SWP Policy Rule - Mitigate multiple rules issue (GoogleCloudPlatform#12704)

Samir-Cit · NA2047 · commit a21b0905d24f · 2025-03-13T11:35:50.000-07:00
diff --git a/mmv1/products/networksecurity/GatewaySecurityPolicyRule.yaml b/mmv1/products/networksecurity/GatewaySecurityPolicyRule.yaml
@@ -43,7 +43,7 @@ async:
       delete_minutes: 30
   result:
     resource_inside_response: false
-custom_code:
+mutex: 'gatewaySecurityPolicies/{{gateway_security_policy}}/rules'
 examples:
   - name: 'network_security_gateway_security_policy_rules_basic'
     primary_resource_id: 'default'
diff --git a/mmv1/third_party/terraform/services/networksecurity/resource_network_security_gateway_security_policy_rule_test.go b/mmv1/third_party/terraform/services/networksecurity/resource_network_security_gateway_security_policy_rule_test.go
@@ -48,6 +48,50 @@ func TestAccNetworkSecurityGatewaySecurityPolicyRule_update(t *testing.T) {
 	})
 }
 
+func TestAccNetworkSecurityGatewaySecurityPolicyRule_multiple(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecurityGatewaySecurityPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecurityGatewaySecurityPolicyRule_multiple(context),
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule1",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule2",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule3",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule4",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule5",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccNetworkSecurityGatewaySecurityPolicyRule_basic(gatewaySecurityPolicyName, gatewaySecurityPolicyRuleName string) string {
 	return fmt.Sprintf(`
 resource "google_network_security_gateway_security_policy" "default" {
@@ -92,3 +136,76 @@ resource "google_network_security_gateway_security_policy_rule" "foobar" {
 }
 `, gatewaySecurityPolicyName, gatewaySecurityPolicyRuleName)
 }
+
+func testAccNetworkSecurityGatewaySecurityPolicyRule_multiple(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_network_security_gateway_security_policy" "default" {
+  name        = "tf-test-gateway-sp-%{random_suffix}"
+  location    = "us-central1"
+  description = "gateway security policy created to be used as reference by the rule."
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule1" {
+  name                    = "tf-test-gateway-sp-rule1-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Highest priority rule"
+  priority                = 0
+  session_matcher         = "host() == 'example.com'"
+  application_matcher     = "request.method == 'POST'"
+  basic_profile           = "ALLOW"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule2" {
+  name                    = "tf-test-gateway-sp-rule2-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Rule priority 762"
+  priority                = 762
+  session_matcher         = "host() == 'example.com'"
+  application_matcher     = "request.method == 'GET'"
+  tls_inspection_enabled  = false
+  basic_profile           = "DENY"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule3" {
+  name                    = "tf-test-gateway-sp-rule3-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Rule priority 37961"
+  priority                = 37961
+  session_matcher         = "host() == 'update.com'"
+  application_matcher     = "request.method == 'POST'"
+  basic_profile           = "ALLOW"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule4" {
+  name                    = "tf-test-gateway-sp-rule4-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Rule priority 9572843"
+  priority                = 9572843
+  session_matcher         = "host() == 'update.com'"
+  application_matcher     = "request.method == 'GET'"
+  tls_inspection_enabled  = false
+  basic_profile           = "DENY"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule5" {
+  name                    = "tf-test-gateway-sp-rule5-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Lowest priority rule"
+  priority                = 2147483647
+  session_matcher         = "host() == 'update.com'"
+  application_matcher     = "request.method == 'GET'"
+  tls_inspection_enabled  = false
+  basic_profile           = "DENY"
+}
+`, context)
+}
