2023-03-10 00:21:49 -08:00
# Google Cloud Network Firewall Policies
This module allows creation and management of a [global ](https://cloud.google.com/vpc/docs/network-firewall-policies ) or [regional ](https://cloud.google.com/vpc/docs/regional-firewall-policies ) network firewall policy, including its associations and rules.
The module interface deviates slightly from the [`net-vpc-firewall` ](../net-vpc-firewall/ ) module since the underlying resources and API objects are different.
It also makes fewer assumptions about implicit defaults, only using one to set `match.layer4_configs` to `[{ protocol = "all" }]` if no explicit set of protocols and ports has been specified.
A factory implementation will be added in a subsequent release.
## Example
```hcl
2023-03-17 00:14:09 -07:00
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "my-network"
}
2023-03-10 00:21:49 -08:00
module "firewall-policy" {
source = "./fabric/modules/net-vpc-firewall-policy"
name = "test-1"
project_id = "my-project"
# specify a region to create and manage a regional policy
# region = "europe-west8"
2023-03-17 00:14:09 -07:00
target_vpcs = {
my-vpc = module.vpc.self_link
}
2023-03-10 00:21:49 -08:00
egress_rules = {
smtp = {
priority = 900
match = {
destination_ranges = ["0.0.0.0/0"]
layer4_configs = [{ protocol = "tcp", ports = ["25"] }]
}
}
}
ingress_rules = {
icmp = {
priority = 1000
match = {
source_ranges = ["0.0.0.0/0"]
layer4_configs = [{ protocol = "icmp" }]
}
}
mgmt = {
priority = 1001
match = {
source_ranges = ["10.1.1.0/24"]
}
}
ssh = {
priority = 1002
match = {
source_ranges = ["10.0.0.0/8"]
# source_tags = ["tagValues/123456"]
layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
}
}
}
}
2023-03-17 00:14:09 -07:00
# tftest modules=2 resources=7
2023-03-10 00:21:49 -08:00
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name ](variables.tf#L98 ) | Policy name. | < code > string</ code > | ✓ | |
| [project_id ](variables.tf#L104 ) | Project id of the project that holds the network. | < code > string</ code > | ✓ | |
| [description ](variables.tf#L17 ) | Policy description. | < code > string</ code > | | < code > null</ code > |
| [egress_rules ](variables.tf#L23 ) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | < code title = "map(object({ priority = number action = optional(string, "deny") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [ingress_rules ](variables.tf#L60 ) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | < code title = "map(object({ priority = number action = optional(string, "allow") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [region ](variables.tf#L110 ) | Policy region. Leave null for global policy. | < code > string</ code > | | < code > null</ code > |
2023-03-17 00:14:09 -07:00
| [target_vpcs ](variables.tf#L116 ) | VPC ids to which this policy will be attached, in descriptive name => self link format. | < code > map( string) </ code > | | < code > {} </ code > |
2023-03-10 00:21:49 -08:00
<!-- END TFDOC -->