Add NON_GCP_PRIVATE_IP_PORT as networkEndpointType for NetworkEndpointGroup (#5684) (#4068)

* Add NON_GCP_PRIVATE_IP_PORT as networkEndpointType for NetworkEndpointGroup

* Fix the Network Endpoint Group non-GCP example

* Make networkEndpoint instance optional, handle, and add example

* Put the hybrid endpoint in the hybrid NEG

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/5684.txt

@@ -0,0 +1,6 @@
+```release-note:enhancement
+compute: add `NON_GCP_PRIVATE_IP_PORT` value for `network_endpoint_type` in the `google_compute_network_endpoint_group` resource
+```
+```release-note:enhancement
+compute: Update `instance` attribute for `google_compute_network_endpoint` to be optional, as Hybrid connectivity NEGs use network endpoints with just IP and Port.
+```

google-beta/resource_compute_global_forwarding_rule_generated_test.go

@@ -667,6 +667,141 @@ resource "google_compute_backend_service" "default" {
 `, context)
 }
 
+func TestAccComputeGlobalForwardingRule_globalForwardingRuleHybridExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckComputeGlobalForwardingRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeGlobalForwardingRule_globalForwardingRuleHybridExample(context),
+			},
+			{
+				ResourceName:            "google_compute_global_forwarding_rule.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"network", "port_range", "target"},
+			},
+		},
+	})
+}
+
+func testAccComputeGlobalForwardingRule_globalForwardingRuleHybridExample(context map[string]interface{}) string {
+	return Nprintf(`
+// Roughly mirrors https://cloud.google.com/load-balancing/docs/https/setting-up-ext-https-hybrid
+
+resource "google_compute_network" "default" {
+  name                    = "tf-test-my-network%{random_suffix}"
+}
+
+// Zonal NEG with GCE_VM_IP_PORT
+resource "google_compute_network_endpoint_group" "default" {
+  name                  = "tf-test-default-neg%{random_suffix}"
+  network               = google_compute_network.default.id
+  default_port          = "90"
+  zone                  = "us-central1-a"
+  network_endpoint_type = "GCE_VM_IP_PORT"
+}
+
+// Hybrid connectivity NEG
+resource "google_compute_network_endpoint_group" "hybrid" {
+  name                  = "tf-test-hybrid-neg%{random_suffix}"
+  network               = google_compute_network.default.id
+  default_port          = "90"
+  zone                  = "us-central1-a"
+  network_endpoint_type = "NON_GCP_PRIVATE_IP_PORT"
+}
+
+resource "google_compute_network_endpoint" "hybrid-endpoint" {
+  network_endpoint_group = google_compute_network_endpoint_group.hybrid.name
+  port       = google_compute_network_endpoint_group.hybrid.default_port
+  ip_address = "127.0.0.1"
+}
+
+// Backend service for Zonal NEG
+resource "google_compute_backend_service" "default" {
+  name                  = "tf-test-backend-default%{random_suffix}"
+  port_name             = "http"
+  protocol              = "HTTP"
+  timeout_sec           = 10
+  backend {
+    group = google_compute_network_endpoint_group.default.id
+    balancing_mode               = "RATE"
+    max_rate_per_endpoint        = 10
+  }
+  health_checks = [google_compute_health_check.default.id]
+}
+
+// Backgend service for Hybrid NEG
+resource "google_compute_backend_service" "hybrid" {
+  name                  = "tf-test-backend-hybrid%{random_suffix}"
+  port_name             = "http"
+  protocol              = "HTTP"
+  timeout_sec           = 10
+  backend {
+    group                        = google_compute_network_endpoint_group.hybrid.id
+    balancing_mode               = "RATE"
+    max_rate_per_endpoint = 10
+  }
+  health_checks = [google_compute_health_check.default.id]
+}
+
+resource "google_compute_health_check" "default" {
+  name               = "tf-test-health-check%{random_suffix}"
+  timeout_sec        = 1
+  check_interval_sec = 1
+
+  tcp_health_check {
+    port = "80"
+  }
+}
+
+resource "google_compute_url_map" "default" {
+  name            = "url-map-tf-test-target-proxy%{random_suffix}"
+  description     = "a description"
+  default_service = google_compute_backend_service.default.id
+
+  host_rule {
+    hosts        = ["mysite.com"]
+    path_matcher = "allpaths"
+  }
+
+  path_matcher {
+    name            = "allpaths"
+    default_service = google_compute_backend_service.default.id
+
+    path_rule {
+      paths   = ["/*"]
+      service = google_compute_backend_service.default.id
+    }
+
+    path_rule {
+      paths   = ["/hybrid"]
+      service = google_compute_backend_service.hybrid.id
+    }
+  }
+}
+
+resource "google_compute_target_http_proxy" "default" {
+  name        = "tf-test-target-proxy%{random_suffix}"
+  description = "a description"
+  url_map     = google_compute_url_map.default.id
+}
+
+resource "google_compute_global_forwarding_rule" "default" {
+  name       = "tf-test-global-rule%{random_suffix}"
+  target     = google_compute_target_http_proxy.default.id
+  port_range = "80"
+}
+`, context)
+}
+
 func TestAccComputeGlobalForwardingRule_privateServiceConnectGoogleApisExample(t *testing.T) {
 	t.Parallel()
 

google-beta/resource_compute_network_endpoint.go

@@ -39,15 +39,6 @@ func resourceComputeNetworkEndpoint() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"instance": {
-				Type:             schema.TypeString,
-				Required:         true,
-				ForceNew:         true,
-				DiffSuppressFunc: compareSelfLinkOrResourceName,
-				Description: `The name for a specific VM instance that the IP address belongs to.
-This is required for network endpoints of type GCE_VM_IP_PORT.
-The instance must be in the same zone of network endpoint group.`,
-			},
 			"ip_address": {
 				Type:     schema.TypeString,
 				Required: true,
@@ -69,6 +60,15 @@ range).`,
 				ForceNew:    true,
 				Description: `Port number of network endpoint.`,
 			},
+			"instance": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: compareSelfLinkOrResourceName,
+				Description: `The name for a specific VM instance that the IP address belongs to.
+This is required for network endpoints of type GCE_VM_IP_PORT.
+The instance must be in the same zone of network endpoint group.`,
+			},
 			"zone": {
 				Type:             schema.TypeString,
 				Computed:         true,
@@ -277,7 +277,9 @@ func resourceComputeNetworkEndpointDelete(d *schema.ResourceData, meta interface
 	if err != nil {
 		return err
 	}
-	toDelete["instance"] = instanceProp
+	if instanceProp != "" {
+		toDelete["instance"] = instanceProp
+	}
 
 	portProp, err := expandNestedComputeNetworkEndpointPort(d.Get("port"), d, config)
 	if err != nil {
@@ -320,11 +322,12 @@ func resourceComputeNetworkEndpointDelete(d *schema.ResourceData, meta interface
 
 func resourceComputeNetworkEndpointImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	config := meta.(*Config)
+	// instance is optional, so use * instead of + when reading the import id
 	if err := parseImportId([]string{
-		"projects/(?P<project>[^/]+)/zones/(?P<zone>[^/]+)/networkEndpointGroups/(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]+)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
-		"(?P<project>[^/]+)/(?P<zone>[^/]+)/(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]+)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
-		"(?P<zone>[^/]+)/(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]+)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
-		"(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]+)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
+		"projects/(?P<project>[^/]+)/zones/(?P<zone>[^/]+)/networkEndpointGroups/(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]*)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
+		"(?P<project>[^/]+)/(?P<zone>[^/]+)/(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]*)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
+		"(?P<zone>[^/]+)/(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]*)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
+		"(?P<network_endpoint_group>[^/]+)/(?P<instance>[^/]*)/(?P<ip_address>[^/]+)/(?P<port>[^/]+)",
 	}, d, config); err != nil {
 		return nil, err
 	}

google-beta/resource_compute_network_endpoint_group.go

@@ -78,9 +78,15 @@ you create the resource.`,
 				Type:         schema.TypeString,
 				Optional:     true,
 				ForceNew:     true,
-				ValidateFunc: validateEnum([]string{"GCE_VM_IP_PORT", ""}),
-				Description:  `Type of network endpoints in this network endpoint group. Default value: "GCE_VM_IP_PORT" Possible values: ["GCE_VM_IP_PORT"]`,
-				Default:      "GCE_VM_IP_PORT",
+				ValidateFunc: validateEnum([]string{"GCE_VM_IP_PORT", "NON_GCP_PRIVATE_IP_PORT", ""}),
+				Description: `Type of network endpoints in this network endpoint group. 
+NON_GCP_PRIVATE_IP_PORT is used for hybrid connectivity network 
+endpoint groups (see https://cloud.google.com/load-balancing/docs/hybrid).
+Note that NON_GCP_PRIVATE_IP_PORT can only be used with Backend Services
+that 1) have the following load balancing schemes: EXTERNAL, EXTERNAL_MANAGED,
+INTERNAL_MANAGED, and INTERNAL_SELF_MANAGED and 2) support the RATE or
+CONNECTION balancing modes. Default value: "GCE_VM_IP_PORT" Possible values: ["GCE_VM_IP_PORT", "NON_GCP_PRIVATE_IP_PORT"]`,
+				Default: "GCE_VM_IP_PORT",
 			},
 			"subnetwork": {
 				Type:             schema.TypeString,

google-beta/resource_compute_network_endpoint_group_generated_test.go

@@ -72,6 +72,53 @@ resource "google_compute_subnetwork" "default" {
 `, context)
 }
 
+func TestAccComputeNetworkEndpointGroup_networkEndpointGroupNonGcpExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckComputeNetworkEndpointGroupDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetworkEndpointGroup_networkEndpointGroupNonGcpExample(context),
+			},
+			{
+				ResourceName:            "google_compute_network_endpoint_group.neg",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"network", "subnetwork", "zone"},
+			},
+		},
+	})
+}
+
+func testAccComputeNetworkEndpointGroup_networkEndpointGroupNonGcpExample(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_network_endpoint_group" "neg" {
+  name                  = "tf-test-my-lb-neg%{random_suffix}"
+  network               = google_compute_network.default.id
+  default_port          = "90"
+  zone                  = "us-central1-a"
+  network_endpoint_type = "NON_GCP_PRIVATE_IP_PORT"
+}
+
+resource "google_compute_network_endpoint" "default-endpoint" {
+  network_endpoint_group = google_compute_network_endpoint_group.neg.name
+  port = google_compute_network_endpoint_group.neg.default_port
+  ip_address = "127.0.0.1"
+}
+
+resource "google_compute_network" "default" {
+  name = "tf-test-neg-network%{random_suffix}"
+}
+`, context)
+}
+
 func testAccCheckComputeNetworkEndpointGroupDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {