/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
variable "attachments" {
  # Map of descriptive name => self link for every node the policy is bound
  # to. Hierarchical policies attach to folders/organization, network
  # policies to VPCs. The map keys are presumably used as the association
  # resource keys — confirm against main.tf before relying on them.
  type        = map(string)
  description = "Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy."
  nullable    = false
  default     = {}
}
variable "description" {
  # Free-form policy description; null means no description is set.
  type        = string
  description = "Policy description."
  default     = null
}
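variable "egress_rules" {
  # Egress rules keyed by rule name. Note the security-relevant defaults:
  #   - action defaults to "deny";
  #   - match.layer4_configs defaults to a single entry whose protocol is
  #     "all" and which carries no ports, i.e. a rule that does not set
  #     layer4_configs matches every protocol and port for its other
  #     selectors. Scope it explicitly when a narrower rule is intended.
  # Whether each match selector (address_groups, fqdns, region_codes,
  # threat_intelligences) is applied as a source or destination criterion for
  # egress is decided in main.tf, not here.
  description = "Map of egress rule definitions keyed by name, action can be 'allow', 'deny', 'goto_next' (default 'deny'). The match.layer4_configs list is in protocol => optional [ports] format and defaults to a single 'all' protocol entry."
  type = map(object({
    priority                = number
    action                  = optional(string, "deny")
    description             = optional(string)
    disabled                = optional(bool, false)
    enable_logging          = optional(bool)
    target_service_accounts = optional(list(string))
    target_tags             = optional(list(string))
    match = object({
      address_groups       = optional(list(string))
      fqdns                = optional(list(string))
      region_codes         = optional(list(string))
      threat_intelligences = optional(list(string))
      destination_ranges   = optional(list(string))
      source_ranges        = optional(list(string))
      source_tags          = optional(list(string))
      layer4_configs = optional(list(object({
        protocol = optional(string, "all")
        ports    = optional(list(string))
      })), [{}])
    })
  }))
  default  = {}
  nullable = false
  validation {
    # action is never null here because of its default, so contains() is safe.
    condition = alltrue([
      for k, v in var.egress_rules :
      contains(["allow", "deny", "goto_next"], v.action)
    ])
    error_message = "Action can only be one of 'allow', 'deny', 'goto_next'."
  }
  validation {
    # Firewall policy rules are addressed by priority within a policy, so two
    # rules sharing a priority cannot both be created; fail at plan time
    # instead of at apply. Collisions with ingress_rules priorities are not
    # checked here because a validation block can only inspect its own variable.
    condition = (
      length(distinct([for k, v in var.egress_rules : v.priority]))
      == length(var.egress_rules)
    )
    error_message = "Rule priorities must be unique within egress_rules."
  }
}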
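variable "ingress_rules" {
  # Ingress rules keyed by rule name. Note the security-relevant defaults:
  #   - action defaults to "allow" (unlike egress_rules, which defaults to
  #     "deny");
  #   - match.layer4_configs defaults to a single entry whose protocol is
  #     "all" and which carries no ports, so an ingress rule that leaves it
  #     unset and keeps the default action allows every protocol and port
  #     from whatever sources its other selectors match. Set protocol/ports
  #     explicitly for anything narrower than "everything".
  # Whether each match selector (address_groups, fqdns, region_codes,
  # threat_intelligences) is applied as a source or destination criterion for
  # ingress is decided in main.tf, not here.
  description = "Map of ingress rule definitions keyed by name, action can be 'allow', 'deny', 'goto_next' (default 'allow'). The match.layer4_configs list is in protocol => optional [ports] format and defaults to a single 'all' protocol entry."
  type = map(object({
    priority                = number
    action                  = optional(string, "allow")
    description             = optional(string)
    disabled                = optional(bool, false)
    enable_logging          = optional(bool)
    target_service_accounts = optional(list(string))
    target_tags             = optional(list(string))
    match = object({
      address_groups       = optional(list(string))
      fqdns                = optional(list(string))
      region_codes         = optional(list(string))
      threat_intelligences = optional(list(string))
      destination_ranges   = optional(list(string))
      source_ranges        = optional(list(string))
      source_tags          = optional(list(string))
      layer4_configs = optional(list(object({
        protocol = optional(string, "all")
        ports    = optional(list(string))
      })), [{}])
    })
  }))
  default  = {}
  nullable = false
  validation {
    # action is never null here because of its default, so contains() is safe.
    condition = alltrue([
      for k, v in var.ingress_rules :
      contains(["allow", "deny", "goto_next"], v.action)
    ])
    error_message = "Action can only be one of 'allow', 'deny', 'goto_next'."
  }
  validation {
    # Firewall policy rules are addressed by priority within a policy, so two
    # rules sharing a priority cannot both be created; fail at plan time
    # instead of at apply. Collisions with egress_rules priorities are not
    # checked here because a validation block can only inspect its own variable.
    condition = (
      length(distinct([for k, v in var.ingress_rules : v.priority]))
      == length(var.ingress_rules)
    )
    error_message = "Rule priorities must be unique within ingress_rules."
  }
}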
variable "name" {
  # Required: there is no default and null is rejected.
  type        = string
  description = "Policy name."
  nullable    = false
}
variable "parent_id" {
  # Where the policy resource itself is created. The accepted shapes are
  # documented below but not validated here, so a malformed value surfaces
  # only at plan/apply time from the provider.
  type        = string
  description = "Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy."
  nullable    = false
}
variable "region" {
  # null selects a hierarchical policy, "global" a global network policy, any
  # other value is presumably passed through as a regional network policy
  # region — confirm in main.tf.
  type        = string
  description = "Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy."
  default     = null
}
variable "rules_factory_config" {
  # All three paths are optional; an empty object disables the factory. The
  # files are presumably read and decoded by main.tf (their expected format
  # is not defined in this file), so treat the file content as part of the
  # policy definition and review it with the same care as these variables.
  type = object({
    cidr_file_path          = optional(string)
    egress_rules_file_path  = optional(string)
    ingress_rules_file_path = optional(string)
  })
  description = "Configuration for the optional rules factory."
  default     = {}
  nullable    = false
}