Fix for (#13677) (#22402)

[upstream:1351767649df52958bbdbe1e60df1a987d82b2c1]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/13677.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+google_compute_network_firewall_policy_rule:  Adding diffsuppress  for Issue 21775
+```

google/services/compute/resource_compute_network_firewall_policy_rule.go

@@ -35,6 +35,16 @@ import (
 	"github.com/hashicorp/terraform-provider-google/google/verify"
 )
 
+func SecurityProfileGroupPrefixSlashes(_, old, new string, _ *schema.ResourceData) bool {
+	if strings.HasPrefix(old, "//") {
+		old = old[1:]
+	}
+	if strings.HasPrefix(new, "//") {
+		new = new[1:]
+	}
+	return old == new
+}
+
 func ResourceComputeNetworkFirewallPolicyRule() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceComputeNetworkFirewallPolicyRuleCreate,
@@ -243,8 +253,9 @@ Note: you cannot enable logging on "goto_next" rules.`,
 				Description: `An optional name for the rule. This field is not a unique identifier and can be updated.`,
 			},
 			"security_profile_group": {
-				Type:     schema.TypeString,
-				Optional: true,
+				Type:             schema.TypeString,
+				Optional:         true,
+				DiffSuppressFunc: SecurityProfileGroupPrefixSlashes,
 				Description: `A fully-qualified URL of a SecurityProfile resource instance.
 Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
 Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.`,

google/services/compute/resource_compute_network_firewall_policy_rule_test.go

@@ -181,8 +181,9 @@ func TestAccComputeNetworkFirewallPolicyRule_securityProfileGroup_update(t *test
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"random_suffix": acctest.RandString(t, 10),
-		"org_name":      fmt.Sprintf("organizations/%s", envvar.GetTestOrgFromEnv(t)),
+		"random_suffix":                 acctest.RandString(t, 10),
+		"org_name":                      fmt.Sprintf("organizations/%s", envvar.GetTestOrgFromEnv(t)),
+		"security_profile_group_prefix": "//",
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -262,6 +263,33 @@ func TestAccComputeNetworkFirewallPolicyRule_secureTags(t *testing.T) {
 	})
 }
 
+func TestAccComputeNetworkFirewallSecurityProfileGroupDiffsuppress(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix":                 acctest.RandString(t, 10),
+		"org_name":                      fmt.Sprintf("organizations/%s", envvar.GetTestOrgFromEnv(t)),
+		"security_profile_group_prefix": "/",
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetworkFirewallPolicyRule_securityProfileGroup_update(context),
+			},
+			{
+				ResourceName:      "google_compute_network_firewall_policy_rule.fw_policy_rule1",
+				ImportState:       true,
+				ImportStateVerify: true,
+				// Referencing using ID causes import to fail
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+		},
+	})
+}
+
 func testAccComputeNetworkFirewallPolicyRule_secureTags(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
@@ -493,7 +521,7 @@ resource "google_compute_network_firewall_policy_rule" "fw_policy_rule1" {
   priority               = 9000
   enable_logging         = true
   action                 = "apply_security_profile_group"
-  security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.security_profile_group_updated.id}"
+  security_profile_group = "%{security_profile_group_prefix}networksecurity.googleapis.com/${google_network_security_security_profile_group.security_profile_group_updated.id}"
   direction              = "INGRESS"
   disabled               = false
   match {