hashicorp
diff --git a/‎.changelog/12903.txt
+3 b/‎.changelog/12903.txt
+3
diff --git a/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go
+50 b/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go
+50
diff --git a/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_generated_meta.yaml
+1 b/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_generated_meta.yaml
+1
diff --git a/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy.go
+50 b/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy.go
+50
diff --git a/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy_generated_meta.yaml
+1 b/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy_generated_meta.yaml
+1
diff --git a/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go
+48 b/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go
+48
diff --git a/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_generated_meta.yaml
+1 b/‎google-beta/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_generated_meta.yaml
+1
@@ -0,0 +1,3 @@
+```release-note:enhancement
+accesscontextmanager: added `etag` to access context manager directional policy resources to prevent overriding changes
+```
@@ -309,6 +309,11 @@ the perimeter.`,
 				Computed:    true,
 				Description: `The name of the Access Policy this resource belongs to.`,
 			},
+			"etag": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `The perimeter etag is internally used to prevent overwriting the list of policies on PATCH calls. It is retrieved from the same GET perimeter API call that's used to get the current list of policies. The policy defined in this resource is added or removed from that list, and then this etag is sent with the PATCH call along with the updated policies.`,
+			},
 		},
 		UseJSONNumber: true,
 	}
@@ -377,6 +382,22 @@ func resourceAccessContextManagerServicePerimeterDryRunEgressPolicyCreate(d *sch
 
 	headers := make(http.Header)
 	obj["use_explicit_dry_run_spec"] = true
+
+	etag := d.Get("etag").(string)
+
+	if etag == "" {
+		log.Printf("[ERROR] Unable to get etag: %s", err)
+		return nil
+	}
+	obj["etag"] = etag
+
+	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+	// won't set it
+	updateMask := []string{"spec.egressPolicies", "etag"}
+	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "PATCH",
@@ -474,6 +495,9 @@ func resourceAccessContextManagerServicePerimeterDryRunEgressPolicyRead(d *schem
 	if err != nil {
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerServicePerimeterDryRunEgressPolicy %q", d.Id()))
 	}
+	if err := d.Set("etag", res["etag"]); err != nil {
+		log.Printf("[ERROR] Unable to set etag: %s", err)
+	}
 
 	res, err = flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicy(d, meta, res)
 	if err != nil {
@@ -496,6 +520,9 @@ func resourceAccessContextManagerServicePerimeterDryRunEgressPolicyRead(d *schem
 	if err := d.Set("title", flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyTitle(res["title"], d, config)); err != nil {
 		return fmt.Errorf("Error reading ServicePerimeterDryRunEgressPolicy: %s", err)
 	}
+	if err := d.Set("etag", flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEtag(res["etag"], d, config)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeterDryRunEgressPolicy: %s", err)
+	}
 
 	return nil
 }
@@ -540,6 +567,22 @@ func resourceAccessContextManagerServicePerimeterDryRunEgressPolicyDelete(d *sch
 	headers := make(http.Header)
 	obj["use_explicit_dry_run_spec"] = true
 
+	etag := d.Get("etag").(string)
+
+	if etag == "" {
+		log.Printf("[ERROR] Unable to get etag: %s", err)
+		return nil
+	}
+	obj["etag"] = etag
+
+	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+	// won't set it
+	updateMask := []string{"spec.egressPolicies", "etag"}
+	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
+
 	log.Printf("[DEBUG] Deleting ServicePerimeterDryRunEgressPolicy %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
@@ -750,6 +793,10 @@ func flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyTitle(v
 	return v
 }
 
+func flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEtag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFrom(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -1127,6 +1174,9 @@ func resourceAccessContextManagerServicePerimeterDryRunEgressPolicyListForPatch(
 	if err != nil {
 		return nil, err
 	}
+	if err := d.Set("etag", res["etag"]); err != nil {
+		log.Printf("[ERROR] Unable to set etag: %s", err)
+	}
 	var v interface{}
 	var ok bool
 	if v, ok = res["spec"]; ok && v != nil {
 
@@ -16,6 +16,7 @@ fields:
   - field: 'egress_to.operations.method_selectors.permission'
   - field: 'egress_to.operations.service_name'
   - field: 'egress_to.resources'
+  - field: 'etag'
   - field: 'perimeter'
     provider_only: true
   - field: 'title'
@@ -302,6 +302,11 @@ also matches the 'operations' field.`,
 				Computed:    true,
 				Description: `The name of the Access Policy this resource belongs to.`,
 			},
+			"etag": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `The perimeter etag is internally used to prevent overwriting the list of policies on PATCH calls. It is retrieved from the same GET perimeter API call that's used to get the current list of policies. The policy defined in this resource is added or removed from that list, and then this etag is sent with the PATCH call along with the updated policies.`,
+			},
 		},
 		UseJSONNumber: true,
 	}
@@ -370,6 +375,22 @@ func resourceAccessContextManagerServicePerimeterDryRunIngressPolicyCreate(d *sc
 
 	headers := make(http.Header)
 	obj["use_explicit_dry_run_spec"] = true
+
+	etag := d.Get("etag").(string)
+
+	if etag == "" {
+		log.Printf("[ERROR] Unable to get etag: %s", err)
+		return nil
+	}
+	obj["etag"] = etag
+
+	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+	// won't set it
+	updateMask := []string{"spec.ingressPolicies", "etag"}
+	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "PATCH",
@@ -467,6 +488,9 @@ func resourceAccessContextManagerServicePerimeterDryRunIngressPolicyRead(d *sche
 	if err != nil {
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerServicePerimeterDryRunIngressPolicy %q", d.Id()))
 	}
+	if err := d.Set("etag", res["etag"]); err != nil {
+		log.Printf("[ERROR] Unable to set etag: %s", err)
+	}
 
 	res, err = flattenNestedAccessContextManagerServicePerimeterDryRunIngressPolicy(d, meta, res)
 	if err != nil {
@@ -489,6 +513,9 @@ func resourceAccessContextManagerServicePerimeterDryRunIngressPolicyRead(d *sche
 	if err := d.Set("title", flattenNestedAccessContextManagerServicePerimeterDryRunIngressPolicyTitle(res["title"], d, config)); err != nil {
 		return fmt.Errorf("Error reading ServicePerimeterDryRunIngressPolicy: %s", err)
 	}
+	if err := d.Set("etag", flattenNestedAccessContextManagerServicePerimeterDryRunIngressPolicyEtag(res["etag"], d, config)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeterDryRunIngressPolicy: %s", err)
+	}
 
 	return nil
 }
@@ -533,6 +560,22 @@ func resourceAccessContextManagerServicePerimeterDryRunIngressPolicyDelete(d *sc
 	headers := make(http.Header)
 	obj["use_explicit_dry_run_spec"] = true
 
+	etag := d.Get("etag").(string)
+
+	if etag == "" {
+		log.Printf("[ERROR] Unable to get etag: %s", err)
+		return nil
+	}
+	obj["etag"] = etag
+
+	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+	// won't set it
+	updateMask := []string{"spec.ingressPolicies", "etag"}
+	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
+
 	log.Printf("[DEBUG] Deleting ServicePerimeterDryRunIngressPolicy %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
@@ -731,6 +774,10 @@ func flattenNestedAccessContextManagerServicePerimeterDryRunIngressPolicyTitle(v
 	return v
 }
 
+func flattenNestedAccessContextManagerServicePerimeterDryRunIngressPolicyEtag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandNestedAccessContextManagerServicePerimeterDryRunIngressPolicyIngressFrom(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -1086,6 +1133,9 @@ func resourceAccessContextManagerServicePerimeterDryRunIngressPolicyListForPatch
 	if err != nil {
 		return nil, err
 	}
+	if err := d.Set("etag", res["etag"]); err != nil {
+		log.Printf("[ERROR] Unable to set etag: %s", err)
+	}
 	var v interface{}
 	var ok bool
 	if v, ok = res["spec"]; ok && v != nil {
 
@@ -6,6 +6,7 @@ api_version: 'v1'
 api_resource_type_kind: 'ServicePerimeter'
 fields:
   - field: 'access_policy_id'
+  - field: 'etag'
   - field: 'ingress_from.identities'
   - field: 'ingress_from.identity_type'
   - field: 'ingress_from.sources.access_level'
 
@@ -309,6 +309,11 @@ the perimeter.`,
 				Computed:    true,
 				Description: `The name of the Access Policy this resource belongs to.`,
 			},
+			"etag": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `The perimeter etag is internally used to prevent overwriting the list of policies on PATCH calls. It is retrieved from the same GET perimeter API call that's used to get the current list of policies. The policy defined in this resource is added or removed from that list, and then this etag is sent with the PATCH call along with the updated policies.`,
+			},
 		},
 		UseJSONNumber: true,
 	}
@@ -376,6 +381,21 @@ func resourceAccessContextManagerServicePerimeterEgressPolicyCreate(d *schema.Re
 	}
 
 	headers := make(http.Header)
+	etag := d.Get("etag").(string)
+
+	if etag == "" {
+		log.Printf("[ERROR] Unable to get etag: %s", err)
+		return nil
+	}
+	obj["etag"] = etag
+
+	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+	// won't set it
+	updateMask := []string{"status.egressPolicies", "etag"}
+	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "PATCH",
@@ -473,6 +493,9 @@ func resourceAccessContextManagerServicePerimeterEgressPolicyRead(d *schema.Reso
 	if err != nil {
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerServicePerimeterEgressPolicy %q", d.Id()))
 	}
+	if err := d.Set("etag", res["etag"]); err != nil {
+		log.Printf("[ERROR] Unable to set etag: %s", err)
+	}
 
 	res, err = flattenNestedAccessContextManagerServicePerimeterEgressPolicy(d, meta, res)
 	if err != nil {
@@ -495,6 +518,9 @@ func resourceAccessContextManagerServicePerimeterEgressPolicyRead(d *schema.Reso
 	if err := d.Set("title", flattenNestedAccessContextManagerServicePerimeterEgressPolicyTitle(res["title"], d, config)); err != nil {
 		return fmt.Errorf("Error reading ServicePerimeterEgressPolicy: %s", err)
 	}
+	if err := d.Set("etag", flattenNestedAccessContextManagerServicePerimeterEgressPolicyEtag(res["etag"], d, config)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeterEgressPolicy: %s", err)
+	}
 
 	return nil
 }
@@ -537,6 +563,21 @@ func resourceAccessContextManagerServicePerimeterEgressPolicyDelete(d *schema.Re
 	}
 
 	headers := make(http.Header)
+	etag := d.Get("etag").(string)
+
+	if etag == "" {
+		log.Printf("[ERROR] Unable to get etag: %s", err)
+		return nil
+	}
+	obj["etag"] = etag
+
+	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
+	// won't set it
+	updateMask := []string{"status.egressPolicies", "etag"}
+	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
 
 	log.Printf("[DEBUG] Deleting ServicePerimeterEgressPolicy %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
@@ -748,6 +789,10 @@ func flattenNestedAccessContextManagerServicePerimeterEgressPolicyTitle(v interf
 	return v
 }
 
+func flattenNestedAccessContextManagerServicePerimeterEgressPolicyEtag(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandNestedAccessContextManagerServicePerimeterEgressPolicyEgressFrom(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -1125,6 +1170,9 @@ func resourceAccessContextManagerServicePerimeterEgressPolicyListForPatch(d *sch
 	if err != nil {
 		return nil, err
 	}
+	if err := d.Set("etag", res["etag"]); err != nil {
+		log.Printf("[ERROR] Unable to set etag: %s", err)
+	}
 	var v interface{}
 	var ok bool
 	if v, ok = res["status"]; ok && v != nil {
 
@@ -16,6 +16,7 @@ fields:
   - field: 'egress_to.operations.method_selectors.permission'
   - field: 'egress_to.operations.service_name'
   - field: 'egress_to.resources'
+  - field: 'etag'
   - field: 'perimeter'
     provider_only: true
   - field: 'title'
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+accesscontextmanager: added `etag` to access context manager directional policy resources to prevent overriding changes
	`3`	+```