Added support for NAT64 when configuring Router NAT (#13522) (#23078)

[upstream:00ab6404f070cb339d540ed2f594eb0afc28b889]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/13522.txt

@@ -0,0 +1,6 @@
+```release-note:enhancement
+compute: added `source_subnetwork_ip_ranges_to_nat64` and `nat64_subnetwork` fields  to `google_compute_router_nat` resource
+```
+```release-note:enhancement
+dns: added `dns64_config` field  to `google_dns_policy` resource
+```

google/services/compute/resource_compute_router_nat.go

@@ -351,6 +351,14 @@ This field can only be set when enableDynamicPortAllocation is enabled.`,
 				Optional:    true,
 				Description: `Minimum number of ports allocated to a VM from this NAT. Defaults to 64 for static port allocation and 32 dynamic port allocation if not set.`,
 			},
+			"nat64_subnetwork": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Description: `One or more subnetwork NAT configurations whose traffic should be translated by NAT64 Gateway.
+Only used if 'source_subnetwork_ip_ranges_to_nat64' is set to 'LIST_OF_IPV6_SUBNETWORKS'`,
+				Elem: computeRouterNatNat64SubnetworkSchema(),
+				Set:  computeRouterNatSubnetworkHash,
+			},
 			"nat_ip_allocate_option": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -389,6 +397,16 @@ the number of resources can be increased/decreased without triggering the 'resou
 				Elem:        computeRouterNatRulesSchema(),
 				Set:         computeRouterNatRulesHash,
 			},
+			"source_subnetwork_ip_ranges_to_nat64": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"ALL_IPV6_SUBNETWORKS", "LIST_OF_IPV6_SUBNETWORKS", ""}),
+				Description: `Specify the Nat option for NAT64, which can take one of the following values:
+ALL_IPV6_SUBNETWORKS: All of the IP ranges in every Subnetwork are allowed to Nat.
+LIST_OF_IPV6_SUBNETWORKS: A list of Subnetworks are allowed to Nat (specified in the field nat64Subnetwork below).
+Note that if this field contains NAT64_ALL_V6_SUBNETWORKS no other Router.Nat section in this region can also enable NAT64 for any Subnetworks in this network.
+Other Router.Nat sections can still be present to enable NAT44 only. Possible values: ["ALL_IPV6_SUBNETWORKS", "LIST_OF_IPV6_SUBNETWORKS"]`,
+			},
 			"subnetwork": {
 				Type:     schema.TypeSet,
 				Optional: true,
@@ -484,6 +502,19 @@ sourceIpRangesToNat`,
 	}
 }
 
+func computeRouterNatNat64SubnetworkSchema() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
+				Description:      `Self-link of the subnetwork resource that will use NAT64`,
+			},
+		},
+	}
+}
+
 func computeRouterNatRulesSchema() *schema.Resource {
 	return &schema.Resource{
 		Schema: map[string]*schema.Schema{
@@ -629,6 +660,18 @@ func resourceComputeRouterNatCreate(d *schema.ResourceData, meta interface{}) er
 	} else if v, ok := d.GetOkExists("subnetwork"); ok || !reflect.DeepEqual(v, subnetworksProp) {
 		obj["subnetworks"] = subnetworksProp
 	}
+	sourceSubnetworkIpRangesToNat64Prop, err := expandNestedComputeRouterNatSourceSubnetworkIpRangesToNat64(d.Get("source_subnetwork_ip_ranges_to_nat64"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("source_subnetwork_ip_ranges_to_nat64"); !tpgresource.IsEmptyValue(reflect.ValueOf(sourceSubnetworkIpRangesToNat64Prop)) && (ok || !reflect.DeepEqual(v, sourceSubnetworkIpRangesToNat64Prop)) {
+		obj["sourceSubnetworkIpRangesToNat64"] = sourceSubnetworkIpRangesToNat64Prop
+	}
+	nat64SubnetworksProp, err := expandNestedComputeRouterNatNat64Subnetwork(d.Get("nat64_subnetwork"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("nat64_subnetwork"); ok || !reflect.DeepEqual(v, nat64SubnetworksProp) {
+		obj["nat64Subnetworks"] = nat64SubnetworksProp
+	}
 	minPortsPerVmProp, err := expandNestedComputeRouterNatMinPortsPerVm(d.Get("min_ports_per_vm"), d, config)
 	if err != nil {
 		return err
@@ -885,6 +928,12 @@ func resourceComputeRouterNatRead(d *schema.ResourceData, meta interface{}) erro
 	if err := d.Set("subnetwork", flattenNestedComputeRouterNatSubnetwork(res["subnetworks"], d, config)); err != nil {
 		return fmt.Errorf("Error reading RouterNat: %s", err)
 	}
+	if err := d.Set("source_subnetwork_ip_ranges_to_nat64", flattenNestedComputeRouterNatSourceSubnetworkIpRangesToNat64(res["sourceSubnetworkIpRangesToNat64"], d, config)); err != nil {
+		return fmt.Errorf("Error reading RouterNat: %s", err)
+	}
+	if err := d.Set("nat64_subnetwork", flattenNestedComputeRouterNatNat64Subnetwork(res["nat64Subnetworks"], d, config)); err != nil {
+		return fmt.Errorf("Error reading RouterNat: %s", err)
+	}
 	if err := d.Set("min_ports_per_vm", flattenNestedComputeRouterNatMinPortsPerVm(res["minPortsPerVm"], d, config)); err != nil {
 		return fmt.Errorf("Error reading RouterNat: %s", err)
 	}
@@ -977,6 +1026,18 @@ func resourceComputeRouterNatUpdate(d *schema.ResourceData, meta interface{}) er
 	} else if v, ok := d.GetOkExists("subnetwork"); ok || !reflect.DeepEqual(v, subnetworksProp) {
 		obj["subnetworks"] = subnetworksProp
 	}
+	sourceSubnetworkIpRangesToNat64Prop, err := expandNestedComputeRouterNatSourceSubnetworkIpRangesToNat64(d.Get("source_subnetwork_ip_ranges_to_nat64"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("source_subnetwork_ip_ranges_to_nat64"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, sourceSubnetworkIpRangesToNat64Prop)) {
+		obj["sourceSubnetworkIpRangesToNat64"] = sourceSubnetworkIpRangesToNat64Prop
+	}
+	nat64SubnetworksProp, err := expandNestedComputeRouterNatNat64Subnetwork(d.Get("nat64_subnetwork"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("nat64_subnetwork"); ok || !reflect.DeepEqual(v, nat64SubnetworksProp) {
+		obj["nat64Subnetworks"] = nat64SubnetworksProp
+	}
 	minPortsPerVmProp, err := expandNestedComputeRouterNatMinPortsPerVm(d.Get("min_ports_per_vm"), d, config)
 	if err != nil {
 		return err
@@ -1290,6 +1351,35 @@ func flattenNestedComputeRouterNatSubnetworkSecondaryIpRangeNames(v interface{},
 	return schema.NewSet(schema.HashString, v.([]interface{}))
 }
 
+func flattenNestedComputeRouterNatSourceSubnetworkIpRangesToNat64(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNestedComputeRouterNatNat64Subnetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := schema.NewSet(computeRouterNatSubnetworkHash, []interface{}{})
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed.Add(map[string]interface{}{
+			"name": flattenNestedComputeRouterNatNat64SubnetworkName(original["name"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenNestedComputeRouterNatNat64SubnetworkName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	return tpgresource.ConvertSelfLinkToV1(v.(string))
+}
+
 func flattenNestedComputeRouterNatMinPortsPerVm(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	// Handles the string fixed64 format
 	if strVal, ok := v.(string); ok {
@@ -1648,6 +1738,41 @@ func expandNestedComputeRouterNatSubnetworkSecondaryIpRangeNames(v interface{},
 	return v, nil
 }
 
+func expandNestedComputeRouterNatSourceSubnetworkIpRangesToNat64(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNestedComputeRouterNatNat64Subnetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	v = v.(*schema.Set).List()
+	l := v.([]interface{})
+	req := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		if raw == nil {
+			continue
+		}
+		original := raw.(map[string]interface{})
+		transformed := make(map[string]interface{})
+
+		transformedName, err := expandNestedComputeRouterNatNat64SubnetworkName(original["name"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["name"] = transformedName
+		}
+
+		req = append(req, transformed)
+	}
+	return req, nil
+}
+
+func expandNestedComputeRouterNatNat64SubnetworkName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	f, err := tpgresource.ParseRegionalFieldValue("subnetworks", v.(string), "project", "region", "zone", d, config, true)
+	if err != nil {
+		return nil, fmt.Errorf("Invalid value for name: %s", err)
+	}
+	return f.RelativeLink(), nil
+}
+
 func expandNestedComputeRouterNatMinPortsPerVm(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -2021,6 +2146,8 @@ func resourceComputeRouterNatPatchUpdateEncoder(d *schema.ResourceData, meta int
 		"drainNatIps":                      struct{}{},
 		"sourceSubnetworkIpRangesToNat":    struct{}{},
 		"subnetworks":                      struct{}{},
+		"sourceSubnetworkIpRangesToNat64":  struct{}{},
+		"nat64Subnetworks":                 struct{}{},
 		"minPortsPerVm":                    struct{}{},
 		"maxPortsPerVm":                    struct{}{},
 		"enableDynamicPortAllocation":      struct{}{},

google/services/compute/resource_compute_router_nat_generated_meta.yaml

@@ -17,6 +17,8 @@ fields:
   - field: 'max_ports_per_vm'
   - field: 'min_ports_per_vm'
   - field: 'name'
+  - field: 'nat64_subnetwork.name'
+    api_field: 'nat64_subnetworks.name'
   - field: 'nat_ip_allocate_option'
   - field: 'nat_ips'
   - field: 'region'
@@ -31,6 +33,7 @@ fields:
   - field: 'rules.match'
   - field: 'rules.rule_number'
   - field: 'source_subnetwork_ip_ranges_to_nat'
+  - field: 'source_subnetwork_ip_ranges_to_nat64'
   - field: 'subnetwork.name'
     api_field: 'subnetworks.name'
   - field: 'subnetwork.secondary_ip_range_names'

google/services/compute/resource_compute_router_nat_test.go

@@ -813,6 +813,38 @@ func testAccCheckComputeRouterNatDelete(t *testing.T, n string) resource.TestChe
 	}
 }
 
+func TestAccComputeRouterNat_withNat64Configuration(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeRouterNatDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRouterNatWithNat64Configuration(context),
+			},
+			{
+				ResourceName:      "google_compute_router_nat.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccComputeRouterNatWithNat64ConfigurationUpdate(context),
+			},
+			{
+				ResourceName:      "google_compute_router_nat.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccComputeRouterNatBasic(routerName string) string {
 	return fmt.Sprintf(`
 resource "google_compute_network" "foobar" {
@@ -2063,3 +2095,136 @@ resource "google_compute_router_nat" "foobar" {
 }
 `, testAccComputeRouterNatBaseResourcesWithPrivateNatSubnetworks(routerName, hubName), routerName)
 }
+
+func testAccComputeRouterNatWithNat64Configuration(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_dns_policy" "foobar" {
+  name                      = "tf-test-example-policy%{random_suffix}"
+  enable_inbound_forwarding = false
+  enable_logging            = false
+
+  dns64_config {
+    scope {
+      all_queries = true
+    }
+  }
+  networks {
+    network_url = google_compute_network.foobar.id
+  }
+}
+
+resource "google_compute_network" "foobar" {
+  name                     = "tf-test-network%{random_suffix}"
+  enable_ula_internal_ipv6 = true
+  auto_create_subnetworks  = false
+}
+
+resource "google_compute_subnetwork" "foobar" {
+  name          = "tf-test-subnetwork-%{random_suffix}"
+  network       = google_compute_network.foobar.self_link
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+}
+
+resource "google_compute_subnetwork" "foobar2" {
+  name             = "tf-test-subnetwork-2-%{random_suffix}"
+  network          = google_compute_network.foobar.self_link
+  ip_cidr_range    = "10.182.0.0/20"
+  ipv6_access_type = "EXTERNAL"
+  stack_type       = "IPV4_IPV6"
+  region           = "us-central1"
+}
+
+resource "google_compute_router" "foobar" {
+  name    = "tf-test-router%{random_suffix}"
+  region  = google_compute_subnetwork.foobar.region
+  network = google_compute_network.foobar.self_link
+  bgp {
+    asn = 64514
+  }
+}
+
+resource "google_compute_router_nat" "foobar" {
+  name                   = "tf-test-router-nat%{random_suffix}"
+  router                 = google_compute_router.foobar.name
+  region                 = google_compute_router.foobar.region
+  nat_ip_allocate_option = "AUTO_ONLY"
+  
+  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
+  subnetwork {
+    name                    = google_compute_subnetwork.foobar.name
+    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
+  }
+
+  source_subnetwork_ip_ranges_to_nat64 = "ALL_IPV6_SUBNETWORKS"
+}
+`, context)
+}
+
+func testAccComputeRouterNatWithNat64ConfigurationUpdate(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_dns_policy" "foobar" {
+  name                      = "tf-test-example-policy%{random_suffix}"
+  enable_inbound_forwarding = false
+  enable_logging            = false
+
+  dns64_config {
+    scope {
+      all_queries = true
+    }
+  }
+  networks {
+    network_url = google_compute_network.foobar.id
+  }
+}
+
+resource "google_compute_network" "foobar" {
+  name                     = "tf-test-network%{random_suffix}"
+  enable_ula_internal_ipv6 = true
+  auto_create_subnetworks  = false
+}
+
+resource "google_compute_subnetwork" "foobar" {
+  name          = "tf-test-subnetwork-%{random_suffix}"
+  network       = google_compute_network.foobar.self_link
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+}
+
+resource "google_compute_subnetwork" "foobar2" {
+  name             = "tf-test-subnetwork-2-%{random_suffix}"
+  network          = google_compute_network.foobar.self_link
+  ip_cidr_range    = "10.182.0.0/20"
+  ipv6_access_type = "EXTERNAL"
+  stack_type       = "IPV4_IPV6"
+  region           = "us-central1"
+}
+
+resource "google_compute_router" "foobar" {
+  name    = "tf-test-router%{random_suffix}"
+  region  = google_compute_subnetwork.foobar.region
+  network = google_compute_network.foobar.self_link
+  bgp {
+    asn = 64514
+  }
+}
+
+resource "google_compute_router_nat" "foobar" {
+  name                   = "tf-test-router-nat%{random_suffix}"
+  router                 = google_compute_router.foobar.name
+  region                 = google_compute_router.foobar.region
+  nat_ip_allocate_option = "AUTO_ONLY"
+  
+  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
+  subnetwork {
+    name                    = google_compute_subnetwork.foobar.name
+    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
+  }
+  
+  source_subnetwork_ip_ranges_to_nat64 = "LIST_OF_IPV6_SUBNETWORKS"
+  nat64_subnetwork {
+    name = google_compute_subnetwork.foobar2.name
+  }
+}
+`, context)
+}