Adds server TLS policy property to target HTTPS proxy resource#8857
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
Hello! I am a robot. It looks like you are a: Community Contributor @SarahFrench, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally. |
| allow_open = "false" | ||
| mtls_policy { | ||
| client_validation_mode = "ALLOW_INVALID_OR_MISSING_CLIENT_CERT" | ||
| client_validation_trust_config = "projects/${data.google_project.project.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.default.name}" |
There was a problem hiding this comment.
At first I tried using the id of the google_certificate_manager_trust_config resource in this parameter. However, when the tests executed the same configuration resulted in a plan that wanted to update the tls_policy from client_validation_trust_config = projects/${data.google_project.project.id}/locations/global/trustConfigs/${google_certificate_manager_trust_config.default.name} to client_validation_trust_config = projects/${data.google_project.project.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.default.name} (i.e. the trust config reference link used the project number in the API but the project ID in the terraform state). I'm not sure if this is a problem with my example, a bug with the trust_config resource, or a bug with the server_tls_policy resource.
|
Not sure why the CLA check is failing. I have signed the CLA on behalf of Fiskil PTY LTD but I don't see it in the "manage CLAs" page. |
Is that as as Individual signer (versus Corporate signer)? For individual signers you need the email address used to sign the CLA to match the email present on your commits in this PR. Is the email used on this commit that same as you used for the CLA? It's different for corporate signers - see here for details about both scenarios |
|
Yeah I got an email that the CLA was voided (as a corporate signer), they've told me what I need to do to fix it. I'll get that sorted out. |
|
CLA issues resolved! :) |
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 4 files changed, 169 insertions(+), 2 deletions(-)) |
Tests analyticsTotal tests: Action takenFound 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected testsTestAccComputeTargetHttpsProxy_targetHttpsProxyMtlsExample|TestAccDataSourceGoogleServiceAccountAccessToken_basic|TestAccProjectIamPolicy_invalidMembers |
|
Rerun these tests in REPLAYING mode to catch issues
|
| - !ruby/object:Provider::Terraform::Examples | ||
| name: 'target_https_proxy_mtls' | ||
| primary_resource_id: 'default' | ||
| min_version: 'beta' |
There was a problem hiding this comment.
I was unsure whether this field should be in the beta or ga provider. The field is available in the v1 API, but the networksecurity.ServerTlsPolicy resource is only available with the beta API. Any guidance here would be appreciated.
Generally we make sure that the GA/Beta versions of the provider match v1/beta versions of Google APIs.
Having said that, this situation is more complex and I wasn't sure what we'd do in a situation where a test is focused on a GA resource but needs a beta resource present in the test. From a quick look, I can't see any tests in the GA provider that include provider = google-beta so I think you've made the correct choice of how to handle the test. Thanks!
There was a problem hiding this comment.
I need to run the test manually to make sure it's working as expected, but assuming it passes I'll approve this PR
There was a problem hiding this comment.
The test ran ok, but currently there's a freeze on merging PRs. Once that's lifted I'll approve and merge
Fixes hashicorp/terraform-provider-google#14980
Adds the
server_tls_policyproperty to theTargetHTTPSProxyresource so that it may be configured with mTLS.I was unsure whether this field should be in the
betaorgaprovider. The field is available in thev1API, but thenetworksecurity.ServerTlsPolicyresource is only available with thebetaAPI. Any guidance here would be appreciated.This is the last change required for end-to-end deployment of mTLS load balancers with terraform.
Release Note Template for Downstream PRs (will be copied)