Feature gap: Add labels and label_fingerprint fields to google_compute_security_policy (#14821)

Signed-off-by: Cezary Sobczak <[email protected]>

Author: Cezarus27

mmv1/third_party/terraform/services/compute/resource_compute_security_policy.go.tmpl

@@ -65,6 +65,7 @@ func ResourceComputeSecurityPolicy() *schema.Resource {
 		},
 		CustomizeDiff: customdiff.All(
 			tpgresource.DefaultProviderProject,
+			tpgresource.SetLabelsDiff,
 			rulesCustomizeDiff,
 		),
 
@@ -701,8 +702,36 @@ func ResourceComputeSecurityPolicy() *schema.Resource {
 					},
 				},
 			},
-		},
+			"labels": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Description: `Labels to apply to this address.  A list of key->value pairs.
+
 
+**Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
+Please refer to the field 'effective_labels' for all of the labels present on the resource.`,
+			},
+			"terraform_labels": {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: `The combination of labels configured directly on the resource and default labels configured on the provider.`,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"effective_labels": {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: `All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.`,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"label_fingerprint": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `The unique fingerprint of the labels.`,
+			},
+		},
 		UseJSONNumber: true,
 	}
 }
@@ -748,7 +777,7 @@ func rulesCustomizeDiff(_ context.Context, diff *schema.ResourceDiff, _ interfac
 
 func resourceComputeSecurityPolicyCreate(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*transport_tpg.Config)
-	userAgent, err :=  tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
 	if err != nil {
 		return err
 	}
@@ -772,17 +801,17 @@ func resourceComputeSecurityPolicyCreate(d *schema.ResourceData, meta interface{
 		securityPolicy.Rules = expandSecurityPolicyRules(v.(*schema.Set).List())
 	}
 
-	if v, ok := d.GetOk("advanced_options_config"); ok{
+	if v, ok := d.GetOk("advanced_options_config"); ok {
 		securityPolicy.AdvancedOptionsConfig = expandSecurityPolicyAdvancedOptionsConfig(v.([]interface{}))
 	}
 
-	if v, ok := d.GetOk("adaptive_protection_config"); ok{
+	if v, ok := d.GetOk("adaptive_protection_config"); ok {
 		securityPolicy.AdaptiveProtectionConfig = expandSecurityPolicyAdaptiveProtectionConfig(v.([]interface{}))
 	}
 
 	log.Printf("[DEBUG] SecurityPolicy insert request: %#v", securityPolicy)
 
-	if v, ok := d.GetOk("recaptcha_options_config"); ok{
+	if v, ok := d.GetOk("recaptcha_options_config"); ok {
 		securityPolicy.RecaptchaOptionsConfig = expandSecurityPolicyRecaptchaOptionsConfig(v.([]interface{}), d)
 	}
 
@@ -805,6 +834,48 @@ func resourceComputeSecurityPolicyCreate(d *schema.ResourceData, meta interface{
 		return err
 	}
 
+	if effectiveLabels := tpgresource.ExpandEffectiveLabels(d); effectiveLabels != nil {
+		userLabels := d.Get("labels")
+		terraformLabels := d.Get("terraform_labels")
+
+		// Labels cannot be set in a create.  We'll have to set them here.
+		err = resourceComputeSecurityPolicyRead(d, meta)
+		if err != nil {
+			return err
+		}
+
+		// Now we can set the labels
+		setLabels := &compute.GlobalSetLabelsRequest{
+			Labels:           effectiveLabels,
+			LabelFingerprint: d.Get("label_fingerprint").(string),
+		}
+
+		op, err = client.SecurityPolicies.SetLabels(project, sp, setLabels).Do()
+		if err != nil {
+			return err
+		}
+
+		err = ComputeOperationWaitTime(config, op, project, fmt.Sprintf("Creating SecurityPolicy.Labels %q", sp), userAgent, d.Timeout(schema.TimeoutCreate))
+		if err != nil {
+			return err
+		}
+
+		// Set back the labels field, as it is needed to decide the value of "labels" in the state in the read function.
+		if err := d.Set("labels", userLabels); err != nil {
+			return fmt.Errorf("Error setting back labels: %s", err)
+		}
+
+		// Set back the terraform_labels field, as it is needed to decide the value of "terraform_labels" in the state in the read function.
+		if err := d.Set("terraform_labels", terraformLabels); err != nil {
+			return fmt.Errorf("Error setting back terraform_labels: %s", err)
+		}
+
+		// Set back the effective_labels field, as it is needed to decide the value of "effective_labels" in the state in the read function.
+		if err := d.Set("effective_labels", effectiveLabels); err != nil {
+			return fmt.Errorf("Error setting back effective_labels: %s", err)
+		}
+	}
+
 	return resourceComputeSecurityPolicyRead(d, meta)
 }
 
@@ -862,6 +933,22 @@ func resourceComputeSecurityPolicyRead(d *schema.ResourceData, meta interface{})
 		return fmt.Errorf("Error setting recaptcha_options_config: %s", err)
 	}
 
+	if err := tpgresource.SetLabels(securityPolicy.Labels, d, "labels"); err != nil {
+		return err
+	}
+
+	if err := tpgresource.SetLabels(securityPolicy.Labels, d, "terraform_labels"); err != nil {
+		return err
+	}
+
+	if err := d.Set("effective_labels", securityPolicy.Labels); err != nil {
+		return err
+	}
+
+	if err := d.Set("label_fingerprint", securityPolicy.LabelFingerprint); err != nil {
+		return fmt.Errorf("Error setting label_fingerprint: %s", err)
+	}
+
 	return nil
 }
 
@@ -923,6 +1010,22 @@ func resourceComputeSecurityPolicyUpdate(d *schema.ResourceData, meta interface{
 		securityPolicy.ForceSendFields = append(securityPolicy.ForceSendFields, "RecaptchaOptionsConfig")
 	}
 
+	if d.HasChange("effective_labels") {
+		labels := tpgresource.ExpandEffectiveLabels(d)
+		labelFingerprint := d.Get("label_fingerprint").(string)
+		req := compute.GlobalSetLabelsRequest{Labels: labels, LabelFingerprint: labelFingerprint}
+
+		op, err := config.NewComputeClient(userAgent).SecurityPolicies.SetLabels(project, sp, &req).Do()
+		if err != nil {
+			return fmt.Errorf("Error updating labels: %s", err)
+		}
+
+		opErr := ComputeOperationWaitTime(config, op, project, "labels to update", userAgent, d.Timeout(schema.TimeoutUpdate))
+		if opErr != nil {
+			return opErr
+		}
+	}
+
 	if len(securityPolicy.ForceSendFields) > 0 {
 		client := config.NewComputeClient(userAgent)
 

mmv1/third_party/terraform/services/compute/resource_compute_security_policy_rule_test.go

@@ -2,10 +2,11 @@ package compute_test
 
 import (
 	"fmt"
-	"github.com/hashicorp/terraform-provider-google/google/acctest"
 	"regexp"
 	"testing"
 
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 )
 

mmv1/third_party/terraform/services/compute/resource_compute_security_policy_test.go.tmpl

@@ -774,6 +774,38 @@ func TestAccComputeSecurityPolicy_modifyExprOptions(t *testing.T) {
 	})
 }
 
+func TestAccComputeSecurityPolicy_labels(t *testing.T) {
+	t.Parallel()
+
+	spName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeSecurityPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeSecurityPolicy_basicLabels(spName),
+			},
+			{
+				ResourceName:            "google_compute_security_policy.policy",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+			{
+				Config: testAccComputeSecurityPolicy_updateLabels(spName),
+			},
+			{
+				ResourceName:            "google_compute_security_policy.policy",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
 func testAccComputeSecurityPolicy_withRecaptchaOptionsConfig(project, spName string) string {
 	return fmt.Sprintf(`
 resource "google_recaptcha_enterprise_key" "primary" {
@@ -2230,3 +2262,32 @@ resource "google_compute_security_policy" "policy" {
 }
 `, spName)
 }
+
+func testAccComputeSecurityPolicy_basicLabels(spName string) string {
+	return fmt.Sprintf(`
+resource "google_compute_security_policy" "policy" {
+  name        = "%s"
+  description = "basic security policy"
+  type        = "CLOUD_ARMOR"
+
+  labels = {
+    "env" = "test"
+  }
+}
+`, spName)
+}
+
+func testAccComputeSecurityPolicy_updateLabels(spName string) string {
+	return fmt.Sprintf(`
+resource "google_compute_security_policy" "policy" {
+  name        = "%s"
+  description = "basic security policy"
+  type        = "CLOUD_ARMOR"
+
+  labels = {
+    "env" = "test",
+	"new_label" = "abcd1"
+  }
+}
+`, spName)
+}

mmv1/third_party/terraform/website/docs/r/compute_security_policy.html.markdown

@@ -191,6 +191,16 @@ The following arguments are supported:
   * `CLOUD_ARMOR_INTERNAL_SERVICE` - Cloud Armor internal service policies can be configured to filter HTTP requests targeting services
     managed by Traffic Director in a service mesh. They filter requests before the request is served from the application.
 
+* `labels` - Labels to apply to this address. A list of key->value pairs.
+  **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
+  Please refer to the field `effective_labels` for all of the labels present on the resource.
+
+* `effective_labels` - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
+
+* `terraform_labels` - The combination of labels configured directly on the resource and default labels configured on the provider.
+
+* `label_fingerprint` - The unique fingerprint of the labels.
+
 <a name="nested_advanced_options_config"></a>The `advanced_options_config` block supports:
 
 * `json_parsing` - Whether or not to JSON parse the payload body. Defaults to `DISABLED`.