Added new profile type "URL_FILTERING" for SecurityProfile (#13342)

Author: matheusaleixo-cit

mmv1/products/networksecurity/SecurityProfile.yaml

@@ -78,6 +78,13 @@ examples:
       endpoint_group_id: 'my-eg'
     test_env_vars:
       org_id: 'ORG_ID'
+  - name: 'network_security_security_profile_url_filtering'
+    min_version: 'beta'
+    primary_resource_id: 'default'
+    vars:
+      resource_name: 'my-security-profile'
+    test_env_vars:
+      org_id: 'ORG_ID'
 parameters:
   - name: 'name'
     type: String
@@ -223,6 +230,48 @@ properties:
                 - 'DEFAULT_ACTION'
                 - 'DENY'
     conflicts:
+      - 'urlFilteringProfile'
+      - 'customMirroringProfile'
+      - 'customInterceptProfile'
+  - name: 'urlFilteringProfile'
+    min_version: 'beta'
+    type: NestedObject
+    description: The url filtering configuration for the security profile.
+    custom_flatten: 'templates/terraform/custom_flatten/network_security_security_profile_url_filters_flatten.go.tmpl'
+    properties:
+      - name: 'urlFilters'
+        type: Array
+        is_set: true
+        description: |
+          The configuration for action to take based on domain name match.
+          A domain name would be checked for matching filters through the list in order of highest to lowest priority,
+          and the first filter that a domain name matches with is the one whose actions gets applied.
+        item_type:
+          type: NestedObject
+          properties:
+            - name: 'filteringAction'
+              type: Enum
+              description: The action to take when the filter is applied.
+              required: true
+              enum_values:
+                - 'ALLOW'
+                - 'DENY'
+            - name: 'urls'
+              type: Array
+              description: |
+                A list of domain matcher strings that a domain name gets compared with to determine if the filter is applicable.
+                A domain name must match with at least one of the strings in the list for a filter to be applicable.
+              item_type:
+                type: String
+            - name: 'priority'
+              type: Integer
+              description: |
+                The priority of the filter within the URL filtering profile.
+                Must be an integer from 0 and 2147483647, inclusive. Lower integers indicate higher priorities.
+                The priority of a filter must be unique within a URL filtering profile.
+              required: true
+    conflicts:
+      - 'threatPreventionProfile'
       - 'customMirroringProfile'
       - 'customInterceptProfile'
   - name: 'customMirroringProfile'
@@ -239,6 +288,7 @@ properties:
         required: true
     conflicts:
       - 'threatPreventionProfile'
+      - 'urlFilteringProfile'
       - 'customInterceptProfile'
   - name: 'customInterceptProfile'
     type: NestedObject
@@ -254,6 +304,7 @@ properties:
         required: true
     conflicts:
       - 'threatPreventionProfile'
+      - 'urlFilteringProfile'
       - 'customMirroringProfile'
   - name: 'type'
     type: Enum
@@ -262,5 +313,6 @@ properties:
     immutable: true
     enum_values:
       - 'THREAT_PREVENTION'
+      - 'URL_FILTERING'
       - 'CUSTOM_MIRRORING'
       - 'CUSTOM_INTERCEPT'

mmv1/products/networksecurity/SecurityProfileGroup.yaml

@@ -72,6 +72,14 @@ examples:
       security_profile_group_name: 'sec-profile-group'
     test_env_vars:
       org_id: 'ORG_ID'
+  - name: 'network_security_security_profile_group_url_filtering'
+    min_version: 'beta'
+    primary_resource_id: 'default'
+    vars:
+      security_profile_group_name: 'sec-profile-group'
+      security_profile_name: 'sec-profile'
+    test_env_vars:
+      org_id: 'ORG_ID'
 parameters:
   - name: 'name'
     type: String
@@ -123,6 +131,11 @@ properties:
     type: String
     description: |
       Reference to a SecurityProfile with the threat prevention configuration for the SecurityProfileGroup.
+  - name: 'urlFilteringProfile'
+    min_version: 'beta'
+    type: String
+    description: |
+      Reference to a SecurityProfile with the URL filtering configuration for the SecurityProfileGroup.
   - name: 'customMirroringProfile'
     type: String
     description: |

mmv1/templates/terraform/custom_flatten/network_security_security_profile_url_filters_flatten.go.tmpl

@@ -0,0 +1,94 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["url_filters"] =
+		flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFilters(original["urlFilters"], d, config)
+
+	// We check again the length after removing the default url_filter
+	if transformed["url_filters"].(*schema.Set).Len() == 0 {
+		return nil
+	}
+	return []interface{}{transformed}
+}
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFilters(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+
+	// We check if the user included the default filter in his config
+	resourceDataContainsDefaultFilter := false
+	resourceData, ok := d.GetOk("url_filtering_profile.0.url_filters")
+	if ok {
+		for _, raw := range resourceData.(*schema.Set).List() {
+			if raw.(map[string]interface{})["priority"] == 2147483647 {
+				resourceDataContainsDefaultFilter = true
+				break
+			}
+		}
+	}
+
+	l := v.([]interface{})
+	transformed := schema.NewSet(schema.HashResource(networksecuritySecurityProfileUrlFilteringProfileUrlFiltersSchema()), []interface{}{})
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+
+		priorityFlatten := flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersPriority(original["priority"], d, config)
+		// Do not include the auto created default url_filter coming back from the api unless the user included it in his config
+		if priorityFlatten == 2147483647 && !resourceDataContainsDefaultFilter {
+			continue
+		}
+
+		transformed.Add(map[string]interface{}{
+			"filtering_action": flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersFilteringAction(original["filteringAction"], d, config),
+			"urls":             flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersUrls(original["urls"], d, config),
+			"priority":         priorityFlatten,
+		})
+	}
+	return transformed
+}
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersFilteringAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersUrls(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersPriority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	// Handles the string fixed64 format
+	if strVal, ok := v.(string); ok {
+		if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+			return intVal
+		}
+	}
+
+	// number values are represented as float64
+	if floatVal, ok := v.(float64); ok {
+		intVal := int(floatVal)
+		return intVal
+	}
+
+	return v // let terraform core handle it otherwise
+}

mmv1/templates/terraform/examples/network_security_security_profile_group_url_filtering.tf.tmpl

@@ -0,0 +1,27 @@
+resource "google_network_security_security_profile_group" "{{$.PrimaryResourceId}}" {
+  provider                  = google-beta
+  name                      = "{{index $.Vars "security_profile_group_name"}}"
+  parent                    = "organizations/{{index $.TestEnvVars "org_id"}}"
+  description               = "my description"
+  url_filtering_profile     = google_network_security_security_profile.security_profile.id
+
+  labels = {
+    foo = "bar"
+  }
+}
+
+resource "google_network_security_security_profile" "security_profile" {
+  provider    = google-beta
+  name        = "{{index $.Vars "security_profile_name"}}"
+  location    = "global"
+  type        = "URL_FILTERING"
+
+  url_filtering_profile {
+    url_filters {
+      priority = 1
+      filtering_action   = "ALLOW"
+      urls = ["*example.com", "*about.example.com", "*help.example.com"]
+    }
+  }
+  parent = "organizations/{{index $.TestEnvVars "org_id"}}"
+}

mmv1/templates/terraform/examples/network_security_security_profile_url_filtering.tf.tmpl

@@ -0,0 +1,24 @@
+resource "google_network_security_security_profile" "{{$.PrimaryResourceId}}" {
+  provider    = google-beta
+  name        = "{{index $.Vars "resource_name"}}"
+  parent      = "organizations/{{index $.TestEnvVars "org_id"}}"
+  description = "my description"
+  type        = "URL_FILTERING"
+
+  url_filtering_profile {
+    url_filters {
+      priority = 1
+      filtering_action   = "ALLOW"
+      urls = ["*example.com", "*about.example.com", "*help.example.com"]
+    }
+    url_filters {
+      priority = 2
+      filtering_action   = "DENY"
+      urls = ["*restricted.example.com"]
+    }
+  }
+
+  labels = {
+    foo = "bar"
+  }
+}