terraform-provider-google
Add new resource to support firewall plus
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.
Description
New or Affected Resource(s)
- google_network_security_security_profile
- google_network_security_security_profile_group
- google_network_security_firewall_endpoint
- google_network_security_firewall_endpoint_association
Potential Terraform Configuration
# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.
References
API
- https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/organizations.locations.firewallEndpoints
- https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/projects.locations.firewallEndpointAssociations
- https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/organizations.locations.securityProfiles
- https://cloud.google.com/firewall/docs/reference/network-security/rest/v1beta1/organizations.locations.securityProfileGroups
b/303808491
Posting these because I got a little mixed up here: there are two networksecurity.googleapis.com API definitions. Weird!
- https://cloud.google.com/firewall/docs/reference/network-security/rest
- https://cloud.google.com/secure-web-proxy/docs/reference/network-security/rest
@rileykarson the second link is for Secure Web Proxy. The first one is the correct one for network firewall policy.
Yep! What's unusual is that they share a service endpoint; I got mixed up looking for these resources because of that.
Hello folks, I will be working on these as part of the NGFW construct support
Hey @imrannayer, according to the docs, there will be two more affected (updated) resources in order to support firewall plus:
- google_network_security_tls_inspection_policy, which requires support for trustConfig, minTlsVersion, tlsFeatureProfile, customTlsFeatures.
- ref: Configure TLS inspection Policy
- API: https://cloud.google.com/secure-web-proxy/docs/reference/network-security/rest/v1beta1/projects.locations.tlsInspectionPolicies
- google_compute_network_firewall_policy_rule (DCL), which requires support for security_profile_group and tls_inspect.
- ref: Firewall Policies
- API: https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies/addRule
Could you add them to the list, please? Thanks.
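To show how the resources listed in this thread fit together, here is an added example configuration. It is not from the issue, and it is not the provider's own documentation: the resource names follow the issue list, the argument names are assumptions modelled on the REST resources linked above (securityProfiles, securityProfileGroups, firewallEndpoints, firewallEndpointAssociations, and the security_profile_group / tls_inspect rule fields), and the organization ID, project ID, zone and CA pool are placeholders.

```hcl
# Added example (not from the issue or the provider docs): an end-to-end
# Firewall Plus chain as it could look once every resource in this thread
# exists. Argument names are assumptions based on the linked REST resources.

locals {
  org_id     = "123456789012"   # placeholder organization ID
  project_id = "my-project"     # placeholder project ID
  zone       = "us-central1-a"  # firewall endpoints are zonal
  ca_pool    = "projects/my-project/locations/us-central1/caPools/ngfw-pool" # placeholder
}

resource "google_compute_network" "vpc" {
  project                 = local.project_id
  name                    = "ngfw-vpc"
  auto_create_subnetworks = false
}

# 1. Org-scoped threat prevention profile: override what happens for
#    high/critical severity signatures instead of relying on defaults.
resource "google_network_security_security_profile" "threat" {
  name     = "threat-prevention"
  parent   = "organizations/${local.org_id}"
  location = "global"
  type     = "THREAT_PREVENTION"

  threat_prevention_profile {
    severity_overrides {
      severity = "CRITICAL"
      action   = "DENY"
    }
    severity_overrides {
      severity = "HIGH"
      action   = "DENY"
    }
  }
}

# 2. Org-scoped group; firewall rules reference the group, not the profile.
resource "google_network_security_security_profile_group" "group" {
  name                      = "ngfw-group"
  parent                    = "organizations/${local.org_id}"
  location                  = "global"
  threat_prevention_profile = google_network_security_security_profile.threat.id
}

# 3. Project-scoped TLS inspection policy (Secure Web Proxy API). Only the
#    CA pool is set here; trustConfig / minTlsVersion / tlsFeatureProfile are
#    the fields the thread says still need provider support.
resource "google_network_security_tls_inspection_policy" "tls" {
  name     = "ngfw-tls"
  project  = local.project_id
  location = "us-central1"
  ca_pool  = local.ca_pool
}

# 4. Org-scoped zonal endpoint, billed to a project. Creation is slow (the
#    thread reports 60+ minutes), so the timeout is raised well above default.
resource "google_network_security_firewall_endpoint" "endpoint" {
  name               = "ngfw-endpoint"
  parent             = "organizations/${local.org_id}"
  location           = local.zone
  billing_project_id = local.project_id

  timeouts {
    create = "120m"
    delete = "120m"
  }
}

# 5. Project-scoped association of the endpoint (and TLS policy) with the VPC.
resource "google_network_security_firewall_endpoint_association" "assoc" {
  name                  = "ngfw-assoc"
  parent                = "projects/${local.project_id}"
  location              = local.zone
  firewall_endpoint     = google_network_security_firewall_endpoint.endpoint.id
  network               = google_compute_network.vpc.id
  tls_inspection_policy = google_network_security_tls_inspection_policy.tls.id
}

# 6. Network firewall policy rule that sends matching traffic to the profile
#    group with TLS inspection enabled (the two new rule fields in the thread).
resource "google_compute_network_firewall_policy" "policy" {
  project = local.project_id
  name    = "ngfw-policy"
}

resource "google_compute_network_firewall_policy_rule" "inspect" {
  project         = local.project_id
  firewall_policy = google_compute_network_firewall_policy.policy.name
  priority        = 1000
  direction       = "INGRESS"
  action          = "apply_security_profile_group"
  # Assumed reference format: the API wants a full //networksecurity URI.
  security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.group.id}"
  tls_inspect     = true

  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}
```

The point of the chain is the scoping: profiles, groups and endpoints live under the organization, while associations, the TLS inspection policy and the policy rule live in the project, so the org-level pieces can be reused across many VPCs. Anyone adapting this should check each argument against the published resource docs, since the names here are assumptions.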
FYI I'm going to send in the first PR for security profiles.
Hey @LucaPrete, could you tell me which resource are you referring to, please? is it the google_network_security_security_profile? when are you opening this PR?
Yes. I'm verifying the latest tests now. Almost done.
Hey @LucaPrete, gotcha, it's totally fine. The only issue is that I had already put some effort into the same resource. So I recommend you open a draft PR or claim the specific resource before starting work on the PR, the way I did in my previous comment. This way, the community does not duplicate the work.
P.S. I will move to the firewall-related resources and the other updates.
Hello, I will start working on the security profile groups (google_network_security_security_profile_group).
Max, thanks!
Any chance we can first finalize the support for secure tags in GKE node pools?
Hello @LucaPrete, "Yes, I'm verifying the latest tests. Almost done."
I know I claimed the firewall resources, but did you already have something on them?
P.S. I am glad of your help on the product implementation. I just pointed out that we need to sync our efforts.
Yep. Makes sense!
I thought you were not from Google! Can you please contact me internally? I'm not able to find you.
-Luca
Hi @paulomarquescit, I can do this today if that's ok with you. Have you already started? I don't want to seem rude; I'm trying to speed up the process a bit... ;)
Hi @LucaPrete, if you can finish today, you can continue working on google_network_security_security_profile_group.
Hello, I will start working on the firewall endpoint resource (google_network_security_firewall_endpoint).
@paulomarquescit I agreed with @maxi-cit that I would have continued to work on this until Monday. Then I'll be out for 3 weeks :) I already have something in place for endpoints as well (PR coming). Sorry for the continuous overlaps. Just trying to commit whatever I can before my leave
...Following up on this... it seems an interesting conversation to have. FirewallEndpoints currently take 60+ minutes to be created, so I'd rule out running real tests for them. Also, the product documentation recommends creating them asynchronously, given the time it takes to create them. It uses a special requestId urlParam for this, which users can optionally insert in each request. Anyway, I would think this is not applicable to Terraform. What do you think @maxi-cit @paulomarquescit @rileykarson?
Hello @LucaPrete, that was an issue Paulo told me about. Currently, I do not know of a way to customize the generated custom function other than increasing the timeout or going for a hand-written resource.
So, I think I made it. Please, try to have a look.
I basically used the same approach we've been using for GCVE clusters, which suffer from the same issue. TL;DR: I skip the test in the examples and use acctest.SkipIfVcr(t) in the manual test.
The resource should be ready and I ran the manual test which passed.
-Luca
Reopening since not all resources are supported
Sorry for the noise (I missed this before merging the most recent PR), reopening again since not all resources are supported
@melinath actually we should reopen it, as we are still missing endpoint associations (my PR under review) and a new action in firewall policies.
whoops, thanks!
#17030 is needed for this to work
looks like we can track the remaining work in that issue.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.