
compute: added support for resource level iam policy to FirewallPolicy#18021

Merged
roaks3 merged 1 commit into
GoogleCloudPlatform:mainfrom
chandlerding:firewall_policy_iam
Jun 23, 2026

Conversation

@chandlerding chandlerding commented Jun 20, 2026

Contributor

Fix b/475675077.

`google_compute_firewall_policy_iam_binding`
`google_compute_firewall_policy_iam_member`
`google_compute_firewall_policy_iam_policy`
`google_compute_network_firewall_policy_iam_binding`
`google_compute_network_firewall_policy_iam_member`
`google_compute_network_firewall_policy_iam_policy`
`google_compute_region_network_firewall_policy_iam_binding`
`google_compute_region_network_firewall_policy_iam_member`
`google_compute_region_network_firewall_policy_iam_policy`

@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Jun 20, 2026
@chandlerding chandlerding marked this pull request as ready for review June 20, 2026 10:18
@github-actions github-actions Bot requested a review from roaks3 June 20, 2026 10:18
@github-actions


Googlers: For automatic test runs see go/terraform-auto-test-runs.

@roaks3, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

@chandlerding

Contributor Author

Performed integration testing locally against a live environment and everything is working as expected, e.g. terraform plan/apply/import/destroy of the templates below:

terraform {
  required_providers {
    google = {
      # Points to your local build if configured via dev_overrides
      source = "hashicorp/google"
    }
  }
}

# ------------------------------------------------------------------------------
# PROVIDER CONFIGURATION
# ------------------------------------------------------------------------------
provider "google" {
  project = "PROJECT_ID"  # REPLACE with your Project ID
  region  = "us-central1" # REPLACE with your default region
}

locals {
  test_user = "user:test@example.com"
}

# ==============================================================================
# 1. GLOBAL NETWORK FIREWALL POLICY
# ==============================================================================
resource "google_compute_network_firewall_policy" "global_policy" {
  name        = "tf-test-global-fw-policy"
  description = "Minimal global policy to verify IAM"
}

resource "google_compute_network_firewall_policy_iam_binding" "global_binding" {
  name    = google_compute_network_firewall_policy.global_policy.name
  role    = "roles/compute.securityAdmin"
  members = [local.test_user]
}

# ==============================================================================
# 2. REGIONAL NETWORK FIREWALL POLICY
# ==============================================================================
resource "google_compute_region_network_firewall_policy" "regional_policy" {
  name        = "tf-test-regional-fw-policy"
  description = "Minimal regional policy to verify IAM"
}

resource "google_compute_region_network_firewall_policy_iam_binding" "regional_binding" {
  name    = google_compute_region_network_firewall_policy.regional_policy.name
  region  = google_compute_region_network_firewall_policy.regional_policy.region
  project = google_compute_region_network_firewall_policy.regional_policy.project
  role    = "roles/compute.securityAdmin"
  members = [local.test_user]
}

# ==============================================================================
# 3. HIERARCHICAL FIREWALL POLICY
# ==============================================================================
resource "google_compute_firewall_policy" "hierarchical_policy" {
  # Hierarchical policies MUST be attached to a Folder or Organization, not a Project
  parent      = "organizations/ORG_ID" # REPLACE with your Org ID or Folder ID (e.g., folders/123456)
  short_name  = "tftesthierarchical"   # short_name cannot contain dashes in some API versions
  description = "Minimal hierarchical policy to verify IAM"
}

resource "google_compute_firewall_policy_iam_binding" "hierarchical_binding" {
  # Hierarchical policies typically reference the system-generated ID
  name    = google_compute_firewall_policy.hierarchical_policy.id
  role    = "roles/compute.securityAdmin"
  members = [local.test_user]
}
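The author's template above exercises only the `_iam_binding` flavour with `roles/compute.securityAdmin`. The configuration below is an added example, not part of this PR or the author's test template, showing how the three flavours this PR adds differ in how much of a firewall policy's IAM policy they own: `_iam_policy` is authoritative for the whole policy, `_iam_binding` is authoritative for one role, and `_iam_member` is additive. It assumes the argument names `policy_data` (for `_iam_policy`) and `member` (for `_iam_member`) follow the provider's usual IAM resource pattern; only `name`, `role` and `members` are confirmed on this page. The principals, `PROJECT_ID` and `ORG_ID` are placeholders, and the read-only role `roles/compute.networkViewer` is chosen as a least-privilege contrast to the admin role; confirm it is grantable on your policy resource before relying on it.

```hcl
# Added example (not from the PR). Argument names `policy_data` and `member`
# are assumed from the provider's standard IAM resource pattern.
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "PROJECT_ID"  # placeholder
  region  = "us-central1"
}

locals {
  # Constructed sample principals; replace with real ones.
  netops_readers = "group:netops-readers@example.com"
  netsec_admins  = "group:netsec-admins@example.com"
  audit_sa       = "serviceAccount:fw-audit@PROJECT_ID.iam.gserviceaccount.com"
}

# --- (A) Whole-policy (authoritative) management on a global network firewall policy
resource "google_compute_network_firewall_policy" "global" {
  name        = "tf-example-global-fw-policy"
  description = "Global policy whose IAM policy is fully managed in Terraform"
}

data "google_iam_policy" "global_fw" {
  binding {
    role    = "roles/compute.networkViewer"
    members = [local.netops_readers, local.audit_sa]
  }
}

# *_iam_policy owns the ENTIRE IAM policy of the resource: any binding that is
# not in policy_data is removed on apply, which is what makes it the right
# choice when no out-of-band grants should survive. Never combine it with
# *_iam_binding / *_iam_member on the same resource; they would fight on
# every apply.
resource "google_compute_network_firewall_policy_iam_policy" "global" {
  name        = google_compute_network_firewall_policy.global.name
  policy_data = data.google_iam_policy.global_fw.policy_data # assumed argument name
}

# --- (B) Per-role management on a hierarchical policy
resource "google_compute_firewall_policy" "hierarchical" {
  parent      = "organizations/ORG_ID" # placeholder
  short_name  = "tfexampleiam"
  description = "Hierarchical policy with per-role IAM"
}

# *_iam_binding is authoritative for ONE role only: the member list of
# roles/compute.securityAdmin becomes exactly this set, other roles untouched.
resource "google_compute_firewall_policy_iam_binding" "admins" {
  name    = google_compute_firewall_policy.hierarchical.id
  role    = "roles/compute.securityAdmin"
  members = [local.netsec_admins]
}

# *_iam_member is additive: it grants one principal one role and leaves every
# other member of that role alone. It can coexist with a *_iam_binding on the
# same resource only when the roles differ, as they do here.
resource "google_compute_firewall_policy_iam_member" "auditor" {
  name   = google_compute_firewall_policy.hierarchical.id
  role   = "roles/compute.networkViewer"
  member = local.audit_sa # assumed argument name
}
```

A useful check when adopting `_iam_policy` on a policy that already has grants: run `terraform plan` first and read the diff on the `_iam_policy` resource, because every binding absent from `policy_data`, including ones granted manually in the console, will show up as a removal. For `_iam_binding`, the same plan shows any principal that would be dropped from the managed role.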

@modular-magician modular-magician added service/network-security-distributed-firewall and removed awaiting-approval Pull requests that need reviewer's approval to run presubmit tests labels Jun 22, 2026
modular-magician commented Jun 22, 2026

Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes for commit 94a6b46:

Diff report

Your PR generated the following diffs in downstream repositories:

Repository                   | Diff link | Changes
google provider              | View Diff | 12 files changed, 2328 insertions(+)
google-beta provider         | View Diff | 12 files changed, 2328 insertions(+)
terraform-google-conversion  | View Diff | 6 files changed, 1094 insertions(+)

Multiple resources added

This PR adds multiple new resources: google_compute_firewall_policy_iam_*, google_compute_network_firewall_policy_iam_*, google_compute_region_network_firewall_policy_iam_*. This makes review significantly more difficult. Please split it into multiple PRs, one per resource.
An override-multiple-resources label can be added to allow merging.

Test report

Analytics

Total Tests: 1492 | Passed: 1390 | Skipped: 93 | Affected: 9
Affected Service Packages
  • compute

Learn how VCR tests work


Step 1: Replaying Mode

Action taken

Found 9 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.

Affected tests:
  • TestAccComputeFirewallPolicyIamBindingGenerated
  • TestAccComputeFirewallPolicyIamMemberGenerated
  • TestAccComputeFirewallPolicyIamPolicyGenerated
  • TestAccComputeNetworkFirewallPolicyIamBindingGenerated
  • TestAccComputeNetworkFirewallPolicyIamMemberGenerated
  • TestAccComputeNetworkFirewallPolicyIamPolicyGenerated
  • TestAccComputeRegionNetworkFirewallPolicyIamBindingGenerated
  • TestAccComputeRegionNetworkFirewallPolicyIamMemberGenerated
  • TestAccComputeRegionNetworkFirewallPolicyIamPolicyGenerated

View the replaying VCR build log


Step 2: Recording Mode

Recording Mode Replaying Rerun Test Name
✅ Log TestAccComputeFirewallPolicyIamBindingGenerated
✅ Log TestAccComputeFirewallPolicyIamMemberGenerated
✅ Log TestAccComputeFirewallPolicyIamPolicyGenerated
✅ Log TestAccComputeNetworkFirewallPolicyIamBindingGenerated
✅ Log TestAccComputeNetworkFirewallPolicyIamMemberGenerated
✅ Log TestAccComputeNetworkFirewallPolicyIamPolicyGenerated
✅ Log TestAccComputeRegionNetworkFirewallPolicyIamBindingGenerated
✅ Log TestAccComputeRegionNetworkFirewallPolicyIamMemberGenerated
✅ Log TestAccComputeRegionNetworkFirewallPolicyIamPolicyGenerated

🟢 All tests passed!

View the recording VCR build log or the debug logs folder for detailed results.

@chandlerding, @roaks3 VCR tests complete for 94a6b46!
