Fix google_compute_network_firewall_policy_rule staying disabled after apply with disabled = false (#15454)

duvni · web-flow · commit 536b55c13145 · 2025-10-29T17:18:33.000Z
diff --git a/mmv1/products/compute/NetworkFirewallPolicyRule.yaml b/mmv1/products/compute/NetworkFirewallPolicyRule.yaml
@@ -329,6 +329,7 @@ properties:
             - 'INEFFECTIVE'
   - name: 'disabled'
     type: Boolean
+    send_empty_value: true
     description: |
       Denotes whether the firewall policy rule is disabled.
       When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_network_firewall_policy_rule_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_network_firewall_policy_rule_test.go
@@ -288,6 +288,42 @@ func TestAccComputeNetworkFirewallSecurityProfileGroupDiffsuppress(t *testing.T)
 	})
 }
 
+func TestAccComputeNetworkFirewallPolicyRule_disable_enable(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetworkFirewallPolicyRule_disabled(context, true),
+			},
+			{
+				ResourceName:            "google_compute_network_firewall_policy_rule.fw_policy_rule",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+			{
+				Config: testAccComputeNetworkFirewallPolicyRule_disabled(context, false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_compute_network_firewall_policy_rule.fw_policy_rule", "disabled", "false"),
+				),
+			},
+			{
+				ResourceName:            "google_compute_network_firewall_policy_rule.fw_policy_rule",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+		},
+	})
+}
+
 func testAccComputeNetworkFirewallPolicyRule_secureTags(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
@@ -1028,3 +1064,33 @@ resource "google_compute_network_firewall_policy_rule" "dest_test" {
 
 `, context)
 }
+
+func testAccComputeNetworkFirewallPolicyRule_disabled(context map[string]interface{}, disabled bool) string {
+	context["disabled"] = fmt.Sprintf("%t", disabled)
+	return acctest.Nprintf(`
+resource "google_compute_network" "network" {
+  name                    = "tf-test-%{random_suffix}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_network_firewall_policy" "fw_policy" {
+  name = "tf-test-policy-%{random_suffix}"
+}
+
+resource "google_compute_network_firewall_policy_rule" "fw_policy_rule" {
+  firewall_policy = google_compute_network_firewall_policy.fw_policy.id
+  priority        = 1000
+  action          = "allow"
+  direction       = "EGRESS"
+  disabled        = %{disabled}
+  match {
+    dest_ip_ranges = ["35.235.240.0/20"]
+
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports       = [22]
+    }
+  }
+}
+`, context)
+}
