add terraform support to SAC realm (#15650)

harshithpatte-g · web-flow · commit c20da38d145a · 2025-11-18T17:46:14.000Z
diff --git a/mmv1/products/networksecurity/SacRealm.yaml b/mmv1/products/networksecurity/SacRealm.yaml
@@ -0,0 +1,119 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'SacRealm'
+description: "Secure Access Connect Realm resource"
+references:
+  guides:
+    'QUICKSTART_TITLE': 'https://cloud.google.com/secure-access-connect/docs/overview'
+  api: 'https://cloud.google.com/secure-access-connect/docs/reference/network-security/rest/v1beta1/projects.locations.sacRealms'
+min_version: beta
+
+base_url: 'projects/{{project}}/locations/global/sacRealms'
+self_link: 'projects/{{project}}/locations/global/sacRealms/{{name}}'
+immutable: true
+create_url: 'projects/{{project}}/locations/global/sacRealms?sacRealmId={{name}}'
+autogen_async: true
+async:
+  operation:
+    base_url: '{{op_id}}'
+examples:
+  - name: 'sac_realm_prisma_access'
+    min_version: beta
+    primary_resource_id: 'default'
+    vars:
+      resource_name: 'sac-realm-name'
+  - name: 'sac_realm_symantec_cloud_swg'
+    min_version: beta
+    exclude_test: true
+    primary_resource_id: 'default'
+    vars:
+      resource_name: 'sac-realm-name'
+      secret_path: 'secret-path'
+properties:
+  - name: 'name'
+    type: String
+    required: true
+    immutable: true
+    description: |
+      Identifier. Resource name.
+    custom_flatten: 'templates/terraform/custom_flatten/id_from_name.tmpl'
+  - name: 'createTime'
+    type: String
+    description: Timestamp when the realm was created.
+    output: true
+  - name: 'updateTime'
+    type: String
+    description: Timestamp when the realm was last updated.
+    output: true
+  - name: 'labels'
+    type: KeyValueLabels
+    description: |
+      Optional labels in key:value format. For more information about labels, see [Requirements for labels](https://cloud.google.com/resource-manager/docs/creating-managing-labels#requirements).
+  - name: 'pairingKey'
+    type: NestedObject
+    description: Key to be shared with SSE service provider during pairing.
+    properties:
+      - name: 'key'
+        type: String
+        description: Key value.
+        output: true
+      - name: 'expireTime'
+        type: String
+        description: Timestamp in UTC of when this resource is considered expired. It expires 7 days after creation.
+        output: true
+    output: true
+  - name: 'securityService'
+    type: Enum
+    description: SSE service provider associated with the realm.
+    required: true
+    immutable: true
+    enum_values:
+      - 'SECURITY_SERVICE_UNSPECIFIED'
+      - 'PALO_ALTO_PRISMA_ACCESS'
+      - 'SYMANTEC_CLOUD_SWG'
+  - name: 'state'
+    type: Enum
+    description: State of the realm.
+    output: true
+    enum_values:
+      - 'STATE_UNSPECIFIED'
+      - 'PENDING_PARTNER_ATTACHMENT'
+      - 'PARTNER_ATTACHED'
+      - 'PARTNER_DETACHED'
+      - 'KEY_EXPIRED'
+  - name: 'symantecOptions'
+    description: Configuration required for Symantec realms.
+    type: NestedObject
+    properties:
+      - name: 'availableSymantecSites'
+        type: Array
+        description: Symantec site IDs which the user can choose to connect to.
+        output: true
+        item_type:
+          type: String
+      - name: 'secretPath'
+        type: String
+        description: |
+          API Key used to call Symantec APIs on the user's behalf. Required if using Symantec Cloud SWG. P4SA account needs permissions granted to read this secret.
+          A secret ID, secret name, or secret URI can be specified, but it will be parsed and stored as a secret URI in the form projects/{projectNumber}/secrets/my-secret.
+      - name: "symantecConnectionState"
+        type: Enum
+        description: Connection status to Symantec API
+        output: true
+        enum_values:
+          - 'SYMANTEC_CONNECTION_STATE_UNSPECIFIED'
+          - 'SUCCEEDED'
+          - 'READ_SECRET_FAILED'
+          - 'REQUEST_TO_SYMANTEC_FAILED'
diff --git a/mmv1/templates/terraform/examples/sac_realm_prisma_access.tf.tmpl b/mmv1/templates/terraform/examples/sac_realm_prisma_access.tf.tmpl
@@ -0,0 +1,8 @@
+resource "google_network_security_sac_realm" "{{$.PrimaryResourceId}}" {
+  provider      = google-beta
+  name          = "{{index $.Vars "resource_name"}}"
+  labels = {
+    label-one = "value-one"
+  }
+  security_service = "PALO_ALTO_PRISMA_ACCESS"
+}
diff --git a/mmv1/templates/terraform/examples/sac_realm_symantec_cloud_swg.tf.tmpl b/mmv1/templates/terraform/examples/sac_realm_symantec_cloud_swg.tf.tmpl
@@ -0,0 +1,11 @@
+resource "google_network_security_sac_realm" "{{$.PrimaryResourceId}}" {
+  provider      = google-beta
+  name          = "{{index $.Vars "resource_name"}}"
+  labels = {
+    label-one = "value-one"
+  }
+  security_service = "SYMANTEC_CLOUD_SWG"
+  symantecOptions = {
+    secretPath = "{{index $.Vars "secret_path"}}"
+  }
+}
