Fix address group ordering for network firewall policy rule (#12182) (#8592)

modular-magician · web-flow · commit 90df7036df00 · 2024-11-01T09:50:04.000-07:00
[upstream:b41c48e34de620d6042a2af0a1e905de9d66c211]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/12182.txt b/.changelog/12182.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+compute: fixed a diff based on server-side reordering of `match.src_address_groups` and `match.dest_address_groups` in `google_compute_network_firewall_policy_rule`
+```
diff --git a/google-beta/services/compute/resource_compute_network_firewall_policy_rule.go b/google-beta/services/compute/resource_compute_network_firewall_policy_rule.go
@@ -874,11 +874,55 @@ func flattenComputeNetworkFirewallPolicyRuleMatchSrcSecureTagsState(v interface{
 }
 
 func flattenComputeNetworkFirewallPolicyRuleMatchDestAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
-	return v
+	rawConfigValue := d.Get("match.0.dest_address_groups")
+
+	// Convert config value to []string
+	configValue, err := tpgresource.InterfaceSliceToStringSlice(rawConfigValue)
+	if err != nil {
+		log.Printf("[ERROR] Failed to convert config value: %s", err)
+		return v
+	}
+
+	// Convert v to []string
+	apiStringValue, err := tpgresource.InterfaceSliceToStringSlice(v)
+	if err != nil {
+		log.Printf("[ERROR] Failed to convert API value: %s", err)
+		return v
+	}
+
+	sortedStrings, err := tpgresource.SortStringsByConfigOrder(configValue, apiStringValue)
+	if err != nil {
+		log.Printf("[ERROR] Could not sort API response value: %s", err)
+		return v
+	}
+
+	return sortedStrings
 }
 
 func flattenComputeNetworkFirewallPolicyRuleMatchSrcAddressGroups(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
-	return v
+	rawConfigValue := d.Get("match.0.src_address_groups")
+
+	// Convert config value to []string
+	configValue, err := tpgresource.InterfaceSliceToStringSlice(rawConfigValue)
+	if err != nil {
+		log.Printf("[ERROR] Failed to convert config value: %s", err)
+		return v
+	}
+
+	// Convert v to []string
+	apiStringValue, err := tpgresource.InterfaceSliceToStringSlice(v)
+	if err != nil {
+		log.Printf("[ERROR] Failed to convert API value: %s", err)
+		return v
+	}
+
+	sortedStrings, err := tpgresource.SortStringsByConfigOrder(configValue, apiStringValue)
+	if err != nil {
+		log.Printf("[ERROR] Could not sort API response value: %s", err)
+		return v
+	}
+
+	return sortedStrings
 }
 
 func flattenComputeNetworkFirewallPolicyRuleMatchSrcFqdns(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
diff --git a/google-beta/services/compute/resource_compute_network_firewall_policy_rule_test.go b/google-beta/services/compute/resource_compute_network_firewall_policy_rule_test.go
@@ -142,6 +142,41 @@ func TestAccComputeNetworkFirewallPolicyRule_multipleRules(t *testing.T) {
 	})
 }
 
+func TestAccComputeNetworkFirewallPolicyRule_addressGroupOrder(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+		"project":       envvar.GetTestProjectFromEnv(),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetworkFirewallPolicyRule_addressGroupOrder(context),
+			},
+			{
+				ResourceName:      "google_compute_network_firewall_policy_rule.src_test",
+				ImportState:       true,
+				ImportStateVerify: true,
+				// Referencing using ID causes import to fail
+				// Client-side reordering doesn't work with no state, so ignore on import
+				ImportStateVerifyIgnore: []string{"firewall_policy", "match.0.src_address_groups"},
+			},
+			{
+				ResourceName:      "google_compute_network_firewall_policy_rule.dest_test",
+				ImportState:       true,
+				ImportStateVerify: true,
+				// Referencing using ID causes import to fail
+				// Client-side reordering doesn't work with no state, so ignore on import
+				ImportStateVerifyIgnore: []string{"firewall_policy", "match.0.dest_address_groups"},
+			},
+		},
+	})
+}
+
 func TestAccComputeNetworkFirewallPolicyRule_securityProfileGroup_update(t *testing.T) {
 	t.Parallel()
 
@@ -898,3 +933,72 @@ resource "google_compute_network_firewall_policy_rule" "fw_policy_rule3" {
 }
 `, context)
 }
+
+func testAccComputeNetworkFirewallPolicyRule_addressGroupOrder(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_network_firewall_policy" "policy" {
+  name = "tf-test-policy-%{random_suffix}"
+  description = "Resource created for Terraform acceptance testing"
+}
+
+resource "google_network_security_address_group" "add-group1" {
+  name        = "tf-test-group-1-%{random_suffix}"
+  parent      = "projects/%{project}"
+  location    = "global"
+  type        = "IPV4"
+  capacity    = "10"
+  items       = ["10.0.1.1/32"]
+}
+resource "google_network_security_address_group" "add-group2" {
+  name        = "tf-test-group-2-%{random_suffix}"
+  parent      = "projects/%{project}"
+  location    = "global"
+  type        = "IPV4"
+  capacity    = "10"
+  items       = ["10.0.2.2/32"]
+}
+resource "google_network_security_address_group" "add-group3" {
+  name        = "tf-test-group-3-%{random_suffix}"
+  parent      = "projects/%{project}"
+  location    = "global"
+  type        = "IPV4"
+  capacity    = "10"
+  items       = ["10.0.3.3/32"]
+}
+
+resource "google_compute_network_firewall_policy_rule" "src_test" {
+  firewall_policy         = google_compute_network_firewall_policy.policy.id
+  action                  = "allow"
+  priority                = 1000
+  description             = "Testing address group order issue"
+  direction               = "INGRESS"
+  enable_logging          = true
+  match {
+    src_address_groups = [google_network_security_address_group.add-group2.id,
+                          google_network_security_address_group.add-group1.id]
+    dest_ip_ranges     = ["192.168.2.0/24", "10.0.3.4/32"]
+    layer4_configs {
+      ip_protocol = "all"
+    }
+  }
+}
+
+resource "google_compute_network_firewall_policy_rule" "dest_test" {
+  firewall_policy         = google_compute_network_firewall_policy.policy.id
+  action                  = "allow"
+  priority                = 1100
+  description             = "Testing address group order issue"
+  direction               = "EGRESS"
+  enable_logging          = true
+  match {
+    dest_address_groups = [google_network_security_address_group.add-group3.id,
+                           google_network_security_address_group.add-group2.id]
+    src_ip_ranges       = ["192.168.2.0/24", "10.0.3.4/32"]
+    layer4_configs {
+      ip_protocol = "all"
+    }
+  }
+}
+
+`, context)
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	+compute: fixed a diff based on server-side reordering of `match.src_address_groups` and `match.dest_address_groups` in `google_compute_network_firewall_policy_rule`
	`3`	+```