Org Security Policies (Hierarchical Firewalls) (#3626) (#2333)

Co-authored-by: Dana Hoffman <[email protected]> Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Dana Hoffman <[email protected]>
hashicorp · Aug 4, 2020 · 13bb0dd · 13bb0dd
1 parent bf7911e
commit 13bb0dd
Show file tree

Hide file tree

Showing 151 changed files with 2,719 additions and 81 deletions.
diff --git a/.changelog/3626.txt b/.changelog/3626.txt
@@ -0,0 +1,9 @@
+```release-note:new-resource
+`google_compute_compute_organization_security_policy` (beta-only)
+```
+```release-note:new-resource
+`google_compute_compute_organization_security_policy_association` (beta-only)
+```
+```release-note:new-resource
+`google_compute_compute_organization_security_policy_rule` (beta-only)
+```
diff --git a/google-beta/compute_operation.go b/google-beta/compute_operation.go
@@ -2,16 +2,18 @@ package google
 
 import (
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"time"
 
-	"google.golang.org/api/compute/v1"
+	computeBeta "google.golang.org/api/compute/v0.beta"
 )
 
 type ComputeOperationWaiter struct {
-	Service *compute.Service
-	Op      *compute.Operation
+	Service *computeBeta.Service
+	Op      *computeBeta.Operation
 	Project string
+	Parent  string
 }
 
 func (w *ComputeOperationWaiter) State() string {
@@ -42,7 +44,7 @@ func (w *ComputeOperationWaiter) IsRetryable(err error) bool {
 
 func (w *ComputeOperationWaiter) SetOp(op interface{}) error {
 	var ok bool
-	w.Op, ok = op.(*compute.Operation)
+	w.Op, ok = op.(*computeBeta.Operation)
 	if !ok {
 		return fmt.Errorf("Unable to set operation. Bad type!")
 	}
@@ -59,6 +61,8 @@ func (w *ComputeOperationWaiter) QueryOp() (interface{}, error) {
 	} else if w.Op.Region != "" {
 		region := GetResourceNameFromSelfLink(w.Op.Region)
 		return w.Service.RegionOperations.Get(w.Project, region, w.Op.Name).Do()
+	} else if w.Parent != "" {
+		return w.Service.GlobalOrganizationOperations.Get(w.Op.Name).ParentId(w.Parent).Do()
 	}
 	return w.Service.GlobalOperations.Get(w.Project, w.Op.Name).Do()
 }
@@ -80,14 +84,14 @@ func (w *ComputeOperationWaiter) TargetStates() []string {
 }
 
 func computeOperationWaitTime(config *Config, res interface{}, project, activity string, timeout time.Duration) error {
-	op := &compute.Operation{}
+	op := &computeBeta.Operation{}
 	err := Convert(res, op)
 	if err != nil {
 		return err
 	}
 
 	w := &ComputeOperationWaiter{
-		Service: config.clientCompute,
+		Service: config.clientComputeBeta,
 		Op:      op,
 		Project: project,
 	}
@@ -98,9 +102,35 @@ func computeOperationWaitTime(config *Config, res interface{}, project, activity
 	return OperationWait(w, activity, timeout, config.PollInterval)
 }
 
+func computeOrgOperationWaitTimeWithResponse(config *Config, res interface{}, response *map[string]interface{}, parent, activity string, timeout time.Duration) error {
+	op := &computeBeta.Operation{}
+	err := Convert(res, op)
+	if err != nil {
+		return err
+	}
+
+	w := &ComputeOperationWaiter{
+		Service: config.clientComputeBeta,
+		Op:      op,
+		Parent:  parent,
+	}
+
+	if err := w.SetOp(op); err != nil {
+		return err
+	}
+	if err := OperationWait(w, activity, timeout, config.PollInterval); err != nil {
+		return err
+	}
+	e, err := json.Marshal(w.Op)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(e, response)
+}
+
 // ComputeOperationError wraps compute.OperationError and implements the
 // error interface so it can be returned.
-type ComputeOperationError compute.OperationError
+type ComputeOperationError computeBeta.OperationError
 
 func (e ComputeOperationError) Error() string {
 	var buf bytes.Buffer

diff --git a/google-beta/deployment_manager_operation.go b/google-beta/deployment_manager_operation.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"google.golang.org/api/compute/v1"
+	computeBeta "google.golang.org/api/compute/v0.beta"
 )
 
 type DeploymentManagerOperationWaiter struct {
@@ -27,15 +27,15 @@ func (w *DeploymentManagerOperationWaiter) QueryOp() (interface{}, error) {
 	if err != nil {
 		return nil, err
 	}
-	op := &compute.Operation{}
+	op := &computeBeta.Operation{}
 	if err := Convert(resp, op); err != nil {
 		return nil, fmt.Errorf("could not convert response to operation: %v", err)
 	}
 	return op, nil
 }
 
 func deploymentManagerOperationWaitTime(config *Config, resp interface{}, project, activity string, timeout time.Duration) error {
-	op := &compute.Operation{}
+	op := &computeBeta.Operation{}
 	err := Convert(resp, op)
 	if err != nil {
 		return err
@@ -71,7 +71,7 @@ func (w *DeploymentManagerOperationWaiter) Error() error {
 type DeploymentManagerOperationError struct {
 	HTTPStatusCode int64
 	HTTPMessage    string
-	compute.OperationError
+	computeBeta.OperationError
 }
 
 func (e DeploymentManagerOperationError) Error() string {

diff --git a/google-beta/provider.go b/google-beta/provider.go
@@ -700,9 +700,9 @@ func Provider() terraform.ResourceProvider {
 	return provider
 }
 
-// Generated resources: 176
+// Generated resources: 179
 // Generated IAM resources: 66
-// Total generated resources: 242
+// Total generated resources: 245
 func ResourceMap() map[string]*schema.Resource {
 	resourceMap, _ := ResourceMapWithErrors()
 	return resourceMap
@@ -789,6 +789,9 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_compute_node_group":                                    resourceComputeNodeGroup(),
 			"google_compute_network_peering_routes_config":                 resourceComputeNetworkPeeringRoutesConfig(),
 			"google_compute_node_template":                                 resourceComputeNodeTemplate(),
+			"google_compute_organization_security_policy":                  resourceComputeOrganizationSecurityPolicy(),
+			"google_compute_organization_security_policy_association":      resourceComputeOrganizationSecurityPolicyAssociation(),
+			"google_compute_organization_security_policy_rule":             resourceComputeOrganizationSecurityPolicyRule(),
 			"google_compute_packet_mirroring":                              resourceComputePacketMirroring(),
 			"google_compute_per_instance_config":                           resourceComputePerInstanceConfig(),
 			"google_compute_region_per_instance_config":                    resourceComputeRegionPerInstanceConfig(),

diff --git a/google-beta/resource_access_context_manager_access_level.go b/google-beta/resource_access_context_manager_access_level.go
@@ -469,6 +469,8 @@ func resourceAccessContextManagerAccessLevelUpdate(d *schema.ResourceData, meta
 
 	if err != nil {
 		return fmt.Errorf("Error updating AccessLevel %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating AccessLevel %q: %#v", d.Id(), res)
 	}
 
 	err = accessContextManagerOperationWaitTime(

diff --git a/google-beta/resource_access_context_manager_access_policy.go b/google-beta/resource_access_context_manager_access_policy.go
@@ -210,6 +210,8 @@ func resourceAccessContextManagerAccessPolicyUpdate(d *schema.ResourceData, meta
 
 	if err != nil {
 		return fmt.Errorf("Error updating AccessPolicy %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating AccessPolicy %q: %#v", d.Id(), res)
 	}
 
 	err = accessContextManagerOperationWaitTime(

diff --git a/google-beta/resource_access_context_manager_service_perimeter.go b/google-beta/resource_access_context_manager_service_perimeter.go
@@ -521,6 +521,8 @@ func resourceAccessContextManagerServicePerimeterUpdate(d *schema.ResourceData,
 
 	if err != nil {
 		return fmt.Errorf("Error updating ServicePerimeter %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating ServicePerimeter %q: %#v", d.Id(), res)
 	}
 
 	err = accessContextManagerOperationWaitTime(

diff --git a/google-beta/resource_active_directory_domain.go b/google-beta/resource_active_directory_domain.go
@@ -299,6 +299,8 @@ func resourceActiveDirectoryDomainUpdate(d *schema.ResourceData, meta interface{
 
 	if err != nil {
 		return fmt.Errorf("Error updating Domain %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Domain %q: %#v", d.Id(), res)
 	}
 
 	err = activeDirectoryOperationWaitTime(

diff --git a/google-beta/resource_app_engine_application_url_dispatch_rules.go b/google-beta/resource_app_engine_application_url_dispatch_rules.go
@@ -195,6 +195,8 @@ func resourceAppEngineApplicationUrlDispatchRulesUpdate(d *schema.ResourceData,
 
 	if err != nil {
 		return fmt.Errorf("Error updating ApplicationUrlDispatchRules %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating ApplicationUrlDispatchRules %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(

diff --git a/google-beta/resource_app_engine_domain_mapping.go b/google-beta/resource_app_engine_domain_mapping.go
@@ -306,6 +306,8 @@ func resourceAppEngineDomainMappingUpdate(d *schema.ResourceData, meta interface
 
 	if err != nil {
 		return fmt.Errorf("Error updating DomainMapping %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating DomainMapping %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(

diff --git a/google-beta/resource_app_engine_firewall_rule.go b/google-beta/resource_app_engine_firewall_rule.go
@@ -276,10 +276,12 @@ func resourceAppEngineFirewallRuleUpdate(d *schema.ResourceData, meta interface{
 	if err != nil {
 		return err
 	}
-	_, err = sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating FirewallRule %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating FirewallRule %q: %#v", d.Id(), res)
 	}
 
 	return resourceAppEngineFirewallRuleRead(d, meta)

diff --git a/google-beta/resource_app_engine_flexible_app_version.go b/google-beta/resource_app_engine_flexible_app_version.go
@@ -1323,6 +1323,8 @@ func resourceAppEngineFlexibleAppVersionUpdate(d *schema.ResourceData, meta inte
 
 	if err != nil {
 		return fmt.Errorf("Error updating FlexibleAppVersion %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating FlexibleAppVersion %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(

diff --git a/google-beta/resource_app_engine_service_split_traffic.go b/google-beta/resource_app_engine_service_split_traffic.go
@@ -228,6 +228,8 @@ func resourceAppEngineServiceSplitTrafficUpdate(d *schema.ResourceData, meta int
 
 	if err != nil {
 		return fmt.Errorf("Error updating ServiceSplitTraffic %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating ServiceSplitTraffic %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(

diff --git a/google-beta/resource_app_engine_standard_app_version.go b/google-beta/resource_app_engine_standard_app_version.go
@@ -739,6 +739,8 @@ func resourceAppEngineStandardAppVersionUpdate(d *schema.ResourceData, meta inte
 
 	if err != nil {
 		return fmt.Errorf("Error updating StandardAppVersion %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating StandardAppVersion %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(

diff --git a/google-beta/resource_artifact_registry_repository.go b/google-beta/resource_artifact_registry_repository.go
@@ -282,6 +282,8 @@ func resourceArtifactRegistryRepositoryUpdate(d *schema.ResourceData, meta inter
 
 	if err != nil {
 		return fmt.Errorf("Error updating Repository %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Repository %q: %#v", d.Id(), res)
 	}
 
 	err = artifactRegistryOperationWaitTime(

diff --git a/google-beta/resource_big_query_dataset.go b/google-beta/resource_big_query_dataset.go
@@ -538,10 +538,12 @@ func resourceBigQueryDatasetUpdate(d *schema.ResourceData, meta interface{}) err
 	}
 
 	log.Printf("[DEBUG] Updating Dataset %q: %#v", d.Id(), obj)
-	_, err = sendRequestWithTimeout(config, "PUT", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PUT", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating Dataset %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Dataset %q: %#v", d.Id(), res)
 	}
 
 	return resourceBigQueryDatasetRead(d, meta)

diff --git a/google-beta/resource_bigquery_connection_connection.go b/google-beta/resource_bigquery_connection_connection.go
@@ -283,10 +283,12 @@ func resourceBigqueryConnectionConnectionUpdate(d *schema.ResourceData, meta int
 	if err != nil {
 		return err
 	}
-	_, err = sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating Connection %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Connection %q: %#v", d.Id(), res)
 	}
 
 	return resourceBigqueryConnectionConnectionRead(d, meta)

diff --git a/google-beta/resource_bigquery_data_transfer_config.go b/google-beta/resource_bigquery_data_transfer_config.go
@@ -342,10 +342,12 @@ func resourceBigqueryDataTransferConfigUpdate(d *schema.ResourceData, meta inter
 	if err != nil {
 		return err
 	}
-	_, err = sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate), iamMemberMissing)
+	res, err := sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate), iamMemberMissing)
 
 	if err != nil {
 		return fmt.Errorf("Error updating Config %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Config %q: %#v", d.Id(), res)
 	}
 
 	return resourceBigqueryDataTransferConfigRead(d, meta)

diff --git a/google-beta/resource_bigquery_reservation_reservation.go b/google-beta/resource_bigquery_reservation_reservation.go
@@ -199,10 +199,12 @@ func resourceBigqueryReservationReservationUpdate(d *schema.ResourceData, meta i
 	if err != nil {
 		return err
 	}
-	_, err = sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating Reservation %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Reservation %q: %#v", d.Id(), res)
 	}
 
 	return resourceBigqueryReservationReservationRead(d, meta)

diff --git a/google-beta/resource_bigtable_app_profile.go b/google-beta/resource_bigtable_app_profile.go
@@ -247,10 +247,12 @@ func resourceBigtableAppProfileUpdate(d *schema.ResourceData, meta interface{})
 	if err != nil {
 		return err
 	}
-	_, err = sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating AppProfile %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating AppProfile %q: %#v", d.Id(), res)
 	}
 
 	return resourceBigtableAppProfileRead(d, meta)

diff --git a/google-beta/resource_billing_budget.go b/google-beta/resource_billing_budget.go
@@ -313,10 +313,12 @@ func resourceBillingBudgetUpdate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	log.Printf("[DEBUG] Updating Budget %q: %#v", d.Id(), obj)
-	_, err = sendRequestWithTimeout(config, "PATCH", "", url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PATCH", "", url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating Budget %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Budget %q: %#v", d.Id(), res)
 	}
 
 	return resourceBillingBudgetRead(d, meta)

diff --git a/google-beta/resource_binary_authorization_attestor.go b/google-beta/resource_binary_authorization_attestor.go
@@ -292,10 +292,12 @@ func resourceBinaryAuthorizationAttestorUpdate(d *schema.ResourceData, meta inte
 	}
 
 	log.Printf("[DEBUG] Updating Attestor %q: %#v", d.Id(), obj)
-	_, err = sendRequestWithTimeout(config, "PUT", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PUT", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating Attestor %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Attestor %q: %#v", d.Id(), res)
 	}
 
 	return resourceBinaryAuthorizationAttestorRead(d, meta)

diff --git a/google-beta/resource_binary_authorization_policy.go b/google-beta/resource_binary_authorization_policy.go
@@ -367,10 +367,12 @@ func resourceBinaryAuthorizationPolicyUpdate(d *schema.ResourceData, meta interf
 	}
 
 	log.Printf("[DEBUG] Updating Policy %q: %#v", d.Id(), obj)
-	_, err = sendRequestWithTimeout(config, "PUT", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PUT", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating Policy %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Policy %q: %#v", d.Id(), res)
 	}
 
 	return resourceBinaryAuthorizationPolicyRead(d, meta)

diff --git a/google-beta/resource_cloud_asset_folder_feed.go b/google-beta/resource_cloud_asset_folder_feed.go
@@ -322,10 +322,12 @@ func resourceCloudAssetFolderFeedUpdate(d *schema.ResourceData, meta interface{}
 	if parts := regexp.MustCompile(`projects\/([^\/]+)\/`).FindStringSubmatch(url); parts != nil {
 		project = parts[1]
 	}
-	_, err = sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
+	res, err := sendRequestWithTimeout(config, "PATCH", project, url, obj, d.Timeout(schema.TimeoutUpdate))
 
 	if err != nil {
 		return fmt.Errorf("Error updating FolderFeed %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating FolderFeed %q: %#v", d.Id(), res)
 	}
 
 	return resourceCloudAssetFolderFeedRead(d, meta)