From 1e9261a3981b3de939e7a601db689f9276e886da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Fri, 14 Jul 2023 10:55:16 -0300 Subject: [PATCH 1/7] adding security_policy field to TargetInstance --- mmv1/products/compute/TargetInstance.yaml | 19 ++++++ ...arget_instance_with_security_policy.tf.erb | 58 +++++++++++++++++++ ...ute_target_instance_security_policy.go.erb | 39 +++++++++++++ 3 files changed, 116 insertions(+) create mode 100644 mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb create mode 100644 mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb diff --git a/mmv1/products/compute/TargetInstance.yaml b/mmv1/products/compute/TargetInstance.yaml index 3ff7681e4ea7..35015e0b700e 100644 --- a/mmv1/products/compute/TargetInstance.yaml +++ b/mmv1/products/compute/TargetInstance.yaml @@ -61,6 +61,18 @@ examples: vars: target_name: 'custom-network' instance_name: 'custom-network-target-vm' + - !ruby/object:Provider::Terraform::Examples + min_version: beta + name: 'target_instance_with_security_policy' + primary_resource_id: 'default' + vars: + network_name: 'custom-default-network' + subnetname_name: 'custom-default-subnet' + instance_name: 'target-vm' + region_sec_policy: 'regionsecpolicy' + target_name: 'target' +custom_code: !ruby/object:Provider::Terraform::CustomCode + post_create: 'templates/terraform/post_create/compute_target_instance_security_policy.go.erb' parameters: - !ruby/object:Api::Type::ResourceRef name: 'zone' @@ -123,3 +135,10 @@ properties: default_value: :NO_NAT values: - :NO_NAT + - !ruby/object:Api::Type::String + name: 'securityPolicy' + min_version: beta + description: | + The resource URL for the security policy associated with this target instance. + immutable: true + min_version: beta 
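Review bot: The `securityPolicy` description added in the second hunk only says the field is a resource URL, while the example registered in the first hunk and the `post_create` hook it points at show more: the policy in use is a `google_compute_region_security_policy` of type `CLOUD_ARMOR_NETWORK`, and it is applied by a separate `setSecurityPolicy` request after the target instance exists, none of which reaches the generated docs. Suggest `The resource URL for the security policy associated with this target instance. In the example this is a regional Cloud Armor network policy; it is applied through the setSecurityPolicy API after the target instance is created.`, worded to match whatever constraints the API actually enforces, which I cannot confirm from here. Separately, the example var `subnetname_name` reads oddly next to `network_name`/`instance_name`; `subnet_name` would match the sibling names.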
diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb new file mode 100644 index 000000000000..614d54820b02 --- /dev/null +++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb 
@@ -0,0 +1,58 @@
+resource "google_compute_network" "default" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['network_name'] %>"
+ auto_create_subnetworks = false
+ routing_mode = "REGIONAL"
+}
+
+resource "google_compute_subnetwork" "default" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['subnetname_name'] %>"
+ ip_cidr_range = "10.1.2.0/24"
+ network = google_compute_network.default.id
+ private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS"
+ purpose = "PRIVATE"
+ region = "asia-southeast1"
+ stack_type = "IPV4_ONLY"
+}
+
+data "google_compute_image" "vmimage" {
+ provider = google-beta
+ family = "debian-11"
+ project = "debian-cloud"
+}
+
+resource "google_compute_instance" "target-vm" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['instance_name'] %>"
+ machine_type = "e2-medium"
+ zone = "asia-southeast1-a"
+
+ boot_disk {
+ initialize_params {
+ image = data.google_compute_image.vmimage.self_link
+ }
+ }
+
+ network_interface {
+ network = google_compute_network.default.self_link
+ subnetwork = google_compute_subnetwork.default.self_link
+ access_config {
+ }
+ }
+}
+
+resource "google_compute_region_security_policy" "regionsecuritypolicy" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['region_sec_policy'] %>"
+ region = "asia-southeast1"
+ description = "basic security policy for target instance"
+ type = "CLOUD_ARMOR_NETWORK"
+}
+
+resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['target_name'] %>"
+ instance = google_compute_instance.target-vm.id
+ security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link
+}
\ No newline at end of file
diff --git a/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb b/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb
new file mode 100644
index 000000000000..9ce164dfc8a3
--- /dev/null
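Review bot: The `network_interface` block of `google_compute_instance.target-vm` carries an empty `access_config {}`, which gives the example VM its own ephemeral external IP. The target instance is what a forwarding rule would point at, and nothing else in this example uses the VM's address, so users who copy the example end up with a VM that is reachable directly as well as through the path the security policy is meant to cover. If the address is not needed, drop the block; if it is, a one-line HCL comment saying why would keep the next reader from removing it.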
+++ b/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb @@ -0,0 +1,39 @@ +<% unless version == 'ga' -%> +// security_policy isn't set by Create +if v, ok := d.GetOkExists("security_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, securityPolicyProp)) { + err = resourceComputeTargetInstanceRead(d, meta) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + securityPolicyProp, err := expandComputeTargetInstanceSecurityPolicy(v, d, config) + if err != nil { + return err + } + obj["security_policy"] = securityPolicyProp + + url, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/zones/{{zone}}/targetInstances/{{name}}/setSecurityPolicy") + if err != nil { + return err + } + + res, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "POST", + Project: project, + RawURL: url, + UserAgent: userAgent, + Body: obj, + }) + + if err != nil { + return fmt.Errorf("Error adding SecurityPolicy to TargetInstance %q: %s", d.Id(), err) + } + + err = ComputeOperationWaitTime(config, res, project, "Updating TargetInstance SecurityPolicy", userAgent, d.Timeout(schema.TimeoutUpdate)) + if err != nil { + return err + } +} +<% end -%> \ No newline at end of file From 3c83a5450447f0f2b88c4886d73ff3d27c2e2d85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Mon, 17 Jul 2023 13:04:33 -0300 Subject: [PATCH 2/7] making sure the target_instance uses the same zone as instance --- .../examples/target_instance_with_security_policy.tf.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb index 614d54820b02..93ea31105b03 100644 --- a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb 
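Review bot: `obj["security_policy"] = securityPolicyProp` builds the setSecurityPolicy request body with a snake_case key, while the property is declared as `securityPolicy` in TargetInstance.yaml and the generated request bodies use that camelCase name; unless the API tolerates snake_case JSON keys the policy is silently not applied, so this should read `obj["securityPolicy"] = securityPolicyProp`. The operation wait passes `d.Timeout(schema.TimeoutUpdate)` although this hook runs inside Create, so `d.Timeout(schema.TimeoutCreate)` is the timeout the user actually configured for this step. The `if` condition reads `securityPolicyProp` from the enclosing generated Create before the `:=` inside the block shadows it, which only works as long as the generator keeps emitting that variable, and deserves a comment. Since the target instance presumably already exists when this runs, a failed setSecurityPolicy leaves a resource in state without its policy; the error text could say that a re-apply is needed.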
+++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb @@ -53,6 +53,7 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy" { resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { provider = google-beta name = "<%= ctx[:vars]['target_name'] %>" + zone = "asia-southeast1-a" instance = google_compute_instance.target-vm.id security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link } \ No newline at end of file From f6660bd6009fc222288a21948085226e1b9538e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Mon, 31 Jul 2023 09:54:06 -0300 Subject: [PATCH 3/7] fixing test by adding ddos protection policy rule --- ...arget_instance_with_security_policy.tf.erb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb index 93ea31105b03..176d3c04a9ba 100644 --- a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb +++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb 
@@ -42,6 +42,24 @@ resource "google_compute_instance" "target-vm" { } } +resource "google_compute_region_security_policy" "policyddosprotection" { + provider = google-beta + region = "asia-southeast1" + name = "tf-test-policyddos%{random_suffix}" + description = "ddos protection security policy to set target instance" + type = "CLOUD_ARMOR_NETWORK" + ddos_protection_config { + ddos_protection = "ADVANCED_PREVIEW" + } +} + +resource "google_compute_network_edge_security_service" "edge_sec_service" { + provider = google-beta + region = "asia-southeast1" + name = "tf-test-edgesec%{random_suffix}" + security_policy = google_compute_region_security_policy.policyddosprotection.self_link +} + resource "google_compute_region_security_policy" "regionsecuritypolicy" { provider = google-beta name = "<%= ctx[:vars]['region_sec_policy'] %>" @@ -56,4 +74,5 @@ resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { zone = "asia-southeast1-a" instance = google_compute_instance.target-vm.id security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link + depends_on = [google_compute_network_edge_security_service.edge_sec_service] } \ No newline at end of file From f6dc03defa5cbeb20fec1755be8a4aee2bd8d8aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Tue, 15 Aug 2023 17:01:42 -0300 Subject: [PATCH 4/7] fixing review issues --- mmv1/products/compute/TargetInstance.yaml | 5 ++--- .../target_instance_with_security_policy.tf.erb | 12 ++++++------ .../compute_target_instance_security_policy.go.erb | 5 ----- 3 files changed, 8 insertions(+), 14 deletions(-) diff --git a/mmv1/products/compute/TargetInstance.yaml b/mmv1/products/compute/TargetInstance.yaml index 35015e0b700e..d2cb122574fc 100644 --- a/mmv1/products/compute/TargetInstance.yaml +++ b/mmv1/products/compute/TargetInstance.yaml 
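Review bot: The two new resources are named with a literal `tf-test-policyddos%{random_suffix}` / `tf-test-edgesec%{random_suffix}` instead of `ctx[:vars]` entries like the sibling resources in this template; the same example file is rendered into documentation, where that placeholder will presumably appear verbatim, so adding `ddos_policy_name` and `edge_service_name` to the example's `vars` in TargetInstance.yaml and using `<%= ctx[:vars]['ddos_policy_name'] %>` keeps the doc and test renderings consistent. It is also not stated anywhere why a DDoS-protection policy and a network edge security service must exist before the policy is attached; the commit message implies the attach fails without them, so a short HCL comment above `policyddosprotection` recording that prerequisite would save the next person the same debugging.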
@@ -69,8 +69,8 @@ examples: network_name: 'custom-default-network' subnetname_name: 'custom-default-subnet' instance_name: 'target-vm' - region_sec_policy: 'regionsecpolicy' - target_name: 'target' + region_sec_policy: 'region-secpolicy' + target_name: 'target-instance' custom_code: !ruby/object:Provider::Terraform::CustomCode post_create: 'templates/terraform/post_create/compute_target_instance_security_policy.go.erb' parameters: @@ -141,4 +141,3 @@ properties: description: | The resource URL for the security policy associated with this target instance. immutable: true - min_version: beta diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb index 176d3c04a9ba..9180415f5c21 100644 --- a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb +++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb @@ -12,7 +12,7 @@ resource "google_compute_subnetwork" "default" { network = google_compute_network.default.id private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS" purpose = "PRIVATE" - region = "asia-southeast1" + region = "us-east1" stack_type = "IPV4_ONLY" } @@ -26,7 +26,7 @@ resource "google_compute_instance" "target-vm" { provider = google-beta name = "<%= ctx[:vars]['instance_name'] %>" machine_type = "e2-medium" - zone = "asia-southeast1-a" + zone = "us-east1-b" boot_disk { initialize_params { @@ -44,7 +44,7 @@ resource "google_compute_instance" "target-vm" { resource "google_compute_region_security_policy" "policyddosprotection" { provider = google-beta - region = "asia-southeast1" + region = "us-east1" name = "tf-test-policyddos%{random_suffix}" description = "ddos protection security policy to set target instance" type = "CLOUD_ARMOR_NETWORK" 
@@ -55,7 +55,7 @@ resource "google_compute_region_security_policy" "policyddosprotection" { resource "google_compute_network_edge_security_service" "edge_sec_service" { provider = google-beta - region = "asia-southeast1" + region = "us-east1" name = "tf-test-edgesec%{random_suffix}" security_policy = google_compute_region_security_policy.policyddosprotection.self_link } @@ -63,7 +63,7 @@ resource "google_compute_network_edge_security_service" "edge_sec_service" { resource "google_compute_region_security_policy" "regionsecuritypolicy" { provider = google-beta name = "<%= ctx[:vars]['region_sec_policy'] %>" - region = "asia-southeast1" + region = "us-east1" description = "basic security policy for target instance" type = "CLOUD_ARMOR_NETWORK" } @@ -71,7 +71,7 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy" { resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { provider = google-beta name = "<%= ctx[:vars]['target_name'] %>" - zone = "asia-southeast1-a" + zone = "us-east1-b" instance = google_compute_instance.target-vm.id security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link depends_on = [google_compute_network_edge_security_service.edge_sec_service] diff --git a/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb b/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb index 9ce164dfc8a3..14dd1fc916aa 100644 --- a/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb +++ b/mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb 
@@ -1,11 +1,6 @@ <% unless version == 'ga' -%> // security_policy isn't set by Create if v, ok := d.GetOkExists("security_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, securityPolicyProp)) { - err = resourceComputeTargetInstanceRead(d, meta) - if err != nil { - return err - } - obj := make(map[string]interface{}) securityPolicyProp, err := expandComputeTargetInstanceSecurityPolicy(v, d, config) if err != nil { From 49fe840bab348cd138040f4e13967801aa2448bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Wed, 16 Aug 2023 13:59:23 -0300 Subject: [PATCH 5/7] making securityPolicy field updatable and add hw test for it --- mmv1/products/compute/TargetInstance.yaml | 3 +- ...arget_instance_with_security_policy.tf.erb | 2 +- ...source_compute_target_instance_test.go.erb | 151 ++++++++++++++++++ 3 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb diff --git a/mmv1/products/compute/TargetInstance.yaml b/mmv1/products/compute/TargetInstance.yaml index d2cb122574fc..a7d3e5b8c214 100644 --- a/mmv1/products/compute/TargetInstance.yaml +++ b/mmv1/products/compute/TargetInstance.yaml @@ -140,4 +140,5 @@ properties: min_version: beta description: | The resource URL for the security policy associated with this target instance. - immutable: true + update_url: projects/{{project}}/zones/{{zone}}/targetInstances/{{name}}/setSecurityPolicy + update_verb: :POST diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb index 9180415f5c21..9e9dca7b05e5 100644 --- a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb +++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb 
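Review bot: The hook's only comment, `// security_policy isn't set by Create`, states the symptom but not the reason, and with the Read call removed in this hunk the reader has even less context for the extra request. Suggest `// The insert request does not apply securityPolicy; it is set through a separate setSecurityPolicy call once the target instance exists.`, adjusted to whatever was actually observed against the API, which I cannot confirm from here. With the Read gone, the `!reflect.DeepEqual(v, securityPolicyProp)` half of the condition compares the config value against the value the generator expanded from the same config just above, so it is presumably always false and `ok` alone decides; a comment saying so would stop readers from reading meaning into it. The `if` body continues beyond this hunk.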
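Review bot: Making `securityPolicy` updatable through `update_url: projects/{{project}}/zones/{{zone}}/targetInstances/{{name}}/setSecurityPolicy` with `update_verb: :POST` while keeping the `post_create` hook means two code paths now issue the same request, one generated and one hand-written, and the hand-written one in compute_target_instance_security_policy.go.erb keys its body as `security_policy` while the generated update body will use `securityPolicy`; the two should at least agree on the key. Clearing the field (the new test's `security_policy = ""` step) relies on the generated update sending a body without the policy to setSecurityPolicy; if that is the supported way to detach a policy, it is worth a sentence in the description, which currently only says what the URL is.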
@@ -66,6 +66,7 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy" { region = "us-east1" description = "basic security policy for target instance" type = "CLOUD_ARMOR_NETWORK" + depends_on = [google_compute_network_edge_security_service.edge_sec_service] } resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { @@ -74,5 +75,4 @@ resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { zone = "us-east1-b" instance = google_compute_instance.target-vm.id security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link - depends_on = [google_compute_network_edge_security_service.edge_sec_service] } \ No newline at end of file diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb new file mode 100644 index 000000000000..4f9908e6e627 --- /dev/null +++ b/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb 
@@ -0,0 +1,151 @@
+<% autogen_exception -%>
+package compute_test
+<% unless version == 'ga' -%>
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+ "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
+)
+
+func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) {
+ net := fmt.Sprintf("tf-test-up-pol-net%s", acctest.RandString(t, 10))
+ subnet := fmt.Sprintf("tf-test-up-pol-subnet%s", acctest.RandString(t, 10))
+ instance := fmt.Sprintf("tf-test-up-pol-target-vm%s", acctest.RandString(t, 10))
+ ddosPolicy := fmt.Sprintf("tf-test-up-pol-policyddos%s", acctest.RandString(t, 10))
+ edgeService := fmt.Sprintf("tf-test-up-pol-edgesec%s", acctest.RandString(t, 10))
+ pol1 := fmt.Sprintf("tf-test-up-pol-region-secpolicy1%s", acctest.RandString(t, 10))
+ pol2 := fmt.Sprintf("tf-test-up-pol-region-secpolicy2%s", acctest.RandString(t, 10))
+ targetInstance := fmt.Sprintf("tf-test-up-pol-target-instance%s", acctest.RandString(t, 10))
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+ CheckDestroy: testAccCheckComputeTargetInstanceDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "google_compute_region_security_policy.regionsecuritypolicy1.self_link"),
+ },
+ {
+ ResourceName: "google_compute_target_instance.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"instance", "zone"},
+ },
+ {
+ Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "google_compute_region_security_policy.regionsecuritypolicy2.self_link"),
+ },
+ {
+ ResourceName: "google_compute_target_instance.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"instance", "zone"},
+ },
+ {
+ Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "\"\""),
+ },
+ {
+ ResourceName: "google_compute_target_instance.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"instance", "zone"},
+ },
+ },
+ })
+}
+
+func testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, policySet string) string {
+ return fmt.Sprintf(`
+resource "google_compute_network" "default" {
+ provider = google-beta
+ name = "%s"
+ auto_create_subnetworks = false
+ routing_mode = "REGIONAL"
+}
+
+resource "google_compute_subnetwork" "default" {
+ provider = google-beta
+ name = "%s"
+ ip_cidr_range = "10.1.2.0/24"
+ network = google_compute_network.default.id
+ private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS"
+ purpose = "PRIVATE"
+ region = "us-east1"
+ stack_type = "IPV4_ONLY"
+}
+
+data "google_compute_image" "vmimage" {
+ provider = google-beta
+ family = "debian-11"
+ project = "debian-cloud"
+}
+
+resource "google_compute_instance" "target-vm" {
+ provider = google-beta
+ name = "%s"
+ machine_type = "e2-medium"
+ zone = "us-east1-b"
+
+ boot_disk {
+ initialize_params {
+ image = data.google_compute_image.vmimage.self_link
+ }
+ }
+
+ network_interface {
+ network = google_compute_network.default.self_link
+ subnetwork = google_compute_subnetwork.default.self_link
+ access_config {
+ }
+ }
+}
+
+resource "google_compute_region_security_policy" "policyddosprotection" {
+ provider = google-beta
+ region = "us-east1"
+ name = "%s"
+ description = "ddos protection security policy to set target instance"
+ type = "CLOUD_ARMOR_NETWORK"
+ ddos_protection_config {
+ ddos_protection = "ADVANCED_PREVIEW"
+ }
+}
+
+resource "google_compute_network_edge_security_service" "edge_sec_service" {
+ provider = google-beta
+ region = "us-east1"
+ 
name = "%s" + security_policy = google_compute_region_security_policy.policyddosprotection.self_link +} + +resource "google_compute_region_security_policy" "regionsecuritypolicy1" { + provider = google-beta + name = "%s" + region = "us-east1" + description = "basic security policy one for target instance" + type = "CLOUD_ARMOR_NETWORK" + depends_on = [google_compute_network_edge_security_service.edge_sec_service] +} + +resource "google_compute_region_security_policy" "regionsecuritypolicy2" { + provider = google-beta + name = "%s" + region = "us-east1" + description = "basic security policy two for target instance" + type = "CLOUD_ARMOR_NETWORK" + depends_on = [google_compute_network_edge_security_service.edge_sec_service] +} + +resource "google_compute_target_instance" "default" { + provider = google-beta + name = "%s" + zone = "us-east1-b" + instance = google_compute_instance.target-vm.id + security_policy = %s +} +`, net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, policySet) +} +<% end -%> From 56e6b9e71c4c01c84e0f39fb4c813e68f4a925b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Wed, 16 Aug 2023 16:47:59 -0300 Subject: [PATCH 6/7] adding lifecyle block and context var for hw test --- ...arget_instance_with_security_policy.tf.erb | 12 ++-- ...source_compute_target_instance_test.go.erb | 69 ++++++++++--------- 2 files changed, 44 insertions(+), 37 deletions(-) diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb index 9e9dca7b05e5..fe4afeb31f78 100644 --- a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb +++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb 
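Review bot: Every import step lists `instance` in `ImportStateVerifyIgnore`, so the test never checks that the instance reference round-trips through Read, and nothing in the file records why it has to be skipped. If the reason is that the API returns a self_link while the config passes `google_compute_instance.target-vm.id`, that is normally handled with a diff-suppress on the field rather than by weakening the import check; otherwise a comment such as `// instance comes back as a self_link and is compared loosely until the field gets a diff suppress` would keep the trade-off visible. The same three import steps are repeated verbatim; a small helper returning the `resource.TestStep` would make later steps harder to get out of sync.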
@@ -12,7 +12,7 @@ resource "google_compute_subnetwork" "default" { network = google_compute_network.default.id private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS" purpose = "PRIVATE" - region = "us-east1" + region = "southamerica-east1" stack_type = "IPV4_ONLY" } @@ -26,7 +26,7 @@ resource "google_compute_instance" "target-vm" { provider = google-beta name = "<%= ctx[:vars]['instance_name'] %>" machine_type = "e2-medium" - zone = "us-east1-b" + zone = "southamerica-east1-a" boot_disk { initialize_params { @@ -44,7 +44,7 @@ resource "google_compute_instance" "target-vm" { resource "google_compute_region_security_policy" "policyddosprotection" { provider = google-beta - region = "us-east1" + region = "southamerica-east1" name = "tf-test-policyddos%{random_suffix}" description = "ddos protection security policy to set target instance" type = "CLOUD_ARMOR_NETWORK" @@ -55,7 +55,7 @@ resource "google_compute_region_security_policy" "policyddosprotection" { resource "google_compute_network_edge_security_service" "edge_sec_service" { provider = google-beta - region = "us-east1" + region = "southamerica-east1" name = "tf-test-edgesec%{random_suffix}" security_policy = google_compute_region_security_policy.policyddosprotection.self_link } @@ -63,7 +63,7 @@ resource "google_compute_network_edge_security_service" "edge_sec_service" { resource "google_compute_region_security_policy" "regionsecuritypolicy" { provider = google-beta name = "<%= ctx[:vars]['region_sec_policy'] %>" - region = "us-east1" + region = "southamerica-east1" description = "basic security policy for target instance" type = "CLOUD_ARMOR_NETWORK" depends_on = [google_compute_network_edge_security_service.edge_sec_service] 
@@ -72,7 +72,7 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy" { resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { provider = google-beta name = "<%= ctx[:vars]['target_name'] %>" - zone = "us-east1-b" + zone = "southamerica-east1-a" instance = google_compute_instance.target-vm.id security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link } \ No newline at end of file diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb index 4f9908e6e627..1d93bf5cd395 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb +++ b/mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb @@ -3,7 +3,6 @@ package compute_test <% unless version == 'ga' -%> import ( - "fmt" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" @@ -12,14 +11,9 @@ import ( ) func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) { - net := fmt.Sprintf("tf-test-up-pol-net%s", acctest.RandString(t, 10)) - subnet := fmt.Sprintf("tf-test-up-pol-subnet%s", acctest.RandString(t, 10)) - instance := fmt.Sprintf("tf-test-up-pol-target-vm%s", acctest.RandString(t, 10)) - ddosPolicy := fmt.Sprintf("tf-test-up-pol-policyddos%s", acctest.RandString(t, 10)) - edgeService := fmt.Sprintf("tf-test-up-pol-edgesec%s", acctest.RandString(t, 10)) - pol1 := fmt.Sprintf("tf-test-up-pol-region-secpolicy1%s", acctest.RandString(t, 10)) - pol2 := fmt.Sprintf("tf-test-up-pol-region-secpolicy2%s", acctest.RandString(t, 10)) - targetInstance := fmt.Sprintf("tf-test-up-pol-target-instance%s", acctest.RandString(t, 10)) + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + } acctest.VcrTest(t, resource.TestCase{ PreCheck: func() { acctest.AccTestPreCheck(t) }, 
@@ -27,7 +21,7 @@ func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) { CheckDestroy: testAccCheckComputeTargetInstanceDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "google_compute_region_security_policy.regionsecuritypolicy1.self_link"), + Config: testAccComputeTargetInstance_withSecurityPolicy(context, "google_compute_region_security_policy.regionsecuritypolicy1.self_link", true), }, { ResourceName: "google_compute_target_instance.default", @@ -36,7 +30,7 @@ func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) { ImportStateVerifyIgnore: []string{"instance", "zone"}, }, { - Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "google_compute_region_security_policy.regionsecuritypolicy2.self_link"), + Config: testAccComputeTargetInstance_withSecurityPolicy(context, "google_compute_region_security_policy.regionsecuritypolicy2.self_link", true), }, { ResourceName: "google_compute_target_instance.default", @@ -45,7 +39,7 @@ func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) { ImportStateVerifyIgnore: []string{"instance", "zone"}, }, { - Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "\"\""), + Config: testAccComputeTargetInstance_withSecurityPolicy(context, "\"\"", true), }, { ResourceName: "google_compute_target_instance.default", 
@@ -53,27 +47,39 @@ func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) { ImportStateVerify: true, ImportStateVerifyIgnore: []string{"instance", "zone"}, }, + { + Config: testAccComputeTargetInstance_withSecurityPolicy(context, "\"\"", false), + }, }, }) } -func testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, policySet string) string { - return fmt.Sprintf(` +func testAccComputeTargetInstance_withSecurityPolicy(context map[string]interface{}, policySet string, preventDestroy bool) string { + context["policy_set"] = policySet + context["lifecycle_block"] = "" + if preventDestroy { + context["lifecycle_block"] = ` + lifecycle { + prevent_destroy = true + }` + } + + return acctest.Nprintf(` resource "google_compute_network" "default" { provider = google-beta - name = "%s" + name = "tf-test-up-pol-net%{random_suffix}" auto_create_subnetworks = false routing_mode = "REGIONAL" } resource "google_compute_subnetwork" "default" { provider = google-beta - name = "%s" + name = "tf-test-up-pol-subnet%{random_suffix}" ip_cidr_range = "10.1.2.0/24" network = google_compute_network.default.id private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS" purpose = "PRIVATE" - region = "us-east1" + region = "southamerica-east1" stack_type = "IPV4_ONLY" } @@ -85,9 +91,9 @@ data "google_compute_image" "vmimage" { resource "google_compute_instance" "target-vm" { provider = google-beta - name = "%s" + name = "tf-test-up-pol-target-vm%{random_suffix}" machine_type = "e2-medium" - zone = "us-east1-b" + zone = "southamerica-east1-a" boot_disk { initialize_params { 
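Review bot: The `prevent_destroy = true` lifecycle block that the new `preventDestroy` parameter injects is what turns a forced replacement on a `security_policy` change into a test failure, but nothing in the helper says so; suggest above the `if preventDestroy {` line: `// prevent_destroy makes the step fail if changing security_policy forces replacement; the final step drops it so CheckDestroy can clean up.` The helper also writes `policy_set` and `lifecycle_block` straight into the caller's `context` map, so the map shared across the test steps carries each step's values into the next call; either copy the map before mutating it or document the side effect next to `context["policy_set"] = policySet`. The enclosing test function starts before this hunk.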
@@ -105,8 +111,8 @@ resource "google_compute_instance" "target-vm" { resource "google_compute_region_security_policy" "policyddosprotection" { provider = google-beta - region = "us-east1" - name = "%s" + region = "southamerica-east1" + name = "tf-test-up-pol-policyddos%{random_suffix}" description = "ddos protection security policy to set target instance" type = "CLOUD_ARMOR_NETWORK" ddos_protection_config { @@ -116,15 +122,15 @@ resource "google_compute_region_security_policy" "policyddosprotection" { resource "google_compute_network_edge_security_service" "edge_sec_service" { provider = google-beta - region = "us-east1" - name = "%s" + region = "southamerica-east1" + name = "tf-test-up-pol-edgesec%{random_suffix}" security_policy = google_compute_region_security_policy.policyddosprotection.self_link } resource "google_compute_region_security_policy" "regionsecuritypolicy1" { provider = google-beta - name = "%s" - region = "us-east1" + name = "tf-test-up-pol-region-secpolicy1%{random_suffix}" + region = "southamerica-east1" description = "basic security policy one for target instance" type = "CLOUD_ARMOR_NETWORK" depends_on = [google_compute_network_edge_security_service.edge_sec_service] @@ -132,8 +138,8 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy1" { resource "google_compute_region_security_policy" "regionsecuritypolicy2" { provider = google-beta - name = "%s" - region = "us-east1" + name = "tf-test-up-pol-region-secpolicy2%{random_suffix}" + region = "southamerica-east1" description = "basic security policy two for target instance" type = "CLOUD_ARMOR_NETWORK" depends_on = [google_compute_network_edge_security_service.edge_sec_service] 
@@ -141,11 +147,12 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy2" { resource "google_compute_target_instance" "default" { provider = google-beta - name = "%s" - zone = "us-east1-b" + name = "tf-test-up-pol-target-instance%{random_suffix}" + zone = "southamerica-east1-a" instance = google_compute_instance.target-vm.id - security_policy = %s + security_policy = %{policy_set} + %{lifecycle_block} } -`, net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, policySet) +`, context) } <% end -%> From ff0166633caabed8411f4ce21a2fbbb86abe3d61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Gon=C3=A7alves=20de=20Castro?= Date: Wed, 16 Aug 2023 20:55:04 -0300 Subject: [PATCH 7/7] separating regions for tests --- .../target_instance_with_security_policy.tf.erb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb index fe4afeb31f78..f3ab7b16471b 100644 --- a/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb +++ b/mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb @@ -12,7 +12,7 @@ resource "google_compute_subnetwork" "default" { network = google_compute_network.default.id private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS" purpose = "PRIVATE" - region = "southamerica-east1" + region = "southamerica-west1" stack_type = "IPV4_ONLY" } @@ -26,7 +26,7 @@ resource "google_compute_instance" "target-vm" { provider = google-beta name = "<%= ctx[:vars]['instance_name'] %>" machine_type = "e2-medium" - zone = "southamerica-east1-a" + zone = "southamerica-west1-a" boot_disk { initialize_params { 
@@ -44,7 +44,7 @@ resource "google_compute_instance" "target-vm" { resource "google_compute_region_security_policy" "policyddosprotection" { provider = google-beta - region = "southamerica-east1" + region = "southamerica-west1" name = "tf-test-policyddos%{random_suffix}" description = "ddos protection security policy to set target instance" type = "CLOUD_ARMOR_NETWORK" @@ -55,7 +55,7 @@ resource "google_compute_region_security_policy" "policyddosprotection" { resource "google_compute_network_edge_security_service" "edge_sec_service" { provider = google-beta - region = "southamerica-east1" + region = "southamerica-west1" name = "tf-test-edgesec%{random_suffix}" security_policy = google_compute_region_security_policy.policyddosprotection.self_link } @@ -63,7 +63,7 @@ resource "google_compute_network_edge_security_service" "edge_sec_service" { resource "google_compute_region_security_policy" "regionsecuritypolicy" { provider = google-beta name = "<%= ctx[:vars]['region_sec_policy'] %>" - region = "southamerica-east1" + region = "southamerica-west1" description = "basic security policy for target instance" type = "CLOUD_ARMOR_NETWORK" depends_on = [google_compute_network_edge_security_service.edge_sec_service] @@ -72,7 +72,7 @@ resource "google_compute_region_security_policy" "regionsecuritypolicy" { resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" { provider = google-beta name = "<%= ctx[:vars]['target_name'] %>" - zone = "southamerica-east1-a" + zone = "southamerica-west1-a" instance = google_compute_instance.target-vm.id security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link } \ No newline at end of file