diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_target_pool.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_target_pool.go.erb
index 9e2d76091e35..7a0bb638024f 100644
--- a/mmv1/third_party/terraform/services/compute/resource_compute_target_pool.go.erb
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_target_pool.go.erb
@@ -126,6 +126,14 @@ func ResourceComputeTargetPool() *schema.Resource {
 Default: "NONE",
 Description: `How to distribute load. Options are "NONE" (no affinity). "CLIENT_IP" (hash of the source/dest addresses / ports), and "CLIENT_IP_PROTO" also includes the protocol (default "NONE").`,
 },
+
+ <% unless version == 'ga' -%>
+ "security_policy": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `The resource URL for the security policy associated with this target pool.`,
+ },
+ <% end -%>
 },
 UseJSONNumber: true,
 }
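Review bot: The new `security_policy` schema field has no `DiffSuppressFunc`, while the Read hunk later in this file (`d.Set("security_policy", tpool.SecurityPolicy)`) stores whatever URL form the API returns. If a user supplies a relative path or a differently versioned URL instead of the exact self link, each plan would presumably show a change and re-issue SetSecurityPolicy. That recurring noise makes a real out-of-band detach of the policy harder to notice. Consider adding `DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,` to the field, or say in the `Description` that only the full self link is accepted. The schema map starts and ends outside the hunk.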
@@ -248,6 +256,35 @@ func resourceComputeTargetPoolCreate(d *schema.ResourceData, meta interface{}) e if err != nil { return err } + + <% unless version == 'ga' -%> + // security_policy isn't set by Create + if o, n := d.GetChange("security_policy"); o.(string) != n.(string) { + pol, err := tpgresource.ParseSecurityPolicyRegionalFieldValue(n.(string), d, config) + if err != nil { + return fmt.Errorf("Error parsing TargetPool security policy: %s", err) + } + + region, err := tpgresource.GetRegion(d, config) + if err != nil { + return err + } + + spr := emptySecurityPolicyReference() + spr.SecurityPolicy = pol.RelativeLink() + + op, err := config.NewComputeClient(userAgent).TargetPools.SetSecurityPolicy(project, region, d.Get("name").(string), spr).Do() + if err != nil { + return fmt.Errorf("Error setting TargetPool security policy:: %s", err) + } + + waitErr := ComputeOperationWaitTime(config, op, project, "Setting TargetPool Security Policy", userAgent, d.Timeout(schema.TimeoutCreate)) + if waitErr != nil { + return waitErr + } + } + <% end -%> + return resourceComputeTargetPoolRead(d, meta) } 
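Review bot: When `SetSecurityPolicy` or the wait that follows fails in this block, the target pool has presumably already been inserted (the insert call is above the hunk), so it exists without the requested policy and the returned error does not say so. Name the pool and the state it is left in, which also removes the doubled colon: `return fmt.Errorf("Error setting security policy on TargetPool %q (pool exists without the policy): %s", d.Get("name").(string), err)`. The block is nearly identical to the one added to resourceComputeTargetPoolUpdate, so a shared helper taking the policy string and a timeout would keep the two attach paths from drifting apart. resourceComputeTargetPoolCreate begins outside the hunk.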
@@ -384,6 +421,34 @@ func resourceComputeTargetPoolUpdate(d *schema.ResourceData, meta interface{}) e } } + <% unless version == 'ga' -%> + if d.HasChange("security_policy") { + sp := d.Get("security_policy").(string) + pol, err := tpgresource.ParseSecurityPolicyRegionalFieldValue(sp, d, config) + if err != nil { + return fmt.Errorf("Error parsing TargetPool security policy: %s", err) + } + + region, err := tpgresource.GetRegion(d, config) + if err != nil { + return err + } + + spr := emptySecurityPolicyReference() + spr.SecurityPolicy = pol.RelativeLink() + + op, err := config.NewComputeClient(userAgent).TargetPools.SetSecurityPolicy(project, region, d.Get("name").(string), spr).Do() + if err != nil { + return fmt.Errorf("Error updating TargetPool security policy:: %s", err) + } + + waitErr := ComputeOperationWaitTime(config, op, project, "Updating TargetPool Security Policy", userAgent, d.Timeout(schema.TimeoutCreate)) + if waitErr != nil { + return waitErr + } + } + <% end -%> + d.Partial(false) return resourceComputeTargetPoolRead(d, meta) @@ -458,6 +523,11 @@ func resourceComputeTargetPoolRead(d *schema.ResourceData, meta interface{}) err if err := d.Set("project", project); err != nil { return fmt.Errorf("Error setting project: %s", err) } + <% unless version == 'ga' -%> + if err := d.Set("security_policy", tpool.SecurityPolicy); err != nil { + return fmt.Errorf("Error setting security_policy: %s", err) + } + <% end -%> return nil } diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_target_pool_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_target_pool_test.go.erb similarity index 64% rename from mmv1/third_party/terraform/services/compute/resource_compute_target_pool_test.go rename to mmv1/third_party/terraform/services/compute/resource_compute_target_pool_test.go.erb index 121e67535144..0aa5097f4313 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_target_pool_test.go 
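Review bot: The wait in the `security_policy` block added to resourceComputeTargetPoolUpdate uses `d.Timeout(schema.TimeoutCreate)`, which looks copied from the create path. It should read `d.Timeout(schema.TimeoutUpdate)`, assuming the resource declares an update timeout (the Timeouts block is not visible here). The error string `"Error updating TargetPool security policy:: %s"` also has a doubled colon. The update function starts and ends outside the hunk.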
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_target_pool_test.go.erb @@ -1,3 +1,4 @@ +<% autogen_exception -%> package compute_test import ( 
@@ -82,6 +83,62 @@ func TestAccComputeTargetPool_update(t *testing.T) { }) } +<% unless version == 'ga' -%> +func TestAccComputeTargetPool_withSecurityPolicy(t *testing.T) { + tpname := fmt.Sprintf("tf-tp-test-%s", acctest.RandString(t, 10)) + ddosPolicy := fmt.Sprintf("tf-tp-ddos-pol-test-%s", acctest.RandString(t, 10)) + edgeSecService := fmt.Sprintf("tf-tp-edge-sec-test-%s", acctest.RandString(t, 10)) + pol1 := fmt.Sprintf("tf-tp-pol1-test-%s", acctest.RandString(t, 10)) + pol2 := fmt.Sprintf("tf-tp-pol2-test-%s", acctest.RandString(t, 10)) + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckComputeTargetPoolDestroyProducer(t), + Steps: []resource.TestStep{ + { + // Create target pool with no security policy attached + Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, "\"\""), + }, + { + ResourceName: "google_compute_target_pool.foo", + ImportState: true, + ImportStateVerify: true, + }, + { + // Add the first security policy to the pool + Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, + `google_compute_region_security_policy.policytargetpool1.self_link`), + }, + { + ResourceName: "google_compute_target_pool.foo", + ImportState: true, + ImportStateVerify: true, + }, + { + // Change to the second security policy in the pool + Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, + `google_compute_region_security_policy.policytargetpool2.self_link`), + }, + { + ResourceName: "google_compute_target_pool.foo", + ImportState: true, + ImportStateVerify: true, + }, + { + // Clean the security policy from the pool + Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, "\"\""), + }, + { + ResourceName: "google_compute_target_pool.foo", + 
ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +<% end -%> func testAccCheckComputeTargetPoolDestroyProducer(t *testing.T) func(s *terraform.State) error { return func(s *terraform.State) error { config := acctest.GoogleProviderConfig(t) @@ -239,3 +296,50 @@ resource "google_compute_instance" "bar" { } `, tpname, instances, name1, name2) } + +<% unless version == 'ga' -%> +func testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, polToSet string) string { + return fmt.Sprintf(` +resource "google_compute_region_security_policy" "policyddosprotection" { + region = "us-south1" + name = "%s" + description = "region security policy for load balancers target pool" + type = "CLOUD_ARMOR_NETWORK" + ddos_protection_config { + ddos_protection = "ADVANCED_PREVIEW" + } +} + +resource "google_compute_network_edge_security_service" "edge_sec_service" { + name = "%s" + region = "us-south1" + description = "edge security service with security policy" + security_policy = google_compute_region_security_policy.policyddosprotection.self_link +} + +resource "google_compute_region_security_policy" "policytargetpool1" { + region = "us-south1" + name = "%s" + description = "region security policy one" + type = "CLOUD_ARMOR_NETWORK" + depends_on = [google_compute_network_edge_security_service.edge_sec_service] +} + +resource "google_compute_region_security_policy" "policytargetpool2" { + region = "us-south1" + name = "%s" + description = "region security policy two" + type = "CLOUD_ARMOR_NETWORK" + depends_on = [google_compute_network_edge_security_service.edge_sec_service] +} + +resource "google_compute_target_pool" "foo" { + region = "us-south1" + description = "Setting SecurityPolicy to targetPool" + name = "%s" + security_policy = %s +} +`, ddosPolicy, edgeSecService, pol1, pol2, tpname, polToSet) +} + +<% end -%> \ No newline at end of file 
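Review bot: The first step of TestAccComputeTargetPool_withSecurityPolicy creates the pool with `"\"\""`, so the `SetSecurityPolicy` block added to resourceComputeTargetPoolCreate never runs. Every attach, swap and detach in this test goes through the update path. A second test case whose first step already sets `google_compute_region_security_policy.policytargetpool1.self_link` would cover attach-at-create. An explicit `resource.TestCheckResourceAttrPair` on `security_policy` in the attach steps would also state the intended end result, rather than leaving it implied by ImportStateVerify.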
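Review bot: The two `depends_on = [google_compute_network_edge_security_service.edge_sec_service]` entries in testAccComputeTargetPool_withSecurityPolicy are unexplained. A reader cannot tell whether the edge security service with `ADVANCED_PREVIEW` DDoS protection is a prerequisite for the `CLOUD_ARMOR_NETWORK` policies or only an ordering aid. A short comment above the Go function stating which it is would record that for whoever edits the fixture next. The region `us-south1` is repeated in five resources and could be a single format argument, and the file now ends without a trailing newline.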
diff --git a/mmv1/third_party/terraform/tpgresource/field_helpers.go b/mmv1/third_party/terraform/tpgresource/field_helpers.go index 177eded0ec93..a6e700c71ba4 100644 --- a/mmv1/third_party/terraform/tpgresource/field_helpers.go +++ b/mmv1/third_party/terraform/tpgresource/field_helpers.go @@ -86,6 +86,10 @@ func ParseSecurityPolicyFieldValue(securityPolicy string, d TerraformResourceDat return ParseGlobalFieldValue("securityPolicies", securityPolicy, "project", d, config, true) } +func ParseSecurityPolicyRegionalFieldValue(securityPolicy string, d TerraformResourceData, config *transport_tpg.Config) (*RegionalFieldValue, error) { + return ParseRegionalFieldValue("securityPolicies", securityPolicy, "project", "region", "zone", d, config, true) +} + func ParseNetworkEndpointGroupFieldValue(networkEndpointGroup string, d TerraformResourceData, config *transport_tpg.Config) (*ZonalFieldValue, error) { return ParseZonalFieldValue("networkEndpointGroups", networkEndpointGroup, "project", "zone", d, config, false) } diff --git a/mmv1/third_party/terraform/website/docs/r/compute_target_pool.html.markdown b/mmv1/third_party/terraform/website/docs/r/compute_target_pool.html.markdown index 52f8d5b06c8c..00c45b1c6caa 100644 --- a/mmv1/third_party/terraform/website/docs/r/compute_target_pool.html.markdown +++ b/mmv1/third_party/terraform/website/docs/r/compute_target_pool.html.markdown @@ -73,6 +73,8 @@ The following arguments are supported: affinity). "CLIENT\_IP" (hash of the source/dest addresses / ports), and "CLIENT\_IP\_PROTO" also includes the protocol (default "NONE"). +* `security_policy` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) The resource URL for the security policy associated with this target pool. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are
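Review bot: ParseSecurityPolicyRegionalFieldValue is exported without a doc comment, and its final argument `true` is presumably what lets the target pool code pass an empty string when a policy is detached. A comment such as `// ParseSecurityPolicyRegionalFieldValue parses a regional security policy self link or name; an empty value is accepted.` would make that contract explicit for other callers. The `"zone"` argument also deserves a word, since the target pool schema shown in this change has no visible zone attribute. It is presumably only a fallback for deriving the region.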