hashicorp · modular-magician · Apr 19, 2023 · Apr 19, 2023
diff --git a/.changelog/7650.txt b/.changelog/7650.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: made `network_firewall_policy_enforcement_order` field mutable in `google_compute_network`.
+```
diff --git a/google/resource_compute_network.go b/google/resource_compute_network.go
@@ -106,9 +106,8 @@ with varying MTUs.`,
 			"network_firewall_policy_enforcement_order": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				ForceNew:     true,
 				ValidateFunc: validateEnum([]string{"BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL", ""}),
-				Description:  `Set the order that Firewall Rules and Firewall Policies are evaluated. Needs to be either 'AFTER_CLASSIC_FIREWALL' or 'BEFORE_CLASSIC_FIREWALL' Default 'AFTER_CLASSIC_FIREWALL' Default value: "AFTER_CLASSIC_FIREWALL" Possible values: ["BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"]`,
+				Description:  `Set the order that Firewall Rules and Firewall Policies are evaluated. Default value: "AFTER_CLASSIC_FIREWALL" Possible values: ["BEFORE_CLASSIC_FIREWALL", "AFTER_CLASSIC_FIREWALL"]`,
 				Default:      "AFTER_CLASSIC_FIREWALL",
 			},
 			"routing_mode": {
@@ -389,7 +388,7 @@ func resourceComputeNetworkUpdate(d *schema.ResourceData, meta interface{}) erro
 
 	d.Partial(true)
 
-	if d.HasChange("routing_mode") {
+	if d.HasChange("routing_mode") || d.HasChange("network_firewall_policy_enforcement_order") {
 		obj := make(map[string]interface{})
 
 		routingConfigProp, err := expandComputeNetworkRoutingConfig(nil, d, config)
@@ -398,6 +397,12 @@ func resourceComputeNetworkUpdate(d *schema.ResourceData, meta interface{}) erro
 		} else if !isEmptyValue(reflect.ValueOf(routingConfigProp)) {
 			obj["routingConfig"] = routingConfigProp
 		}
+		networkFirewallPolicyEnforcementOrderProp, err := expandComputeNetworkNetworkFirewallPolicyEnforcementOrder(d.Get("network_firewall_policy_enforcement_order"), d, config)
+		if err != nil {
+			return err
+		} else if v, ok := d.GetOkExists("network_firewall_policy_enforcement_order"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, networkFirewallPolicyEnforcementOrderProp)) {
+			obj["networkFirewallPolicyEnforcementOrder"] = networkFirewallPolicyEnforcementOrderProp
+		}
 
 		url, err := ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/global/networks/{{name}}")
 		if err != nil {

diff --git a/google/resource_compute_network_generated_test.go b/google/resource_compute_network_generated_test.go
@@ -119,9 +119,9 @@ func TestAccComputeNetwork_networkCustomFirewallEnforcementOrderExample(t *testi
 func testAccComputeNetwork_networkCustomFirewallEnforcementOrderExample(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_network" "vpc_network" {
-  project                 = "%{project}"
-  name                    = "tf-test-vpc-network%{random_suffix}"
-  auto_create_subnetworks = true
+  project                                   = "%{project}"
+  name                                      = "tf-test-vpc-network%{random_suffix}"
+  auto_create_subnetworks                   = true
   network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
 }
 `, context)

diff --git a/google/resource_compute_network_test.go b/google/resource_compute_network_test.go
@@ -148,6 +148,57 @@ func TestAccComputeNetwork_networkDeleteDefaultRoute(t *testing.T) {
 	})
 }
 
+func TestAccComputeNetwork_networkFirewallPolicyEnforcementOrderAndUpdate(t *testing.T) {
+	t.Parallel()
+
+	var network compute.Network
+	var updatedNetwork compute.Network
+	networkName := RandString(t, 10)
+
+	defaultNetworkFirewallPolicyEnforcementOrder := "AFTER_CLASSIC_FIREWALL"
+	explicitNetworkFirewallPolicyEnforcementOrder := "BEFORE_CLASSIC_FIREWALL"
+
+	VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeNetworkDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetwork_networkFirewallPolicyEnforcementOrderDefault(networkName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeNetworkExists(
+						t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &network),
+					testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(
+						t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &network, defaultNetworkFirewallPolicyEnforcementOrder),
+				),
+			},
+			{
+				ResourceName:            "google_compute_network.acc_network_firewall_policy_enforcement_order",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"force_destroy"},
+			},
+			// Test updating the enforcement order works and updates in-place
+			{
+				Config: testAccComputeNetwork_networkFirewallPolicyEnforcementOrderUpdate(networkName, explicitNetworkFirewallPolicyEnforcementOrder),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeNetworkExists(
+						t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &updatedNetwork),
+					testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(
+						t, "google_compute_network.acc_network_firewall_policy_enforcement_order", &updatedNetwork, explicitNetworkFirewallPolicyEnforcementOrder),
+					testAccCheckComputeNetworkWasUpdated(&updatedNetwork, &network),
+				),
+			},
+			{
+				ResourceName:            "google_compute_network.acc_network_firewall_policy_enforcement_order",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"force_destroy"},
+			},
+		},
+	})
+}
+
 func testAccCheckComputeNetworkExists(t *testing.T, n string, network *compute.Network) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -276,6 +327,44 @@ func testAccCheckComputeNetworkHasRoutingMode(t *testing.T, n string, network *c
 	}
 }
 
+func testAccCheckComputeNetworkHasNetworkFirewallPolicyEnforcementOrder(t *testing.T, n string, network *compute.Network, order string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		config := GoogleProviderConfig(t)
+
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.Attributes["network_firewall_policy_enforcement_order"] == "" {
+			return fmt.Errorf("Network firewall policy enforcement order not found on resource")
+		}
+
+		found, err := config.NewComputeClient(config.UserAgent).Networks.Get(
+			config.Project, network.Name).Do()
+		if err != nil {
+			return err
+		}
+
+		foundNetworkFirewallPolicyEnforcementOrder := found.NetworkFirewallPolicyEnforcementOrder
+
+		if order != foundNetworkFirewallPolicyEnforcementOrder {
+			return fmt.Errorf("Expected network firewall policy enforcement order %s to match %s", order, foundNetworkFirewallPolicyEnforcementOrder)
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckComputeNetworkWasUpdated(newNetwork *compute.Network, oldNetwork *compute.Network) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if oldNetwork.CreationTimestamp != newNetwork.CreationTimestamp {
+			return fmt.Errorf("expected compute network to have been updated (had same creation time), instead was recreated - old creation time %s, new creation time %s", oldNetwork.CreationTimestamp, newNetwork.CreationTimestamp)
+		}
+		return nil
+	}
+}
+
 func testAccComputeNetwork_basic(suffix string) string {
 	return fmt.Sprintf(`
 resource "google_compute_network" "bar" {
@@ -312,3 +401,20 @@ resource "google_compute_network" "bar" {
 }
 `, suffix)
 }
+
+func testAccComputeNetwork_networkFirewallPolicyEnforcementOrderDefault(network string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "acc_network_firewall_policy_enforcement_order" {
+  name = "tf-test-network-firewall-policy-enforcement-order-%s"
+}
+`, network)
+}
+
+func testAccComputeNetwork_networkFirewallPolicyEnforcementOrderUpdate(network, order string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "acc_network_firewall_policy_enforcement_order" {
+  name                                      = "tf-test-network-firewall-policy-enforcement-order-%s"
+  network_firewall_policy_enforcement_order = "%s"
+}
+`, network, order)
+}
diff --git a/website/docs/r/compute_network.html.markdown b/website/docs/r/compute_network.html.markdown
@@ -57,9 +57,9 @@ resource "google_compute_network" "vpc_network" {
 
 ```hcl
 resource "google_compute_network" "vpc_network" {
-  project                 = "my-project-name"
-  name                    = "vpc-network"
-  auto_create_subnetworks = true
+  project                                   = "my-project-name"
+  name                                      = "vpc-network"
+  auto_create_subnetworks                   = true
   network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
 }
 ```
@@ -128,7 +128,7 @@ The following arguments are supported:
 
 * `network_firewall_policy_enforcement_order` -
   (Optional)
-  Set the order that Firewall Rules and Firewall Policies are evaluated. Needs to be either 'AFTER_CLASSIC_FIREWALL' or 'BEFORE_CLASSIC_FIREWALL' Default 'AFTER_CLASSIC_FIREWALL'
+  Set the order that Firewall Rules and Firewall Policies are evaluated.
   Default value is `AFTER_CLASSIC_FIREWALL`.
   Possible values are: `BEFORE_CLASSIC_FIREWALL`, `AFTER_CLASSIC_FIREWALL`.