Add new compute-network-firewall-policy-with-rules resource

[mihhalj]

Add a new resource to allow updating all rules in network firewall policy at once.

Fixes
hashicorp/terraform-provider-google#19195

Release Note Template for Downstream PRs (will be copied)

`google_compute_network_firewall_policy_with_rules` (beta)

[github-actions]

Hello! I am a robot. Tests will require approval from a repository maintainer to run.

@NickElliot, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 2 files changed, 608 insertions(+))
google-beta provider: Diff ( 6 files changed, 3167 insertions(+), 2 deletions(-))
terraform-google-conversion: Diff ( 1 file changed, 541 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_compute_network_firewall_policy_with_rules (3 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_compute_network_firewall_policy_with_rules" "primary" {
  rule {
    rule_name               = # value needed
    security_profile_group  = # value needed
    target_service_accounts = # value needed
    tls_inspect             = # value needed
  }
}

[modular-magician]

Tests analytics

Total tests: 990
Passed tests: 911
Skipped tests: 77
Affected tests: 2

Click here to see the affected service packages

• compute

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccComputeNetworkFirewallPolicyWithRules_computeNetworkFirewallPolicyWithRulesFullExample
• TestAccComputeNetworkFirewallPolicyWithRules_update

Get to know how VCR tests work

[modular-magician]

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccComputeNetworkFirewallPolicyWithRules_computeNetworkFirewallPolicyWithRulesFullExample[Error message] [Debug log]
TestAccComputeNetworkFirewallPolicyWithRules_update[Error message] [Debug log]

$\textcolor{red}{\textsf{Errors occurred during RECORDING mode. Please fix them to complete your PR.}}$

View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 2 files changed, 637 insertions(+))
google-beta provider: Diff ( 6 files changed, 3286 insertions(+), 2 deletions(-))
terraform-google-conversion: Diff ( 1 file changed, 541 insertions(+))

[modular-magician]

Tests analytics

Total tests: 991
Passed tests: 910
Skipped tests: 77
Affected tests: 4

Click here to see the affected service packages

• compute

Action taken

Found 4 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccComputeInstanceTemplate_withNamePrefix
• TestAccComputeNetworkFirewallPolicyWithRules_computeNetworkFirewallPolicyWithRulesFullExample
• TestAccComputeNetworkFirewallPolicyWithRules_update
• TestAccComputeTargetHttpsProxy_update

Get to know how VCR tests work

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccComputeInstanceTemplate_withNamePrefix[Debug log]
TestAccComputeNetworkFirewallPolicyWithRules_computeNetworkFirewallPolicyWithRulesFullExample[Debug log]
TestAccComputeNetworkFirewallPolicyWithRules_update[Debug log]
TestAccComputeTargetHttpsProxy_update[Debug log]
$\textcolor{red}{\textsf{Tests failed when rerunning REPLAYING mode:}}$
TestAccComputeInstanceTemplate_withNamePrefix[Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.

---

$\textcolor{green}{\textsf{All tests passed!}}$

View the build log or the debug log for each test

[mihhalj]

Could I ask fro review?
I ran my tests locally and they pass - not sure why TestReadPlannedAssetsCoverage* tests and VCR-test are failing.

[github-actions]

@NickElliot This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

[NickElliot]

hi, a couple formatting changes needed

could you link me some of the public documentation on the resource?

[mihhalj]

hi, a couple formatting changes needed

could you link me some of the public documentation on the resource?

Docs:
https://cloud.google.com/firewall/docs/network-firewall-policies
https://cloud.google.com/compute/docs/reference/rest/v1/networkFirewallPolicies

For firewall policy there's a terraform resource (not possible to set rules):
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy

And the rules in firewall policy can be configured using:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_network_firewall_policy_rule

The new google_compute_network_firewall_policy_with_rules would allow a user to configure firewall policy with all rules (it was suggested by rileykarson to create a new resource to handle it).

There are similar PRs for regional and org firewall policies:

• Add new compute-firewall-policy-with-rules resource #11525
• Add new compute-region-network-firewall-policy-with-rules resource #11526

[github-actions]

@NickElliot This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 2 files changed, 637 insertions(+))
google-beta provider: Diff ( 6 files changed, 3286 insertions(+), 2 deletions(-))
terraform-google-conversion: Diff ( 1 file changed, 541 insertions(+))

[modular-magician]

Tests analytics

Total tests: 868
Passed tests: 789
Skipped tests: 77
Affected tests: 2

Click here to see the affected service packages

• compute

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccComputeInstanceTemplate_withNamePrefix
• TestAccComputeRegionPerInstanceConfig_removeInstanceOnDestroy

Get to know how VCR tests work

[modular-magician]

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccComputeInstanceTemplate_withNamePrefix[Debug log]
TestAccComputeRegionPerInstanceConfig_removeInstanceOnDestroy[Debug log]
$\textcolor{red}{\textsf{Tests failed when rerunning REPLAYING mode:}}$
TestAccComputeInstanceTemplate_withNamePrefix[Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.

---

$\textcolor{green}{\textsf{All tests passed!}}$

View the build log or the debug log for each test

[NickElliot]

LGTM

[joekohlsdorf]

@mihhalj I have experimented with the new resource a little bit, it isn't great.

Adding a new rule between existing rules yields a plan which recreates all the rules following the new addition. The same happens when deleting a rule when multiple rules exist.
I haven't been able to verify it but when applying this it might even temporarily remove existing firewall while rules are reshuffled causing outages.

[mihhalj]

@mihhalj I have experimented with the new resource a little bit, it isn't great.

Adding a new rule between existing rules yields a plan which recreates all the rules following the new addition. The same happens when deleting a rule when multiple rules exist. I haven't been able to verify it but when applying this it might even temporarily remove existing firewall while rules are reshuffled causing outages.

joekohlsdorf Thanks for testing and You're right - using this resource when you update/remove/add even only one rule it results in updating all rules - the main goal for this resource is to be able to change many rules at once - it either succeeds and all the rules are updated or it fails and none of the rules are not updated - for example if one of the rule is invalid then the firewall policy won't be updated (there won't be a situation where valid rules are updated and invalid not).

Compare it to the case when you use compute_network_firewall_policy_rule resources for your rules - valid rules will be configured and the invalid not.