From 28248ecb1a08e0e38a723b1df2a8b7871fbd01ed Mon Sep 17 00:00:00 2001
From: Modular Magician
Date: Wed, 13 Jul 2022 16:32:04 +0000
Subject: [PATCH] promote security policy args to ga (#6258)
* promote sec policy args to ga
* update `adaptive_protection_config`
* add enum to `type`
* enum enforce_on_key
* redundent
Signed-off-by: Modular Magician
---
 .changelog/6258.txt | 6 +++++
 .../resource_compute_security_policy.go | 23 ++++++++++++-------
 .../r/compute_security_policy.html.markdown | 12 +++++-----
 3 files changed, 27 insertions(+), 14 deletions(-)
 create mode 100644 .changelog/6258.txt
diff --git a/.changelog/6258.txt b/.changelog/6258.txt
new file mode 100644
index 0000000000..9b43c3e7cc
--- /dev/null
+++ b/.changelog/6258.txt
@@ -0,0 +1,6 @@
+```release-note:enhancement
+compute: promote `rules.rate_limit_options`, `rules.redirect_options`, `adaptive_protection_config` in `compute_security_policy` to ga
+```
+```release-note:bug
+compute: allow properly updating `adaptive_protection_config` in `compute_security_policy`
+```
diff --git a/google-beta/resource_compute_security_policy.go b/google-beta/resource_compute_security_policy.go
index 62503a3d44..283b7c488f 100644
--- a/google-beta/resource_compute_security_policy.go
+++ b/google-beta/resource_compute_security_policy.go
@@ -54,10 +54,11 @@ func resourceComputeSecurityPolicy() *schema.Resource {
 },
 "type": {
- Type: schema.TypeString,
- Optional: true,
- Computed: true,
- Description: `The type indicates the intended use of the security policy. CLOUD_ARMOR - Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. CLOUD_ARMOR_EDGE - Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache.`,
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ Description: `The type indicates the intended use of the security policy. CLOUD_ARMOR - Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. CLOUD_ARMOR_EDGE - Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache.`,
+ ValidateFunc: validation.StringInSlice([]string{"CLOUD_ARMOR", "CLOUD_ARMOR_EDGE", "CLOUD_ARMOR_INTERNAL_SERVICE"}, false),
 },
 "rule": {
@@ -202,10 +203,11 @@ func resourceComputeSecurityPolicy() *schema.Resource {
 },
 "enforce_on_key": {
- Type: schema.TypeString,
- Optional: true,
- Default: "ALL",
- Description: `Determines the key to enforce the rateLimitThreshold on`,
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "ALL",
+ Description: `Determines the key to enforce the rateLimitThreshold on`,
+ ValidateFunc: validation.StringInSlice([]string{"ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE"}, false),
 },
 "enforce_on_key_name": {
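Review bot: The new `ValidateFunc` on `type` accepts `CLOUD_ARMOR_INTERNAL_SERVICE`, but the `Description` on the line above it documents only `CLOUD_ARMOR` and `CLOUD_ARMOR_EDGE`, so nothing in the schema tells a user where a policy of the third type is enforced. Add a sentence for that value to the description, and to the `type` entry in the website doc. Because the list is closed, any policy type the API gains later is rejected at plan time until the provider is updated; a comment beside the validator such as `// keep in sync with the SecurityPolicy type enum in the Compute API` would make that dependency visible. The schema map continues outside the hunk.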
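Review bot: `enforce_on_key` is now validated against five values, yet its `Description` names none of them and does not say that several keys come from request data the client controls. With `HTTP_HEADER`, `HTTP_COOKIE` or `XFF_IP`, a client that varies the header or cookie value presumably lands in a new rate-limit bucket each time, so those keys are only dependable when a trusted proxy in front of the load balancer sets the value. I would extend the description to list the allowed values, state that caveat, and say that `enforce_on_key_name` carries the header or cookie name. Whether the two fields are cross-validated (a name required for `HTTP_HEADER` and `HTTP_COOKIE`, rejected otherwise) is not visible in this hunk.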
@@ -531,6 +533,11 @@ func resourceComputeSecurityPolicyUpdate(d *schema.ResourceData, meta interface{
 securityPolicy.ForceSendFields = append(securityPolicy.ForceSendFields, "AdvancedOptionsConfig", "advancedOptionsConfig.jsonParsing", "advancedOptionsConfig.logLevel")
 }
+ if d.HasChange("adaptive_protection_config") {
+ securityPolicy.AdaptiveProtectionConfig = expandSecurityPolicyAdaptiveProtectionConfig(d.Get("adaptive_protection_config").([]interface{}))
+ securityPolicy.ForceSendFields = append(securityPolicy.ForceSendFields, "AdaptiveProtectionConfig", "adaptiveProtectionConfig.layer7DdosDefenseConfig.enable", "adaptiveProtectionConfig.layer7DdosDefenseConfig.ruleVisibility")
+ }
+
 if len(securityPolicy.ForceSendFields) > 0 {
 client := config.NewComputeClient(userAgent)
diff --git a/website/docs/r/compute_security_policy.html.markdown b/website/docs/r/compute_security_policy.html.markdown
index ec0eaa78f7..acc5f82ea6 100644
--- a/website/docs/r/compute_security_policy.html.markdown
+++ b/website/docs/r/compute_security_policy.html.markdown
@@ -76,7 +76,7 @@ The following arguments are supported:
 * NORMAL - Normal log level.
 * VERBOSE - Verbose log level.
-* `adaptive_protection_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for [Google Cloud Armor Adaptive Protection](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is [documented below](#nested_adaptive_protection_config).
+* `adaptive_protection_config` - (Optional) Configuration for [Google Cloud Armor Adaptive Protection](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is [documented below](#nested_adaptive_protection_config).
 * `type` - The type indicates the intended use of the security policy.
 * CLOUD_ARMOR - Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services.
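Review bot: The dotted entries appended to `ForceSendFields` in the added block (`"adaptiveProtectionConfig.layer7DdosDefenseConfig.enable"` and `"...ruleVisibility"`) are probably not honoured: as far as I know the generated Compute client matches `ForceSendFields` against the Go field names of the struct it is set on, so only `"AdaptiveProtectionConfig"` has an effect here. If that holds, changing `enable` from `true` to `false` reaches the API only when `expandSecurityPolicyAdaptiveProtectionConfig` sets `ForceSendFields` on the nested config itself, which is outside this hunk; otherwise the zero value is omitted and Layer 7 DDoS detection keeps its previous setting while Terraform state records the new one. An acceptance-test step that flips `enable` back to `false`, and one that removes the block, followed by a re-read of the policy, would settle it. The same pattern is used for `advancedOptionsConfig` on the context line above, and the function continues outside the hunk.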
@@ -105,10 +105,10 @@ The following arguments are supported:
 * `preview` - (Optional) When set to true, the `action` specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.
-* `rate_limit_options` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+* `rate_limit_options` - (Optional)
 Must be specified if the `action` is "rate_based_bad" or "throttle". Cannot be specified for other actions. Structure is [documented below](#nested_rate_limit_options).
-* `redirect_options` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+* `redirect_options` - (Optional)
 Can be specified if the `action` is "redirect". Cannot be specified for other actions. Structure is [documented below](#nested_redirect_options).
 The `match` block supports:
@@ -179,13 +179,13 @@ The following arguments are supported:
 The `adaptive_protection_config` block supports:
-* `layer_7_ddos_defense_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for [Google Cloud Armor Adaptive Protection Layer 7 DDoS Defense](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is [documented below](#nested_layer_7_ddos_defense_config).
+* `layer_7_ddos_defense_config` - (Optional) Configuration for [Google Cloud Armor Adaptive Protection Layer 7 DDoS Defense](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is [documented below](#nested_layer_7_ddos_defense_config).
 The `layer_7_ddos_defense_config` block supports:
-* `enable` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) If set to true, enables CAAP for L7 DDoS detection.
+* `enable` - (Optional) If set to true, enables CAAP for L7 DDoS detection.
-* `rule_visibility` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules.
+* `rule_visibility` - (Optional) Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules.
 ## Attributes Reference