networkconnectivity: add producer_instance_location and allowed_google_producers_resource_hierarchy_level to psc_config for google_network_connectivity_service_connection_policy (#14170) (#23240)

[upstream:2c7c0b93979b2287c6f9c4b606d3eca57cf2c89e]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14170.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+networkconnectivity: add `psc_config.producer_instance_location` and `psc_config.allowed_google_producers_resource_hierarchy_level` fields to `google_network_connectivity_service_connection_policy`
+```

google/services/networkconnectivity/resource_network_connectivity_service_connection_policies_test.go

@@ -22,12 +22,14 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
 )
 
 func TestAccNetworkConnectivityServiceConnectionPolicy_update(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
+		"org_id":                      envvar.GetTestOrgFromEnv(t),
 		"networkProducerName":         fmt.Sprintf("tf-test-network-%s", acctest.RandString(t, 10)),
 		"subnetworkProducerName1":     fmt.Sprintf("tf-test-subnet-producer-%s", acctest.RandString(t, 10)),
 		"subnetworkProducerName2":     fmt.Sprintf("tf-test-subnet-producer-%s", acctest.RandString(t, 10)),
@@ -117,8 +119,12 @@ resource "google_network_connectivity_service_connection_policy" "default" {
   service_class = "gcp-memorystore-redis"
   network = google_compute_network.producer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.producer_subnet1.id]
-    limit = 4
+    producer_instance_location                        = "CUSTOM_RESOURCE_HIERARCHY_LEVELS"
+    subnetworks                                       = [google_compute_subnetwork.producer_subnet1.id]
+    limit                                             = 4
+    allowed_google_producers_resource_hierarchy_level = [
+		"organizations/%{org_id}",
+    ]
   }
   labels      = {
     foo = "bar"

google/services/networkconnectivity/resource_network_connectivity_service_connection_policy.go

@@ -113,11 +113,35 @@ Please refer to the field 'effective_labels' for all of the labels present on th
 								Type: schema.TypeString,
 							},
 						},
+						"allowed_google_producers_resource_hierarchy_level": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Description: `List of Projects, Folders, or Organizations from where the Producer instance can be within. For example,
+a network administrator can provide both 'organizations/foo' and 'projects/bar' as
+allowed_google_producers_resource_hierarchy_levels. This allowlists this network to connect with any Producer
+instance within the 'foo' organization or the 'bar' project. By default,
+allowedGoogleProducersResourceHierarchyLevel is empty. The format for each
+allowedGoogleProducersResourceHierarchyLevel is / where is one of 'projects', 'folders', or 'organizations'
+and is either the ID or the number of the resource type. Format for each
+allowedGoogleProducersResourceHierarchyLevel value: 'projects/' or 'folders/' or 'organizations/' Eg.
+[projects/my-project-id, projects/567, folders/891, organizations/123]`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
 						"limit": {
 							Type:        schema.TypeString,
 							Optional:    true,
 							Description: `Max number of PSC connections for this policy.`,
 						},
+						"producer_instance_location": {
+							Type:         schema.TypeString,
+							Computed:     true,
+							Optional:     true,
+							ValidateFunc: verify.ValidateEnum([]string{"PRODUCER_INSTANCE_LOCATION_UNSPECIFIED", "CUSTOM_RESOURCE_HIERARCHY_LEVELS", ""}),
+							Description: `ProducerInstanceLocation is used to specify which authorization mechanism to use to determine which projects
+the Producer instance can be within. Possible values: ["PRODUCER_INSTANCE_LOCATION_UNSPECIFIED", "CUSTOM_RESOURCE_HIERARCHY_LEVELS"]`,
+						},
 					},
 				},
 			},
@@ -669,6 +693,10 @@ func flattenNetworkConnectivityServiceConnectionPolicyPscConfig(v interface{}, d
 	transformed := make(map[string]interface{})
 	transformed["subnetworks"] =
 		flattenNetworkConnectivityServiceConnectionPolicyPscConfigSubnetworks(original["subnetworks"], d, config)
+	transformed["producer_instance_location"] =
+		flattenNetworkConnectivityServiceConnectionPolicyPscConfigProducerInstanceLocation(original["producerInstanceLocation"], d, config)
+	transformed["allowed_google_producers_resource_hierarchy_level"] =
+		flattenNetworkConnectivityServiceConnectionPolicyPscConfigAllowedGoogleProducersResourceHierarchyLevel(original["allowedGoogleProducersResourceHierarchyLevel"], d, config)
 	transformed["limit"] =
 		flattenNetworkConnectivityServiceConnectionPolicyPscConfigLimit(original["limit"], d, config)
 	return []interface{}{transformed}
@@ -677,6 +705,14 @@ func flattenNetworkConnectivityServiceConnectionPolicyPscConfigSubnetworks(v int
 	return v
 }
 
+func flattenNetworkConnectivityServiceConnectionPolicyPscConfigProducerInstanceLocation(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkConnectivityServiceConnectionPolicyPscConfigAllowedGoogleProducersResourceHierarchyLevel(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenNetworkConnectivityServiceConnectionPolicyPscConfigLimit(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -876,6 +912,20 @@ func expandNetworkConnectivityServiceConnectionPolicyPscConfig(v interface{}, d
 		transformed["subnetworks"] = transformedSubnetworks
 	}
 
+	transformedProducerInstanceLocation, err := expandNetworkConnectivityServiceConnectionPolicyPscConfigProducerInstanceLocation(original["producer_instance_location"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedProducerInstanceLocation); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["producerInstanceLocation"] = transformedProducerInstanceLocation
+	}
+
+	transformedAllowedGoogleProducersResourceHierarchyLevel, err := expandNetworkConnectivityServiceConnectionPolicyPscConfigAllowedGoogleProducersResourceHierarchyLevel(original["allowed_google_producers_resource_hierarchy_level"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAllowedGoogleProducersResourceHierarchyLevel); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["allowedGoogleProducersResourceHierarchyLevel"] = transformedAllowedGoogleProducersResourceHierarchyLevel
+	}
+
 	transformedLimit, err := expandNetworkConnectivityServiceConnectionPolicyPscConfigLimit(original["limit"], d, config)
 	if err != nil {
 		return nil, err
@@ -890,6 +940,14 @@ func expandNetworkConnectivityServiceConnectionPolicyPscConfigSubnetworks(v inte
 	return v, nil
 }
 
+func expandNetworkConnectivityServiceConnectionPolicyPscConfigProducerInstanceLocation(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkConnectivityServiceConnectionPolicyPscConfigAllowedGoogleProducersResourceHierarchyLevel(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandNetworkConnectivityServiceConnectionPolicyPscConfigLimit(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google/services/networkconnectivity/resource_network_connectivity_service_connection_policy_generated_meta.yaml

@@ -17,7 +17,9 @@ fields:
   - field: 'name'
     provider_only: true
   - field: 'network'
+  - field: 'psc_config.allowed_google_producers_resource_hierarchy_level'
   - field: 'psc_config.limit'
+  - field: 'psc_config.producer_instance_location'
   - field: 'psc_config.subnetworks'
   - field: 'psc_connections.consumer_address'
   - field: 'psc_connections.consumer_forwarding_rule'

website/docs/r/network_connectivity_service_connection_policy.html.markdown

@@ -117,6 +117,24 @@ The following arguments are supported:
   (Required)
   IDs of the subnetworks or fully qualified identifiers for the subnetworks
 
+* `producer_instance_location` -
+  (Optional)
+  ProducerInstanceLocation is used to specify which authorization mechanism to use to determine which projects
+  the Producer instance can be within.
+  Possible values are: `PRODUCER_INSTANCE_LOCATION_UNSPECIFIED`, `CUSTOM_RESOURCE_HIERARCHY_LEVELS`.
+
+* `allowed_google_producers_resource_hierarchy_level` -
+  (Optional)
+  List of Projects, Folders, or Organizations from where the Producer instance can be within. For example,
+  a network administrator can provide both 'organizations/foo' and 'projects/bar' as
+  allowed_google_producers_resource_hierarchy_levels. This allowlists this network to connect with any Producer
+  instance within the 'foo' organization or the 'bar' project. By default,
+  allowedGoogleProducersResourceHierarchyLevel is empty. The format for each
+  allowedGoogleProducersResourceHierarchyLevel is / where is one of 'projects', 'folders', or 'organizations'
+  and is either the ID or the number of the resource type. Format for each
+  allowedGoogleProducersResourceHierarchyLevel value: 'projects/' or 'folders/' or 'organizations/' Eg.
+  [projects/my-project-id, projects/567, folders/891, organizations/123]
+
 * `limit` -
   (Optional)
   Max number of PSC connections for this policy.