hashicorp · modular-magician · Oct 28, 2024 · Oct 28, 2024
@@ -0,0 +1,6 @@
+```release-note:bug
+compute: fixed unable to create default rule when using `google_compute_region_security_policy_rule` resource (beta)
+```
+```release-note:bug
+compute: fixed unable to create default rule when using `google_compute_security_policy_rule` resource
+```
@@ -605,6 +605,17 @@ func resourceComputeRegionSecurityPolicyRuleCreate(d *schema.ResourceData, meta
 	}
 
 	headers := make(http.Header)
+	// We can't Create a default rule since one is automatically created with the policy
+	rulePriority, ok := d.GetOk("priority")
+
+	if ok && rulePriority.(int) == 2147483647 {
+		log.Printf("[WARN] RegionSecurityPolicyRule represents a default rule, will attempt an Update instead")
+		newUrl, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/patchRule?priority={{priority}}")
+		if err != nil {
+			return err
+		}
+		url = newUrl
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "POST",
@@ -901,6 +912,13 @@ func resourceComputeRegionSecurityPolicyRuleDelete(d *schema.ResourceData, meta
 	}
 
 	headers := make(http.Header)
+	// The default rule of a Security Policy cannot be removed
+	rulePriority, ok := d.GetOk("priority")
+
+	if ok && rulePriority.(int) == 2147483647 {
+		log.Printf("[WARN] RegionSecurityPolicyRule represents a default rule, skipping Delete request")
+		return nil
+	}
 
 	log.Printf("[DEBUG] Deleting RegionSecurityPolicyRule %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{

@@ -157,6 +157,74 @@ resource "google_compute_region_security_policy_rule" "policy_rule_two" {
 `, context)
 }
 
+func TestAccComputeRegionSecurityPolicyRule_regionSecurityPolicyRuleDefaultRuleExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckComputeRegionSecurityPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionSecurityPolicyRule_regionSecurityPolicyRuleDefaultRuleExample(context),
+			},
+			{
+				ResourceName:            "google_compute_region_security_policy_rule.policy_rule",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"region", "security_policy"},
+			},
+		},
+	})
+}
+
+func testAccComputeRegionSecurityPolicyRule_regionSecurityPolicyRuleDefaultRuleExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_region_security_policy" "default" {
+  provider    = google-beta
+  region      = "us-west2"
+  name        = "policywithdefaultrule%{random_suffix}"
+  description = "basic region security policy"
+  type        = "CLOUD_ARMOR"
+}
+
+resource "google_compute_region_security_policy_rule" "default_rule" {
+  provider        = google-beta
+  region          = "us-west2"
+  security_policy = google_compute_region_security_policy.default.name
+  description     = "new rule"
+  action          = "deny"
+  priority        = "2147483647"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+}
+
+resource "google_compute_region_security_policy_rule" "policy_rule" {
+  provider        = google-beta
+  region          = "us-west2"
+  security_policy = google_compute_region_security_policy.default.name
+  description     = "new rule"
+  priority        = 100
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["10.10.0.0/16"]
+    }
+  }
+  action          = "allow"
+  preview         = true
+}
+`, context)
+}
+
 func TestAccComputeRegionSecurityPolicyRule_regionSecurityPolicyRuleWithPreconfiguredWafConfigExample(t *testing.T) {
 	t.Parallel()
 

@@ -68,6 +68,88 @@ resource "google_compute_region_security_policy_rule" "policy_rule" {
 `, context)
 }
 
+func TestAccComputeRegionSecurityPolicyRule_securityPolicyDefaultRule(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeRegionSecurityPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionSecurityPolicyRule_securityPolicyDefaultRuleDeny(context),
+			},
+			{
+				ResourceName:      "google_compute_region_security_policy_rule.policy_rule_default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccComputeRegionSecurityPolicyRule_securityPolicyDefaultRuleAllow(context),
+			},
+			{
+				ResourceName:      "google_compute_region_security_policy_rule.policy_rule_default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccComputeRegionSecurityPolicyRule_securityPolicyDefaultRuleDeny(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_region_security_policy" "default" {
+  region      = "us-west2"
+  name        = "tf-test%{random_suffix}"
+  description = "basic region security policy"
+  type        = "CLOUD_ARMOR"
+}
+
+resource "google_compute_region_security_policy_rule" "policy_rule_default" {
+  security_policy = google_compute_region_security_policy.default.name
+  region          = "us-west2"
+  description     = "default rule"
+  action          = "deny"
+  priority        = "2147483647"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+}
+`, context)
+}
+
+func testAccComputeRegionSecurityPolicyRule_securityPolicyDefaultRuleAllow(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_region_security_policy" "default" {
+  region      = "us-west2"
+  name        = "tf-test%{random_suffix}"
+  description = "basic region security policy"
+  type        = "CLOUD_ARMOR"
+}
+
+resource "google_compute_region_security_policy_rule" "policy_rule_default" {
+  security_policy = google_compute_region_security_policy.default.name
+  region          = "us-west2"
+  description     = "default rule"
+  action          = "allow"
+  priority        = "2147483647"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+}
+`, context)
+}
+
 func testAccComputeRegionSecurityPolicyRule_regionSecurityPolicyRulePostUpdate(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_compute_region_security_policy" "default" {

@@ -555,6 +555,17 @@ func resourceComputeSecurityPolicyRuleCreate(d *schema.ResourceData, meta interf
 	}
 
 	headers := make(http.Header)
+	// We can't Create a default rule since one is automatically created with the policy
+	rulePriority, ok := d.GetOk("priority")
+
+	if ok && rulePriority.(int) == 2147483647 {
+		log.Printf("[WARN] SecurityPolicyRule represents a default rule, will attempt an Update instead")
+		newUrl, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/global/securityPolicies/{{security_policy}}/patchRule?priority={{priority}}")
+		if err != nil {
+			return err
+		}
+		url = newUrl
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "POST",
@@ -832,6 +843,13 @@ func resourceComputeSecurityPolicyRuleDelete(d *schema.ResourceData, meta interf
 	}
 
 	headers := make(http.Header)
+	// The default rule of a Security Policy cannot be removed
+	rulePriority, ok := d.GetOk("priority")
+
+	if ok && rulePriority.(int) == 2147483647 {
+		log.Printf("[WARN] SecurityPolicyRule represents a default rule, skipping Delete request")
+		return nil
+	}
 
 	log.Printf("[DEBUG] Deleting SecurityPolicyRule %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{