From 916c84b6e7740f129d4447815219558ec0a147e4 Mon Sep 17 00:00:00 2001 From: Nick Elliot Date: Thu, 20 Apr 2023 12:41:10 -0700 Subject: [PATCH] Upgrade DCL to v1.38.0 (#7753) * added 'allow_psc_global_access' to 'google_compute_forwarding_rule' resource (beta) * added 'source_ip_ranges' and 'base_forwarding_rule' to 'google_compute_forwarding_rule' resource * added 'dest_fqdns', 'dest_region_codes', 'dest_threat_intelligences', 'src_fqdns', 'src_region_codes', and 'src_threat_intelligences' to 'google_compute_firewall_policy_rule' resource. --- mmv1/products/compute/ForwardingRule.yaml | 23 ++++++++++ .../forwarding_rule_regional_steering.tf.erb | 42 +++++++++++++++++++ .../examples/forwarding_rule_vpc_psc.tf.erb | 1 + mmv1/third_party/terraform/go.mod.erb | 2 +- mmv1/third_party/terraform/go.sum | 4 ++ ...ource_compute_firewall_policy_rule_test.go | 30 +++++++++++++ tpgtools/go.mod | 2 +- tpgtools/go.sum | 4 +- .../networkfirewallpolicyrule/global.tf.tmpl | 3 ++ .../global_update.tf.tmpl | 3 ++ .../regional.tf.tmpl | 3 ++ .../regional_update.tf.tmpl | 3 ++ 12 files changed, 116 insertions(+), 4 deletions(-) create mode 100644 mmv1/templates/terraform/examples/forwarding_rule_regional_steering.tf.erb diff --git a/mmv1/products/compute/ForwardingRule.yaml b/mmv1/products/compute/ForwardingRule.yaml index 358c46b0345e..876fcc9c7fae 100644 --- a/mmv1/products/compute/ForwardingRule.yaml +++ b/mmv1/products/compute/ForwardingRule.yaml 
@@ -178,6 +178,20 @@ examples: - "port_range" - "target" - "ip_address" + - !ruby/object:Provider::Terraform::Examples + name: "forwarding_rule_regional_steering" + min_version: 'beta' + primary_resource_id: "default" + vars: + forwarding_rule_name: "steering-rule" + ip_name: "website-ip" + external_forwarding_rule_name: "forwarding-rule" + backend_name: "service-backend" + healthcheck_name: "service-health-check" + ignore_read_extra: + - "port_range" + - "target" + - "ip_address" custom_code: !ruby/object:Provider::Terraform::CustomCode post_create: templates/terraform/post_create/labels.erb parameters: @@ -214,6 +228,15 @@ properties: description: 'The PSC connection status of the PSC Forwarding Rule. Possible values: STATUS_UNSPECIFIED, PENDING, ACCEPTED, REJECTED, CLOSED' output: true + - !ruby/object:Api::Type::Boolean + name: 'allowPscGlobalAccess' + min_version: beta + send_empty_value: true + update_verb: :PATCH + update_url: projects/{{project}}/regions/{{region}}/forwardingRules/{{name}} + description: | + This is used in PSC consumer ForwardingRule to control + whether the PSC endpoint can be accessed from another region. - !ruby/object:Api::Type::String name: 'description' description: | diff --git a/mmv1/templates/terraform/examples/forwarding_rule_regional_steering.tf.erb b/mmv1/templates/terraform/examples/forwarding_rule_regional_steering.tf.erb new file mode 100644 index 000000000000..4d67337b9cf1 --- /dev/null +++ b/mmv1/templates/terraform/examples/forwarding_rule_regional_steering.tf.erb 
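Review bot: `healthcheck_name: "service-health-check"` is declared in the `vars` of the new `forwarding_rule_regional_steering` example, but the template added in this commit only reads `forwarding_rule_name`, `ip_name`, `external_forwarding_rule_name` and `backend_name`. Remove the unused entry, or add the health check to the template if the backend service was meant to have one. `ignore_read_extra` also lists `"target"`, which this example never sets (it uses `backend_service`); that entry looks copied from the neighbouring example, so please confirm it is still needed.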
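Review bot: The `allowPscGlobalAccess` description does not say what a false or unset value means, and this is the property that decides whether the PSC endpoint is reachable from outside its own region. Because `send_empty_value: true` causes an explicit `false` to be sent to the API, the generated docs should spell that state out, for example by appending `When false, the endpoint can only be accessed from its own region.` to the description. If the API applies a default when the field is omitted, name it in the same sentence.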
@@ -0,0 +1,42 @@
+// Forwarding rule for VPC private service connect
+resource "google_compute_forwarding_rule" "<%= ctx[:primary_resource_id] %>" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['forwarding_rule_name'] %>"
+ region = "us-central1"
+ ip_address = google_compute_address.address.id
+ backend_service = google_compute_region_backend_service.backend_service.id
+ network_tier = "PREMIUM"
+ description = "A test steering forwarding rule"
+ ip_protocol = "TCP"
+ load_balancing_scheme = "EXTERNAL"
+ port_range = "80-81"
+ source_ip_ranges = ["34.121.88.0/24", "35.187.239.137"]
+ depends_on = [google_compute_forwarding_rule.external_forwarding_rule]
+}
+
+resource "google_compute_address" "address" {
+ name = "<%= ctx[:vars]['ip_name'] %>-1"
+ provider = google-beta
+ region = "us-central1"
+}
+
+resource "google_compute_forwarding_rule" "external_forwarding_rule" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['external_forwarding_rule_name'] %>"
+ region = "us-central1"
+ ip_address = google_compute_address.address.id
+ backend_service = google_compute_region_backend_service.backend_service.id
+ network_tier = "PREMIUM"
+ description = "A test steering forwarding rule"
+ ip_protocol = "TCP"
+ load_balancing_scheme = "EXTERNAL"
+ port_range = "80-81"
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['backend_name'] %>"
+ region = "us-central1"
+
+ load_balancing_scheme = "EXTERNAL"
+}
diff --git a/mmv1/templates/terraform/examples/forwarding_rule_vpc_psc.tf.erb b/mmv1/templates/terraform/examples/forwarding_rule_vpc_psc.tf.erb
index 3cd600278dd8..26e4860166db 100644
--- a/mmv1/templates/terraform/examples/forwarding_rule_vpc_psc.tf.erb
+++ b/mmv1/templates/terraform/examples/forwarding_rule_vpc_psc.tf.erb
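Review bot: The opening comment of `forwarding_rule_regional_steering.tf.erb`, `// Forwarding rule for VPC private service connect`, does not describe this file: both rules use `load_balancing_scheme = "EXTERNAL"` with a backend service, and the feature being shown is `source_ip_ranges` on the first rule. Replace it with something like `// Steering forwarding rule: same address, protocol and ports as external_forwarding_rule, scoped by source_ip_ranges`. `source_ip_ranges` is also filled with what look like real public addresses (`34.121.88.0/24`, `35.187.239.137`); since examples get copied into real configurations, consider a documentation range such as `203.0.113.0/24` if the API accepts it.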
@@ -7,6 +7,7 @@ resource "google_compute_forwarding_rule" "<%= ctx[:primary_resource_id] %>" { target = google_compute_service_attachment.producer_service_attachment.id network = google_compute_network.consumer_net.name ip_address = google_compute_address.consumer_address.id + allow_psc_global_access = true } // Consumer service endpoint diff --git a/mmv1/third_party/terraform/go.mod.erb b/mmv1/third_party/terraform/go.mod.erb index 8854aef316c4..ee40b59377c7 100644 --- a/mmv1/third_party/terraform/go.mod.erb +++ b/mmv1/third_party/terraform/go.mod.erb @@ -5,7 +5,7 @@ go 1.19 require ( cloud.google.com/go/bigtable v1.17.0 - github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0 + github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 github.com/apparentlymart/go-cidr v1.1.0 github.com/davecgh/go-spew v1.1.1 github.com/dnaeon/go-vcr v1.0.1 diff --git a/mmv1/third_party/terraform/go.sum b/mmv1/third_party/terraform/go.sum index aa0faa620525..799e7237fd11 100644 --- a/mmv1/third_party/terraform/go.sum +++ b/mmv1/third_party/terraform/go.sum @@ -731,3 +731,7 @@ rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8= +github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k= +github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8= +github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k= 
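Review bot: `allow_psc_global_access = true` is added to the PSC example without a comment, so anyone copying the example also opts their endpoint into access from other regions. Add a line above it such as `// Optional: allows access to this PSC endpoint from other regions; omit to keep it regional`. The property is declared with `min_version: beta` in ForwardingRule.yaml, while this example's own `min_version` and the resource's `provider` line are outside the hunk, so please confirm the template is not rendered for the GA provider.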
diff --git a/mmv1/third_party/terraform/tests/resource_compute_firewall_policy_rule_test.go b/mmv1/third_party/terraform/tests/resource_compute_firewall_policy_rule_test.go index 937c71e5145e..5b624c590054 100644 --- a/mmv1/third_party/terraform/tests/resource_compute_firewall_policy_rule_test.go +++ b/mmv1/third_party/terraform/tests/resource_compute_firewall_policy_rule_test.go @@ -108,6 +108,9 @@ resource "google_compute_firewall_policy_rule" "default" { ports = [80, 8080] } dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = [] + dest_region_codes = [] + dest_threat_intelligences = [] } } `, context) @@ -162,6 +165,9 @@ resource "google_compute_firewall_policy_rule" "default" { ports = [22] } dest_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"] + dest_fqdns = ["google.com"] + dest_region_codes = ["US"] + dest_threat_intelligences = ["iplist-known-malicious-ips"] } target_resources = [google_compute_network.network1.self_link, google_compute_network.network2.self_link] target_service_accounts = [google_service_account.service_account.email] @@ -214,6 +220,9 @@ resource "google_compute_firewall_policy_rule" "default" { ports = [22] } src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"] + src_fqdns = ["google.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] } target_resources = [google_compute_network.network1.self_link] target_service_accounts = [google_service_account.service_account.email, google_service_account.service_account2.email] @@ -294,6 +303,9 @@ resource "google_compute_firewall_policy_rule" "rule1" { ports = [80, 8080] } dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = ["google.com"] + dest_region_codes = ["US"] + dest_threat_intelligences = ["iplist-known-malicious-ips"] } } 
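Review bot: The FQDN fixtures added to this test file match on `google.com` (the hunks at -162, -214, -294 and every later hunk of the file), while three of the four tpgtools samples in the same commit use `example.com`. Prefer the reserved name throughout, e.g. `dest_fqdns = ["example.com"]` and `src_fqdns = ["example.com"]`, so the tests do not reference a production domain and the fixtures stay consistent; `samples/networkfirewallpolicyrule/global.tf.tmpl` carries the same `google.com` value. The enclosing test config functions start and end outside these hunks, so the rules' `action` values are not visible here.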
@@ -314,6 +326,9 @@ resource "google_compute_firewall_policy_rule" "rule2" { ip_protocol = "all" } src_ip_ranges = ["11.100.0.1/32"] + src_fqdns = ["google.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] } } `, context) @@ -345,6 +360,9 @@ resource "google_compute_firewall_policy_rule" "rule1" { ip_protocol = "tcp" } dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = ["google.com"] + dest_region_codes = ["US"] + dest_threat_intelligences = ["iplist-known-malicious-ips"] } } @@ -365,6 +383,9 @@ resource "google_compute_firewall_policy_rule" "rule2" { ip_protocol = "all" } src_ip_ranges = ["11.100.0.1/32"] + src_fqdns = ["google.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] } } @@ -382,6 +403,9 @@ resource "google_compute_firewall_policy_rule" "rule3" { ports = [8000] } src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"] + src_fqdns = ["google.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] } } `, context) @@ -414,6 +438,9 @@ resource "google_compute_firewall_policy_rule" "rule1" { ports = [80, 8080] } dest_ip_ranges = ["11.100.0.1/32"] + dest_fqdns = ["google.com"] + dest_region_codes = ["US"] + dest_threat_intelligences = ["iplist-known-malicious-ips"] } } @@ -431,6 +458,9 @@ resource "google_compute_firewall_policy_rule" "rule3" { ports = [8000] } src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"] + src_fqdns = ["google.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] } } `, context) diff --git a/tpgtools/go.mod b/tpgtools/go.mod index f88a11f61040..3ec97905a80f 100644 --- a/tpgtools/go.mod +++ b/tpgtools/go.mod 
@@ -4,7 +4,7 @@ go 1.19 require ( bitbucket.org/creachadair/stringset v0.0.9 - github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0 + github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b github.com/hashicorp/errwrap v1.0.0 github.com/hashicorp/hcl v1.0.0 diff --git a/tpgtools/go.sum b/tpgtools/go.sum index 22c25e1b543a..4d65e15ebfaf 100644 --- a/tpgtools/go.sum +++ b/tpgtools/go.sum @@ -35,8 +35,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0 h1:lTD1OrEwktUJDTZopou9HXXiVDcKQ3f0s7/P0wsgw3M= -github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k= +github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8= +github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k= github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE= github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl index f2ca03088ab0..bf2032c494e0 100644 --- a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl 
+++ b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global.tf.tmpl @@ -17,6 +17,9 @@ resource "google_compute_network_firewall_policy_rule" "primary" { match { src_ip_ranges = ["10.100.0.1/32"] + src_fqdns = ["google.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] src_secure_tags { name = "tagValues/${google_tags_tag_value.basic_value.name}" diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl index 450fc2a2130c..fdf63563aefe 100644 --- a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl +++ b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/global_update.tf.tmpl @@ -16,6 +16,9 @@ resource "google_compute_network_firewall_policy_rule" "primary" { match { dest_ip_ranges = ["0.0.0.0/0"] + dest_fqdns = ["example.com"] + dest_region_codes = ["US"] + dest_threat_intelligences = ["iplist-known-malicious-ips"] layer4_configs { ip_protocol = "tcp" diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl index 7e304b325e19..701ca410afa4 100644 --- a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl +++ b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional.tf.tmpl @@ -19,6 +19,9 @@ resource "google_compute_region_network_firewall_policy_rule" "primary" { match { src_ip_ranges = ["10.100.0.1/32"] + src_fqdns = ["example.com"] + src_region_codes = ["US"] + src_threat_intelligences = ["iplist-known-malicious-ips"] layer4_configs { ip_protocol = "all" diff --git a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl index a6becfa25312..0b84e25b4c96 100644 
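Review bot: In `global_update.tf.tmpl` (and again in `regional_update.tf.tmpl`) the new `dest_fqdns`, `dest_region_codes` and `dest_threat_intelligences` sit next to the existing `dest_ip_ranges = ["0.0.0.0/0"]`, and nothing in the sample says how the four destination criteria combine. A reader cannot tell whether the new lists narrow the match-all range or are simply added to it, which matters for a firewall rule that people will copy. Add a comment above the block stating the combination rule, or narrow the range in the sample (e.g. `dest_ip_ranges = ["10.100.0.1/32"]`, mirroring the `src_ip_ranges` value in the other samples) so the example does not pair a match-all range with a threat-intelligence list. The rule's `action` and `direction` are outside these hunks.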
--- a/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl +++ b/tpgtools/overrides/compute/samples/networkfirewallpolicyrule/regional_update.tf.tmpl @@ -18,6 +18,9 @@ resource "google_compute_region_network_firewall_policy_rule" "primary" { match { dest_ip_ranges = ["0.0.0.0/0"] + dest_fqdns = ["example.com"] + dest_region_codes = ["US"] + dest_threat_intelligences = ["iplist-known-malicious-ips"] layer4_configs { ip_protocol = "tcp"