Added new profile type "URL_FILTERING" for SecurityProfile (#13342) (#10829)

[upstream:571484033a581bd2b8289ba6b8da527012f4db95]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/13342.txt

@@ -0,0 +1,9 @@
+```release-note:enhancement
+networksecurity: added `URL_FILTERING` option to enum field `type` for `google_network_security_security_profile` resource
+```
+```release-note:enhancement
+networksecurity: added `url_filtering_profile` field  to `google_network_security_security_profile` resource (beta)
+```
+```release-note:enhancement
+networksecurity: added `url_filtering_profile` field  to `google_network_security_security_profile_group` resource (beta)
+```

google-beta/services/networksecurity/resource_network_security_security_profile.go

@@ -67,8 +67,8 @@ func ResourceNetworkSecuritySecurityProfile() *schema.Resource {
 				Type:         schema.TypeString,
 				Required:     true,
 				ForceNew:     true,
-				ValidateFunc: verify.ValidateEnum([]string{"THREAT_PREVENTION", "CUSTOM_MIRRORING", "CUSTOM_INTERCEPT"}),
-				Description:  `The type of security profile. Possible values: ["THREAT_PREVENTION", "CUSTOM_MIRRORING", "CUSTOM_INTERCEPT"]`,
+				ValidateFunc: verify.ValidateEnum([]string{"THREAT_PREVENTION", "URL_FILTERING", "CUSTOM_MIRRORING", "CUSTOM_INTERCEPT"}),
+				Description:  `The type of security profile. Possible values: ["THREAT_PREVENTION", "URL_FILTERING", "CUSTOM_MIRRORING", "CUSTOM_INTERCEPT"]`,
 			},
 			"custom_intercept_profile": {
 				Type:     schema.TypeList,
@@ -86,7 +86,7 @@ Format: projects/{project_id}/locations/global/interceptEndpointGroups/{endpoint
 						},
 					},
 				},
-				ConflictsWith: []string{"threat_prevention_profile", "custom_mirroring_profile"},
+				ConflictsWith: []string{"threat_prevention_profile", "url_filtering_profile", "custom_mirroring_profile"},
 			},
 			"custom_mirroring_profile": {
 				Type:     schema.TypeList,
@@ -104,7 +104,7 @@ Format: projects/{project_id}/locations/global/mirroringEndpointGroups/{endpoint
 						},
 					},
 				},
-				ConflictsWith: []string{"threat_prevention_profile", "custom_intercept_profile"},
+				ConflictsWith: []string{"threat_prevention_profile", "url_filtering_profile", "custom_intercept_profile"},
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -168,7 +168,27 @@ and threat overrides, the threat overrides action is applied.`,
 						},
 					},
 				},
-				ConflictsWith: []string{"custom_mirroring_profile", "custom_intercept_profile"},
+				ConflictsWith: []string{"url_filtering_profile", "custom_mirroring_profile", "custom_intercept_profile"},
+			},
+			"url_filtering_profile": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `The url filtering configuration for the security profile.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"url_filters": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Description: `The configuration for action to take based on domain name match.
+A domain name would be checked for matching filters through the list in order of highest to lowest priority,
+and the first filter that a domain name matches with is the one whose actions gets applied.`,
+							Elem: networksecuritySecurityProfileUrlFilteringProfileUrlFiltersSchema(),
+							// Default schema.HashSchema is used.
+						},
+					},
+				},
+				ConflictsWith: []string{"threat_prevention_profile", "custom_mirroring_profile", "custom_intercept_profile"},
 			},
 			"create_time": {
 				Type:        schema.TypeString,
@@ -271,6 +291,35 @@ func networksecuritySecurityProfileThreatPreventionProfileAntivirusOverridesSche
 	}
 }
 
+func networksecuritySecurityProfileUrlFilteringProfileUrlFiltersSchema() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"filtering_action": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"ALLOW", "DENY"}),
+				Description:  `The action to take when the filter is applied. Possible values: ["ALLOW", "DENY"]`,
+			},
+			"priority": {
+				Type:     schema.TypeInt,
+				Required: true,
+				Description: `The priority of the filter within the URL filtering profile.
+Must be an integer from 0 and 2147483647, inclusive. Lower integers indicate higher priorities.
+The priority of a filter must be unique within a URL filtering profile.`,
+			},
+			"urls": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Description: `A list of domain matcher strings that a domain name gets compared with to determine if the filter is applicable.
+A domain name must match with at least one of the strings in the list for a filter to be applicable.`,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+		},
+	}
+}
+
 func resourceNetworkSecuritySecurityProfileCreate(d *schema.ResourceData, meta interface{}) error {
 	var project string
 	config := meta.(*transport_tpg.Config)
@@ -292,6 +341,12 @@ func resourceNetworkSecuritySecurityProfileCreate(d *schema.ResourceData, meta i
 	} else if v, ok := d.GetOkExists("threat_prevention_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(threatPreventionProfileProp)) && (ok || !reflect.DeepEqual(v, threatPreventionProfileProp)) {
 		obj["threatPreventionProfile"] = threatPreventionProfileProp
 	}
+	urlFilteringProfileProp, err := expandNetworkSecuritySecurityProfileUrlFilteringProfile(d.Get("url_filtering_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("url_filtering_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(urlFilteringProfileProp)) && (ok || !reflect.DeepEqual(v, urlFilteringProfileProp)) {
+		obj["urlFilteringProfile"] = urlFilteringProfileProp
+	}
 	customMirroringProfileProp, err := expandNetworkSecuritySecurityProfileCustomMirroringProfile(d.Get("custom_mirroring_profile"), d, config)
 	if err != nil {
 		return err
@@ -420,6 +475,9 @@ func resourceNetworkSecuritySecurityProfileRead(d *schema.ResourceData, meta int
 	if err := d.Set("threat_prevention_profile", flattenNetworkSecuritySecurityProfileThreatPreventionProfile(res["threatPreventionProfile"], d, config)); err != nil {
 		return fmt.Errorf("Error reading SecurityProfile: %s", err)
 	}
+	if err := d.Set("url_filtering_profile", flattenNetworkSecuritySecurityProfileUrlFilteringProfile(res["urlFilteringProfile"], d, config)); err != nil {
+		return fmt.Errorf("Error reading SecurityProfile: %s", err)
+	}
 	if err := d.Set("custom_mirroring_profile", flattenNetworkSecuritySecurityProfileCustomMirroringProfile(res["customMirroringProfile"], d, config)); err != nil {
 		return fmt.Errorf("Error reading SecurityProfile: %s", err)
 	}
@@ -462,6 +520,12 @@ func resourceNetworkSecuritySecurityProfileUpdate(d *schema.ResourceData, meta i
 	} else if v, ok := d.GetOkExists("threat_prevention_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, threatPreventionProfileProp)) {
 		obj["threatPreventionProfile"] = threatPreventionProfileProp
 	}
+	urlFilteringProfileProp, err := expandNetworkSecuritySecurityProfileUrlFilteringProfile(d.Get("url_filtering_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("url_filtering_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, urlFilteringProfileProp)) {
+		obj["urlFilteringProfile"] = urlFilteringProfileProp
+	}
 	customMirroringProfileProp, err := expandNetworkSecuritySecurityProfileCustomMirroringProfile(d.Get("custom_mirroring_profile"), d, config)
 	if err != nil {
 		return err
@@ -498,6 +562,10 @@ func resourceNetworkSecuritySecurityProfileUpdate(d *schema.ResourceData, meta i
 		updateMask = append(updateMask, "threatPreventionProfile")
 	}
 
+	if d.HasChange("url_filtering_profile") {
+		updateMask = append(updateMask, "urlFilteringProfile")
+	}
+
 	if d.HasChange("custom_mirroring_profile") {
 		updateMask = append(updateMask, "customMirroringProfile")
 	}
@@ -759,6 +827,89 @@ func flattenNetworkSecuritySecurityProfileThreatPreventionProfileAntivirusOverri
 	return v
 }
 
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["url_filters"] =
+		flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFilters(original["urlFilters"], d, config)
+
+	// We check again the length after removing the default url_filter
+	if transformed["url_filters"].(*schema.Set).Len() == 0 {
+		return nil
+	}
+	return []interface{}{transformed}
+}
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFilters(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+
+	// We check if the user included the default filter in his config
+	resourceDataContainsDefaultFilter := false
+	resourceData, ok := d.GetOk("url_filtering_profile.0.url_filters")
+	if ok {
+		for _, raw := range resourceData.(*schema.Set).List() {
+			if raw.(map[string]interface{})["priority"] == 2147483647 {
+				resourceDataContainsDefaultFilter = true
+				break
+			}
+		}
+	}
+
+	l := v.([]interface{})
+	transformed := schema.NewSet(schema.HashResource(networksecuritySecurityProfileUrlFilteringProfileUrlFiltersSchema()), []interface{}{})
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+
+		priorityFlatten := flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersPriority(original["priority"], d, config)
+		// Do not include the auto created default url_filter coming back from the api unless the user included it in his config
+		if priorityFlatten == 2147483647 && !resourceDataContainsDefaultFilter {
+			continue
+		}
+
+		transformed.Add(map[string]interface{}{
+			"filtering_action": flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersFilteringAction(original["filteringAction"], d, config),
+			"urls":             flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersUrls(original["urls"], d, config),
+			"priority":         priorityFlatten,
+		})
+	}
+	return transformed
+}
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersFilteringAction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersUrls(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersPriority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	// Handles the string fixed64 format
+	if strVal, ok := v.(string); ok {
+		if intVal, err := tpgresource.StringToFixed64(strVal); err == nil {
+			return intVal
+		}
+	}
+
+	// number values are represented as float64
+	if floatVal, ok := v.(float64); ok {
+		intVal := int(floatVal)
+		return intVal
+	}
+
+	return v // let terraform core handle it otherwise
+}
+
 func flattenNetworkSecuritySecurityProfileCustomMirroringProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return nil
@@ -990,6 +1141,80 @@ func expandNetworkSecuritySecurityProfileThreatPreventionProfileAntivirusOverrid
 	return v, nil
 }
 
+func expandNetworkSecuritySecurityProfileUrlFilteringProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	if v == nil {
+		return nil, nil
+	}
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedUrlFilters, err := expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFilters(original["url_filters"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedUrlFilters); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["urlFilters"] = transformedUrlFilters
+	}
+
+	return transformed, nil
+}
+
+func expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFilters(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	v = v.(*schema.Set).List()
+	if v == nil {
+		return nil, nil
+	}
+	l := v.([]interface{})
+	req := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		if raw == nil {
+			continue
+		}
+		original := raw.(map[string]interface{})
+		transformed := make(map[string]interface{})
+
+		transformedFilteringAction, err := expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersFilteringAction(original["filtering_action"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedFilteringAction); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["filteringAction"] = transformedFilteringAction
+		}
+
+		transformedUrls, err := expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersUrls(original["urls"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedUrls); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["urls"] = transformedUrls
+		}
+
+		transformedPriority, err := expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersPriority(original["priority"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedPriority); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["priority"] = transformedPriority
+		}
+
+		req = append(req, transformed)
+	}
+	return req, nil
+}
+
+func expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersFilteringAction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersUrls(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecuritySecurityProfileUrlFilteringProfileUrlFiltersPriority(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandNetworkSecuritySecurityProfileCustomMirroringProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	if v == nil {
 		return nil, nil

google-beta/services/networksecurity/resource_network_security_security_profile_generated_meta.yaml

@@ -31,3 +31,6 @@ fields:
   - field: 'threat_prevention_profile.threat_overrides.type'
   - field: 'type'
   - field: 'update_time'
+  - field: 'url_filtering_profile.url_filters.filtering_action'
+  - field: 'url_filtering_profile.url_filters.priority'
+  - field: 'url_filtering_profile.url_filters.urls'

google-beta/services/networksecurity/resource_network_security_security_profile_generated_test.go

@@ -255,6 +255,61 @@ resource "google_network_security_security_profile" "default" {
 `, context)
 }
 
+func TestAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileUrlFilteringExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecuritySecurityProfileDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileUrlFilteringExample(context),
+			},
+			{
+				ResourceName:            "google_network_security_security_profile.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "location", "name", "parent", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccNetworkSecuritySecurityProfile_networkSecuritySecurityProfileUrlFilteringExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_network_security_security_profile" "default" {
+  provider    = google-beta
+  name        = "tf-test-my-security-profile%{random_suffix}"
+  parent      = "organizations/%{org_id}"
+  description = "my description"
+  type        = "URL_FILTERING"
+
+  url_filtering_profile {
+    url_filters {
+      priority = 1
+      filtering_action   = "ALLOW"
+      urls = ["*example.com", "*about.example.com", "*help.example.com"]
+    }
+    url_filters {
+      priority = 2
+      filtering_action   = "DENY"
+      urls = ["*restricted.example.com"]
+    }
+  }
+
+  labels = {
+    foo = "bar"
+  }
+}
+`, context)
+}
+
 func testAccCheckNetworkSecuritySecurityProfileDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {