Add support for updating server TLS policy via PATCH

gservat · Gonzalo Servat · commit bd9a48c73486 · 2024-07-18T00:54:08.000+10:00
diff --git a/mmv1/products/compute/RegionTargetHttpsProxy.yaml b/mmv1/products/compute/RegionTargetHttpsProxy.yaml
@@ -204,3 +204,8 @@ properties:
       INTERNAL_SELF_MANAGED and which with EXTERNAL, EXTERNAL_MANAGED
       loadBalancingScheme consult ServerTlsPolicy documentation.
       If left blank, communications are not encrypted.
+    update_id: 'serverTlsPolicy'
+    fingerprint_name: 'fingerprint'
+    update_verb: :PATCH
+    update_url:
+      'projects/{{project}}/regions/{{region}}/targetHttpsProxies/{{name}}'
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_target_https_proxy_test.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_region_target_https_proxy_test.go.erb
@@ -387,6 +387,9 @@ func TestAccComputeRegionTargetHttpsProxy_addSslPolicy_withForwardingRule(t *tes
 func testAccComputeRegionTargetHttpsProxy_withForwardingRule(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_compute_forwarding_rule" "default-https" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   project               = "%{project_id}"
   region                = "us-central1"
   name                  = "https-frwd-rule-%{resource_suffix}"
@@ -402,6 +405,9 @@ resource "google_compute_forwarding_rule" "default-https" {
 }
 
 resource "google_compute_region_backend_service" "default" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   project               = "%{project_id}"
   region                = "us-central1"
   name                  = "backend-service-%{resource_suffix}"
@@ -412,7 +418,7 @@ resource "google_compute_region_backend_service" "default" {
   health_checks         = [google_compute_region_health_check.default.self_link]
   locality_lb_policy    = "RING_HASH"
 
-  # webscoket handling: https://stackoverflow.com/questions/63822612/websocket-connection-being-closed-on-google-compute-engine
+  # websocket handling: https://stackoverflow.com/questions/63822612/websocket-connection-being-closed-on-google-compute-engine
   timeout_sec = 600
 
   consistent_hash {
@@ -436,6 +442,9 @@ resource "google_compute_region_backend_service" "default" {
 }
 
 resource "google_compute_region_health_check" "default" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   project             = "%{project_id}"
   region              = "us-central1"
   name                = "hc-%{resource_suffix}"
@@ -451,6 +460,9 @@ resource "google_compute_region_health_check" "default" {
 }
 
 resource "google_compute_region_target_https_proxy" "default-https" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   project          = "%{project_id}"
   region           = "us-central1"
   name             = "https-proxy-%{resource_suffix}"
@@ -459,32 +471,47 @@ resource "google_compute_region_target_https_proxy" "default-https" {
 }
 
 resource "google_compute_region_url_map" "default-https" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   project         = "%{project_id}"
   region          = "us-central1"
   name            = "lb-%{resource_suffix}"
   default_service = google_compute_region_backend_service.default.id
 }
 
 resource "google_compute_region_ssl_certificate" "foobar0" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   name        = "httpsproxy-test-cert0-%{resource_suffix}"
   description = "very descriptive"
   private_key = file("test-fixtures/test.key")
   certificate = file("test-fixtures/test.crt")
 }
 
 resource "google_compute_network" "ilb_network" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   name                    = "tf-test-l4-ilb-network-%{resource_suffix}"
   auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "ilb_subnet" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   name          = "tf-test-l4-ilb-subnet-%{resource_suffix}"
   ip_cidr_range = "10.0.1.0/24"
   region        = "us-central1"
   network       = google_compute_network.ilb_network.id
 }
 
 resource "google_compute_subnetwork" "ilb_subnet2" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   name          = "tf-test-l4-ilb-subnet2-%{resource_suffix}"
 	ip_cidr_range = "10.142.0.0/20"
   region        = "us-central1"
@@ -494,6 +521,9 @@ resource "google_compute_subnetwork" "ilb_subnet2" {
 }
 
 resource "google_compute_address" "consumer_address" {
+<% unless version == 'ga' -%>
+  provider = google-beta
+<% end -%>
   name         = "tf-test-website-ip-%{resource_suffix}-1"
   region       = "us-central1"
   subnetwork   = google_compute_subnetwork.ilb_subnet.id
@@ -530,7 +560,7 @@ resource "google_compute_region_backend_service" "default" {
   health_checks         = [google_compute_region_health_check.default.self_link]
   locality_lb_policy    = "RING_HASH"
 
-  # webscoket handling: https://stackoverflow.com/questions/63822612/websocket-connection-being-closed-on-google-compute-engine
+  # websocket handling: https://stackoverflow.com/questions/63822612/websocket-connection-being-closed-on-google-compute-engine
   timeout_sec = 600
 
   consistent_hash {
@@ -629,3 +659,215 @@ resource "google_compute_address" "consumer_address" {
 }
 `, context)
 }
+
+<% unless version == 'ga' -%>
+
+func TestAccComputeRegionTargetHttpsProxy_addServerTlsPolicy_withForwardingRule(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"resource_suffix": acctest.RandString(t, 10),
+		"project_id":      envvar.GetTestProjectFromEnv(),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckComputeTargetHttpsProxyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionTargetHttpsProxy_withForwardingRule(context),
+			},
+			{
+				ResourceName:      "google_compute_region_target_https_proxy.default-https",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccComputeRegionTargetHttpsProxy_withForwardingRule_withServerTlsPolicy(context),
+			},
+			{
+				ResourceName:      "google_compute_region_target_https_proxy.default-https",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccComputeRegionTargetHttpsProxy_withForwardingRule_withServerTlsPolicy(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+
+data "google_project" "project" {
+  provider   = google-beta
+  project_id = "%{project_id}"
+}
+
+resource "google_compute_forwarding_rule" "default-https" {
+  provider = google-beta
+
+  project               = "%{project_id}"
+  region                = "us-central1"
+  name                  = "https-frwd-rule-%{resource_suffix}"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  target                = google_compute_region_target_https_proxy.default-https.self_link
+  network               = google_compute_network.ilb_network.name
+  subnetwork            = google_compute_subnetwork.ilb_subnet.name
+  ip_address            = google_compute_address.consumer_address.id
+  ip_protocol           = "TCP"
+  port_range            = "443"
+  allow_global_access   = "true"
+  depends_on            = [google_compute_subnetwork.ilb_subnet2]
+}
+
+resource "google_compute_region_backend_service" "default" {
+  provider = google-beta
+
+  project               = "%{project_id}"
+  region                = "us-central1"
+  name                  = "backend-service-%{resource_suffix}"
+  protocol              = "HTTPS"
+  port_name             = "https-server"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  session_affinity      = "HTTP_COOKIE"
+  health_checks         = [google_compute_region_health_check.default.self_link]
+  locality_lb_policy    = "RING_HASH"
+
+  # websocket handling: https://stackoverflow.com/questions/63822612/websocket-connection-being-closed-on-google-compute-engine
+  timeout_sec = 600
+
+  consistent_hash {
+    http_cookie {
+      ttl {
+        # 24hr cookie ttl
+        seconds = 86400
+        nanos   = null
+      }
+      name = "X-CLIENT-SESSION"
+      path = null
+    }
+    http_header_name  = null
+    minimum_ring_size = 1024
+  }
+
+  log_config {
+    enable      = true
+    sample_rate = 1.0
+  }
+}
+
+resource "google_compute_region_health_check" "default" {
+  provider = google-beta
+
+  project             = "%{project_id}"
+  region              = "us-central1"
+  name                = "hc-%{resource_suffix}"
+  timeout_sec         = 5
+  check_interval_sec  = 30
+  healthy_threshold   = 3
+  unhealthy_threshold = 3
+
+  https_health_check {
+    port         = 443
+    request_path = "/health"
+  }
+}
+
+resource "google_compute_region_target_https_proxy" "default-https" {
+  provider = google-beta
+
+  project           = "%{project_id}"
+  region            = "us-central1"
+  name              = "https-proxy-%{resource_suffix}"
+  url_map           = google_compute_region_url_map.default-https.self_link
+  ssl_certificates  = [google_compute_region_ssl_certificate.foobar0.self_link]
+  server_tls_policy = google_network_security_server_tls_policy.default.id
+}
+
+resource "google_certificate_manager_trust_config" "default" {
+  provider = google-beta
+
+  project     = "%{project_id}"
+  location    = "us-central1"
+  name        = "trust-config-%{resource_suffix}"
+
+  trust_stores {
+    trust_anchors {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+    intermediate_cas {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+  }
+}
+
+resource "google_network_security_server_tls_policy" "default" {
+  provider = google-beta
+
+  project    = "%{project_id}"
+  location   = "us-central1"
+  name       = "tls-policy-%{resource_suffix}"
+  allow_open = "false"
+  mtls_policy {
+    client_validation_mode = "REJECT_INVALID"
+    client_validation_trust_config = "projects/${data.google_project.project.number}/locations/us-central1/trustConfigs/${google_certificate_manager_trust_config.default.name}"
+  }
+}
+
+resource "google_compute_region_url_map" "default-https" {
+  provider = google-beta
+
+  project         = "%{project_id}"
+  region          = "us-central1"
+  name            = "lb-%{resource_suffix}"
+  default_service = google_compute_region_backend_service.default.id
+}
+
+resource "google_compute_region_ssl_certificate" "foobar0" {
+  provider = google-beta
+
+  name        = "httpsproxy-test-cert0-%{resource_suffix}"
+  description = "very descriptive"
+  private_key = file("test-fixtures/test.key")
+  certificate = file("test-fixtures/test.crt")
+}
+
+resource "google_compute_network" "ilb_network" {
+  provider = google-beta
+
+  name                    = "tf-test-l4-ilb-network-%{resource_suffix}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "ilb_subnet" {
+  provider = google-beta
+
+  name          = "tf-test-l4-ilb-subnet-%{resource_suffix}"
+  ip_cidr_range = "10.0.1.0/24"
+  region        = "us-central1"
+  network       = google_compute_network.ilb_network.id
+}
+
+resource "google_compute_subnetwork" "ilb_subnet2" {
+  provider = google-beta
+
+  name          = "tf-test-l4-ilb-subnet2-%{resource_suffix}"
+	ip_cidr_range = "10.142.0.0/20"
+  region        = "us-central1"
+  purpose       = "REGIONAL_MANAGED_PROXY"
+  role          = "ACTIVE"
+  network       = google_compute_network.ilb_network.id
+}
+
+resource "google_compute_address" "consumer_address" {
+  provider = google-beta
+
+  name         = "tf-test-website-ip-%{resource_suffix}-1"
+  region       = "us-central1"
+  subnetwork   = google_compute_subnetwork.ilb_subnet.id
+  address_type = "INTERNAL"
+}
+`, context)
+}
+
+<% end -%>
