Add VPC network support to Security Gateway terraform (#13581) (#22514)

[upstream:942681e33983068cf74fe9e5087e0cdf26d65b64]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/13581.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+beyondcorp: Added `upstreams` fields to `google_beyondcorp_application` resource
+```

google/services/beyondcorp/resource_beyondcorp_application.go

@@ -110,6 +110,49 @@ Hostname and Ports - ("abc.com" and "22"), ("abc.com" and "22,33") etc`,
 				Description: `Optional. An arbitrary user-provided name for the Application resource.
 Cannot exceed 64 characters.`,
 			},
+			"upstreams": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `Optional. List of which upstream resource(s) to forward traffic to.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"egress_policy": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `Optional. Routing policy information.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"regions": {
+										Type:        schema.TypeList,
+										Required:    true,
+										Description: `Required. List of regions where the application sends traffic to.`,
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+						},
+						"network": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `Network to forward traffic to.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"name": {
+										Type:     schema.TypeString,
+										Required: true,
+										Description: `Required. Network name is of the format:
+'projects/{project}/global/networks/{network}'`,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			"create_time": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -156,6 +199,12 @@ func resourceBeyondcorpApplicationCreate(d *schema.ResourceData, meta interface{
 	} else if v, ok := d.GetOkExists("endpoint_matchers"); !tpgresource.IsEmptyValue(reflect.ValueOf(endpointMatchersProp)) && (ok || !reflect.DeepEqual(v, endpointMatchersProp)) {
 		obj["endpointMatchers"] = endpointMatchersProp
 	}
+	upstreamsProp, err := expandBeyondcorpApplicationUpstreams(d.Get("upstreams"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("upstreams"); !tpgresource.IsEmptyValue(reflect.ValueOf(upstreamsProp)) && (ok || !reflect.DeepEqual(v, upstreamsProp)) {
+		obj["upstreams"] = upstreamsProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{BeyondcorpBasePath}}projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications?applicationId={{application_id}}")
 	if err != nil {
@@ -278,6 +327,9 @@ func resourceBeyondcorpApplicationRead(d *schema.ResourceData, meta interface{})
 	if err := d.Set("endpoint_matchers", flattenBeyondcorpApplicationEndpointMatchers(res["endpointMatchers"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Application: %s", err)
 	}
+	if err := d.Set("upstreams", flattenBeyondcorpApplicationUpstreams(res["upstreams"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Application: %s", err)
+	}
 	if err := d.Set("name", flattenBeyondcorpApplicationName(res["name"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Application: %s", err)
 	}
@@ -316,6 +368,12 @@ func resourceBeyondcorpApplicationUpdate(d *schema.ResourceData, meta interface{
 	} else if v, ok := d.GetOkExists("endpoint_matchers"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, endpointMatchersProp)) {
 		obj["endpointMatchers"] = endpointMatchersProp
 	}
+	upstreamsProp, err := expandBeyondcorpApplicationUpstreams(d.Get("upstreams"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("upstreams"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, upstreamsProp)) {
+		obj["upstreams"] = upstreamsProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{BeyondcorpBasePath}}projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications/{{application_id}}")
 	if err != nil {
@@ -333,6 +391,10 @@ func resourceBeyondcorpApplicationUpdate(d *schema.ResourceData, meta interface{
 	if d.HasChange("endpoint_matchers") {
 		updateMask = append(updateMask, "endpointMatchers")
 	}
+
+	if d.HasChange("upstreams") {
+		updateMask = append(updateMask, "upstreams")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -487,6 +549,59 @@ func flattenBeyondcorpApplicationEndpointMatchersPorts(v interface{}, d *schema.
 	return v
 }
 
+func flattenBeyondcorpApplicationUpstreams(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed = append(transformed, map[string]interface{}{
+			"egress_policy": flattenBeyondcorpApplicationUpstreamsEgressPolicy(original["egressPolicy"], d, config),
+			"network":       flattenBeyondcorpApplicationUpstreamsNetwork(original["network"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenBeyondcorpApplicationUpstreamsEgressPolicy(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["regions"] =
+		flattenBeyondcorpApplicationUpstreamsEgressPolicyRegions(original["regions"], d, config)
+	return []interface{}{transformed}
+}
+func flattenBeyondcorpApplicationUpstreamsEgressPolicyRegions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenBeyondcorpApplicationUpstreamsNetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["name"] =
+		flattenBeyondcorpApplicationUpstreamsNetworkName(original["name"], d, config)
+	return []interface{}{transformed}
+}
+func flattenBeyondcorpApplicationUpstreamsNetworkName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenBeyondcorpApplicationName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -535,3 +650,78 @@ func expandBeyondcorpApplicationEndpointMatchersHostname(v interface{}, d tpgres
 func expandBeyondcorpApplicationEndpointMatchersPorts(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandBeyondcorpApplicationUpstreams(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	req := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		if raw == nil {
+			continue
+		}
+		original := raw.(map[string]interface{})
+		transformed := make(map[string]interface{})
+
+		transformedEgressPolicy, err := expandBeyondcorpApplicationUpstreamsEgressPolicy(original["egress_policy"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedEgressPolicy); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["egressPolicy"] = transformedEgressPolicy
+		}
+
+		transformedNetwork, err := expandBeyondcorpApplicationUpstreamsNetwork(original["network"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedNetwork); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["network"] = transformedNetwork
+		}
+
+		req = append(req, transformed)
+	}
+	return req, nil
+}
+
+func expandBeyondcorpApplicationUpstreamsEgressPolicy(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedRegions, err := expandBeyondcorpApplicationUpstreamsEgressPolicyRegions(original["regions"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedRegions); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["regions"] = transformedRegions
+	}
+
+	return transformed, nil
+}
+
+func expandBeyondcorpApplicationUpstreamsEgressPolicyRegions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandBeyondcorpApplicationUpstreamsNetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedName, err := expandBeyondcorpApplicationUpstreamsNetworkName(original["name"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["name"] = transformedName
+	}
+
+	return transformed, nil
+}
+
+func expandBeyondcorpApplicationUpstreamsNetworkName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}

google/services/beyondcorp/resource_beyondcorp_application_generated_meta.yaml

@@ -16,3 +16,5 @@ fields:
   - field: 'security_gateways_id'
     provider_only: true
   - field: 'update_time'
+  - field: 'upstreams.egress_policy.regions'
+  - field: 'upstreams.network.name'

google/services/beyondcorp/resource_beyondcorp_application_generated_test.go

@@ -73,6 +73,59 @@ resource "google_beyondcorp_application" "example" {
 `, context)
 }
 
+func TestAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationVpcExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBeyondcorpApplicationDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationVpcExample(context),
+			},
+			{
+				ResourceName:            "google_beyondcorp_application.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"application_id", "security_gateways_id"},
+			},
+		},
+	})
+}
+
+func testAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationVpcExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+data "google_project" "project" {}
+
+resource "google_beyondcorp_security_gateway" "default" {
+  security_gateway_id = "default%{random_suffix}"
+  display_name = "My Security Gateway resource"
+  hubs { region = "us-central1" }
+}
+
+resource "google_beyondcorp_application" "example" {
+  security_gateways_id = google_beyondcorp_security_gateway.default.security_gateway_id
+  application_id = "tf-test-my-vm-service%{random_suffix}"
+  endpoint_matchers {
+    hostname = "my-vm-service.com"
+  }
+  upstreams {
+    egress_policy {
+      regions = ["us-central1"]
+    }
+    network {
+        name = "projects/${data.google_project.project.project_id}/global/networks/default"
+    }
+  }
+}
+`, context)
+}
+
 func testAccCheckBeyondcorpApplicationDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/beyondcorp_application.html.markdown

@@ -48,6 +48,39 @@ resource "google_beyondcorp_application" "example" {
   }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=beyondcorp_security_gateway_application_vpc&open_in_editor=main.tf" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Beyondcorp Security Gateway Application Vpc
+
+
+```hcl
+data "google_project" "project" {}
+
+resource "google_beyondcorp_security_gateway" "default" {
+  security_gateway_id = "default"
+  display_name = "My Security Gateway resource"
+  hubs { region = "us-central1" }
+}
+
+resource "google_beyondcorp_application" "example" {
+  security_gateways_id = google_beyondcorp_security_gateway.default.security_gateway_id
+  application_id = "my-vm-service"
+  endpoint_matchers {
+    hostname = "my-vm-service.com"
+  }
+  upstreams {
+    egress_policy {
+      regions = ["us-central1"]
+    }
+    network {
+        name = "projects/${data.google_project.project.project_id}/global/networks/default"
+    }
+  }
+}
+```
 
 ## Argument Reference
 
@@ -99,10 +132,41 @@ The following arguments are supported:
   Optional. An arbitrary user-provided name for the Application resource.
   Cannot exceed 64 characters.
 
+* `upstreams` -
+  (Optional)
+  Optional. List of which upstream resource(s) to forward traffic to.
+  Structure is [documented below](#nested_upstreams).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
 
+<a name="nested_upstreams"></a>The `upstreams` block supports:
+
+* `egress_policy` -
+  (Optional)
+  Optional. Routing policy information.
+  Structure is [documented below](#nested_upstreams_upstreams_egress_policy).
+
+* `network` -
+  (Optional)
+  Network to forward traffic to.
+  Structure is [documented below](#nested_upstreams_upstreams_network).
+
+
+<a name="nested_upstreams_upstreams_egress_policy"></a>The `egress_policy` block supports:
+
+* `regions` -
+  (Required)
+  Required. List of regions where the application sends traffic to.
+
+<a name="nested_upstreams_upstreams_network"></a>The `network` block supports:
+
+* `name` -
+  (Required)
+  Required. Network name is of the format:
+  `projects/{project}/global/networks/{network}`
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: