Create Tls Inspection Policy resource and update Gateway Security Policy to use the field tlsInspectionPolicy (#7880) (#5615)

* adding the resources, the examples and the tests

* updates in the tsl resource, added fix in the tests files, but not creating the tls resource, just the ca pool

* adding a todo for certificate authority

* adding the resource of certificate, need to fix the error while deleting

* fixed the creation of ca and capool, receiving error 13 for tls creation

* removing advanced example, adding capool fields for tests, failing in tls creation

* updating the ca_pool to add into the tls, not working

* fix the tests, concurrency problem, solved with depends_on field

* updating the gateway security policy to use tls inpection policy

* fixing the test scenario for tls_inspection basic

* fix a typo in documentation for tls resource and the name of file test

* adding a new field in the resource and in the test scenario, adding a todo for a field with a resource not implemented

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/7880.txt

@@ -0,0 +1,4 @@
+```release-note:enhancement
+`google_network_security_gateway_security_policy`
+`google_network_security_tls_inspection_policy`
+```

google-beta/provider.go

@@ -807,9 +807,9 @@ func Provider() *schema.Provider {
 	return provider
 }
 
-// Generated resources: 338
+// Generated resources: 339
 // Generated IAM resources: 219
-// Total generated resources: 557
+// Total generated resources: 558
 func ResourceMap() map[string]*schema.Resource {
 	resourceMap, _ := ResourceMapWithErrors()
 	return resourceMap
@@ -1247,6 +1247,7 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_network_security_client_tls_policy":                    ResourceNetworkSecurityClientTlsPolicy(),
 			"google_network_security_gateway_security_policy":              ResourceNetworkSecurityGatewaySecurityPolicy(),
 			"google_network_security_gateway_security_policy_rule":         ResourceNetworkSecurityGatewaySecurityPolicyRule(),
+			"google_network_security_tls_inspection_policy":                ResourceNetworkSecurityTlsInspectionPolicy(),
 			"google_network_security_url_lists":                            ResourceNetworkSecurityUrlLists(),
 			"google_network_services_edge_cache_keyset":                    ResourceNetworkServicesEdgeCacheKeyset(),
 			"google_network_services_edge_cache_origin":                    ResourceNetworkServicesEdgeCacheOrigin(),

google-beta/resource_network_security_gateway_security_policy.go

@@ -63,6 +63,11 @@ gatewaySecurityPolicy should match the pattern:(^a-z?$).`,
 The default value is 'global'.`,
 				Default: "global",
 			},
+			"tls_inspection_policy": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `Name of a TlsInspectionPolicy resource that defines how TLS inspection is performed for any rule that enables it.`,
+			},
 			"create_time": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -107,6 +112,12 @@ func resourceNetworkSecurityGatewaySecurityPolicyCreate(d *schema.ResourceData,
 	} else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
 		obj["description"] = descriptionProp
 	}
+	tlsInspectionPolicyProp, err := expandNetworkSecurityGatewaySecurityPolicyTlsInspectionPolicy(d.Get("tls_inspection_policy"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tls_inspection_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(tlsInspectionPolicyProp)) && (ok || !reflect.DeepEqual(v, tlsInspectionPolicyProp)) {
+		obj["tlsInspectionPolicy"] = tlsInspectionPolicyProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{NetworkSecurityBasePath}}projects/{{project}}/locations/{{location}}/gatewaySecurityPolicies?gatewaySecurityPolicyId={{name}}")
 	if err != nil {
@@ -226,6 +237,12 @@ func resourceNetworkSecurityGatewaySecurityPolicyUpdate(d *schema.ResourceData,
 	} else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
 		obj["description"] = descriptionProp
 	}
+	tlsInspectionPolicyProp, err := expandNetworkSecurityGatewaySecurityPolicyTlsInspectionPolicy(d.Get("tls_inspection_policy"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tls_inspection_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, tlsInspectionPolicyProp)) {
+		obj["tlsInspectionPolicy"] = tlsInspectionPolicyProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{NetworkSecurityBasePath}}projects/{{project}}/locations/{{location}}/gatewaySecurityPolicies/{{name}}")
 	if err != nil {
@@ -238,6 +255,10 @@ func resourceNetworkSecurityGatewaySecurityPolicyUpdate(d *schema.ResourceData,
 	if d.HasChange("description") {
 		updateMask = append(updateMask, "description")
 	}
+
+	if d.HasChange("tls_inspection_policy") {
+		updateMask = append(updateMask, "tlsInspectionPolicy")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -353,3 +374,7 @@ func flattenNetworkSecurityGatewaySecurityPolicyDescription(v interface{}, d *sc
 func expandNetworkSecurityGatewaySecurityPolicyDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandNetworkSecurityGatewaySecurityPolicyTlsInspectionPolicy(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}

google-beta/resource_network_security_gateway_security_policy_generated_test.go

@@ -46,7 +46,7 @@ func TestAccNetworkSecurityGatewaySecurityPolicy_networkSecurityGatewaySecurityP
 				ResourceName:            "google_network_security_gateway_security_policy.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"name", "location"},
+				ImportStateVerifyIgnore: []string{"tls_inspection_policy", "name", "location"},
 			},
 		},
 	})
@@ -63,6 +63,115 @@ resource "google_network_security_gateway_security_policy" "default" {
 `, context)
 }
 
+func TestAccNetworkSecurityGatewaySecurityPolicy_networkSecurityGatewaySecurityPolicyTlsInspectionBasicExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": RandString(t, 10),
+	}
+
+	VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecurityGatewaySecurityPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecurityGatewaySecurityPolicy_networkSecurityGatewaySecurityPolicyTlsInspectionBasicExample(context),
+			},
+			{
+				ResourceName:            "google_network_security_gateway_security_policy.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"tls_inspection_policy", "name", "location"},
+			},
+		},
+	})
+}
+
+func testAccNetworkSecurityGatewaySecurityPolicy_networkSecurityGatewaySecurityPolicyTlsInspectionBasicExample(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_privateca_ca_pool" "default" {
+  provider = google-beta
+  name      = "tf-test-my-basic-ca-pool%{random_suffix}"
+  location  = "us-central1"
+  tier     = "DEVOPS"
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl = false
+  }
+  issuance_policy {
+    maximum_lifetime = "1209600s"
+    baseline_values {
+      ca_options {
+        is_ca = false
+      }
+      key_usage {
+        base_key_usage {}
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+}
+
+
+resource "google_privateca_certificate_authority" "default" {
+  provider = google-beta
+  pool = google_privateca_ca_pool.default.name
+  certificate_authority_id = "tf-test-my-basic-certificate-authority%{random_suffix}"
+  location = "us-central1"
+  lifetime = "86400s"
+  type = "SELF_SIGNED"
+  deletion_protection = false
+  skip_grace_period = true
+  ignore_active_certificates_on_deletion = true
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name = "my-ca"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+resource "google_network_security_tls_inspection_policy" "default" {
+  provider = google-beta
+  name     = "tf-test-my-tls-inspection-policy%{random_suffix}"
+  location = "us-central1"
+  ca_pool  = google_privateca_ca_pool.default.id
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+}
+
+resource "google_network_security_gateway_security_policy" "default" {
+  provider    = google-beta
+  name        = "tf-test-my-gateway-security-policy%{random_suffix}"
+  location    = "us-central1"
+  description = "my description"
+  tls_inspection_policy = google_network_security_tls_inspection_policy.default.id
+  depends_on = [google_network_security_tls_inspection_policy.default]
+}
+`, context)
+}
+
 func testAccCheckNetworkSecurityGatewaySecurityPolicyDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {