From 410d23f63e9452bc1dd1fa8bfc436d2d71277e7d Mon Sep 17 00:00:00 2001
From: The Magician
Date: Wed, 19 Apr 2023 16:16:44 -0700
Subject: [PATCH] Set networkFirewallPolicyEnforcementOrder as mutable and default value from API (#7650) (#14364)
Signed-off-by: Modular Magician
---
 .changelog/7650.txt | 3 +
 google/resource_compute_network.go | 11 +-
 ...resource_compute_network_generated_test.go | 6 +-
 google/resource_compute_network_test.go | 106 ++++++++++++++++++
 website/docs/r/compute_network.html.markdown | 8 +-
 5 files changed, 124 insertions(+), 10 deletions(-)
 create mode 100644 .changelog/7650.txt
diff --git a/.changelog/7650.txt b/.changelog/7650.txt
new file mode 100644
index 00000000000..50bb63f64e8
--- /dev/null
+++ b/.changelog/7650.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: made `network_firewall_policy_enforcement_order` field mutable in `google_compute_network`.
+```
diff --git a/google/resource_compute_network.go b/google/resource_compute_network.go
index bd5286cb5e3..b16c1d73baa 100644
--- a/google/resource_compute_network.go
+++ b/google/resource_compute_network.go
@@ -106,9 +106,8 @@ with varying MTUs.`,
 "network_firewall_policy_enforcement_order": {
 Type: schema.TypeString,
 Optional: true,
- ForceNew: true,
 ValidateFunc: validateEnum([]string{"BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL", ""}),
- Description: `Set the order that Firewall Rules and Firewall Policies are evaluated. Needs to be either 'AFTER_CLASSIC_FIREWALL' or 'BEFORE_CLASSIC_FIREWALL' Default 'AFTER_CLASSIC_FIREWALL' Default value: "AFTER_CLASSIC_FIREWALL" Possible values: ["BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"]`,
+ Description: `Set the order that Firewall Rules and Firewall Policies are evaluated. Default value: "AFTER_CLASSIC_FIREWALL" Possible values: ["BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"]`,
 Default: "AFTER_CLASSIC_FIREWALL",
 },
 "routing_mode": {
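Review bot: The schema hunk keeps `Default: "AFTER_CLASSIC_FIREWALL"` while the commit title says the default should come from the API, so defaulting behaviour does not change here; if API-side defaulting is intended, the `Default:` line should go and the field should get `Computed: true`, otherwise the title overstates the change. Keeping a provider-side default matters more now that `ForceNew` is gone: the update path in the `@@ -398` hunk of this file reads the field with `d.Get`, so a network whose order was switched to `BEFORE_CLASSIC_FIREWALL` outside Terraform is planned back to the provider default on the next apply when the config never set the field. A short comment on the `Default:` line such as `// Provider-side default, not the API's; sent on every in-place update` would make that visible. This file appears to be generated (Modular Magician), so the change presumably belongs in the upstream template rather than here.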
@@ -389,7 +388,7 @@ func resourceComputeNetworkUpdate(d *schema.ResourceData, meta interface{}) erro
 d.Partial(true)
- if d.HasChange("routing_mode") {
+ if d.HasChange("routing_mode") || d.HasChange("network_firewall_policy_enforcement_order") {
 obj := make(map[string]interface{})
 routingConfigProp, err := expandComputeNetworkRoutingConfig(nil, d, config)
@@ -398,6 +397,12 @@ func resourceComputeNetworkUpdate(d *schema.ResourceData, meta interface{}) erro
 } else if !isEmptyValue(reflect.ValueOf(routingConfigProp)) {
 obj["routingConfig"] = routingConfigProp
 }
+ networkFirewallPolicyEnforcementOrderProp, err := expandComputeNetworkNetworkFirewallPolicyEnforcementOrder(d.Get("network_firewall_policy_enforcement_order"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("network_firewall_policy_enforcement_order"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, networkFirewallPolicyEnforcementOrderProp)) {
+ obj["networkFirewallPolicyEnforcementOrder"] = networkFirewallPolicyEnforcementOrderProp
+ }
 url, err := ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/global/networks/{{name}}")
 if err != nil {
diff --git a/google/resource_compute_network_generated_test.go b/google/resource_compute_network_generated_test.go
index 379051a47f3..5a79d7cf07d 100644
--- a/google/resource_compute_network_generated_test.go
+++ b/google/resource_compute_network_generated_test.go
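Review bot: The guard on the new `else if` can never exclude the field: the schema gives it a `Default`, so `d.Get` and `d.GetOkExists` return a non-empty string, `isEmptyValue` is always false, and the enforcement order is included in the PATCH on every `routing_mode` change as well, even when it did not change. `d.GetOkExists` is also marked deprecated in SDK v2. If only a changed value should be sent, guard with `if d.HasChange("network_firewall_policy_enforcement_order") { obj["networkFirewallPolicyEnforcementOrder"] = networkFirewallPolicyEnforcementOrderProp }`; if re-sending the current value alongside routing changes is intended (presumably harmless, since it matches state), a one-line comment saying so would save the next reader the analysis. `resourceComputeNetworkUpdate` starts and ends outside the hunk.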
@@ -119,9 +119,9 @@ func TestAccComputeNetwork_networkCustomFirewallEnforcementOrderExample(t *testi
 func testAccComputeNetwork_networkCustomFirewallEnforcementOrderExample(context map[string]interface{}) string {
 return Nprintf(`
 resource "google_compute_network" "vpc_network" {
- project = "%{project}"
- name = "tf-test-vpc-network%{random_suffix}"
- auto_create_subnetworks = true
+ project = "%{project}"
+ name = "tf-test-vpc-network%{random_suffix}"
+ auto_create_subnetworks = true
 network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
 }
 `, context)
diff --git a/google/resource_compute_network_test.go b/google/resource_compute_network_test.go
index faa6753e556..40be3195bd7 100644
--- a/google/resource_compute_network_test.go
+++ b/google/resource_compute_network_test.go
@@ -148,6 +148,57 @@ func TestAccComputeNetwork_networkDeleteDefaultRoute(t *testing.T) {
 })
 }
+func TestAccComputeNetwork_networkFirewallPolicyEnforcementOrderAndUpdate(t *testing.T) {
+ t.Parallel()
+
+ var network compute.Network
+ var updatedNetwork compute.Network
+ networkName := RandString(t, 10)
+
+ defaultNetworkFirewallPolicyEnforcementOrder := "AFTER_CLASSIC_FIREWALL"
+ explicitNetworkFirewallPolicyEnforcementOrder := "BEFORE_CLASSIC_FIREWALL"
+
+ VcrTest(t, resource.TestCase{
+ PreCheck: func() { AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckComputeNetworkDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeNetwork_networkFirewallPolicyEnforcementOrderDefault(networkName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckComputeNetworkExists(
+ t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &network),
+ testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(
+ t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &network, defaultNetworkFirewallPolicyEnforcementOrder),
+ ),
+ },
+ {
+ ResourceName: "google_compute_network.acc_network_firewall_policy_enforcement_order",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"force_destroy"},
+ },
+ // Test updating the enforcement order works and updates in-place
+ {
+ Config: testAccComputeNetwork_networkFirewallPolicyEnforcementOrderUpdate(networkName, explicitNetworkFirewallPolicyEnforcementOrder),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckComputeNetworkExists(
+ t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &updatedNetwork),
+ testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(
+ t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &updatedNetwork, explicitNetworkFirewallPolicyEnforcementOrder),
+ testAccCheckComputeNetworkWasUpdated(&updatedNetwork, &network),
+ ),
+ },
+ {
+ ResourceName: "google_compute_network.acc_network_firewall_policy_enforcement_order",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"force_destroy"},
+ },
+ },
+ })
+}
+
 func testAccCheckComputeNetworkExists(t *testing.T, n string, network *compute.Network) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 rs, ok := s.RootModule().Resources[n]
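Review bot: Both import steps list `ImportStateVerifyIgnore: []string{"force_destroy"}`, but nothing in this patch or in the resource schema hunk shows a `force_destroy` attribute on `google_compute_network`; this looks copied from another resource's test, and if the attribute does not exist the ignore is a no-op and should be dropped so import verification covers the full state. The comment `// Test updating the enforcement order works and updates in-place` on the third step is helpful; a matching one on the first step, such as `// Field unset in config: the API must report the provider default AFTER_CLASSIC_FIREWALL`, would make the default-check step self-explanatory.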
@@ -276,6 +327,44 @@ func testAccCheckComputeNetworkHasRoutingMode(t *testing.T, n string, network *c
 }
 }
+func testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(t *testing.T, n string, network *compute.Network, order string) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ config := GoogleProviderConfig(t)
+
+ rs, ok := s.RootModule().Resources[n]
+ if !ok {
+ return fmt.Errorf("Not found: %s", n)
+ }
+
+ if rs.Primary.Attributes["network_firewall_policy_enforcement_order"] == "" {
+ return fmt.Errorf("Network firewall policy enforcement order not found on resource")
+ }
+
+ found, err := config.NewComputeClient(config.UserAgent).Networks.Get(
+ config.Project, network.Name).Do()
+ if err != nil {
+ return err
+ }
+
+ foundNetworkFirewallPolicyEnforcementOrder := found.NetworkFirewallPolicyEnforcementOrder
+
+ if order != foundNetworkFirewallPolicyEnforcementOrder {
+ return fmt.Errorf("Expected network firewall policy enforcement order %s to match %s", order, foundNetworkFirewallPolicyEnforcementOrder)
+ }
+
+ return nil
+ }
+}
+
+func testAccCheckComputeNetworkWasUpdated(newNetwork *compute.Network, oldNetwork *compute.Network) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ if oldNetwork.CreationTimestamp != newNetwork.CreationTimestamp {
+ return fmt.Errorf("expected compute network to have been updated (had same creation time), instead was recreated - old creation time %s, new creation time %s", oldNetwork.CreationTimestamp, newNetwork.CreationTimestamp)
+ }
+ return nil
+ }
+}
+
 func testAccComputeNetwork_basic(suffix string) string {
 return fmt.Sprintf(`
 resource "google_compute_network" "bar" {
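Review bot: `testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder` only checks that the state attribute is non-empty and then compares `order` against the API value, so a provider that writes the wrong order into state while the API is correct still passes. Tighten the state check to an equality: `if got := rs.Primary.Attributes["network_firewall_policy_enforcement_order"]; got != order { return fmt.Errorf("expected %q in state, got %q", order, got) }`. The API lookup uses `config.Project` rather than the resource's `project` attribute, which holds as long as the test configs never set a project (they do not in this patch) but is worth a one-line comment. In `testAccCheckComputeNetworkWasUpdated` the `newNetwork, oldNetwork` parameter order is easy to swap at call sites; a doc comment such as `// testAccCheckComputeNetworkWasUpdated fails if the network was recreated (creation timestamp changed) between the old and new captures.` would pin it down.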
@@ -312,3 +401,20 @@ resource "google_compute_network" "bar" {
 }
 `, suffix)
 }
+
+func testAccComputeNetwork_networkFirewallPolicyEnforcementOrderDefault(network string) string {
+ return fmt.Sprintf(`
+resource "google_compute_network" "acc_network_firewall_policy_enforcement_order" {
+ name = "tf-test-network-firewall-policy-enforcement-order-%s"
+}
+`, network)
+}
+
+func testAccComputeNetwork_networkFirewallPolicyEnforcementOrderUpdate(network, order string) string {
+ return fmt.Sprintf(`
+resource "google_compute_network" "acc_network_firewall_policy_enforcement_order" {
+ name = "tf-test-network-firewall-policy-enforcement-order-%s"
+ network_firewall_policy_enforcement_order = "%s"
+}
+`, network, order)
+}
diff --git a/website/docs/r/compute_network.html.markdown b/website/docs/r/compute_network.html.markdown
index 4351a6c939b..64c7d45f4a4 100644
--- a/website/docs/r/compute_network.html.markdown
+++ b/website/docs/r/compute_network.html.markdown
@@ -57,9 +57,9 @@ resource "google_compute_network" "vpc_network" {
 ```hcl
 resource "google_compute_network" "vpc_network" {
- project = "my-project-name"
- name = "vpc-network"
- auto_create_subnetworks = true
+ project = "my-project-name"
+ name = "vpc-network"
+ auto_create_subnetworks = true
 network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
 }
 ```
@@ -128,7 +128,7 @@ The following arguments are supported: * `network_firewall_policy_enforcement_order` - (Optional) - Set the order that Firewall Rules and Firewall Policies are evaluated. Needs to be either 'AFTER_CLASSIC_FIREWALL' or 'BEFORE_CLASSIC_FIREWALL' Default 'AFTER_CLASSIC_FIREWALL' + Set the order that Firewall Rules and Firewall Policies are evaluated. Default value is `AFTER_CLASSIC_FIREWALL`. Possible values are: `BEFORE_CLASSIC_FIREWALL`, `AFTER_CLASSIC_FIREWALL`.