diff --git a/apis/compute/v1beta1/computefirewallpolicyrule_types.go b/apis/compute/v1beta1/computefirewallpolicyrule_types.go new file mode 100644 index 0000000000..36861f8d24 --- /dev/null +++ b/apis/compute/v1beta1/computefirewallpolicyrule_types.go @@ -0,0 +1,160 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + refs "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1" + commonv1alpha1 "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/apis/common/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +kcc:proto=google.cloud.compute.v1.FirewallPolicyRuleMatcherLayer4Config +type FirewallpolicyruleLayer4Configs struct { + /* The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (`tcp`, `udp`, `icmp`, `esp`, `ah`, `ipip`, `sctp`), or the IP protocol number. */ + IpProtocol string `json:"ipProtocol"` + + /* An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``. */ + // +optional + Ports []string `json:"ports,omitempty"` +} + +// +kcc:proto=google.cloud.compute.v1.FirewallPolicyRuleMatcher +type FirewallpolicyruleMatch struct { + /* Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules. */ + // +optional + DestAddressGroups []string `json:"destAddressGroups,omitempty"` + + /* Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress. */ + // +optional + DestFqdns []string `json:"destFqdns,omitempty"` + + /* CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256. */ + // +optional + DestIPRanges []string `json:"destIPRanges,omitempty"` + + /* The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress. */ + // +optional + DestRegionCodes []string `json:"destRegionCodes,omitempty"` + + /* Name of the Google Cloud Threat Intelligence list. */ + // +optional + DestThreatIntelligences []string `json:"destThreatIntelligences,omitempty"` + + /* Pairs of IP protocols and ports that the rule should match. */ + Layer4Configs []FirewallpolicyruleLayer4Configs `json:"layer4Configs"` + + /* Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules. */ + // +optional + SrcAddressGroups []string `json:"srcAddressGroups,omitempty"` + + /* Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress. */ + // +optional + SrcFqdns []string `json:"srcFqdns,omitempty"` + + /* CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256. */ + // +optional + SrcIPRanges []string `json:"srcIPRanges,omitempty"` + + /* The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress. */ + // +optional + SrcRegionCodes []string `json:"srcRegionCodes,omitempty"` + + /* Name of the Google Cloud Threat Intelligence list. */ + // +optional + SrcThreatIntelligences []string `json:"srcThreatIntelligences,omitempty"` +} + +// +kcc:proto=google.cloud.compute.v1.FirewallPolicyRule +type ComputeFirewallPolicyRuleSpec struct { + /* The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next". */ + Action string `json:"action"` + + /* An optional description for this resource. */ + // +optional + Description *string `json:"description,omitempty"` + + /* The direction in which this rule applies. Possible values: INGRESS, EGRESS */ + Direction string `json:"direction"` + + /* Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ + // +optional + Disabled *bool `json:"disabled,omitempty"` + + /* Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. */ + // +optional + EnableLogging *bool `json:"enableLogging,omitempty"` + + /* Immutable. */ + FirewallPolicyRef *refs.ComputeFirewallPolicyRef `json:"firewallPolicyRef"` + + /* A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. */ + Match *FirewallpolicyruleMatch `json:"match"` + + /* Immutable. An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ + Priority int64 `json:"priority"` + + // +optional + TargetResources []*refs.ComputeNetworkRef `json:"targetResources,omitempty"` + + // +optional + TargetServiceAccounts []*refs.IAMServiceAccountRef `json:"targetServiceAccounts,omitempty"` +} + +// +kcc:proto=google.cloud.compute.v1.FirewallPolicyRule +type ComputeFirewallPolicyRuleStatus struct { + commonv1alpha1.CommonStatus `json:",inline"` + /* Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ + // +optional + Kind *string `json:"kind,omitempty"` + + /* Calculation of the complexity of a single firewall policy rule. */ + // +optional + RuleTupleCount *int64 `json:"ruleTupleCount,omitempty"` +} + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=gcp,shortName=gcpcomputefirewallpolicyrule;gcpcomputefirewallpolicyrules +// +kubebuilder:subresource:status +// +kubebuilder:metadata:labels="cnrm.cloud.google.com/dcl2crd=true";"cnrm.cloud.google.com/managed-by-kcc=true";"cnrm.cloud.google.com/stability-level=stable";"cnrm.cloud.google.com/system=true" +// +kubebuilder:printcolumn:name="Age",JSONPath=".metadata.creationTimestamp",type="date" +// +kubebuilder:printcolumn:name="Ready",JSONPath=".status.conditions[?(@.type=='Ready')].status",type="string",description="When 'True', the most recent reconcile of the resource succeeded" +// +kubebuilder:printcolumn:name="Status",JSONPath=".status.conditions[?(@.type=='Ready')].reason",type="string",description="The reason for the value in 'Ready'" +// +kubebuilder:printcolumn:name="Status Age",JSONPath=".status.conditions[?(@.type=='Ready')].lastTransitionTime",type="date",description="The last transition time for the value in 'Status'" + +// ComputeFirewallPolicyRule is the Schema for the compute API +// +k8s:openapi-gen=true +type ComputeFirewallPolicyRule struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec ComputeFirewallPolicyRuleSpec `json:"spec,omitempty"` + Status ComputeFirewallPolicyRuleStatus `json:"status,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ComputeFirewallPolicyRuleList contains a list of ComputeFirewallPolicyRule +type ComputeFirewallPolicyRuleList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ComputeFirewallPolicyRule `json:"items"` +} + +func init() { + SchemeBuilder.Register(&ComputeFirewallPolicyRule{}, &ComputeFirewallPolicyRuleList{}) +} diff --git a/apis/compute/v1beta1/zz_generated.deepcopy.go b/apis/compute/v1beta1/zz_generated.deepcopy.go index ff478dceb1..f3d27803f0 100644 --- a/apis/compute/v1beta1/zz_generated.deepcopy.go +++ b/apis/compute/v1beta1/zz_generated.deepcopy.go @@ -23,6 +23,157 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ComputeFirewallPolicyRule) DeepCopyInto(out *ComputeFirewallPolicyRule) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComputeFirewallPolicyRule. +func (in *ComputeFirewallPolicyRule) DeepCopy() *ComputeFirewallPolicyRule { + if in == nil { + return nil + } + out := new(ComputeFirewallPolicyRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ComputeFirewallPolicyRule) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ComputeFirewallPolicyRuleList) DeepCopyInto(out *ComputeFirewallPolicyRuleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ComputeFirewallPolicyRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComputeFirewallPolicyRuleList. +func (in *ComputeFirewallPolicyRuleList) DeepCopy() *ComputeFirewallPolicyRuleList { + if in == nil { + return nil + } + out := new(ComputeFirewallPolicyRuleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ComputeFirewallPolicyRuleList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ComputeFirewallPolicyRuleSpec) DeepCopyInto(out *ComputeFirewallPolicyRuleSpec) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Disabled != nil { + in, out := &in.Disabled, &out.Disabled + *out = new(bool) + **out = **in + } + if in.EnableLogging != nil { + in, out := &in.EnableLogging, &out.EnableLogging + *out = new(bool) + **out = **in + } + if in.FirewallPolicyRef != nil { + in, out := &in.FirewallPolicyRef, &out.FirewallPolicyRef + *out = new(refsv1beta1.ComputeFirewallPolicyRef) + **out = **in + } + if in.Match != nil { + in, out := &in.Match, &out.Match + *out = new(FirewallpolicyruleMatch) + (*in).DeepCopyInto(*out) + } + if in.TargetResources != nil { + in, out := &in.TargetResources, &out.TargetResources + *out = make([]*refsv1beta1.ComputeNetworkRef, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(refsv1beta1.ComputeNetworkRef) + **out = **in + } + } + } + if in.TargetServiceAccounts != nil { + in, out := &in.TargetServiceAccounts, &out.TargetServiceAccounts + *out = make([]*refsv1beta1.IAMServiceAccountRef, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(refsv1beta1.IAMServiceAccountRef) + **out = **in + } + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComputeFirewallPolicyRuleSpec. +func (in *ComputeFirewallPolicyRuleSpec) DeepCopy() *ComputeFirewallPolicyRuleSpec { + if in == nil { + return nil + } + out := new(ComputeFirewallPolicyRuleSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ComputeFirewallPolicyRuleStatus) DeepCopyInto(out *ComputeFirewallPolicyRuleStatus) { + *out = *in + in.CommonStatus.DeepCopyInto(&out.CommonStatus) + if in.Kind != nil { + in, out := &in.Kind, &out.Kind + *out = new(string) + **out = **in + } + if in.RuleTupleCount != nil { + in, out := &in.RuleTupleCount, &out.RuleTupleCount + *out = new(int64) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComputeFirewallPolicyRuleStatus. +func (in *ComputeFirewallPolicyRuleStatus) DeepCopy() *ComputeFirewallPolicyRuleStatus { + if in == nil { + return nil + } + out := new(ComputeFirewallPolicyRuleStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ComputeForwardingRule) DeepCopyInto(out *ComputeForwardingRule) { *out = *in @@ -266,6 +417,100 @@ func (in *ComputeForwardingRuleStatus) DeepCopy() *ComputeForwardingRuleStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallpolicyruleLayer4Configs) DeepCopyInto(out *FirewallpolicyruleLayer4Configs) { + *out = *in + if in.Ports != nil { + in, out := &in.Ports, &out.Ports + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallpolicyruleLayer4Configs. +func (in *FirewallpolicyruleLayer4Configs) DeepCopy() *FirewallpolicyruleLayer4Configs { + if in == nil { + return nil + } + out := new(FirewallpolicyruleLayer4Configs) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallpolicyruleMatch) DeepCopyInto(out *FirewallpolicyruleMatch) { + *out = *in + if in.DestAddressGroups != nil { + in, out := &in.DestAddressGroups, &out.DestAddressGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DestFqdns != nil { + in, out := &in.DestFqdns, &out.DestFqdns + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DestIPRanges != nil { + in, out := &in.DestIPRanges, &out.DestIPRanges + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DestRegionCodes != nil { + in, out := &in.DestRegionCodes, &out.DestRegionCodes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DestThreatIntelligences != nil { + in, out := &in.DestThreatIntelligences, &out.DestThreatIntelligences + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Layer4Configs != nil { + in, out := &in.Layer4Configs, &out.Layer4Configs + *out = make([]FirewallpolicyruleLayer4Configs, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.SrcAddressGroups != nil { + in, out := &in.SrcAddressGroups, &out.SrcAddressGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SrcFqdns != nil { + in, out := &in.SrcFqdns, &out.SrcFqdns + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SrcIPRanges != nil { + in, out := &in.SrcIPRanges, &out.SrcIPRanges + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SrcRegionCodes != nil { + in, out := &in.SrcRegionCodes, &out.SrcRegionCodes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SrcThreatIntelligences != nil { + in, out := &in.SrcThreatIntelligences, &out.SrcThreatIntelligences + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallpolicyruleMatch. +func (in *FirewallpolicyruleMatch) DeepCopy() *FirewallpolicyruleMatch { + if in == nil { + return nil + } + out := new(FirewallpolicyruleMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ForwardingruleFilterLabels) DeepCopyInto(out *ForwardingruleFilterLabels) { *out = *in diff --git a/apis/refs/v1beta1/computerefs.go b/apis/refs/v1beta1/computerefs.go index c56ffb803c..9297361124 100644 --- a/apis/refs/v1beta1/computerefs.go +++ b/apis/refs/v1beta1/computerefs.go @@ -271,3 +271,13 @@ type ComputeTargetVPNGatewayRef struct { /* The `namespace` field of a `ComputeTargetVPNGateway` resource. */ Namespace string `json:"namespace,omitempty"` } + +type ComputeFirewallPolicyRef struct { + // A reference to an externally managed ComputeFirewallPolicy resource. + // Should be in the format `locations/global/firewallPolicies/`. + External string `json:"external,omitempty"` + /* The `name` field of a `ComputeFirewall olicy ` resource. */ + Name string `json:"name,omitempty"` + /* The `namespace` field of a `ComputeFirewallPolicy ` resource. */ + Namespace string `json:"namespace,omitempty"` +} diff --git a/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml b/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml index fef8a5b31f..560ad14b88 100644 --- a/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml +++ b/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml @@ -16,6 +16,7 @@ spec: categories: - gcp kind: ComputeFirewallPolicyRule + listKind: ComputeFirewallPolicyRuleList plural: computefirewallpolicyrules shortNames: - gcpcomputefirewallpolicyrule @@ -43,16 +44,17 @@ spec: name: v1beta1 schema: openAPIV3Schema: + description: ComputeFirewallPolicyRule is the Schema for the compute API properties: apiVersion: - description: 'apiVersion defines the versioned schema of this representation + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'kind is a string value representing the REST resource this + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -99,16 +101,15 @@ spec: - external properties: external: - description: |- - The firewall policy of the resource. - - Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resource (format: `locations/global/firewallPolicies/{{name}}`). + description: A reference to an externally managed ComputeFirewallPolicy + resource. Should be in the format `locations/global/firewallPolicies/`. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: The `name` field of a `ComputeFirewall olicy ` resource. type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: The `namespace` field of a `ComputeFirewallPolicy + ` resource. type: string type: object match: @@ -234,14 +235,14 @@ spec: - external properties: external: - description: 'Allowed value: The `selfLink` field of a `ComputeNetwork` - resource.' + description: A reference to an externally managed Compute Network + resource. Should be in the format `projects//global/networks/`. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: The `name` field of a `ComputeNetwork` resource. type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: The `namespace` field of a `ComputeNetwork` resource. type: string type: object type: array @@ -263,8 +264,7 @@ spec: - external properties: external: - description: 'Allowed value: The Google Cloud resource name - of an `IAMServiceAccount` resource (format: `projects/{{project}}/serviceAccounts/{{name}}@{{project}}.iam.gserviceaccount.com`).' + description: The `email` field of an `IAMServiceAccount` resource. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' @@ -284,8 +284,8 @@ spec: status: properties: conditions: - description: Conditions represent the latest available observation - of the resource's current state. + description: Conditions represent the latest available observations + of the object's current state. items: properties: lastTransitionTime: @@ -309,6 +309,10 @@ spec: type: string type: object type: array + externalRef: + description: A unique Config Connector specifier for the resource + in GCP. + type: string kind: description: Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules @@ -319,6 +323,7 @@ spec: If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. + format: int64 type: integer ruleTupleCount: description: Calculation of the complexity of a single firewall policy @@ -326,16 +331,8 @@ spec: format: int64 type: integer type: object - required: - - spec type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/pkg/clients/generated/apis/compute/v1beta1/computefirewallpolicyrule_types.go b/pkg/clients/generated/apis/compute/v1beta1/computefirewallpolicyrule_types.go index 2e2bfaca25..b97f41929d 100644 --- a/pkg/clients/generated/apis/compute/v1beta1/computefirewallpolicyrule_types.go +++ b/pkg/clients/generated/apis/compute/v1beta1/computefirewallpolicyrule_types.go @@ -128,6 +128,10 @@ type ComputeFirewallPolicyRuleStatus struct { /* Conditions represent the latest available observations of the ComputeFirewallPolicyRule's current state. */ Conditions []v1alpha1.Condition `json:"conditions,omitempty"` + /* A unique Config Connector specifier for the resource in GCP. */ + // +optional + ExternalRef *string `json:"externalRef,omitempty"` + /* Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ // +optional Kind *string `json:"kind,omitempty"` diff --git a/pkg/clients/generated/apis/compute/v1beta1/zz_generated.deepcopy.go b/pkg/clients/generated/apis/compute/v1beta1/zz_generated.deepcopy.go index 32ada6f9ac..c376fe0585 100644 --- a/pkg/clients/generated/apis/compute/v1beta1/zz_generated.deepcopy.go +++ b/pkg/clients/generated/apis/compute/v1beta1/zz_generated.deepcopy.go @@ -2381,6 +2381,11 @@ func (in *ComputeFirewallPolicyRuleStatus) DeepCopyInto(out *ComputeFirewallPoli *out = make([]v1alpha1.Condition, len(*in)) copy(*out, *in) } + if in.ExternalRef != nil { + in, out := &in.ExternalRef, &out.ExternalRef + *out = new(string) + **out = **in + } if in.Kind != nil { in, out := &in.Kind, &out.Kind *out = new(string) diff --git a/pkg/controller/direct/compute/firewallpolicyrule/mapper.generated.go b/pkg/controller/direct/compute/firewallpolicyrule/mapper.generated.go new file mode 100644 index 0000000000..7dd3baf256 --- /dev/null +++ b/pkg/controller/direct/compute/firewallpolicyrule/mapper.generated.go @@ -0,0 +1,138 @@ +// Copyright 2024 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package firewallpolicyrule + +import ( + pb "cloud.google.com/go/compute/apiv1/computepb" + krm "github.com/GoogleCloudPlatform/k8s-config-connector/apis/compute/v1beta1" + "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct" +) + +func ComputeFirewallPolicyRuleSpec_FromProto(mapCtx *direct.MapContext, in *pb.FirewallPolicyRule) *krm.ComputeFirewallPolicyRuleSpec { + if in == nil { + return nil + } + out := &krm.ComputeFirewallPolicyRuleSpec{} + out.Action = in.GetAction() + out.Description = in.Description + out.Direction = in.GetDescription() + out.Disabled = in.Disabled + out.EnableLogging = in.EnableLogging + out.Match = FirewallpolicyruleMatch_FromProto(mapCtx, in.Match) + out.Priority = int64(in.GetPriority()) + // MISSING: RuleName + // MISSING: SecurityProfileGroup + out.TargetResources = ComputeFirewallPolicyRuleSpec_TargetResources_FromProto(mapCtx, in.TargetResources) + // MISSING: TargetSecureTags + out.TargetServiceAccounts = ComputeFirewallPolicyRuleSpec_TargetServiceAccounts_FromProto(mapCtx, in.TargetServiceAccounts) + // MISSING: TlsInspect + return out +} +func ComputeFirewallPolicyRuleSpec_ToProto(mapCtx *direct.MapContext, in *krm.ComputeFirewallPolicyRuleSpec) *pb.FirewallPolicyRule { + if in == nil { + return nil + } + out := &pb.FirewallPolicyRule{} + out.Action = direct.LazyPtr(in.Action) + out.Description = in.Description + out.Direction = direct.LazyPtr(in.Direction) + out.Disabled = in.Disabled + out.EnableLogging = in.EnableLogging + out.Match = FirewallpolicyruleMatch_ToProto(mapCtx, in.Match) + out.Priority = direct.LazyPtr(int32(in.Priority)) + // MISSING: RuleName + // MISSING: SecurityProfileGroup + out.TargetResources = ComputeFirewallPolicyRuleSpec_TargetResources_ToProto(mapCtx, in.TargetResources) + out.TargetServiceAccounts = ComputeFirewallPolicyRuleSpec_TargetServiceAccounts_ToProto(mapCtx, in.TargetServiceAccounts) + // MISSING: TlsInspect + return out +} +func ComputeFirewallPolicyRuleStatus_FromProto(mapCtx *direct.MapContext, in *pb.FirewallPolicyRule) *krm.ComputeFirewallPolicyRuleStatus { + if in == nil { + return nil + } + out := &krm.ComputeFirewallPolicyRuleStatus{} + out.Kind = in.Kind + out.RuleTupleCount = direct.LazyPtr(int64(in.GetRuleTupleCount())) + // MISSING: TargetSecureTags + return out +} +func ComputeFirewallPolicyRuleStatus_ToProto(mapCtx *direct.MapContext, in *krm.ComputeFirewallPolicyRuleStatus) *pb.FirewallPolicyRule { + if in == nil { + return nil + } + out := &pb.FirewallPolicyRule{} + out.Kind = in.Kind + out.RuleTupleCount = direct.LazyPtr(int32(*in.RuleTupleCount)) + // MISSING: TargetSecureTags + return out +} + +func FirewallpolicyruleLayer4Configs_FromProto(mapCtx *direct.MapContext, in *pb.FirewallPolicyRuleMatcherLayer4Config) *krm.FirewallpolicyruleLayer4Configs { + if in == nil { + return nil + } + out := &krm.FirewallpolicyruleLayer4Configs{} + out.IpProtocol = in.GetIpProtocol() + out.Ports = in.Ports + return out +} +func FirewallpolicyruleLayer4Configs_ToProto(mapCtx *direct.MapContext, in *krm.FirewallpolicyruleLayer4Configs) *pb.FirewallPolicyRuleMatcherLayer4Config { + if in == nil { + return nil + } + out := &pb.FirewallPolicyRuleMatcherLayer4Config{} + out.IpProtocol = direct.LazyPtr(in.IpProtocol) + out.Ports = in.Ports + return out +} +func FirewallpolicyruleMatch_FromProto(mapCtx *direct.MapContext, in *pb.FirewallPolicyRuleMatcher) *krm.FirewallpolicyruleMatch { + if in == nil { + return nil + } + out := &krm.FirewallpolicyruleMatch{} + out.DestAddressGroups = in.DestAddressGroups + out.DestFqdns = in.DestFqdns + out.DestIPRanges = in.DestIpRanges + out.DestRegionCodes = in.DestRegionCodes + out.DestThreatIntelligences = in.DestThreatIntelligences + out.Layer4Configs = direct.Slice_FromProto(mapCtx, in.Layer4Configs, FirewallpolicyruleLayer4Configs_FromProto) + out.SrcAddressGroups = in.SrcAddressGroups + out.SrcFqdns = in.SrcFqdns + out.SrcIPRanges = in.SrcIpRanges + out.SrcRegionCodes = in.SrcRegionCodes + // MISSING: SrcSecureTags + out.SrcThreatIntelligences = in.SrcThreatIntelligences + return out +} +func FirewallpolicyruleMatch_ToProto(mapCtx *direct.MapContext, in *krm.FirewallpolicyruleMatch) *pb.FirewallPolicyRuleMatcher { + if in == nil { + return nil + } + out := &pb.FirewallPolicyRuleMatcher{} + out.DestAddressGroups = in.DestAddressGroups + out.DestFqdns = in.DestFqdns + out.DestIpRanges = in.DestIPRanges + out.DestRegionCodes = in.DestRegionCodes + out.DestThreatIntelligences = in.DestThreatIntelligences + out.Layer4Configs = direct.Slice_ToProto(mapCtx, in.Layer4Configs, FirewallpolicyruleLayer4Configs_ToProto) + out.SrcAddressGroups = in.SrcAddressGroups + out.SrcFqdns = in.SrcFqdns + out.SrcIpRanges = in.SrcIPRanges + out.SrcRegionCodes = in.SrcRegionCodes + // MISSING: SrcSecureTags + out.SrcThreatIntelligences = in.SrcThreatIntelligences + return out +} diff --git a/pkg/controller/direct/compute/firewallpolicyrule/mapper.go b/pkg/controller/direct/compute/firewallpolicyrule/mapper.go new file mode 100644 index 0000000000..00c96e62f1 --- /dev/null +++ b/pkg/controller/direct/compute/firewallpolicyrule/mapper.go @@ -0,0 +1,81 @@ +// Copyright 2024 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package firewallpolicyrule + +import ( + refs "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1" + + "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct" +) + +func ComputeFirewallPolicyRuleSpec_TargetResources_ToProto(mapCtx *direct.MapContext, in []*refs.ComputeNetworkRef) []string { + if in == nil { + return nil + } + var out []string + for _, i := range in { + if i == nil { + continue + } + if i.External == "" { + mapCtx.Errorf("reference %s was not pre-resolved", i.Name) + } + out = append(out, i.External) + } + return out +} + +func ComputeFirewallPolicyRuleSpec_TargetServiceAccounts_ToProto(mapCtx *direct.MapContext, in []*refs.IAMServiceAccountRef) []string { + if in == nil { + return nil + } + var out []string + for _, i := range in { + if i == nil { + continue + } + if i.External == "" { + mapCtx.Errorf("reference %s was not pre-resolved", i.Name) + } + out = append(out, i.External) + } + return out +} + +func ComputeFirewallPolicyRuleSpec_TargetResources_FromProto(mapCtx *direct.MapContext, in []string) []*refs.ComputeNetworkRef { + if in == nil { + return nil + } + var out []*refs.ComputeNetworkRef + for _, i := range in { + out = append(out, &refs.ComputeNetworkRef{ + External: i, + }) + } + return out +} + +func ComputeFirewallPolicyRuleSpec_TargetServiceAccounts_FromProto(mapCtx *direct.MapContext, in []string) []*refs.IAMServiceAccountRef { + if in == nil { + return nil + } + var out []*refs.IAMServiceAccountRef + for _, i := range in { + out = append(out, &refs.IAMServiceAccountRef{ + External: i, + }) + } + return out +} diff --git a/pkg/controller/direct/compute/firewallpolicyrule/roundtrip_test.go b/pkg/controller/direct/compute/firewallpolicyrule/roundtrip_test.go new file mode 100644 index 0000000000..a7df1bd0e9 --- /dev/null +++ b/pkg/controller/direct/compute/firewallpolicyrule/roundtrip_test.go @@ -0,0 +1,84 @@ +// Copyright 2024 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package firewallpolicyrule + +import ( + "math/rand" + "testing" + + pb "cloud.google.com/go/compute/apiv1/computepb" + + "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct" + "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/fuzz" + "github.com/google/go-cmp/cmp" + "google.golang.org/protobuf/encoding/prototext" + "google.golang.org/protobuf/reflect/protoreflect" + "google.golang.org/protobuf/testing/protocmp" + "k8s.io/apimachinery/pkg/util/sets" +) + +func FuzzComputeFirewallPolicyRuleSpec(f *testing.F) { + f.Fuzz(func(t *testing.T, seed int64) { + randStream := rand.New(rand.NewSource(seed)) + + p1 := &pb.FirewallPolicyRule{} + fuzz.FillWithRandom(t, randStream, p1) + + // We don't expect output fields to round-trip + outputFields := sets.New(".etag") + + // A few fields are not implemented yet in KRM, don't test them + unimplementedFields := sets.New[string]() + + // Status fields + unimplementedFields.Insert(".rule_tuple_count") + // Not supported in KRM + unimplementedFields.Insert(".rule_name") + unimplementedFields.Insert(".target_secure_tags") + + //unimplementedFields.Insert(".target_resources") + unimplementedFields.Insert(".match") + + // Remove any output only or known-unimplemented fields + clearFields := &fuzz.ClearFields{ + Paths: unimplementedFields.Union(outputFields), + } + fuzz.Visit("", p1.ProtoReflect(), nil, clearFields) + + r := &fuzz.ReplaceFields{} + r.Func = func(path string, val protoreflect.Value) (protoreflect.Value, bool) { + // TODO: Any values that must follow a pattern + return protoreflect.Value{}, false + } + fuzz.Visit("", p1.ProtoReflect(), nil, r) + + ctx := &direct.MapContext{} + k := ComputeFirewallPolicyRuleSpec_FromProto(ctx, p1) + if ctx.Err() != nil { + t.Fatalf("error mapping from proto to krm: %v", ctx.Err()) + } + + p2 := ComputeFirewallPolicyRuleSpec_ToProto(ctx, k) + if ctx.Err() != nil { + t.Fatalf("error mapping from krm to proto: %v", ctx.Err()) + } + + if diff := cmp.Diff(p1, p2, protocmp.Transform()); diff != "" { + t.Logf("p1 = %v", prototext.Format(p1)) + t.Logf("p2 = %v", prototext.Format(p2)) + t.Errorf("roundtrip failed; diff:\n%s", diff) + } + }) +} diff --git a/pkg/controller/direct/compute/client.go b/pkg/controller/direct/compute/forwardingrule/client.go similarity index 99% rename from pkg/controller/direct/compute/client.go rename to pkg/controller/direct/compute/forwardingrule/client.go index a65fbe4e08..252092f30b 100644 --- a/pkg/controller/direct/compute/client.go +++ b/pkg/controller/direct/compute/forwardingrule/client.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package compute +package forwardingrule import ( "context" diff --git a/pkg/controller/direct/compute/forwardingrule_controller.go b/pkg/controller/direct/compute/forwardingrule/forwardingrule_controller.go similarity index 99% rename from pkg/controller/direct/compute/forwardingrule_controller.go rename to pkg/controller/direct/compute/forwardingrule/forwardingrule_controller.go index a91caba4cd..946e43ccd7 100644 --- a/pkg/controller/direct/compute/forwardingrule_controller.go +++ b/pkg/controller/direct/compute/forwardingrule/forwardingrule_controller.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package compute +package forwardingrule import ( "context" diff --git a/pkg/controller/direct/compute/forwardingrule_externalresource.go b/pkg/controller/direct/compute/forwardingrule/forwardingrule_externalresource.go similarity index 99% rename from pkg/controller/direct/compute/forwardingrule_externalresource.go rename to pkg/controller/direct/compute/forwardingrule/forwardingrule_externalresource.go index f9cbd5f0c2..1cd309f94d 100644 --- a/pkg/controller/direct/compute/forwardingrule_externalresource.go +++ b/pkg/controller/direct/compute/forwardingrule/forwardingrule_externalresource.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package compute +package forwardingrule import ( "fmt" diff --git a/pkg/controller/direct/compute/mapper.generated.go b/pkg/controller/direct/compute/forwardingrule/mapper.generated.go similarity index 99% rename from pkg/controller/direct/compute/mapper.generated.go rename to pkg/controller/direct/compute/forwardingrule/mapper.generated.go index 29dd3cec21..dcb91047c4 100644 --- a/pkg/controller/direct/compute/mapper.generated.go +++ b/pkg/controller/direct/compute/forwardingrule/mapper.generated.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package compute +package forwardingrule import ( pb "cloud.google.com/go/compute/apiv1/computepb" diff --git a/pkg/controller/direct/compute/mapper.go b/pkg/controller/direct/compute/forwardingrule/mapper.go similarity index 99% rename from pkg/controller/direct/compute/mapper.go rename to pkg/controller/direct/compute/forwardingrule/mapper.go index 653735a3f3..2c346d8202 100644 --- a/pkg/controller/direct/compute/mapper.go +++ b/pkg/controller/direct/compute/forwardingrule/mapper.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package compute +package forwardingrule import ( "strconv" diff --git a/pkg/controller/direct/compute/refs.go b/pkg/controller/direct/compute/forwardingrule/refs.go similarity index 99% rename from pkg/controller/direct/compute/refs.go rename to pkg/controller/direct/compute/forwardingrule/refs.go index 77e3a07ef5..88c0c39288 100644 --- a/pkg/controller/direct/compute/refs.go +++ b/pkg/controller/direct/compute/forwardingrule/refs.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package compute +package forwardingrule import ( "context" diff --git a/pkg/controller/direct/compute/roundtrip_test.go b/pkg/controller/direct/compute/forwardingrule/roundtrip_test.go similarity index 99% rename from pkg/controller/direct/compute/roundtrip_test.go rename to pkg/controller/direct/compute/forwardingrule/roundtrip_test.go index bd71c54308..2654098868 100644 --- a/pkg/controller/direct/compute/roundtrip_test.go +++ b/pkg/controller/direct/compute/forwardingrule/roundtrip_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package compute +package forwardingrule import ( "math/rand" diff --git a/pkg/controller/direct/register/register.go b/pkg/controller/direct/register/register.go index e2b4e60f98..bbc0ae0aa0 100644 --- a/pkg/controller/direct/register/register.go +++ b/pkg/controller/direct/register/register.go @@ -21,7 +21,8 @@ import ( _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/bigquerydatatransfer" _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/certificatemanager" _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/cloudbuild" - _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/compute" + _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/compute/firewallpolicyrule" + _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/compute/forwardingrule" _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/dataflow" _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/dataform" _ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/firestore" diff --git a/scripts/generate-google3-docs/resource-reference/generated/resource-docs/compute/computefirewallpolicyrule.md b/scripts/generate-google3-docs/resource-reference/generated/resource-docs/compute/computefirewallpolicyrule.md index 87e088b5b6..33ea612b34 100644 --- a/scripts/generate-google3-docs/resource-reference/generated/resource-docs/compute/computefirewallpolicyrule.md +++ b/scripts/generate-google3-docs/resource-reference/generated/resource-docs/compute/computefirewallpolicyrule.md @@ -117,7 +117,7 @@ targetServiceAccounts:

action

-

Required

+

Required*

string

@@ -137,7 +137,7 @@ targetServiceAccounts:

direction

-

Required

+

Required*

string

@@ -167,7 +167,7 @@ targetServiceAccounts:

firewallPolicyRef

-

Required

+

Required*

object

@@ -181,9 +181,7 @@ targetServiceAccounts:

string

-

{% verbatim %}The firewall policy of the resource. - -Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resource (format: `locations/global/firewallPolicies/{{name}}`).{% endverbatim %}

+

{% verbatim %}A reference to an externally managed ComputeFirewallPolicy resource. Should be in the format `locations/global/firewallPolicies/`.{% endverbatim %}

@@ -193,7 +191,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

string

-

{% verbatim %}Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names{% endverbatim %}

+

{% verbatim %}The `name` field of a `ComputeFirewall olicy ` resource.{% endverbatim %}

@@ -203,13 +201,13 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

string

-

{% verbatim %}Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/{% endverbatim %}

+

{% verbatim %}The `namespace` field of a `ComputeFirewallPolicy ` resource.{% endverbatim %}

match

-

Required

+

Required*

object

@@ -319,7 +317,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

match.layer4Configs

-

Required

+

Required*

list (object)

@@ -329,7 +327,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

match.layer4Configs[]

-

Required

+

Required*

object

@@ -339,7 +337,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

match.layer4Configs[].ipProtocol

-

Required

+

Required*

string

@@ -469,7 +467,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

priority

-

Required

+

Required*

integer

@@ -503,7 +501,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

string

-

{% verbatim %}Allowed value: The `selfLink` field of a `ComputeNetwork` resource.{% endverbatim %}

+

{% verbatim %}A reference to an externally managed Compute Network resource. Should be in the format `projects//global/networks/`.{% endverbatim %}

@@ -513,7 +511,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

string

-

{% verbatim %}Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names{% endverbatim %}

+

{% verbatim %}The `name` field of a `ComputeNetwork` resource.{% endverbatim %}

@@ -523,7 +521,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

string

-

{% verbatim %}Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/{% endverbatim %}

+

{% verbatim %}The `namespace` field of a `ComputeNetwork` resource.{% endverbatim %}

@@ -553,7 +551,7 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou

string

-

{% verbatim %}Allowed value: The Google Cloud resource name of an `IAMServiceAccount` resource (format: `projects/{{project}}/serviceAccounts/{{name}}@{{project}}.iam.gserviceaccount.com`).{% endverbatim %}

+

{% verbatim %}The `email` field of an `IAMServiceAccount` resource.{% endverbatim %}

@@ -580,6 +578,8 @@ Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resou +

* Field is required when parent field is specified

+ ### Status #### Schema @@ -590,6 +590,7 @@ conditions: reason: string status: string type: string +externalRef: string kind: string observedGeneration: integer ruleTupleCount: integer @@ -606,7 +607,7 @@ ruleTupleCount: integer conditions

list (object)

-

{% verbatim %}Conditions represent the latest available observation of the resource's current state.{% endverbatim %}

+

{% verbatim %}Conditions represent the latest available observations of the object's current state.{% endverbatim %}

@@ -651,6 +652,13 @@ ruleTupleCount: integer

{% verbatim %}Type is the type of the condition.{% endverbatim %}

+ + externalRef + +

string

+

{% verbatim %}A unique Config Connector specifier for the resource in GCP.{% endverbatim %}

+ + kind