
Bump Cloud Armor Hierarchical Policies - Security Policy Associations to GA

Open maxi-cit opened this issue 2 months ago • 48 comments

Release Note Template for Downstream PRs (will be copied)

See Write release notes for guidance.

`google_compute_organization_security_policy_association`  (GA)
compute: deprecated `FIREWALL` enum value for `type` field in `google_compute_organization_security_policy` resource. Use `google_compute_firewall_policy` instead. 

maxi-cit avatar Oct 22 '25 19:10 maxi-cit

Hello! I am a robot. Tests will require approval from a repository maintainer to run.

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@zli82016, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

github-actions[bot] avatar Oct 22 '25 19:10 github-actions[bot]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 1144 insertions(+), 13 deletions(-)) google-beta provider: Diff ( 4 files changed, 4 insertions(+), 18 deletions(-))

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 22 '25 19:10 modular-magician

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1295 Passed tests: 1211 Skipped tests: 84 Affected tests: 0

Click here to see the affected service packages
  • compute

🟢 All tests passed!

View the build log

modular-magician avatar Oct 22 '25 20:10 modular-magician

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 1144 insertions(+), 13 deletions(-)) google-beta provider: Diff ( 4 files changed, 4 insertions(+), 18 deletions(-))

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 22 '25 20:10 modular-magician

@maxi-cit , can you first fix the failed checks?

--- FAIL: TestTemplatesStillNeedToBeTemplates (0.03s)
    validate_third_party_test.go:75: The following 2 .tmpl files in third_party directory don't contain any template syntax and no longer need to be templates:
    validate_third_party_test.go:79: - third_party/terraform/services/compute/resource_compute_organization_security_policy_test.go.tmpl
    validate_third_party_test.go:79: - third_party/terraform/services/compute/security_policy_association_utils.go.tmpl
    validate_third_party_test.go:82: Consider removing the .tmpl extension from these files.

Thanks.

zli82016 avatar Oct 22 '25 21:10 zli82016
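To reproduce the TestTemplatesStillNeedToBeTemplates finding locally without running the whole validate_third_party suite, here is an added example (my own code, not part of magic-modules) that walks a directory for `.tmpl` files containing no Go text/template action. The sample tree it writes is constructed to mirror the two paths from the failure above; treating `{{` as the marker for "contains template syntax" is an assumption about what the real check looks for.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// NeedlessTemplates walks root and returns, relative to root and in lexical
// order, every file named *.tmpl whose body contains no "{{" at all, i.e.
// no text/template action. Such files can drop the .tmpl extension.
// Using "{{" as the marker is an assumption about the upstream check.
func NeedlessTemplates(root string) ([]string, error) {
	var flagged []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !strings.HasSuffix(d.Name(), ".tmpl") {
			return nil
		}
		body, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if strings.Contains(string(body), "{{") {
			return nil // still a real template, keep it
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		flagged = append(flagged, filepath.ToSlash(rel))
		return nil
	})
	return flagged, err
}

// WriteSampleTree creates a constructed third_party-style tree under dir:
// the two .tmpl files the CI check reported (no template syntax), one
// genuine template, and one plain .go file that must be ignored.
func WriteSampleTree(dir string) error {
	files := map[string]string{
		"third_party/terraform/services/compute/resource_compute_organization_security_policy_test.go.tmpl": "package compute\n\nfunc TestExample() {}\n",
		"third_party/terraform/services/compute/security_policy_association_utils.go.tmpl":                  "package compute\n\nfunc helper() {}\n",
		"third_party/terraform/services/compute/resource_compute_organization_security_policy.go.tmpl":      "package compute\n\n{{- if ne $.TargetVersionName \"ga\" }}\n// beta-only code\n{{- end }}\n",
		"third_party/terraform/services/compute/plain.go":                                                   "package compute\n",
	}
	for rel, body := range files {
		full := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "tmplcheck")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WriteSampleTree(dir); err != nil {
		panic(err)
	}
	flagged, err := NeedlessTemplates(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range flagged {
		fmt.Println("no template syntax, drop .tmpl:", f)
	}
}
```

Point `NeedlessTemplates` at `mmv1/third_party` in a checkout to get the same two paths the CI job listed; a file that only looks like a template because of a stray `{{` in a comment would still pass this heuristic, so review what it reports rather than renaming blindly.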

I will review it once all of the checks, especially the tests pass.

zli82016 avatar Oct 22 '25 21:10 zli82016

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1295 Passed tests: 1211 Skipped tests: 84 Affected tests: 0

Click here to see the affected service packages
  • compute

🟢 All tests passed!

View the build log

modular-magician avatar Oct 22 '25 21:10 modular-magician

> Release Note Template for Downstream PRs (will be copied)
>
> See Write release notes for guidance.

The release note is needed.

zli82016 avatar Oct 22 '25 21:10 zli82016

Thanks for the reminder!

maxi-cit avatar Oct 22 '25 22:10 maxi-cit

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 1146 insertions(+), 15 deletions(-)) google-beta provider: Diff ( 6 files changed, 6 insertions(+), 20 deletions(-))

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 22 '25 22:10 modular-magician

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1295 Passed tests: 1211 Skipped tests: 84 Affected tests: 0

Click here to see the affected service packages
  • compute

🟢 All tests passed!

View the build log

modular-magician avatar Oct 22 '25 23:10 modular-magician

I ran these tests in CI.

Three tests failed in the Terraform GA provider with the same error, but passed in the Terraform beta provider.

> * TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
> * TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
> * TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

The error is as below

=== CONT  TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
    resource_compute_organization_security_policy_generated_test.go:40: Step 1/2 error: Error running apply: exit status 1
        Error: Error creating OrganizationSecurityPolicy: googleapi: Error 400: Invalid value for field 'resource.shortName': ''. SecurityPolicy must have a user-assigned name., invalid
          with google_compute_organization_security_policy.policy,
          on terraform_plugin_test.tf line 2, in resource "google_compute_organization_security_policy" "policy":
           2: resource "google_compute_organization_security_policy" "policy" {

@maxi-cit, do you know if something changed for the field shortName in the GA API? Thanks.

zli82016 avatar Oct 23 '25 15:10 zli82016

Can you also fix the gofmt error, @maxi-cit ? Thanks.

Run GOFMT_OUTPUT="$(gofmt -l .)"
The following files are not formatted properly:
mmv1/third_party/terraform/services/compute/resource_compute_organization_security_policy_test.go

zli82016 avatar Oct 23 '25 16:10 zli82016

> I ran these tests in CI.
>
> Three tests failed in the Terraform GA provider with the same error, but passed in the Terraform beta provider.
>
> > * TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
> > * TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
> > * TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample
>
> The error is as below
>
> === CONT  TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
>     resource_compute_organization_security_policy_generated_test.go:40: Step 1/2 error: Error running apply: exit status 1
>         Error: Error creating OrganizationSecurityPolicy: googleapi: Error 400: Invalid value for field 'resource.shortName': ''. SecurityPolicy must have a user-assigned name., invalid
>           with google_compute_organization_security_policy.policy,
>           on terraform_plugin_test.tf line 2, in resource "google_compute_organization_security_policy" "policy":
>            2: resource "google_compute_organization_security_policy" "policy" {
>
> @maxi-cit, do you know if something changed for the field shortName in the GA API? Thanks.

I don't think it is a good solution to add short_name to the test.

Can you help me understand the reason that the field shortName is needed in the GA API, @maxi-cit? Thanks.

zli82016 avatar Oct 24 '25 16:10 zli82016

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 1178 insertions(+), 16 deletions(-)) google-beta provider: Diff ( 7 files changed, 39 insertions(+), 22 deletions(-))

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 24 '25 17:10 modular-magician

Hello @zli82016, there has been a lot of internal chat during these days, but the arising issues come from the fact that the GA and Beta APIs have differences in their signatures, docs and behaviour.

Default policy types for Beta and GA are FIREWALL and CLOUD_ARMOR respectively. So I tried to change the test so it works in both, but CLOUD_ARMOR uses short name instead of display name. But then I just realized the GA API does not return the "parent" field as the BETA does in the GET endpoint, so it breaks TF state reconciliation. I thought about working on a diff suppress func, but it does not seem like it will work either.

Google folks can push this addition, but it will be done in the order of weeks and they need this in GA asap.

Any thoughts?

maxi-cit avatar Oct 24 '25 17:10 maxi-cit

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1295 Passed tests: 1210 Skipped tests: 84 Affected tests: 1

Click here to see the affected service packages
  • compute

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample

Get to know how VCR tests work

modular-magician avatar Oct 24 '25 17:10 modular-magician

🟢 Tests passed during RECORDING mode: TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample [Debug log]

🟢 No issues found for passed tests after REPLAYING rerun.


🟢 All tests passed!

View the build log or the debug log for each test

modular-magician avatar Oct 24 '25 17:10 modular-magician

The differences between the GA and Beta APIs I observed are as follows:

  1. The default value of Type field GA: CLOUD_ARMOR BETA: ~~FIREWALL~~ CLOUD_ARMOR, but Terraform has default value FIREWALL
  2. parent field is not returned in GA API.
  3. shortName for type FIREWALL
    • GA: required
    • BETA: not required
  4. API returns type CLOUD_ARMOR with type FIREWALL in request.

zli82016 avatar Oct 24 '25 18:10 zli82016

@maxi-cit , can you also fix the test TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample? Thanks.

------- Stdout: -------
=== RUN   TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample
=== PAUSE TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample
=== CONT  TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample
    resource_compute_organization_security_policy_test.go:35: Step 1/4 error: Error running apply: exit status 1
        Error: Error creating OrganizationSecurityPolicy: googleapi: Error 400: Invalid value for field 'resource.shortName': ''. SecurityPolicy must have a user-assigned name., invalid
          with google_compute_organization_security_policy.policy,
          on terraform_plugin_test.tf line 2, in resource "google_compute_organization_security_policy" "policy":
           2: resource "google_compute_organization_security_policy" "policy" {
--- FAIL: TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample (3.69s)
FAIL

zli82016 avatar Oct 24 '25 20:10 zli82016

> The differences between the GA and Beta APIs I observed are as follows:
>
>   1. The default value of Type field GA: CLOUD_ARMOR BETA: ~~FIREWALL~~ CLOUD_ARMOR, but Terraform has default value FIREWALL
>   2. parent field is not returned in GA API.
>   3. shortName for type FIREWALL
>     • GA: required
>     • BETA: not required
>   4. API returns type CLOUD_ARMOR with type FIREWALL in request.

@maxi-cit , to address these issues,

  1. use default_from_api: true
  2. use ignore_read: true
  3. and 4. ~~Change the type of type field from ENUM to String. Add the validation that FIREWALL is not allowed in GA provider.~~ Modify the description of type field to add a note that FIREWALL should be avoided to create a new resource in GA provider, as it is not visible in v1 API.

zli82016 avatar Oct 28 '25 15:10 zli82016
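The three suggestions above map directly onto MMv1 field attributes. As an added sketch (my own, not the YAML from this PR or from magic-modules), here is what the `parent` and `type` entries of the resource definition would look like before and after the change. Only `default_from_api`, `ignore_read`, the enum values and the FIREWALL note come from the thread; the file name `OrganizationSecurityPolicy.yaml`, the description wording and the other keys shown are assumptions about the surrounding definition.

```yaml
# Before (beta-era definition, assumed shape): Terraform hard-codes FIREWALL,
# and parent is read back from the API, which the v1 (GA) GET does not return.
properties:
  - name: 'parent'
    type: String
    description: 'Parent of this policy, organizations/{id} or folders/{id}.'  # assumed wording
    required: true
  - name: 'type'
    type: Enum
    description: 'The intended use of the security policy.'  # assumed wording
    default_value: 'FIREWALL'
    enum_values:
      - 'FIREWALL'
      - 'CLOUD_ARMOR'
---
# After: let the API supply the default for type (CLOUD_ARMOR on both v1 and
# beta), stop reading parent back so state does not drift, and warn GA users
# away from FIREWALL in the description instead of rejecting it outright.
properties:
  - name: 'parent'
    type: String
    description: 'Parent of this policy, organizations/{id} or folders/{id}.'  # assumed wording
    required: true
    ignore_read: true          # v1 GET omits the field; avoids a perpetual diff
  - name: 'type'
    type: Enum
    description: |
      The intended use of the security policy. FIREWALL should not be used to
      create a new resource with the GA provider: the v1 API does not expose
      it and returns CLOUD_ARMOR even when FIREWALL was requested. Use
      google_compute_firewall_policy for firewall policies instead.
    default_from_api: true     # replaces default_value: 'FIREWALL'
    enum_values:
      - 'FIREWALL'
      - 'CLOUD_ARMOR'
```

Dropping `default_value` is exactly what the breaking-change detector later flags as "default value changed from FIREWALL to <nil>", so expect to justify the override-breaking-change label with the API-side default change when using this pattern.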

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 16 files changed, 2293 insertions(+), 25 deletions(-)) google-beta provider: Diff ( 12 files changed, 51 insertions(+), 70 deletions(-))

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

  • Field type default value changed from FIREWALL to <nil> on google_compute_organization_security_policy - reference

If you believe this detection to be incorrect please raise the concern with your reviewer. If you intend to make this change you will need to wait for a major release window. An override-breaking-change label can be added to allow merging.

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association, google_compute_organization_security_policy_rule. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 29 '25 17:10 modular-magician

> Breaking Change(s) Detected
>
> The following breaking change(s) were detected within your pull request.
>
>   • Field type default value changed from FIREWALL to <nil> on google_compute_organization_security_policy - reference
>
> If you believe this detection to be incorrect please raise the concern with your reviewer. If you intend to make this change you will need to wait for a major release window. An override-breaking-change label can be added to allow merging.

This change has to be made as the default value has changed for the field type in Beta API. In GA API, the default value is also not FIREWALL.

default_from_api: true has been used, instead.

zli82016 avatar Oct 29 '25 17:10 zli82016

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1295 Passed tests: 1206 Skipped tests: 84 Affected tests: 5

Click here to see the affected service packages
  • compute

Action taken

Found 5 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample
  • TestAccComputeRegionBackendService_regionBackendServiceHaPolicyManualLeader_update

Get to know how VCR tests work

modular-magician avatar Oct 29 '25 17:10 modular-magician

🟢 Tests passed during RECORDING mode: TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample [Debug log] TestAccComputeRegionBackendService_regionBackendServiceHaPolicyManualLeader_update [Debug log]

🔴 Tests failed when rerunning REPLAYING mode: TestAccComputeRegionBackendService_regionBackendServiceHaPolicyManualLeader_update [Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.


🔴 Tests failed during RECORDING mode: TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample [Error message] [Debug log] TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleBasicExample [Error message] [Debug log] TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

modular-magician avatar Oct 29 '25 17:10 modular-magician

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 1131 insertions(+), 40 deletions(-)) google-beta provider: Diff ( 10 files changed, 49 insertions(+), 102 deletions(-))

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

  • Field type default value changed from FIREWALL to <nil> on google_compute_organization_security_policy - reference

If you believe this detection to be incorrect please raise the concern with your reviewer. If you intend to make this change you will need to wait for a major release window. An override-breaking-change label can be added to allow merging.

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 29 '25 18:10 modular-magician

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1296 Passed tests: 1208 Skipped tests: 84 Affected tests: 4

Click here to see the affected service packages
  • compute

Action taken

Found 4 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample
  • TestAccComputeRegionBackendService_regionBackendServiceHaPolicyManualLeader_update

Get to know how VCR tests work

modular-magician avatar Oct 29 '25 19:10 modular-magician

🟢 Tests passed during RECORDING mode: TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample [Debug log] TestAccComputeRegionBackendService_regionBackendServiceHaPolicyManualLeader_update [Debug log]

🔴 Tests failed when rerunning REPLAYING mode: TestAccComputeRegionBackendService_regionBackendServiceHaPolicyManualLeader_update [Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.


🔴 Tests failed during RECORDING mode: TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleBasicExample [Error message] [Debug log] TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

modular-magician avatar Oct 29 '25 19:10 modular-magician

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 1136 insertions(+), 40 deletions(-)) google-beta provider: Diff ( 10 files changed, 49 insertions(+), 102 deletions(-))

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

  • Field type default value changed from FIREWALL to <nil> on google_compute_organization_security_policy - reference

If you believe this detection to be incorrect please raise the concern with your reviewer. If you intend to make this change you will need to wait for a major release window. An override-breaking-change label can be added to allow merging.

Multiple resources added

This PR adds multiple new resources: google_compute_organization_security_policy, google_compute_organization_security_policy_association. This makes review significantly more difficult. Please split it into multiple PRs, one per resource. An override-multiple-resources label can be added to allow merging.

modular-magician avatar Oct 29 '25 19:10 modular-magician

Non-exercised tests

🔴 Tests were added that are GA-only additions and require manual runs:

  • TestAccComputeOrganizationSecurityPolicyAssociation_organizationSecurityPolicyAssociationBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyBasicExample
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyShortName
  • TestAccComputeOrganizationSecurityPolicy_organizationSecurityPolicyUpdateExample

Tests analytics

Total tests: 1296 Passed tests: 1210 Skipped tests: 84 Affected tests: 2

Click here to see the affected service packages
  • compute

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleBasicExample
  • TestAccComputeOrganizationSecurityPolicyRule_organizationSecurityPolicyRuleUpdateExample

Get to know how VCR tests work

modular-magician avatar Oct 29 '25 19:10 modular-magician