Upgrade DCL to v1.38.0 (GoogleCloudPlatform#7753)

* added 'allow_psc_global_access' to 'google_compute_forwarding_rule' resource (beta)
* added 'source_ip_ranges' and 'base_forwarding_rule' to 'google_compute_forwarding_rule' resource
* added 'dest_fqdns', 'dest_region_codes', 'dest_threat_intelligences', 'src_fqdns', 'src_region_codes', and 'src_threat_intelligences' to 'google_compute_firewall_policy_rule' resource.

mmv1/products/compute/ForwardingRule.yaml

@@ -178,6 +178,20 @@ examples:
       - "port_range"
       - "target"
       - "ip_address"
+  - !ruby/object:Provider::Terraform::Examples
+    name: "forwarding_rule_regional_steering"
+    min_version: 'beta'
+    primary_resource_id: "default"
+    vars:
+      forwarding_rule_name: "steering-rule"
+      ip_name: "website-ip"
+      external_forwarding_rule_name: "forwarding-rule"
+      backend_name: "service-backend"
+      healthcheck_name: "service-health-check"
+    ignore_read_extra:
+      - "port_range"
+      - "target"
+      - "ip_address"
 custom_code: !ruby/object:Provider::Terraform::CustomCode
   post_create: templates/terraform/post_create/labels.erb
 parameters:
@@ -214,6 +228,15 @@ properties:
     description: 'The PSC connection status of the PSC Forwarding Rule. Possible values:
       STATUS_UNSPECIFIED, PENDING, ACCEPTED, REJECTED, CLOSED'
     output: true
+  - !ruby/object:Api::Type::Boolean
+    name: 'allowPscGlobalAccess'
+    min_version: beta
+    send_empty_value: true
+    update_verb: :PATCH
+    update_url: projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}
+    description: |
+        This is used in PSC consumer ForwardingRule to control 
+        whether the PSC endpoint can be accessed from another region.
   - !ruby/object:Api::Type::String
     name: 'description'
     description: |

mmv1/templates/terraform/examples/forwarding_rule_regional_steering.tf.erb

@@ -0,0 +1,42 @@
+// Forwarding rule for VPC private service connect
+resource "google_compute_forwarding_rule" "<%= ctx[:primary_resource_id] %>" {
+  provider              = google-beta
+  name                  = "<%= ctx[:vars]['forwarding_rule_name'] %>"
+  region                = "us-central1"
+  ip_address            = google_compute_address.address.id
+  backend_service       = google_compute_region_backend_service.backend_service.id
+  network_tier = "PREMIUM"
+  description = "A test steering forwarding rule"
+  ip_protocol = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+  port_range = "80-81"
+  source_ip_ranges = ["34.121.88.0/24", "35.187.239.137"]
+  depends_on = [google_compute_forwarding_rule.external_forwarding_rule]
+}
+
+resource "google_compute_address" "address" {
+  name         = "<%= ctx[:vars]['ip_name'] %>-1"
+  provider     = google-beta
+  region       = "us-central1"
+}
+
+resource "google_compute_forwarding_rule" "external_forwarding_rule" {
+  provider = google-beta
+  name     = "<%= ctx[:vars]['external_forwarding_rule_name'] %>"
+  region                = "us-central1"
+  ip_address            = google_compute_address.address.id
+  backend_service       = google_compute_region_backend_service.backend_service.id
+  network_tier = "PREMIUM"
+  description = "A test steering forwarding rule"
+  ip_protocol = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+  port_range = "80-81"
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+  provider = google-beta
+  name     = "<%= ctx[:vars]['backend_name'] %>"
+  region   = "us-central1"
+
+  load_balancing_scheme = "EXTERNAL"
+}

mmv1/templates/terraform/examples/forwarding_rule_vpc_psc.tf.erb

@@ -7,6 +7,7 @@ resource "google_compute_forwarding_rule" "<%= ctx[:primary_resource_id] %>" {
   target                = google_compute_service_attachment.producer_service_attachment.id
   network               = google_compute_network.consumer_net.name
   ip_address            = google_compute_address.consumer_address.id
+  allow_psc_global_access = true
 }
 
 // Consumer service endpoint

mmv1/third_party/terraform/go.mod.erb

@@ -5,7 +5,7 @@ go 1.19
 
 require (
 	cloud.google.com/go/bigtable v1.17.0
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/davecgh/go-spew v1.1.1
 	github.com/dnaeon/go-vcr v1.0.1

mmv1/third_party/terraform/go.sum

@@ -731,3 +731,7 @@ rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=

mmv1/third_party/terraform/tests/resource_compute_firewall_policy_rule_test.go

@@ -108,6 +108,9 @@ resource "google_compute_firewall_policy_rule" "default" {
       ports = [80, 8080]
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = []
+    dest_region_codes = []
+    dest_threat_intelligences = []
   }
 }
 `, context)
@@ -162,6 +165,9 @@ resource "google_compute_firewall_policy_rule" "default" {
       ports = [22]
     }
     dest_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
   target_resources = [google_compute_network.network1.self_link, google_compute_network.network2.self_link]
   target_service_accounts = [google_service_account.service_account.email]
@@ -214,6 +220,9 @@ resource "google_compute_firewall_policy_rule" "default" {
       ports = [22]
     }
     src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
   target_resources = [google_compute_network.network1.self_link]
   target_service_accounts = [google_service_account.service_account.email, google_service_account.service_account2.email]
@@ -294,6 +303,9 @@ resource "google_compute_firewall_policy_rule" "rule1" {
       ports = [80, 8080]
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -314,6 +326,9 @@ resource "google_compute_firewall_policy_rule" "rule2" {
       ip_protocol = "all"
     }
     src_ip_ranges = ["11.100.0.1/32"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 `, context)
@@ -345,6 +360,9 @@ resource "google_compute_firewall_policy_rule" "rule1" {
       ip_protocol = "tcp"
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -365,6 +383,9 @@ resource "google_compute_firewall_policy_rule" "rule2" {
       ip_protocol = "all"
     }
     src_ip_ranges = ["11.100.0.1/32"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -382,6 +403,9 @@ resource "google_compute_firewall_policy_rule" "rule3" {
       ports = [8000]
     }
     src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 `, context)
@@ -414,6 +438,9 @@ resource "google_compute_firewall_policy_rule" "rule1" {
       ports = [80, 8080]
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -431,6 +458,9 @@ resource "google_compute_firewall_policy_rule" "rule3" {
       ports = [8000]
     }
     src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 `, context)

tpgtools/go.mod

@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	bitbucket.org/creachadair/stringset v0.0.9
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/hcl v1.0.0

tpgtools/go.sum

@@ -35,8 +35,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0 h1:lTD1OrEwktUJDTZopou9HXXiVDcKQ3f0s7/P0wsgw3M=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=

tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl

@@ -17,6 +17,9 @@ resource "google_compute_network_firewall_policy_rule" "primary" {
 
   match {
     src_ip_ranges = ["10.100.0.1/32"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
 
     src_secure_tags {
       name = "tagValues/${google_tags_tag_value.basic_value.name}"

tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl

@@ -16,6 +16,9 @@ resource "google_compute_network_firewall_policy_rule" "primary" {
 
   match {
     dest_ip_ranges = ["0.0.0.0/0"]
+    dest_fqdns = ["example.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
 
     layer4_configs {
       ip_protocol = "tcp"

tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl

@@ -19,6 +19,9 @@ resource "google_compute_region_network_firewall_policy_rule" "primary" {
 
   match {
     src_ip_ranges = ["10.100.0.1/32"]
+    src_fqdns = ["example.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
 
     layer4_configs {
       ip_protocol = "all"

tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl

@@ -18,6 +18,9 @@ resource "google_compute_region_network_firewall_policy_rule" "primary" {
 
   match {
     dest_ip_ranges = ["0.0.0.0/0"]
+    dest_fqdns = ["example.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
 
     layer4_configs {
       ip_protocol = "tcp"