Support the new Broker type of custom mirroring security profile. (#15758)

duvni · web-flow · commit ca05687e91ff · 2025-11-20T19:14:13.000Z
diff --git a/mmv1/products/networksecurity/SecurityProfile.yaml b/mmv1/products/networksecurity/SecurityProfile.yaml
@@ -86,6 +86,16 @@ examples:
     test_env_vars:
       org_id: 'ORG_ID'
     tgc_skip_test: The ENUM value URL_FILTERING in type field is transformed to UNKNOWN_ENUM_VALUE_ProfileType_5 in CAI asset. The reason could be that URL_FILTERING is not supported in CAI yet. Will check if the value in CAI assets will be correct later.
+  - name: network_security_security_profile_broker
+    min_version: 'beta'
+    primary_resource_id: 'default'
+    vars:
+      resource_name: 'my-security-profile'
+      network_name: 'my-network'
+      deployment_group_id: 'my-dg'
+      endpoint_group_id: 'my-eg'
+    test_env_vars:
+      org_id: 'ORG_ID'
 parameters:
   - name: 'name'
     type: String
@@ -285,9 +295,31 @@ properties:
       - name: mirroringEndpointGroup
         type: String
         description: |
-          The Mirroring Endpoint Group to which matching traffic should be mirrored.
+          The target Mirroring Endpoint Group.
+          When a mirroring rule with this security profile attached matches a packet,
+          a replica will be mirrored to the location-local target in this group.
           Format: projects/{project_id}/locations/global/mirroringEndpointGroups/{endpoint_group_id}
         required: true
+      - name: mirroringDeploymentGroups
+        type: Array
+        item_type:
+          type: String
+        description: |
+          The target downstream Mirroring Deployment Groups.
+          This field is used for Packet Broker mirroring endpoint groups to specify
+          the deployment groups that the packet should be mirrored to by the broker.
+          Format: projects/{project_id}/locations/global/mirroringDeploymentGroups/{deployment_group_id}
+        immutable: true
+        min_version: 'beta'
+      - name: 'mirroringEndpointGroupType'
+        type: String
+        description: |-
+          The type of the mirroring endpoint group this profile is attached to.
+          Possible values:
+          DIRECT
+          BROKER
+        output: true
+        min_version: 'beta'
     conflicts:
       - 'threatPreventionProfile'
       - 'urlFilteringProfile'
diff --git a/mmv1/templates/terraform/examples/network_security_security_profile_broker.tf.tmpl b/mmv1/templates/terraform/examples/network_security_security_profile_broker.tf.tmpl
@@ -0,0 +1,33 @@
+resource "google_compute_network" "default" {
+  provider                = google-beta
+  name                    = "{{index $.Vars "network_name"}}"
+  auto_create_subnetworks = false
+}
+
+resource "google_network_security_mirroring_deployment_group" "default" {
+  provider                      = google-beta
+  mirroring_deployment_group_id = "{{index $.Vars "deployment_group_id"}}"
+  location                      = "global"
+  network                       = google_compute_network.default.id
+}
+
+resource "google_network_security_mirroring_endpoint_group" "default" {
+  provider                    = google-beta
+  mirroring_endpoint_group_id = "{{index $.Vars "endpoint_group_id"}}"
+  location                    = "global"
+  type                        = "BROKER"
+  mirroring_deployment_groups = [google_network_security_mirroring_deployment_group.default.id]
+}
+
+resource "google_network_security_security_profile" "{{$.PrimaryResourceId}}" {
+  provider    = google-beta
+  name        = "{{index $.Vars "resource_name"}}"
+  parent      = "organizations/{{index $.TestEnvVars "org_id"}}"
+  description = "my description"
+  type        = "CUSTOM_MIRRORING"
+
+  custom_mirroring_profile {
+    mirroring_endpoint_group    = google_network_security_mirroring_endpoint_group.default.id
+    mirroring_deployment_groups = [google_network_security_mirroring_deployment_group.default.id]
+  }
+}
