diff --git a/google/services/networkservices/resource_network_services_gateway.go b/google/services/networkservices/resource_network_services_gateway.go
index c6a135abf6f..e23a6380fe6 100644
--- a/google/services/networkservices/resource_network_services_gateway.go
+++ b/google/services/networkservices/resource_network_services_gateway.go
@@ -209,7 +209,6 @@ Gateways of type 'OPEN_MESH' listen on 0.0.0.0.`,
 "certificate_urls": {
 Type: schema.TypeList,
 Optional: true,
- ForceNew: true,
 Description: `A fully-qualified Certificates URL reference. The proxy presents a Certificate (selected based on SNI) when establishing a TLS connection.
 This feature only applies to gateways of type 'SECURE_WEB_GATEWAY'.`,
 Elem: &schema.Schema{
@@ -224,7 +223,6 @@ This feature only applies to gateways of type 'SECURE_WEB_GATEWAY'.`,
 "gateway_security_policy": {
 Type: schema.TypeString,
 Optional: true,
- ForceNew: true,
 Description: `A fully-qualified GatewaySecurityPolicy URL reference. Defines how a server should apply security policy to inbound (VM to Proxy) initiated connections. For example: 'projects/*/locations/*/gatewaySecurityPolicies/swg-policy'. This policy is specific to gateways of type 'SECURE_WEB_GATEWAY'.`,
@@ -581,6 +579,18 @@ func resourceNetworkServicesGatewayUpdate(d *schema.ResourceData, meta interface
 } else if v, ok := d.GetOkExists("server_tls_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, serverTlsPolicyProp)) {
 obj["serverTlsPolicy"] = serverTlsPolicyProp
 }
+ gatewaySecurityPolicyProp, err := expandNetworkServicesGatewayGatewaySecurityPolicy(d.Get("gateway_security_policy"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("gateway_security_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, gatewaySecurityPolicyProp)) {
+ obj["gatewaySecurityPolicy"] = gatewaySecurityPolicyProp
+ }
+ certificateUrlsProp, err := expandNetworkServicesGatewayCertificateUrls(d.Get("certificate_urls"), d, config)
+ if err != nil {
+ return err
+ } else if v, ok := d.GetOkExists("certificate_urls"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, certificateUrlsProp)) {
+ obj["certificateUrls"] = certificateUrlsProp
+ }
 labelsProp, err := expandNetworkServicesGatewayEffectiveLabels(d.Get("effective_labels"), d, config)
 if err != nil {
 return err
@@ -605,6 +615,14 @@ func resourceNetworkServicesGatewayUpdate(d *schema.ResourceData, meta interface
 updateMask = append(updateMask, "serverTlsPolicy")
 }
 
+ if d.HasChange("gateway_security_policy") {
+ updateMask = append(updateMask, "gatewaySecurityPolicy")
+ }
+
+ if d.HasChange("certificate_urls") {
+ updateMask = append(updateMask, "certificateUrls")
+ }
+
 if d.HasChange("effective_labels") {
 updateMask = append(updateMask, "labels")
 }
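Review bot: The new gateway_security_policy and certificate_urls handling in resourceNetworkServicesGatewayUpdate appends the field to updateMask on any change (second hunk, `d.HasChange(...)`) but only writes a value into obj when it is non-empty (first hunk, the `IsEmptyValue` guard), so removing either attribute from config sends a mask entry with no body value; if the service treats a masked-but-absent field as a clear, a running SECURE_WEB_GATEWAY loses its security policy or its certificates on the next apply, and if it ignores it the resource will show a perpetual diff. That is presumably the intended Terraform semantics, but neither hunk nor the new acceptance test exercises the removal path. A test step that drops `gateway_security_policy` and checks the post-apply state would pin the behaviour, and a one-line comment above the first new block, `// a removed attribute is carried by updateMask only; the empty-value guard below keeps it out of the body`, would record the expectation once it is confirmed against the API. The enclosing function starts and ends outside both hunks.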
@@ -614,6 +632,10 @@ func resourceNetworkServicesGatewayUpdate(d *schema.ResourceData, meta interface
 if err != nil {
 return err
 }
+ if d.Get("type") == "SECURE_WEB_GATEWAY" {
+ obj["name"] = d.Get("name")
+ obj["type"] = d.Get("type")
+ }
 
 // err == nil indicates that the billing_project value was found
 if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
diff --git a/google/services/networkservices/resource_network_services_gateway_test.go b/google/services/networkservices/resource_network_services_gateway_test.go
index 99832107db4..5d599999fba 100644
--- a/google/services/networkservices/resource_network_services_gateway_test.go
+++ b/google/services/networkservices/resource_network_services_gateway_test.go
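Review bot: The new `if d.Get("type") == "SECURE_WEB_GATEWAY"` block carries no comment saying why the update body must include `name` and `type` for this gateway type only, and it copies `d.Get("name")` into the body directly instead of going through the expander the create path uses; if that expander builds the full `projects/.../locations/.../gateways/...` resource path (the test's `ImportStateVerifyIgnore` on `name` suggests the two forms differ), the PATCH body would carry a different form of the name than the create body, which is worth confirming against the API. I would add `// SECURE_WEB_GATEWAY updates must repeat name and type in the body; other types reject or ignore them (TODO: cite the API reference)` above the block and reuse the same name expander as create. The literal `"SECURE_WEB_GATEWAY"` is now compared in code as well as appearing in schema descriptions, so a package-level constant would keep the two from drifting. The enclosing function starts and ends outside the hunk.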
@@ -165,218 +165,214 @@ resource "google_network_services_gateway" "default" {
 subnetwork = google_compute_subnetwork.default.id
 delete_swg_autogen_router_on_destroy = true
 depends_on = [google_compute_subnetwork.proxyonlysubnet]
- }
+}
 `, context)
 return config
 }
-// TODO(#14600): Enable the test once the api allows to update the fields for secure web gateway type.
-//func TestAccNetworkServicesGateway_updateSwp(t *testing.T) {
-//cmName := fmt.Sprintf("tf-test-gateway-swp-cm-%s", acctest.RandString(t, 10))
-// netName := fmt.Sprintf("tf-test-gateway-swp-net-%s", acctest.RandString(t, 10))
-// subnetName := fmt.Sprintf("tf-test-gateway-swp-subnet-%s", acctest.RandString(t, 10))
-// pSubnetName := fmt.Sprintf("tf-test-gateway-swp-proxyonly-%s", acctest.RandString(t, 10))
-// policyName := fmt.Sprintf("tf-test-gateway-swp-policy-%s", acctest.RandString(t, 10))
-// ruleName := fmt.Sprintf("tf-test-gateway-swp-rule-%s", acctest.RandString(t, 10))
-// gatewayScope := fmt.Sprintf("tf-test-gateway-swp-scope-%s", acctest.RandString(t, 10))
-// gatewayName := fmt.Sprintf("tf-test-gateway-swp-%s", acctest.RandString(t, 10))
-// // updates
-// newCmName := fmt.Sprintf("tf-test-gateway-swp-newcm-%s", acctest.RandString(t, 10))
-// newPolicyName := fmt.Sprintf("tf-test-gateway-swp-newpolicy-%s", acctest.RandString(t, 10))
-// newRuleName := fmt.Sprintf("tf-test-gateway-swp-newrule-%s", acctest.RandString(t, 10))
-//
-// acctest.VcrTest(t, resource.TestCase{
-// PreCheck: func() { acctest.AccTestPreCheck(t) },
-// ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
-// CheckDestroy: testAccCheckNetworkServicesGatewayDestroyProducer(t),
-// Steps: []resource.TestStep{
-// {
-// Config: testAccNetworkServicesGateway_basicSwp(cmName, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName, gatewayScope),
-// },
-// {
-// ResourceName: "google_network_services_gateway.foobar",
-// ImportState: true,
-// ImportStateVerify: true,
-// ImportStateVerifyIgnore: []string{"name", "location", "delete_swg_autogen_router_on_destroy"},
-// },
-// {
-// Config: testAccNetworkServicesGateway_updateSwp(cmName, newCmName, netName, subnetName, pSubnetName, policyName, newPolicyName, ruleName, newRuleName, gatewayName, gatewayScope),
-// },
-// {
-// ResourceName: "google_network_services_gateway.foobar",
-// ImportState: true,
-// ImportStateVerify: true,
-// ImportStateVerifyIgnore: []string{"name", "location", "delete_swg_autogen_router_on_destroy"},
-// },
-// },
-// })
-//}
-
-//func testAccNetworkServicesGateway_basicSwp(cmName, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName, gatewayScope string) string {
-// return fmt.Sprintf(`
-//resource "google_certificate_manager_certificate" "default" {
-// name = "%s"
-// location = "us-east1"
-// self_managed {
-// pem_certificate = file("test-fixtures/cert.pem")
-// pem_private_key = file("test-fixtures/private-key.pem")
-// }
-//}
-//
-//resource "google_compute_network" "default" {
-// name = "%s"
-// routing_mode = "REGIONAL"
-// auto_create_subnetworks = false
-//}
-//
-//resource "google_compute_subnetwork" "proxyonlysubnet" {
-// name = "%s"
-// purpose = "REGIONAL_MANAGED_PROXY"
-// ip_cidr_range = "192.168.0.0/23"
-// region = "us-east1"
-// network = google_compute_network.default.id
-// role = "ACTIVE"
-//}
-//
-//resource "google_compute_subnetwork" "default" {
-// name = "%s"
-// purpose = "PRIVATE"
-// ip_cidr_range = "10.128.0.0/20"
-// region = "us-east1"
-// network = google_compute_network.default.id
-// role = "ACTIVE"
-//}
-//
-//resource "google_network_security_gateway_security_policy" "default" {
-// name = "%s"
-// location = "us-east1"
-//}
-//
-//resource "google_network_security_gateway_security_policy_rule" "default" {
-// name = "%s"
-// location = "us-east1"
-// gateway_security_policy = google_network_security_gateway_security_policy.default.name
-// enabled = true
-// priority = 1
-// session_matcher = "host() == 'example.com'"
-// basic_profile = "ALLOW"
-//}
-//
-//resource "google_network_services_gateway" "foobar" {
-// name = "%s"
-// location = "us-east1"
-// addresses = ["10.128.0.99"]
-// type = "SECURE_WEB_GATEWAY"
-// ports = [443]
-// description = "my description"
-// scope = "%s"
-// certificate_urls = [google_certificate_manager_certificate.default.id]
-// gateway_security_policy = google_network_security_gateway_security_policy.default.id
-// network = google_compute_network.default.id
-// subnetwork = google_compute_subnetwork.default.id
-// delete_swg_autogen_router_on_destroy = true
-// depends_on = [google_compute_subnetwork.proxyonlysubnet]
-//
-//}
-//`, cmName, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName, gatewayScope)
-//}
-
-//func testAccNetworkServicesGateway_updateSwp(cmName, newCmName, netName, subnetName, pSubnetName, policyName, newPolicyName, ruleName, newRuleName, gatewayName, gatewayScope string) string {
-// return fmt.Sprintf(`
-//resource "google_certificate_manager_certificate" "default" {
-// name = "%s"
-// location = "us-east1"
-// self_managed {
-// pem_certificate = file("test-fixtures/cert.pem")
-// pem_private_key = file("test-fixtures/private-key.pem")
-// }
-//}
-//
-//resource "google_certificate_manager_certificate" "newcm" {
-// name = "%s"
-// location = "us-east1"
-// self_managed {
-// pem_certificate = file("test-fixtures/cert.pem")
-// pem_private_key = file("test-fixtures/private-key.pem")
-// }
-//}
-//
-//resource "google_compute_network" "default" {
-// name = "%s"
-// routing_mode = "REGIONAL"
-// auto_create_subnetworks = false
-//}
-//
-//resource "google_compute_subnetwork" "proxyonlysubnet" {
-// name = "%s"
-// purpose = "REGIONAL_MANAGED_PROXY"
-// ip_cidr_range = "192.168.0.0/23"
-// region = "us-east1"
-// network = google_compute_network.default.id
-// role = "ACTIVE"
-//}
-//
-//resource "google_compute_subnetwork" "default" {
-// name = "%s"
-// purpose = "PRIVATE"
-// ip_cidr_range = "10.128.0.0/20"
-// region = "us-east1"
-// network = google_compute_network.default.id
-// role = "ACTIVE"
-//}
-//
-//resource "google_network_security_gateway_security_policy" "default" {
-// name = "%s"
-// location = "us-east1"
-//}
-//
-//resource "google_network_security_gateway_security_policy_rule" "default" {
-// name = "%s"
-// location = "us-east1"
-// gateway_security_policy = google_network_security_gateway_security_policy.default.name
-// enabled = true
-// priority = 1
-// session_matcher = "host() == 'example.com'"
-// basic_profile = "ALLOW"
-//}
-//
-//# TODO(#14600): this field will be updatable soon so this test should also cover it.
-//# resource "google_network_security_gateway_security_policy" "newpolicy" {
-//# name = "%s"
-//# location = "us-east1"
-//# }
-//
-//# resource "google_network_security_gateway_security_policy_rule" "newrule" {
-//# name = "%s"
-//# location = "us-east1"
-//# gateway_security_policy = google_network_security_gateway_security_policy.newpolicy.name
-//# enabled = true
-//# priority = 1
-//# session_matcher = "host() == 'example.com'"
-//# basic_profile = "ALLOW"
-//# }
-//
-//resource "google_network_services_gateway" "foobar" {
-// name = "%s"
-// location = "us-east1"
-// addresses = ["10.128.0.99"]
-// type = "SECURE_WEB_GATEWAY"
-// ports = [443]
-// description = "updated description"
-// scope = "%s"
-// certificate_urls = [google_certificate_manager_certificate.default.id, google_certificate_manager_certificate.newcm.id]
-// gateway_security_policy = google_network_security_gateway_security_policy.default.id
-// # TODO(#14600): this field will be updatable soon so this test should also cover it.
-// # gateway_security_policy = google_network_security_gateway_security_policy.newpolicy.id
-// network = google_compute_network.default.id
-// subnetwork = google_compute_subnetwork.default.id
-// delete_swg_autogen_router_on_destroy = true
-// depends_on = [google_compute_subnetwork.proxyonlysubnet]
-//
-//}
-//`, cmName, newCmName, netName, subnetName, pSubnetName, policyName, newPolicyName, ruleName, newRuleName, gatewayName, gatewayScope)
-//}
+func TestAccNetworkServicesGateway_updateSwp(t *testing.T) {
+ cmName := fmt.Sprintf("tf-test-gateway-swp-cm-%s", acctest.RandString(t, 10))
+ netName := fmt.Sprintf("tf-test-gateway-swp-net-%s", acctest.RandString(t, 10))
+ subnetName := fmt.Sprintf("tf-test-gateway-swp-subnet-%s", acctest.RandString(t, 10))
+ pSubnetName := fmt.Sprintf("tf-test-gateway-swp-proxyonly-%s", acctest.RandString(t, 10))
+ policyName := fmt.Sprintf("tf-test-gateway-swp-policy-%s", acctest.RandString(t, 10))
+ ruleName := fmt.Sprintf("tf-test-gateway-swp-rule-%s", acctest.RandString(t, 10))
+ gatewayScope := fmt.Sprintf("tf-test-gateway-swp-scope-%s", acctest.RandString(t, 10))
+ gatewayName := fmt.Sprintf("tf-test-gateway-swp-%s", acctest.RandString(t, 10))
+ // updates
+ newCmName := fmt.Sprintf("tf-test-gateway-swp-newcm-%s", acctest.RandString(t, 10))
+ newPolicyName := fmt.Sprintf("tf-test-gateway-swp-newpolicy-%s", acctest.RandString(t, 10))
+ newRuleName := fmt.Sprintf("tf-test-gateway-swp-newrule-%s", acctest.RandString(t, 10))
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckNetworkServicesGatewayDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccNetworkServicesGateway_basicSwp(cmName, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName, gatewayScope),
+ },
+ {
+ ResourceName: "google_network_services_gateway.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"name", "location", "delete_swg_autogen_router_on_destroy"},
+ },
+ {
+ Config: testAccNetworkServicesGateway_updateSwp(cmName, newCmName, netName, subnetName, pSubnetName, policyName, newPolicyName, ruleName, newRuleName, gatewayName, gatewayScope),
+ },
+ {
+ ResourceName: "google_network_services_gateway.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"name", "location", "delete_swg_autogen_router_on_destroy"},
+ },
+ },
+ })
+}
+
+func testAccNetworkServicesGateway_basicSwp(cmName, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName, gatewayScope string) string {
+ return fmt.Sprintf(`
+resource "google_certificate_manager_certificate" "default" {
+ name = "%s"
+ location = "us-east1"
+ self_managed {
+ pem_certificate = file("test-fixtures/cert.pem")
+ pem_private_key = file("test-fixtures/private-key.pem")
+ }
+}
+
+resource "google_compute_network" "default" {
+ name = "%s"
+ routing_mode = "REGIONAL"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "proxyonlysubnet" {
+ name = "%s"
+ purpose = "REGIONAL_MANAGED_PROXY"
+ ip_cidr_range = "192.168.0.0/23"
+ region = "us-east1"
+ network = google_compute_network.default.id
+ role = "ACTIVE"
+}
+
+resource "google_compute_subnetwork" "default" {
+ name = "%s"
+ purpose = "PRIVATE"
+ ip_cidr_range = "10.128.0.0/20"
+ region = "us-east1"
+ network = google_compute_network.default.id
+ role = "ACTIVE"
+}
+
+resource "google_network_security_gateway_security_policy" "default" {
+ name = "%s"
+ location = "us-east1"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "default" {
+ name = "%s"
+ location = "us-east1"
+ gateway_security_policy = google_network_security_gateway_security_policy.default.name
+ enabled = true
+ priority = 1
+ session_matcher = "host() == 'example.com'"
+ basic_profile = "ALLOW"
+}
+
+resource "google_network_services_gateway" "foobar" {
+ name = "%s"
+ location = "us-east1"
+ addresses = ["10.128.0.99"]
+ type = "SECURE_WEB_GATEWAY"
+ ports = [443]
+ description = "my description"
+ scope = "%s"
+ certificate_urls = [google_certificate_manager_certificate.default.id]
+ gateway_security_policy = google_network_security_gateway_security_policy.default.id
+ network = google_compute_network.default.id
+ subnetwork = google_compute_subnetwork.default.id
+ delete_swg_autogen_router_on_destroy = true
+ depends_on = [google_compute_subnetwork.proxyonlysubnet]
+}
+
+`, cmName, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName, gatewayScope)
+}
+
+func testAccNetworkServicesGateway_updateSwp(cmName, newCmName, netName, subnetName, pSubnetName, policyName, newPolicyName, ruleName, newRuleName, gatewayName, gatewayScope string) string {
+ return fmt.Sprintf(`
+resource "google_certificate_manager_certificate" "default" {
+ name = "%s"
+ location = "us-east1"
+ self_managed {
+ pem_certificate = file("test-fixtures/cert.pem")
+ pem_private_key = file("test-fixtures/private-key.pem")
+ }
+}
+
+resource "google_certificate_manager_certificate" "newcm" {
+ name = "%s"
+ location = "us-east1"
+ self_managed {
+ pem_certificate = file("test-fixtures/cert.pem")
+ pem_private_key = file("test-fixtures/private-key.pem")
+ }
+}
+
+resource "google_compute_network" "default" {
+ name = "%s"
+ routing_mode = "REGIONAL"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "proxyonlysubnet" {
+ name = "%s"
+ purpose = "REGIONAL_MANAGED_PROXY"
+ ip_cidr_range = "192.168.0.0/23"
+ region = "us-east1"
+ network = google_compute_network.default.id
+ role = "ACTIVE"
+}
+
+resource "google_compute_subnetwork" "default" {
+ name = "%s"
+ purpose = "PRIVATE"
+ ip_cidr_range = "10.128.0.0/20"
+ region = "us-east1"
+ network = google_compute_network.default.id
+ role = "ACTIVE"
+}
+
+resource "google_network_security_gateway_security_policy" "default" {
+ name = "%s"
+ location = "us-east1"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "default" {
+ name = "%s"
+ location = "us-east1"
+ gateway_security_policy = google_network_security_gateway_security_policy.default.name
+ enabled = true
+ priority = 1
+ session_matcher = "host() == 'example.com'"
+ basic_profile = "ALLOW"
+}
+
+resource "google_network_security_gateway_security_policy" "newpolicy" {
+ name = "%s"
+ location = "us-east1"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "newrule" {
+ name = "%s"
+ location = "us-east1"
+ gateway_security_policy = google_network_security_gateway_security_policy.newpolicy.name
+ enabled = true
+ priority = 1
+ session_matcher = "host() == 'example.com'"
+ basic_profile = "ALLOW"
+}
+
+resource "google_network_services_gateway" "foobar" {
+ name = "%s"
+ location = "us-east1"
+ addresses = ["10.128.0.99"]
+ type = "SECURE_WEB_GATEWAY"
+ ports = [443]
+ description = "updated description"
+ scope = "%s"
+ certificate_urls = [google_certificate_manager_certificate.newcm.id]
+ gateway_security_policy = google_network_security_gateway_security_policy.newpolicy.id
+ network = google_compute_network.default.id
+ subnetwork = google_compute_subnetwork.default.id
+ delete_swg_autogen_router_on_destroy = true
+ depends_on = [google_compute_subnetwork.proxyonlysubnet]
+}
+
+`, cmName, newCmName, netName, subnetName, pSubnetName, policyName, newPolicyName, ruleName, newRuleName, gatewayName, gatewayScope)
+}
 func TestAccNetworkServicesGateway_multipleSwpGatewaysDifferentSubnetwork(t *testing.T) {
 cmName := fmt.Sprintf("tf-test-gateway-multiswp-cm-%s", acctest.RandString(t, 10))
@@ -425,7 +421,7 @@ resource "google_certificate_manager_certificate" "default" {
 location = "us-west1"
 self_managed {
 pem_certificate = file("test-fixtures/cert.pem")
- pem_private_key = file("test-fixtures/private-key.pem")
+ pem_private_key = file("test-fixtures/private-key.pem")
 }
 }
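Review bot: The fmt.Sprintf argument lists in the new testAccNetworkServicesGateway_basicSwp and testAccNetworkServicesGateway_updateSwp do not line up with the order of the `%s` placeholders: in both helpers the `proxyonlysubnet` resource receives subnetName and the `default` subnetwork receives pSubnetName, and in updateSwp the `default` rule receives newPolicyName while the `newpolicy` policy receives ruleName, so between step 1 and step 3 the rule created in step 1 changes name (and is presumably replaced) instead of the test only switching the gateway to the new policy. The basicSwp call should end `cmName, netName, pSubnetName, subnetName, policyName, ruleName, gatewayName, gatewayScope)` and the updateSwp call `cmName, newCmName, netName, pSubnetName, subnetName, policyName, ruleName, newPolicyName, newRuleName, gatewayName, gatewayScope)`. The test otherwise only checks import round-trips; if the repo's terraform-plugin-testing version provides `plancheck.ExpectResourceAction`, a `ConfigPlanChecks` on the update step asserting an in-place update of `google_network_services_gateway.foobar` would pin the ForceNew removal this commit relies on rather than leaving a silent destroy/recreate undetected.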
@@ -519,7 +515,7 @@ resource "google_certificate_manager_certificate" "default" {
 location = "us-west1"
 self_managed {
 pem_certificate = file("test-fixtures/cert.pem")
- pem_private_key = file("test-fixtures/private-key.pem")
+ pem_private_key = file("test-fixtures/private-key.pem")
 }
 }
@@ -548,8 +544,8 @@ resource "google_compute_subnetwork" "subnet1" {
 }
 
 resource "google_network_security_gateway_security_policy" "default" {
- name = "%s"
- location = "us-west1"
+ name = "%s"
+ location = "us-west1"
 }
 
 resource "google_network_security_gateway_security_policy_rule" "default" {
@@ -670,8 +666,8 @@ resource "google_compute_subnetwork" "subnet1" {
 }
 
 resource "google_network_security_gateway_security_policy" "default" {
- name = "%s"
- location = "us-west2"
+ name = "%s"
+ location = "us-west2"
 }
 
 resource "google_network_security_gateway_security_policy_rule" "default" {
@@ -779,8 +775,8 @@ resource "google_compute_subnetwork" "subnet1" {
 }
 
 resource "google_network_security_gateway_security_policy" "default" {
- name = "%s"
- location = "us-west2"
+ name = "%s"
+ location = "us-west2"
 }
 
 resource "google_network_security_gateway_security_policy_rule" "default" {
@@ -891,8 +887,8 @@ resource "google_compute_subnetwork" "default" {
 }
 
 resource "google_network_security_gateway_security_policy" "default" {
- name = "%s"
- location = "us-central1"
+ name = "%s"
+ location = "us-central1"
 }
 
 resource "google_network_security_gateway_security_policy_rule" "default" {