From ae5fd4294ec591c199e27e66f4c27034e3e3180e Mon Sep 17 00:00:00 2001
From: Gemma Hou
Date: Mon, 7 Oct 2024 00:08:25 +0000
Subject: [PATCH] add direct controller for compute firewall policy rule
---
 .../compute/firewallpolicyrule/client.go | 88 +++
 .../firewallpolicyrule_externalresource.go | 26 +
 ...ject_computefirewallpolicyrule.golden.yaml | 33 +
 .../computefirewallpolicyrule/_http.log | 721 ++++++++++++++++++
 ...firewallpolicyrule-egress-full.golden.yaml | 2 +-
 .../_http.log | 115 ++-
 ...irewallpolicyrule-ingress-full.golden.yaml | 2 +-
 .../_http.log | 22 +-
 .../_http.log | 17 +-
 9 files changed, 1019 insertions(+), 7 deletions(-)
 create mode 100644 pkg/controller/direct/compute/firewallpolicyrule/client.go
 create mode 100644 pkg/controller/direct/compute/firewallpolicyrule/firewallpolicyrule_externalresource.go
 create mode 100644 pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_generated_object_computefirewallpolicyrule.golden.yaml
 create mode 100644 pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_http.log
diff --git a/pkg/controller/direct/compute/firewallpolicyrule/client.go b/pkg/controller/direct/compute/firewallpolicyrule/client.go
new file mode 100644
index 0000000000..cbcc0207ae
--- /dev/null
+++ b/pkg/controller/direct/compute/firewallpolicyrule/client.go
@@ -0,0 +1,88 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewallpolicyrule
+
+import (
+ "context"
+ "fmt"
+ "net/http"
+
+ api "cloud.google.com/go/compute/apiv1"
+ "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/config"
+ "google.golang.org/api/option"
+)
+
+type gcpClient struct {
+ config config.ControllerConfig
+}
+
+func newGCPClient(ctx context.Context, config *config.ControllerConfig) (*gcpClient, error) {
+ gcpClient := &gcpClient{
+ config: *config,
+ }
+ return gcpClient, nil
+}
+
+func (m *gcpClient) options() ([]option.ClientOption, error) {
+ var opts []option.ClientOption
+ if m.config.UserAgent != "" {
+ opts = append(opts, option.WithUserAgent(m.config.UserAgent))
+ }
+ if m.config.HTTPClient != nil {
+ // TODO: Set UserAgent in this scenario (error is: WithHTTPClient is incompatible with gRPC dial options)
+
+ httpClient := &http.Client{}
+ *httpClient = *m.config.HTTPClient
+ httpClient.Transport = &optionsRoundTripper{
+ config: m.config,
+ inner: m.config.HTTPClient.Transport,
+ }
+ opts = append(opts, option.WithHTTPClient(httpClient))
+ }
+ if m.config.UserProjectOverride && m.config.BillingProject != "" {
+ opts = append(opts, option.WithQuotaProject(m.config.BillingProject))
+ }
+
+ // TODO: support endpoints?
+ // if m.config.Endpoint != "" {
+ // opts = append(opts, option.WithEndpoint(m.config.Endpoint))
+ // }
+
+ return opts, nil
+}
+
+type optionsRoundTripper struct {
+ config config.ControllerConfig
+ inner http.RoundTripper
+}
+
+func (m *optionsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+ if m.config.UserAgent != "" {
+ req.Header.Set("User-Agent", m.config.UserAgent)
+ }
+ return m.inner.RoundTrip(req)
+}
+
+func (m *gcpClient) firewallPoliciesClient(ctx context.Context) (*api.FirewallPoliciesClient, error) {
+ opts, err := m.options()
+ if err != nil {
+ return nil, err
+ }
+ client, err := api.NewFirewallPoliciesRESTClient(ctx, opts...)
+ if err != nil {
+ return nil, fmt.Errorf("building FirewallPolicy client: %w", err)
+ }
+ return client, err
+}
diff --git a/pkg/controller/direct/compute/firewallpolicyrule/firewallpolicyrule_externalresource.go b/pkg/controller/direct/compute/firewallpolicyrule/firewallpolicyrule_externalresource.go
new file mode 100644
index 0000000000..fc8edc4366
--- /dev/null
+++ b/pkg/controller/direct/compute/firewallpolicyrule/firewallpolicyrule_externalresource.go
@@ -0,0 +1,26 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package firewallpolicyrule
+
+const (
+ serviceDomain = "//compute.googleapis.com"
+)
+
+type FirewallPolicyRuleIdentity struct {
+ firewallPolicy string
+ priority int64
+}
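Review bot: `optionsRoundTripper.RoundTrip` dereferences `m.inner` unconditionally, but `options()` fills it from `m.config.HTTPClient.Transport`, which is nil for any `http.Client` that relies on the default transport, so the first request through such a client would panic. The same method also sets the User-Agent on the caller's `*http.Request`, which the `http.RoundTripper` contract does not allow; the request should be cloned before its headers are changed. It is also worth confirming that the `option.WithQuotaProject` entry still takes effect on the `HTTPClient` path, since `option.WithHTTPClient` is documented to take precedence over the other supplied options and the billing project may silently not be applied. Minor: `firewallPoliciesClient` ends with `return client, err` where `err` is already known to be nil; `return client, nil` states the intent.

```go
func (m *optionsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	inner := m.inner
	if inner == nil {
		// http.Client falls back to http.DefaultTransport when Transport is nil.
		inner = http.DefaultTransport
	}
	if m.config.UserAgent != "" {
		// Clone so the caller's request is left unmodified.
		req = req.Clone(req.Context())
		req.Header.Set("User-Agent", m.config.UserAgent)
	}
	return inner.RoundTrip(req)
}
```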
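Review bot: `FirewallPolicyRuleIdentity` is exported but has no doc comment, and nothing states which form of the policy identifier `firewallPolicy` holds. Suggest `// FirewallPolicyRuleIdentity identifies a rule by its parent firewall policy and its priority within that policy.` above the type, plus a field comment saying whether `firewallPolicy` is the numeric policy ID or the short name, because mixing the two would address a different policy or none. `serviceDomain` is not referenced anywhere in this file as shown; if the package uses it elsewhere a one-line comment on its purpose would help, otherwise it can go. The licence header reads `Copyright 2024.` with no holder, unlike client.go in the same commit.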
diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_generated_object_computefirewallpolicyrule.golden.yaml b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_generated_object_computefirewallpolicyrule.golden.yaml new file mode 100644 index 0000000000..15fc632b25 --- /dev/null +++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_generated_object_computefirewallpolicyrule.golden.yaml @@ -0,0 +1,33 @@ +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeFirewallPolicyRule +metadata: + annotations: + cnrm.cloud.google.com/management-conflict-prevention-policy: none + finalizers: + - cnrm.cloud.google.com/finalizer + - cnrm.cloud.google.com/deletion-defender + generation: 2 + labels: + cnrm-test: "true" + name: firewallpolicyrule-${uniqueId} + namespace: ${uniqueId} +spec: + action: allow + direction: INGRESS + firewallPolicyRef: + name: firewallpolicyrule-${uniqueId} + match: + layer4Configs: + - ipProtocol: tcp + srcIPRanges: + - 10.100.0.1/32 + priority: 9000 +status: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: The resource is up to date + reason: UpToDate + status: "True" + type: Ready + observedGeneration: 2 + ruleTupleCount: 2 diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_http.log b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_http.log new file mode 100644 index 0000000000..5d0391a394 --- /dev/null +++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/_http.log 
@@ -0,0 +1,721 @@ +POST https://www.googleapis.com/compute/v1/locations/global/firewallPolicies?alt=json&parentId=organizations%2F128653134652 +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +{ + "description": "A basic folder firewall policy", + "parent": "organizations/${organizationID}", + "shortName": "firewallpolicy-${uniqueId}" +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "createFirewallPolicy", + "progress": 0, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "RUNNING", + "user": "user@example.com" +} + +--- + +GET https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}?alt=json&parentId=organizations%2F128653134652 +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "endTime": "2024-04-01T12:34:56.123456Z", + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "createFirewallPolicy", + "progress": 100, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "DONE", + "targetId": "774029050012", + "targetLink": 
"https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012?alt=json +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "creationTimestamp": "2024-04-01T12:34:56.123456Z", + "description": "A basic folder firewall policy", + "displayName": "firewallpolicy-${uniqueId}", + "fingerprint": "abcdef0123A=", + "id": "000000000000000000000", + "kind": "compute#firewallPolicy", + "name": "774029050012", + "parent": "organizations/${organizationID}", + "ruleTupleCount": 8, + "rules": [ + { + "action": "goto_next", + "description": "default egress rule ipv6", + "direction": "EGRESS", + "enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "destIpRanges": [ + "::/0" + ], + "layer4Configs": [ + { + "ipProtocol": "all" + } + ] + }, + "priority": 2147483644, + "ruleTupleCount": 2 + }, + { + "action": "goto_next", + "description": "default ingress rule ipv6", + "direction": "INGRESS", + "enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "layer4Configs": [ + { + "ipProtocol": "all" + } + ], + "srcIpRanges": [ + "::/0" + ] + }, + "priority": 2147483645, + "ruleTupleCount": 2 + }, + { + "action": "goto_next", + "description": "default egress rule", + "direction": "EGRESS", + "enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "destIpRanges": [ + "0.0.0.0/0" + ], + "layer4Configs": [ + { + "ipProtocol": "all" + } + ] + }, + "priority": 2147483646, + "ruleTupleCount": 2 + }, + { + "action": "goto_next", + "description": "default ingress rule", + "direction": "INGRESS", + 
"enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "layer4Configs": [ + { + "ipProtocol": "all" + } + ], + "srcIpRanges": [ + "0.0.0.0/0" + ] + }, + "priority": 2147483647, + "ruleTupleCount": 2 + } + ], + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "selfLinkWithId": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/774029050012", + "shortName": "firewallpolicy-${uniqueId}" +} + +--- + +GET https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/getRule?priority=9000 +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: firewall_policy=774029050012 + +400 Bad Request +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." 
+ } +} + +--- + +POST https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/addRule +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: firewall_policy=774029050012 + +{ + "action": "deny", + "direction": "INGRESS", + "match": { + "layer4Configs": [ + { + "ipProtocol": "tcp" + } + ], + "srcIpRanges": [ + "10.100.0.1/32" + ] + }, + "priority": 9000 +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "addFirewallRuleToFirewallPolicy", + "progress": 0, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "RUNNING", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://compute.googleapis.com/compute/v1/locations/global/operations/${operationID} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: operation=${operationID} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "endTime": "2024-04-01T12:34:56.123456Z", + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "addFirewallRuleToFirewallPolicy", + "progress": 100, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + 
"startTime": "2024-04-01T12:34:56.123456Z", + "status": "DONE", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/getRule?priority=9000 +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: firewall_policy=774029050012 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "action": "deny", + "description": "", + "direction": "INGRESS", + "kind": "compute#firewallPolicyRule", + "match": { + "layer4Configs": [ + { + "ipProtocol": "tcp" + } + ], + "srcIpRanges": [ + "10.100.0.1/32" + ] + }, + "priority": 9000, + "ruleTupleCount": 2 +} + +--- + +POST https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/patchRule?priority=9000 +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: firewall_policy=774029050012 + +{ + "action": "allow", + "direction": "INGRESS", + "match": { + "layer4Configs": [ + { + "ipProtocol": "tcp" + } + ], + "srcIpRanges": [ + "10.100.0.1/32" + ] + }, + "priority": 9000 +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "patchFirewallRuleInFirewallPolicy", + "progress": 0, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + 
"status": "RUNNING", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://compute.googleapis.com/compute/v1/locations/global/operations/${operationID} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: operation=${operationID} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "endTime": "2024-04-01T12:34:56.123456Z", + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "patchFirewallRuleInFirewallPolicy", + "progress": 100, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "DONE", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/getRule?priority=9000 +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: firewall_policy=774029050012 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "action": "allow", + "description": "", + "direction": "INGRESS", + "kind": "compute#firewallPolicyRule", + "match": { + "layer4Configs": [ + { + "ipProtocol": "tcp" + } + ], + "srcIpRanges": [ + "10.100.0.1/32" + ] + }, + "priority": 9000, + "ruleTupleCount": 2 +} + +--- + +POST 
https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/removeRule?priority=9000 +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: firewall_policy=774029050012 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "removeFirewallRuleFromFirewallPolicy", + "progress": 0, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "RUNNING", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://compute.googleapis.com/compute/v1/locations/global/operations/${operationID} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: operation=${operationID} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "endTime": "2024-04-01T12:34:56.123456Z", + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "removeFirewallRuleFromFirewallPolicy", + "progress": 100, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "DONE", + "targetId": "774029050012", + "targetLink": 
"https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012?alt=json +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "creationTimestamp": "2024-04-01T12:34:56.123456Z", + "description": "A basic folder firewall policy", + "displayName": "firewallpolicy-${uniqueId}", + "fingerprint": "abcdef0123A=", + "id": "000000000000000000000", + "kind": "compute#firewallPolicy", + "name": "774029050012", + "parent": "organizations/${organizationID}", + "ruleTupleCount": 8, + "rules": [ + { + "action": "goto_next", + "description": "default egress rule ipv6", + "direction": "EGRESS", + "enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "destIpRanges": [ + "::/0" + ], + "layer4Configs": [ + { + "ipProtocol": "all" + } + ] + }, + "priority": 2147483644, + "ruleTupleCount": 2 + }, + { + "action": "goto_next", + "description": "default ingress rule ipv6", + "direction": "INGRESS", + "enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "layer4Configs": [ + { + "ipProtocol": "all" + } + ], + "srcIpRanges": [ + "::/0" + ] + }, + "priority": 2147483645, + "ruleTupleCount": 2 + }, + { + "action": "goto_next", + "description": "default egress rule", + "direction": "EGRESS", + "enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "destIpRanges": [ + "0.0.0.0/0" + ], + "layer4Configs": [ + { + "ipProtocol": "all" + } + ] + }, + "priority": 2147483646, + "ruleTupleCount": 2 + }, + { + "action": "goto_next", + "description": "default ingress rule", + "direction": "INGRESS", + 
"enableLogging": false, + "kind": "compute#firewallPolicyRule", + "match": { + "layer4Configs": [ + { + "ipProtocol": "all" + } + ], + "srcIpRanges": [ + "0.0.0.0/0" + ] + }, + "priority": 2147483647, + "ruleTupleCount": 2 + } + ], + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "selfLinkWithId": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012/774029050012", + "shortName": "firewallpolicy-${uniqueId}" +} + +--- + +DELETE https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012?alt=json +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "id": "000000000000000000000", + "insertTime": "2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "deleteFirewallPolicy", + "progress": 0, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "RUNNING", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}?alt=json +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "endTime": "2024-04-01T12:34:56.123456Z", + "id": "000000000000000000000", + "insertTime": 
"2024-04-01T12:34:56.123456Z", + "kind": "compute#operation", + "name": "${operationID}", + "operationType": "deleteFirewallPolicy", + "progress": 100, + "selfLink": "https://www.googleapis.com/compute/v1/locations/global/operations/${operationID}", + "startTime": "2024-04-01T12:34:56.123456Z", + "status": "DONE", + "targetId": "774029050012", + "targetLink": "https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012", + "user": "user@example.com" +} + +--- + +GET https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/774029050012?alt=json +Content-Type: application/json +User-Agent: kcc/controller-manager DeclarativeClientLib/0.0.1 + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "errors": [ + { + "domain": "global", + "message": "The resource 'locations/global/firewallPolicies/774029050012' was not found", + "reason": "notFound" + } + ], + "message": "The resource 'locations/global/firewallPolicies/774029050012' was not found" + } +} \ No newline at end of file diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_generated_object_computefirewallpolicyrule-egress-full.golden.yaml b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_generated_object_computefirewallpolicyrule-egress-full.golden.yaml index 4893b524e3..95335ff087 100644 --- a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_generated_object_computefirewallpolicyrule-egress-full.golden.yaml 
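Review bot: The recorded URLs carry what appears to be a real organization number, `parentId=organizations%2F128653134652`, in the first POST and in the operation GET that follows it, while the request body of the same exchange is normalized to `organizations/${organizationID}`. The placeholder substitution seems to miss the URL-encoded form, so the identifier ends up committed in the fixture. The query string should read `parentId=organizations%2F${organizationID}`; the fix belongs in the log normalizer rather than a hand edit of this file, and the existing fixtures are worth re-checking for the same pattern.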
+++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_generated_object_computefirewallpolicyrule-egress-full.golden.yaml @@ -48,4 +48,4 @@ status: type: Ready kind: compute#firewallPolicyRule observedGeneration: 2 - ruleTupleCount: 4 + ruleTupleCount: 110 diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_http.log b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_http.log index 246637e3be..5817ee2cd4 100644 --- a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_http.log +++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-egress-full/_http.log @@ -304,6 +304,7 @@ X-Xss-Protection: 0 "name": "network-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-${uniqueId}", @@ -439,6 +440,7 @@ X-Xss-Protection: 0 "name": "network-2-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-2-${uniqueId}", 
@@ -534,6 +536,99 @@ X-Xss-Protection: 0 --- +GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/sa-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "errors": [ + { + "domain": "global", + "message": "Service account projects/${projectId}/serviceAccounts/sa-${uniqueId}@${projectId}.iam.gserviceaccount.com does not exist.", + "reason": "notFound" + } + ], + "message": "Service account projects/${projectId}/serviceAccounts/sa-${uniqueId}@${projectId}.iam.gserviceaccount.com does not exist.", + "status": "NOT_FOUND" + } +} + +--- + +POST https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts?alt=json&prettyPrint=false +Content-Type: application/json +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{ + "accountId": "sa-${uniqueId}", + "serviceAccount": {} +} + +409 Conflict +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 409, + "errors": [ + { + "domain": "global", + "message": "Service account sa-${uniqueId} already exists within project projects/${projectId}.", + "reason": "alreadyExists" + } + ], + "message": "Service account sa-${uniqueId} already exists within project projects/${projectId}.", + "status": "ALREADY_EXISTS" + } +} + +--- + +GET 
https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/sa-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "email": "sa-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "etag": "abcdef0123A=", + "name": "projects/${projectId}/serviceAccounts/sa-${uniqueId}@${projectId}.iam.gserviceaccount.com", + "oauth2ClientId": "888888888888888888888", + "projectId": "${projectId}", + "uniqueId": "111111111111111111111" +} + +--- + GET https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/sa-2-${uniqueId}@${projectId}.iam.gserviceaccount.com?alt=json&prettyPrint=false User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager @@ -640,6 +735,13 @@ X-Xss-Protection: 0 { "error": { "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." } } @@ -803,7 +905,7 @@ X-Xss-Protection: 0 ] }, "priority": 9000, - "ruleTupleCount": 4, + "ruleTupleCount": 109, "targetResources": [ "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-${uniqueId}" ], 
@@ -972,7 +1074,7 @@ X-Xss-Protection: 0 ] }, "priority": 9000, - "ruleTupleCount": 4, + "ruleTupleCount": 110, "targetResources": [ "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-2-${uniqueId}" ], @@ -1069,6 +1171,13 @@ X-Xss-Protection: 0 { "error": { "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." } } @@ -1184,6 +1293,7 @@ X-Xss-Protection: 0 "name": "network-2-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-2-${uniqueId}", @@ -1279,6 +1389,7 @@ X-Xss-Protection: 0 "name": "network-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-${uniqueId}", diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_generated_object_computefirewallpolicyrule-ingress-full.golden.yaml b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_generated_object_computefirewallpolicyrule-ingress-full.golden.yaml index 0d2386e0df..65e5585f7f 100644 --- a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_generated_object_computefirewallpolicyrule-ingress-full.golden.yaml 
+++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_generated_object_computefirewallpolicyrule-ingress-full.golden.yaml @@ -48,4 +48,4 @@ status: type: Ready kind: compute#firewallPolicyRule observedGeneration: 2 - ruleTupleCount: 4 + ruleTupleCount: 110 diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_http.log b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_http.log index 7a13ce286b..17b6fb2fbf 100644 --- a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_http.log +++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-ingress-full/_http.log @@ -304,6 +304,7 @@ X-Xss-Protection: 0 "name": "network-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-${uniqueId}", @@ -439,6 +440,7 @@ X-Xss-Protection: 0 "name": "network-2-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-2-${uniqueId}", @@ -640,6 +642,13 @@ X-Xss-Protection: 0 { "error": { "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." } } 
@@ -803,7 +812,7 @@ X-Xss-Protection: 0 ] }, "priority": 9000, - "ruleTupleCount": 4, + "ruleTupleCount": 109, "targetResources": [ "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-${uniqueId}" ], @@ -972,7 +981,7 @@ X-Xss-Protection: 0 ] }, "priority": 9000, - "ruleTupleCount": 4, + "ruleTupleCount": 110, "targetResources": [ "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-2-${uniqueId}" ], @@ -1069,6 +1078,13 @@ X-Xss-Protection: 0 { "error": { "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." } } @@ -1184,6 +1200,7 @@ X-Xss-Protection: 0 "name": "network-2-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-2-${uniqueId}", @@ -1279,6 +1296,7 @@ X-Xss-Protection: 0 "name": "network-${uniqueId}", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL", "routingConfig": { + "bgpBestPathSelectionMode": "LEGACY", "routingMode": "REGIONAL" }, "selfLink": "https://www.googleapis.com/compute/v1/projects/${projectId}/global/networks/network-${uniqueId}", diff --git a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-minimal/_http.log b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-minimal/_http.log index c08bdcdb0b..b9c2b34321 100644 --- a/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-minimal/_http.log 
+++ b/pkg/test/resourcefixture/testdata/basic/compute/v1beta1/computefirewallpolicyrule/computefirewallpolicyrule-minimal/_http.log @@ -196,6 +196,13 @@ X-Xss-Protection: 0 { "error": { "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." } } @@ -339,7 +346,8 @@ x-goog-request-params: firewall_policy=${firewallPolicyId} "srcIpRanges": [ "10.100.0.1/32" ] - } + }, + "priority": 9000 } 200 OK @@ -527,6 +535,13 @@ X-Xss-Protection: 0 { "error": { "code": 400, + "errors": [ + { + "domain": "global", + "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000.", + "reason": "invalid" + } + ], "message": "Invalid value for field 'priority': '9000'. The firewall policy does not contain a rule at priority 9000." } }