adding security_policy field to TargetInstance

mmv1/products/compute/TargetInstance.yaml

@@ -61,6 +61,18 @@ examples:
     vars:
       target_name: 'custom-network'
       instance_name: 'custom-network-target-vm'
+  - !ruby/object:Provider::Terraform::Examples
+    min_version: beta
+    name: 'target_instance_with_security_policy'
+    primary_resource_id: 'default'
+    vars:
+      network_name: 'custom-default-network'
+      subnetname_name: 'custom-default-subnet'
+      instance_name: 'target-vm'
+      region_sec_policy: 'region-secpolicy'
+      target_name: 'target-instance'
+custom_code: !ruby/object:Provider::Terraform::CustomCode
+  post_create: 'templates/terraform/post_create/compute_target_instance_security_policy.go.erb'
 parameters:
   - !ruby/object:Api::Type::ResourceRef
     name: 'zone'
@@ -123,3 +135,10 @@ properties:
     default_value: :NO_NAT
     values:
       - :NO_NAT
+  - !ruby/object:Api::Type::String
+    name: 'securityPolicy'
+    min_version: beta
+    description: |
+      The resource URL for the security policy associated with this target instance.
+    update_url: projects/{{project}}/zones/{{zone}}/targetInstances/{{name}}/setSecurityPolicy
+    update_verb: :POST

mmv1/templates/terraform/examples/target_instance_with_security_policy.tf.erb

@@ -0,0 +1,78 @@
+resource "google_compute_network" "default" {
+  provider                = google-beta
+  name                    = "<%= ctx[:vars]['network_name'] %>"
+  auto_create_subnetworks = false
+  routing_mode            = "REGIONAL"
+}
+
+resource "google_compute_subnetwork" "default" {
+  provider                   = google-beta
+  name                       = "<%= ctx[:vars]['subnetname_name'] %>"
+  ip_cidr_range              = "10.1.2.0/24"
+  network                    = google_compute_network.default.id
+  private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS"
+  purpose                    = "PRIVATE"
+  region                     = "us-east1"
+  stack_type                 = "IPV4_ONLY"
+}
+
+data "google_compute_image" "vmimage" {
+  provider = google-beta
+  family   = "debian-11"
+  project  = "debian-cloud"
+}
+
+resource "google_compute_instance" "target-vm" {
+  provider     = google-beta
+  name         = "<%= ctx[:vars]['instance_name'] %>"
+  machine_type = "e2-medium"
+  zone         = "us-east1-b"
+
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.vmimage.self_link
+    }
+  }
+
+  network_interface {       
+    network = google_compute_network.default.self_link
+    subnetwork = google_compute_subnetwork.default.self_link
+    access_config {
+    }
+  }
+}
+
+resource "google_compute_region_security_policy" "policyddosprotection" {
+  provider    = google-beta
+  region      = "us-east1"
+  name        = "tf-test-policyddos%{random_suffix}"
+  description = "ddos protection security policy to set target instance"
+  type        = "CLOUD_ARMOR_NETWORK"
+  ddos_protection_config {
+    ddos_protection = "ADVANCED_PREVIEW"
+  }
+}
+
+resource "google_compute_network_edge_security_service" "edge_sec_service" {
+  provider        = google-beta
+  region          = "us-east1"
+  name            = "tf-test-edgesec%{random_suffix}"
+  security_policy = google_compute_region_security_policy.policyddosprotection.self_link
+}
+
+resource "google_compute_region_security_policy" "regionsecuritypolicy" {
+  provider    = google-beta
+  name        = "<%= ctx[:vars]['region_sec_policy'] %>"
+  region      = "us-east1"
+  description = "basic security policy for target instance"
+  type        = "CLOUD_ARMOR_NETWORK"
+  depends_on  = [google_compute_network_edge_security_service.edge_sec_service]
+}
+
+resource "google_compute_target_instance" "<%= ctx[:primary_resource_id] %>" {
+  provider        = google-beta
+  name            = "<%= ctx[:vars]['target_name'] %>"
+  zone            = "us-east1-b"
+  instance        = google_compute_instance.target-vm.id
+  security_policy = google_compute_region_security_policy.regionsecuritypolicy.self_link
+}

mmv1/templates/terraform/post_create/compute_target_instance_security_policy.go.erb

@@ -0,0 +1,34 @@
+<% unless version == 'ga' -%>
+// security_policy isn't set by Create
+if v, ok := d.GetOkExists("security_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, securityPolicyProp)) {
+  obj := make(map[string]interface{})
+  securityPolicyProp, err := expandComputeTargetInstanceSecurityPolicy(v, d, config)
+  if err != nil {
+    return err
+  }
+  obj["security_policy"] = securityPolicyProp
+
+  url, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/zones/{{zone}}/targetInstances/{{name}}/setSecurityPolicy")
+  if err != nil {
+    return err
+  }
+
+  res, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+    Config:    config,
+    Method:    "POST",
+    Project:   project,
+    RawURL:    url,
+    UserAgent: userAgent,
+    Body:      obj,
+  })
+
+  if err != nil {
+    return fmt.Errorf("Error adding SecurityPolicy to TargetInstance %q: %s", d.Id(), err)
+  }
+
+  err = ComputeOperationWaitTime(config, res, project, "Updating TargetInstance SecurityPolicy", userAgent, d.Timeout(schema.TimeoutUpdate))
+  if err != nil {
+    return err
+  }
+}
+<% end -%>

mmv1/third_party/terraform/services/compute/resource_compute_target_instance_test.go.erb

@@ -0,0 +1,151 @@
+<% autogen_exception -%>
+package compute_test
+<% unless version == 'ga' -%>
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
+)
+
+func TestAccComputeTargetInstance_withSecurityPolicy(t *testing.T) {
+	net := fmt.Sprintf("tf-test-up-pol-net%s", acctest.RandString(t, 10))
+	subnet := fmt.Sprintf("tf-test-up-pol-subnet%s", acctest.RandString(t, 10))
+	instance := fmt.Sprintf("tf-test-up-pol-target-vm%s", acctest.RandString(t, 10))
+	ddosPolicy := fmt.Sprintf("tf-test-up-pol-policyddos%s", acctest.RandString(t, 10))
+	edgeService := fmt.Sprintf("tf-test-up-pol-edgesec%s", acctest.RandString(t, 10))
+	pol1 := fmt.Sprintf("tf-test-up-pol-region-secpolicy1%s", acctest.RandString(t, 10))
+	pol2 := fmt.Sprintf("tf-test-up-pol-region-secpolicy2%s", acctest.RandString(t, 10))
+	targetInstance := fmt.Sprintf("tf-test-up-pol-target-instance%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckComputeTargetInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "google_compute_region_security_policy.regionsecuritypolicy1.self_link"),
+			},
+			{
+				ResourceName:            "google_compute_target_instance.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"instance", "zone"},
+			},
+			{
+				Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "google_compute_region_security_policy.regionsecuritypolicy2.self_link"),
+			},
+			{
+				ResourceName:            "google_compute_target_instance.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"instance", "zone"},
+			},
+			{
+				Config: testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, "\"\""),
+			},
+			{
+				ResourceName:            "google_compute_target_instance.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"instance", "zone"},
+			},
+		},
+	})
+}
+
+func testAccComputeTargetInstance_withSecurityPolicy(net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, policySet string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "default" {
+  provider                = google-beta
+  name                    = "%s"
+  auto_create_subnetworks = false
+  routing_mode            = "REGIONAL"
+}
+
+resource "google_compute_subnetwork" "default" {
+  provider                   = google-beta
+  name                       = "%s"
+  ip_cidr_range              = "10.1.2.0/24"
+  network                    = google_compute_network.default.id
+  private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS"
+  purpose                    = "PRIVATE"
+  region                     = "us-east1"
+  stack_type                 = "IPV4_ONLY"
+}
+
+data "google_compute_image" "vmimage" {
+  provider = google-beta
+  family   = "debian-11"
+  project  = "debian-cloud"
+}
+
+resource "google_compute_instance" "target-vm" {
+  provider     = google-beta
+  name         = "%s"
+  machine_type = "e2-medium"
+  zone         = "us-east1-b"
+
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.vmimage.self_link
+    }
+  }
+
+  network_interface {       
+    network = google_compute_network.default.self_link
+    subnetwork = google_compute_subnetwork.default.self_link
+    access_config {
+    }
+  }
+}
+
+resource "google_compute_region_security_policy" "policyddosprotection" {
+  provider    = google-beta
+  region      = "us-east1"
+  name        = "%s"
+  description = "ddos protection security policy to set target instance"
+  type        = "CLOUD_ARMOR_NETWORK"
+  ddos_protection_config {
+    ddos_protection = "ADVANCED_PREVIEW"
+  }
+}
+
+resource "google_compute_network_edge_security_service" "edge_sec_service" {
+  provider        = google-beta
+  region          = "us-east1"
+  name            = "%s"
+  security_policy = google_compute_region_security_policy.policyddosprotection.self_link
+}
+
+resource "google_compute_region_security_policy" "regionsecuritypolicy1" {
+  provider    = google-beta
+  name        = "%s"
+  region      = "us-east1"
+  description = "basic security policy one for target instance"
+  type        = "CLOUD_ARMOR_NETWORK"
+  depends_on  = [google_compute_network_edge_security_service.edge_sec_service]
+}
+
+resource "google_compute_region_security_policy" "regionsecuritypolicy2" {
+  provider    = google-beta
+  name        = "%s"
+  region      = "us-east1"
+  description = "basic security policy two for target instance"
+  type        = "CLOUD_ARMOR_NETWORK"
+  depends_on  = [google_compute_network_edge_security_service.edge_sec_service]
+}
+
+resource "google_compute_target_instance" "default" {
+  provider        = google-beta
+  name            = "%s"
+  zone            = "us-east1-b"
+  instance        = google_compute_instance.target-vm.id
+  security_policy = %s
+}
+`, net, subnet, instance, ddosPolicy, edgeService, pol1, pol2, targetInstance, policySet)
+}
+<% end -%>