Org Security Policies (Hierarchical Firewalls) (#3626) (#2333)

Co-authored-by: Dana Hoffman <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: Dana Hoffman <[email protected]>

Author: modular-magician

.changelog/3626.txt

@@ -0,0 +1,9 @@
+```release-note:new-resource
+`google_compute_compute_organization_security_policy` (beta-only)
+```
+```release-note:new-resource
+`google_compute_compute_organization_security_policy_association` (beta-only)
+```
+```release-note:new-resource
+`google_compute_compute_organization_security_policy_rule` (beta-only)
+```

google-beta/compute_operation.go

@@ -2,16 +2,18 @@ package google
 
 import (
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"time"
 
-	"google.golang.org/api/compute/v1"
+	computeBeta "google.golang.org/api/compute/v0.beta"
 )
 
 type ComputeOperationWaiter struct {
-	Service *compute.Service
-	Op      *compute.Operation
+	Service *computeBeta.Service
+	Op      *computeBeta.Operation
 	Project string
+	Parent  string
 }
 
 func (w *ComputeOperationWaiter) State() string {
@@ -42,7 +44,7 @@ func (w *ComputeOperationWaiter) IsRetryable(err error) bool {
 
 func (w *ComputeOperationWaiter) SetOp(op interface{}) error {
 	var ok bool
-	w.Op, ok = op.(*compute.Operation)
+	w.Op, ok = op.(*computeBeta.Operation)
 	if !ok {
 		return fmt.Errorf("Unable to set operation. Bad type!")
 	}
@@ -59,6 +61,8 @@ func (w *ComputeOperationWaiter) QueryOp() (interface{}, error) {
 	} else if w.Op.Region != "" {
 		region := GetResourceNameFromSelfLink(w.Op.Region)
 		return w.Service.RegionOperations.Get(w.Project, region, w.Op.Name).Do()
+	} else if w.Parent != "" {
+		return w.Service.GlobalOrganizationOperations.Get(w.Op.Name).ParentId(w.Parent).Do()
 	}
 	return w.Service.GlobalOperations.Get(w.Project, w.Op.Name).Do()
 }
@@ -80,14 +84,14 @@ func (w *ComputeOperationWaiter) TargetStates() []string {
 }
 
 func computeOperationWaitTime(config *Config, res interface{}, project, activity string, timeout time.Duration) error {
-	op := &compute.Operation{}
+	op := &computeBeta.Operation{}
 	err := Convert(res, op)
 	if err != nil {
 		return err
 	}
 
 	w := &ComputeOperationWaiter{
-		Service: config.clientCompute,
+		Service: config.clientComputeBeta,
 		Op:      op,
 		Project: project,
 	}
@@ -98,9 +102,35 @@ func computeOperationWaitTime(config *Config, res interface{}, project, activity
 	return OperationWait(w, activity, timeout, config.PollInterval)
 }
 
+func computeOrgOperationWaitTimeWithResponse(config *Config, res interface{}, response *map[string]interface{}, parent, activity string, timeout time.Duration) error {
+	op := &computeBeta.Operation{}
+	err := Convert(res, op)
+	if err != nil {
+		return err
+	}
+
+	w := &ComputeOperationWaiter{
+		Service: config.clientComputeBeta,
+		Op:      op,
+		Parent:  parent,
+	}
+
+	if err := w.SetOp(op); err != nil {
+		return err
+	}
+	if err := OperationWait(w, activity, timeout, config.PollInterval); err != nil {
+		return err
+	}
+	e, err := json.Marshal(w.Op)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(e, response)
+}
+
 // ComputeOperationError wraps compute.OperationError and implements the
 // error interface so it can be returned.
-type ComputeOperationError compute.OperationError
+type ComputeOperationError computeBeta.OperationError
 
 func (e ComputeOperationError) Error() string {
 	var buf bytes.Buffer

google-beta/deployment_manager_operation.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"google.golang.org/api/compute/v1"
+	computeBeta "google.golang.org/api/compute/v0.beta"
 )
 
 type DeploymentManagerOperationWaiter struct {
@@ -27,15 +27,15 @@ func (w *DeploymentManagerOperationWaiter) QueryOp() (interface{}, error) {
 	if err != nil {
 		return nil, err
 	}
-	op := &compute.Operation{}
+	op := &computeBeta.Operation{}
 	if err := Convert(resp, op); err != nil {
 		return nil, fmt.Errorf("could not convert response to operation: %v", err)
 	}
 	return op, nil
 }
 
 func deploymentManagerOperationWaitTime(config *Config, resp interface{}, project, activity string, timeout time.Duration) error {
-	op := &compute.Operation{}
+	op := &computeBeta.Operation{}
 	err := Convert(resp, op)
 	if err != nil {
 		return err
@@ -71,7 +71,7 @@ func (w *DeploymentManagerOperationWaiter) Error() error {
 type DeploymentManagerOperationError struct {
 	HTTPStatusCode int64
 	HTTPMessage    string
-	compute.OperationError
+	computeBeta.OperationError
 }
 
 func (e DeploymentManagerOperationError) Error() string {

google-beta/provider.go

@@ -700,9 +700,9 @@ func Provider() terraform.ResourceProvider {
 	return provider
 }
 
-// Generated resources: 176
+// Generated resources: 179
 // Generated IAM resources: 66
-// Total generated resources: 242
+// Total generated resources: 245
 func ResourceMap() map[string]*schema.Resource {
 	resourceMap, _ := ResourceMapWithErrors()
 	return resourceMap
@@ -789,6 +789,9 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_compute_node_group":                                    resourceComputeNodeGroup(),
 			"google_compute_network_peering_routes_config":                 resourceComputeNetworkPeeringRoutesConfig(),
 			"google_compute_node_template":                                 resourceComputeNodeTemplate(),
+			"google_compute_organization_security_policy":                  resourceComputeOrganizationSecurityPolicy(),
+			"google_compute_organization_security_policy_association":      resourceComputeOrganizationSecurityPolicyAssociation(),
+			"google_compute_organization_security_policy_rule":             resourceComputeOrganizationSecurityPolicyRule(),
 			"google_compute_packet_mirroring":                              resourceComputePacketMirroring(),
 			"google_compute_per_instance_config":                           resourceComputePerInstanceConfig(),
 			"google_compute_region_per_instance_config":                    resourceComputeRegionPerInstanceConfig(),

google-beta/resource_access_context_manager_access_level.go

@@ -469,6 +469,8 @@ func resourceAccessContextManagerAccessLevelUpdate(d *schema.ResourceData, meta
 
 	if err != nil {
 		return fmt.Errorf("Error updating AccessLevel %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating AccessLevel %q: %#v", d.Id(), res)
 	}
 
 	err = accessContextManagerOperationWaitTime(

google-beta/resource_access_context_manager_access_policy.go

@@ -210,6 +210,8 @@ func resourceAccessContextManagerAccessPolicyUpdate(d *schema.ResourceData, meta
 
 	if err != nil {
 		return fmt.Errorf("Error updating AccessPolicy %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating AccessPolicy %q: %#v", d.Id(), res)
 	}
 
 	err = accessContextManagerOperationWaitTime(

google-beta/resource_access_context_manager_service_perimeter.go

@@ -521,6 +521,8 @@ func resourceAccessContextManagerServicePerimeterUpdate(d *schema.ResourceData,
 
 	if err != nil {
 		return fmt.Errorf("Error updating ServicePerimeter %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating ServicePerimeter %q: %#v", d.Id(), res)
 	}
 
 	err = accessContextManagerOperationWaitTime(

google-beta/resource_active_directory_domain.go

@@ -299,6 +299,8 @@ func resourceActiveDirectoryDomainUpdate(d *schema.ResourceData, meta interface{
 
 	if err != nil {
 		return fmt.Errorf("Error updating Domain %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating Domain %q: %#v", d.Id(), res)
 	}
 
 	err = activeDirectoryOperationWaitTime(

google-beta/resource_app_engine_application_url_dispatch_rules.go

@@ -195,6 +195,8 @@ func resourceAppEngineApplicationUrlDispatchRulesUpdate(d *schema.ResourceData,
 
 	if err != nil {
 		return fmt.Errorf("Error updating ApplicationUrlDispatchRules %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating ApplicationUrlDispatchRules %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(

google-beta/resource_app_engine_domain_mapping.go

@@ -306,6 +306,8 @@ func resourceAppEngineDomainMappingUpdate(d *schema.ResourceData, meta interface
 
 	if err != nil {
 		return fmt.Errorf("Error updating DomainMapping %q: %s", d.Id(), err)
+	} else {
+		log.Printf("[DEBUG] Finished updating DomainMapping %q: %#v", d.Id(), res)
 	}
 
 	err = appEngineOperationWaitTime(