From 98ede70b87cd4f3522980ee3e775ce9d628c977b Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 19:45:50 +0000 Subject: [PATCH 1/7] feat(gke): Add support for pod_snapshots_config to google_container_cluster This change adds the `pod_snapshots_config` field to the `addons_config` block of the `google_container_cluster` resource. This new field allows users to enable or disable the Pod Snapshots feature for their GKE clusters. --- .../resource_container_cluster.go.tmpl | 34 +++++++++++++++++++ .../resource_container_cluster_test.go.tmpl | 6 ++++ .../docs/r/container_cluster.html.markdown | 2 ++ 3 files changed, 42 insertions(+) diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl index 863516165f85..0ea7c5926a15 100644 --- a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl +++ b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl @@ -98,6 +98,7 @@ var ( "addons_config.0.ray_operator_config", "addons_config.0.parallelstore_csi_driver_config", "addons_config.0.lustre_csi_driver_config", + "addons_config.0.pod_snapshots_config", {{- if ne $.TargetVersionName "ga" }} "addons_config.0.istio_config", "addons_config.0.kalm_config", @@ -341,6 +342,23 @@ func ResourceContainerCluster() *schema.Resource { }, }, }, + "pod_snapshots_config": { + Type: schema.TypeList, + Optional: true, + Computed: true, + AtLeastOneOf: addonsConfigKeys, + MaxItems: 1, + Description: `Configuration for the Pod Snapshots feature.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enabled": { + Type: schema.TypeBool, + Required: true, + Description: `Whether the Pod Snapshots feature is enabled for this cluster.`, + }, + }, + }, + }, "horizontal_pod_autoscaling": { Type: schema.TypeList, Optional: true, @@ -5489,6 +5507,14 @@ func expandClusterAddonsConfig(configured interface{}) *container.AddonsConfig { } } + if v, ok := config["pod_snapshots_config"]; ok && len(v.([]interface{})) > 0 { + addon := v.([]interface{})[0].(map[string]interface{}) + ac.PodSnapshotsConfig = &container.PodSnapshotsConfig{ + Enabled: addon["enabled"].(bool), + ForceSendFields: []string{"Enabled"}, + } + } + {{ if ne $.TargetVersionName `ga` -}} if v, ok := config["istio_config"]; ok && len(v.([]interface{})) > 0 { addon := v.([]interface{})[0].(map[string]interface{}) @@ -7008,6 +7034,14 @@ func flattenClusterAddonsConfig(c *container.AddonsConfig) []map[string]interfac } } + if c.PodSnapshotsConfig != nil { + result["pod_snapshots_config"] = []map[string]interface{}{ + { + "enabled": c.PodSnapshotsConfig.Enabled, + }, + } + } + {{ if ne $.TargetVersionName `ga` -}} if c.IstioConfig != nil { result["istio_config"] = []map[string]interface{}{ diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl index 485a8005c3fd..0e33e1ed8f2e 100644 --- a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl +++ b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl @@ -7109,6 +7109,9 @@ resource "google_container_cluster" "primary" { lustre_csi_driver_config { enabled = false } + pod_snapshots_config { + enabled = false + } {{- if ne $.TargetVersionName "ga" }} istio_config { disabled = true @@ -7191,6 +7194,9 @@ resource "google_container_cluster" "primary" { enabled = true enable_legacy_lustre_port=true } + pod_snapshots_config { + enabled = true + } {{- if ne $.TargetVersionName "ga" }} istio_config { disabled = false diff --git a/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown b/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown index 00fdbdfa2f0b..3677c8d1b0b9 100644 --- a/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown +++ b/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown @@ -524,6 +524,8 @@ Fleet configuration for the cluster. Structure is [documented below](#nested_fle This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes. See [Enable Lustre CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/lustre-csi-driver-new-volume) for more information. +* `pod_snapshots_config` - (Optional) The status of the Pod Snapshots addon. It is disabled by default. Set `enabled = true` to enable. + This example `addons_config` disables two addons: ```hcl From f0062b5d6182213d3449f9d3cd21024267b5af22 Mon Sep 17 00:00:00 2001 From: "Stephen Lewis (Burrows)" Date: Mon, 29 Sep 2025 10:44:30 -0700 Subject: [PATCH 2/7] Marked dashboard_json as covering the entire monitoring dashboard resource (#15258) --- docs/content/reference/metadata.md | 1 + .../services/monitoring/resource_monitoring_dashboard_meta.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/content/reference/metadata.md b/docs/content/reference/metadata.md index b9885a133ab7..e5f19ca6a86d 100644 --- a/docs/content/reference/metadata.md +++ b/docs/content/reference/metadata.md @@ -42,3 +42,4 @@ The list of fields used by this resource. Each field can contain the following a - `field`: The name of the field in Terraform, including the path e.g., "build_config.source.storage_source.bucket" - `api_field`: The name of the field in the API, including the path e.g., "build_config.source.storage_source.bucket". Defaults to the value of `field`. - `provider_only`: If true, the field is only present in the provider. This primarily applies for virtual fields and url-only parameters. When set to true, `api_field` should be left empty, as it will be ignored. Default: `false`. +- `json`: If true, this is a JSON field which "covers" all child API fields. As a special case, JSON fields which cover an entire resource can have `api_field` set to `*`. diff --git a/mmv1/third_party/terraform/services/monitoring/resource_monitoring_dashboard_meta.yaml b/mmv1/third_party/terraform/services/monitoring/resource_monitoring_dashboard_meta.yaml index ca764c6567b1..de65faeba1cd 100644 --- a/mmv1/third_party/terraform/services/monitoring/resource_monitoring_dashboard_meta.yaml +++ b/mmv1/third_party/terraform/services/monitoring/resource_monitoring_dashboard_meta.yaml @@ -5,5 +5,6 @@ api_version: 'v1' api_resource_type_kind: 'Dashboard' fields: - field: 'dashboard_json' + api_field: '*' json: true - field: 'project' From f8dd15b801a5e08e7f514c39ba8fc031f5ae1ed2 Mon Sep 17 00:00:00 2001 From: Ramon Vermeulen Date: Mon, 29 Sep 2025 20:04:00 +0200 Subject: [PATCH 3/7] new-resource: `google_vertex_ai_cache_config` (#15157) --- mmv1/products/vertexai/CacheConfig.yaml | 52 +++++++++++++++++++ .../examples/vertex_ai_cache_config.tf.tmpl | 4 ++ 2 files changed, 56 insertions(+) create mode 100644 mmv1/products/vertexai/CacheConfig.yaml create mode 100644 mmv1/templates/terraform/examples/vertex_ai_cache_config.tf.tmpl diff --git a/mmv1/products/vertexai/CacheConfig.yaml b/mmv1/products/vertexai/CacheConfig.yaml new file mode 100644 index 000000000000..dc7ae2a75d03 --- /dev/null +++ b/mmv1/products/vertexai/CacheConfig.yaml @@ -0,0 +1,52 @@ +# Copyright 2025 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +name: 'CacheConfig' +description: |- + Config of GenAI caching features. This is a singleton resource. +references: + guides: + 'Official Documentation': 'https://cloud.google.com/vertex-ai/generative-ai/docs/reference/rest/Shared.Types/CacheConfig' + api: 'https://cloud.google.com/vertex-ai/generative-ai/docs/reference/rest/v1/projects/updateCacheConfig' +docs: +import_format: + - 'projects/{{project}}/cacheConfig' +base_url: 'projects/{{project}}/cacheConfig' +self_link: 'projects/{{project}}/cacheConfig' +examples: + - name: 'vertex_ai_cache_config' + primary_resource_id: 'cache_config' + test_env_vars: + project: 'PROJECT_NAME' +create_verb: 'PATCH' +update_verb: 'PATCH' +exclude_delete: true +async: + actions: ['create', 'update'] + type: 'OpAsync' + operation: + base_url: '{{op_id}}' + result: + resource_inside_response: true +properties: + - name: 'name' + type: String + description: | + Identifier. name of the cache config. Format: - `projects/{project}/cacheConfig`. + output: true + - name: 'disableCache' + type: Boolean + description: | + If set to true, disables GenAI caching. Otherwise caching is enabled. + required: true diff --git a/mmv1/templates/terraform/examples/vertex_ai_cache_config.tf.tmpl b/mmv1/templates/terraform/examples/vertex_ai_cache_config.tf.tmpl new file mode 100644 index 000000000000..fe1273fb1d69 --- /dev/null +++ b/mmv1/templates/terraform/examples/vertex_ai_cache_config.tf.tmpl @@ -0,0 +1,4 @@ +resource "google_vertex_ai_cache_config" "{{$.PrimaryResourceId}}" { + project = "{{index $.TestEnvVars "project"}}" + disable_cache = true +} From 014c4bd93f6edef37bef0382aa0c332257397d40 Mon Sep 17 00:00:00 2001 From: Betto Cerrillos <32439055+Berro321@users.noreply.github.com> Date: Mon, 29 Sep 2025 11:06:43 -0700 Subject: [PATCH 4/7] Add SPA fields to `beyondcorp_security_gateway_application` (#15233) --- .../SecurityGatewayApplication.yaml | 107 +++++++++++++++++- ...curity_gateway_application_spa_api.tf.tmpl | 21 ++++ ...rity_gateway_application_spa_proxy.tf.tmpl | 43 +++++++ 3 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_api.tf.tmpl create mode 100644 mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_proxy.tf.tmpl diff --git a/mmv1/products/beyondcorp/SecurityGatewayApplication.yaml b/mmv1/products/beyondcorp/SecurityGatewayApplication.yaml index 35cc5a00ee43..f775027a0e6d 100644 --- a/mmv1/products/beyondcorp/SecurityGatewayApplication.yaml +++ b/mmv1/products/beyondcorp/SecurityGatewayApplication.yaml @@ -43,6 +43,18 @@ examples: vars: security_gateway_name: default-sg application_name: my-vm-service2 + - name: beyondcorp_security_gateway_application_spa_api + primary_resource_id: example-spa + primary_resource_name: 'fmt.Sprintf("tf-test-default-sg-spa-api%s", context["random_suffix"]), fmt.Sprintf("tf-test-google-sga%s", context["random_suffix"])' + vars: + security_gateway_name: default-sg-spa-api + application_discovery_name: app-discovery + - name: beyondcorp_security_gateway_application_spa_proxy + primary_resource_id: example-spa + primary_resource_name: 'fmt.Sprintf("tf-test-default-sg-spa-proxy%s", context["random_suffix"]), fmt.Sprintf("tf-test-google-sga%s", context["random_suffix"])' + vars: + security_gateway_name: default-sg-spa-proxy + application_proxy_name: app-proxy autogen_async: true async: operation: @@ -102,7 +114,6 @@ properties: EXAMPLES: Hostname - ("*.abc.com"), ("xyz.abc.com") Hostname and Ports - ("abc.com" and "22"), ("abc.com" and "22,33") etc - required: true item_type: type: NestedObject properties: @@ -141,6 +152,100 @@ properties: Required. Network name is of the format: `projects/{project}/global/networks/{network}` required: true + - name: external + type: NestedObject + description: List of the external endpoints to forward traffic to. + properties: + - name: endpoints + type: Array + description: List of the endpoints to forward traffic to. + required: true + item_type: + type: NestedObject + properties: + - name: hostname + type: String + description: Hostname of the endpoint. + required: true + - name: port + type: Integer + description: Port of the endpoint. + required: true + - name: proxyProtocol + type: NestedObject + description: Shared proxy configuration for all apps. + properties: + - name: allowedClientHeaders + type: Array + description: The configuration for the proxy. + item_type: + type: string + - name: contextualHeaders + type: NestedObject + description: Configuration for the contextual headers. + properties: + - name: userInfo + type: NestedObject + description: User info configuration. + properties: + - name: outputType + type: Enum + description: The output type of the delegated user info. + enum_values: + - 'PROTOBUF' + - 'JSON' + - 'NONE' + - name: groupInfo + type: NestedObject + description: Group info configuration. + properties: + - name: outputType + type: Enum + description: The output type of the delegated group info. + enum_values: + - 'PROTOBUF' + - 'JSON' + - 'NONE' + - name: deviceInfo + type: NestedObject + description: Device info configuration. + properties: + - name: outputType + type: Enum + description: The output type of the delegated device info. + enum_values: + - 'PROTOBUF' + - 'JSON' + - 'NONE' + - name: outputType + type: Enum + description: Default output type for all enabled headers. + enum_values: + - 'PROTOBUF' + - 'JSON' + - 'NONE' + - name: metadataHeaders + type: KeyValuePairs + description: |- + Custom resource specific headers along with the values. + The names should conform to RFC 9110: + > Field names SHOULD constrain themselves to alphanumeric characters, "-", + and ".", and SHOULD begin with a letter. + > Field values SHOULD contain only ASCII printable characters and tab. + - name: gatewayIdentity + type: Enum + description: Gateway identity configuration. + enum_values: + - 'RESOURCE_NAME' + - name: clientIp + type: Boolean + description: Client IP configuration. The client IP address is included if true. + - name: schema + type: Enum + description: Type of the external application. + enum_values: + - 'PROXY_GATEWAY' + - 'API_GATEWAY' - name: name type: String description: Identifier. Name of the resource. diff --git a/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_api.tf.tmpl b/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_api.tf.tmpl new file mode 100644 index 000000000000..086d8ff9f656 --- /dev/null +++ b/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_api.tf.tmpl @@ -0,0 +1,21 @@ +resource "google_beyondcorp_security_gateway" "default" { + security_gateway_id = "{{index $.Vars "security_gateway_name"}}" + display_name = "My SPA Security Gateway resource" +} + +resource "google_beyondcorp_security_gateway_application" "{{$.PrimaryResourceId}}" { + security_gateway_id = google_beyondcorp_security_gateway.default.security_gateway_id + application_id = "{{index $.Vars "application_discovery_name"}}" + upstreams { + external { + endpoints { + hostname = "my.discovery.service.com" + port = 443 + } + } + proxy_protocol { + allowed_client_headers= ["header"] + } + } + schema = "API_GATEWAY" +} diff --git a/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_proxy.tf.tmpl b/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_proxy.tf.tmpl new file mode 100644 index 000000000000..fedf730662a4 --- /dev/null +++ b/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_spa_proxy.tf.tmpl @@ -0,0 +1,43 @@ +resource "google_beyondcorp_security_gateway" "default" { + security_gateway_id = "{{index $.Vars "security_gateway_name"}}" + display_name = "My SPA Security Gateway resource" +} + +resource "google_beyondcorp_security_gateway_application" "{{$.PrimaryResourceId}}" { + security_gateway_id = google_beyondcorp_security_gateway.default.security_gateway_id + application_id = "{{index $.Vars "application_proxy_name"}}" + endpoint_matchers { + hostname = "a.site.com" + ports = [443] + } + upstreams { + external { + endpoints { + hostname = "my.proxy.service.com" + port = 443 + } + } + proxy_protocol { + allowed_client_headers = ["header1", "header2"] + contextual_headers { + user_info { + output_type = "PROTOBUF" + } + group_info { + output_type = "JSON" + } + device_info { + output_type = "NONE" + } + output_type = "JSON" + } + metadata_headers = { + metadata-header1 = "value1" + metadata-header2 = "value2" + } + gateway_identity = "RESOURCE_NAME" + client_ip = true + } + } + schema = "PROXY_GATEWAY" +} \ No newline at end of file From ab08ecc96b9edd3b68c460e86d955bff869df93e Mon Sep 17 00:00:00 2001 From: Max Portocarrero CI&T <105444618+maxi-cit@users.noreply.github.com> Date: Mon, 29 Sep 2025 13:31:02 -0500 Subject: [PATCH 5/7] Fix Test and Update AuthZ policy resource to support new API signature (#15070) --- .../products/networksecurity/AuthzPolicy.yaml | 148 ++++++++- ...ork_services_authz_policy_advanced.tf.tmpl | 10 +- ...urce_network_services_authz_policy_test.go | 290 ++++++++---------- 3 files changed, 277 insertions(+), 171 deletions(-) diff --git a/mmv1/products/networksecurity/AuthzPolicy.yaml b/mmv1/products/networksecurity/AuthzPolicy.yaml index d69a146ed56e..17f8dd4db778 100644 --- a/mmv1/products/networksecurity/AuthzPolicy.yaml +++ b/mmv1/products/networksecurity/AuthzPolicy.yaml @@ -140,10 +140,25 @@ properties: - name: 'sources' type: Array description: | - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. + Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 1 source. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. item_type: type: NestedObject properties: + - name: 'ipBlocks' + type: Array + description: | + A list of IP addresses or IP address ranges to match against the source IP address of the request. Limited to 10 ipBlocks per Authorization Policy + item_type: + type: NestedObject + properties: + - name: 'prefix' + type: String + description: The address prefix. + required: true + - name: 'length' + type: Integer + description: The length of the address range. + required: true - name: 'principals' type: Array description: | @@ -152,34 +167,83 @@ properties: item_type: type: NestedObject properties: + - name: 'principalSelector' + type: Enum + description: | + An enum to decide what principal value the principal rule will match against. If not specified, the PrincipalSelector is CLIENT_CERT_URI_SAN. + default_value: "CLIENT_CERT_URI_SAN" + enum_values: + - 'PRINCIPAL_SELECTOR_UNSPECIFIED' + - 'CLIENT_CERT_URI_SAN' + - 'CLIENT_CERT_DNS_NAME_SAN' + - 'CLIENT_CERT_COMMON_NAME' + - name: 'principal' + type: NestedObject + description: | + Required. A non-empty string whose value is matched against the principal value based on the principalSelector. + Only exact match can be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, CLIENT_CERT_COMMON_NAME selectors. + properties: + - name: 'ignoreCase' + type: Boolean + description: | + If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true. + - name: 'exact' + type: String + description: | + The input string must match exactly the string specified here. + Examples: + * abc only matches the value abc. + - name: 'prefix' + type: String + description: | + The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead. + Examples: + * abc matches the value abc.xyz + - name: 'suffix' + type: String + description: | + The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead. + Examples: + * abc matches the value xyz.abc + - name: 'contains' + type: String + description: | + The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead. + Examples: + * abc matches the value xyz.abc.def - name: 'ignoreCase' type: Boolean description: | If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true. + deprecation_message: '`principals.ignore_case` is deprecated and will be removed in a future major release. Use `principals.principal.ignore_case` instead.' - name: 'exact' type: String description: | The input string must match exactly the string specified here. Examples: * abc only matches the value abc. + deprecation_message: '`principals.exact` is deprecated and will be removed in a future major release. Use `principals.principal.exact` instead.' - name: 'prefix' type: String description: | The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead. Examples: * abc matches the value abc.xyz + deprecation_message: '`principals.prefix` is deprecated and will be removed in a future major release. Use `principals.principal.prefix` instead.' - name: 'suffix' type: String description: | The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead. Examples: * abc matches the value xyz.abc + deprecation_message: '`principals.suffix` is deprecated and will be removed in a future major release. Use `principals.principal.suffix` instead.' - name: 'contains' type: String description: | The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead. Examples: * abc matches the value xyz.abc.def + deprecation_message: '`principals.contains` is deprecated and will be removed in a future major release. Use `principals.principal.contains` instead.' - name: 'resources' type: Array description: | @@ -236,10 +300,25 @@ properties: - name: 'notSources' type: Array description: | - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. + Describes the negated properties of request sources. Matches requests from sources that do not match the criteria specified in this field. At least one of sources or notSources must be specified. Limited to 1 not_source. item_type: type: NestedObject properties: + - name: 'ipBlocks' + type: Array + description: | + A list of IP addresses or IP address ranges to match against the source IP address of the request. Limited to 10 ipBlocks per Authorization Policy + item_type: + type: NestedObject + properties: + - name: 'prefix' + type: String + description: The address prefix. + required: true + - name: 'length' + type: Integer + description: The length of the address range. + required: true - name: 'principals' type: Array description: | @@ -248,34 +327,83 @@ properties: item_type: type: NestedObject properties: + - name: 'principalSelector' + type: Enum + description: | + An enum to decide what principal value the principal rule will match against. If not specified, the PrincipalSelector is CLIENT_CERT_URI_SAN. + default_value: "CLIENT_CERT_URI_SAN" + enum_values: + - 'PRINCIPAL_SELECTOR_UNSPECIFIED' + - 'CLIENT_CERT_URI_SAN' + - 'CLIENT_CERT_DNS_NAME_SAN' + - 'CLIENT_CERT_COMMON_NAME' + - name: 'principal' + type: NestedObject + description: | + Required. A non-empty string whose value is matched against the principal value based on the principalSelector. + Only exact match can be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, CLIENT_CERT_COMMON_NAME selectors. + properties: + - name: 'ignoreCase' + type: Boolean + description: | + If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true. + - name: 'exact' + type: String + description: | + The input string must match exactly the string specified here. + Examples: + * abc only matches the value abc. + - name: 'prefix' + type: String + description: | + The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead. + Examples: + * abc matches the value abc.xyz + - name: 'suffix' + type: String + description: | + The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead. + Examples: + * abc matches the value xyz.abc + - name: 'contains' + type: String + description: | + The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead. + Examples: + * abc matches the value xyz.abc.def - name: 'ignoreCase' type: Boolean description: | If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true. + deprecation_message: '`principals.ignore_case` is deprecated and will be removed in a future major release. Use `principals.principal.ignore_case` instead.' - name: 'exact' type: String description: | The input string must match exactly the string specified here. Examples: * abc only matches the value abc. + deprecation_message: '`principals.exact` is deprecated and will be removed in a future major release. Use `principals.principal.exact` instead.' - name: 'prefix' type: String description: | The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead. Examples: * abc matches the value abc.xyz + deprecation_message: '`principals.prefix` is deprecated and will be removed in a future major release. Use `principals.principal.prefix` instead.' - name: 'suffix' type: String description: | The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead. Examples: * abc matches the value xyz.abc + deprecation_message: '`principals.suffix` is deprecated and will be removed in a future major release. Use `principals.principal.suffix` instead.' - name: 'contains' type: String description: | The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead. Examples: * abc matches the value xyz.abc.def + deprecation_message: '`principals.contains` is deprecated and will be removed in a future major release. Use `principals.principal.contains` instead.' - name: 'resources' type: Array description: | @@ -337,7 +465,7 @@ properties: - name: 'operations' type: Array description: | - Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. + Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 1 operation. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. item_type: type: NestedObject properties: @@ -349,7 +477,7 @@ properties: - name: 'headers' type: Array description: | - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. + A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 10 matches. item_type: type: NestedObject properties: @@ -394,7 +522,7 @@ properties: type: Array description: | A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. - Limited to 5 matches. + Limited to 10 matches. item_type: type: NestedObject properties: @@ -430,7 +558,7 @@ properties: type: Array description: | A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. - Limited to 5 matches. + Limited to 10 matches. Note that this path match includes the query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. item_type: type: NestedObject @@ -472,7 +600,7 @@ properties: - name: 'notOperations' type: Array description: | - Describes the negated properties of the targets of a request. Matches requests for operations that do not match the criteria specified in this field. At least one of operations or notOperations must be specified. + Describes the negated properties of the targets of a request. Matches requests for operations that do not match the criteria specified in this field. At least one of operations or notOperations must be specified. Limited to 1 not_operation. item_type: type: NestedObject properties: @@ -484,7 +612,7 @@ properties: - name: 'headers' type: Array description: | - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. + A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 10 matches. item_type: type: NestedObject properties: @@ -529,7 +657,7 @@ properties: type: Array description: | A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. - Limited to 5 matches. + Limited to 10 matches. item_type: type: NestedObject properties: @@ -565,7 +693,7 @@ properties: type: Array description: | A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. - Limited to 5 matches. + Limited to 10 matches. Note that this path match includes the query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. item_type: type: NestedObject diff --git a/mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl b/mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl index a04d051ef18d..b4df4fa10304 100644 --- a/mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl +++ b/mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl @@ -203,8 +203,16 @@ resource "google_network_security_authz_policy" "{{$.PrimaryResourceId}}" { http_rules { from { not_sources { + ip_blocks { + length = 24 + prefix = "10.1.5.0" + } principals { - exact = "dummy-principal" + principal_selector = "CLIENT_CERT_URI_SAN" + principal { + ignore_case = true + exact = "exact" + } } } } diff --git a/mmv1/third_party/terraform/services/networksecurity/resource_network_services_authz_policy_test.go b/mmv1/third_party/terraform/services/networksecurity/resource_network_services_authz_policy_test.go index 406f59e19eb4..ca36a59e7480 100644 --- a/mmv1/third_party/terraform/services/networksecurity/resource_network_services_authz_policy_test.go +++ b/mmv1/third_party/terraform/services/networksecurity/resource_network_services_authz_policy_test.go @@ -162,272 +162,242 @@ resource "google_network_security_authz_policy" "default" { http_rules { from { - not_sources { - # Prefix - principals { - ignore_case = false - prefix = "prefix" + not_sources { + ip_blocks { + length = 24 + prefix = "10.1.5.0" } - resources { - iam_service_account { - ignore_case = false - prefix = "prefix" - } - tag_value_id_set { - ids = ["1"] - } + + ip_blocks { + length = 24 + prefix = "10.1.6.0" } - # Suffix / Ignore case - principals { - ignore_case = true - suffix = "suffix" - } - resources { - iam_service_account { - ignore_case = true - suffix = "suffix" - } - tag_value_id_set { - ids = ["2"] - } - } - # Exact - principals { - ignore_case = true - exact = "exact" - } - resources { - iam_service_account { - ignore_case = true - exact = "exact" - } - tag_value_id_set { - ids = ["3"] - } - } - # Contains / Ignore case - principals { - ignore_case = true - contains = "contains" - } - resources { - iam_service_account { - ignore_case = true - contains = "contains" - } - tag_value_id_set { - ids = ["4"] - } - } - } - sources { - # Prefix + + # Exact principals { - ignore_case = false - prefix = "prefix" - } - resources { - iam_service_account { - ignore_case = false - prefix = "prefix" - } - tag_value_id_set { - ids = ["1"] + principal_selector = "CLIENT_CERT_URI_SAN" + principal { + ignore_case = true + exact = "exact" } } - # Suffix / Ignore case - principals { - ignore_case = true - suffix = "suffix" - } + resources { iam_service_account { ignore_case = true - suffix = "suffix" + exact = "exact" } tag_value_id_set { - ids = ["2"] + ids = ["3"] } } - # Exact - principals { - exact = "exact" - ignore_case = false + } + + sources { + ip_blocks { + length = 24 + prefix = "10.10.5.0" } - resources { - iam_service_account { + + ip_blocks { + length = 24 + prefix = "10.10.6.0" + } + + # Exact + principals { + principal_selector = "CLIENT_CERT_URI_SAN" + principal { exact = "exact" - ignore_case = false - } - tag_value_id_set { - ids = ["3"] + ignore_case = false } } - # Contains / Ignore case - principals { - contains = "contains" - ignore_case = true - } + resources { iam_service_account { - contains = "contains" - ignore_case = true + exact = "exact" + ignore_case = false } tag_value_id_set { - ids = ["4"] + ids = ["3"] } } } } + to { operations { - methods = ["GET", "PUT", "POST", "HEAD", "PATCH", "DELETE", "OPTIONS"] - header_set { + methods = ["GET", "PUT", "POST", "HEAD", "PATCH"] + header_set { # Prefix - headers { + headers { name = "PrefixHeader" value { - ignore_case = false - prefix = "prefix" + ignore_case = false + prefix = "prefix" } } - # Suffix / Ignore case - headers { - name = "SuffixHeader" - value { - ignore_case = true - suffix = "suffix" - } - } - # Exact - headers { + + # Suffix / Ignore case + headers { + name = "SuffixHeader" + value { + ignore_case = true + suffix = "suffix" + } + } + + # Exact + headers { name = "ExactHeader" value { exact = "exact" - ignore_case = false + ignore_case = false } } - # Contains / Ignore case - headers { + + # Contains / Ignore case + headers { name = "ContainsHeader" value { contains = "contains" - ignore_case = true + ignore_case = true } } } + # Prefix - hosts { - ignore_case = false - prefix = "prefix" + hosts { + ignore_case = false + prefix = "prefix" } - paths { + + paths { ignore_case = false prefix = "prefix" } - # Suffix / Ignore case - hosts { + + # Suffix / Ignore case + hosts { ignore_case = true suffix = "suffix" } + paths { ignore_case = true suffix = "suffix" } - # Exact - hosts { + + # Exact + hosts { exact = "exact" ignore_case = false } - paths { - exact = "exact" - ignore_case = false + + paths { + exact = "exact" + ignore_case = false } - # Contains / Ignore case - hosts { + + # Contains / Ignore case + hosts { contains = "contains" ignore_case = true } - paths { + + paths { contains = "contains" ignore_case = true } } + not_operations { - methods = ["GET", "PUT", "POST", "HEAD", "PATCH", "DELETE", "OPTIONS"] - header_set { + methods = ["GET", "PUT", "POST", "HEAD", "PATCH"] + header_set { # Prefix - headers { + headers { name = "PrefixHeader" value { - ignore_case = false - prefix = "prefix" + ignore_case = false + prefix = "prefix" + } + } + + # Suffix / Ignore case + headers { + name = "SuffixHeader" + value { + ignore_case = true + suffix = "suffix" } } - # Suffix / Ignore case - headers { - name = "SuffixHeader" - value { - ignore_case = true - suffix = "suffix" - } - } - # Exact - headers { + + # Exact + headers { name = "ExactHeader" value { exact = "exact" - ignore_case = false + ignore_case = false } } - # Contains / Ignore case - headers { + + # Contains / Ignore case + headers { name = "ContainsHeader" value { contains = "contains" - ignore_case = true + ignore_case = true } } } + # Prefix - hosts { - ignore_case = false - prefix = "prefix" + hosts { + ignore_case = false + prefix = "prefix" } - paths { + + paths { ignore_case = false prefix = "prefix" } - # Suffix / Ignore case - hosts { + + # Suffix / Ignore case + hosts { ignore_case = true suffix = "suffix" } + paths { ignore_case = true suffix = "suffix" } - # Exact - hosts { + + # Exact + hosts { exact = "exact" ignore_case = false } - paths { - exact = "exact" - ignore_case = false + + paths { + exact = "exact" + ignore_case = false } - # Contains / Ignore case - hosts { + + # Contains / Ignore case + hosts { contains = "contains" ignore_case = true } - paths { + + paths { contains = "contains" ignore_case = true } } } - when = "request.host.endsWith('.example.com')" + + when = "request.host.endsWith('.example.com')" } labels = { From 517aec8908807392ee2744aea82d867a6db601cd Mon Sep 17 00:00:00 2001 From: Shuya Ma <87669292+shuyama1@users.noreply.github.com> Date: Mon, 29 Sep 2025 11:53:07 -0700 Subject: [PATCH 6/7] update machine type in TestAccComputeRegionInstanceTemplate_AdvancedMachineFeatures (#15255) --- .../resource_compute_region_instance_template_test.go.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_instance_template_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_region_instance_template_test.go.tmpl index f72b199f4b04..f8207dedb54a 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_instance_template_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_instance_template_test.go.tmpl @@ -3646,7 +3646,7 @@ data "google_compute_image" "my_image" { resource "google_compute_region_instance_template" "foobar" { name = "tf-test-instance-template-%s" region = "us-central1" - machine_type = "c2-standard-2" + machine_type = "n2-standard-2" disk { source_image = data.google_compute_image.my_image.self_link From b89731249d21723e04dc2d854ba62ac9ac0c4add Mon Sep 17 00:00:00 2001 From: Hanchi Zhang Date: Tue, 30 Sep 2025 00:24:15 +0000 Subject: [PATCH 7/7] Fix typo. --- .../resource_container_cluster.go.tmpl | 18 +++++++++--------- .../resource_container_cluster_test.go.tmpl | 4 ++-- .../docs/r/container_cluster.html.markdown | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl index 0ea7c5926a15..9466c19fb7c6 100644 --- a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl +++ b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl @@ -98,7 +98,7 @@ var ( "addons_config.0.ray_operator_config", "addons_config.0.parallelstore_csi_driver_config", "addons_config.0.lustre_csi_driver_config", - "addons_config.0.pod_snapshots_config", + "addons_config.0.pod_snapshot_config", {{- if ne $.TargetVersionName "ga" }} "addons_config.0.istio_config", "addons_config.0.kalm_config", @@ -342,19 +342,19 @@ func ResourceContainerCluster() *schema.Resource { }, }, }, - "pod_snapshots_config": { + "pod_snapshot_config": { Type: schema.TypeList, Optional: true, Computed: true, AtLeastOneOf: addonsConfigKeys, MaxItems: 1, - Description: `Configuration for the Pod Snapshots feature.`, + Description: `Configuration for the Pod Snapshot feature.`, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "enabled": { Type: schema.TypeBool, Required: true, - Description: `Whether the Pod Snapshots feature is enabled for this cluster.`, + Description: `Whether the Pod Snapshot feature is enabled for this cluster.`, }, }, }, @@ -5507,9 +5507,9 @@ func expandClusterAddonsConfig(configured interface{}) *container.AddonsConfig { } } - if v, ok := config["pod_snapshots_config"]; ok && len(v.([]interface{})) > 0 { + if v, ok := config["pod_snapshot_config"]; ok && len(v.([]interface{})) > 0 { addon := v.([]interface{})[0].(map[string]interface{}) - ac.PodSnapshotsConfig = &container.PodSnapshotsConfig{ + ac.PodSnapshotConfig = &container.PodSnapshotConfig{ Enabled: addon["enabled"].(bool), ForceSendFields: []string{"Enabled"}, } @@ -7034,10 +7034,10 @@ func flattenClusterAddonsConfig(c *container.AddonsConfig) []map[string]interfac } } - if c.PodSnapshotsConfig != nil { - result["pod_snapshots_config"] = []map[string]interface{}{ + if c.PodSnapshotConfig != nil { + result["pod_snapshot_config"] = []map[string]interface{}{ { - "enabled": c.PodSnapshotsConfig.Enabled, + "enabled": c.PodSnapshotConfig.Enabled, }, } } diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl index 0e33e1ed8f2e..093ec2193d72 100644 --- a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl +++ b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl @@ -7109,7 +7109,7 @@ resource "google_container_cluster" "primary" { lustre_csi_driver_config { enabled = false } - pod_snapshots_config { + pod_snapshot_config { enabled = false } {{- if ne $.TargetVersionName "ga" }} @@ -7194,7 +7194,7 @@ resource "google_container_cluster" "primary" { enabled = true enable_legacy_lustre_port=true } - pod_snapshots_config { + pod_snapshot_config { enabled = true } {{- if ne $.TargetVersionName "ga" }} diff --git a/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown b/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown index 3677c8d1b0b9..7cb3f9f2e58e 100644 --- a/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown +++ b/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown @@ -524,7 +524,7 @@ Fleet configuration for the cluster. Structure is [documented below](#nested_fle This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes. See [Enable Lustre CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/lustre-csi-driver-new-volume) for more information. -* `pod_snapshots_config` - (Optional) The status of the Pod Snapshots addon. It is disabled by default. Set `enabled = true` to enable. +* `pod_snapshot_config` - (Optional) The status of the Pod Snapshot addon. It is disabled by default. Set `enabled = true` to enable. This example `addons_config` disables two addons: