From a5418b40729e6f72b3f3e0c76825381f7aa68d9d Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Thu, 2 Nov 2023 18:39:33 -0500
Subject: [PATCH] fix: network-firewall-policy not able to use target_secure_tags (#514)

---
 modules/network-firewall-policy/README.md | 2 +-
 modules/network-firewall-policy/variables.tf | 2 +-
 .../global_firewall_policy_test.go | 8 ++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/modules/network-firewall-policy/README.md b/modules/network-firewall-policy/README.md
index c88a9b3d..dd741814 100644
--- a/modules/network-firewall-policy/README.md
+++ b/modules/network-firewall-policy/README.md
@@ -135,7 +135,7 @@ module "firewall_rules" {
 | policy\_name | User-provided name of the Network firewall policy | `string` | n/a | yes |
 | policy\_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | `string` | `null` | no |
 | project\_id | Project ID of the Network firewall policy | `string` | n/a | yes |
-| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string), [])
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
}))
| `[]` | no | +| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
}))
| `[]` | no |
 | target\_vpcs | List of target VPC IDs that the firewall policy will be attached to | `list(string)` | `[]` | no |
 
 ## Outputs
diff --git a/modules/network-firewall-policy/variables.tf b/modules/network-firewall-policy/variables.tf
index 65bccaaf..f8fd67c8 100644
--- a/modules/network-firewall-policy/variables.tf
+++ b/modules/network-firewall-policy/variables.tf
@@ -57,7 +57,7 @@ variable "rules" {
 description = optional(string)
 enable_logging = optional(bool)
 target_secure_tags = optional(list(string))
- target_service_accounts = optional(list(string), [])
+ target_service_accounts = optional(list(string))
 match = object({
 src_ip_ranges = optional(list(string), [])
 src_fqdns = optional(list(string), [])
diff --git a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go
index 166d2f24..f07378f9 100644
--- a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go
+++ b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go
@@ -55,8 +55,8 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
 assert.Equal("10.100.0.1/32", sp1.Get("match.srcIpRanges").Array()[0].String(), "has expected srcIpRanges")
 assert.Equal("US", sp1.Get("match.srcRegionCodes").Array()[0].String(), "has expected srcRegionCodes")
 assert.Equal("all", sp1.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
- secureTags := sp1.Get("match.srcSecureTags").Array()
- assert.Equal(1, len(secureTags), "should have the correct srcSecureTags count")
+ secureTags1 := sp1.Get("match.srcSecureTags").Array()
+ assert.Equal(1, len(secureTags1), "should have the correct srcSecureTags count - 1")
 srcAddressGroups := sp1.Get("match.srcAddressGroups").Array()
 assert.Equal(1, len(srcAddressGroups), "should have the correct srcAddressGroups count")
 
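Review bot: Dropping the `[]` default on `target_service_accounts` changes what the module sends for every rule, and the hunk leaves the reason unrecorded; the commit subject ties it to `target_secure_tags`, presumably because an empty list still reached the provider and the Compute API does not accept target service accounts and target secure tags on the same rule, but nothing in the variable says so. A one-line comment above the attribute, `# no default on purpose: an empty list is still sent and conflicts with target_secure_tags`, would stop the next maintainer from restoring it. Since the attribute can now be null, any `length()` or `for_each` over it in main.tf that does not go through `coalesce`/`try` will error; main.tf is not visible from this hunk, so please confirm. A `validation` block on `rules` that rejects entries setting both targets would surface the conflict at plan time rather than at apply time. The `variable "rules"` block starts and ends outside the hunk.
```hcl
variable "rules" {
  # … unchanged: description and type = list(object({ … })) …
  validation {
    condition = alltrue([
      for r in var.rules : r.target_secure_tags == null || r.target_service_accounts == null
    ])
    error_message = "A rule may set target_secure_tags or target_service_accounts, not both."
  }
```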
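Review bot: The new assertion message `"should have the correct srcSecureTags count - 1"` is ambiguous: the trailing `- 1` reads as arithmetic on the count rather than as the rule being checked, and the same suffix is repeated unchanged in the two following hunks (`@@ -72,6` and `@@ -116,6`), where the rules under test are 2 and 102. Put the rule in front instead, e.g. `"rule 1: should have the correct srcSecureTags count"`, and `"rule 2: …"` / `"rule 102: …"` in the later hunks, so a failure names the rule directly. The rename `secureTags` → `secureTags1` matches the per-rule suffixes used for `sp1`/`sp2`. TestGlobalNetworkFirewallPolicy starts and ends outside the hunk.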
@@ -72,6 +72,8 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
 assert.Equal("10.100.0.2/32", sp2.Get("match.srcIpRanges").Array()[0].String(), "has expected srcIpRanges")
 assert.Equal("BE", sp2.Get("match.srcRegionCodes").Array()[0].String(), "has expected srcRegionCodes")
 assert.Equal("all", sp2.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
+ secureTags2 := sp2.Get("targetSecureTags").Array()
+ assert.Equal(1, len(secureTags2), "should have the correct targetSecureTags count - 1")
 
 rule3 := gcloud.Runf(t, "compute network-firewall-policies rules describe 3 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId)
 sp3 := rule3.Array()[0]
@@ -116,6 +118,8 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
 assert.Equal("10.100.0.2/32", sp102.Get("match.destIpRanges").Array()[0].String(), "has expected destIpRanges")
 assert.Equal("AR", sp102.Get("match.destRegionCodes").Array()[0].String(), "has expected destRegionCodes")
 assert.Equal("all", sp102.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
+ secureTags102 := sp2.Get("targetSecureTags").Array()
+ assert.Equal(1, len(secureTags102), "should have the correct targetSecureTags count - 1")
 
 rule103 := gcloud.Runf(t, "compute network-firewall-policies rules describe 103 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId)
 sp103 := rule103.Array()[0]
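Review bot: `secureTags102 := sp2.Get("targetSecureTags").Array()` in the `@@ -116,6 +118,8 @@` hunk reads rule 2's description (`sp2`, set up in the earlier hunk) instead of `sp102`, so the new assertion for rule 102 merely repeats the rule 2 check and passes whatever rule 102 actually carries. It should be `secureTags102 := sp102.Get("targetSecureTags").Array()`. As written, a regression that dropped `target_secure_tags` from the rule described by `sp102` would not be caught, which defeats the purpose of the added coverage. TestGlobalNetworkFirewallPolicy starts and ends outside the hunk.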