From e54d60308a022535dd39258f9faa364e0a4b25e1 Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 7 Nov 2022 17:04:43 -0800 Subject: [PATCH] Add support for network_firewall_policy and region_network_firewall_policy (#6693) (#12969) Co-authored-by: Ghaleb Al-habian Co-authored-by: Angel Montero Co-authored-by: Chris Hawk Signed-off-by: Modular Magician Signed-off-by: Modular Magician Co-authored-by: Ghaleb Al-habian Co-authored-by: Angel Montero Co-authored-by: Chris Hawk --- .changelog/6693.txt | 6 + google/provider_dcl_resources.go | 60 +-- ...esource_compute_network_firewall_policy.go | 326 ++++++++++++++++ ..._network_firewall_policy_generated_test.go | 120 ++++++ ...te_network_firewall_policy_sweeper_test.go | 71 ++++ ..._compute_region_network_firewall_policy.go | 358 ++++++++++++++++++ ..._network_firewall_policy_generated_test.go | 126 ++++++ ...on_network_firewall_policy_sweeper_test.go | 71 ++++ ...pute_network_firewall_policy.html.markdown | 102 +++++ ...gion_network_firewall_policy.html.markdown | 109 ++++++ 10 files changed, 1320 insertions(+), 29 deletions(-) create mode 100644 .changelog/6693.txt create mode 100644 google/resource_compute_network_firewall_policy.go create mode 100644 google/resource_compute_network_firewall_policy_generated_test.go create mode 100644 google/resource_compute_network_firewall_policy_sweeper_test.go create mode 100644 google/resource_compute_region_network_firewall_policy.go create mode 100644 google/resource_compute_region_network_firewall_policy_generated_test.go create mode 100644 google/resource_compute_region_network_firewall_policy_sweeper_test.go create mode 100644 website/docs/r/compute_network_firewall_policy.html.markdown create mode 100644 website/docs/r/compute_region_network_firewall_policy.html.markdown diff --git a/.changelog/6693.txt b/.changelog/6693.txt new file mode 100644 index 0000000000..ced81a9f90 --- /dev/null +++ b/.changelog/6693.txt 
@@ -0,0 +1,6 @@
+```release-note:new-resource
+`google_compute_network_firewall_policy`
+```
+```release-note:new-resource
+`google_compute_region_network_firewall_policy`
+```
diff --git a/google/provider_dcl_resources.go b/google/provider_dcl_resources.go
index 3596ebcd03..505bb1bfa9 100644
--- a/google/provider_dcl_resources.go
+++ b/google/provider_dcl_resources.go
@@ -20,33 +20,35 @@ import ( ) var dclResources = map[string]*schema.Resource{ - "google_apikeys_key": resourceApikeysKey(), - "google_assured_workloads_workload": resourceAssuredWorkloadsWorkload(), - "google_bigquery_reservation_assignment": resourceBigqueryReservationAssignment(), - "google_cloudbuild_worker_pool": resourceCloudbuildWorkerPool(), - "google_clouddeploy_delivery_pipeline": resourceClouddeployDeliveryPipeline(), - "google_clouddeploy_target": resourceClouddeployTarget(), - "google_compute_firewall_policy": resourceComputeFirewallPolicy(), - "google_compute_firewall_policy_association": resourceComputeFirewallPolicyAssociation(), - "google_compute_firewall_policy_rule": resourceComputeFirewallPolicyRule(), - "google_container_aws_cluster": resourceContainerAwsCluster(), - "google_container_aws_node_pool": resourceContainerAwsNodePool(), - "google_container_azure_client": resourceContainerAzureClient(), - "google_container_azure_cluster": resourceContainerAzureCluster(), - "google_container_azure_node_pool": resourceContainerAzureNodePool(), - "google_dataplex_asset": resourceDataplexAsset(), - "google_dataplex_lake": resourceDataplexLake(), - "google_dataplex_zone": resourceDataplexZone(), - "google_dataproc_workflow_template": resourceDataprocWorkflowTemplate(), - "google_eventarc_trigger": resourceEventarcTrigger(), - "google_firebaserules_release": resourceFirebaserulesRelease(), - "google_firebaserules_ruleset": resourceFirebaserulesRuleset(), - "google_logging_log_view": resourceLoggingLogView(), - "google_monitoring_monitored_project": resourceMonitoringMonitoredProject(), - "google_network_connectivity_hub": resourceNetworkConnectivityHub(), - "google_network_connectivity_spoke": resourceNetworkConnectivitySpoke(), - "google_org_policy_policy": resourceOrgPolicyPolicy(), - "google_os_config_os_policy_assignment": resourceOsConfigOsPolicyAssignment(), - "google_privateca_certificate_template": resourcePrivatecaCertificateTemplate(), - 
"google_recaptcha_enterprise_key": resourceRecaptchaEnterpriseKey(), + "google_apikeys_key": resourceApikeysKey(), + "google_assured_workloads_workload": resourceAssuredWorkloadsWorkload(), + "google_bigquery_reservation_assignment": resourceBigqueryReservationAssignment(), + "google_cloudbuild_worker_pool": resourceCloudbuildWorkerPool(), + "google_clouddeploy_delivery_pipeline": resourceClouddeployDeliveryPipeline(), + "google_clouddeploy_target": resourceClouddeployTarget(), + "google_compute_firewall_policy": resourceComputeFirewallPolicy(), + "google_compute_firewall_policy_association": resourceComputeFirewallPolicyAssociation(), + "google_compute_firewall_policy_rule": resourceComputeFirewallPolicyRule(), + "google_compute_region_network_firewall_policy": resourceComputeRegionNetworkFirewallPolicy(), + "google_compute_network_firewall_policy": resourceComputeNetworkFirewallPolicy(), + "google_container_aws_cluster": resourceContainerAwsCluster(), + "google_container_aws_node_pool": resourceContainerAwsNodePool(), + "google_container_azure_client": resourceContainerAzureClient(), + "google_container_azure_cluster": resourceContainerAzureCluster(), + "google_container_azure_node_pool": resourceContainerAzureNodePool(), + "google_dataplex_asset": resourceDataplexAsset(), + "google_dataplex_lake": resourceDataplexLake(), + "google_dataplex_zone": resourceDataplexZone(), + "google_dataproc_workflow_template": resourceDataprocWorkflowTemplate(), + "google_eventarc_trigger": resourceEventarcTrigger(), + "google_firebaserules_release": resourceFirebaserulesRelease(), + "google_firebaserules_ruleset": resourceFirebaserulesRuleset(), + "google_logging_log_view": resourceLoggingLogView(), + "google_monitoring_monitored_project": resourceMonitoringMonitoredProject(), + "google_network_connectivity_hub": resourceNetworkConnectivityHub(), + "google_network_connectivity_spoke": resourceNetworkConnectivitySpoke(), + "google_org_policy_policy": resourceOrgPolicyPolicy(), + 
"google_os_config_os_policy_assignment": resourceOsConfigOsPolicyAssignment(), + "google_privateca_certificate_template": resourcePrivatecaCertificateTemplate(), + "google_recaptcha_enterprise_key": resourceRecaptchaEnterpriseKey(), } diff --git a/google/resource_compute_network_firewall_policy.go b/google/resource_compute_network_firewall_policy.go new file mode 100644 index 0000000000..0178a5112a --- /dev/null +++ b/google/resource_compute_network_firewall_policy.go 
@@ -0,0 +1,326 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: DCL *** +// +// ---------------------------------------------------------------------------- +// +// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) +// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). +// Changes will need to be made to the DCL or Magic Modules instead of here. +// +// We are not currently able to accept contributions to this file. If changes +// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "fmt" + "log" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + + dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl" + compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute" +) + +func resourceComputeNetworkFirewallPolicy() *schema.Resource { + return &schema.Resource{ + Create: resourceComputeNetworkFirewallPolicyCreate, + Read: resourceComputeNetworkFirewallPolicyRead, + Update: resourceComputeNetworkFirewallPolicyUpdate, + Delete: resourceComputeNetworkFirewallPolicyDelete, + + Importer: &schema.ResourceImporter{ + State: resourceComputeNetworkFirewallPolicyImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. 
The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.", + }, + + "description": { + Type: schema.TypeString, + Optional: true, + Description: "An optional description of this resource. Provide this property when you create the resource.", + }, + + "project": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkOrResourceName, + Description: "The project for the resource", + }, + + "creation_timestamp": { + Type: schema.TypeString, + Computed: true, + Description: "Creation timestamp in RFC3339 text format.", + }, + + "fingerprint": { + Type: schema.TypeString, + Computed: true, + Description: "Fingerprint of the resource. This field is used internally during updates of this resource.", + }, + + "network_firewall_policy_id": { + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier for the resource. This identifier is defined by the server.", + }, + + "rule_tuple_count": { + Type: schema.TypeInt, + Computed: true, + Description: "Total count of all firewall policy rule tuples. 
A firewall policy can not exceed a set number of tuples.", + }, + + "self_link": { + Type: schema.TypeString, + Computed: true, + Description: "Server-defined URL for the resource.", + }, + + "self_link_with_id": { + Type: schema.TypeString, + Computed: true, + Description: "Server-defined URL for this resource with the resource id.", + }, + }, + } +} + +func resourceComputeNetworkFirewallPolicyCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + } + + id, err := obj.ID() + if err != nil { + return fmt.Errorf("error constructing id: %s", err) + } + d.SetId(id) + directive := CreateDirective + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + billingProject := project + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutCreate)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + res, err := client.ApplyNetworkFirewallPolicy(context.Background(), obj, directive...) 
+ + if _, ok := err.(dcl.DiffAfterApplyError); ok { + log.Printf("[DEBUG] Diff after apply returned from the DCL: %s", err) + } else if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error creating NetworkFirewallPolicy: %s", err) + } + + log.Printf("[DEBUG] Finished creating NetworkFirewallPolicy %q: %#v", d.Id(), res) + + return resourceComputeNetworkFirewallPolicyRead(d, meta) +} + +func resourceComputeNetworkFirewallPolicyRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + } + + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + billingProject := project + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutRead)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + res, err := client.GetNetworkFirewallPolicy(context.Background(), obj) + if err != nil { + resourceName := fmt.Sprintf("ComputeNetworkFirewallPolicy %q", d.Id()) + return handleNotFoundDCLError(err, d, resourceName) + } + + if err = d.Set("name", res.Name); err != nil { + return fmt.Errorf("error setting name in state: %s", err) + } + if err = d.Set("description", res.Description); err != nil { + return fmt.Errorf("error setting description in state: %s", err) + } + if err = d.Set("project", res.Project); err != nil { + return fmt.Errorf("error setting project in state: %s", err) + } + if 
err = d.Set("creation_timestamp", res.CreationTimestamp); err != nil { + return fmt.Errorf("error setting creation_timestamp in state: %s", err) + } + if err = d.Set("fingerprint", res.Fingerprint); err != nil { + return fmt.Errorf("error setting fingerprint in state: %s", err) + } + if err = d.Set("network_firewall_policy_id", res.Id); err != nil { + return fmt.Errorf("error setting network_firewall_policy_id in state: %s", err) + } + if err = d.Set("rule_tuple_count", res.RuleTupleCount); err != nil { + return fmt.Errorf("error setting rule_tuple_count in state: %s", err) + } + if err = d.Set("self_link", res.SelfLink); err != nil { + return fmt.Errorf("error setting self_link in state: %s", err) + } + if err = d.Set("self_link_with_id", res.SelfLinkWithId); err != nil { + return fmt.Errorf("error setting self_link_with_id in state: %s", err) + } + + return nil +} +func resourceComputeNetworkFirewallPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + } + directive := UpdateDirective + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + billingProject := "" + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutUpdate)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + res, err := client.ApplyNetworkFirewallPolicy(context.Background(), obj, directive...) 
+ + if _, ok := err.(dcl.DiffAfterApplyError); ok { + log.Printf("[DEBUG] Diff after apply returned from the DCL: %s", err) + } else if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error updating NetworkFirewallPolicy: %s", err) + } + + log.Printf("[DEBUG] Finished creating NetworkFirewallPolicy %q: %#v", d.Id(), res) + + return resourceComputeNetworkFirewallPolicyRead(d, meta) +} + +func resourceComputeNetworkFirewallPolicyDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + } + + log.Printf("[DEBUG] Deleting NetworkFirewallPolicy %q", d.Id()) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + billingProject := project + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutDelete)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + if err := client.DeleteNetworkFirewallPolicy(context.Background(), obj); err != nil { + return fmt.Errorf("Error deleting NetworkFirewallPolicy: %s", err) + } + + log.Printf("[DEBUG] Finished deleting NetworkFirewallPolicy %q", d.Id()) + return nil +} + +func resourceComputeNetworkFirewallPolicyImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*Config) + + if err := parseImportId([]string{ + "projects/(?P[^/]+)/global/firewallPolicies/(?P[^/]+)", + 
"(?P[^/]+)/(?P[^/]+)", + "(?P[^/]+)", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err := replaceVarsForId(d, config, "projects/{{project}}/global/firewallPolicies/{{name}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} diff --git a/google/resource_compute_network_firewall_policy_generated_test.go b/google/resource_compute_network_firewall_policy_generated_test.go new file mode 100644 index 0000000000..03b35a2655 --- /dev/null +++ b/google/resource_compute_network_firewall_policy_generated_test.go 
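Review bot: In resourceComputeNetworkFirewallPolicyUpdate, a failed ApplyNetworkFirewallPolicy call runs `d.SetId("")` under the copied comment `// The resource didn't actually create`. Clearing the ID on the update path would, as far as the SDK behaviour goes, drop a firewall policy from state while it still exists and is still enforced. That branch should keep only `return fmt.Errorf("Error updating NetworkFirewallPolicy: %s", err)`, and the `d.SetId("")` after a failed replaceVars in Read, Update and Delete deserves the same treatment. Update also starts from `billingProject := ""` where Create, Read and Delete start from `project`, and it logs "Finished creating" after an update. The same update branch is visible in resource_compute_region_network_firewall_policy.go; both files are marked as generated, so the change belongs in the Magic Modules / DCL templates.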
@@ -0,0 +1,120 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: DCL *** +// +// ---------------------------------------------------------------------------- +// +// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) +// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). +// Changes will need to be made to the DCL or Magic Modules instead of here. +// +// We are not currently able to accept contributions to this file. If changes +// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "fmt" + dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl" + compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "strings" + "testing" +) + +func TestAccComputeNetworkFirewallPolicy_GlobalHandWritten(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "project_name": getTestProjectFromEnv(), + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeNetworkFirewallPolicyDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeNetworkFirewallPolicy_GlobalHandWritten(context), + }, + { + ResourceName: "google_compute_network_firewall_policy.primary", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeNetworkFirewallPolicy_GlobalHandWrittenUpdate0(context), + }, + { + ResourceName: "google_compute_network_firewall_policy.primary", + ImportState: 
true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccComputeNetworkFirewallPolicy_GlobalHandWritten(context map[string]interface{}) string { + return Nprintf(` +resource "google_compute_network_firewall_policy" "primary" { + name = "tf-test-policy%{random_suffix}" + project = "%{project_name}" + description = "Sample global network firewall policy" +} + +`, context) +} + +func testAccComputeNetworkFirewallPolicy_GlobalHandWrittenUpdate0(context map[string]interface{}) string { + return Nprintf(` +resource "google_compute_network_firewall_policy" "primary" { + name = "tf-test-policy%{random_suffix}" + project = "%{project_name}" + description = "Updated global network firewall policy" +} + +`, context) +} + +func testAccCheckComputeNetworkFirewallPolicyDestroyProducer(t *testing.T) func(s *terraform.State) error { + return func(s *terraform.State) error { + for name, rs := range s.RootModule().Resources { + if rs.Type != "rs.google_compute_network_firewall_policy" { + continue + } + if strings.HasPrefix(name, "data.") { + continue + } + + config := googleProviderConfig(t) + + billingProject := "" + if config.BillingProject != "" { + billingProject = config.BillingProject + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(rs.Primary.Attributes["name"]), + Description: dcl.String(rs.Primary.Attributes["description"]), + Project: dcl.StringOrNil(rs.Primary.Attributes["project"]), + CreationTimestamp: dcl.StringOrNil(rs.Primary.Attributes["creation_timestamp"]), + Fingerprint: dcl.StringOrNil(rs.Primary.Attributes["fingerprint"]), + Id: dcl.StringOrNil(rs.Primary.Attributes["network_firewall_policy_id"]), + SelfLink: dcl.StringOrNil(rs.Primary.Attributes["self_link"]), + SelfLinkWithId: dcl.StringOrNil(rs.Primary.Attributes["self_link_with_id"]), + } + + client := NewDCLComputeClient(config, config.userAgent, billingProject, 0) + _, err := client.GetNetworkFirewallPolicy(context.Background(), obj) + if err == nil { + return 
fmt.Errorf("google_compute_network_firewall_policy still exists %v", obj) + } + } + return nil + } +} diff --git a/google/resource_compute_network_firewall_policy_sweeper_test.go b/google/resource_compute_network_firewall_policy_sweeper_test.go new file mode 100644 index 0000000000..7f02312e52 --- /dev/null +++ b/google/resource_compute_network_firewall_policy_sweeper_test.go 
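Review bot: The destroy check in testAccCheckComputeNetworkFirewallPolicyDestroyProducer compares `rs.Type` with `"rs.google_compute_network_firewall_policy"`, which carries a stray `rs.` prefix that the resource type declared in this file's configs does not have. Assuming state records the bare type, every resource takes the `continue` and CheckDestroy passes without ever calling GetNetworkFirewallPolicy, so a firewall policy left behind by the test would go unnoticed. The comparison should read `if rs.Type != "google_compute_network_firewall_policy" {`. The check also treats any error from GetNetworkFirewallPolicy as proof of deletion, where only a not-found error should count. The file is marked as generated, so the fix belongs in the generator template.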
@@ -0,0 +1,71 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: DCL *** +// +// ---------------------------------------------------------------------------- +// +// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) +// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). +// Changes will need to be made to the DCL or Magic Modules instead of here. +// +// We are not currently able to accept contributions to this file. If changes +// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "log" + "testing" + + compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +func init() { + resource.AddTestSweepers("ComputeNetworkFirewallPolicy", &resource.Sweeper{ + Name: "ComputeNetworkFirewallPolicy", + F: testSweepComputeNetworkFirewallPolicy, + }) +} + +func testSweepComputeNetworkFirewallPolicy(region string) error { + log.Print("[INFO][SWEEPER_LOG] Starting sweeper for ComputeNetworkFirewallPolicy") + + config, err := sharedConfigForRegion(region) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err) + return err + } + + err = config.LoadAndValidate(context.Background()) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err) + return err + } + + t := &testing.T{} + billingId := getTestBillingAccountFromEnv(t) + + // Setup variables to be used for Delete arguments. 
+ d := map[string]string{ + "project": config.Project, + "region": region, + "location": region, + "zone": "-", + "billing_account": billingId, + } + + client := NewDCLComputeClient(config, config.userAgent, "", 0) + err = client.DeleteAllNetworkFirewallPolicy(context.Background(), d["project"], d["location"], isDeletableComputeNetworkFirewallPolicy) + if err != nil { + return err + } + return nil +} + +func isDeletableComputeNetworkFirewallPolicy(r *compute.NetworkFirewallPolicy) bool { + return isSweepableTestResource(*r.Name) +} diff --git a/google/resource_compute_region_network_firewall_policy.go b/google/resource_compute_region_network_firewall_policy.go new file mode 100644 index 0000000000..071809d8cb --- /dev/null +++ b/google/resource_compute_region_network_firewall_policy.go 
@@ -0,0 +1,358 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: DCL *** +// +// ---------------------------------------------------------------------------- +// +// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) +// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). +// Changes will need to be made to the DCL or Magic Modules instead of here. +// +// We are not currently able to accept contributions to this file. If changes +// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "fmt" + "log" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + + dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl" + compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute" +) + +func resourceComputeRegionNetworkFirewallPolicy() *schema.Resource { + return &schema.Resource{ + Create: resourceComputeRegionNetworkFirewallPolicyCreate, + Read: resourceComputeRegionNetworkFirewallPolicyRead, + Update: resourceComputeRegionNetworkFirewallPolicyUpdate, + Delete: resourceComputeRegionNetworkFirewallPolicyDelete, + + Importer: &schema.ResourceImporter{ + State: resourceComputeRegionNetworkFirewallPolicyImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "User-provided name of the Network firewall policy. 
The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.", + }, + + "description": { + Type: schema.TypeString, + Optional: true, + Description: "An optional description of this resource. Provide this property when you create the resource.", + }, + + "project": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkOrResourceName, + Description: "The project for the resource", + }, + + "region": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ForceNew: true, + Description: "The location of this resource.", + }, + + "creation_timestamp": { + Type: schema.TypeString, + Computed: true, + Description: "Creation timestamp in RFC3339 text format.", + }, + + "fingerprint": { + Type: schema.TypeString, + Computed: true, + Description: "Fingerprint of the resource. This field is used internally during updates of this resource.", + }, + + "region_network_firewall_policy_id": { + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier for the resource. This identifier is defined by the server.", + }, + + "rule_tuple_count": { + Type: schema.TypeInt, + Computed: true, + Description: "Total count of all firewall policy rule tuples. 
A firewall policy can not exceed a set number of tuples.", + }, + + "self_link": { + Type: schema.TypeString, + Computed: true, + Description: "Server-defined URL for the resource.", + }, + + "self_link_with_id": { + Type: schema.TypeString, + Computed: true, + Description: "Server-defined URL for this resource with the resource id.", + }, + }, + } +} + +func resourceComputeRegionNetworkFirewallPolicyCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + region, err := getRegion(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + Location: dcl.String(region), + } + + id, err := replaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return fmt.Errorf("error constructing id: %s", err) + } + d.SetId(id) + directive := CreateDirective + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + billingProject := project + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutCreate)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + res, err := client.ApplyNetworkFirewallPolicy(context.Background(), obj, directive...) 
+ + if _, ok := err.(dcl.DiffAfterApplyError); ok { + log.Printf("[DEBUG] Diff after apply returned from the DCL: %s", err) + } else if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error creating NetworkFirewallPolicy: %s", err) + } + + log.Printf("[DEBUG] Finished creating NetworkFirewallPolicy %q: %#v", d.Id(), res) + + return resourceComputeRegionNetworkFirewallPolicyRead(d, meta) +} + +func resourceComputeRegionNetworkFirewallPolicyRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + region, err := getRegion(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + Location: dcl.String(region), + } + + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + billingProject := project + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutRead)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + res, err := client.GetNetworkFirewallPolicy(context.Background(), obj) + if err != nil { + resourceName := fmt.Sprintf("ComputeRegionNetworkFirewallPolicy %q", d.Id()) + return handleNotFoundDCLError(err, d, resourceName) + } + + if err = d.Set("name", res.Name); err != nil { + return fmt.Errorf("error setting name in state: %s", err) + } + if err = d.Set("description", res.Description); err != nil { + return fmt.Errorf("error setting description in state: %s", err) + } + 
if err = d.Set("project", res.Project); err != nil { + return fmt.Errorf("error setting project in state: %s", err) + } + if err = d.Set("region", res.Location); err != nil { + return fmt.Errorf("error setting region in state: %s", err) + } + if err = d.Set("creation_timestamp", res.CreationTimestamp); err != nil { + return fmt.Errorf("error setting creation_timestamp in state: %s", err) + } + if err = d.Set("fingerprint", res.Fingerprint); err != nil { + return fmt.Errorf("error setting fingerprint in state: %s", err) + } + if err = d.Set("region_network_firewall_policy_id", res.Id); err != nil { + return fmt.Errorf("error setting region_network_firewall_policy_id in state: %s", err) + } + if err = d.Set("rule_tuple_count", res.RuleTupleCount); err != nil { + return fmt.Errorf("error setting rule_tuple_count in state: %s", err) + } + if err = d.Set("self_link", res.SelfLink); err != nil { + return fmt.Errorf("error setting self_link in state: %s", err) + } + if err = d.Set("self_link_with_id", res.SelfLinkWithId); err != nil { + return fmt.Errorf("error setting self_link_with_id in state: %s", err) + } + + return nil +} +func resourceComputeRegionNetworkFirewallPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + region, err := getRegion(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + Location: dcl.String(region), + } + directive := UpdateDirective + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + + billingProject := "" + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, 
billingProject, d.Timeout(schema.TimeoutUpdate)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + res, err := client.ApplyNetworkFirewallPolicy(context.Background(), obj, directive...) + + if _, ok := err.(dcl.DiffAfterApplyError); ok { + log.Printf("[DEBUG] Diff after apply returned from the DCL: %s", err) + } else if err != nil { + // The resource didn't actually create + d.SetId("") + return fmt.Errorf("Error updating NetworkFirewallPolicy: %s", err) + } + + log.Printf("[DEBUG] Finished creating NetworkFirewallPolicy %q: %#v", d.Id(), res) + + return resourceComputeRegionNetworkFirewallPolicyRead(d, meta) +} + +func resourceComputeRegionNetworkFirewallPolicyDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + project, err := getProject(d, config) + if err != nil { + return err + } + region, err := getRegion(d, config) + if err != nil { + return err + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(d.Get("name").(string)), + Description: dcl.String(d.Get("description").(string)), + Project: dcl.String(project), + Location: dcl.String(region), + } + + log.Printf("[DEBUG] Deleting NetworkFirewallPolicy %q", d.Id()) + userAgent, err := generateUserAgentString(d, config.userAgent) + if err != nil { + return err + } + billingProject := project + // err == nil indicates that the billing_project value was found + if bp, err := getBillingProject(d, config); err == nil { + billingProject = bp + } + client := NewDCLComputeClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutDelete)) + if bp, err := replaceVars(d, config, client.Config.BasePath); err != nil { + d.SetId("") + return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) + } else { + client.Config.BasePath = bp + } + if err := 
client.DeleteNetworkFirewallPolicy(context.Background(), obj); err != nil { + return fmt.Errorf("Error deleting NetworkFirewallPolicy: %s", err) + } + + log.Printf("[DEBUG] Finished deleting NetworkFirewallPolicy %q", d.Id()) + return nil +} + +func resourceComputeRegionNetworkFirewallPolicyImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*Config) + + if err := parseImportId([]string{ + "projects/(?P[^/]+)/regions/(?P[^/]+)/firewallPolicies/(?P[^/]+)", + "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", + "(?P[^/]+)/(?P[^/]+)", + "(?P[^/]+)", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err := replaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} diff --git a/google/resource_compute_region_network_firewall_policy_generated_test.go b/google/resource_compute_region_network_firewall_policy_generated_test.go new file mode 100644 index 0000000000..418895e69b --- /dev/null +++ b/google/resource_compute_region_network_firewall_policy_generated_test.go 
@@ -0,0 +1,126 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: DCL *** +// +// ---------------------------------------------------------------------------- +// +// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) +// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). +// Changes will need to be made to the DCL or Magic Modules instead of here. +// +// We are not currently able to accept contributions to this file. If changes +// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "fmt" + dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl" + compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "strings" + "testing" +) + +func TestAccComputeRegionNetworkFirewallPolicy_RegionalHandWritten(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "project_name": getTestProjectFromEnv(), + "region": getTestRegionFromEnv(), + "random_suffix": randString(t, 10), + } + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeRegionNetworkFirewallPolicyDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeRegionNetworkFirewallPolicy_RegionalHandWritten(context), + }, + { + ResourceName: "google_compute_region_network_firewall_policy.primary", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccComputeRegionNetworkFirewallPolicy_RegionalHandWrittenUpdate0(context), + }, + { + 
ResourceName: "google_compute_region_network_firewall_policy.primary", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccComputeRegionNetworkFirewallPolicy_RegionalHandWritten(context map[string]interface{}) string { + return Nprintf(` +resource "google_compute_region_network_firewall_policy" "primary" { + name = "tf-test-policy%{random_suffix}" + project = "%{project_name}" + description = "Sample regional network firewall policy" + region = "%{region}" +} + + +`, context) +} + +func testAccComputeRegionNetworkFirewallPolicy_RegionalHandWrittenUpdate0(context map[string]interface{}) string { + return Nprintf(` +resource "google_compute_region_network_firewall_policy" "primary" { + name = "tf-test-policy%{random_suffix}" + project = "%{project_name}" + description = "Updated regional network firewall policy" + region = "%{region}" +} + + +`, context) +} + +func testAccCheckComputeRegionNetworkFirewallPolicyDestroyProducer(t *testing.T) func(s *terraform.State) error { + return func(s *terraform.State) error { + for name, rs := range s.RootModule().Resources { + if rs.Type != "rs.google_compute_region_network_firewall_policy" { + continue + } + if strings.HasPrefix(name, "data.") { + continue + } + + config := googleProviderConfig(t) + + billingProject := "" + if config.BillingProject != "" { + billingProject = config.BillingProject + } + + obj := &compute.NetworkFirewallPolicy{ + Name: dcl.String(rs.Primary.Attributes["name"]), + Description: dcl.String(rs.Primary.Attributes["description"]), + Project: dcl.StringOrNil(rs.Primary.Attributes["project"]), + Location: dcl.StringOrNil(rs.Primary.Attributes["region"]), + CreationTimestamp: dcl.StringOrNil(rs.Primary.Attributes["creation_timestamp"]), + Fingerprint: dcl.StringOrNil(rs.Primary.Attributes["fingerprint"]), + Id: dcl.StringOrNil(rs.Primary.Attributes["region_network_firewall_policy_id"]), + SelfLink: dcl.StringOrNil(rs.Primary.Attributes["self_link"]), + SelfLinkWithId: 
dcl.StringOrNil(rs.Primary.Attributes["self_link_with_id"]), + } + + client := NewDCLComputeClient(config, config.userAgent, billingProject, 0) + _, err := client.GetNetworkFirewallPolicy(context.Background(), obj) + if err == nil { + return fmt.Errorf("google_compute_region_network_firewall_policy still exists %v", obj) + } + } + return nil + } +} diff --git a/google/resource_compute_region_network_firewall_policy_sweeper_test.go b/google/resource_compute_region_network_firewall_policy_sweeper_test.go new file mode 100644 index 0000000000..0f39b1d375 --- /dev/null +++ b/google/resource_compute_region_network_firewall_policy_sweeper_test.go 
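Review bot: The type filter in testAccCheckComputeRegionNetworkFirewallPolicyDestroyProducer compares `rs.Type` with `"rs.google_compute_region_network_firewall_policy"`, but the test steps address the resource as `google_compute_region_network_firewall_policy.primary`, so the prefixed literal presumably never matches and every resource is skipped. The destroy check then returns nil without ever calling GetNetworkFirewallPolicy, and a firewall policy left behind by a failed delete would go unnoticed. The comparison should read `if rs.Type != "google_compute_region_network_firewall_policy" {`. Once the loop body runs, any non-nil error from the Get call counts as proof of deletion, so a permission or transport error would pass as well; checking specifically for a not-found error would be stricter. The file header marks the file as generated, so the change belongs in the Magic Modules/DCL template rather than here.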
@@ -0,0 +1,71 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: DCL *** +// +// ---------------------------------------------------------------------------- +// +// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) +// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). +// Changes will need to be made to the DCL or Magic Modules instead of here. +// +// We are not currently able to accept contributions to this file. If changes +// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "context" + "log" + "testing" + + compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +func init() { + resource.AddTestSweepers("ComputeRegionNetworkFirewallPolicy", &resource.Sweeper{ + Name: "ComputeRegionNetworkFirewallPolicy", + F: testSweepComputeRegionNetworkFirewallPolicy, + }) +} + +func testSweepComputeRegionNetworkFirewallPolicy(region string) error { + log.Print("[INFO][SWEEPER_LOG] Starting sweeper for ComputeRegionNetworkFirewallPolicy") + + config, err := sharedConfigForRegion(region) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err) + return err + } + + err = config.LoadAndValidate(context.Background()) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err) + return err + } + + t := &testing.T{} + billingId := getTestBillingAccountFromEnv(t) + + // Setup variables to be used for Delete arguments. 
+ d := map[string]string{ + "project": config.Project, + "region": region, + "location": region, + "zone": "-", + "billing_account": billingId, + } + + client := NewDCLComputeClient(config, config.userAgent, "", 0) + err = client.DeleteAllNetworkFirewallPolicy(context.Background(), d["project"], d["location"], isDeletableComputeRegionNetworkFirewallPolicy) + if err != nil { + return err + } + return nil +} + +func isDeletableComputeRegionNetworkFirewallPolicy(r *compute.NetworkFirewallPolicy) bool { + return isSweepableTestResource(*r.Name) +} diff --git a/website/docs/r/compute_network_firewall_policy.html.markdown b/website/docs/r/compute_network_firewall_policy.html.markdown new file mode 100644 index 0000000000..6e8b2c0f58 --- /dev/null +++ b/website/docs/r/compute_network_firewall_policy.html.markdown 
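Review bot: isDeletableComputeRegionNetworkFirewallPolicy dereferences `r.Name` without a nil check, and the `*r.Name` expression shows Name is a pointer field, so a listed policy without a name would panic the sweeper instead of being skipped. `return r.Name != nil && isSweepableTestResource(*r.Name)` keeps the predicate that gates DeleteAllNetworkFirewallPolicy fail-closed. In testSweepComputeRegionNetworkFirewallPolicy only `d["project"]` and `d["location"]` are read in this hunk, so the `zone` and `billing_account` entries, `billingId`, and the bare `&testing.T{}` built to obtain it look unused and could be dropped. The header marks the file as generated, so the change would go into the generator template.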
@@ -0,0 +1,102 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: DCL *** +# +# ---------------------------------------------------------------------------- +# +# This file is managed by Magic Modules (https:#github.com/GoogleCloudPlatform/magic-modules) +# and is based on the DCL (https:#github.com/GoogleCloudPlatform/declarative-resource-client-library). +# Changes will need to be made to the DCL or Magic Modules instead of here. +# +# We are not currently able to accept contributions to this file. If changes +# are required, please file an issue at https:#github.com/hashicorp/terraform-provider-google/issues/new/choose +# +# ---------------------------------------------------------------------------- +subcategory: "Compute Engine" +page_title: "Google: google_compute_network_firewall_policy" +description: |- + The Compute NetworkFirewallPolicy resource +--- + +# google_compute_network_firewall_policy + +The Compute NetworkFirewallPolicy resource + +## Example Usage - global +```hcl +resource "google_compute_network_firewall_policy" "primary" { + name = "policy" + project = "my-project-name" + description = "Sample global network firewall policy" +} + +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - + (Required) + User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + + +- - - + +* `description` - + (Optional) + An optional description of this resource. Provide this property when you create the resource. 
+ +* `project` - + (Optional) + The project for the resource + + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `projects/{{project}}/global/firewallPolicies/{{name}}` + +* `creation_timestamp` - + Creation timestamp in RFC3339 text format. + +* `fingerprint` - + Fingerprint of the resource. This field is used internally during updates of this resource. + +* `network_firewall_policy_id` - + The unique identifier for the resource. This identifier is defined by the server. + +* `rule_tuple_count` - + Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples. + +* `self_link` - + Server-defined URL for the resource. + +* `self_link_with_id` - + Server-defined URL for this resource with the resource id. + +## Timeouts + +This resource provides the following +[Timeouts](/docs/configuration/resources.html#timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. + +## Import + +NetworkFirewallPolicy can be imported using any of these accepted formats: + +``` +$ terraform import google_compute_network_firewall_policy.default projects/{{project}}/global/firewallPolicies/{{name}} +$ terraform import google_compute_network_firewall_policy.default {{project}}/{{name}} +$ terraform import google_compute_network_firewall_policy.default {{name}} +``` + + + diff --git a/website/docs/r/compute_region_network_firewall_policy.html.markdown b/website/docs/r/compute_region_network_firewall_policy.html.markdown new file mode 100644 index 0000000000..22d0a9f706 --- /dev/null +++ b/website/docs/r/compute_region_network_firewall_policy.html.markdown 
@@ -0,0 +1,109 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: DCL *** +# +# ---------------------------------------------------------------------------- +# +# This file is managed by Magic Modules (https:#github.com/GoogleCloudPlatform/magic-modules) +# and is based on the DCL (https:#github.com/GoogleCloudPlatform/declarative-resource-client-library). +# Changes will need to be made to the DCL or Magic Modules instead of here. +# +# We are not currently able to accept contributions to this file. If changes +# are required, please file an issue at https:#github.com/hashicorp/terraform-provider-google/issues/new/choose +# +# ---------------------------------------------------------------------------- +subcategory: "Compute Engine" +page_title: "Google: google_compute_region_network_firewall_policy" +description: |- + The Compute NetworkFirewallPolicy resource +--- + +# google_compute_region_network_firewall_policy + +The Compute NetworkFirewallPolicy resource + +## Example Usage - regional +```hcl +resource "google_compute_region_network_firewall_policy" "primary" { + name = "policy" + project = "my-project-name" + description = "Sample regional network firewall policy" + region = "us-west1" +} + + +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - + (Required) + User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + + +- - - + +* `description` - + (Optional) + An optional description of this resource. 
Provide this property when you create the resource. + +* `region` - + (Optional) + The location of this resource. + +* `project` - + (Optional) + The project for the resource + + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}` + +* `creation_timestamp` - + Creation timestamp in RFC3339 text format. + +* `fingerprint` - + Fingerprint of the resource. This field is used internally during updates of this resource. + +* `region_network_firewall_policy_id` - + The unique identifier for the resource. This identifier is defined by the server. + +* `rule_tuple_count` - + Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples. + +* `self_link` - + Server-defined URL for the resource. + +* `self_link_with_id` - + Server-defined URL for this resource with the resource id. + +## Timeouts + +This resource provides the following +[Timeouts](/docs/configuration/resources.html#timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. + +## Import + +NetworkFirewallPolicy can be imported using any of these accepted formats: + +``` +$ terraform import google_compute_region_network_firewall_policy.default projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}} +$ terraform import google_compute_region_network_firewall_policy.default {{project}}/{{region}}/{{name}} +$ terraform import google_compute_region_network_firewall_policy.default {{region}}/{{name}} +$ terraform import google_compute_region_network_firewall_policy.default {{name}} +``` + + +