hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Modify google_compute_service_attachment resource so it can support secure web proxy as a target service #18710

Open apichick opened 2 months ago

apichick commented 2 months ago

Terraform Version & Provider Version(s)

Terraform v5.37.0 on

Affected Resource(s)

google_compute_service_attachment

Terraform Configuration

resource "google_compute_service_attachment" "swp_service_attachment" {
 project               = replace(lower(var.bu_out_project_id), "_", "-")
 name                  = "csa-${var.location}-${var.environment}-producer-swp"
 description           = "A service attachment for the published PSC producer endpoint for the secure web proxy."
 region                = var.location
 enable_proxy_protocol = false
 connection_preference = "ACCEPT_AUTOMATIC"

 nat_subnets    = [google_compute_subnetwork.psc_subnetwork.id]
 # target_service = google_compute_forwarding_rule.psc_forwarding_rule.id
 target_service = "https://networkservices.googleapis.com/v1/projects/${data.google_project.businessunit_outgoing_project.project_id}/locations/${var.location}/gateways/${google_network_services_gateway.swp.name}"

 reconcile_connections = true
}

Debug Output

No response

Expected Behavior

Now that secure web proxy can be a PSC producer (https://cloud.google.com/secure-web-proxy/docs/deploy-service-attachment), we would need to be able to specify the URL to access the Secure Web Proxy instance as target service of the service attachment. The target service would need to have the following format:

https://networkservices.googleapis.com/v1/projects/{project_id}/locations/{region}/gateways/{gateway_name}

However, in the current code there seems to be a restriction that only accepts a forwarding rule. See here

Actual Behavior

We got the following error when trying to set the target service to point to the secure web proxy instance id.

╷
│ Error: Error creating ServiceAttachment: googleapi: Error 404: The resource 'projects/inga-netout-c-070382-nonprod/regions/europe-west3/forwardingRules/swp-c-070382-europe-west3' was not found, notFound
│ 
│   with google_compute_service_attachment.swp_service_attachment,
│   on 05_secure_web_proxy_ilb.tf line 170, in resource "google_compute_service_attachment" "swp_service_attachment":
│  170: resource "google_compute_service_attachment" "swp_service_attachment" {
│ 
╵

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

b/352822740

juliocc commented 1 month ago

@apichick this was fixed by GoogleCloudPlatform/magic-modules#11107