
Set networkFirewallPolicyEnforcementOrder as mutable and default valu…
…e from API (#7650) (#14364)

Signed-off-by: Modular Magician <[email protected]>
modular-magician authored Apr 19, 2023
1 parent bc3f5db commit 410d23f
Showing 5 changed files with 124 additions and 10 deletions.
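--- a/.changelog/7650.txt
+++ b/.changelog/7650.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: made `network_firewall_policy_enforcement_order` field mutable in `google_compute_network`.
+```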
11 changes: 8 additions & 3 deletions google/resource_compute_network.go
Expand Up @@ -106,9 +106,8 @@ with varying MTUs.`,
"network_firewall_policy_enforcement_order": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ValidateFunc: validateEnum([]string{"BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL", ""}),
Description: `Set the order that Firewall Rules and Firewall Policies are evaluated. Needs to be either 'AFTER_CLASSIC_FIREWALL' or 'BEFORE_CLASSIC_FIREWALL' Default 'AFTER_CLASSIC_FIREWALL' Default value: "AFTER_CLASSIC_FIREWALL" Possible values: ["BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"]`,
Description: `Set the order that Firewall Rules and Firewall Policies are evaluated. Default value: "AFTER_CLASSIC_FIREWALL" Possible values: ["BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"]`,
Default: "AFTER_CLASSIC_FIREWALL",
},
"routing_mode": {
Expand Down Expand Up @@ -389,7 +388,7 @@ func resourceComputeNetworkUpdate(d *schema.ResourceData, meta interface{}) erro

d.Partial(true)

if d.HasChange("routing_mode") {
if d.HasChange("routing_mode") || d.HasChange("network_firewall_policy_enforcement_order") {
obj := make(map[string]interface{})

routingConfigProp, err := expandComputeNetworkRoutingConfig(nil, d, config)
Expand All @@ -398,6 +397,12 @@ func resourceComputeNetworkUpdate(d *schema.ResourceData, meta interface{}) erro
} else if !isEmptyValue(reflect.ValueOf(routingConfigProp)) {
obj["routingConfig"] = routingConfigProp
}
networkFirewallPolicyEnforcementOrderProp, err := expandComputeNetworkNetworkFirewallPolicyEnforcementOrder(d.Get("network_firewall_policy_enforcement_order"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("network_firewall_policy_enforcement_order"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, networkFirewallPolicyEnforcementOrderProp)) {
obj["networkFirewallPolicyEnforcementOrder"] = networkFirewallPolicyEnforcementOrderProp
}

url, err := ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/global/networks/{{name}}")
if err != nil {
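Review bot: The `!isEmptyValue(...)` guard on the new `networkFirewallPolicyEnforcementOrderProp` branch silently drops an empty value from the PATCH body, yet the field's `ValidateFunc` in the first hunk still admits `""` next to the two real enum values. Now that the attribute is mutable with `Default: "AFTER_CLASSIC_FIREWALL"`, an explicit `""` would validate but never reach the API, so the server keeps the previous order and the following Read would presumably show a persistent diff; if `""` is not meaningful, tighten it to `ValidateFunc: validateEnum([]string{"BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"}),`, otherwise add a comment saying why it is accepted. Since this field decides whether firewall policies or classic firewall rules are evaluated first, an in-place change alters the effective precedence of every existing rule on the network, which deserves a why-comment at the widened `if d.HasChange(...)` condition, e.g. `// Enforcement order is updatable in place; changing it re-orders evaluation of the network's existing firewall rules and policies.` `d.GetOkExists` is deprecated in terraform-plugin-sdk v2 and, for a defaulted string, `d.Get` would do; if this file is generated from magic-modules, as the Modular Magician sign-off suggests, these changes belong in the upstream template. `resourceComputeNetworkUpdate` starts and ends outside the hunk.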
6 changes: 3 additions & 3 deletions google/resource_compute_network_generated_test.go
Expand Up @@ -119,9 +119,9 @@ func TestAccComputeNetwork_networkCustomFirewallEnforcementOrderExample(t *testi
func testAccComputeNetwork_networkCustomFirewallEnforcementOrderExample(context map[string]interface{}) string {
return Nprintf(`
resource "google_compute_network" "vpc_network" {
project = "%{project}"
name = "tf-test-vpc-network%{random_suffix}"
auto_create_subnetworks = true
project = "%{project}"
name = "tf-test-vpc-network%{random_suffix}"
auto_create_subnetworks = true
network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
}
`, context)
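--- a/google/resource_compute_network_test.go
+++ b/google/resource_compute_network_test.go
@@ -148,6 +148,57 @@ func TestAccComputeNetwork_networkDeleteDefaultRoute(t *testing.T) {
 })
 }
 
+func TestAccComputeNetwork_networkFirewallPolicyEnforcementOrderAndUpdate(t *testing.T) {
+t.Parallel()
+
+var network compute.Network
+var updatedNetwork compute.Network
+networkName := RandString(t, 10)
+
+defaultNetworkFirewallPolicyEnforcementOrder := "AFTER_CLASSIC_FIREWALL"
+explicitNetworkFirewallPolicyEnforcementOrder := "BEFORE_CLASSIC_FIREWALL"
+
+VcrTest(t, resource.TestCase{
+PreCheck: func() { AccTestPreCheck(t) },
+ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
+CheckDestroy: testAccCheckComputeNetworkDestroyProducer(t),
+Steps: []resource.TestStep{
+{
+Config: testAccComputeNetwork_networkFirewallPolicyEnforcementOrderDefault(networkName),
+Check: resource.ComposeTestCheckFunc(
+testAccCheckComputeNetworkExists(
+t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &network),
+testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(
+t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &network, defaultNetworkFirewallPolicyEnforcementOrder),
+),
+},
+{
+ResourceName: "google_compute_network.acc_network_firewall_policy_enforcement_order",
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"force_destroy"},
+},
+// Test updating the enforcement order works and updates in-place
+{
+Config: testAccComputeNetwork_networkFirewallPolicyEnforcementOrderUpdate(networkName, explicitNetworkFirewallPolicyEnforcementOrder),
+Check: resource.ComposeTestCheckFunc(
+testAccCheckComputeNetworkExists(
+t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &updatedNetwork),
+testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(
+t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &updatedNetwork, explicitNetworkFirewallPolicyEnforcementOrder),
+testAccCheckComputeNetworkWasUpdated(&updatedNetwork, &network),
+),
+},
+{
+ResourceName: "google_compute_network.acc_network_firewall_policy_enforcement_order",
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"force_destroy"},
+},
+},
+})
+}
+
 func testAccCheckComputeNetworkExists(t *testing.T, n string, network *compute.Network) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 rs, ok := s.RootModule().Resources[n]
@@ -276,6 +327,44 @@ func testAccCheckComputeNetworkHasRoutingMode(t *testing.T, n string, network *c
 }
 }
 
+func testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(t *testing.T, n string, network *compute.Network, order string) resource.TestCheckFunc {
+return func(s *terraform.State) error {
+config := GoogleProviderConfig(t)
+
+rs, ok := s.RootModule().Resources[n]
+if !ok {
+return fmt.Errorf("Not found: %s", n)
+}
+
+if rs.Primary.Attributes["network_firewall_policy_enforcement_order"] == "" {
+return fmt.Errorf("Network firewall policy enforcement order not found on resource")
+}
+
+found, err := config.NewComputeClient(config.UserAgent).Networks.Get(
+config.Project, network.Name).Do()
+if err != nil {
+return err
+}
+
+foundNetworkFirewallPolicyEnforcementOrder := found.NetworkFirewallPolicyEnforcementOrder
+
+if order != foundNetworkFirewallPolicyEnforcementOrder {
+return fmt.Errorf("Expected network firewall policy enforcement order %s to match %s", order, foundNetworkFirewallPolicyEnforcementOrder)
+}
+
+return nil
+}
+}
+
+func testAccCheckComputeNetworkWasUpdated(newNetwork *compute.Network, oldNetwork *compute.Network) resource.TestCheckFunc {
+return func(s *terraform.State) error {
+if oldNetwork.CreationTimestamp != newNetwork.CreationTimestamp {
+return fmt.Errorf("expected compute network to have been updated (had same creation time), instead was recreated - old creation time %s, new creation time %s", oldNetwork.CreationTimestamp, newNetwork.CreationTimestamp)
+}
+return nil
+}
+}
+
 func testAccComputeNetwork_basic(suffix string) string {
 return fmt.Sprintf(`
 resource "google_compute_network" "bar" {
@@ -312,3 +401,20 @@ resource "google_compute_network" "bar" {
 }
 `, suffix)
 }
+
+func testAccComputeNetwork_networkFirewallPolicyEnforcementOrderDefault(network string) string {
+return fmt.Sprintf(`
+resource "google_compute_network" "acc_network_firewall_policy_enforcement_order" {
+name = "tf-test-network-firewall-policy-enforcement-order-%s"
+}
+`, network)
+}
+
+func testAccComputeNetwork_networkFirewallPolicyEnforcementOrderUpdate(network, order string) string {
+return fmt.Sprintf(`
+resource "google_compute_network" "acc_network_firewall_policy_enforcement_order" {
+name = "tf-test-network-firewall-policy-enforcement-order-%s"
+network_firewall_policy_enforcement_order = "%s"
+}
+`, network, order)
+}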
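Review bot: `testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder` only checks that the state attribute is non-empty and then compares the expected `order` against the API value, so a Read that fails to flatten the field into state, or flattens a stale value, would still pass as long as the server is right. Comparing state to `order` as well closes that gap: `if got := rs.Primary.Attributes["network_firewall_policy_enforcement_order"]; got != order { return fmt.Errorf("expected state attribute %q, got %q", order, got) }`. The `Networks.Get` call resolves the project from `config.Project` rather than the resource's own `project` attribute, which works for these configs but would look in the wrong project if one is ever added; reading `rs.Primary.Attributes["project"]` when set keeps the check tied to the resource. The message in `testAccCheckComputeNetworkWasUpdated` says "(had same creation time)" although the condition fires when the timestamps differ; `expected compute network to have been updated in place (same creation time), instead it was recreated` reads unambiguously. Both `ImportStateVerifyIgnore: []string{"force_destroy"}` entries name an attribute I do not see on this resource; if it is not in the schema the ignore is dead and can be dropped.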
8 changes: 4 additions & 4 deletions website/docs/r/compute_network.html.markdown
Expand Up @@ -57,9 +57,9 @@ resource "google_compute_network" "vpc_network" {

```hcl
resource "google_compute_network" "vpc_network" {
project = "my-project-name"
name = "vpc-network"
auto_create_subnetworks = true
project = "my-project-name"
name = "vpc-network"
auto_create_subnetworks = true
network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
}
```
Expand Down Expand Up @@ -128,7 +128,7 @@ The following arguments are supported:

* `network_firewall_policy_enforcement_order` -
(Optional)
Set the order that Firewall Rules and Firewall Policies are evaluated. Needs to be either 'AFTER_CLASSIC_FIREWALL' or 'BEFORE_CLASSIC_FIREWALL' Default 'AFTER_CLASSIC_FIREWALL'
Set the order that Firewall Rules and Firewall Policies are evaluated.
Default value is `AFTER_CLASSIC_FIREWALL`.
Possible values are: `BEFORE_CLASSIC_FIREWALL`, `AFTER_CLASSIC_FIREWALL`.

