SWP Policy Rule - Mitigate multiple rules issue (#12704) (#21643)

[upstream:e8431c4467c7d067460a8e3a8ea50439345c8ec6] Signed-off-by: Modular Magician <[email protected]>
hashicorp · Feb 27, 2025 · bb06371 · bb06371
1 parent dd74841
commit bb06371
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 0 deletions.
diff --git a/.changelog/12704.txt b/.changelog/12704.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+networksecurity: added wait time on `google_network_security_gateway_security_policy_rule` resource when creating and deleting to prevent race conditions
+```
diff --git a/google/services/networksecurity/resource_network_security_gateway_security_policy_rule.go b/google/services/networksecurity/resource_network_security_gateway_security_policy_rule.go
@@ -194,6 +194,13 @@ func resourceNetworkSecurityGatewaySecurityPolicyRuleCreate(d *schema.ResourceDa
 		obj["basicProfile"] = basicProfileProp
 	}
 
+	lockName, err := tpgresource.ReplaceVars(d, config, "gatewaySecurityPolicies/{{gateway_security_policy}}/rules")
+	if err != nil {
+		return err
+	}
+	transport_tpg.MutexStore.Lock(lockName)
+	defer transport_tpg.MutexStore.Unlock(lockName)
+
 	url, err := tpgresource.ReplaceVars(d, config, "{{NetworkSecurityBasePath}}projects/{{project}}/locations/{{location}}/gatewaySecurityPolicies/{{gateway_security_policy}}/rules?gatewaySecurityPolicyRuleId={{name}}")
 	if err != nil {
 		return err
@@ -385,6 +392,13 @@ func resourceNetworkSecurityGatewaySecurityPolicyRuleUpdate(d *schema.ResourceDa
 		obj["basicProfile"] = basicProfileProp
 	}
 
+	lockName, err := tpgresource.ReplaceVars(d, config, "gatewaySecurityPolicies/{{gateway_security_policy}}/rules")
+	if err != nil {
+		return err
+	}
+	transport_tpg.MutexStore.Lock(lockName)
+	defer transport_tpg.MutexStore.Unlock(lockName)
+
 	url, err := tpgresource.ReplaceVars(d, config, "{{NetworkSecurityBasePath}}projects/{{project}}/locations/{{location}}/gatewaySecurityPolicies/{{gateway_security_policy}}/rules/{{name}}")
 	if err != nil {
 		return err
@@ -479,6 +493,13 @@ func resourceNetworkSecurityGatewaySecurityPolicyRuleDelete(d *schema.ResourceDa
 	}
 	billingProject = project
 
+	lockName, err := tpgresource.ReplaceVars(d, config, "gatewaySecurityPolicies/{{gateway_security_policy}}/rules")
+	if err != nil {
+		return err
+	}
+	transport_tpg.MutexStore.Lock(lockName)
+	defer transport_tpg.MutexStore.Unlock(lockName)
+
 	url, err := tpgresource.ReplaceVars(d, config, "{{NetworkSecurityBasePath}}projects/{{project}}/locations/{{location}}/gatewaySecurityPolicies/{{gateway_security_policy}}/rules/{{name}}")
 	if err != nil {
 		return err

diff --git a/...e/services/networksecurity/resource_network_security_gateway_security_policy_rule_test.go b/...e/services/networksecurity/resource_network_security_gateway_security_policy_rule_test.go
@@ -50,6 +50,50 @@ func TestAccNetworkSecurityGatewaySecurityPolicyRule_update(t *testing.T) {
 	})
 }
 
+func TestAccNetworkSecurityGatewaySecurityPolicyRule_multiple(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckNetworkSecurityGatewaySecurityPolicyRuleDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkSecurityGatewaySecurityPolicyRule_multiple(context),
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule1",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule2",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule3",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule4",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      "google_network_security_gateway_security_policy_rule.rule5",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccNetworkSecurityGatewaySecurityPolicyRule_basic(gatewaySecurityPolicyName, gatewaySecurityPolicyRuleName string) string {
 	return fmt.Sprintf(`
 resource "google_network_security_gateway_security_policy" "default" {
@@ -94,3 +138,76 @@ resource "google_network_security_gateway_security_policy_rule" "foobar" {
 }
 `, gatewaySecurityPolicyName, gatewaySecurityPolicyRuleName)
 }
+
+func testAccNetworkSecurityGatewaySecurityPolicyRule_multiple(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_network_security_gateway_security_policy" "default" {
+  name        = "tf-test-gateway-sp-%{random_suffix}"
+  location    = "us-central1"
+  description = "gateway security policy created to be used as reference by the rule."
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule1" {
+  name                    = "tf-test-gateway-sp-rule1-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Highest priority rule"
+  priority                = 0
+  session_matcher         = "host() == 'example.com'"
+  application_matcher     = "request.method == 'POST'"
+  basic_profile           = "ALLOW"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule2" {
+  name                    = "tf-test-gateway-sp-rule2-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Rule priority 762"
+  priority                = 762
+  session_matcher         = "host() == 'example.com'"
+  application_matcher     = "request.method == 'GET'"
+  tls_inspection_enabled  = false
+  basic_profile           = "DENY"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule3" {
+  name                    = "tf-test-gateway-sp-rule3-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Rule priority 37961"
+  priority                = 37961
+  session_matcher         = "host() == 'update.com'"
+  application_matcher     = "request.method == 'POST'"
+  basic_profile           = "ALLOW"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule4" {
+  name                    = "tf-test-gateway-sp-rule4-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Rule priority 9572843"
+  priority                = 9572843
+  session_matcher         = "host() == 'update.com'"
+  application_matcher     = "request.method == 'GET'"
+  tls_inspection_enabled  = false
+  basic_profile           = "DENY"
+}
+
+resource "google_network_security_gateway_security_policy_rule" "rule5" {
+  name                    = "tf-test-gateway-sp-rule5-%{random_suffix}"
+  location                = "us-central1"
+  gateway_security_policy = google_network_security_gateway_security_policy.default.name
+  enabled                 = true  
+  description             = "Lowest priority rule"
+  priority                = 2147483647
+  session_matcher         = "host() == 'update.com'"
+  application_matcher     = "request.method == 'GET'"
+  tls_inspection_enabled  = false
+  basic_profile           = "DENY"
+}
+`, context)
+}