Skip to content

Commit

Permalink
[#15779] Add google_network_security_firewall_endpoint_association re…
Browse files Browse the repository at this point in the history
…source (GoogleCloudPlatform#9815)

* [#15779] Add google_network_security_firewall_endpoint_association resource

* Fixing tests

* Fixes

* Add test for update

---------

Co-authored-by: Luca Prete <[email protected]>
  • Loading branch information
LucaPrete and Luca Prete authored Mar 11, 2024
1 parent ab21222 commit 124dd0e
Show file tree
Hide file tree
Showing 3 changed files with 297 additions and 0 deletions.
122 changes: 122 additions & 0 deletions mmv1/products/networksecurity/FirewallEndpointAssociation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
# Copyright 2024 Google Inc.
# Licensed under the Apache License, Version 2.0 (the 'License');
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an 'AS IS' BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

--- !ruby/object:Api::Resource
name: 'FirewallEndpointAssociation'
base_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations'
create_url: '{{parent}}/locations/{{location}}/firewallEndpointAssociations?firewallEndpointId={{name}}'
self_link: '{{parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}'
min_version: beta
update_verb: :PATCH
update_mask: true
description: |
Firewall endpoint association links a firewall endpoint to a VPC network in
the same zone. After you define this association, Cloud Firewall forwards the
zonal workload traffic in your VPC network that requires layer 7 inspection to
the attached firewall endpoint.
references:
!ruby/object:Api::Resource::ReferenceLinks
api: 'https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/projects.locations.firewallEndpointAssociations#FirewallEndpointAssociation'
guides:
'Firewall endpoint overview': 'https://cloud.google.com/firewall/docs/about-firewall-endpoints'
'Create and associate firewall endpoints': 'https://cloud.google.com/firewall/docs/configure-firewall-endpoints'
async: !ruby/object:Api::OpAsync
include_project: true
operation: !ruby/object:Api::OpAsync::Operation
base_url: '{{op_id}}'
result: !ruby/object:Api::OpAsync::Result
resource_inside_response: true
import_format: [
'{{%parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}'
]
examples:
- !ruby/object:Provider::Terraform::Examples
name: 'network_security_firewall_endpoint_association_basic'
primary_resource_id: 'default'
# Handwritten test will take care of creates and updates.
# Firewall endpoint association creation is subjet to firewall endpoint creation which is long and expensive.
skip_test: true
min_version: beta
vars:
resource_name_prefix: 'my-firewall-endpoint'
test_env_vars:
org_id: :ORG_ID
project: :PROJECT_NAME
parameters:
- !ruby/object:Api::Type::String
name: 'name'
required: true
immutable: true
url_param_only: true
description: |
The name of the firewall endpoint association resource.
- !ruby/object:Api::Type::String
name: 'location'
required: true
immutable: true
description: |
The location (zone) of the firewall endpoint association.
url_param_only: true
- !ruby/object:Api::Type::String
name: 'parent'
description: |
The name of the parent this firewall endpoint association belongs to.
Format: projects/{project_id}.
immutable: true
url_param_only: true
properties:
- !ruby/object:Api::Type::String
name: 'firewallEndpoint'
required: true
description: |
The URL of the firewall endpoint that is being associated.
- !ruby/object:Api::Type::String
name: 'network'
required: true
description: |
The URL of the network that is being associated.
- !ruby/object:Api::Type::String
name: 'tlsInspectionPolicy'
description: |
The URL of the TlsInspectionPolicy that is being associated.
- !ruby/object:Api::Type::KeyValueLabels
name: 'labels'
description: |
A map of key/value label pairs to assign to the resource.
- !ruby/object:Api::Type::String
name: 'selfLink'
description: |
Server-defined URL of this resource.
output: true
- !ruby/object:Api::Type::Time
name: 'createTime'
description: Time the firewall endpoint was created in UTC.
output: true
- !ruby/object:Api::Type::Time
name: 'updateTime'
description: Time the firewall endpoint was updated in UTC.
output: true
- !ruby/object:Api::Type::Boolean
name: 'reconciling'
description: |
Whether reconciling is in progress, recommended per https://google.aip.dev/128.
output: true
- !ruby/object:Api::Type::Enum
name: 'state'
description: The current state of the endpoint.
output: true
values:
- :ACTIVE
- :CREATING
- :DELETING
- :INACTIVE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
resource "google_network_security_firewall_endpoint" "<%= ctx[:primary_resource_id] %>" {
provider = google-beta
name = "<%= ctx[:vars]['resource_name_prefix'] %>"
parent = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
location = "us-central1-a"

labels = {
foo = "bar"
}
}

resource "google_network_security_firewall_endpoint_association" "<%= ctx[:primary_resource_id] %>_association" {
provider = google-beta
name = "<%= ctx[:vars]['resource_name_prefix'] %>-association"
parent = "projects/<%= ctx[:test_env_vars]['project'] %>"
location = "us-central1-a"

labels = {
foo = "bar"
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
<% autogen_exception -%>
package networksecurity_test
<% unless version == 'ga' -%>

import (
"fmt"
"strings"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"

"github.com/hashicorp/terraform-provider-google/google/acctest"
"github.com/hashicorp/terraform-provider-google/google/envvar"
transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
"github.com/hashicorp/terraform-provider-google/google/tpgresource"
)

func TestAccNetworkSecurityFirewallEndpointAssociations_basic(t *testing.T) {
acctest.SkipIfVcr(t)
t.Parallel()

orgId := envvar.GetTestOrgFromEnv(t)
randomSuffix := acctest.RandString(t, 10)

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
CheckDestroy: testAccCheckNetworkSecurityFirewallEndpointDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccNetworkSecurityFirewallEndpointAssociation_basic(randomSuffix, orgId, ),
},
{
ResourceName: "google_network_security_firewall_endpoint_association.foobar",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
},
{
Config: testAccNetworkSecurityFirewallEndpointAssociation_update(randomSuffix, orgId, ),
},
{
ResourceName: "google_network_security_firewall_endpoint_association.foobar",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
},
},
})
}

func testAccNetworkSecurityFirewallEndpointAssociation_basic(randomSuffix string, orgId string) string {
return fmt.Sprintf(`
resource "google_compute_network" "foobar" {
provider = google-beta
name = "tf-test-my-vpc%s"
auto_create_subnetworks = false
}

resource "google_network_security_firewall_endpoint" "foobar" {
provider = google-beta
name = "tf-test-my-firewall-endpoint%s"
parent = "organizations/%s"
location = "us-central1-a"
}

# TODO: add tlsInspectionPolicy once resource is ready
resource "google_network_security_firewall_endpoint_association" "foobar" {
provider = google-beta
name = "tf-test-my-firewall-endpoint%s"
parent = "organizations/%s"
location = "us-central1-a"
firewall_endpoint = google_network_security_firewall_endpoint.foobar.id
network = google_compute_network.foobar.id

labels = {
foo = "bar"
}
}
`, randomSuffix, randomSuffix, orgId, randomSuffix, orgId)
}

func testAccNetworkSecurityFirewallEndpointAssociation_update(randomSuffix string, orgId string) string {
return fmt.Sprintf(`
resource "google_compute_network" "foobar" {
provider = google-beta
name = "tf-test-my-vpc%s"
auto_create_subnetworks = false
}

resource "google_network_security_firewall_endpoint" "foobar" {
provider = google-beta
name = "tf-test-my-firewall-endpoint%s"
parent = "organizations/%s"
location = "us-central1-a"
}

# TODO: add tlsInspectionPolicy once resource is ready
resource "google_network_security_firewall_endpoint_association" "foobar" {
provider = google-beta
name = "tf-test-my-firewall-endpoint%s"
parent = "organizations/%s"
location = "us-central1-a"
firewall_endpoint = google_network_security_firewall_endpoint.foobar.id
network = google_compute_network.foobar.id

labels = {
foo = "bar-updated"
}
}
`, randomSuffix, randomSuffix, orgId, randomSuffix, orgId)
}

func testAccCheckNetworkSecurityFirewallEndpointAssociationDestroyProducer(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
for name, rs := range s.RootModule().Resources {
if rs.Type != "google_network_security_firewall_endpoint_association" {
continue
}
if strings.HasPrefix(name, "data.") {
continue
}

config := acctest.GoogleProviderConfig(t)

url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{NetworkSecurityBasePath}}{{parent}}/locations/{{location}}/firewallEndpointAssociations/{{name}}")
if err != nil {
return err
}

billingProject := ""

if config.BillingProject != "" {
billingProject = config.BillingProject
}

_, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
Config: config,
Method: "GET",
Project: billingProject,
RawURL: url,
UserAgent: config.UserAgent,
})
if err == nil {
return fmt.Errorf("NetworkSecurityFirewallEndpointAssociation still exists at %s", url)
}
}

return nil
}
}

<% end -%>

0 comments on commit 124dd0e

Please sign in to comment.