Creating a compute.NetworkFirewallPolicy fails #873

Open
julienfouilhe opened this issue Apr 28, 2023 · 1 comment
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec

Comments


julienfouilhe commented Apr 28, 2023

What happened?

I'm trying to create a NetworkFirewallPolicy to allow some external FQDNs. This feature is not available in @pulumi/gcp yet, so I thought I would try google-native.

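  import * as gcp from "@pulumi/gcp";
  import * as google_native from "@pulumi/google-native";

  // Placeholder: the actual FQDN list is not shown in the report.
  const allowedDestFQDNs: string[] = ["example.com"];

  // VPC network the policy is associated with.
  const network = new gcp.compute.Network("network", {
    name: "network",
    autoCreateSubnetworks: false,
  });

  // Policy declared with its egress rule inline.
  new google_native.compute.alpha.NetworkFirewallPolicy(
    "allow-external-services-via-fqdns",
    {
      project: gcp.config.project,
      associations: [{ attachmentTarget: network.id }],
      rules: [
        {
          priority: 1,
          action: "allow",
          description: "Allow traffic to authorized external services",
          direction: "EGRESS",
          match: {
            destFqdns: allowedDestFQDNs,
          },
        },
      ],
    },
  );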

I get this error:

error sending request: googleapi: Error 400: Invalid value for field 'resource.rules': ''. Rules must be added using the addRule method.

I tried with v1 and beta, same error.

Expected Behavior

The network firewall policy should be created properly, or there should be another way to declare firewall policy rules.

Steps to reproduce

Copy paste my code and run pulumi up.

Output of pulumi about

CLI
Version      3.64.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host
OS       darwin
Version  13.3
Arch     arm64

This project is written in nodejs: executable='/private/var/folders/s9/x9s630sd4xd287p7xfg6r49h0000gn/T/xfs-e77973b3/node' version='v18.12.0'

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@julienfouilhe julienfouilhe added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 28, 2023
@rquitales
Member

@julienfouilhe Thanks for reporting this issue. It looks like this is due to a limitation in the way we are generating this provider from the upstream Google Discovery Documents.

Looking at the official REST API guide from GCP, and using their sandbox from: https://cloud.google.com/compute/docs/reference/rest/v1/networkFirewallPolicies/insert

It looks like to actually create a firewall policy with rules, at least 2 API calls are actually needed. The first POST request is with the insert method/endpoint to create the firewall policy. Then, another POST request needs to be made to the addRule for each rule you'd want to attach to the policy.

For our next steps to support this, we'll need to look into how we can support multiple API calls towards these 2 endpoints when creating a NetworkFirewallPolicy resource in this provider.

@rquitales rquitales added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Apr 28, 2023
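
The two-step flow described in the comment above, as an added example (not code from the issue or from the provider): it splits a policy declared with inline rules into one `insert` request without `rules` followed by one `addRule` request per rule. The function and type names are hypothetical, the project id and FQDN are constructed, and the endpoint paths are taken from the Compute Engine v1 REST reference; the unique-priority check is an assumption about the API.

```typescript
// Added example: names, project id and FQDN are hypothetical/constructed.
interface FirewallRule {
  priority: number;
  action: string;
  direction: "INGRESS" | "EGRESS";
  description?: string;
  match: { destFqdns?: string[] };
}
interface PolicySpec {
  name: string;
  description?: string;
  rules?: FirewallRule[];
}
interface PlannedRequest {
  method: "POST";
  url: string;
  body: unknown;
}

const COMPUTE_API = "https://compute.googleapis.com/compute/v1";

// Split a policy declared with inline rules into the ordered calls the API
// accepts: one insert without `rules`, then one addRule per rule.
function planPolicyRequests(project: string, spec: PolicySpec): PlannedRequest[] {
  const { rules = [], ...policyBody } = spec;
  const ordered = rules.slice().sort((a, b) => a.priority - b.priority);
  let previous: number | undefined;
  for (const rule of ordered) {
    // Assumption: priorities are unique within a policy, so fail before any call.
    if (rule.priority === previous) {
      throw new Error(`duplicate rule priority ${rule.priority}`);
    }
    previous = rule.priority;
  }
  const base = `${COMPUTE_API}/projects/${encodeURIComponent(project)}/global/firewallPolicies`;
  const insert: PlannedRequest = { method: "POST", url: base, body: policyBody };
  const addRuleUrl = `${base}/${encodeURIComponent(spec.name)}/addRule`;
  // insert returns a long-running operation; it must finish before addRule is sent.
  const addRules = ordered.map(
    (rule): PlannedRequest => ({ method: "POST", url: addRuleUrl, body: rule }),
  );
  return [insert].concat(addRules);
}

// Constructed input mirroring the policy in the issue.
const samplePlan = planPolicyRequests("example-project", {
  name: "allow-external-services-via-fqdns",
  rules: [{ priority: 1, action: "allow", direction: "EGRESS",
            match: { destFqdns: ["api.example.com"] } }],
});
```

Between the two steps the policy exists with no allow rule attached, so a deployment check should confirm that every planned `addRule` call succeeded rather than only that the policy was created.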