add billing project id support to firewall endpoint resource (#10122) (#7124)

modular-magician · web-flow · commit bc08799606b1 · 2024-03-19T18:54:56.000-07:00
* add billing project support

* removed description field due to API issue

* test updated and fixed for ADC support

* added ADC warning

* removing ADC

[upstream:8f3a9892f4cfeddbaf4dc8457849e30e6ac49b8e]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/10122.txt b/.changelog/10122.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+networksecurity: added required field `billing_project_id` to `google_network_security_firewall_endpoint` resource. Any configuration without `billing_project_id` specified will cause resource creation fail (beta)
+```
diff --git a/google-beta/services/networksecurity/resource_network_security_firewall_endpoint.go b/google-beta/services/networksecurity/resource_network_security_firewall_endpoint.go
@@ -53,6 +53,11 @@ func ResourceNetworkSecurityFirewallEndpoint() *schema.Resource {
 		),
 
 		Schema: map[string]*schema.Schema{
+			"billing_project_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `Project to bill on endpoint uptime usage.`,
+			},
 			"location": {
 				Type:        schema.TypeString,
 				Required:    true,
@@ -145,6 +150,12 @@ func resourceNetworkSecurityFirewallEndpointCreate(d *schema.ResourceData, meta
 	}
 
 	obj := make(map[string]interface{})
+	billingProjectIdProp, err := expandNetworkSecurityFirewallEndpointBillingProjectId(d.Get("billing_project_id"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("billing_project_id"); !tpgresource.IsEmptyValue(reflect.ValueOf(billingProjectIdProp)) && (ok || !reflect.DeepEqual(v, billingProjectIdProp)) {
+		obj["billingProjectId"] = billingProjectIdProp
+	}
 	labelsProp, err := expandNetworkSecurityFirewallEndpointEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -251,6 +262,9 @@ func resourceNetworkSecurityFirewallEndpointRead(d *schema.ResourceData, meta in
 	if err := d.Set("state", flattenNetworkSecurityFirewallEndpointState(res["state"], d, config)); err != nil {
 		return fmt.Errorf("Error reading FirewallEndpoint: %s", err)
 	}
+	if err := d.Set("billing_project_id", flattenNetworkSecurityFirewallEndpointBillingProjectId(res["billingProjectId"], d, config)); err != nil {
+		return fmt.Errorf("Error reading FirewallEndpoint: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenNetworkSecurityFirewallEndpointTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading FirewallEndpoint: %s", err)
 	}
@@ -272,6 +286,12 @@ func resourceNetworkSecurityFirewallEndpointUpdate(d *schema.ResourceData, meta
 	billingProject := ""
 
 	obj := make(map[string]interface{})
+	billingProjectIdProp, err := expandNetworkSecurityFirewallEndpointBillingProjectId(d.Get("billing_project_id"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("billing_project_id"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, billingProjectIdProp)) {
+		obj["billingProjectId"] = billingProjectIdProp
+	}
 	labelsProp, err := expandNetworkSecurityFirewallEndpointEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -287,6 +307,10 @@ func resourceNetworkSecurityFirewallEndpointUpdate(d *schema.ResourceData, meta
 	log.Printf("[DEBUG] Updating FirewallEndpoint %q: %#v", d.Id(), obj)
 	updateMask := []string{}
 
+	if d.HasChange("billing_project_id") {
+		updateMask = append(updateMask, "billingProjectId")
+	}
+
 	if d.HasChange("effective_labels") {
 		updateMask = append(updateMask, "labels")
 	}
@@ -437,6 +461,10 @@ func flattenNetworkSecurityFirewallEndpointState(v interface{}, d *schema.Resour
 	return v
 }
 
+func flattenNetworkSecurityFirewallEndpointBillingProjectId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenNetworkSecurityFirewallEndpointTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -456,6 +484,10 @@ func flattenNetworkSecurityFirewallEndpointEffectiveLabels(v interface{}, d *sch
 	return v
 }
 
+func expandNetworkSecurityFirewallEndpointBillingProjectId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandNetworkSecurityFirewallEndpointEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil
diff --git a/google-beta/services/networksecurity/resource_network_security_firewall_endpoint_test.go b/google-beta/services/networksecurity/resource_network_security_firewall_endpoint_test.go
@@ -20,6 +20,7 @@ func TestAccNetworkSecurityFirewallEndpoints_basic(t *testing.T) {
 	acctest.SkipIfVcr(t)
 	t.Parallel()
 
+	billingProjectId := envvar.GetTestProjectFromEnv()
 	orgId := envvar.GetTestOrgFromEnv(t)
 	randomSuffix := acctest.RandString(t, 10)
 
@@ -29,7 +30,7 @@ func TestAccNetworkSecurityFirewallEndpoints_basic(t *testing.T) {
 		CheckDestroy:             testAccCheckNetworkSecurityFirewallEndpointDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccNetworkSecurityFirewallEndpoints_basic(orgId, randomSuffix),
+				Config: testAccNetworkSecurityFirewallEndpoints_basic(orgId, billingProjectId, randomSuffix),
 			},
 			{
 				ResourceName:            "google_network_security_firewall_endpoint.foobar",
@@ -38,7 +39,7 @@ func TestAccNetworkSecurityFirewallEndpoints_basic(t *testing.T) {
 				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
 			},
 			{
-				Config: testAccNetworkSecurityFirewallEndpoints_update(orgId, randomSuffix),
+				Config: testAccNetworkSecurityFirewallEndpoints_update(orgId, billingProjectId, randomSuffix),
 			},
 			{
 				ResourceName:            "google_network_security_firewall_endpoint.foobar",
@@ -50,34 +51,38 @@ func TestAccNetworkSecurityFirewallEndpoints_basic(t *testing.T) {
 	})
 }
 
-func testAccNetworkSecurityFirewallEndpoints_basic(orgId string, randomSuffix string) string {
+func testAccNetworkSecurityFirewallEndpoints_basic(orgId string, billingProjectId string, randomSuffix string) string {
 	return fmt.Sprintf(`
 resource "google_network_security_firewall_endpoint" "foobar" {
-    provider = google-beta
-    name     = "tf-test-my-firewall-endpoint%s"
-    parent   = "organizations/%s"
-    location = "us-central1-a"
-
-    labels = {
-        foo = "bar"
-    }
+  provider = google-beta
+
+  name     = "tf-test-my-firewall-endpoint%[1]s"
+  parent   = "organizations/%[2]s"
+  location = "us-central1-a"
+  billing_project_id = "%[3]s"
+
+  labels = {
+    foo = "bar"
+  }
 }
-`, randomSuffix, orgId)
+`, randomSuffix, orgId, billingProjectId)
 }
 
-func testAccNetworkSecurityFirewallEndpoints_update(orgId string, randomSuffix string) string {
+func testAccNetworkSecurityFirewallEndpoints_update(orgId string, billingProjectId string, randomSuffix string) string {
 	return fmt.Sprintf(`
 resource "google_network_security_firewall_endpoint" "foobar" {
-    provider = google-beta
-    name     = "tf-test-my-firewall-endpoint%s"
-    parent   = "organizations/%s"
-    location = "us-central1-a"
-
-    labels = {
-        foo = "bar-updated"
-    }
+  provider = google-beta
+
+  name     = "tf-test-my-firewall-endpoint%[1]s"
+  parent   = "organizations/%[2]s"
+  location = "us-central1-a"
+  billing_project_id = "%[3]s"
+
+  labels = {
+    foo = "bar-updated"
+  }
 }
-`, randomSuffix, orgId)
+`, randomSuffix, orgId, billingProjectId)
 }
 
 func testAccCheckNetworkSecurityFirewallEndpointDestroyProducer(t *testing.T) func(s *terraform.State) error {
diff --git a/website/docs/r/network_security_firewall_endpoint.html.markdown b/website/docs/r/network_security_firewall_endpoint.html.markdown
@@ -35,6 +35,12 @@ To get more information about FirewallEndpoint, see:
     * [Firewall endpoint overview](https://cloud.google.com/firewall/docs/about-firewall-endpoints)
     * [Create and associate firewall endpoints](https://cloud.google.com/firewall/docs/configure-firewall-endpoints)
 
+~> **Warning:** If you are using User ADCs (Application Default Credentials) with this resource,
+you must specify a `billing_project` and set `user_project_override` to true
+in the provider configuration. Otherwise the ACM API will return a 403 error.
+Your account must have the `serviceusage.services.use` permission on the
+`billing_project` you defined.
+
 ## Example Usage - Network Security Firewall Endpoint Basic
 
 
@@ -56,6 +62,10 @@ resource "google_network_security_firewall_endpoint" "default" {
 The following arguments are supported:
 
 
+* `billing_project_id` -
+  (Required)
+  Project to bill on endpoint uptime usage.
+
 * `name` -
   (Required)
   The name of the firewall endpoint resource.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:breaking-change
	`2`	+networksecurity: added required field `billing_project_id` to `google_network_security_firewall_endpoint` resource. Any configuration without `billing_project_id` specified will cause resource creation fail (beta)
	`3`	+```