Skip to content

Commit

Permalink
Vgm vpc subseg (#9298) (#6553)
Browse files Browse the repository at this point in the history
* First commit for VPC sub-segmentation feature. All relevant resources and tests updated.

* Adding access levels instead of using a fake access level name. Also moving a VPC network to the top level instead of (incorrectly) inside another resource.

* Fixing conflict between ip_subnetworks and vpc_ip_subnetworks

* Undoing changes to access level condition test

* Undoing changes to access level condition test

* Ran gofmt

* Re-adding access level conditions tests

* Changing resource names to camel case to match what the HTTP response from the API returns. Also removing the 'resource' field because it's behind an allowlist.

* Parameterizing the names of VPC networks created in tests

* Fixing access level condition test

* Fixed formatting with gofmt

* Added missing fields in egress_from for service perimeter test.

* Added "required: true" for AccessLevel.VpcNetworkSource.network field to
match description.

* Added egress source changes to test data in: example_access_context_manager_service_perimeter.tfplan.json

* Add Egress Source/source restriction changes to example_access_context_manager_service_perimeter.tf

* Attempt to fix example_access_context_manager_service_perimeter.tfplan.json to make it parse correctly

* Add Egress Source to expected tcg test result data

* Fixing expected output format in example_access_context_manager_service_perimeter.json

* Fix Access Level format in expected output in example_access_context_manager_service_perimeter.json

---------



[upstream:d30384c9aa2002c56102ce4c8f0c76c77706b923]

Signed-off-by: Modular Magician <[email protected]>
  • Loading branch information
modular-magician authored Oct 20, 2023
1 parent cc6a213 commit 7f00660
Show file tree
Hide file tree
Showing 19 changed files with 1,146 additions and 23 deletions.
3 changes: 3 additions & 0 deletions .changelog/9298.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
accesscontextmanager: added support for Access Context Manager's VPC Sub-segmentation feature
```
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,38 @@ Format: accessPolicies/{policy_id}/accessLevels/{short_name}`,
Type: schema.TypeString,
},
},
"vpc_network_sources": {
Type: schema.TypeList,
Optional: true,
Description: `The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with 'ip_subnetworks'.`,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"vpc_subnetwork": {
Type: schema.TypeList,
Optional: true,
Description: `Sub networks within a VPC network.`,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"network": {
Type: schema.TypeString,
Required: true,
Description: `Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires 'compute.network.get' permission to be granted to caller.`,
},
"vpc_ip_subnetworks": {
Type: schema.TypeList,
Optional: true,
Description: `CIDR block IP subnetwork specification. Must be IPv4.`,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
},
},
},
},
},
},
},
},
},
Expand Down Expand Up @@ -672,6 +704,7 @@ func flattenAccessContextManagerAccessLevelBasicConditions(v interface{}, d *sch
"negate": flattenAccessContextManagerAccessLevelBasicConditionsNegate(original["negate"], d, config),
"device_policy": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicy(original["devicePolicy"], d, config),
"regions": flattenAccessContextManagerAccessLevelBasicConditionsRegions(original["regions"], d, config),
"vpc_network_sources": flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSources(original["vpcNetworkSources"], d, config),
})
}
return transformed
Expand Down Expand Up @@ -771,6 +804,47 @@ func flattenAccessContextManagerAccessLevelBasicConditionsRegions(v interface{},
return v
}

func flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return v
}
l := v.([]interface{})
transformed := make([]interface{}, 0, len(l))
for _, raw := range l {
original := raw.(map[string]interface{})
if len(original) < 1 {
// Do not include empty json objects coming back from the api
continue
}
transformed = append(transformed, map[string]interface{}{
"vpc_subnetwork": flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetwork(original["vpcSubnetwork"], d, config),
})
}
return transformed
}
func flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
}
original := v.(map[string]interface{})
if len(original) == 0 {
return nil
}
transformed := make(map[string]interface{})
transformed["network"] =
flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkNetwork(original["network"], d, config)
transformed["vpc_ip_subnetworks"] =
flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(original["vpcIpSubnetworks"], d, config)
return []interface{}{transformed}
}
func flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkNetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenAccessContextManagerAccessLevelCustom(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
Expand Down Expand Up @@ -913,6 +987,13 @@ func expandAccessContextManagerAccessLevelBasicConditions(v interface{}, d tpgre
transformed["regions"] = transformedRegions
}

transformedVpcNetworkSources, err := expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSources(original["vpc_network_sources"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedVpcNetworkSources); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["vpcNetworkSources"] = transformedVpcNetworkSources
}

req = append(req, transformed)
}
return req, nil
Expand Down Expand Up @@ -1060,6 +1141,62 @@ func expandAccessContextManagerAccessLevelBasicConditionsRegions(v interface{},
return v, nil
}

func expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSources(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
req := make([]interface{}, 0, len(l))
for _, raw := range l {
if raw == nil {
continue
}
original := raw.(map[string]interface{})
transformed := make(map[string]interface{})

transformedVpcSubnetwork, err := expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetwork(original["vpc_subnetwork"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedVpcSubnetwork); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["vpcSubnetwork"] = transformedVpcSubnetwork
}

req = append(req, transformed)
}
return req, nil
}

func expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
return nil, nil
}
raw := l[0]
original := raw.(map[string]interface{})
transformed := make(map[string]interface{})

transformedNetwork, err := expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkNetwork(original["network"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedNetwork); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["network"] = transformedNetwork
}

transformedVpcIpSubnetworks, err := expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(original["vpc_ip_subnetworks"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedVpcIpSubnetworks); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["vpcIpSubnetworks"] = transformedVpcIpSubnetworks
}

return transformed, nil
}

func expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkNetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandAccessContextManagerAccessLevelBasicConditionsVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandAccessContextManagerAccessLevelCustom(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,42 @@ Format: accessPolicies/{policy_id}/accessLevels/{short_name}`,
Type: schema.TypeString,
},
},
"vpc_network_sources": {
Type: schema.TypeList,
Optional: true,
ForceNew: true,
Description: `The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with 'ip_subnetworks'.`,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"vpc_subnetwork": {
Type: schema.TypeList,
Optional: true,
ForceNew: true,
Description: `Sub networks within a VPC network.`,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"network": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
Description: `Required. Network name to be allowed by this Access Level. Networks of foreign organizations requires 'compute.network.get' permission to be granted to caller.`,
},
"vpc_ip_subnetworks": {
Type: schema.TypeList,
Optional: true,
ForceNew: true,
Description: `CIDR block IP subnetwork specification. Must be IPv4.`,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
},
},
},
},
},
},
},
UseJSONNumber: true,
}
Expand Down Expand Up @@ -244,6 +280,12 @@ func resourceAccessContextManagerAccessLevelConditionCreate(d *schema.ResourceDa
} else if v, ok := d.GetOkExists("regions"); !tpgresource.IsEmptyValue(reflect.ValueOf(regionsProp)) && (ok || !reflect.DeepEqual(v, regionsProp)) {
obj["regions"] = regionsProp
}
vpcNetworkSourcesProp, err := expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSources(d.Get("vpc_network_sources"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("vpc_network_sources"); !tpgresource.IsEmptyValue(reflect.ValueOf(vpcNetworkSourcesProp)) && (ok || !reflect.DeepEqual(v, vpcNetworkSourcesProp)) {
obj["vpcNetworkSources"] = vpcNetworkSourcesProp
}

lockName, err := tpgresource.ReplaceVars(d, config, "{{access_level}}")
if err != nil {
Expand Down Expand Up @@ -408,6 +450,9 @@ func resourceAccessContextManagerAccessLevelConditionRead(d *schema.ResourceData
if err := d.Set("regions", flattenNestedAccessContextManagerAccessLevelConditionRegions(res["regions"], d, config)); err != nil {
return fmt.Errorf("Error reading AccessLevelCondition: %s", err)
}
if err := d.Set("vpc_network_sources", flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSources(res["vpcNetworkSources"], d, config)); err != nil {
return fmt.Errorf("Error reading AccessLevelCondition: %s", err)
}

return nil
}
Expand Down Expand Up @@ -557,6 +602,47 @@ func flattenNestedAccessContextManagerAccessLevelConditionRegions(v interface{},
return v
}

func flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return v
}
l := v.([]interface{})
transformed := make([]interface{}, 0, len(l))
for _, raw := range l {
original := raw.(map[string]interface{})
if len(original) < 1 {
// Do not include empty json objects coming back from the api
continue
}
transformed = append(transformed, map[string]interface{}{
"vpc_subnetwork": flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetwork(original["vpcSubnetwork"], d, config),
})
}
return transformed
}
func flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
}
original := v.(map[string]interface{})
if len(original) == 0 {
return nil
}
transformed := make(map[string]interface{})
transformed["network"] =
flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkNetwork(original["network"], d, config)
transformed["vpc_ip_subnetworks"] =
flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(original["vpcIpSubnetworks"], d, config)
return []interface{}{transformed}
}
func flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkNetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func expandNestedAccessContextManagerAccessLevelConditionIpSubnetworks(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}
Expand Down Expand Up @@ -688,6 +774,62 @@ func expandNestedAccessContextManagerAccessLevelConditionRegions(v interface{},
return v, nil
}

func expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSources(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
req := make([]interface{}, 0, len(l))
for _, raw := range l {
if raw == nil {
continue
}
original := raw.(map[string]interface{})
transformed := make(map[string]interface{})

transformedVpcSubnetwork, err := expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetwork(original["vpc_subnetwork"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedVpcSubnetwork); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["vpcSubnetwork"] = transformedVpcSubnetwork
}

req = append(req, transformed)
}
return req, nil
}

func expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
return nil, nil
}
raw := l[0]
original := raw.(map[string]interface{})
transformed := make(map[string]interface{})

transformedNetwork, err := expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkNetwork(original["network"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedNetwork); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["network"] = transformedNetwork
}

transformedVpcIpSubnetworks, err := expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(original["vpc_ip_subnetworks"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedVpcIpSubnetworks); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["vpcIpSubnetworks"] = transformedVpcIpSubnetworks
}

return transformed, nil
}

func expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkNetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandNestedAccessContextManagerAccessLevelConditionVpcNetworkSourcesVpcSubnetworkVpcIpSubnetworks(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func flattenNestedAccessContextManagerAccessLevelCondition(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
var v interface{}
var ok bool
Expand Down
Loading

0 comments on commit 7f00660

Please sign in to comment.