hashicorp
diff --git a/‎.changelog/14021.txt‎
Lines changed: 3 additions & 0 deletions b/‎.changelog/14021.txt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎google-beta/services/compute/resource_compute_firewall_policy_rule.go‎
Lines changed: 194 additions & 0 deletions b/‎google-beta/services/compute/resource_compute_firewall_policy_rule.go‎
Lines changed: 194 additions & 0 deletions
diff --git a/‎google-beta/services/compute/resource_compute_firewall_policy_rule_generated_meta.yaml‎
Lines changed: 4 additions & 0 deletions b/‎google-beta/services/compute/resource_compute_firewall_policy_rule_generated_meta.yaml‎
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: added `match.src_secure_tags` and `target_secure_tags` fields to `google_compute_firewall_policy_rule` resource
+```
@@ -197,6 +197,26 @@ Example inputs include: ["22"], ["80","443"], and ["12345-12349"].`,
 								Type: schema.TypeString,
 							},
 						},
+						"src_secure_tags": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.`,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"name": {
+										Type:             schema.TypeString,
+										Optional:         true,
+										DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
+										Description:      `Name of the secure tag, created with TagManager's TagValue API.`,
+									},
+									"state": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: `State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.`,
+									},
+								},
+							},
+						},
 						"src_threat_intelligences": {
 							Type:        schema.TypeList,
 							Optional:    true,
@@ -254,6 +274,28 @@ If this field is left blank, all VMs within the organization will receive the ru
 					Type: schema.TypeString,
 				},
 			},
+			"target_secure_tags": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Description: `A list of secure tags that controls which instances the firewall rule applies to.
+If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored.
+targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target secure tags allowed is 256.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:             schema.TypeString,
+							Optional:         true,
+							DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
+							Description:      `Name of the secure tag, created with TagManager's TagValue API.`,
+						},
+						"state": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.`,
+						},
+					},
+				},
+			},
 			"target_service_accounts": {
 				Type:        schema.TypeList,
 				Optional:    true,
@@ -356,6 +398,12 @@ func resourceComputeFirewallPolicyRuleCreate(d *schema.ResourceData, meta interf
 	} else if v, ok := d.GetOkExists("target_service_accounts"); ok || !reflect.DeepEqual(v, targetServiceAccountsProp) {
 		obj["targetServiceAccounts"] = targetServiceAccountsProp
 	}
+	targetSecureTagsProp, err := expandComputeFirewallPolicyRuleTargetSecureTags(d.Get("target_secure_tags"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("target_secure_tags"); ok || !reflect.DeepEqual(v, targetSecureTagsProp) {
+		obj["targetSecureTags"] = targetSecureTagsProp
+	}
 	disabledProp, err := expandComputeFirewallPolicyRuleDisabled(d.Get("disabled"), d, config)
 	if err != nil {
 		return err
@@ -492,6 +540,9 @@ func resourceComputeFirewallPolicyRuleRead(d *schema.ResourceData, meta interfac
 	if err := d.Set("target_service_accounts", flattenComputeFirewallPolicyRuleTargetServiceAccounts(res["targetServiceAccounts"], d, config)); err != nil {
 		return fmt.Errorf("Error reading FirewallPolicyRule: %s", err)
 	}
+	if err := d.Set("target_secure_tags", flattenComputeFirewallPolicyRuleTargetSecureTags(res["targetSecureTags"], d, config)); err != nil {
+		return fmt.Errorf("Error reading FirewallPolicyRule: %s", err)
+	}
 	if err := d.Set("disabled", flattenComputeFirewallPolicyRuleDisabled(res["disabled"], d, config)); err != nil {
 		return fmt.Errorf("Error reading FirewallPolicyRule: %s", err)
 	}
@@ -569,6 +620,12 @@ func resourceComputeFirewallPolicyRuleUpdate(d *schema.ResourceData, meta interf
 	} else if v, ok := d.GetOkExists("target_service_accounts"); ok || !reflect.DeepEqual(v, targetServiceAccountsProp) {
 		obj["targetServiceAccounts"] = targetServiceAccountsProp
 	}
+	targetSecureTagsProp, err := expandComputeFirewallPolicyRuleTargetSecureTags(d.Get("target_secure_tags"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("target_secure_tags"); ok || !reflect.DeepEqual(v, targetSecureTagsProp) {
+		obj["targetSecureTags"] = targetSecureTagsProp
+	}
 	disabledProp, err := expandComputeFirewallPolicyRuleDisabled(d.Get("disabled"), d, config)
 	if err != nil {
 		return err
@@ -765,6 +822,8 @@ func flattenComputeFirewallPolicyRuleMatch(v interface{}, d *schema.ResourceData
 		flattenComputeFirewallPolicyRuleMatchDestThreatIntelligences(original["destThreatIntelligences"], d, config)
 	transformed["src_threat_intelligences"] =
 		flattenComputeFirewallPolicyRuleMatchSrcThreatIntelligences(original["srcThreatIntelligences"], d, config)
+	transformed["src_secure_tags"] =
+		flattenComputeFirewallPolicyRuleMatchSrcSecureTags(original["srcSecureTags"], d, config)
 	return []interface{}{transformed}
 }
 func flattenComputeFirewallPolicyRuleMatchSrcIpRanges(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -846,6 +905,33 @@ func flattenComputeFirewallPolicyRuleMatchSrcThreatIntelligences(v interface{},
 	return v
 }
 
+func flattenComputeFirewallPolicyRuleMatchSrcSecureTags(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed = append(transformed, map[string]interface{}{
+			"name":  flattenComputeFirewallPolicyRuleMatchSrcSecureTagsName(original["name"], d, config),
+			"state": flattenComputeFirewallPolicyRuleMatchSrcSecureTagsState(original["state"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenComputeFirewallPolicyRuleMatchSrcSecureTagsName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenComputeFirewallPolicyRuleMatchSrcSecureTagsState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenComputeFirewallPolicyRuleAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -891,6 +977,33 @@ func flattenComputeFirewallPolicyRuleTargetServiceAccounts(v interface{}, d *sch
 	return v
 }
 
+func flattenComputeFirewallPolicyRuleTargetSecureTags(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed = append(transformed, map[string]interface{}{
+			"name":  flattenComputeFirewallPolicyRuleTargetSecureTagsName(original["name"], d, config),
+			"state": flattenComputeFirewallPolicyRuleTargetSecureTagsState(original["state"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenComputeFirewallPolicyRuleTargetSecureTagsName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenComputeFirewallPolicyRuleTargetSecureTagsState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenComputeFirewallPolicyRuleDisabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1010,6 +1123,13 @@ func expandComputeFirewallPolicyRuleMatch(v interface{}, d tpgresource.Terraform
 		transformed["srcThreatIntelligences"] = transformedSrcThreatIntelligences
 	}
 
+	transformedSrcSecureTags, err := expandComputeFirewallPolicyRuleMatchSrcSecureTags(original["src_secure_tags"], d, config)
+	if err != nil {
+		return nil, err
+	} else {
+		transformed["srcSecureTags"] = transformedSrcSecureTags
+	}
+
 	return transformed, nil
 }
 
@@ -1102,6 +1222,43 @@ func expandComputeFirewallPolicyRuleMatchSrcThreatIntelligences(v interface{}, d
 	return v, nil
 }
 
+func expandComputeFirewallPolicyRuleMatchSrcSecureTags(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	req := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		if raw == nil {
+			continue
+		}
+		original := raw.(map[string]interface{})
+		transformed := make(map[string]interface{})
+
+		transformedName, err := expandComputeFirewallPolicyRuleMatchSrcSecureTagsName(original["name"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["name"] = transformedName
+		}
+
+		transformedState, err := expandComputeFirewallPolicyRuleMatchSrcSecureTagsState(original["state"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedState); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["state"] = transformedState
+		}
+
+		req = append(req, transformed)
+	}
+	return req, nil
+}
+
+func expandComputeFirewallPolicyRuleMatchSrcSecureTagsName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandComputeFirewallPolicyRuleMatchSrcSecureTagsState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandComputeFirewallPolicyRuleAction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -1130,6 +1287,43 @@ func expandComputeFirewallPolicyRuleTargetServiceAccounts(v interface{}, d tpgre
 	return v, nil
 }
 
+func expandComputeFirewallPolicyRuleTargetSecureTags(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	req := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		if raw == nil {
+			continue
+		}
+		original := raw.(map[string]interface{})
+		transformed := make(map[string]interface{})
+
+		transformedName, err := expandComputeFirewallPolicyRuleTargetSecureTagsName(original["name"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["name"] = transformedName
+		}
+
+		transformedState, err := expandComputeFirewallPolicyRuleTargetSecureTagsState(original["state"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedState); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["state"] = transformedState
+		}
+
+		req = append(req, transformed)
+	}
+	return req, nil
+}
+
+func expandComputeFirewallPolicyRuleTargetSecureTagsName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandComputeFirewallPolicyRuleTargetSecureTagsState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandComputeFirewallPolicyRuleDisabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
 
@@ -27,10 +27,14 @@ fields:
   - field: 'match.src_network_scope'
   - field: 'match.src_networks'
   - field: 'match.src_region_codes'
+  - field: 'match.src_secure_tags.name'
+  - field: 'match.src_secure_tags.state'
   - field: 'match.src_threat_intelligences'
   - field: 'priority'
   - field: 'rule_tuple_count'
   - field: 'security_profile_group'
   - field: 'target_resources'
+  - field: 'target_secure_tags.name'
+  - field: 'target_secure_tags.state'
   - field: 'target_service_accounts'
   - field: 'tls_inspect'
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+compute: added `match.src_secure_tags` and `target_secure_tags` fields to `google_compute_firewall_policy_rule` resource
	`3`	+```