GoogleCloudPlatform · NickElliot · Aug 18, 2023 · Aug 9, 2023 · Aug 10, 2023 · Aug 10, 2023
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_target_pool.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_target_pool.go.erb
@@ -126,6 +126,14 @@ func ResourceComputeTargetPool() *schema.Resource {
 				Default:     "NONE",
 				Description: `How to distribute load. Options are "NONE" (no affinity). "CLIENT_IP" (hash of the source/dest addresses / ports), and "CLIENT_IP_PROTO" also includes the protocol (default "NONE").`,
 			},
+
+			<% unless version == 'ga' -%>
+			"security_policy": {
+				Type: schema.TypeString,
+				Optional: true,
+				Description: `The resource URL for the security policy associated with this target pool.`,
+			},
+			<% end -%>
 		},
 		UseJSONNumber: true,
 	}
@@ -248,6 +256,35 @@ func resourceComputeTargetPoolCreate(d *schema.ResourceData, meta interface{}) e
 	if err != nil {
 		return err
 	}
+
+	<% unless version == 'ga' -%>
+	// security_policy isn't set by Create
+	if o, n := d.GetChange("security_policy"); o.(string) != n.(string) {
+		pol, err := tpgresource.ParseSecurityPolicyRegionalFieldValue(n.(string), d, config)
+		if err != nil {
+			return fmt.Errorf("Error parsing TargetPool security policy: %s", err)
+		}
+
+		region, err := tpgresource.GetRegion(d, config)
+		if err != nil {
+			return err
+		}
+
+		spr := emptySecurityPolicyReference()
+		spr.SecurityPolicy = pol.RelativeLink()
+
+		op, err := config.NewComputeClient(userAgent).TargetPools.SetSecurityPolicy(project, region, d.Get("name").(string), spr).Do()
+		if err != nil {
+			return fmt.Errorf("Error setting TargetPool security policy:: %s", err)
+		}
+
+		waitErr := ComputeOperationWaitTime(config, op, project, "Setting TargetPool Security Policy", userAgent, d.Timeout(schema.TimeoutCreate))
+		if waitErr != nil {
+			return waitErr
+		}
+	}
+	<% end -%>
+
 	return resourceComputeTargetPoolRead(d, meta)
 }
 
@@ -384,6 +421,34 @@ func resourceComputeTargetPoolUpdate(d *schema.ResourceData, meta interface{}) e
 		}
 	}
 
+	<% unless version == 'ga' -%>
+	if d.HasChange("security_policy") {
+		sp := d.Get("security_policy").(string)
+		pol, err := tpgresource.ParseSecurityPolicyRegionalFieldValue(sp, d, config)
+		if err != nil {
+			return fmt.Errorf("Error parsing TargetPool security policy: %s", err)
+		}
+
+		region, err := tpgresource.GetRegion(d, config)
+		if err != nil {
+			return err
+		}
+
+		spr := emptySecurityPolicyReference()
+		spr.SecurityPolicy = pol.RelativeLink()
+
+		op, err := config.NewComputeClient(userAgent).TargetPools.SetSecurityPolicy(project, region, d.Get("name").(string), spr).Do()
+		if err != nil {
+			return fmt.Errorf("Error updating TargetPool security policy:: %s", err)
+		}
+
+		waitErr := ComputeOperationWaitTime(config, op, project, "Updating TargetPool Security Policy", userAgent, d.Timeout(schema.TimeoutCreate))
+		if waitErr != nil {
+			return waitErr
+		}
+	}
+	<% end -%>
+
 	d.Partial(false)
 
 	return resourceComputeTargetPoolRead(d, meta)
@@ -458,6 +523,11 @@ func resourceComputeTargetPoolRead(d *schema.ResourceData, meta interface{}) err
 	if err := d.Set("project", project); err != nil {
 		return fmt.Errorf("Error setting project: %s", err)
 	}
+	<% unless version == 'ga' -%>
+	if err := d.Set("security_policy", tpool.SecurityPolicy); err != nil {
+		return fmt.Errorf("Error setting security_policy: %s", err)
+	}
+	<% end -%>
 	return nil
 }
 

diff --git a/...pute/resource_compute_target_pool_test.go → .../resource_compute_target_pool_test.go.erb b/...pute/resource_compute_target_pool_test.go → .../resource_compute_target_pool_test.go.erb
@@ -1,3 +1,4 @@
+<% autogen_exception -%>
 package compute_test
 
 import (
@@ -82,6 +83,62 @@ func TestAccComputeTargetPool_update(t *testing.T) {
 	})
 }
 
+<% unless version == 'ga' -%>
+func TestAccComputeTargetPool_withSecurityPolicy(t *testing.T) {
+	tpname := fmt.Sprintf("tf-tp-test-%s", acctest.RandString(t, 10))
+	ddosPolicy := fmt.Sprintf("tf-tp-ddos-pol-test-%s", acctest.RandString(t, 10))
+	edgeSecService := fmt.Sprintf("tf-tp-edge-sec-test-%s", acctest.RandString(t, 10))
+	pol1 := fmt.Sprintf("tf-tp-pol1-test-%s", acctest.RandString(t, 10))
+	pol2 := fmt.Sprintf("tf-tp-pol2-test-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeTargetPoolDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				// Create target pool with no security policy attached
+				Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, "\"\""),
+			},
+			{
+				ResourceName:      "google_compute_target_pool.foo",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// Add the first security policy to the pool
+				Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname,
+					`google_compute_region_security_policy.policytargetpool1.self_link`),
+			},
+			{
+				ResourceName:      "google_compute_target_pool.foo",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// Change to the second security policy in the pool
+				Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname,
+					`google_compute_region_security_policy.policytargetpool2.self_link`),
+			},
+			{
+				ResourceName:      "google_compute_target_pool.foo",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// Clean the security policy from the pool
+				Config: testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, "\"\""),
+			},
+			{
+				ResourceName:      "google_compute_target_pool.foo",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+<% end -%>
 func testAccCheckComputeTargetPoolDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		config := acctest.GoogleProviderConfig(t)
@@ -239,3 +296,50 @@ resource "google_compute_instance" "bar" {
 }
 `, tpname, instances, name1, name2)
 }
+
+<% unless version == 'ga' -%>
+func testAccComputeTargetPool_withSecurityPolicy(ddosPolicy, edgeSecService, pol1, pol2, tpname, polToSet string) string {
+	return fmt.Sprintf(`
+resource "google_compute_region_security_policy" "policyddosprotection" {
+  region      = "us-south1"
+  name        = "%s"
+  description = "region security policy for load balancers target pool"
+  type        = "CLOUD_ARMOR_NETWORK"
+  ddos_protection_config {
+    ddos_protection = "ADVANCED_PREVIEW"
+  }
+}
+
+resource "google_compute_network_edge_security_service" "edge_sec_service" {
+  name            = "%s"
+  region          = "us-south1"
+  description     = "edge security service with security policy"
+  security_policy = google_compute_region_security_policy.policyddosprotection.self_link
+}
+
+resource "google_compute_region_security_policy" "policytargetpool1" {
+  region      = "us-south1"
+  name        = "%s"
+  description = "region security policy one"
+  type        = "CLOUD_ARMOR_NETWORK"
+  depends_on  = [google_compute_network_edge_security_service.edge_sec_service]
+}
+
+resource "google_compute_region_security_policy" "policytargetpool2" {
+  region      = "us-south1"
+  name        = "%s"
+  description = "region security policy two"
+  type        = "CLOUD_ARMOR_NETWORK"
+  depends_on  = [google_compute_network_edge_security_service.edge_sec_service]
+}
+
+resource "google_compute_target_pool" "foo" {
+  region          = "us-south1"
+  description     = "Setting SecurityPolicy to targetPool"
+  name            = "%s"
+  security_policy = %s
+}
+`, ddosPolicy, edgeSecService, pol1, pol2, tpname, polToSet)
+}
+
+<% end -%>
diff --git a/mmv1/third_party/terraform/tpgresource/field_helpers.go b/mmv1/third_party/terraform/tpgresource/field_helpers.go
@@ -86,6 +86,10 @@ func ParseSecurityPolicyFieldValue(securityPolicy string, d TerraformResourceDat
 	return ParseGlobalFieldValue("securityPolicies", securityPolicy, "project", d, config, true)
 }
 
+func ParseSecurityPolicyRegionalFieldValue(securityPolicy string, d TerraformResourceData, config *transport_tpg.Config) (*RegionalFieldValue, error) {
+	return ParseRegionalFieldValue("securityPolicies", securityPolicy, "project", "region", "zone", d, config, true)
+}
+
 func ParseNetworkEndpointGroupFieldValue(networkEndpointGroup string, d TerraformResourceData, config *transport_tpg.Config) (*ZonalFieldValue, error) {
 	return ParseZonalFieldValue("networkEndpointGroups", networkEndpointGroup, "project", "zone", d, config, false)
 }

diff --git a/mmv1/third_party/terraform/website/docs/r/compute_target_pool.html.markdown b/mmv1/third_party/terraform/website/docs/r/compute_target_pool.html.markdown
@@ -73,6 +73,8 @@ The following arguments are supported:
     affinity). "CLIENT\_IP" (hash of the source/dest addresses / ports), and
     "CLIENT\_IP\_PROTO" also includes the protocol (default "NONE").
 
+* `security_policy` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) The resource URL for the security policy associated with this target pool.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are