Feature gap: Add missed enable_flow_logs & state to subnetwork (#13093)

modular-magician · modular-magician · commit 65f05474aa6b · 2025-03-13T02:16:21.000Z
Signed-off-by: Cezary Sobczak &lt;Cezary.Sobczak@infogain.com&gt;

[upstream:7fe6b89e3bcd4c180198da7f5fd7405d968b91e8]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/13093.txt b/.changelog/13093.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: added `enable_flow_logs` and `state` fields to `google_compute_subnetwork` resource
+```
diff --git a/google-beta/services/compute/resource_compute_subnetwork.go b/google-beta/services/compute/resource_compute_subnetwork.go
@@ -88,6 +88,16 @@ func sendSecondaryIpRangeIfEmptyDiff(_ context.Context, diff *schema.ResourceDif
 	return nil
 }
 
+// DiffSuppressFunc for fields inside `log_config`.
+func subnetworkLogConfigDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
+	// If the enable_flow_logs is not enabled, we don't need to check for differences.
+	if enable_flow_logs := d.Get("enable_flow_logs"); !enable_flow_logs.(bool) {
+		return true
+	}
+
+	return false
+}
+
 func ResourceComputeSubnetwork() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceComputeSubnetworkCreate,
@@ -150,6 +160,15 @@ via BGP even if their destinations match existing subnet ranges.`,
 				Description: `An optional description of this resource. Provide this property when
 you create the resource. This field can be set only at resource
 creation time.`,
+			},
+			"enable_flow_logs": {
+				Type:     schema.TypeBool,
+				Computed: true,
+				Optional: true,
+				Description: `Whether to enable flow logging for this subnetwork. If this field is not explicitly set,
+it will not appear in get listings. If not set the default behavior is determined by the
+org policy, if there is no org policy specified, then it will default to disabled.
+This field isn't supported if the subnet purpose field is set to REGIONAL_MANAGED_PROXY.`,
 			},
 			"external_ipv6_prefix": {
 				Type:        schema.TypeString,
@@ -192,8 +211,10 @@ or the first time the subnet is updated into IPV4_IPV6 dual stack. If the ipv6_t
 cannot enable direct path. Possible values: ["EXTERNAL", "INTERNAL"]`,
 			},
 			"log_config": {
-				Type:     schema.TypeList,
-				Optional: true,
+				Type:             schema.TypeList,
+				Computed:         true,
+				Optional:         true,
+				DiffSuppressFunc: subnetworkLogConfigDiffSuppress,
 				Description: `This field denotes the VPC flow logging options for this subnetwork. If
 logging is enabled, logs are exported to Cloud Logging. Flow logging
 isn't supported if the subnet 'purpose' field is set to subnetwork is
@@ -388,6 +409,14 @@ outside this subnetwork.`,
   gets external IPv6 ranges from a public delegated prefix and cannot be used to create NetLb.
   * VM_AND_FR: The subnetwork can be used for creating both VM instances and Forwarding Rules. It can also be used to reserve
   IPv6 addresses with both VM and FR endpoint types. Such a subnetwork gets its IPv6 range from Google IP Pool directly.`,
+			},
+			"state": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Description: `'The state of the subnetwork, which can be one of the following values:
+ READY: Subnetwork is created and ready to use DRAINING: only applicable to subnetworks that have the purpose
+ set to INTERNAL_HTTPS_LOAD_BALANCER and indicates that connections to the load balancer are being drained.
+ A subnetwork that is draining cannot be used or modified until it reaches a status of READY'`,
 			},
 			"subnetwork_id": {
 				Type:        schema.TypeInt,
@@ -577,6 +606,12 @@ func resourceComputeSubnetworkCreate(d *schema.ResourceData, meta interface{}) e
 	} else if v, ok := d.GetOkExists("allow_subnet_cidr_routes_overlap"); ok || !reflect.DeepEqual(v, allowSubnetCidrRoutesOverlapProp) {
 		obj["allowSubnetCidrRoutesOverlap"] = allowSubnetCidrRoutesOverlapProp
 	}
+	enableFlowLogsProp, err := expandComputeSubnetworkEnableFlowLogs(d.Get("enable_flow_logs"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("enable_flow_logs"); ok || !reflect.DeepEqual(v, enableFlowLogsProp) {
+		obj["enableFlowLogs"] = enableFlowLogsProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/subnetworks")
 	if err != nil {
@@ -743,6 +778,12 @@ func resourceComputeSubnetworkRead(d *schema.ResourceData, meta interface{}) err
 	if err := d.Set("allow_subnet_cidr_routes_overlap", flattenComputeSubnetworkAllowSubnetCidrRoutesOverlap(res["allowSubnetCidrRoutesOverlap"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Subnetwork: %s", err)
 	}
+	if err := d.Set("enable_flow_logs", flattenComputeSubnetworkEnableFlowLogs(res["enableFlowLogs"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Subnetwork: %s", err)
+	}
+	if err := d.Set("state", flattenComputeSubnetworkState(res["state"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Subnetwork: %s", err)
+	}
 	if err := d.Set("self_link", tpgresource.ConvertSelfLinkToV1(res["selfLink"].(string))); err != nil {
 		return fmt.Errorf("Error reading Subnetwork: %s", err)
 	}
@@ -857,7 +898,7 @@ func resourceComputeSubnetworkUpdate(d *schema.ResourceData, meta interface{}) e
 			return err
 		}
 	}
-	if d.HasChange("private_ipv6_google_access") || d.HasChange("stack_type") || d.HasChange("ipv6_access_type") || d.HasChange("allow_subnet_cidr_routes_overlap") {
+	if d.HasChange("private_ipv6_google_access") || d.HasChange("stack_type") || d.HasChange("ipv6_access_type") || d.HasChange("allow_subnet_cidr_routes_overlap") || d.HasChange("enable_flow_logs") {
 		obj := make(map[string]interface{})
 
 		getUrl, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/subnetworks/{{name}}")
@@ -907,6 +948,12 @@ func resourceComputeSubnetworkUpdate(d *schema.ResourceData, meta interface{}) e
 		} else if v, ok := d.GetOkExists("allow_subnet_cidr_routes_overlap"); ok || !reflect.DeepEqual(v, allowSubnetCidrRoutesOverlapProp) {
 			obj["allowSubnetCidrRoutesOverlap"] = allowSubnetCidrRoutesOverlapProp
 		}
+		enableFlowLogsProp, err := expandComputeSubnetworkEnableFlowLogs(d.Get("enable_flow_logs"), d, config)
+		if err != nil {
+			return err
+		} else if v, ok := d.GetOkExists("enable_flow_logs"); ok || !reflect.DeepEqual(v, enableFlowLogsProp) {
+			obj["enableFlowLogs"] = enableFlowLogsProp
+		}
 
 		url, err := tpgresource.ReplaceVars(d, config, "{{ComputeBasePath}}projects/{{project}}/regions/{{region}}/subnetworks/{{name}}")
 		if err != nil {
@@ -1542,6 +1589,14 @@ func flattenComputeSubnetworkAllowSubnetCidrRoutesOverlap(v interface{}, d *sche
 	return v
 }
 
+func flattenComputeSubnetworkEnableFlowLogs(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenComputeSubnetworkState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandComputeSubnetworkDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -1648,8 +1703,10 @@ func expandComputeSubnetworkLogConfig(v interface{}, d tpgresource.TerraformReso
 			// Subnetworks for regional L7 ILB/XLB or cross-regional L7 ILB do not accept any values for logConfig
 			return nil, nil
 		}
-		// send enable = false to ensure logging is disabled if there is no config
-		transformed["enable"] = false
+
+		// set enable field basing on the enable_flow_logs field. It's needed for case when enable_flow_logs
+		// is set to true to avoid conflict with the API. In that case API will return default values for log_config
+		transformed["enable"] = d.Get("enable_flow_logs")
 		return transformed, nil
 	}
 
@@ -1688,3 +1745,7 @@ func expandComputeSubnetworkIpCollection(v interface{}, d tpgresource.TerraformR
 func expandComputeSubnetworkAllowSubnetCidrRoutesOverlap(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandComputeSubnetworkEnableFlowLogs(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
diff --git a/google-beta/services/compute/resource_compute_subnetwork_generated_meta.yaml b/google-beta/services/compute/resource_compute_subnetwork_generated_meta.yaml
@@ -8,6 +8,7 @@ fields:
   - field: 'allow_subnet_cidr_routes_overlap'
   - field: 'creation_timestamp'
   - field: 'description'
+  - field: 'enable_flow_logs'
   - field: 'external_ipv6_prefix'
   - field: 'gateway_address'
   - field: 'internal_ipv6_prefix'
@@ -38,5 +39,6 @@ fields:
   - field: 'send_secondary_ip_range_if_empty'
     provider_only: true
   - field: 'stack_type'
+  - field: 'state'
   - field: 'subnetwork_id'
     api_field: 'id'
diff --git a/google-beta/services/compute/resource_compute_subnetwork_test.go b/google-beta/services/compute/resource_compute_subnetwork_test.go
@@ -493,6 +493,66 @@ func TestAccComputeSubnetwork_internal_ipv6(t *testing.T) {
 	})
 }
 
+func TestAccComputeSubnetwork_enableFlowLogs(t *testing.T) {
+	t.Parallel()
+	var subnetwork compute.Subnetwork
+
+	cnName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+	subnetworkName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeSubnetworkDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeSubnetwork_enableFlowLogs(cnName, subnetworkName, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeSubnetworkExists(t, "google_compute_subnetwork.subnetwork", &subnetwork),
+					testAccCheckComputeSubnetworkIfLogConfigExists(&subnetwork, "google_compute_subnetwork.subnetwork"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.enable", "true"),
+					resource.TestCheckResourceAttr("google_compute_subnetwork.subnetwork", "enable_flow_logs", "true"),
+				),
+			},
+			{
+				ResourceName:      "google_compute_subnetwork.subnetwork",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccComputeSubnetwork_enableFlowLogs_with_logConfig(cnName, subnetworkName, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeSubnetworkExists(t, "google_compute_subnetwork.subnetwork", &subnetwork),
+					resource.TestCheckResourceAttr("google_compute_subnetwork.subnetwork", "enable_flow_logs", "true"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.enable", "true"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.aggregation_interval", "INTERVAL_1_MIN"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.metadata", "INCLUDE_ALL_METADATA"),
+				),
+			},
+			{
+				ResourceName:      "google_compute_subnetwork.subnetwork",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccComputeSubnetwork_enableFlowLogs(cnName, subnetworkName, false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeSubnetworkExists(t, "google_compute_subnetwork.subnetwork", &subnetwork),
+					resource.TestCheckResourceAttr("google_compute_subnetwork.subnetwork", "enable_flow_logs", "false"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.enable", "false"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.aggregation_interval", "INTERVAL_1_MIN"),
+					testAccCheckComputeSubnetworkLogConfig(&subnetwork, "log_config.0.metadata", "INCLUDE_ALL_METADATA"),
+				),
+			},
+			{
+				ResourceName:      "google_compute_subnetwork.subnetwork",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckComputeSubnetworkExists(t *testing.T, n string, subnetwork *compute.Subnetwork) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -553,6 +613,111 @@ func testAccCheckComputeSubnetworkHasNotSecondaryIpRange(subnetwork *compute.Sub
 	}
 }
 
+func testAccCheckComputeSubnetworkIfLogConfigExists(subnetwork *compute.Subnetwork, resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Retrieve the resource state using a fixed resource name
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("resource google_compute_subnetwork.subnetwork not found in state")
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("resource ID is not set")
+		}
+
+		// Ensure that the log_config exists in the API response.
+		if subnetwork.LogConfig == nil {
+			return fmt.Errorf("no log_config exists in subnetwork")
+		}
+
+		stateAttrs := rs.Primary.Attributes
+
+		// Check aggregation_interval.
+		aggInterval, ok := stateAttrs["log_config.0.aggregation_interval"]
+		if !ok {
+			return fmt.Errorf("aggregation_interval not found in state")
+		}
+		if subnetwork.LogConfig.AggregationInterval != aggInterval {
+			return fmt.Errorf("aggregation_interval mismatch: expected %s, got %s", aggInterval, subnetwork.LogConfig.AggregationInterval)
+		}
+
+		// Check flow_sampling.
+		fsState, ok := stateAttrs["log_config.0.flow_sampling"]
+		if !ok {
+			return fmt.Errorf("flow_sampling not found in state")
+		}
+		actualFS := fmt.Sprintf("%g", subnetwork.LogConfig.FlowSampling)
+		if actualFS != fsState {
+			return fmt.Errorf("flow_sampling mismatch: expected %s, got %s", fsState, actualFS)
+		}
+
+		// Check metadata.
+		metadata, ok := stateAttrs["log_config.0.metadata"]
+		if !ok {
+			return fmt.Errorf("metadata not found in state")
+		}
+		if subnetwork.LogConfig.Metadata != metadata {
+			return fmt.Errorf("metadata mismatch: expected %s, got %s", metadata, subnetwork.LogConfig.Metadata)
+		}
+
+		// Optionally, check filter_expr if it exists.
+		if subnetwork.LogConfig.FilterExpr != "" {
+			filterExpr, ok := stateAttrs["log_config.0.filter_expr"]
+			if !ok {
+				return fmt.Errorf("filter_expr is set in API but not found in state")
+			}
+			if subnetwork.LogConfig.FilterExpr != filterExpr {
+				return fmt.Errorf("filter_expr mismatch: expected %s, got %s", filterExpr, subnetwork.LogConfig.FilterExpr)
+			}
+		}
+
+		// Optionally, check metadata_fields if present.
+		if len(subnetwork.LogConfig.MetadataFields) > 0 {
+			if _, ok := stateAttrs["log_config.0.metadata_fields"]; !ok {
+				return fmt.Errorf("metadata_fields are set in API but not found in state")
+			}
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckComputeSubnetworkLogConfig(subnetwork *compute.Subnetwork, key, value string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if subnetwork.LogConfig == nil {
+			return fmt.Errorf("no log_config found")
+		}
+
+		switch key {
+		case "log_config.0.enable":
+			if subnetwork.LogConfig.Enable != (value == "true") {
+				return fmt.Errorf("expected %s to be '%s', got '%t'", key, value, subnetwork.LogConfig.Enable)
+			}
+		case "log_config.0.aggregation_interval":
+			if subnetwork.LogConfig.AggregationInterval != value {
+				return fmt.Errorf("expected %s to be '%s', got '%s'", key, value, subnetwork.LogConfig.AggregationInterval)
+			}
+		case "log_config.0.metadata":
+			if subnetwork.LogConfig.Metadata != value {
+				return fmt.Errorf("expected %s to be '%s', got '%s'", key, value, subnetwork.LogConfig.Metadata)
+			}
+		case "log_config.0.flow_sampling":
+			flowSamplingStr := fmt.Sprintf("%g", subnetwork.LogConfig.FlowSampling)
+			if flowSamplingStr != value {
+				return fmt.Errorf("expected %s to be '%s', got '%s'", key, value, flowSamplingStr)
+			}
+		case "log_config.0.filterExpr":
+			if subnetwork.LogConfig.FilterExpr != value {
+				return fmt.Errorf("expected %s to be '%s', got '%s'", key, value, subnetwork.LogConfig.FilterExpr)
+			}
+		default:
+			return fmt.Errorf("unknown log_config key: %s", key)
+		}
+
+		return nil
+	}
+}
+
 func testAccComputeSubnetwork_basic(cnName, subnetwork1Name, subnetwork2Name, subnetwork3Name string) string {
 	return fmt.Sprintf(`
 resource "google_compute_network" "custom-test" {
@@ -1030,3 +1195,42 @@ resource "google_compute_subnetwork" "subnetwork" {
 }
 `, cnName, subnetworkName)
 }
+
+func testAccComputeSubnetwork_enableFlowLogs(cnName, subnetworkName string, enableFlowLogs bool) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "custom-test" {
+  name                    = "%s"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnetwork" {
+  name          = "%s"
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+  network       = google_compute_network.custom-test.self_link
+  enable_flow_logs = %t
+}
+`, cnName, subnetworkName, enableFlowLogs)
+}
+
+func testAccComputeSubnetwork_enableFlowLogs_with_logConfig(cnName, subnetworkName string, enableFlowLogs bool) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "custom-test" {
+  name                    = "%s"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnetwork" {
+  name          = "%s"
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+  network       = google_compute_network.custom-test.self_link
+  enable_flow_logs = %t
+
+  log_config {
+    aggregation_interval = "INTERVAL_1_MIN"
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
+`, cnName, subnetworkName, enableFlowLogs)
+}
diff --git a/website/docs/r/compute_subnetwork.html.markdown b/website/docs/r/compute_subnetwork.html.markdown

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+compute: added `enable_flow_logs` and `state` fields to `google_compute_subnetwork` resource
	`3`	+```