Create region security policies rules (#8477) (#15523)

modular-magician · diogoEsteves42 · web-flow · commit fbc4b0ced6de · 2023-08-15T16:24:07.000-07:00
* creating first version of region security policy and adding ddos protection config

* adding rules field in region security policy

* creating resource network_edge_security_service and their scenarios of test

* adding patch operation and fixing id, import_format and self_link

* added fields in the region_security_policy, and fixed the scenario tests for network_edge_security_service

* removed duplicated field for region_security_policy

* adding ddos_protection_config field in region_security_policy

* cleanups

* adding self_link field back and removing uncessary fields

* adding docs for ddosProtection

* making new resources only availabe in beta downstream

* fixing eof

* adding region security policy rule and basic scenario

* code experiments cleanups

* adding preconfiguredWafConfig object and some inner fields in region security policy rule

* adding mapping for network_match object in region security policy rule

* adding rateLimitOptions mapping

* adding ruleNumber field to region security policy

* adding basic update for region security policy rule

* adding network_match and preconfigured_waf scenarios for region sec policy rules

* wip - adding user_defined_fields in region security policy

* fixing yaml linter issues

* fixing review comments

* removing validate_only field

* fixing comments in region_security_policy_rule test

* fixing userDefinedFields and adding tests for regionSecPolicyRule

* adding user_defined_fields update test for regionSecPolicy

* removing rule_number from regionSecPolicyRule

* removing preconfiguredWaf from regionSecPolicyRule because it is not finished yet

* removing rateLimitOptions from RegionSecPolicyRule because it is not finished yet

* small cleanups

* fixing yamllint issues on the worked resources

* prevent that netwrokt_match test fails due paralellism

* adding new test for multiple rules

* fixing code review comments

* removing harcoded project from tests

* moving network_edge_security_service basic test to another region

* fixing code review issues

* fixing import cycle issue in downstream repo

* updating with upstream and change regions

---------

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
Co-authored-by: diogoEsteves &lt;diogoesteves@ciandt.com&gt;
diff --git a/.changelog/8477.txt b/.changelog/8477.txt
@@ -0,0 +1,6 @@
+```release-note:new-resource
+`google_compute_region_security_policy_rule`
+```
+```release-note:enhancement
+compute: added support for `user_defined_fields` to `google_compute_region_security_policy`
+```
diff --git a/google/services/compute/resource_compute_region_security_policy_rule_test.go b/google/services/compute/resource_compute_region_security_policy_rule_test.go
@@ -0,0 +1,3 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+package compute_test
diff --git a/website/docs/r/compute_network_edge_security_service.html.markdown b/website/docs/r/compute_network_edge_security_service.html.markdown
@@ -38,7 +38,7 @@ resource "google_compute_network_edge_security_service" "default" {
   provider     = google-beta  
 
   name         = "my-edge-security-service"
-  region       = "asia-southeast1"
+  region       = "us-east1"
   description  = "My basic resource"
 }
 ```
diff --git a/website/docs/r/compute_region_security_policy.html.markdown b/website/docs/r/compute_region_security_policy.html.markdown
@@ -68,6 +68,37 @@ resource "google_compute_region_security_policy" "region-sec-policy-ddos-protect
   }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_with_user_defined_fields&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Region Security Policy With User Defined Fields
+
+
+```hcl
+resource "google_compute_region_security_policy" "region-sec-policy-user-defined-fields" {
+  provider    = google-beta  
+
+  name        = "my-sec-policy-user-defined-fields"
+  description = "with user defined fields"
+  type        = "CLOUD_ARMOR_NETWORK"
+  user_defined_fields {
+    name = "SIG1_AT_0"
+    base = "UDP"
+    offset = 8
+    size = 2
+    mask = "0x8F00"
+  }
+  user_defined_fields {
+    name = "SIG2_AT_8"
+    base = "UDP"
+    offset = 16
+    size = 4
+    mask = "0xFFFFFFFF"
+  }
+}
+```
 
 ## Argument Reference
 
@@ -101,6 +132,13 @@ The following arguments are supported:
   Configuration for Google Cloud Armor DDOS Proctection Config.
   Structure is [documented below](#nested_ddos_protection_config).
 
+* `user_defined_fields` -
+  (Optional)
+  Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies.
+  A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits.
+  Rules may then specify matching values for these fields.
+  Structure is [documented below](#nested_user_defined_fields).
+
 * `region` -
   (Optional)
   The Region in which the created Region Security Policy should reside.
@@ -120,6 +158,35 @@ The following arguments are supported:
   - ADVANCED_PREVIEW: flag to enable the security policy in preview mode.
   Possible values are: `ADVANCED`, `ADVANCED_PREVIEW`, `STANDARD`.
 
+<a name="nested_user_defined_fields"></a>The `user_defined_fields` block supports:
+
+* `name` -
+  (Optional)
+  The name of this field. Must be unique within the policy.
+
+* `base` -
+  (Required)
+  The base relative to which 'offset' is measured. Possible values are:
+  - IPV4: Points to the beginning of the IPv4 header.
+  - IPV6: Points to the beginning of the IPv6 header.
+  - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
+  - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
+  Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.
+
+* `offset` -
+  (Optional)
+  Offset of the first byte of the field (in network byte order) relative to 'base'.
+
+* `size` -
+  (Optional)
+  Size of the field in bytes. Valid values: 1-4.
+
+* `mask` -
+  (Optional)
+  If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
+  Encoded as a hexadecimal number (starting with "0x").
+  The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported:
diff --git a/website/docs/r/compute_region_security_policy_rule.html.markdown b/website/docs/r/compute_region_security_policy_rule.html.markdown

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+// Copyright (c) HashiCorp, Inc.`
	`2`	`+// SPDX-License-Identifier: MPL-2.0`
	`3`	`+package compute_test`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ resource "google_compute_network_edge_security_service" "default" {`
`38`	`38`	`provider = google-beta`
`39`	`39`
`40`	`40`	`name = "my-edge-security-service"`
`41`		`- region = "asia-southeast1"`
	`41`	`+ region = "us-east1"`
`42`	`42`	`description = "My basic resource"`
`43`	`43`	`}`
`44`	`44`	```