Add Network Firewall Policy Policy Packet Mirroring Rule resource (#12855) (#21196)

[upstream:bc0b2a950500c7b7ac185e34a3706e6c9f393ce9]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12855.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+`google_compute_network_firewall_policy_packet_mirroring_rule` (beta)
+```

google/services/compute/resource_compute_network_firewall_policy_packet_mirroring_rule_test.go

@@ -0,0 +1,3 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+package compute_test

website/docs/r/compute_network_firewall_policy_packet_mirroring_rule.html.markdown

@@ -0,0 +1,290 @@
+---
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in
+#     .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+subcategory: "Compute Engine"
+description: |-
+  Represents a packet mirroring rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (mirror or do_not_mirror).
+---
+
+# google_compute_network_firewall_policy_packet_mirroring_rule
+
+Represents a packet mirroring rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (mirror or do_not_mirror).
+
+~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
+See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
+
+To get more information about NetworkFirewallPolicyPacketMirroringRule, see:
+
+* [API documentation](https://cloud.google.com/compute/docs/reference/rest/beta/networkFirewallPolicies/addPacketMirroringRule)
+
+## Example Usage - Compute Network Firewall Policy Packet Mirroring Rule
+
+
+```hcl
+data "google_project" "project" {
+  provider = google-beta
+}
+
+resource "google_compute_network" "default" {
+  provider                = google-beta
+  name                    = "fw-network"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
+  provider    = google-beta
+  name        = "fw-policy"
+  description = "Sample global network firewall policy"
+  project     = "my-project-name"
+}
+
+resource "google_compute_network_firewall_policy_packet_mirroring_rule" "primary" {
+  provider                = google-beta
+  action                  = "mirror"
+  description             = "This is a simple packet mirroring rule description"
+  direction               = "INGRESS"
+  disabled                = false
+  firewall_policy         = google_compute_network_firewall_policy.basic_network_firewall_policy.name
+  priority                = 1000
+  rule_name               = "test-rule"
+
+  match {
+    src_ip_ranges = ["10.100.0.1/32"]
+    layer4_configs {
+      ip_protocol = "all"
+    }
+  }
+  security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.security_profile_group_1.id}"
+
+  target_secure_tags {
+    name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
+  }
+}
+
+resource "google_network_security_mirroring_deployment_group" "default" {
+  provider                      = google-beta
+  mirroring_deployment_group_id = "deployment-group"
+  location                      = "global"
+  network                       = google_compute_network.default.id
+}
+
+resource "google_network_security_mirroring_endpoint_group" "default" {
+  provider                      = google-beta
+  mirroring_endpoint_group_id   = "endpoint-group"
+  location                      = "global"
+  mirroring_deployment_group    = google_network_security_mirroring_deployment_group.default.id
+}
+
+resource "google_network_security_security_profile" "default" {
+  provider    = google-beta
+  name        = "sec-profile"
+  parent      = "organizations/123456789"
+  description = "my description"
+  type        = "CUSTOM_MIRRORING"
+
+  custom_mirroring_profile {
+    mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.default.id
+  }
+}
+
+resource "google_network_security_security_profile_group" "security_profile_group_1" {
+  provider                 = google-beta
+  name                     = "sec-profile-group"
+  parent                   = "organizations/123456789"
+  description              = "my description"
+  custom_mirroring_profile = google_network_security_security_profile.default.id
+}
+
+resource "google_tags_tag_key" "secure_tag_key_1" {
+  provider    = google-beta
+  description = "Test tag key description"
+  parent      = "organizations/123456789"
+  purpose     = "GCE_FIREWALL"
+  short_name  = "tag-key"
+  purpose_data = {
+    network = "my-project-name/${google_compute_network.default.name}"
+  }
+}
+
+resource "google_tags_tag_value" "secure_tag_value_1" {
+  provider    = google-beta
+  description = "Test tag value description."
+  parent      = google_tags_tag_key.secure_tag_key_1.id
+  short_name  = "tag-value"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `priority` -
+  (Required)
+  An integer indicating the priority of a rule in the list.
+  The priority must be a positive value between 0 and 2147483647.
+  Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
+
+* `match` -
+  (Required)
+  A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
+  Structure is [documented below](#nested_match).
+
+* `action` -
+  (Required)
+  The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
+
+* `direction` -
+  (Required)
+  The direction in which this rule applies.
+  Possible values are: `INGRESS`, `EGRESS`.
+
+* `firewall_policy` -
+  (Required)
+  The firewall policy of the resource.
+
+
+<a name="nested_match"></a>The `match` block supports:
+
+* `src_ip_ranges` -
+  (Optional)
+  CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
+
+* `dest_ip_ranges` -
+  (Optional)
+  CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
+
+* `layer4_configs` -
+  (Required)
+  Pairs of IP protocols and ports that the rule should match.
+  Structure is [documented below](#nested_match_layer4_configs).
+
+
+<a name="nested_match_layer4_configs"></a>The `layer4_configs` block supports:
+
+* `ip_protocol` -
+  (Required)
+  The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule.
+  This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
+
+* `ports` -
+  (Optional)
+  An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port.
+  Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
+
+- - -
+
+
+* `rule_name` -
+  (Optional)
+  An optional name for the rule. This field is not a unique identifier and can be updated.
+
+* `description` -
+  (Optional)
+  An optional description for this resource.
+
+* `security_profile_group` -
+  (Optional)
+  A fully-qualified URL of a SecurityProfile resource instance.
+  Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
+  Must be specified if action = 'mirror' and cannot be specified for other actions.
+
+* `target_secure_tags` -
+  (Optional)
+  A list of secure tags that controls which instances the firewall rule applies to.
+  If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored.
+  targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
+  Structure is [documented below](#nested_target_secure_tags).
+
+* `tls_inspect` -
+  (Optional)
+  Boolean flag indicating if the traffic should be TLS decrypted.
+  Can be set only if action = 'mirror' and cannot be set for other actions.
+
+* `disabled` -
+  (Optional)
+  Denotes whether the firewall policy rule is disabled.
+  When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
+  If this is unspecified, the firewall policy rule will be enabled.
+
+* `project` - (Optional) The ID of the project in which the resource belongs.
+    If it is not provided, the provider project is used.
+
+
+<a name="nested_target_secure_tags"></a>The `target_secure_tags` block supports:
+
+* `name` -
+  (Optional)
+  Name of the secure tag, created with TagManager's TagValue API.
+  diff_suppress_func: 'tpgresource.CompareSelfLinkOrResourceName'
+
+* `state` -
+  (Output)
+  State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+* `id` - an identifier for the resource with format `projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}`
+
+* `creation_timestamp` -
+  Creation timestamp in RFC3339 text format.
+
+* `kind` -
+  Type of the resource. Always `compute#packetMirroringRule` for firewall policy packet mirroring rules
+
+* `rule_tuple_count` -
+  Calculation of the complexity of a single firewall policy rule.
+
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
+
+- `create` - Default is 20 minutes.
+- `update` - Default is 20 minutes.
+- `delete` - Default is 20 minutes.
+
+## Import
+
+
+NetworkFirewallPolicyPacketMirroringRule can be imported using any of these accepted formats:
+
+* `projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}`
+* `{{project}}/{{firewall_policy}}/{{priority}}`
+* `{{firewall_policy}}/{{priority}}`
+
+
+In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import NetworkFirewallPolicyPacketMirroringRule using one of the formats above. For example:
+
+```tf
+import {
+  id = "projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}"
+  to = google_compute_network_firewall_policy_packet_mirroring_rule.default
+}
+```
+
+When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), NetworkFirewallPolicyPacketMirroringRule can be imported using one of the formats above. For example:
+
+```
+$ terraform import google_compute_network_firewall_policy_packet_mirroring_rule.default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}
+$ terraform import google_compute_network_firewall_policy_packet_mirroring_rule.default {{project}}/{{firewall_policy}}/{{priority}}
+$ terraform import google_compute_network_firewall_policy_packet_mirroring_rule.default {{firewall_policy}}/{{priority}}
+```
+
+## User Project Overrides
+
+This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).