Add support for secure tags to (hierarchical) FirewallPolicyWithRules (GoogleCloudPlatform#14380)

LucaPrete · Luca Prete · BBBmau · commit c8a2b1238c8a · 2025-07-28T12:02:25.000-07:00
Co-authored-by: Luca Prete &lt;lucaprete@google.com&gt;
diff --git a/mmv1/products/compute/FirewallPolicyWithRules.yaml b/mmv1/products/compute/FirewallPolicyWithRules.yaml
@@ -46,6 +46,8 @@ examples:
       network: 'network'
       security_profile: 'sp'
       security_profile_group: 'spg'
+      tag_key: 'tag-key'
+      tag_value: 'tag-value'
     test_env_vars:
       org_id: 'ORG_ID'
 parameters:
@@ -206,6 +208,33 @@ properties:
                 The IPs in these lists will be matched against traffic destination.
               item_type:
                 type: String
+            - name: 'srcSecureTag'
+              type: Array
+              description: |
+                List of secure tag values, which should be matched at the source
+                of the traffic.
+                For INGRESS rule, if all the <code>srcSecureTag</code> are INEFFECTIVE,
+                and there is no <code>srcIpRange</code>, this rule will be ignored.
+                Maximum number of source tag values allowed is 256.
+              api_name: srcSecureTags
+              item_type:
+                type: NestedObject
+                properties:
+                  - name: 'name'
+                    type: String
+                    description: |
+                      Name of the secure tag, created with TagManager's TagValue API.
+                      @pattern tagValues/[0-9]+
+                  - name: 'state'
+                    type: Enum
+                    description: |
+                      [Output Only] State of the secure tag, either `EFFECTIVE` or
+                      `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+                      or its network is deleted.
+                    output: true
+                    enum_values:
+                      - 'EFFECTIVE'
+                      - 'INEFFECTIVE'
             - name: 'layer4Config'
               type: Array
               description: |
@@ -235,6 +264,39 @@ properties:
                       ["12345-12349"].
                     item_type:
                       type: String
+        - name: 'targetSecureTag'
+          type: Array
+          description: |
+            A list of secure tags that controls which instances the firewall rule
+            applies to. If <code>targetSecureTag</code> are specified, then the
+            firewall rule applies only to instances in the VPC network that have one
+            of those EFFECTIVE secure tags, if all the target_secure_tag are in
+            INEFFECTIVE state, then this rule will be ignored.
+            <code>targetSecureTag</code> may not be set at the same time as
+            <code>targetServiceAccounts</code>.
+            If neither <code>targetServiceAccounts</code> nor
+            <code>targetSecureTag</code> are specified, the firewall rule applies
+            to all instances on the specified network.
+            Maximum number of target secure tags allowed is 256.
+          api_name: targetSecureTags
+          item_type:
+            type: NestedObject
+            properties:
+              - name: 'name'
+                type: String
+                description: |
+                  Name of the secure tag, created with TagManager's TagValue API.
+                  @pattern tagValues/[0-9]+
+              - name: 'state'
+                type: Enum
+                description: |
+                  [Output Only] State of the secure tag, either `EFFECTIVE` or
+                  `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+                  or its network is deleted.
+                output: true
+                enum_values:
+                  - 'EFFECTIVE'
+                  - 'INEFFECTIVE'
         - name: 'action'
           type: String
           description: |
@@ -436,6 +498,70 @@ properties:
                     output: true
                     item_type:
                       type: String
+            - name: 'srcSecureTag'
+              type: Array
+              description: |
+                List of secure tag values, which should be matched at the source
+                of the traffic.
+                For INGRESS rule, if all the <code>srcSecureTag</code> are INEFFECTIVE,
+                and there is no <code>srcIpRange</code>, this rule will be ignored.
+                Maximum number of source tag values allowed is 256.
+              api_name: srcSecureTags
+              output: true
+              item_type:
+                type: NestedObject
+                properties:
+                  - name: 'name'
+                    type: String
+                    description: |
+                      Name of the secure tag, created with TagManager's TagValue API.
+                      @pattern tagValues/[0-9]+
+                    output: true
+                  - name: 'state'
+                    type: Enum
+                    description: |
+                      [Output Only] State of the secure tag, either `EFFECTIVE` or
+                      `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+                      or its network is deleted.
+                    output: true
+                    enum_values:
+                      - 'EFFECTIVE'
+                      - 'INEFFECTIVE'
+        - name: 'targetSecureTag'
+          type: Array
+          description: |
+            A list of secure tags that controls which instances the firewall rule
+            applies to. If <code>targetSecureTag</code> are specified, then the
+            firewall rule applies only to instances in the VPC network that have one
+            of those EFFECTIVE secure tags, if all the target_secure_tag are in
+            INEFFECTIVE state, then this rule will be ignored.
+            <code>targetSecureTag</code> may not be set at the same time as
+            <code>targetServiceAccounts</code>.
+            If neither <code>targetServiceAccounts</code> nor
+            <code>targetSecureTag</code> are specified, the firewall rule applies
+            to all instances on the specified network.
+            Maximum number of target secure tags allowed is 256.
+          api_name: targetSecureTags
+          output: true
+          item_type:
+            type: NestedObject
+            properties:
+              - name: 'name'
+                type: String
+                description: |
+                  Name of the secure tag, created with TagManager's TagValue API.
+                  @pattern tagValues/[0-9]+
+                output: true
+              - name: 'state'
+                type: Enum
+                description: |
+                  [Output Only] State of the secure tag, either `EFFECTIVE` or
+                  `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted
+                  or its network is deleted.
+                output: true
+                enum_values:
+                  - 'EFFECTIVE'
+                  - 'INEFFECTIVE'
         - name: 'action'
           type: String
           description: |
diff --git a/mmv1/templates/terraform/examples/compute_firewall_policy_with_rules_full.tf.tmpl b/mmv1/templates/terraform/examples/compute_firewall_policy_with_rules_full.tf.tmpl
@@ -68,6 +68,32 @@ resource "google_compute_firewall_policy_with_rules" "{{$.PrimaryResourceId}}" {
       }
     }
   }
+
+  rule {
+    description             = "secure tags"
+    rule_name               = "secure tags rule"
+    priority                = 4000
+    enable_logging          = false
+    action                  = "allow"
+    direction               = "INGRESS"
+
+    target_secure_tag {
+      name = google_tags_tag_value.basic_value.id
+    }
+
+    match {
+      src_ip_ranges = ["11.100.0.1/32"]
+
+      src_secure_tag {
+        name = google_tags_tag_value.basic_value.id
+      }
+
+      layer4_config {
+        ip_protocol = "tcp"
+        ports       = [8080]
+      }
+    }
+  }
 }
 
 resource "google_network_security_address_group" "address_group_1" {
@@ -98,3 +124,20 @@ resource "google_compute_network" "network" {
   name                    = "{{index $.Vars "network"}}"
   auto_create_subnetworks = false
 }
+
+resource "google_tags_tag_key" "basic_key" {
+  description = "For keyname resources."
+  parent      = "organizations/{{index $.TestEnvVars "org_id"}}"
+  purpose     = "GCE_FIREWALL"
+  short_name  = "{{index $.Vars "tag_key"}}"
+
+  purpose_data = {
+    organization = "auto"
+  }
+}
+
+resource "google_tags_tag_value" "basic_value" {
+  description = "For valuename resources."
+  parent      = google_tags_tag_key.basic_key.id
+  short_name  = "{{index $.Vars "tag_value"}}"
+}
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_firewall_policy_with_rules_test.go b/mmv1/third_party/terraform/services/compute/resource_compute_firewall_policy_with_rules_test.go
