Add Looker egress configs to Instance.yaml (#15749)

Author: efeelaiho

mmv1/products/looker/Instance.yaml

@@ -153,6 +153,31 @@ properties:
       Network name in the consumer project in the format of: projects/{project}/global/networks/{network}
       Note that the consumer network may be in a different GCP project than the consumer
       project that is hosting the Looker Instance.
+  # Controlled Egress Config Object
+  - name: 'controlledEgressConfig'
+    type: NestedObject
+    description: |
+      Controlled egress configuration.
+    update_mask_fields:
+      - 'controlled_egress_config.marketplace_enabled'
+      - 'controlled_egress_config.egress_fqdns'
+    properties:
+      - name: 'marketplaceEnabled'
+        type: Boolean
+        description: |
+          Whether the Looker Marketplace is enabled.
+      - name: 'egressFqdns'
+        type: Array
+        description: |
+          List of fully qualified domain names to be added to the allowlist for
+          outbound traffic.
+        item_type:
+          type: String
+  # Controlled Egress Config Object - End
+  - name: 'controlledEgressEnabled'
+    type: Boolean
+    description: |
+      Whether controlled egress is enabled on the Looker instance.
   - name: 'createTime'
     type: Time
     description: |
@@ -440,6 +465,7 @@ properties:
     type: NestedObject
     description: |
       Information for Private Service Connect (PSC) setup for a Looker instance.
+    default_from_api: true
     update_mask_fields:
       - 'psc_config.allowed_vpcs'
       - 'psc_config.service_attachments'

mmv1/third_party/terraform/services/looker/resource_looker_instance_test.go

@@ -1,6 +1,7 @@
 package looker_test
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
@@ -40,3 +41,89 @@ func TestAccLookerInstance_update(t *testing.T) {
 		},
 	})
 }
+
+func TestAccLookerInstance_updateControlledEgress(t *testing.T) {
+	t.Parallel()
+
+	// Step 1: Create instance WITHOUT controlled egress
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				// Config A: Basic Instance
+				Config: testAccLookerInstance_basic(context),
+			},
+			{
+				ResourceName:            "google_looker_instance.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"oauth_config", "region"},
+			},
+			{
+				// Config B: Update to ENABLE controlled egress
+				// This triggers the PATCH with your update_mask logic
+				Config: testAccLookerInstance_controlledEgress(context),
+			},
+			{
+				ResourceName:            "google_looker_instance.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"oauth_config", "region"},
+			},
+		},
+	})
+}
+
+func testAccLookerInstance_basic(context map[string]interface{}) string {
+	return fmt.Sprintf(`
+resource "google_looker_instance" "test" {
+  name               = "tf-test-looker-%s"
+  platform_edition   = "LOOKER_CORE_ENTERPRISE_ANNUAL"
+  region             = "us-central1"
+  public_ip_enabled  = true
+  psc_enabled  = true
+
+  psc_config {
+    allowed_vpcs = []
+  }
+
+  oauth_config {
+    client_id     = "my-client-id"
+    client_secret = "my-client-secret"
+  }
+}
+`, context["random_suffix"])
+}
+
+func testAccLookerInstance_controlledEgress(context map[string]interface{}) string {
+	return fmt.Sprintf(`
+resource "google_looker_instance" "test" {
+  name               = "tf-test-looker-%s"
+  platform_edition   = "LOOKER_CORE_ENTERPRISE_ANNUAL"
+  region             = "us-central1"
+  public_ip_enabled  = true
+  psc_enabled  = true
+
+  psc_config {
+    allowed_vpcs = []
+  }
+
+  controlled_egress_enabled = true
+
+  controlled_egress_config {
+    marketplace_enabled = true
+    egress_fqdns        = ["google.com", "github.com"]
+  }
+
+  oauth_config {
+    client_id     = "my-client-id"
+    client_secret = "my-client-secret"
+  }
+}
+`, context["random_suffix"])
+}