hashicorp · modular-magician · Apr 20, 2023 · Apr 20, 2023
diff --git a/.changelog/7753.txt b/.changelog/7753.txt
@@ -0,0 +1,9 @@
+```release-note:enhancement
+compute: added 'dest_fqdns', 'dest_region_codes', 'dest_threat_intelligences', 'src_fqdns', 'src_region_codes', and 'src_threat_intelligences' to 'google_compute_firewall_policy_rule' resource.
+```
+```release-note:enhancement
+compute: added 'source_ip_ranges' and 'base_forwarding_rule' to 'google_compute_forwarding_rule' resource
+```
+```release-note:enhancement
+compute: added 'allow_psc_global_access' to 'google_compute_forwarding_rule' resource (beta)
+```
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ go 1.19
 
 require (
 	cloud.google.com/go/bigtable v1.17.0
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.37.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/davecgh/go-spew v1.1.1
 	github.com/dnaeon/go-vcr v1.0.1

diff --git a/go.sum b/go.sum
@@ -731,3 +731,7 @@ rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0 h1:V+wsGvuLEFV0ba4GxnZmDvRPc0W7bwuvVV3O374d/d8=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.38.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
diff --git a/google/resource_compute_firewall_policy_rule.go b/google/resource_compute_firewall_policy_rule.go
@@ -48,7 +48,7 @@ func ResourceComputeFirewallPolicyRule() *schema.Resource {
 			"action": {
 				Type:        schema.TypeString,
 				Required:    true,
-				Description: "The Action to perform when the client connection triggers the rule. Can currently be either \"allow\" or \"deny()\" where valid values for status are 403, 404, and 502.",
+				Description: "The Action to perform when the client connection triggers the rule. Valid actions are \"allow\", \"deny\" and \"goto_next\".",
 			},
 
 			"direction": {
@@ -138,19 +138,61 @@ func ComputeFirewallPolicyRuleMatchSchema() *schema.Resource {
 				Elem:        ComputeFirewallPolicyRuleMatchLayer4ConfigsSchema(),
 			},
 
+			"dest_fqdns": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
 			"dest_ip_ranges": {
 				Type:        schema.TypeList,
 				Optional:    true,
 				Description: "CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.",
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
 
+			"dest_region_codes": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
+			"dest_threat_intelligences": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Name of the Google Cloud Threat Intelligence list.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
+			"src_fqdns": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
 			"src_ip_ranges": {
 				Type:        schema.TypeList,
 				Optional:    true,
 				Description: "CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.",
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
+
+			"src_region_codes": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
+			"src_threat_intelligences": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Name of the Google Cloud Threat Intelligence list.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
 		},
 	}
 }
@@ -423,9 +465,15 @@ func expandComputeFirewallPolicyRuleMatch(o interface{}) *compute.FirewallPolicy
 	}
 	obj := objArr[0].(map[string]interface{})
 	return &compute.FirewallPolicyRuleMatch{
-		Layer4Configs: expandComputeFirewallPolicyRuleMatchLayer4ConfigsArray(obj["layer4_configs"]),
-		DestIPRanges:  expandStringArray(obj["dest_ip_ranges"]),
-		SrcIPRanges:   expandStringArray(obj["src_ip_ranges"]),
+		Layer4Configs:           expandComputeFirewallPolicyRuleMatchLayer4ConfigsArray(obj["layer4_configs"]),
+		DestFqdns:               expandStringArray(obj["dest_fqdns"]),
+		DestIPRanges:            expandStringArray(obj["dest_ip_ranges"]),
+		DestRegionCodes:         expandStringArray(obj["dest_region_codes"]),
+		DestThreatIntelligences: expandStringArray(obj["dest_threat_intelligences"]),
+		SrcFqdns:                expandStringArray(obj["src_fqdns"]),
+		SrcIPRanges:             expandStringArray(obj["src_ip_ranges"]),
+		SrcRegionCodes:          expandStringArray(obj["src_region_codes"]),
+		SrcThreatIntelligences:  expandStringArray(obj["src_threat_intelligences"]),
 	}
 }
 
@@ -434,9 +482,15 @@ func flattenComputeFirewallPolicyRuleMatch(obj *compute.FirewallPolicyRuleMatch)
 		return nil
 	}
 	transformed := map[string]interface{}{
-		"layer4_configs": flattenComputeFirewallPolicyRuleMatchLayer4ConfigsArray(obj.Layer4Configs),
-		"dest_ip_ranges": obj.DestIPRanges,
-		"src_ip_ranges":  obj.SrcIPRanges,
+		"layer4_configs":            flattenComputeFirewallPolicyRuleMatchLayer4ConfigsArray(obj.Layer4Configs),
+		"dest_fqdns":                obj.DestFqdns,
+		"dest_ip_ranges":            obj.DestIPRanges,
+		"dest_region_codes":         obj.DestRegionCodes,
+		"dest_threat_intelligences": obj.DestThreatIntelligences,
+		"src_fqdns":                 obj.SrcFqdns,
+		"src_ip_ranges":             obj.SrcIPRanges,
+		"src_region_codes":          obj.SrcRegionCodes,
+		"src_threat_intelligences":  obj.SrcThreatIntelligences,
 	}
 
 	return []interface{}{transformed}

diff --git a/google/resource_compute_firewall_policy_rule_test.go b/google/resource_compute_firewall_policy_rule_test.go
@@ -108,6 +108,9 @@ resource "google_compute_firewall_policy_rule" "default" {
       ports = [80, 8080]
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = []
+    dest_region_codes = []
+    dest_threat_intelligences = []
   }
 }
 `, context)
@@ -162,6 +165,9 @@ resource "google_compute_firewall_policy_rule" "default" {
       ports = [22]
     }
     dest_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
   target_resources = [google_compute_network.network1.self_link, google_compute_network.network2.self_link]
   target_service_accounts = [google_service_account.service_account.email]
@@ -214,6 +220,9 @@ resource "google_compute_firewall_policy_rule" "default" {
       ports = [22]
     }
     src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
   target_resources = [google_compute_network.network1.self_link]
   target_service_accounts = [google_service_account.service_account.email, google_service_account.service_account2.email]
@@ -294,6 +303,9 @@ resource "google_compute_firewall_policy_rule" "rule1" {
       ports = [80, 8080]
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -314,6 +326,9 @@ resource "google_compute_firewall_policy_rule" "rule2" {
       ip_protocol = "all"
     }
     src_ip_ranges = ["11.100.0.1/32"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 `, context)
@@ -345,6 +360,9 @@ resource "google_compute_firewall_policy_rule" "rule1" {
       ip_protocol = "tcp"
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -365,6 +383,9 @@ resource "google_compute_firewall_policy_rule" "rule2" {
       ip_protocol = "all"
     }
     src_ip_ranges = ["11.100.0.1/32"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -382,6 +403,9 @@ resource "google_compute_firewall_policy_rule" "rule3" {
       ports = [8000]
     }
     src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 `, context)
@@ -414,6 +438,9 @@ resource "google_compute_firewall_policy_rule" "rule1" {
       ports = [80, 8080]
     }
     dest_ip_ranges = ["11.100.0.1/32"]
+    dest_fqdns = ["google.com"]
+    dest_region_codes = ["US"]
+    dest_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 
@@ -431,6 +458,9 @@ resource "google_compute_firewall_policy_rule" "rule3" {
       ports = [8000]
     }
     src_ip_ranges = ["11.100.0.1/32", "10.0.0.0/24"]
+    src_fqdns = ["google.com"]
+    src_region_codes = ["US"]
+    src_threat_intelligences = ["iplist-known-malicious-ips"]
   }
 }
 `, context)

diff --git a/google/resource_compute_forwarding_rule.go b/google/resource_compute_forwarding_rule.go
@@ -190,6 +190,14 @@ func ResourceComputeForwardingRule() *schema.Resource {
 				ValidateFunc: validateGCEName,
 			},
 
+			"source_ip_ranges": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "If not empty, this Forwarding Rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a Forwarding Rule can only have up to 64 source IP ranges, and this field can only be used with a regional Forwarding Rule whose scheme is EXTERNAL. Each sourceIpRange entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
 			"subnetwork": {
 				Type:             schema.TypeString,
 				Computed:         true,
@@ -206,6 +214,12 @@ func ResourceComputeForwardingRule() *schema.Resource {
 				Description:      "The URL of the target resource to receive the matched traffic. For regional forwarding rules, this target must live in the same region as the forwarding rule. For global forwarding rules, this target must be a global load balancing resource. The forwarded traffic must be of a type appropriate to the target object. For `INTERNAL_SELF_MANAGED` load balancing, only `targetHttpProxy` is valid, not `targetHttpsProxy`.",
 			},
 
+			"base_forwarding_rule": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "[Output Only] The URL for the corresponding base Forwarding Rule. By base Forwarding Rule, we mean the Forwarding Rule that has the same IP address, protocol, and port settings with the current Forwarding Rule, but without sourceIPRanges specified. Always empty if the current Forwarding Rule does not have sourceIPRanges specified.",
+			},
+
 			"creation_timestamp": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -296,6 +310,7 @@ func resourceComputeForwardingRuleCreate(d *schema.ResourceData, meta interface{
 		Location:                      dcl.String(region),
 		ServiceDirectoryRegistrations: expandComputeForwardingRuleServiceDirectoryRegistrationsArray(d.Get("service_directory_registrations")),
 		ServiceLabel:                  dcl.String(d.Get("service_label").(string)),
+		SourceIPRanges:                expandStringArray(d.Get("source_ip_ranges")),
 		Subnetwork:                    dcl.StringOrNil(d.Get("subnetwork").(string)),
 		Target:                        dcl.String(d.Get("target").(string)),
 	}
@@ -367,6 +382,7 @@ func resourceComputeForwardingRuleRead(d *schema.ResourceData, meta interface{})
 		Location:                      dcl.String(region),
 		ServiceDirectoryRegistrations: expandComputeForwardingRuleServiceDirectoryRegistrationsArray(d.Get("service_directory_registrations")),
 		ServiceLabel:                  dcl.String(d.Get("service_label").(string)),
+		SourceIPRanges:                expandStringArray(d.Get("source_ip_ranges")),
 		Subnetwork:                    dcl.StringOrNil(d.Get("subnetwork").(string)),
 		Target:                        dcl.String(d.Get("target").(string)),
 	}
@@ -447,12 +463,18 @@ func resourceComputeForwardingRuleRead(d *schema.ResourceData, meta interface{})
 	if err = d.Set("service_label", res.ServiceLabel); err != nil {
 		return fmt.Errorf("error setting service_label in state: %s", err)
 	}
+	if err = d.Set("source_ip_ranges", res.SourceIPRanges); err != nil {
+		return fmt.Errorf("error setting source_ip_ranges in state: %s", err)
+	}
 	if err = d.Set("subnetwork", res.Subnetwork); err != nil {
 		return fmt.Errorf("error setting subnetwork in state: %s", err)
 	}
 	if err = d.Set("target", res.Target); err != nil {
 		return fmt.Errorf("error setting target in state: %s", err)
 	}
+	if err = d.Set("base_forwarding_rule", res.BaseForwardingRule); err != nil {
+		return fmt.Errorf("error setting base_forwarding_rule in state: %s", err)
+	}
 	if err = d.Set("creation_timestamp", res.CreationTimestamp); err != nil {
 		return fmt.Errorf("error setting creation_timestamp in state: %s", err)
 	}
@@ -504,6 +526,7 @@ func resourceComputeForwardingRuleUpdate(d *schema.ResourceData, meta interface{
 		Location:                      dcl.String(region),
 		ServiceDirectoryRegistrations: expandComputeForwardingRuleServiceDirectoryRegistrationsArray(d.Get("service_directory_registrations")),
 		ServiceLabel:                  dcl.String(d.Get("service_label").(string)),
+		SourceIPRanges:                expandStringArray(d.Get("source_ip_ranges")),
 		Subnetwork:                    dcl.StringOrNil(d.Get("subnetwork").(string)),
 		Target:                        dcl.String(d.Get("target").(string)),
 	}
@@ -570,6 +593,7 @@ func resourceComputeForwardingRuleDelete(d *schema.ResourceData, meta interface{
 		Location:                      dcl.String(region),
 		ServiceDirectoryRegistrations: expandComputeForwardingRuleServiceDirectoryRegistrationsArray(d.Get("service_directory_registrations")),
 		ServiceLabel:                  dcl.String(d.Get("service_label").(string)),
+		SourceIPRanges:                expandStringArray(d.Get("source_ip_ranges")),
 		Subnetwork:                    dcl.StringOrNil(d.Get("subnetwork").(string)),
 		Target:                        dcl.String(d.Get("target").(string)),
 	}

diff --git a/google/resource_compute_global_forwarding_rule.go b/google/resource_compute_global_forwarding_rule.go
@@ -140,6 +140,20 @@ func ResourceComputeGlobalForwardingRule() *schema.Resource {
 				Description:      "The project this resource belongs in.",
 			},
 
+			"source_ip_ranges": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "If not empty, this Forwarding Rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a Forwarding Rule can only have up to 64 source IP ranges, and this field can only be used with a regional Forwarding Rule whose scheme is EXTERNAL. Each sourceIpRange entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
+			"base_forwarding_rule": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "[Output Only] The URL for the corresponding base Forwarding Rule. By base Forwarding Rule, we mean the Forwarding Rule that has the same IP address, protocol, and port settings with the current Forwarding Rule, but without sourceIPRanges specified. Always empty if the current Forwarding Rule does not have sourceIPRanges specified.",
+			},
+
 			"label_fingerprint": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -230,6 +244,7 @@ func resourceComputeGlobalForwardingRuleCreate(d *schema.ResourceData, meta inte
 		Network:             dcl.StringOrNil(d.Get("network").(string)),
 		PortRange:           dcl.String(d.Get("port_range").(string)),
 		Project:             dcl.String(project),
+		SourceIPRanges:      expandStringArray(d.Get("source_ip_ranges")),
 	}
 
 	id, err := obj.ID()
@@ -289,6 +304,7 @@ func resourceComputeGlobalForwardingRuleRead(d *schema.ResourceData, meta interf
 		Network:             dcl.StringOrNil(d.Get("network").(string)),
 		PortRange:           dcl.String(d.Get("port_range").(string)),
 		Project:             dcl.String(project),
+		SourceIPRanges:      expandStringArray(d.Get("source_ip_ranges")),
 	}
 
 	userAgent, err := generateUserAgentString(d, config.UserAgent)
@@ -349,6 +365,12 @@ func resourceComputeGlobalForwardingRuleRead(d *schema.ResourceData, meta interf
 	if err = d.Set("project", res.Project); err != nil {
 		return fmt.Errorf("error setting project in state: %s", err)
 	}
+	if err = d.Set("source_ip_ranges", res.SourceIPRanges); err != nil {
+		return fmt.Errorf("error setting source_ip_ranges in state: %s", err)
+	}
+	if err = d.Set("base_forwarding_rule", res.BaseForwardingRule); err != nil {
+		return fmt.Errorf("error setting base_forwarding_rule in state: %s", err)
+	}
 	if err = d.Set("label_fingerprint", res.LabelFingerprint); err != nil {
 		return fmt.Errorf("error setting label_fingerprint in state: %s", err)
 	}
@@ -384,6 +406,7 @@ func resourceComputeGlobalForwardingRuleUpdate(d *schema.ResourceData, meta inte
 		Network:             dcl.StringOrNil(d.Get("network").(string)),
 		PortRange:           dcl.String(d.Get("port_range").(string)),
 		Project:             dcl.String(project),
+		SourceIPRanges:      expandStringArray(d.Get("source_ip_ranges")),
 	}
 	directive := UpdateDirective
 	userAgent, err := generateUserAgentString(d, config.UserAgent)
@@ -438,6 +461,7 @@ func resourceComputeGlobalForwardingRuleDelete(d *schema.ResourceData, meta inte
 		Network:             dcl.StringOrNil(d.Get("network").(string)),
 		PortRange:           dcl.String(d.Get("port_range").(string)),
 		Project:             dcl.String(project),
+		SourceIPRanges:      expandStringArray(d.Get("source_ip_ranges")),
 	}
 
 	log.Printf("[DEBUG] Deleting ForwardingRule %q", d.Id())