Add support for routing_mode to google_network_services_gateway (#11840)

GoogleCloudPlatform · Oct 4, 2024 · 43a7536 · 43a7536
1 parent 55574a4
commit 43a7536
Show file tree

Hide file tree

Showing 3 changed files with 224 additions and 2 deletions.
diff --git a/mmv1/products/networkservices/Gateway.yaml b/mmv1/products/networkservices/Gateway.yaml
@@ -54,7 +54,7 @@ async:
 custom_code:
   constants: 'templates/terraform/constants/network_services_gateway.go.tmpl'
   post_delete: 'templates/terraform/post_delete/network_services_gateway.go.tmpl'
-  pre_update: 'templates/terraform/pre_update/network_services_gateway.tmpl'
+  pre_update: 'templates/terraform/pre_update/network_services_gateway.go.tmpl'
 examples:
   - name: 'network_services_gateway_basic'
     primary_resource_id: 'default'
@@ -206,3 +206,9 @@ properties:
       This feature only applies to gateways of type 'SECURE_WEB_GATEWAY'.
     item_type:
       type: String
+  - name: 'routingMode'
+    type: Enum
+    description: |
+      The routing mode of the Gateway. This field is configurable only for gateways of type SECURE_WEB_GATEWAY. This field is required for gateways of type SECURE_WEB_GATEWAY.
+    enum_values:
+      - 'NEXT_HOP_ROUTING_MODE'
diff --git a/.../pre_update/network_services_gateway.tmpl → ...e_update/network_services_gateway.go.tmpl b/.../pre_update/network_services_gateway.tmpl → ...e_update/network_services_gateway.go.tmpl
@@ -1,4 +1,5 @@
 if d.Get("type") == "SECURE_WEB_GATEWAY" {
     obj["name"] = d.Get("name")
     obj["type"] = d.Get("type")
+    obj["routingMode"] = d.Get("routingMode")
 }
diff --git a/.../third_party/terraform/services/networkservices/resource_network_services_gateway_test.go b/.../third_party/terraform/services/networkservices/resource_network_services_gateway_test.go
@@ -169,7 +169,7 @@ resource "google_network_services_gateway" "default" {
 	return config
 }
 
-func TestAccNetworkServicesGateway_updateSwp(t *testing.T) {
+func TestAccNetworkServicesGateway_swpUpdate(t *testing.T) {
 	cmName := fmt.Sprintf("tf-test-gateway-swp-cm-%s", acctest.RandString(t, 10))
 	netName := fmt.Sprintf("tf-test-gateway-swp-net-%s", acctest.RandString(t, 10))
 	subnetName := fmt.Sprintf("tf-test-gateway-swp-subnet-%s", acctest.RandString(t, 10))
@@ -914,3 +914,218 @@ resource "google_network_services_gateway" "foobar" {
 }
 `, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName)
 }
+
+func TestAccNetworkServicesGateway_swpAsNextHop(t *testing.T) {
+	context := map[string]interface{}{
+		"region":        "us-east1",
+		"random_suffix": fmt.Sprintf("-%s", acctest.RandString(t, 10)),
+		"name_prefix":   "tf-test-gateway-",
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckNetworkServicesGatewayDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkServicesGateway_swpAsNextHop(context),
+			},
+			{
+				ResourceName:            "google_network_services_gateway.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name", "location", "delete_swg_autogen_router_on_destroy"},
+			},
+		},
+	})
+}
+
+func testAccNetworkServicesGateway_swpAsNextHop(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_compute_network" "default" {
+  name                    = "%{name_prefix}network%{random_suffix}"
+  routing_mode            = "REGIONAL"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "proxyonlysubnet" {
+  name          = "%{name_prefix}proxysubnet%{random_suffix}"
+  purpose       = "REGIONAL_MANAGED_PROXY"
+  ip_cidr_range = "192.168.0.0/23"
+  region        = "%{region}"
+  network       = google_compute_network.default.id
+  role          = "ACTIVE"
+}
+
+resource "google_compute_subnetwork" "default" {
+  name          = "%{name_prefix}subnet%{random_suffix}"
+  purpose       = "PRIVATE"
+  ip_cidr_range = "10.128.0.0/20"
+  region        = "%{region}"
+  network       = google_compute_network.default.id
+  role          = "ACTIVE"
+}
+
+resource "google_privateca_ca_pool" "default" {
+  name     = "%{name_prefix}ca-pool%{random_suffix}"
+  location = "%{region}"
+  tier     = "DEVOPS"
+
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl     = false
+  }
+
+  issuance_policy {
+    maximum_lifetime = "1209600s"
+    baseline_values {
+      ca_options {
+        is_ca = false
+      }
+      key_usage {
+        base_key_usage {}
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+}
+  
+resource "google_privateca_certificate_authority" "default" {
+  pool                                   = google_privateca_ca_pool.default.name
+  certificate_authority_id               = "%{name_prefix}certificate-authority%{random_suffix}"
+  location                               = "%{region}"
+  lifetime                               = "86400s"
+  type                                   = "SELF_SIGNED"
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
+
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name  = "private-certificate-authority"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+resource "google_certificate_manager_certificate" "default" {
+  name     = "%{name_prefix}certificate%{random_suffix}"
+  location = "%{region}"
+
+  self_managed {
+    pem_certificate = file("test-fixtures/cert.pem")
+    pem_private_key = file("test-fixtures/private-key.pem")
+  }
+}
+
+resource "google_network_security_tls_inspection_policy" "default" {
+  name     = "%{name_prefix}tls-insp-policy%{random_suffix}"
+  location = "%{region}"
+  ca_pool  = google_privateca_ca_pool.default.id
+
+  depends_on = [
+    google_privateca_ca_pool.default,
+    google_privateca_certificate_authority.default
+  ]
+}
+
+resource "google_network_security_gateway_security_policy" "default" {
+  name                  = "%{name_prefix}sec-policy%{random_suffix}"
+  location              = "%{region}"
+  description           = "my description"
+  tls_inspection_policy = google_network_security_tls_inspection_policy.default.id
+
+  depends_on = [
+    google_network_security_tls_inspection_policy.default
+  ]
+}
+
+resource "google_network_security_gateway_security_policy_rule" "default" {
+  name                    = "%{name_prefix}sec-policy-rule%{random_suffix}"
+  location                = "%{region}"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true
+  description             = "my description"
+  priority                = 0
+  session_matcher         = "host() == 'example.com'"
+  application_matcher     = "request.method == 'POST'"
+  tls_inspection_enabled  = true
+  basic_profile           = "ALLOW"
+}
+
+resource "google_network_services_gateway" "default" {
+  name                                 = "%{name_prefix}swp%{random_suffix}"
+  location                             = "%{region}"
+  addresses                            = ["10.128.0.99"]
+  type                                 = "SECURE_WEB_GATEWAY"
+  routing_mode                         = "NEXT_HOP_ROUTING_MODE"
+  ports                                = [443]
+  description                          = "my description"
+  scope                                = "%s"
+  certificate_urls                     = [google_certificate_manager_certificate.default.id]
+  gateway_security_policy              = google_network_security_gateway_security_policy.default.id
+  network                              = google_compute_network.default.id
+  subnetwork                           = google_compute_subnetwork.default.id
+  delete_swg_autogen_router_on_destroy = true
+  depends_on                           = [google_compute_subnetwork.proxyonlysubnet]
+}
+
+resource "google_compute_route" "default" {
+  name        = "%{name_prefix}route%{random_suffix}"
+  dest_range  = "15.0.0.0/24"
+  network     = google_compute_network.default.name
+  next_hop_ip = google_network_services_gateway.default.addresses[0]
+  priority    = 100
+}
+
+resource "google_network_connectivity_policy_based_route" "swproute" {
+  name            = "%{name_prefix}policy-based-swp-route%{random_suffix}"
+  description     = "My routing policy"
+  network         = google_compute_network.default.id
+  next_hop_ilb_ip = google_network_services_gateway.default.addresses[0]
+  priority        = 2
+
+  filter {
+    protocol_version = "IPV4"
+    src_range        = "10.0.0.0/24"
+    dest_range       = "15.0.0.0/24"
+  }
+}
+
+resource "google_network_connectivity_policy_based_route" "default" {
+  name                  = "%{name_prefix}policy-based-route%{random_suffix}"
+  description           = "My routing policy"
+  network               = google_compute_network.default.id
+  next_hop_other_routes = "DEFAULT_ROUTING"
+  priority              = 1
+
+  filter {
+    protocol_version = "IPV4"
+    src_range        = "10.0.0.0/24"
+    dest_range       = "15.0.0.0/24"
+  }
+}
+	`, context)
+}