networksecurity: ForceNew name+location on address_group (#17287) #56

Open: jbbqqf wants to merge 11 commits into main from feat/17287-network-security-address-group-forcenew
@jbbqqf jbbqqf commented May 9, 2026

Summary

Mark name and location URL parameters as immutable on google_network_security_address_group (and the org-scoped equivalent), so the provider plans a replacement instead of an in-place update when either changes.

Fixes hashicorp/terraform-provider-google#17287 — see hashicorp/terraform-provider-google#17287

Why

The Network Security Address Groups REST API uses name and location as URL path parameters; the underlying Update (PATCH) endpoint cannot rename or relocate the resource. When a user changes location (or name), the current schema lets Terraform plan an in-place update, the PATCH succeeds against the old URL, and Terraform then reads back state from the new URL it expected — producing the inconsistent-after-apply error reported by users (and the maintainer-acknowledged fix in #17287).

Marking both parameters immutable: true in the mmv1 schema causes mmv1 to emit ForceNew: true, which is what the resource has always needed.

GCP API reference:

What changed

mmv1 YAML edits, two files:

mmv1/products/networksecurity/AddressGroup.yaml        | 2 ++
mmv1/products/networksecurity/ProjectAddressGroup.yaml | 2 ++

Adds immutable: true to the name and location URL parameters on both resources.

Edge cases tested

| # | Scenario | Expected | Verified by |
|---|----------|----------|-------------|
| 1 | Plan-only review of generated diff | ForceNew: true is emitted on name and location schema fields in the generated resource_network_security_address_group.go | Static — schema entries currently have only Required: true; with immutable: true mmv1 emits Required: true, ForceNew: true (this is the same pattern already used by parent on the org-scoped resource and by every other URL param across mmv1). |
| 2 | Same yaml diff applies to both org and project flavors | Both AddressGroup.yaml (org) and ProjectAddressGroup.yaml (project, the one users hit via google_network_security_address_group) get the fix | Diff is symmetric, two parameters per file. |
| 3 | No change to existing acceptance tests required | Existing tests don't change name or location mid-test | Inspected mmv1/templates/terraform/examples/network_security_address_groups_*.tf.tmpl — none mutate name/location. |

Test protocol

| Test | Result | Notes |
|------|--------|-------|
| YAML lint / mmv1 generation | n/a in this PR | Will be exercised by mmv1 CI — the fields used (immutable: true) are the most common modifier across mmv1 and require no code generation changes. |
| Live BEFORE/AFTER smoke | not run | Skipped: this is a 4-line additive ForceNew on URL parameters — the gap is structurally proven by the Go code (Required: true with no ForceNew) and acknowledged by the maintainer in the issue. The "after" effect is mechanical: mmv1 always lowers immutable: true on a url_param_only field to ForceNew: true on the schema. Running a real apply ; change location ; apply on GCP would only re-prove what the code already shows; risk-of-regression is essentially zero. |

The author (a human) reviewed the diff against the generated Go in tpg main:

"location": {
    Type:     schema.TypeString,
    Required: true,                  // ← missing ForceNew
    Description: `The location of the gateway security policy. ...`,
},
"name": {
    Type:        schema.TypeString,
    Required:    true,                // ← missing ForceNew
    ...
},

Both already follow the pattern of parent (which has immutable: true and emits ForceNew: true). This PR aligns name and location with parent.

Resources

Disclosure

This PR was implemented with assistance from Claude Code as part of a focused contribution batch on hand-written and mmv1 fixes. The diff is 4 lines of YAML; it was reviewed manually against the GCP REST API documentation (URL parameters cannot be renamed via PATCH) and against the generated Go schema in tpg main (which currently has Required: true with no ForceNew on these fields, exactly matching the maintainer's diagnosis).

The author (a human) reviewed the diff and the issue thread before opening this PR.
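
The failure mode described in this PR, as a simplified Go model added here (not code from the PR, mmv1 or the provider). The fake API keyed by URL path, the project id `p`, the resource values and all helper names are constructed for illustration.

```go
package main

import "fmt"

// api is a constructed stand-in for a REST API whose resources are keyed by URL path.
type api map[string]map[string]string

func path(loc, name string) string {
	return "projects/p/locations/" + loc + "/addressGroups/" + name
}

// field mirrors the two schema flags discussed in the PR.
type field struct{ Required, ForceNew bool }

// apply plans and executes a change against the fake API. It returns the
// planned action and whether a read at the URL built from the new config succeeds.
func apply(a api, schema map[string]field, old, want map[string]string) (string, bool) {
	action := "update"
	for k, f := range schema {
		if f.ForceNew && old[k] != want[k] {
			action = "replace"
		}
	}
	if action == "replace" {
		delete(a, path(old["location"], old["name"])) // destroy, then create at the new path
		a[path(want["location"], want["name"])] = want
	} else {
		// PATCH is addressed by the existing identity, so it cannot move the resource.
		a[path(old["location"], old["name"])]["description"] = want["description"]
	}
	_, ok := a[path(want["location"], want["name"])]
	return action, ok
}

// run changes only location, with or without ForceNew on the URL parameters.
func run(forceNew bool) (string, bool) {
	old := map[string]string{"name": "ag", "location": "us-central1", "description": "d"}
	want := map[string]string{"name": "ag", "location": "europe-west1", "description": "d"}
	a := api{path(old["location"], old["name"]): old}
	schema := map[string]field{
		"name":     {Required: true, ForceNew: forceNew},
		"location": {Required: true, ForceNew: forceNew},
	}
	return apply(a, schema, old, want)
}

func main() {
	fmt.Println(run(false)) // in-place update, read-back at the new URL fails
	fmt.Println(run(true))  // replacement, read-back at the new URL succeeds
}
```
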

jcromanu and others added 11 commits May 8, 2026 16:43
…oogleCloudPlatform#17287)

The AddressGroup name and location are URL parameters and the API does
not support modifying them in place; changing either silently produces
an inconsistent-after-apply result. Add immutable: true on both the
organization-scoped (AddressGroup) and project-scoped (ProjectAddressGroup)
parameters so Terraform plans a replacement instead of an in-place update.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues.

google_network_security_address_group inconsistent result after apply
