add serverTLSpolicy to google_compute_region_target_https_proxy (#9105)…

… (#7280) [upstream:a9430683005fe7908171c8e537eb929985964f48] Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Apr 23, 2024 · afcb54a · afcb54a
1 parent 0dc9aa9
commit afcb54a
Show file tree

Hide file tree

Showing 3 changed files with 291 additions and 2 deletions.
diff --git a/google-beta/services/compute/resource_compute_region_target_https_proxy.go b/google-beta/services/compute/resource_compute_region_target_https_proxy.go
@@ -101,6 +101,21 @@ Accepted format is '//certificatemanager.googleapis.com/projects/{project}/locat
 				DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
 				Description: `The Region in which the created target https proxy should reside.
 If it is not provided, the provider region is used.`,
+			},
+			"server_tls_policy": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
+				Description: `A URL referring to a networksecurity.ServerTlsPolicy
+resource that describes how the proxy should authenticate inbound
+traffic. serverTlsPolicy only applies to a global TargetHttpsProxy
+attached to globalForwardingRules with the loadBalancingScheme
+set to INTERNAL_SELF_MANAGED or EXTERNAL or EXTERNAL_MANAGED.
+For details which ServerTlsPolicy resources are accepted with
+INTERNAL_SELF_MANAGED and which with EXTERNAL, EXTERNAL_MANAGED
+loadBalancingScheme consult ServerTlsPolicy documentation.
+If left blank, communications are not encrypted.`,
 			},
 			"ssl_certificates": {
 				Type:     schema.TypeList,
@@ -192,6 +207,12 @@ func resourceComputeRegionTargetHttpsProxyCreate(d *schema.ResourceData, meta in
 	} else if v, ok := d.GetOkExists("url_map"); !tpgresource.IsEmptyValue(reflect.ValueOf(urlMapProp)) && (ok || !reflect.DeepEqual(v, urlMapProp)) {
 		obj["urlMap"] = urlMapProp
 	}
+	serverTlsPolicyProp, err := expandComputeRegionTargetHttpsProxyServerTlsPolicy(d.Get("server_tls_policy"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("server_tls_policy"); !tpgresource.IsEmptyValue(reflect.ValueOf(serverTlsPolicyProp)) && (ok || !reflect.DeepEqual(v, serverTlsPolicyProp)) {
+		obj["serverTlsPolicy"] = serverTlsPolicyProp
+	}
 	regionProp, err := expandComputeRegionTargetHttpsProxyRegion(d.Get("region"), d, config)
 	if err != nil {
 		return err
@@ -338,6 +359,9 @@ func resourceComputeRegionTargetHttpsProxyRead(d *schema.ResourceData, meta inte
 	if err := d.Set("url_map", flattenComputeRegionTargetHttpsProxyUrlMap(res["urlMap"], d, config)); err != nil {
 		return fmt.Errorf("Error reading RegionTargetHttpsProxy: %s", err)
 	}
+	if err := d.Set("server_tls_policy", flattenComputeRegionTargetHttpsProxyServerTlsPolicy(res["serverTlsPolicy"], d, config)); err != nil {
+		return fmt.Errorf("Error reading RegionTargetHttpsProxy: %s", err)
+	}
 	if err := d.Set("region", flattenComputeRegionTargetHttpsProxyRegion(res["region"], d, config)); err != nil {
 		return fmt.Errorf("Error reading RegionTargetHttpsProxy: %s", err)
 	}
@@ -608,6 +632,13 @@ func flattenComputeRegionTargetHttpsProxyUrlMap(v interface{}, d *schema.Resourc
 	return tpgresource.ConvertSelfLinkToV1(v.(string))
 }
 
+func flattenComputeRegionTargetHttpsProxyServerTlsPolicy(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	return tpgresource.ConvertSelfLinkToV1(v.(string))
+}
+
 func flattenComputeRegionTargetHttpsProxyRegion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -680,6 +711,10 @@ func expandComputeRegionTargetHttpsProxyUrlMap(v interface{}, d tpgresource.Terr
 	return f.RelativeLink(), nil
 }
 
+func expandComputeRegionTargetHttpsProxyServerTlsPolicy(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandComputeRegionTargetHttpsProxyRegion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	f, err := tpgresource.ParseGlobalFieldValue("regions", v.(string), "project", d, config, true)
 	if err != nil {

diff --git a/google-beta/services/compute/resource_compute_region_target_https_proxy_generated_test.go b/google-beta/services/compute/resource_compute_region_target_https_proxy_generated_test.go
@@ -49,7 +49,7 @@ func TestAccComputeRegionTargetHttpsProxy_regionTargetHttpsProxyBasicExample(t *
 				ResourceName:            "google_compute_region_target_https_proxy.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ssl_policy", "url_map", "region"},
+				ImportStateVerifyIgnore: []string{"ssl_policy", "url_map", "server_tls_policy", "region"},
 			},
 		},
 	})
@@ -114,6 +114,137 @@ resource "google_compute_region_health_check" "default" {
 `, context)
 }
 
+func TestAccComputeRegionTargetHttpsProxy_regionTargetHttpsProxyMtlsExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckComputeRegionTargetHttpsProxyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionTargetHttpsProxy_regionTargetHttpsProxyMtlsExample(context),
+			},
+			{
+				ResourceName:            "google_compute_region_target_https_proxy.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ssl_policy", "url_map", "server_tls_policy", "region"},
+			},
+		},
+	})
+}
+
+func testAccComputeRegionTargetHttpsProxy_regionTargetHttpsProxyMtlsExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+data "google_project" "project" {
+  provider = google-beta
+}
+
+resource "google_compute_region_target_https_proxy" "default" {
+  provider          = google-beta
+  region           = "us-central1"
+  name              = "tf-test-test-mtls-proxy%{random_suffix}"
+  url_map           = google_compute_region_url_map.default.id
+  ssl_certificates  = [google_compute_region_ssl_certificate.default.id]
+  server_tls_policy = google_network_security_server_tls_policy.default.id
+}
+
+resource "google_certificate_manager_trust_config" "default" {
+  provider    = google-beta
+  location    = "us-central1"
+  name        = "tf-test-my-trust-config%{random_suffix}"
+  description = "sample description for trust config"
+
+  trust_stores {
+    trust_anchors {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+    intermediate_cas {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+  }
+
+  labels = {
+    foo = "bar"
+  }
+}
+
+resource "google_network_security_server_tls_policy" "default" {
+  provider               = google-beta
+  location               = "us-central1"
+  name                   = "tf-test-my-tls-policy%{random_suffix}"
+  description            = "my description"
+  allow_open             = "false"
+  mtls_policy {
+    client_validation_mode = "REJECT_INVALID"
+    client_validation_trust_config = "projects/${data.google_project.project.number}/locations/us-central1/trustConfigs/${google_certificate_manager_trust_config.default.name}"
+  }
+}
+
+resource "google_compute_region_ssl_certificate" "default" {
+  provider    = google-beta
+  region      = "us-central1"
+  name        = "tf-test-my-certificate%{random_suffix}"
+  private_key = file("test-fixtures/test.key")
+  certificate = file("test-fixtures/test.crt")
+}
+
+resource "google_compute_region_url_map" "default" {
+  provider    = google-beta
+  region      = "us-central1"
+  name        = "tf-test-url-map%{random_suffix}"
+  description = "a description"
+
+  default_service = google_compute_region_backend_service.default.id
+
+  host_rule {
+    hosts        = ["mysite.com"]
+    path_matcher = "allpaths"
+  }
+
+  path_matcher {
+    name            = "allpaths"
+    default_service = google_compute_region_backend_service.default.id
+
+    path_rule {
+      paths   = ["/*"]
+      service = google_compute_region_backend_service.default.id
+    }
+  }
+}
+
+resource "google_compute_region_backend_service" "default" {
+  provider    = google-beta
+  region      = "us-central1"
+  name        = "tf-test-backend-service%{random_suffix}"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  load_balancing_scheme = "INTERNAL_MANAGED"
+
+  health_checks = [google_compute_region_health_check.default.id]
+}
+
+resource "google_compute_region_health_check" "default" {
+  provider           = google-beta
+  region             = "us-central1"
+  name               = "tf-test-http-health-check%{random_suffix}"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  http_health_check {
+    port = 80
+  }
+}
+`, context)
+}
+
 func TestAccComputeRegionTargetHttpsProxy_regionTargetHttpsProxyCertificateManagerCertificateExample(t *testing.T) {
 	t.Parallel()
 
@@ -133,7 +264,7 @@ func TestAccComputeRegionTargetHttpsProxy_regionTargetHttpsProxyCertificateManag
 				ResourceName:            "google_compute_region_target_https_proxy.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ssl_policy", "url_map", "region"},
+				ImportStateVerifyIgnore: []string{"ssl_policy", "url_map", "server_tls_policy", "region"},
 			},
 		},
 	})

diff --git a/website/docs/r/compute_region_target_https_proxy.html.markdown b/website/docs/r/compute_region_target_https_proxy.html.markdown
@@ -94,6 +94,117 @@ resource "google_compute_region_health_check" "default" {
   }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_target_https_proxy_mtls&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Region Target Https Proxy Mtls
+
+
+```hcl
+data "google_project" "project" {
+  provider = google-beta
+}
+
+resource "google_compute_region_target_https_proxy" "default" {
+  provider          = google-beta
+  region           = "us-central1"
+  name              = "test-mtls-proxy"
+  url_map           = google_compute_region_url_map.default.id
+  ssl_certificates  = [google_compute_region_ssl_certificate.default.id]
+  server_tls_policy = google_network_security_server_tls_policy.default.id
+}
+
+resource "google_certificate_manager_trust_config" "default" {
+  provider    = google-beta
+  location    = "us-central1"
+  name        = "my-trust-config"
+  description = "sample description for trust config"
+
+  trust_stores {
+    trust_anchors {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+    intermediate_cas {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+  }
+
+  labels = {
+    foo = "bar"
+  }
+}
+
+resource "google_network_security_server_tls_policy" "default" {
+  provider               = google-beta
+  location               = "us-central1"
+  name                   = "my-tls-policy"
+  description            = "my description"
+  allow_open             = "false"
+  mtls_policy {
+    client_validation_mode = "REJECT_INVALID"
+    client_validation_trust_config = "projects/${data.google_project.project.number}/locations/us-central1/trustConfigs/${google_certificate_manager_trust_config.default.name}"
+  }
+}
+
+resource "google_compute_region_ssl_certificate" "default" {
+  provider    = google-beta
+  region      = "us-central1"
+  name        = "my-certificate"
+  private_key = file("path/to/private.key")
+  certificate = file("path/to/certificate.crt")
+}
+
+resource "google_compute_region_url_map" "default" {
+  provider    = google-beta
+  region      = "us-central1"
+  name        = "url-map"
+  description = "a description"
+
+  default_service = google_compute_region_backend_service.default.id
+
+  host_rule {
+    hosts        = ["mysite.com"]
+    path_matcher = "allpaths"
+  }
+
+  path_matcher {
+    name            = "allpaths"
+    default_service = google_compute_region_backend_service.default.id
+
+    path_rule {
+      paths   = ["/*"]
+      service = google_compute_region_backend_service.default.id
+    }
+  }
+}
+
+resource "google_compute_region_backend_service" "default" {
+  provider    = google-beta
+  region      = "us-central1"
+  name        = "backend-service"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  load_balancing_scheme = "INTERNAL_MANAGED"
+
+  health_checks = [google_compute_region_health_check.default.id]
+}
+
+resource "google_compute_region_health_check" "default" {
+  provider           = google-beta
+  region             = "us-central1"
+  name               = "http-health-check"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  http_health_check {
+    port = 80
+  }
+}
+```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_target_https_proxy_certificate_manager_certificate&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
@@ -180,6 +291,18 @@ The following arguments are supported:
   the TargetHttpsProxy resource. If not set, the TargetHttpsProxy
   resource will not have any SSL policy configured.
 
+* `server_tls_policy` -
+  (Optional)
+  A URL referring to a networksecurity.ServerTlsPolicy
+  resource that describes how the proxy should authenticate inbound
+  traffic. serverTlsPolicy only applies to a global TargetHttpsProxy
+  attached to globalForwardingRules with the loadBalancingScheme
+  set to INTERNAL_SELF_MANAGED or EXTERNAL or EXTERNAL_MANAGED.
+  For details which ServerTlsPolicy resources are accepted with
+  INTERNAL_SELF_MANAGED and which with EXTERNAL, EXTERNAL_MANAGED
+  loadBalancingScheme consult ServerTlsPolicy documentation.
+  If left blank, communications are not encrypted.
+
 * `region` -
   (Optional)
   The Region in which the created target https proxy should reside.