Migrate google_compute_firewall_policy_rule resource from DCL to MMv1 (GoogleCloudPlatform#11360)

Samir-Cit · trodge · niharika-98 · commit 3b7ac0de536a · 2025-02-17T08:56:15.000Z
Co-authored-by: Thomas Rodgers &lt;thomasrodgers@google.com&gt;
diff --git a/mmv1/products/compute/FirewallPolicyRule.yaml b/mmv1/products/compute/FirewallPolicyRule.yaml
@@ -0,0 +1,245 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'FirewallPolicyRule'
+kind: 'compute#firewallPolicyRule'
+description: |
+  Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny).
+min_version: 'beta'
+references:
+  guides:
+  api: 'https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies/addRule'
+docs:
+id_format: 'locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}'
+base_url: 'locations/global/firewallPolicies/{{firewall_policy}}'
+self_link: 'locations/global/firewallPolicies/{{firewall_policy}}/getRule?priority={{priority}}'
+create_url: 'locations/global/firewallPolicies/{{firewall_policy}}/addRule'
+update_url: 'locations/global/firewallPolicies/{{firewall_policy}}/patchRule?priority={{priority}}'
+update_verb: 'POST'
+delete_url: 'locations/global/firewallPolicies/{{firewall_policy}}/removeRule?priority={{priority}}'
+delete_verb: 'POST'
+import_format:
+  - 'locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}'
+  - '{{firewall_policy}}/{{priority}}'
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+custom_diff:
+  - 'tpgresource.DefaultProviderProject'
+custom_code:
+  post_create: 'templates/terraform/post_create/compute_firewall_policy_rule.go.tmpl'
+  post_delete: 'templates/terraform/post_delete/compute_firewall_policy_rule.go.tmpl'
+  post_update: 'templates/terraform/post_update/compute_firewall_policy_rule.go.tmpl'
+examples:
+  - name: 'firewall_policy_rule'
+    primary_resource_id: 'policy_rule'
+    vars:
+      fw_policy: 'policy'
+      address: 'address'
+      folder: 'folder'
+    test_env_vars:
+      org_id: 'ORG_ID'
+      service_account: 'SERVICE_ACCT'
+parameters:
+  - name: 'firewallPolicy'
+    type: ResourceRef
+    description: |
+      The firewall policy of the resource.
+    ignore_read: true
+    required: true
+    immutable: true
+    diff_suppress_func: 'tpgresource.CompareResourceNames'
+    custom_expand: 'templates/terraform/custom_expand/compute_firewall_policy_rule.go.tmpl'
+    resource: 'FirewallPolicy'
+    imports: 'name'
+properties:
+  - name: 'creationTimestamp'
+    type: String
+    description: |
+      Creation timestamp in RFC3339 text format.
+    output: true
+  - name: 'kind'
+    type: String
+    description: |
+      Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules
+    output: true
+  - name: 'description'
+    type: String
+    description: 'An optional description for this resource.'
+  - name: 'priority'
+    type: Integer
+    immutable: true
+    description: |
+      An integer indicating the priority of a rule in the list.
+      The priority must be a positive value between 0 and 2147483647.
+      Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
+    required: true
+  - name: 'match'
+    type: NestedObject
+    description: |
+      A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
+    required: true
+    properties:
+      - name: 'srcIpRanges'
+        type: Array
+        send_empty_value: true
+        description: |
+          CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
+        item_type:
+          type: String
+      - name: 'destIpRanges'
+        type: Array
+        send_empty_value: true
+        description: |
+          CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
+        item_type:
+          type: String
+      - name: 'layer4Configs'
+        type: Array
+        send_empty_value: true
+        description: |
+          Pairs of IP protocols and ports that the rule should match.
+        required: true
+        item_type:
+          type: NestedObject
+          properties:
+            - name: 'ipProtocol'
+              type: String
+              description: |
+                The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule.
+                This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
+              required: true
+            - name: 'ports'
+              type: Array
+              description: |
+                An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port.
+                Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
+              item_type:
+                type: String
+      - name: 'destAddressGroups'
+        type: Array
+        send_empty_value: true
+        description: |
+          Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
+        item_type:
+          type: String
+      - name: 'srcAddressGroups'
+        type: Array
+        send_empty_value: true
+        description: |
+          Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
+        item_type:
+          type: String
+      - name: 'srcFqdns'
+        type: Array
+        send_empty_value: true
+        description: |
+          Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
+        item_type:
+          type: String
+      - name: 'destFqdns'
+        type: Array
+        send_empty_value: true
+        description: |
+          Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
+        item_type:
+          type: String
+      - name: 'srcRegionCodes'
+        type: Array
+        send_empty_value: true
+        description: |
+          Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
+        item_type:
+          type: String
+      - name: 'destRegionCodes'
+        type: Array
+        send_empty_value: true
+        description: |
+          Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
+        item_type:
+          type: String
+      - name: 'destThreatIntelligences'
+        type: Array
+        send_empty_value: true
+        description: |
+          Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
+        item_type:
+          type: String
+      - name: 'srcThreatIntelligences'
+        type: Array
+        send_empty_value: true
+        description: |
+          Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
+        item_type:
+          type: String
+  - name: 'action'
+    type: String
+    description: 'The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".'
+    required: true
+  - name: 'securityProfileGroup'
+    type: String
+    description: |
+      A fully-qualified URL of a SecurityProfile resource instance.
+      Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
+      Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
+  - name: 'tlsInspect'
+    type: Boolean
+    description: |
+      Boolean flag indicating if the traffic should be TLS decrypted.
+      Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
+  - name: 'direction'
+    type: Enum
+    description: |
+      The direction in which this rule applies.
+    required: true
+    enum_values:
+      - 'INGRESS'
+      - 'EGRESS'
+  - name: 'targetResources'
+    type: Array
+    send_empty_value: true
+    description: |
+      A list of network resource URLs to which this rule applies.
+      This field allows you to control which network's VMs get this rule.
+      If this field is left blank, all VMs within the organization will receive the rule.
+    diff_suppress_func: 'tpgresource.CompareSelfLinkOrResourceName'
+    item_type:
+      type: String
+  - name: 'enableLogging'
+    type: Boolean
+    send_empty_value: true
+    description: |
+      Denotes whether to enable logging for a particular rule.
+      If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
+      Logs may be exported to BigQuery or Pub/Sub.
+      Note: you cannot enable logging on "goto_next" rules.
+  - name: 'ruleTupleCount'
+    type: Integer
+    description: |
+      Calculation of the complexity of a single firewall policy rule.
+    output: true
+  - name: 'targetServiceAccounts'
+    type: Array
+    send_empty_value: true
+    description: |
+      A list of service accounts indicating the sets of instances that are applied with this rule.
+    item_type:
+      type: String
+  - name: 'disabled'
+    type: Boolean
+    description: |
+      Denotes whether the firewall policy rule is disabled.
+      When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
+      If this is unspecified, the firewall policy rule will be enabled.
diff --git a/mmv1/templates/terraform/custom_expand/compute_firewall_policy_rule.go.tmpl b/mmv1/templates/terraform/custom_expand/compute_firewall_policy_rule.go.tmpl
@@ -0,0 +1,7 @@
+func expand{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	firewallPolicyId := tpgresource.GetResourceNameFromSelfLink(v.(string))
+    if err := d.Set("firewall_policy", firewallPolicyId); err != nil {
+		return nil, fmt.Errorf("Error setting firewall_policy: %s", err)
+	}
+    return firewallPolicyId, nil
+}
diff --git a/mmv1/templates/terraform/examples/firewall_policy_rule.tf.tmpl b/mmv1/templates/terraform/examples/firewall_policy_rule.tf.tmpl
@@ -0,0 +1,57 @@
+resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
+  provider = google-beta
+  
+  name        = "{{index $.Vars "address"}}"
+  parent      = "organizations/{{index $.TestEnvVars "org_id"}}"
+  description = "Sample global networksecurity_address_group"
+  location    = "global"
+  items       = ["208.80.154.224/32"]
+  type        = "IPV4"
+  capacity    = 100
+}
+
+resource "google_folder" "folder" {
+  provider = google-beta
+  
+  display_name        = "{{index $.Vars "folder"}}"
+  parent              = "organizations/{{index $.TestEnvVars "org_id"}}"
+  deletion_protection = false
+}
+
+resource "google_compute_firewall_policy" "default" {
+  provider = google-beta
+  
+  parent      = google_folder.folder.id
+  short_name  = "{{index $.Vars "fw_policy"}}"
+  description = "Resource created for Terraform acceptance testing"
+}
+
+resource "google_compute_firewall_policy_rule" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+  
+  firewall_policy = google_compute_firewall_policy.default.name
+  description     = "Resource created for Terraform acceptance testing"
+  priority        = 9000
+  enable_logging  = true
+  action          = "allow"
+  direction       = "EGRESS"
+  disabled        = false
+
+  match {
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports = [8080]
+    }
+    layer4_configs {
+      ip_protocol = "udp"
+      ports = [22]
+    }
+    dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = []
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
+    src_address_groups = []
+    dest_address_groups = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
+  }
+  target_service_accounts = ["{{index $.TestEnvVars "service_account"}}"]
+}
diff --git a/mmv1/templates/terraform/post_create/compute_firewall_policy_rule.go.tmpl b/mmv1/templates/terraform/post_create/compute_firewall_policy_rule.go.tmpl
@@ -0,0 +1,11 @@
+parent := d.Get("firewall_policy").(string)
+var opRes map[string]interface{}
+err = ComputeOrgOperationWaitTimeWithResponse(
+	config, res, &opRes, parent, "Creating FirewallPolicyRule", userAgent,
+	d.Timeout(schema.TimeoutCreate))
+
+if err != nil {
+	// The resource didn't actually create
+	d.SetId("")
+	return fmt.Errorf("Error waiting to create FirewallPolicyRule: %s", err)
+}
diff --git a/mmv1/templates/terraform/post_delete/compute_firewall_policy_rule.go.tmpl b/mmv1/templates/terraform/post_delete/compute_firewall_policy_rule.go.tmpl
@@ -0,0 +1,11 @@
+parent := d.Get("firewall_policy").(string)
+var opRes map[string]interface{}
+err = ComputeOrgOperationWaitTimeWithResponse(
+	config, res, &opRes, parent, "Deleting FirewallPolicyRule", userAgent,
+	d.Timeout(schema.TimeoutCreate))
+
+if err != nil {
+	// The resource didn't actually create
+	d.SetId("")
+	return fmt.Errorf("Error waiting to delete FirewallPolicyRule: %s", err)
+}
diff --git a/mmv1/templates/terraform/post_update/compute_firewall_policy_rule.go.tmpl b/mmv1/templates/terraform/post_update/compute_firewall_policy_rule.go.tmpl
@@ -0,0 +1,11 @@
+parent := d.Get("firewall_policy").(string)
+var opRes map[string]interface{}
+err = ComputeOrgOperationWaitTimeWithResponse(
+	config, res, &opRes, parent, "Updating FirewallPolicyRule", userAgent,
+	d.Timeout(schema.TimeoutCreate))
+
+if err != nil {
+	// The resource didn't actually create
+	d.SetId("")
+	return fmt.Errorf("Error waiting to update FirewallPolicyRule: %s", err)
+}
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_firewall_policy_rule_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_firewall_policy_rule_test.go.tmpl
diff --git a/tpgtools/overrides/compute/beta/firewall_policy_rule.yaml b/tpgtools/overrides/compute/beta/firewall_policy_rule.yaml
diff --git a/tpgtools/overrides/compute/firewall_policy_rule.yaml b/tpgtools/overrides/compute/firewall_policy_rule.yaml
