fix: string based ordering for google_compute_region_security_policy causes recreate after apply (#14093)

Author: ramonvermeulen

mmv1/products/compute/RegionSecurityPolicy.yaml

@@ -39,6 +39,7 @@ async:
   result:
     resource_inside_response: false
 custom_code:
+  constants: 'templates/terraform/constants/region_security_policy.go.tmpl'
 sweeper:
   url_substitutions:
     - region: "us-south1"
@@ -188,6 +189,7 @@ properties:
     description: |
       The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
     default_from_api: true
+    diff_suppress_func: 'resourceComputeRegionSecurityPolicySpecRulesDiffSuppress'
     item_type:
       type: NestedObject
       properties:

mmv1/templates/terraform/constants/region_security_policy.go.tmpl

@@ -0,0 +1,31 @@
+{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
+func resourceComputeRegionSecurityPolicySpecRulesDiffSuppress(k, o, n string, d *schema.ResourceData) bool {
+    oldCount, newCount := d.GetChange("rules.#")
+    var count int
+    // There could be duplicates - worth continuing even if the counts are unequal.
+    if oldCount.(int) < newCount.(int) {
+        count = newCount.(int)
+    } else {
+        count = oldCount.(int)
+    }
+
+    old := make([]interface{}, 0, count)
+    new := make([]interface{}, 0, count)
+    for i := 0; i < count; i++ {
+        o, n := d.GetChange(fmt.Sprintf("rules.%d", i))
+
+        if o != nil {
+            old = append(old, o)
+        }
+        if n != nil {
+            new = append(new, n)
+        }
+    }
+
+    oldSet := schema.NewSet(schema.HashResource(ResourceComputeRegionSecurityPolicy().Schema["rules"].Elem.(*schema.Resource)), old)
+    newSet := schema.NewSet(schema.HashResource(ResourceComputeRegionSecurityPolicy().Schema["rules"].Elem.(*schema.Resource)), new)
+
+    return oldSet.Equal(newSet)
+}
+
+{{- end }}

mmv1/third_party/terraform/services/compute/resource_compute_region_security_policy_test.go.tmpl

@@ -722,6 +722,121 @@ func testAccComputeRegionSecurityPolicy_withMultipleEnforceOnKeyConfigs_update(c
 	`, context)
 }
 
+func TestAccComputeRegionSecurityPolicy_regionSecurityPolicyRuleOrderingWithMultipleRules(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeRegionSecurityPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionSecurityPolicy_ruleOrderingWithMultipleRules_create(context),
+			},
+			{
+				ResourceName:      "google_compute_region_security_policy.policy",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccComputeRegionSecurityPolicy_ruleOrderingWithMultipleRules_update(context),
+			},
+			{
+				ResourceName:      "google_compute_region_security_policy.policy",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+
+func testAccComputeRegionSecurityPolicy_ruleOrderingWithMultipleRules_create(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+
+resource "google_compute_region_security_policy" "policy" {
+	name	    = "tf-test-ordering%{random_suffix}"
+	description = "basic region security policy with multiple rules"
+	type        = "CLOUD_ARMOR"
+	region      = "us-central1"
+
+	rules {
+		action   = "deny"
+		priority = "3000"
+		match {
+			expr {
+			expression = "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2"
+			}
+		}
+	}
+
+	rules {
+		action   = "deny"
+		priority = "2147483647"
+		match {
+			versioned_expr = "SRC_IPS_V1"
+			config {
+				src_ip_ranges = ["*"]
+			}
+		}
+		description = "default rule"
+	}
+}
+
+	`, context)
+}
+
+
+func testAccComputeRegionSecurityPolicy_ruleOrderingWithMultipleRules_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+
+resource "google_compute_region_security_policy" "policy" {
+	name	    = "tf-test-ordering%{random_suffix}"
+	description = "basic region security policy with multiple rules, updated"
+	type        = "CLOUD_ARMOR"
+	region      = "us-central1"
+
+	rules {
+		action   = "allow"
+		priority = "4000"
+		match {
+			expr {
+				expression = "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2"
+			}
+		}
+	}
+
+	rules {
+		action   = "allow"
+		priority = "5000"
+		match {
+			expr {
+				expression = "request.path.matches(\"/404.html\") && token.recaptcha_session.score > 0.4"
+			}
+		}
+		description = "new rule"
+	}
+
+	rules {
+		action   = "deny"
+		priority = "2147483647"
+		match {
+			versioned_expr = "SRC_IPS_V1"
+			config {
+				src_ip_ranges = ["*"]
+			}
+		}
+		description = "default rule"
+	}
+}
+	`, context)
+}
+
+
 {{- if ne $.TargetVersionName "ga" }}
 func TestAccComputeRegionSecurityPolicy_regionSecurityPolicyWithRulesNetworkMatch(t *testing.T) {
 	t.Parallel()