compute: add labels to google_compute_region_security_policy (#17993) #17495

Open
jbbqqf wants to merge 2 commits into GoogleCloudPlatform:main from jbbqqf:feat/17993-region-security-policy-labels

@jbbqqf jbbqqf commented May 9, 2026

Summary

Adds labels (KeyValueLabels) and labelFingerprint (output Fingerprint) to the google_compute_region_security_policy mmv1 schema. The global google_compute_security_policy already supports labels (via the same Cloud Armor labels API); this PR brings the regional resource to parity.

Fixes hashicorp/terraform-provider-google#17993 — see hashicorp/terraform-provider-google#17993

Why

Cloud Armor security policies — both global and regional — accept Labels per the Compute REST API. The global resource already exposes a labels attribute (google_compute_security_policy, see resource_compute_security_policy.go:685 in tpg). The regional sibling, also a real Cloud Armor policy resource, omits it, breaking parity for users who tag regional security policies for cost allocation, environment routing, or run-tag tracking.

The regional setLabels endpoint is exposed in the v1 compute SDK as RegionSecurityPoliciesService.SetLabels (google.golang.org/api/compute/v1/compute3-gen.go:24694), so no client-library work is required.

GCP API reference:

What changed

mmv1 YAML edit only — the generated tpg/tpgb code follows automatically via the standard KeyValueLabels + update_url=…/setLabels pattern that's already used by:

  • mmv1/products/compute/HaVpnGateway.yaml (regional)
  • mmv1/products/compute/InterconnectAttachment.yaml (regional)
  • mmv1/products/compute/GlobalAddress.yaml (global), …

mmv1/products/compute/RegionSecurityPolicy.yaml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

Adds two properties just after the existing fingerprint field:

  - name: 'labels'
    type: KeyValueLabels
    update_url: 'projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}/setLabels'
    update_verb: 'POST'
    description: |
      Labels for this resource. These can only be added or modified by the setLabels method.
      Each label key/value pair must comply with RFC1035. Label values may be empty.
  - name: 'labelFingerprint'
    type: Fingerprint
    update_url: 'projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}/setLabels'
    update_verb: 'POST'
    description: |
      A fingerprint for the labels being applied to this security policy, …
    output: true
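
Review bot: The `labels` description says each key/value pair must comply with RFC1035, but scenario 2 below applies a `run_tag` key, and RFC 1035 label syntax allows only letters, digits and hyphens, so the stated constraint does not match what the smoke run shows being accepted. Consider rewording the description to the label rules the API actually enforces rather than citing RFC1035. Also, both properties route changes through `setLabels`, yet the three listed scenarios only create and destroy policies; an update step that changes labels on an existing policy would cover that path.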

The KeyValueLabels type is the standard mmv1 abstraction that auto-generates labels, terraform_labels, and effective_labels schema attributes plus the tpgresource.SetLabelsDiff CustomizeDiff hook that the rest of the provider uses.

Edge cases tested

| # | Scenario | HCL excerpt | Expected | Verified by |
|---|----------|-------------|----------|-------------|
| 1 | Default — labels omitted | `# labels not set` | Resource creates without a labels attr; no plan diff after apply | smoke before (plan_failed: 'Unsupported argument labels' → gap reproduced) / after (plan ok, apply ok, destroy ok) |
| 2 | Typical — three labels at create time | `labels = { run_tag = "...", scenario = "typical", env = "smoke" }` | Apply succeeds; labels are persisted; destroy clean | smoke after — apply ok, destroy ok |
| 3 | Edge — empty-string label value (allowed per RFC1035 / API: "Label values may be empty") | `labels = { ..., blank = "" }` | Apply succeeds; empty value preserved | smoke after — apply ok, destroy ok |

Before / After (Terraform)

Before — gap reproduced

tofu plan against tpg origin/main (binary rebuilt from origin):

Error: Unsupported argument
  on main.tf line 47, in resource "google_compute_region_security_policy" "typical":
  47:   labels = {
An argument named "labels" is not expected here.

After — fix proven

tofu apply against tpg with this branch's mmv1 regen applied:

google_compute_region_security_policy.default_unset:   Creation complete after 12s
google_compute_region_security_policy.typical:         Creation complete after 13s
google_compute_region_security_policy.edge_empty_value: Creation complete after 11s

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Followed by tofu destroy — all three policies cleanly removed.

Test protocol

| Test | Result | Notes |
|------|--------|-------|
| yq validation of the edited YAML | OK | |
| `go run . --output $TPG --product compute` (mmv1 ga regen) | OK | Done MM generation. |
| `go run . --output $TPGB --product compute --version beta` (tpgb regen) | OK | |
| `go build ./...` on tpg | OK | |
| `go build ./...` on tpgb | OK | |
| `go vet ./google/services/compute/...` on tpg | OK | (3 pre-existing warnings on unrelated firewall_policy_with_rules.go files; not introduced by this change) |
| Live BEFORE smoke (binary built from origin/main) | plan_failed (gap reproduced) | Unsupported argument 'labels' |
| Live AFTER smoke (binary built with mmv1 regen from this branch) | apply ok | three policies created on gcp-masterclasses / us-central1 |
| Destroy (after phase) | ok | confirmed via `gcloud compute security-policies list --filter='region:us-central1'` |

Verdict: 🟢 GREEN — BEFORE: plan_failed, AFTER: ok. Gap reproduced and fix proven end-to-end against the real GCP API.

Reproduction

# From a magic-modules clone with this branch checked out:
cd mmv1
go run . --output $GOPATH/src/github.com/hashicorp/terraform-provider-google --version ga --no-docs --product compute
go run . --output $GOPATH/src/github.com/hashicorp/terraform-provider-google-beta --version beta --product compute

# Then build either provider and apply the smoke main.tf.

A live BEFORE/AFTER reproduction (matching what was run for this PR) is available via the magic-modules-bootstrap smoke-tpg harness — see commit notes.

Resources

Release notes

compute: added `labels` field to `google_compute_security_policy` and `google_compute_region_security_policy`.

Disclosure

This PR was drafted with assistance from Claude Code as part of a focused contribution batch on additive schema gaps. The mmv1 YAML diff was reviewed manually against the GCP REST API documentation and the existing global-vs-regional parity pattern. The live before/after smoke harness exercised real GCP resources in the author's sandbox project (gcp-masterclasses); all resources were destroyed after the test phase, and a follow-up gcloud compute security-policies list confirmed no orphans.

The author (a human) reviewed the diff, the test outputs, and the smoke verdict before opening this PR.

…urity_policy (#17993)

Adds labels (KeyValueLabels) and labelFingerprint (output Fingerprint) to
the Region Security Policy mmv1 schema, mirroring the existing pattern on
google_compute_ha_vpn_gateway and the global google_compute_security_policy.
Labels are written via the regions/{region}/securityPolicies/{name}/setLabels
endpoint, which is exposed in the v1 compute SDK and confirmed end-to-end
against the GCP API.

Fixes hashicorp/terraform-provider-google#17993

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

@modular-magician added the awaiting-approval label May 9, 2026

google-cla Bot commented May 9, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@github-actions github-actions Bot requested a review from zli82016 May 9, 2026 09:16

github-actions Bot commented May 9, 2026

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@zli82016, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.
