Support new Network Security Integration security profile types (#12816) (#9110)

[upstream:db31db4510175885374eaa1b051f64396103a02a]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12816.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+networksecurity: added `customMirroringProfile` and `customInterceptProfile` fields to `google_network_security_security_profile` and `google_network_security_security_profile_group`  resources
+```

google-beta/services/networksecurity/resource_network_security_security_profile.go

@@ -65,8 +65,44 @@ func ResourceNetworkSecuritySecurityProfile() *schema.Resource {
 				Type:         schema.TypeString,
 				Required:     true,
 				ForceNew:     true,
-				ValidateFunc: verify.ValidateEnum([]string{"THREAT_PREVENTION"}),
-				Description:  `The type of security profile. Possible values: ["THREAT_PREVENTION"]`,
+				ValidateFunc: verify.ValidateEnum([]string{"THREAT_PREVENTION", "CUSTOM_MIRRORING", "CUSTOM_INTERCEPT"}),
+				Description:  `The type of security profile. Possible values: ["THREAT_PREVENTION", "CUSTOM_MIRRORING", "CUSTOM_INTERCEPT"]`,
+			},
+			"custom_intercept_profile": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Description: `The configuration for defining the Intercept Endpoint Group used to
+intercept traffic to third-party firewall appliances.`,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"intercept_endpoint_group": {
+							Type:     schema.TypeString,
+							Required: true,
+							Description: `The Intercept Endpoint Group to which matching traffic should be intercepted.
+Format: projects/{project_id}/locations/global/interceptEndpointGroups/{endpoint_group_id}`,
+						},
+					},
+				},
+				ConflictsWith: []string{"threat_prevention_profile", "custom_mirroring_profile"},
+			},
+			"custom_mirroring_profile": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Description: `The configuration for defining the Mirroring Endpoint Group used to
+mirror traffic to third-party collectors.`,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"mirroring_endpoint_group": {
+							Type:     schema.TypeString,
+							Required: true,
+							Description: `The Mirroring Endpoint Group to which matching traffic should be mirrored.
+Format: projects/{project_id}/locations/global/mirroringEndpointGroups/{endpoint_group_id}`,
+						},
+					},
+				},
+				ConflictsWith: []string{"threat_prevention_profile", "custom_intercept_profile"},
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -155,6 +191,7 @@ and threat overrides, the threat overrides action is applied.`,
 						},
 					},
 				},
+				ConflictsWith: []string{"custom_mirroring_profile", "custom_intercept_profile"},
 			},
 			"create_time": {
 				Type:        schema.TypeString,
@@ -217,6 +254,18 @@ func resourceNetworkSecuritySecurityProfileCreate(d *schema.ResourceData, meta i
 	} else if v, ok := d.GetOkExists("threat_prevention_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(threatPreventionProfileProp)) && (ok || !reflect.DeepEqual(v, threatPreventionProfileProp)) {
 		obj["threatPreventionProfile"] = threatPreventionProfileProp
 	}
+	customMirroringProfileProp, err := expandNetworkSecuritySecurityProfileCustomMirroringProfile(d.Get("custom_mirroring_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_mirroring_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(customMirroringProfileProp)) && (ok || !reflect.DeepEqual(v, customMirroringProfileProp)) {
+		obj["customMirroringProfile"] = customMirroringProfileProp
+	}
+	customInterceptProfileProp, err := expandNetworkSecuritySecurityProfileCustomInterceptProfile(d.Get("custom_intercept_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_intercept_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(customInterceptProfileProp)) && (ok || !reflect.DeepEqual(v, customInterceptProfileProp)) {
+		obj["customInterceptProfile"] = customInterceptProfileProp
+	}
 	typeProp, err := expandNetworkSecuritySecurityProfileType(d.Get("type"), d, config)
 	if err != nil {
 		return err
@@ -333,6 +382,12 @@ func resourceNetworkSecuritySecurityProfileRead(d *schema.ResourceData, meta int
 	if err := d.Set("threat_prevention_profile", flattenNetworkSecuritySecurityProfileThreatPreventionProfile(res["threatPreventionProfile"], d, config)); err != nil {
 		return fmt.Errorf("Error reading SecurityProfile: %s", err)
 	}
+	if err := d.Set("custom_mirroring_profile", flattenNetworkSecuritySecurityProfileCustomMirroringProfile(res["customMirroringProfile"], d, config)); err != nil {
+		return fmt.Errorf("Error reading SecurityProfile: %s", err)
+	}
+	if err := d.Set("custom_intercept_profile", flattenNetworkSecuritySecurityProfileCustomInterceptProfile(res["customInterceptProfile"], d, config)); err != nil {
+		return fmt.Errorf("Error reading SecurityProfile: %s", err)
+	}
 	if err := d.Set("type", flattenNetworkSecuritySecurityProfileType(res["type"], d, config)); err != nil {
 		return fmt.Errorf("Error reading SecurityProfile: %s", err)
 	}
@@ -369,6 +424,18 @@ func resourceNetworkSecuritySecurityProfileUpdate(d *schema.ResourceData, meta i
 	} else if v, ok := d.GetOkExists("threat_prevention_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, threatPreventionProfileProp)) {
 		obj["threatPreventionProfile"] = threatPreventionProfileProp
 	}
+	customMirroringProfileProp, err := expandNetworkSecuritySecurityProfileCustomMirroringProfile(d.Get("custom_mirroring_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_mirroring_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, customMirroringProfileProp)) {
+		obj["customMirroringProfile"] = customMirroringProfileProp
+	}
+	customInterceptProfileProp, err := expandNetworkSecuritySecurityProfileCustomInterceptProfile(d.Get("custom_intercept_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_intercept_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, customInterceptProfileProp)) {
+		obj["customInterceptProfile"] = customInterceptProfileProp
+	}
 	labelsProp, err := expandNetworkSecuritySecurityProfileEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -393,6 +460,14 @@ func resourceNetworkSecuritySecurityProfileUpdate(d *schema.ResourceData, meta i
 		updateMask = append(updateMask, "threatPreventionProfile")
 	}
 
+	if d.HasChange("custom_mirroring_profile") {
+		updateMask = append(updateMask, "customMirroringProfile")
+	}
+
+	if d.HasChange("custom_intercept_profile") {
+		updateMask = append(updateMask, "customInterceptProfile")
+	}
+
 	if d.HasChange("effective_labels") {
 		updateMask = append(updateMask, "labels")
 	}
@@ -617,6 +692,40 @@ func flattenNetworkSecuritySecurityProfileThreatPreventionProfileThreatOverrides
 	return v
 }
 
+func flattenNetworkSecuritySecurityProfileCustomMirroringProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["mirroring_endpoint_group"] =
+		flattenNetworkSecuritySecurityProfileCustomMirroringProfileMirroringEndpointGroup(original["mirroringEndpointGroup"], d, config)
+	return []interface{}{transformed}
+}
+func flattenNetworkSecuritySecurityProfileCustomMirroringProfileMirroringEndpointGroup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecuritySecurityProfileCustomInterceptProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["intercept_endpoint_group"] =
+		flattenNetworkSecuritySecurityProfileCustomInterceptProfileInterceptEndpointGroup(original["interceptEndpointGroup"], d, config)
+	return []interface{}{transformed}
+}
+func flattenNetworkSecuritySecurityProfileCustomInterceptProfileInterceptEndpointGroup(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenNetworkSecuritySecurityProfileType(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -755,6 +864,52 @@ func expandNetworkSecuritySecurityProfileThreatPreventionProfileThreatOverridesT
 	return v, nil
 }
 
+func expandNetworkSecuritySecurityProfileCustomMirroringProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedMirroringEndpointGroup, err := expandNetworkSecuritySecurityProfileCustomMirroringProfileMirroringEndpointGroup(original["mirroring_endpoint_group"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedMirroringEndpointGroup); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["mirroringEndpointGroup"] = transformedMirroringEndpointGroup
+	}
+
+	return transformed, nil
+}
+
+func expandNetworkSecuritySecurityProfileCustomMirroringProfileMirroringEndpointGroup(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecuritySecurityProfileCustomInterceptProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedInterceptEndpointGroup, err := expandNetworkSecuritySecurityProfileCustomInterceptProfileInterceptEndpointGroup(original["intercept_endpoint_group"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedInterceptEndpointGroup); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["interceptEndpointGroup"] = transformedInterceptEndpointGroup
+	}
+
+	return transformed, nil
+}
+
+func expandNetworkSecuritySecurityProfileCustomInterceptProfileInterceptEndpointGroup(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandNetworkSecuritySecurityProfileType(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google-beta/services/networksecurity/resource_network_security_security_profile_generated_meta.yaml

@@ -5,6 +5,8 @@ api_version: 'v1beta1'
 api_resource_type_kind: 'SecurityProfile'
 fields:
   - field: 'create_time'
+  - field: 'custom_intercept_profile.intercept_endpoint_group'
+  - field: 'custom_mirroring_profile.mirroring_endpoint_group'
   - field: 'description'
   - field: 'effective_labels'
     provider_only: true

google-beta/services/networksecurity/resource_network_security_security_profile_generated_test.go

@@ -126,6 +126,130 @@ resource "google_network_security_security_profile" "default" {
 `, context)
 }
 
+func TestAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileMirroringExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecuritySecurityProfileDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileMirroringExample(context),
+			},
+			{
+				ResourceName:            "google_network_security_security_profile.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "location", "name", "parent", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileMirroringExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_network" "default" {
+  provider                = google-beta
+  name                    = "tf-test-my-network%{random_suffix}"
+  auto_create_subnetworks = false
+}
+
+resource "google_network_security_mirroring_deployment_group" "default" {
+  provider                      = google-beta
+  mirroring_deployment_group_id = "tf-test-my-dg%{random_suffix}"
+  location                      = "global"
+  network                       = google_compute_network.default.id
+}
+
+resource "google_network_security_mirroring_endpoint_group" "default" {
+  provider                      = google-beta
+  mirroring_endpoint_group_id   = "tf-test-my-eg%{random_suffix}"
+  location                      = "global"
+  mirroring_deployment_group    = google_network_security_mirroring_deployment_group.default.id
+}
+
+resource "google_network_security_security_profile" "default" {
+  provider    = google-beta
+  name        = "tf-test-my-security-profile%{random_suffix}"
+  parent      = "organizations/%{org_id}"
+  description = "my description"
+  type        = "CUSTOM_MIRRORING"
+
+  custom_mirroring_profile {
+    mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.default.id
+  }
+}
+`, context)
+}
+
+func TestAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileInterceptExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecuritySecurityProfileDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileInterceptExample(context),
+			},
+			{
+				ResourceName:            "google_network_security_security_profile.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "location", "name", "parent", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileInterceptExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_network" "default" {
+  provider                = google-beta
+  name                    = "tf-test-my-network%{random_suffix}"
+  auto_create_subnetworks = false
+}
+
+resource "google_network_security_intercept_deployment_group" "default" {
+  provider                      = google-beta
+  intercept_deployment_group_id = "tf-test-my-dg%{random_suffix}"
+  location                      = "global"
+  network                       = google_compute_network.default.id
+}
+
+resource "google_network_security_intercept_endpoint_group" "default" {
+  provider                      = google-beta
+  intercept_endpoint_group_id   = "tf-test-my-eg%{random_suffix}"
+  location                      = "global"
+  intercept_deployment_group    = google_network_security_intercept_deployment_group.default.id
+}
+
+resource "google_network_security_security_profile" "default" {
+  provider    = google-beta
+  name        = "tf-test-my-security-profile%{random_suffix}"
+  parent      = "organizations/%{org_id}"
+  description = "my description"
+  type        = "CUSTOM_INTERCEPT"
+
+  custom_intercept_profile {
+    intercept_endpoint_group = google_network_security_intercept_endpoint_group.default.id
+  }
+}
+`, context)
+}
+
 func testAccCheckNetworkSecuritySecurityProfileDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {