[#20905] Add network scope and src network fields to fw policy rules (#12762) (#20951)

[upstream:22ebcfbc1bce625abe2a1a382af8c6312fc8032e]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12762.txt

@@ -0,0 +1,18 @@
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_firewall_policy_with_rules` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_network_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_network_firewall_policy_with_rules` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_region_network_firewall_policy_rule` resource (beta)
+```
+```release-note:enhancement
+compute: added `dest_network_scope`, `src_network_scope` and `src_networks` fields to `google_compute_region_network_firewall_policy_with_rules` resource (beta)
+```

google/services/compute/resource_compute_firewall_policy_rule_generated_test.go

@@ -35,9 +35,9 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"org_id":          envvar.GetTestOrgFromEnv(t),
-		"service_account": envvar.GetTestServiceAccountFromEnv(t),
-		"random_suffix":   acctest.RandString(t, 10),
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"service_acct":  envvar.GetTestServiceAccountFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -49,7 +49,7 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
 				Config: testAccComputeFirewallPolicyRule_firewallPolicyRuleExample(context),
 			},
 			{
-				ResourceName:            "google_compute_firewall_policy_rule.policy_rule",
+				ResourceName:            "google_compute_firewall_policy_rule.primary",
 				ImportState:             true,
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"firewall_policy"},
@@ -61,7 +61,7 @@ func TestAccComputeFirewallPolicyRule_firewallPolicyRuleExample(t *testing.T) {
 func testAccComputeFirewallPolicyRule_firewallPolicyRuleExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
-  name        = "address%{random_suffix}"
+  name        = "tf-test-address-group%{random_suffix}"
   parent      = "organizations/%{org_id}"
   description = "Sample global networksecurity_address_group"
   location    = "global"
@@ -78,36 +78,111 @@ resource "google_folder" "folder" {
 
 resource "google_compute_firewall_policy" "default" {
   parent      = google_folder.folder.id
-  short_name  = "policy%{random_suffix}"
+  short_name  = "tf-test-fw-policy%{random_suffix}"
   description = "Resource created for Terraform acceptance testing"
 }
 
-resource "google_compute_firewall_policy_rule" "policy_rule" {
+resource "google_compute_firewall_policy_rule" "primary" {
+  firewall_policy         = google_compute_firewall_policy.default.name
+  description             = "Resource created for Terraform acceptance testing"
+  priority                = 9000
+  enable_logging          = true
+  action                  = "allow"
+  direction               = "EGRESS"
+  disabled                = false
+  target_service_accounts = ["%{service_acct}"]
+
+  match {
+    dest_ip_ranges            = ["11.100.0.1/32"]
+    dest_fqdns                = []
+    dest_region_codes         = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
+    src_address_groups        = []
+    dest_address_groups       = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
+    dest_network_scope        = "INTERNET"
+
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports       = [8080]
+    }
+
+    layer4_configs {
+      ip_protocol = "udp"
+      ports       = [22]
+    }
+  }
+}
+`, context)
+}
+
+func TestAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeFirewallPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(context),
+			},
+			{
+				ResourceName:            "google_compute_firewall_policy_rule.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+		},
+	})
+}
+
+func testAccComputeFirewallPolicyRule_firewallPolicyRuleNetworkScopeExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_folder" "folder" {
+  display_name        = "folder%{random_suffix}"
+  parent              = "organizations/%{org_id}"
+  deletion_protection = false
+}
+
+resource "google_compute_firewall_policy" "default" {
+  parent      = google_folder.folder.id
+  short_name  = "tf-test-fw-policy%{random_suffix}"
+  description = "Firewall policy"
+}
+
+resource "google_compute_firewall_policy_rule" "primary" {
   firewall_policy = google_compute_firewall_policy.default.name
-  description     = "Resource created for Terraform acceptance testing"
+  description     = "Firewall policy rule with network scope"
   priority        = 9000
-  enable_logging  = true
   action          = "allow"
-  direction       = "EGRESS"
+  direction       = "INGRESS"
   disabled        = false
 
   match {
+    src_ip_ranges     = ["11.100.0.1/32"]
+    src_network_scope = "VPC_NETWORKS"
+    src_networks      = [google_compute_network.network.id]
+
     layer4_configs {
       ip_protocol = "tcp"
-      ports = [8080]
+      ports       = [8080]
     }
+
     layer4_configs {
       ip_protocol = "udp"
-      ports = [22]
+      ports       = [22]
     }
-    dest_ip_ranges = ["11.100.0.1/32"]
-    dest_fqdns = []
-    dest_region_codes = ["US"]
-    dest_threat_intelligences = ["iplist-known-malicious-ips"]
-    src_address_groups = []
-    dest_address_groups = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
   }
-  target_service_accounts = ["%{service_account}"]
+}
+
+resource "google_compute_network" "network" {
+  name                    = "network%{random_suffix}"
+  auto_create_subnetworks = false
 }
 `, context)
 }

google/services/compute/resource_compute_network_firewall_policy_rule_generated_test.go

@@ -62,7 +62,7 @@ func TestAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleExample(t
 func testAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_network_security_address_group" "basic_global_networksecurity_address_group" {
-  name        = "address%{random_suffix}"
+  name        = "tf-test-address-group%{random_suffix}"
   parent      = "projects/%{project_name}"
   description = "Sample global networksecurity_address_group"
   location    = "global"
@@ -72,7 +72,7 @@ resource "google_network_security_address_group" "basic_global_networksecurity_a
 }
 
 resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
-  name        = "policy%{random_suffix}"
+  name        = "tf-test-fw-policy%{random_suffix}"
   description = "Sample global network firewall policy"
   project     = "%{project_name}"
 }
@@ -89,9 +89,10 @@ resource "google_compute_network_firewall_policy_rule" "primary" {
   target_service_accounts = ["%{service_acct}"]
 
   match {
-    src_ip_ranges = ["10.100.0.1/32"]
-    src_fqdns = ["google.com"]
-    src_region_codes = ["US"]
+    src_address_groups       = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
+    src_ip_ranges            = ["10.100.0.1/32"]
+    src_fqdns                = ["google.com"]
+    src_region_codes         = ["US"]
     src_threat_intelligences = ["iplist-known-malicious-ips"]
 
     src_secure_tags {
@@ -101,8 +102,6 @@ resource "google_compute_network_firewall_policy_rule" "primary" {
     layer4_configs {
       ip_protocol = "all"
     }
-
-    src_address_groups = [google_network_security_address_group.basic_global_networksecurity_address_group.id]
   }
 }
 
@@ -114,7 +113,8 @@ resource "google_tags_tag_key" "basic_key" {
   description = "For keyname resources."
   parent      = "organizations/%{org_id}"
   purpose     = "GCE_FIREWALL"
-  short_name  = "tagkey%{random_suffix}"
+  short_name  = "tf-test-tag-key%{random_suffix}"
+
   purpose_data = {
     network = "%{project_name}/${google_compute_network.basic_network.name}"
   }
@@ -123,7 +123,124 @@ resource "google_tags_tag_key" "basic_key" {
 resource "google_tags_tag_value" "basic_value" {
   description = "For valuename resources."
   parent      = google_tags_tag_key.basic_key.id
-  short_name  = "tagvalue"
+  short_name  = "tf-test-tag-value%{random_suffix}"
+}
+`, context)
+}
+
+func TestAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleNetworkScopeEgressExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_name":  envvar.GetTestProjectFromEnv(),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeNetworkFirewallPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleNetworkScopeEgressExample(context),
+			},
+			{
+				ResourceName:            "google_compute_network_firewall_policy_rule.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+		},
+	})
+}
+
+func testAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleNetworkScopeEgressExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
+  name        = "tf-test-fw-policy%{random_suffix}"
+  description = "Sample global network firewall policy"
+  project     = "%{project_name}"
+}
+
+resource "google_compute_network_firewall_policy_rule" "primary" {
+  action          = "allow"
+  description     = "This is a simple rule description"
+  direction       = "EGRESS"
+  disabled        = false
+  enable_logging  = true
+  firewall_policy = google_compute_network_firewall_policy.basic_network_firewall_policy.name
+  priority        = 1000
+  rule_name       = "test-rule"
+
+  match {
+    dest_ip_ranges     = ["10.100.0.1/32"]
+    dest_network_scope = "INTERNET"
+
+    layer4_configs {
+      ip_protocol = "all"
+    }
+  }
+}
+`, context)
+}
+
+func TestAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleNetworkScopeIngressExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_name":  envvar.GetTestProjectFromEnv(),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeNetworkFirewallPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleNetworkScopeIngressExample(context),
+			},
+			{
+				ResourceName:            "google_compute_network_firewall_policy_rule.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"firewall_policy"},
+			},
+		},
+	})
+}
+
+func testAccComputeNetworkFirewallPolicyRule_networkFirewallPolicyRuleNetworkScopeIngressExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
+  name        = "tf-test-fw-policy%{random_suffix}"
+  description = "Sample global network firewall policy"
+  project     = "%{project_name}"
+}
+
+resource "google_compute_network_firewall_policy_rule" "primary" {
+  action          = "allow"
+  description     = "This is a simple rule description"
+  direction       = "INGRESS"
+  disabled        = false
+  enable_logging  = true
+  firewall_policy = google_compute_network_firewall_policy.basic_network_firewall_policy.name
+  priority        = 1000
+  rule_name       = "test-rule"
+
+  match {
+    src_ip_ranges     = ["11.100.0.1/32"]
+    src_network_scope = "VPC_NETWORKS"
+    src_networks      = [google_compute_network.network.id]
+
+    layer4_configs {
+      ip_protocol = "all"
+    }
+  }
+}
+
+resource "google_compute_network" "network" {
+  name     = "network%{random_suffix}"
 }
 `, context)
 }