[#15779] Add google_network_security_firewall_endpoint_association re…

…source (GoogleCloudPlatform#9815) * [#15779] Add google_network_security_firewall_endpoint_association resource * Fixing tests * Fixes * Add test for update --------- Co-authored-by: Luca Prete <[email protected]>
pengq-google · May 21, 2024 · 03204b0 · 03204b0
1 parent 6523c91
commit 03204b0
Show file tree

Hide file tree

Showing 3 changed files with 297 additions and 0 deletions.
diff --git a/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml b/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml
@@ -0,0 +1,122 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Resource
+name: 'FirewallEndpointAssociation'
+base_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations'
+create_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations?firewallEndpointId={{name}}'
+self_link: '{{parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}'
+min_version: beta
+update_verb: :PATCH
+update_mask: true
+description: |
+  Firewall endpoint association links a firewall endpoint to a VPC network in
+  the same zone. After you define this association, Cloud Firewall forwards the
+  zonal workload traffic in your VPC network that requires layer 7 inspection to
+  the attached firewall endpoint.
+references:
+  !ruby/object:Api::Resource::ReferenceLinks
+  api: 'https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/projects.locations.firewallEndpointAssociations#FirewallEndpointAssociation'
+  guides:
+    'Firewall endpoint overview': 'https://cloud.google.com/firewall/docs/about-firewall-endpoints'
+    'Create and associate firewall endpoints': 'https://cloud.google.com/firewall/docs/configure-firewall-endpoints'
+async: !ruby/object:Api::OpAsync
+  include_project: true
+  operation: !ruby/object:Api::OpAsync::Operation
+    base_url: '{{op_id}}'
+    result: !ruby/object:Api::OpAsync::Result
+      resource_inside_response: true
+import_format: [
+  '{{%parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}'
+]
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'network_security_firewall_endpoint_association_basic'
+    primary_resource_id: 'default'
+    # Handwritten test will take care of creates and updates.
+    # Firewall endpoint association creation is subjet to firewall endpoint creation which is long and expensive.
+    skip_test: true
+    min_version: beta
+    vars:
+      resource_name_prefix: 'my-firewall-endpoint'
+    test_env_vars:
+      org_id: :ORG_ID
+      project: :PROJECT_NAME
+parameters:
+  - !ruby/object:Api::Type::String
+    name: 'name'
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The name of the firewall endpoint association resource.
+  - !ruby/object:Api::Type::String
+    name: 'location'
+    required: true
+    immutable: true
+    description: |
+      The location (zone) of the firewall endpoint association.
+    url_param_only: true
+  - !ruby/object:Api::Type::String
+    name: 'parent'
+    description: |
+      The name of the parent this firewall endpoint association belongs to.
+      Format: projects/{project_id}.
+    immutable: true
+    url_param_only: true
+properties:
+  - !ruby/object:Api::Type::String
+    name: 'firewallEndpoint'
+    required: true
+    description: |
+      The URL of the firewall endpoint that is being associated.
+  - !ruby/object:Api::Type::String
+    name: 'network'
+    required: true
+    description: |
+      The URL of the network that is being associated.
+  - !ruby/object:Api::Type::String
+    name: 'tlsInspectionPolicy'
+    description: |
+      The URL of the TlsInspectionPolicy that is being associated.
+  - !ruby/object:Api::Type::KeyValueLabels
+    name: 'labels'
+    description: |
+      A map of key/value label pairs to assign to the resource.
+  - !ruby/object:Api::Type::String
+    name: 'selfLink'
+    description: |
+      Server-defined URL of this resource.
+    output: true
+  - !ruby/object:Api::Type::Time
+    name: 'createTime'
+    description: Time the firewall endpoint was created in UTC.
+    output: true
+  - !ruby/object:Api::Type::Time
+    name: 'updateTime'
+    description: Time the firewall endpoint was updated in UTC.
+    output: true
+  - !ruby/object:Api::Type::Boolean
+    name: 'reconciling'
+    description: |
+      Whether reconciling is in progress, recommended per https://google.aip.dev/128.
+    output: true
+  - !ruby/object:Api::Type::Enum
+    name: 'state'
+    description: The current state of the endpoint.
+    output: true
+    values:
+      - :ACTIVE
+      - :CREATING
+      - :DELETING
+      - :INACTIVE
diff --git a/.../templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb b/.../templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb
@@ -0,0 +1,21 @@
+resource "google_network_security_firewall_endpoint" "<%= ctx[:primary_resource_id] %>" {
+  provider    = google-beta
+  name        = "<%= ctx[:vars]['resource_name_prefix'] %>"
+  parent      = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
+  location    = "us-central1-a"
+
+  labels = {
+    foo = "bar"
+  }
+}
+
+resource "google_network_security_firewall_endpoint_association" "<%= ctx[:primary_resource_id] %>_association" {
+  provider    = google-beta
+  name        = "<%= ctx[:vars]['resource_name_prefix'] %>-association"
+  parent      = "projects/<%= ctx[:test_env_vars]['project'] %>"
+  location    = "us-central1-a"
+
+  labels = {
+    foo = "bar"
+  }
+}
diff --git a/...vices/networksecurity/resource_network_security_firewall_endpoint_association_test.go.erb b/...vices/networksecurity/resource_network_security_firewall_endpoint_association_test.go.erb
@@ -0,0 +1,154 @@
+<% autogen_exception -%>
+package networksecurity_test
+<% unless version == 'ga' -%>
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
+)
+
+func TestAccNetworkSecurityFirewallEndpointAssociations_basic(t *testing.T) {
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	orgId := envvar.GetTestOrgFromEnv(t)
+	randomSuffix := acctest.RandString(t, 10)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecurityFirewallEndpointDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecurityFirewallEndpointAssociation_basic(randomSuffix, orgId, ),
+			},
+			{
+				ResourceName:            "google_network_security_firewall_endpoint_association.foobar",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+			{
+				Config: testAccNetworkSecurityFirewallEndpointAssociation_update(randomSuffix, orgId, ),
+			},
+			{
+				ResourceName:            "google_network_security_firewall_endpoint_association.foobar",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccNetworkSecurityFirewallEndpointAssociation_basic(randomSuffix string, orgId string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+	provider                = google-beta
+    name                    = "tf-test-my-vpc%s"
+    auto_create_subnetworks = false
+}
+
+resource "google_network_security_firewall_endpoint" "foobar" {
+    provider = google-beta
+    name     = "tf-test-my-firewall-endpoint%s"
+    parent   = "organizations/%s"
+    location = "us-central1-a"
+}
+
+# TODO: add tlsInspectionPolicy once resource is ready
+resource "google_network_security_firewall_endpoint_association" "foobar" {
+    provider          = google-beta
+    name              = "tf-test-my-firewall-endpoint%s"
+    parent            = "organizations/%s"
+    location          = "us-central1-a"
+    firewall_endpoint = google_network_security_firewall_endpoint.foobar.id
+    network           = google_compute_network.foobar.id
+
+    labels = {
+        foo = "bar"
+    }
+}
+`, randomSuffix, randomSuffix, orgId, randomSuffix, orgId)
+}
+
+func testAccNetworkSecurityFirewallEndpointAssociation_update(randomSuffix string, orgId string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+	provider                = google-beta
+    name                    = "tf-test-my-vpc%s"
+    auto_create_subnetworks = false
+}
+
+resource "google_network_security_firewall_endpoint" "foobar" {
+    provider = google-beta
+    name     = "tf-test-my-firewall-endpoint%s"
+    parent   = "organizations/%s"
+    location = "us-central1-a"
+}
+
+# TODO: add tlsInspectionPolicy once resource is ready
+resource "google_network_security_firewall_endpoint_association" "foobar" {
+    provider          = google-beta
+    name              = "tf-test-my-firewall-endpoint%s"
+    parent            = "organizations/%s"
+    location          = "us-central1-a"
+    firewall_endpoint = google_network_security_firewall_endpoint.foobar.id
+    network           = google_compute_network.foobar.id
+
+    labels = {
+        foo = "bar-updated"
+    }
+}
+`, randomSuffix, randomSuffix, orgId, randomSuffix, orgId)
+}
+
+func testAccCheckNetworkSecurityFirewallEndpointAssociationDestroyProducer(t *testing.T) func(s *terraform.State) error {
+	return func(s *terraform.State) error {
+		for name, rs := range s.RootModule().Resources {
+			if rs.Type != "google_network_security_firewall_endpoint_association" {
+				continue
+			}
+			if strings.HasPrefix(name, "data.") {
+				continue
+			}
+
+			config := acctest.GoogleProviderConfig(t)
+
+			url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{NetworkSecurityBasePath}}{{parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}")
+			if err != nil {
+				return err
+			}
+
+			billingProject := ""
+
+			if config.BillingProject != "" {
+				billingProject = config.BillingProject
+			}
+
+			_, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+				Config:    config,
+				Method:    "GET",
+				Project:   billingProject,
+				RawURL:    url,
+				UserAgent: config.UserAgent,
+			})
+			if err == nil {
+				return fmt.Errorf("NetworkSecurityFirewallEndpointAssociation still exists at %s", url)
+			}
+		}
+
+		return nil
+	}
+}
+
+<% end -%>