From 43a75362f6b99c8948441667d144a1fb9b21ae13 Mon Sep 17 00:00:00 2001
From: Samir Ribeiro <42391123+Samir-Cit@users.noreply.github.com>
Date: Fri, 4 Oct 2024 17:41:26 -0300
Subject: [PATCH] Add support for routing_mode to google_network_services_gateway (#11840)
---
 mmv1/products/networkservices/Gateway.yaml | 8 +-
 ....tmpl => network_services_gateway.go.tmpl} | 1 +
 .../resource_network_services_gateway_test.go | 217 +++++++++++++++++-
 3 files changed, 224 insertions(+), 2 deletions(-)
 rename mmv1/templates/terraform/pre_update/{network_services_gateway.tmpl => network_services_gateway.go.tmpl} (68%)
diff --git a/mmv1/products/networkservices/Gateway.yaml b/mmv1/products/networkservices/Gateway.yaml
index 99e3df6ad299..d68da1c01f5d 100644
--- a/mmv1/products/networkservices/Gateway.yaml
+++ b/mmv1/products/networkservices/Gateway.yaml
@@ -54,7 +54,7 @@ async:
 custom_code:
 constants: 'templates/terraform/constants/network_services_gateway.go.tmpl'
 post_delete: 'templates/terraform/post_delete/network_services_gateway.go.tmpl'
- pre_update: 'templates/terraform/pre_update/network_services_gateway.tmpl'
+ pre_update: 'templates/terraform/pre_update/network_services_gateway.go.tmpl'
 examples:
 - name: 'network_services_gateway_basic'
 primary_resource_id: 'default'
@@ -206,3 +206,9 @@ properties:
 This feature only applies to gateways of type 'SECURE_WEB_GATEWAY'.
 item_type:
 type: String
+ - name: 'routingMode'
+ type: Enum
+ description: |
+ The routing mode of the Gateway. This field is configurable only for gateways of type SECURE_WEB_GATEWAY. This field is required for gateways of type SECURE_WEB_GATEWAY.
+ enum_values:
+ - 'NEXT_HOP_ROUTING_MODE'
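Review bot: The new `routingMode` property's description states that the field is required for SECURE_WEB_GATEWAY gateways, yet the schema adds neither `required` nor `default_from_api` nor any validation, so a SECURE_WEB_GATEWAY config that omits `routing_mode` is accepted by the provider and only rejected, if at all, by the API at apply time. If the API populates a default routing mode for gateways created without one, reads will also produce a permanent plan diff unless `default_from_api: true` is set. Please confirm the API behaviour and either mark the field accordingly or reword the description to say what happens when it is omitted, e.g. `Required for gateways of type SECURE_WEB_GATEWAY; omitting it is rejected by the API.`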
diff --git a/mmv1/templates/terraform/pre_update/network_services_gateway.tmpl b/mmv1/templates/terraform/pre_update/network_services_gateway.go.tmpl
similarity index 68%
rename from mmv1/templates/terraform/pre_update/network_services_gateway.tmpl
rename to mmv1/templates/terraform/pre_update/network_services_gateway.go.tmpl
index feed1adcc26e..3f976f267b19 100644
--- a/mmv1/templates/terraform/pre_update/network_services_gateway.tmpl
+++ b/mmv1/templates/terraform/pre_update/network_services_gateway.go.tmpl
@@ -1,4 +1,5 @@
 if d.Get("type") == "SECURE_WEB_GATEWAY" {
 obj["name"] = d.Get("name")
 obj["type"] = d.Get("type")
+ obj["routingMode"] = d.Get("routingMode")
 }
\ No newline at end of file
diff --git a/mmv1/third_party/terraform/services/networkservices/resource_network_services_gateway_test.go b/mmv1/third_party/terraform/services/networkservices/resource_network_services_gateway_test.go
index b889daba865e..6f20ec7a7dae 100644
--- a/mmv1/third_party/terraform/services/networkservices/resource_network_services_gateway_test.go
+++ b/mmv1/third_party/terraform/services/networkservices/resource_network_services_gateway_test.go
@@ -169,7 +169,7 @@ resource "google_network_services_gateway" "default" {
 return config
 }
 
-func TestAccNetworkServicesGateway_updateSwp(t *testing.T) {
+func TestAccNetworkServicesGateway_swpUpdate(t *testing.T) {
 cmName := fmt.Sprintf("tf-test-gateway-swp-cm-%s", acctest.RandString(t, 10))
 netName := fmt.Sprintf("tf-test-gateway-swp-net-%s", acctest.RandString(t, 10))
 subnetName := fmt.Sprintf("tf-test-gateway-swp-subnet-%s", acctest.RandString(t, 10))
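Review bot: `obj["routingMode"] = d.Get("routingMode")` reads the resource data with the API field name, but the generated Terraform schema keys attributes in snake_case — the test config on this page sets `routing_mode` — so this lookup most likely returns nil and the SECURE_WEB_GATEWAY update body carries an empty routingMode instead of the configured value. The two neighbouring lines only work because `name` and `type` are spelled identically in both conventions. The fix is `obj["routingMode"] = d.Get("routing_mode")`; the enclosing `if` block is fully visible in the hunk.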
@@ -914,3 +914,218 @@ resource "google_network_services_gateway" "foobar" {
 }
 `, netName, subnetName, pSubnetName, policyName, ruleName, gatewayName)
 }
+
+func TestAccNetworkServicesGateway_swpAsNextHop(t *testing.T) {
+ context := map[string]interface{}{
+ "region": "us-east1",
+ "random_suffix": fmt.Sprintf("-%s", acctest.RandString(t, 10)),
+ "name_prefix": "tf-test-gateway-",
+ }
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckNetworkServicesGatewayDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccNetworkServicesGateway_swpAsNextHop(context),
+ },
+ {
+ ResourceName: "google_network_services_gateway.default",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"name", "location", "delete_swg_autogen_router_on_destroy"},
+ },
+ },
+ })
+}
+
+func testAccNetworkServicesGateway_swpAsNextHop(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+resource "google_compute_network" "default" {
+ name = "%{name_prefix}network%{random_suffix}"
+ routing_mode = "REGIONAL"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "proxyonlysubnet" {
+ name = "%{name_prefix}proxysubnet%{random_suffix}"
+ purpose = "REGIONAL_MANAGED_PROXY"
+ ip_cidr_range = "192.168.0.0/23"
+ region = "%{region}"
+ network = google_compute_network.default.id
+ role = "ACTIVE"
+}
+
+resource "google_compute_subnetwork" "default" {
+ name = "%{name_prefix}subnet%{random_suffix}"
+ purpose = "PRIVATE"
+ ip_cidr_range = "10.128.0.0/20"
+ region = "%{region}"
+ network = google_compute_network.default.id
+ role = "ACTIVE"
+}
+
+resource "google_privateca_ca_pool" "default" {
+ name = "%{name_prefix}ca-pool%{random_suffix}"
+ location = "%{region}"
+ tier = "DEVOPS"
+
+ publishing_options {
+ publish_ca_cert = false
+ publish_crl = false
+ }
+
+ issuance_policy {
+ maximum_lifetime = "1209600s"
+ baseline_values {
+ ca_options {
+ is_ca = false
+ }
+ key_usage {
+ base_key_usage {}
+ extended_key_usage {
+ server_auth = true
+ }
+ }
+ }
+ }
+}
+
+resource "google_privateca_certificate_authority" "default" {
+ pool = google_privateca_ca_pool.default.name
+ certificate_authority_id = "%{name_prefix}certificate-authority%{random_suffix}"
+ location = "%{region}"
+ lifetime = "86400s"
+ type = "SELF_SIGNED"
+ deletion_protection = false
+ skip_grace_period = true
+ ignore_active_certificates_on_deletion = true
+
+ config {
+ subject_config {
+ subject {
+ organization = "Test LLC"
+ common_name = "private-certificate-authority"
+ }
+ }
+ x509_config {
+ ca_options {
+ is_ca = true
+ }
+ key_usage {
+ base_key_usage {
+ cert_sign = true
+ crl_sign = true
+ }
+ extended_key_usage {
+ server_auth = false
+ }
+ }
+ }
+ }
+
+ key_spec {
+ algorithm = "RSA_PKCS1_4096_SHA256"
+ }
+}
+
+resource "google_certificate_manager_certificate" "default" {
+ name = "%{name_prefix}certificate%{random_suffix}"
+ location = "%{region}"
+
+ self_managed {
+ pem_certificate = file("test-fixtures/cert.pem")
+ pem_private_key = file("test-fixtures/private-key.pem")
+ }
+}
+
+resource "google_network_security_tls_inspection_policy" "default" {
+ name = "%{name_prefix}tls-insp-policy%{random_suffix}"
+ location = "%{region}"
+ ca_pool = google_privateca_ca_pool.default.id
+
+ depends_on = [
+ google_privateca_ca_pool.default,
+ google_privateca_certificate_authority.default
+ ]
+}
+
+resource "google_network_security_gateway_security_policy" "default" {
+ name = "%{name_prefix}sec-policy%{random_suffix}"
+ location = "%{region}"
+ description = "my description"
+ tls_inspection_policy = google_network_security_tls_inspection_policy.default.id
+
+ depends_on = [
+ google_network_security_tls_inspection_policy.default
+ ]
+}
+
+resource "google_network_security_gateway_security_policy_rule" "default" {
+ name = "%{name_prefix}sec-policy-rule%{random_suffix}"
+ location = "%{region}"
+ gateway_security_policy = google_network_security_gateway_security_policy.default.name
+ enabled = true
+ description = "my description"
+ priority = 0
+ session_matcher = "host() == 'example.com'"
+ application_matcher = "request.method == 'POST'"
+ tls_inspection_enabled = true
+ basic_profile = "ALLOW"
+}
+
+resource "google_network_services_gateway" "default" {
+ name = "%{name_prefix}swp%{random_suffix}"
+ location = "%{region}"
+ addresses = ["10.128.0.99"]
+ type = "SECURE_WEB_GATEWAY"
+ routing_mode = "NEXT_HOP_ROUTING_MODE"
+ ports = [443]
+ description = "my description"
+ scope = "%s"
+ certificate_urls = [google_certificate_manager_certificate.default.id]
+ gateway_security_policy = google_network_security_gateway_security_policy.default.id
+ network = google_compute_network.default.id
+ subnetwork = google_compute_subnetwork.default.id
+ delete_swg_autogen_router_on_destroy = true
+ depends_on = [google_compute_subnetwork.proxyonlysubnet]
+}
+
+resource "google_compute_route" "default" {
+ name = "%{name_prefix}route%{random_suffix}"
+ dest_range = "15.0.0.0/24"
+ network = google_compute_network.default.name
+ next_hop_ip = google_network_services_gateway.default.addresses[0]
+ priority = 100
+}
+
+resource "google_network_connectivity_policy_based_route" "swproute" {
+ name = "%{name_prefix}policy-based-swp-route%{random_suffix}"
+ description = "My routing policy"
+ network = google_compute_network.default.id
+ next_hop_ilb_ip = google_network_services_gateway.default.addresses[0]
+ priority = 2
+
+ filter {
+ protocol_version = "IPV4"
+ src_range = "10.0.0.0/24"
+ dest_range = "15.0.0.0/24"
+ }
+}
+
+resource "google_network_connectivity_policy_based_route" "default" {
+ name = "%{name_prefix}policy-based-route%{random_suffix}"
+ description = "My routing policy"
+ network = google_compute_network.default.id
+ next_hop_other_routes = "DEFAULT_ROUTING"
+ priority = 1
+
+ filter {
+ protocol_version = "IPV4"
+ src_range = "10.0.0.0/24"
+ dest_range = "15.0.0.0/24"
+ }
+}
+ `, context)
+}
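Review bot: `scope = "%s"` in the config returned by testAccNetworkServicesGateway_swpAsNextHop is a leftover fmt verb: acctest.Nprintf only substitutes `%{key}` tokens from the context map, so the gateway is created with the literal scope string `%s` rather than a test-generated value. Either drop the attribute or add a `"scope"` entry to `context` and write `scope = "%{scope}"`. If the API rejects the literal, the step fails before the `routing_mode` behaviour under test is exercised; if it accepts it, the test silently asserts a value nobody intended.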