[#20905] Add network scope and src network fields to fw policy rules (#12762) (#9082)

[upstream:22ebcfbc1bce625abe2a1a382af8c6312fc8032e]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12762.txt

@@ -0,0 +1,18 @@
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_firewall_policy_with_rules` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_network_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_network_firewall_policy_with_rules` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_region_network_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_region_network_firewall_policy_with_rules` resource (beta)
+```

google-beta/services/compute/resource_compute_firewall_policy_rule.go

@@ -127,6 +127,12 @@ Example inputs include: ["22"], ["80","443"], and ["12345-12349"].`,
 								Type: schema.TypeString,
 							},
 						},
+						"dest_network_scope": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: verify.ValidateEnum([]string{"INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS", ""}),
+							Description:  `Network scope of the traffic destination. Possible values: ["INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS"]`,
+						},
 						"dest_region_codes": {
 							Type:        schema.TypeList,
 							Optional:    true,
@@ -167,6 +173,20 @@ Example inputs include: ["22"], ["80","443"], and ["12345-12349"].`,
 								Type: schema.TypeString,
 							},
 						},
+						"src_network_scope": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: verify.ValidateEnum([]string{"INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS", ""}),
+							Description:  `Network scope of the traffic source. Possible values: ["INTERNET", "INTRA_VPC", "NON_INTERNET", "VPC_NETWORKS"]`,
+						},
+						"src_networks": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `Networks of the traffic source. It can be either a full or partial url.`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
 						"src_region_codes": {
 							Type:        schema.TypeList,
 							Optional:    true,
@@ -719,6 +739,12 @@ func flattenComputeFirewallPolicyRuleMatch(v interface{}, d *schema.ResourceData
 		flattenComputeFirewallPolicyRuleMatchSrcIpRanges(original["srcIpRanges"], d, config)
 	transformed["dest_ip_ranges"] =
 		flattenComputeFirewallPolicyRuleMatchDestIpRanges(original["destIpRanges"], d, config)
+	transformed["src_network_scope"] =
+		flattenComputeFirewallPolicyRuleMatchSrcNetworkScope(original["srcNetworkScope"], d, config)
+	transformed["src_networks"] =
+		flattenComputeFirewallPolicyRuleMatchSrcNetworks(original["srcNetworks"], d, config)
+	transformed["dest_network_scope"] =
+		flattenComputeFirewallPolicyRuleMatchDestNetworkScope(original["destNetworkScope"], d, config)
 	transformed["layer4_configs"] =
 		flattenComputeFirewallPolicyRuleMatchLayer4Configs(original["layer4Configs"], d, config)
 	transformed["dest_address_groups"] =
@@ -747,6 +773,18 @@ func flattenComputeFirewallPolicyRuleMatchDestIpRanges(v interface{}, d *schema.
 	return v
 }
 
+func flattenComputeFirewallPolicyRuleMatchSrcNetworkScope(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenComputeFirewallPolicyRuleMatchSrcNetworks(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenComputeFirewallPolicyRuleMatchDestNetworkScope(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenComputeFirewallPolicyRuleMatchLayer4Configs(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -886,6 +924,27 @@ func expandComputeFirewallPolicyRuleMatch(v interface{}, d tpgresource.Terraform
 		transformed["destIpRanges"] = transformedDestIpRanges
 	}
 
+	transformedSrcNetworkScope, err := expandComputeFirewallPolicyRuleMatchSrcNetworkScope(original["src_network_scope"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedSrcNetworkScope); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["srcNetworkScope"] = transformedSrcNetworkScope
+	}
+
+	transformedSrcNetworks, err := expandComputeFirewallPolicyRuleMatchSrcNetworks(original["src_networks"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedSrcNetworks); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["srcNetworks"] = transformedSrcNetworks
+	}
+
+	transformedDestNetworkScope, err := expandComputeFirewallPolicyRuleMatchDestNetworkScope(original["dest_network_scope"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedDestNetworkScope); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["destNetworkScope"] = transformedDestNetworkScope
+	}
+
 	transformedLayer4Configs, err := expandComputeFirewallPolicyRuleMatchLayer4Configs(original["layer4_configs"], d, config)
 	if err != nil {
 		return nil, err
@@ -960,6 +1019,18 @@ func expandComputeFirewallPolicyRuleMatchDestIpRanges(v interface{}, d tpgresour
 	return v, nil
 }
 
+func expandComputeFirewallPolicyRuleMatchSrcNetworkScope(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandComputeFirewallPolicyRuleMatchSrcNetworks(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandComputeFirewallPolicyRuleMatchDestNetworkScope(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandComputeFirewallPolicyRuleMatchLayer4Configs(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	req := make([]interface{}, 0, len(l))

google-beta/services/compute/resource_compute_firewall_policy_rule_generated_test.go

@@ -35,9 +35,9 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"org_id":          envvar.GetTestOrgFromEnv(t),
-		"service_account": envvar.GetTestServiceAccountFromEnv(t),
-		"random_suffix":   acctest.RandString(t, 10),
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"service_acct":  envvar.GetTestServiceAccountFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -49,7 +49,7 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
 				Config: testAccComputeFirewallPolicyRule_firewallPolicyRuleExample(context),
 			},
 			{
-				ResourceName:            "google_compute_firewall_policy_rule.policy_rule",
+				ResourceName:            "google_compute_firewall_policy_rule.primary",
 				ImportState:             true,
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"firewall_policy"},
@@ -61,7 +61,7 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
 func testAccComputeFirewallPolicyRule_firewallPolicyRuleExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
-  name        = "address%{random_suffix}"
+  name        = "tf-test-address-group%{random_suffix}"
   parent      = "organizations/%{org_id}"
   description = "Sample global networksecurity_address_group"
   location    = "global"
@@ -78,36 +78,111 @@ resource "google_folder" "folder" {
 
 resource "google_compute_firewall_policy" "default" {
   parent      = google_folder.folder.id
-  short_name  = "policy%{random_suffix}"
+  short_name  = "tf-test-fw-policy%{random_suffix}"
   description = "Resource created for Terraform acceptance testing"
 }
 
-resource "google_compute_firewall_policy_rule" "policy_rule" {
+resource "google_compute_firewall_policy_rule" "primary" {
+  firewall_policy         = google_compute_firewall_policy.default.name
+  description             = "Resource created for Terraform acceptance testing"
+  priority                = 9000
+  enable_logging          = true
+  action                  = "allow"
+  direction               = "EGRESS"
+  disabled                = false
+  target_service_accounts = ["%{service_acct}"]
+
+  match {
+    dest_ip_ranges            = ["11.100.0.1/32"]
+    dest_fqdns                = []
+    dest_region_codes         = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
+    src_address_groups        = []
+    dest_address_groups       = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
+    dest_network_scope        = "INTERNET"
+
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports       = [8080]
+    }
+
+    layer4_configs {
+      ip_protocol = "udp"
+      ports       = [22]
+    }
+  }
+}
+`, context)
+}
+
+func TestAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeFirewallPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(context),
+			},
+			{
+				ResourceName:            "google_compute_firewall_policy_rule.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+		},
+	})
+}
+
+func testAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_folder" "folder" {
+  display_name        = "folder%{random_suffix}"
+  parent              = "organizations/%{org_id}"
+  deletion_protection = false
+}
+
+resource "google_compute_firewall_policy" "default" {
+  parent      = google_folder.folder.id
+  short_name  = "tf-test-fw-policy%{random_suffix}"
+  description = "Firewall policy"
+}
+
+resource "google_compute_firewall_policy_rule" "primary" {
   firewall_policy = google_compute_firewall_policy.default.name
-  description     = "Resource created for Terraform acceptance testing"
+  description     = "Firewall policy rule with network scope"
   priority        = 9000
-  enable_logging  = true
   action          = "allow"
-  direction       = "EGRESS"
+  direction       = "INGRESS"
   disabled        = false
 
   match {
+    src_ip_ranges     = ["11.100.0.1/32"]
+    src_network_scope = "VPC_NETWORKS"
+    src_networks      = [google_compute_network.network.id]
+
     layer4_configs {
       ip_protocol = "tcp"
-      ports = [8080]
+      ports       = [8080]
     }
+
     layer4_configs {
       ip_protocol = "udp"
-      ports = [22]
+      ports       = [22]
     }
-    dest_ip_ranges = ["11.100.0.1/32"]
-    dest_fqdns = []
-    dest_region_codes = ["US"]
-    dest_threat_intelligences = ["iplist-known-malicious-ips"]
-    src_address_groups = []
-    dest_address_groups = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
   }
-  target_service_accounts = ["%{service_account}"]
+}
+
+resource "google_compute_network" "network" {
+  name                    = "network%{random_suffix}"
+  auto_create_subnetworks = false
 }
 `, context)
 }