] Updating NetworkFirewallPolicyWithRules %q", d.Id())
+return resourceComputeNetworkFirewallPolicyWithRulesUpdate(d, meta)
diff --git a/mmv1/templates/terraform/update_encoder/resource_compute_network_firewall_policy_with_rules.go.erb b/mmv1/templates/terraform/update_encoder/resource_compute_network_firewall_policy_with_rules.go.erb
@@ -0,0 +1,15 @@
+config := meta.(*transport_tpg.Config)
+
+predefinedRulesProp, err := expandComputeNetworkFirewallPolicyWithRulesRule(d.Get("predefined_rules"), d, config)
+if err != nil {
+  return nil, err
+}
+
+rules := obj["rules"].([]interface{})
+obj["rules"] = append(rules, predefinedRulesProp)
+
+return obj, nil
+
+
+
+
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_network_firewall_policy_with_rules_test.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_network_firewall_policy_with_rules_test.go.erb

Original file line number	Diff line number	Diff line change
`@@ -111,4 +111,4 @@ func diffSuppressSourceRanges(k, old, new string, d *schema.ResourceData) bool {`
`111`	`111`	`}`
`112`	`112`	`// For any other source_ranges value diff, don't suppress`
`113`	`113`	`return false`
`114`		`-}`
	`114`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+delete(obj, "rules") // Rules are not supported in the create API`
	`2`	`+return obj, nil`
	`3`	`+`