Add support for edge_security_policy to google_compute_backend_service (#7120) (#13494)

modular-magician · web-flow · commit 2930e0759073 · 2023-01-13T12:57:03.000-08:00
* updated backend service for edge security policy

* Updated fields for diff suppression, modified post_create custom go code and updated security policy tests.

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/7120.txt b/.changelog/7120.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: add support for 'edge_security_policy' field to 'google_compute_backend_service' resource.
+```
diff --git a/google/resource_compute_backend_service.go b/google/resource_compute_backend_service.go
@@ -573,6 +573,12 @@ responses.`,
 				Optional:    true,
 				Description: `An optional description of this resource.`,
 			},
+			"edge_security_policy": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				DiffSuppressFunc: compareSelfLinkOrResourceName,
+				Description:      `The resource URL for the edge security policy associated with this backend service.`,
+			},
 			"enable_cdn": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -1223,6 +1229,12 @@ func resourceComputeBackendServiceCreate(d *schema.ResourceData, meta interface{
 	} else if v, ok := d.GetOkExists("security_policy"); !isEmptyValue(reflect.ValueOf(securityPolicyProp)) && (ok || !reflect.DeepEqual(v, securityPolicyProp)) {
 		obj["securityPolicy"] = securityPolicyProp
 	}
+	edgeSecurityPolicyProp, err := expandComputeBackendServiceEdgeSecurityPolicy(d.Get("edge_security_policy"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("edge_security_policy"); !isEmptyValue(reflect.ValueOf(edgeSecurityPolicyProp)) && (ok || !reflect.DeepEqual(v, edgeSecurityPolicyProp)) {
+		obj["edgeSecurityPolicy"] = edgeSecurityPolicyProp
+	}
 	securitySettingsProp, err := expandComputeBackendServiceSecuritySettings(d.Get("security_settings"), d, config)
 	if err != nil {
 		return err
@@ -1313,6 +1325,25 @@ func resourceComputeBackendServiceCreate(d *schema.ResourceData, meta interface{
 			return waitErr
 		}
 	}
+	// edge security_policy isn't set by Create / Update
+	if o, n := d.GetChange("edge_security_policy"); o.(string) != n.(string) {
+		pol, err := ParseSecurityPolicyFieldValue(n.(string), d, config)
+		if err != nil {
+			return errwrap.Wrapf("Error parsing Backend Service edge security policy: {{err}}", err)
+		}
+
+		spr := emptySecurityPolicyReference()
+		spr.SecurityPolicy = pol.RelativeLink()
+		op, err := config.NewComputeClient(userAgent).BackendServices.SetEdgeSecurityPolicy(project, obj["name"].(string), spr).Do()
+		if err != nil {
+			return errwrap.Wrapf("Error setting Backend Service edge security policy: {{err}}", err)
+		}
+		// This uses the create timeout for simplicity, though technically this code appears in both create and update
+		waitErr := computeOperationWaitTime(config, op, project, "Setting Backend Service Edge Security Policy", userAgent, d.Timeout(schema.TimeoutCreate))
+		if waitErr != nil {
+			return waitErr
+		}
+	}
 
 	log.Printf("[DEBUG] Finished creating BackendService %q: %#v", d.Id(), res)
 
@@ -1446,6 +1477,9 @@ func resourceComputeBackendServiceRead(d *schema.ResourceData, meta interface{})
 	if err := d.Set("security_policy", flattenComputeBackendServiceSecurityPolicy(res["securityPolicy"], d, config)); err != nil {
 		return fmt.Errorf("Error reading BackendService: %s", err)
 	}
+	if err := d.Set("edge_security_policy", flattenComputeBackendServiceEdgeSecurityPolicy(res["edgeSecurityPolicy"], d, config)); err != nil {
+		return fmt.Errorf("Error reading BackendService: %s", err)
+	}
 	if err := d.Set("security_settings", flattenComputeBackendServiceSecuritySettings(res["securitySettings"], d, config)); err != nil {
 		return fmt.Errorf("Error reading BackendService: %s", err)
 	}
@@ -1607,6 +1641,12 @@ func resourceComputeBackendServiceUpdate(d *schema.ResourceData, meta interface{
 	} else if v, ok := d.GetOkExists("security_policy"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, securityPolicyProp)) {
 		obj["securityPolicy"] = securityPolicyProp
 	}
+	edgeSecurityPolicyProp, err := expandComputeBackendServiceEdgeSecurityPolicy(d.Get("edge_security_policy"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("edge_security_policy"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, edgeSecurityPolicyProp)) {
+		obj["edgeSecurityPolicy"] = edgeSecurityPolicyProp
+	}
 	securitySettingsProp, err := expandComputeBackendServiceSecuritySettings(d.Get("security_settings"), d, config)
 	if err != nil {
 		return err
@@ -1684,6 +1724,25 @@ func resourceComputeBackendServiceUpdate(d *schema.ResourceData, meta interface{
 			return waitErr
 		}
 	}
+	// edge security_policy isn't set by Create / Update
+	if o, n := d.GetChange("edge_security_policy"); o.(string) != n.(string) {
+		pol, err := ParseSecurityPolicyFieldValue(n.(string), d, config)
+		if err != nil {
+			return errwrap.Wrapf("Error parsing Backend Service edge security policy: {{err}}", err)
+		}
+
+		spr := emptySecurityPolicyReference()
+		spr.SecurityPolicy = pol.RelativeLink()
+		op, err := config.NewComputeClient(userAgent).BackendServices.SetEdgeSecurityPolicy(project, obj["name"].(string), spr).Do()
+		if err != nil {
+			return errwrap.Wrapf("Error setting Backend Service edge security policy: {{err}}", err)
+		}
+		// This uses the create timeout for simplicity, though technically this code appears in both create and update
+		waitErr := computeOperationWaitTime(config, op, project, "Setting Backend Service Edge Security Policy", userAgent, d.Timeout(schema.TimeoutCreate))
+		if waitErr != nil {
+			return waitErr
+		}
+	}
 	return resourceComputeBackendServiceRead(d, meta)
 }
 
@@ -2773,6 +2832,10 @@ func flattenComputeBackendServiceSecurityPolicy(v interface{}, d *schema.Resourc
 	return v
 }
 
+func flattenComputeBackendServiceEdgeSecurityPolicy(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
 func flattenComputeBackendServiceSecuritySettings(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	if v == nil {
 		return nil
@@ -3707,6 +3770,10 @@ func expandComputeBackendServiceSecurityPolicy(v interface{}, d TerraformResourc
 	return v, nil
 }
 
+func expandComputeBackendServiceEdgeSecurityPolicy(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandComputeBackendServiceSecuritySettings(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {
diff --git a/google/resource_compute_backend_service_test.go b/google/resource_compute_backend_service_test.go
@@ -261,22 +261,23 @@ func TestAccComputeBackendService_withSecurityPolicy(t *testing.T) {
 	serviceName := fmt.Sprintf("tf-test-%s", randString(t, 10))
 	checkName := fmt.Sprintf("tf-test-%s", randString(t, 10))
 	polName := fmt.Sprintf("tf-test-%s", randString(t, 10))
+	edgePolName := fmt.Sprintf("tf-test-%s", randString(t, 10))
 
 	vcrTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckComputeBackendServiceDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeBackendService_withSecurityPolicy(serviceName, checkName, polName, "google_compute_security_policy.policy.self_link"),
+				Config: testAccComputeBackendService_withSecurityPolicy(serviceName, checkName, polName, edgePolName, "google_compute_security_policy.policy.self_link", "google_compute_security_policy.edgePolicy.self_link"),
 			},
 			{
 				ResourceName:      "google_compute_backend_service.foobar",
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccComputeBackendService_withSecurityPolicy(serviceName, checkName, polName, "\"\""),
+				Config: testAccComputeBackendService_withSecurityPolicy(serviceName, checkName, polName, edgePolName, "\"\"", "\"\""),
 			},
 			{
 				ResourceName:      "google_compute_backend_service.foobar",
@@ -1057,12 +1058,13 @@ resource "google_compute_https_health_check" "zero" {
 `, serviceName, checkName)
 }
 
-func testAccComputeBackendService_withSecurityPolicy(serviceName, checkName, polName, polLink string) string {
+func testAccComputeBackendService_withSecurityPolicy(serviceName, checkName, polName, edgePolName, polLink string, edgePolLink string) string {
 	return fmt.Sprintf(`
 resource "google_compute_backend_service" "foobar" {
   name            = "%s"
   health_checks   = [google_compute_http_health_check.zero.self_link]
   security_policy = %s
+  edge_security_policy = %s
 }
 
 resource "google_compute_http_health_check" "zero" {
@@ -1076,7 +1078,13 @@ resource "google_compute_security_policy" "policy" {
   name        = "%s"
   description = "basic security policy"
 }
-`, serviceName, polLink, checkName, polName)
+
+resource "google_compute_security_policy" "edgePolicy" {
+  name        = "%s"
+  description = "edge security policy"
+  type = "CLOUD_ARMOR_EDGE"
+}
+`, serviceName, polLink, edgePolLink, checkName, polName, edgePolName)
 }
 
 func testAccComputeBackendService_withMaxConnections(
diff --git a/website/docs/r/compute_backend_service.html.markdown b/website/docs/r/compute_backend_service.html.markdown
@@ -459,6 +459,10 @@ The following arguments are supported:
   (Optional)
   The security policy associated with this backend service.
 
+* `edge_security_policy` -
+  (Optional)
+  The resource URL for the edge security policy associated with this backend service.
+
 * `security_settings` -
   (Optional)
   The security settings that apply to this backend service. This field is applicable to either

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	`+compute: add support for 'edge_security_policy' field to 'google_compute_backend_service' resource.`
	`3`	+```