adds NGFW support for google_network_security_tls_inspection_policy resource (#9864) (#7368)

[upstream:ebfd96bd8d7a1f13c352a2645d02407da4317021]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

google-beta/services/networksecurity/resource_network_security_tls_inspection_policy.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
 	transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
+	"github.com/hashicorp/terraform-provider-google-beta/google-beta/verify"
 )
 
 func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
@@ -64,6 +65,14 @@ func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
 				Required:    true,
 				Description: `Short name of the TlsInspectionPolicy resource to be created.`,
 			},
+			"custom_tls_features": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.`,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"description": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -79,6 +88,24 @@ func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
 				Optional:    true,
 				Description: `The location of the tls inspection policy.`,
 			},
+			"min_tls_version": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"TLS_VERSION_UNSPECIFIED", "TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3", ""}),
+				Description:  `Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. Possible values: ["TLS_VERSION_UNSPECIFIED", "TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]`,
+			},
+			"tls_feature_profile": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"PROFILE_UNSPECIFIED", "PROFILE_COMPATIBLE", "PROFILE_MODERN", "PROFILE_RESTRICTED", "PROFILE_CUSTOM", ""}),
+				Description:  `The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (\"PROFILE_COMPATIBLE\"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. Possible values: ["PROFILE_UNSPECIFIED", "PROFILE_COMPATIBLE", "PROFILE_MODERN", "PROFILE_RESTRICTED", "PROFILE_CUSTOM"]`,
+			},
+			"trust_config": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				DiffSuppressFunc: tpgresource.ProjectNumberDiffSuppress,
+				Description:      `A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form \"projects/{project}/locations/{location}/trustConfigs/{trust_config}\". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.`,
+			},
 			"create_time": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -120,6 +147,30 @@ func resourceNetworkSecurityTlsInspectionPolicyCreate(d *schema.ResourceData, me
 	} else if v, ok := d.GetOkExists("ca_pool"); !tpgresource.IsEmptyValue(reflect.ValueOf(caPoolProp)) && (ok || !reflect.DeepEqual(v, caPoolProp)) {
 		obj["caPool"] = caPoolProp
 	}
+	trustConfigProp, err := expandNetworkSecurityTlsInspectionPolicyTrustConfig(d.Get("trust_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("trust_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(trustConfigProp)) && (ok || !reflect.DeepEqual(v, trustConfigProp)) {
+		obj["trustConfig"] = trustConfigProp
+	}
+	minTlsVersionProp, err := expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(d.Get("min_tls_version"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("min_tls_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(minTlsVersionProp)) && (ok || !reflect.DeepEqual(v, minTlsVersionProp)) {
+		obj["minTlsVersion"] = minTlsVersionProp
+	}
+	tlsFeatureProfileProp, err := expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(d.Get("tls_feature_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tls_feature_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(tlsFeatureProfileProp)) && (ok || !reflect.DeepEqual(v, tlsFeatureProfileProp)) {
+		obj["tlsFeatureProfile"] = tlsFeatureProfileProp
+	}
+	customTlsFeaturesProp, err := expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(d.Get("custom_tls_features"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_tls_features"); !tpgresource.IsEmptyValue(reflect.ValueOf(customTlsFeaturesProp)) && (ok || !reflect.DeepEqual(v, customTlsFeaturesProp)) {
+		obj["customTlsFeatures"] = customTlsFeaturesProp
+	}
 	excludePublicCaSetProp, err := expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(d.Get("exclude_public_ca_set"), d, config)
 	if err != nil {
 		return err
@@ -237,6 +288,18 @@ func resourceNetworkSecurityTlsInspectionPolicyRead(d *schema.ResourceData, meta
 	if err := d.Set("ca_pool", flattenNetworkSecurityTlsInspectionPolicyCaPool(res["caPool"], d, config)); err != nil {
 		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
 	}
+	if err := d.Set("trust_config", flattenNetworkSecurityTlsInspectionPolicyTrustConfig(res["trustConfig"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
+	if err := d.Set("min_tls_version", flattenNetworkSecurityTlsInspectionPolicyMinTlsVersion(res["minTlsVersion"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
+	if err := d.Set("tls_feature_profile", flattenNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(res["tlsFeatureProfile"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
+	if err := d.Set("custom_tls_features", flattenNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(res["customTlsFeatures"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
 	if err := d.Set("exclude_public_ca_set", flattenNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(res["excludePublicCaSet"], d, config)); err != nil {
 		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
 	}
@@ -272,6 +335,30 @@ func resourceNetworkSecurityTlsInspectionPolicyUpdate(d *schema.ResourceData, me
 	} else if v, ok := d.GetOkExists("ca_pool"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, caPoolProp)) {
 		obj["caPool"] = caPoolProp
 	}
+	trustConfigProp, err := expandNetworkSecurityTlsInspectionPolicyTrustConfig(d.Get("trust_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("trust_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, trustConfigProp)) {
+		obj["trustConfig"] = trustConfigProp
+	}
+	minTlsVersionProp, err := expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(d.Get("min_tls_version"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("min_tls_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, minTlsVersionProp)) {
+		obj["minTlsVersion"] = minTlsVersionProp
+	}
+	tlsFeatureProfileProp, err := expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(d.Get("tls_feature_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tls_feature_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, tlsFeatureProfileProp)) {
+		obj["tlsFeatureProfile"] = tlsFeatureProfileProp
+	}
+	customTlsFeaturesProp, err := expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(d.Get("custom_tls_features"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_tls_features"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, customTlsFeaturesProp)) {
+		obj["customTlsFeatures"] = customTlsFeaturesProp
+	}
 	excludePublicCaSetProp, err := expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(d.Get("exclude_public_ca_set"), d, config)
 	if err != nil {
 		return err
@@ -296,6 +383,22 @@ func resourceNetworkSecurityTlsInspectionPolicyUpdate(d *schema.ResourceData, me
 		updateMask = append(updateMask, "caPool")
 	}
 
+	if d.HasChange("trust_config") {
+		updateMask = append(updateMask, "trustConfig")
+	}
+
+	if d.HasChange("min_tls_version") {
+		updateMask = append(updateMask, "minTlsVersion")
+	}
+
+	if d.HasChange("tls_feature_profile") {
+		updateMask = append(updateMask, "tlsFeatureProfile")
+	}
+
+	if d.HasChange("custom_tls_features") {
+		updateMask = append(updateMask, "customTlsFeatures")
+	}
+
 	if d.HasChange("exclude_public_ca_set") {
 		updateMask = append(updateMask, "excludePublicCaSet")
 	}
@@ -434,6 +537,22 @@ func flattenNetworkSecurityTlsInspectionPolicyCaPool(v interface{}, d *schema.Re
 	return v
 }
 
+func flattenNetworkSecurityTlsInspectionPolicyTrustConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecurityTlsInspectionPolicyMinTlsVersion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -446,6 +565,22 @@ func expandNetworkSecurityTlsInspectionPolicyCaPool(v interface{}, d tpgresource
 	return v, nil
 }
 
+func expandNetworkSecurityTlsInspectionPolicyTrustConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google-beta/services/networksecurity/resource_network_security_tls_inspection_policy_generated_test.go

@@ -136,6 +136,166 @@ resource "google_network_security_tls_inspection_policy" "default" {
 `, context)
 }
 
+func TestAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecurityTlsInspectionPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample(context),
+			},
+			{
+				ResourceName:            "google_network_security_tls_inspection_policy.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"location", "name"},
+			},
+		},
+	})
+}
+
+func testAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_privateca_ca_pool" "default" {
+  provider = google-beta
+  name     = "tf-test-my-basic-ca-pool%{random_suffix}"
+  location = "us-central1"
+  tier     = "DEVOPS"
+
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl = false
+  }
+
+  issuance_policy {
+    maximum_lifetime = "1209600s"
+    baseline_values {
+      ca_options {
+        is_ca = false
+      }
+      key_usage {
+        base_key_usage {}
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+}
+
+resource "google_privateca_certificate_authority" "default" {
+  provider = google-beta
+  pool     = google_privateca_ca_pool.default.name
+
+  certificate_authority_id = "tf-test-my-basic-certificate-authority%{random_suffix}"
+  location                 = "us-central1"
+  lifetime                 = "86400s"
+  type                     = "SELF_SIGNED"
+  deletion_protection      = false
+  skip_grace_period        = true
+
+  ignore_active_certificates_on_deletion = true
+
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name  = "my-ca"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+resource "google_project_service_identity" "ns_sa" {
+  provider = google-beta
+  service  = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "default" {
+  provider = google-beta
+  ca_pool  = google_privateca_ca_pool.default.id
+  role     = "roles/privateca.certificateManager"
+  member   = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
+resource "google_certificate_manager_trust_config" "default" {
+  provider    = google-beta
+  name        = "tf-test-my-trust-config%{random_suffix}"
+  description = "sample trust config description"
+  location    = "us-central1"
+
+  trust_stores {
+    trust_anchors {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+    intermediate_cas {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+  }
+}
+
+resource "google_network_security_tls_inspection_policy" "default" {
+  provider = google-beta
+  name     = "tf-test-my-tls-inspection-policy%{random_suffix}"
+  location = "us-central1"
+  ca_pool  = google_privateca_ca_pool.default.id
+
+  exclude_public_ca_set = false
+  min_tls_version       = "TLS_1_0"
+  trust_config          = google_certificate_manager_trust_config.default.id
+  tls_feature_profile   = "PROFILE_CUSTOM"
+
+  custom_tls_features = [
+    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    "TLS_RSA_WITH_AES_128_CBC_SHA",
+    "TLS_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_RSA_WITH_AES_256_CBC_SHA",
+    "TLS_RSA_WITH_AES_256_GCM_SHA384",
+  ]
+
+  depends_on = [
+    google_privateca_certificate_authority.default,
+    google_privateca_ca_pool_iam_member.default,
+  ]
+}
+`, context)
+}
+
 func testAccCheckNetworkSecurityTlsInspectionPolicyDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {