Add support for context to net-cloudnat, net-firewall-policy modules (#3414)

* net-cloudnat

* net firewall policy

tests/modules/net_cloudnat/context.tfvars

@@ -0,0 +1,28 @@
+context = {
+  addresses = {
+    test = "35.10.10.10"
+  }
+  locations = {
+    ew8 = "europe-west8"
+  }
+  networks = {
+    test = "projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0"
+  }
+  project_ids = {
+    test = "foo-test-0"
+  }
+  subnets = {
+    test = "projects/foo-dev-net-spoke-0/regions/europe-west1/subnetworks/gce"
+  }
+}
+addresses = ["$addresses:test"]
+config_source_subnetworks = {
+  all = false
+  subnetworks = [{
+    self_link = "$subnets:test"
+  }]
+}
+name           = "test"
+project_id     = "$project_ids:test"
+region         = "$locations:ew8"
+router_network = "$networks:test"

tests/modules/net_cloudnat/context.yaml

@@ -0,0 +1,61 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_router.router[0]:
+    bgp: []
+    description: null
+    encrypted_interconnect_router: null
+    md5_authentication_keys: []
+    name: test-nat
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    project: foo-test-0
+    region: europe-west8
+    timeouts: null
+  google_compute_router_nat.nat:
+    enable_dynamic_port_allocation: false
+    enable_endpoint_independent_mapping: true
+    icmp_idle_timeout_sec: 30
+    initial_nat_ips: null
+    log_config:
+    - enable: false
+      filter: ALL
+    max_ports_per_vm: 65536
+    name: test
+    nat64_subnetwork: []
+    nat_ip_allocate_option: MANUAL_ONLY
+    nat_ips:
+    - 35.10.10.10
+    project: foo-test-0
+    region: europe-west8
+    router: test-nat
+    rules: []
+    source_subnetwork_ip_ranges_to_nat: LIST_OF_SUBNETWORKS
+    source_subnetwork_ip_ranges_to_nat64: null
+    subnetwork:
+    - name: projects/foo-dev-net-spoke-0/regions/europe-west1/subnetworks/gce
+      secondary_ip_range_names: []
+      source_ip_ranges_to_nat:
+      - ALL_IP_RANGES
+    tcp_established_idle_timeout_sec: 1200
+    tcp_time_wait_timeout_sec: 120
+    tcp_transitory_idle_timeout_sec: 30
+    timeouts: null
+    type: PUBLIC
+    udp_idle_timeout_sec: 30
+counts:
+  google_compute_router: 1
+  google_compute_router_nat: 1
+  modules: 0
+  resources: 2

tests/modules/net_cloudnat/tftest.yaml

@@ -0,0 +1,17 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: modules/net-cloudnat
+tests:
+  context:

tests/modules/net_firewall_policy/context-g.tfvars

@@ -0,0 +1,52 @@
+context = {
+  cidr_ranges = {
+    rfc1918-10 = "10.0.0.0/8"
+  }
+  folder_ids = {
+    test = "folders/1234567890"
+  }
+  iam_principals = {
+    test = "serviceAccount:test@test-project.iam.gserviceaccount.com"
+  }
+  locations = {
+    ew8 = "europe-west8"
+  }
+  networks = {
+    test = "projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0"
+  }
+  project_ids = {
+    test = "foo-test-0"
+  }
+  tag_values = {
+    "test" = "tagValues/1234567890"
+  }
+}
+name      = "test-1"
+parent_id = "$project_ids:test"
+region    = "global"
+attachments = {
+  test = "$networks:test"
+}
+egress_rules = {
+  smtp = {
+    priority                = 900
+    target_service_accounts = ["$iam_principals:test"]
+    match = {
+      destination_ranges = ["$cidr_ranges:rfc1918-10"]
+      layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
+      source_tags        = ["$tag_values:test"]
+    }
+  }
+}
+ingress_rules = {
+  icmp = {
+    priority         = 1000
+    enable_logging   = true
+    target_resources = ["$networks:test"]
+    target_tags      = ["$tag_values:test"]
+    match = {
+      source_ranges  = ["$cidr_ranges:rfc1918-10"]
+      layer4_configs = [{ protocol = "icmp" }]
+    }
+  }
+}

tests/modules/net_firewall_policy/context-g.yaml

@@ -0,0 +1,99 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_network_firewall_policy.net-global[0]:
+    description: null
+    name: test-1
+    project: foo-test-0
+    timeouts: null
+  google_compute_network_firewall_policy_association.net-global["test"]:
+    attachment_target: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    firewall_policy: test-1
+    name: test-1-test
+    project: foo-test-0
+    timeouts: null
+  google_compute_network_firewall_policy_rule.net-global["egress/smtp"]:
+    action: deny
+    description: null
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: test-1
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '25'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags:
+      - name: tagValues/1234567890
+      src_threat_intelligences: null
+    priority: 900
+    project: foo-test-0
+    rule_name: smtp
+    security_profile_group: null
+    target_secure_tags: []
+    target_service_accounts:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    timeouts: null
+    tls_inspect: null
+  google_compute_network_firewall_policy_rule.net-global["ingress/icmp"]:
+    action: allow
+    description: null
+    direction: INGRESS
+    disabled: false
+    enable_logging: true
+    firewall_policy: test-1
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: icmp
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 10.0.0.0/8
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 1000
+    project: foo-test-0
+    rule_name: icmp
+    security_profile_group: null
+    target_secure_tags:
+    - name: tagValues/1234567890
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+
+counts:
+  google_compute_network_firewall_policy: 1
+  google_compute_network_firewall_policy_association: 1
+  google_compute_network_firewall_policy_rule: 2
+  modules: 0
+  resources: 4

tests/modules/net_firewall_policy/context-h.tfvars

@@ -0,0 +1,49 @@
+context = {
+  cidr_ranges = {
+    rfc1918-10 = "10.0.0.0/8"
+  }
+  folder_ids = {
+    test = "folders/1234567890"
+  }
+  iam_principals = {
+    test = "serviceAccount:test@test-project.iam.gserviceaccount.com"
+  }
+  locations = {
+    ew8 = "europe-west8"
+  }
+  networks = {
+    test = "projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0"
+  }
+  project_ids = {
+    test = "foo-test-0"
+  }
+  tag_values = {
+    "test/one" = "tagValues/1234567890"
+  }
+}
+name      = "test-1"
+parent_id = "$folder_ids:test"
+attachments = {
+  test = "$folder_ids:test"
+}
+egress_rules = {
+  smtp = {
+    priority = 900
+    match = {
+      destination_ranges = ["$cidr_ranges:rfc1918-10"]
+      layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
+    }
+  }
+}
+ingress_rules = {
+  icmp = {
+    priority                = 1000
+    enable_logging          = true
+    target_resources        = ["$networks:test"]
+    target_service_accounts = ["$iam_principals:test"]
+    match = {
+      source_ranges  = ["$cidr_ranges:rfc1918-10"]
+      layer4_configs = [{ protocol = "icmp" }]
+    }
+  }
+}

tests/modules/net_firewall_policy/context-h.yaml

@@ -0,0 +1,92 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_firewall_policy.hierarchical[0]:
+    description: null
+    parent: folders/1234567890
+    short_name: test-1
+    timeouts: null
+  google_compute_firewall_policy_association.hierarchical["test"]:
+    attachment_target: folders/1234567890
+    name: test-1-test
+    timeouts: null
+  google_compute_firewall_policy_rule.hierarchical["egress/smtp"]:
+    action: deny
+    description: null
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '25'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 900
+    security_profile_group: null
+    target_resources: null
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  google_compute_firewall_policy_rule.hierarchical["ingress/icmp"]:
+    action: allow
+    description: null
+    direction: INGRESS
+    disabled: false
+    enable_logging: true
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: icmp
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 10.0.0.0/8
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 1000
+    security_profile_group: null
+    target_resources:
+    - projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    target_secure_tags: []
+    target_service_accounts:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    timeouts: null
+    tls_inspect: null
+
+counts:
+  google_compute_firewall_policy: 1
+  google_compute_firewall_policy_association: 1
+  google_compute_firewall_policy_rule: 2
+  modules: 0
+  resources: 4

tests/modules/net_firewall_policy/context-r.tfvars

@@ -0,0 +1,52 @@
+context = {
+  cidr_ranges = {
+    rfc1918-10 = "10.0.0.0/8"
+  }
+  folder_ids = {
+    test = "folders/1234567890"
+  }
+  iam_principals = {
+    test = "serviceAccount:test@test-project.iam.gserviceaccount.com"
+  }
+  locations = {
+    ew8 = "europe-west8"
+  }
+  networks = {
+    test = "projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0"
+  }
+  project_ids = {
+    test = "foo-test-0"
+  }
+  tag_values = {
+    "test" = "tagValues/1234567890"
+  }
+}
+name      = "test-1"
+parent_id = "$project_ids:test"
+region    = "$locations:ew8"
+attachments = {
+  test = "$networks:test"
+}
+egress_rules = {
+  smtp = {
+    priority                = 900
+    target_service_accounts = ["$iam_principals:test"]
+    match = {
+      destination_ranges = ["$cidr_ranges:rfc1918-10"]
+      layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
+      source_tags        = ["$tag_values:test"]
+    }
+  }
+}
+ingress_rules = {
+  icmp = {
+    priority         = 1000
+    enable_logging   = true
+    target_resources = ["$networks:test"]
+    target_tags      = ["$tag_values:test"]
+    match = {
+      source_ranges  = ["$cidr_ranges:rfc1918-10"]
+      layer4_configs = [{ protocol = "icmp" }]
+    }
+  }
+}

tests/modules/net_firewall_policy/context-r.yaml

@@ -0,0 +1,103 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_region_network_firewall_policy.net-regional[0]:
+    description: null
+    name: test-1
+    project: foo-test-0
+    region: europe-west8
+    timeouts: null
+  google_compute_region_network_firewall_policy_association.net-regional["test"]:
+    attachment_target: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    firewall_policy: test-1
+    name: test-1-test
+    project: foo-test-0
+    region: europe-west8
+    timeouts: null
+  google_compute_region_network_firewall_policy_rule.net-regional["egress/smtp"]:
+    action: deny
+    description: null
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: test-1
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '25'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags:
+      - name: tagValues/1234567890
+      src_threat_intelligences: null
+    priority: 900
+    project: foo-test-0
+    region: europe-west8
+    rule_name: smtp
+    security_profile_group: null
+    target_secure_tags: []
+    target_service_accounts:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    timeouts: null
+    tls_inspect: null
+  google_compute_region_network_firewall_policy_rule.net-regional["ingress/icmp"]:
+    action: allow
+    description: null
+    direction: INGRESS
+    disabled: false
+    enable_logging: true
+    firewall_policy: test-1
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: icmp
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 10.0.0.0/8
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 1000
+    project: foo-test-0
+    region: europe-west8
+    rule_name: icmp
+    security_profile_group: null
+    target_secure_tags:
+    - name: tagValues/1234567890
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+
+counts:
+  google_compute_region_network_firewall_policy: 1
+  google_compute_region_network_firewall_policy_association: 1
+  google_compute_region_network_firewall_policy_rule: 2
+  modules: 0
+  resources: 4

tests/modules/net_firewall_policy/tftest.yaml

@@ -0,0 +1,19 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: modules/net-firewall-policy
+tests:
+  context-g:
+  context-h:
+  context-r: