diff --git a/factories/firewall-hierarchical-policies/README.md b/factories/firewall-hierarchical-policies/README.md
index f75be55a..b6f7cb8a 100644
--- a/factories/firewall-hierarchical-policies/README.md
+++ b/factories/firewall-hierarchical-policies/README.md
@@ -65,9 +65,12 @@ allow-icmp:
action: allow
# Priority (must be unique on a node)
priority: 1000
- # List of CIDRs this rule applies to
+ # List of CIDRs this rule applies to (for INGRESS rules)
source_ranges:
- 0.0.0.0/0
+ # List of CIDRs this rule applies to (for EGRESS rules)
+ destination_ranges:
+ - 0.0.0.0/0
# List of ports this rule applies to (empty array means all ports)
ports:
tcp: []
@@ -148,14 +151,14 @@ web_frontends:
## Variables
-| name | description | type | required | default |
-|---|---|:---: |:---:|:---:|
-| config_folder | Relative path of the folder containing the hierarchical firewall configuration | string
| ✓ | |
-| templates_folder | Relative path of the folder containing the cidr/service account templates | string
| ✓ | |
+| name | description | type | required | default |
+| ---------------- | ------------------------------------------------------------------------------ | :--------------------------: | :------: | :-----: |
+| config_folder | Relative path of the folder containing the hierarchical firewall configuration | string
| ✓ | |
+| templates_folder | Relative path of the folder containing the cidr/service account templates | string
| ✓ | |
## Outputs
-| name | description | sensitive |
-|---|---|:---:|
-| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules | |
+| name | description | sensitive |
+| --------------------------- | ------------------------------------- | :-------: |
+| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules | |
diff --git a/factories/firewall-hierarchical-policies/main.tf b/factories/firewall-hierarchical-policies/main.tf
index ec3a6431..3b049236 100644
--- a/factories/firewall-hierarchical-policies/main.tf
+++ b/factories/firewall-hierarchical-policies/main.tf
@@ -59,17 +59,16 @@ locals {
])
}
-resource "google_compute_organization_security_policy" "default" {
- provider = google-beta
- for_each = { for rule in local.rules : rule.parent_id => rule.name... }
- display_name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
- parent = each.key
+resource "google_compute_firewall_policy" "default" {
+ for_each = { for rule in local.rules : rule.parent_id => rule.name... }
+ short_name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
+ description = replace("hierarchical-fw-policy-${each.key}", "/", "-")
+ parent = each.key
}
-resource "google_compute_organization_security_policy_rule" "default" {
- provider = google-beta
+resource "google_compute_firewall_policy_rule" "default" {
for_each = { for rule in local.rules : "${rule.parent_id}-${rule.name}" => rule }
- policy_id = google_compute_organization_security_policy.default[each.value.parent_id].id
+ firewall_policy = google_compute_firewall_policy.default[each.value.parent_id].id
action = each.value.action
direction = each.value.direction
priority = each.value.priority
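Review bot: The policy name expression `replace("hierarchical-fw-policy-${each.key}", "/", "-")` is now written out three times — for `short_name` and `description` here, and again for the association `name` in the next hunk — so the three copies can drift apart on a later edit. A single local keyed by parent id, e.g. `policy_names = { for p in distinct([for r in local.rules : r.parent_id]) : p => replace("hierarchical-fw-policy-${p}", "/", "-") }`, would give one definition to reference from all three resources. Reusing the same string as `description` also carries no information beyond `short_name`; a short sentence stating that the policy is generated by this factory would be more useful to someone reading it in the console. This is a style point; behaviour is unchanged.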
@@ -78,24 +77,22 @@ resource "google_compute_organization_security_policy_rule" "default" {
enable_logging = try(each.value.enable_logging, false)
# preview = each.value.preview
match {
- config {
- src_ip_ranges = each.value.source_ranges
- dynamic "layer4_config" {
- for_each = each.value.ports
- iterator = port
- content {
- ip_protocol = port.key
- ports = port.value
- }
+ src_ip_ranges = each.value.direction == "INGRESS" ? each.value.source_ranges : null
+ dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.destination_ranges : null
+ dynamic "layer4_configs" {
+ for_each = each.value.ports
+ iterator = port
+ content {
+ ip_protocol = port.key
+ ports = port.value
}
}
}
}
-resource "google_compute_organization_security_policy_association" "default" {
- provider = google-beta
- for_each = { for rule in local.rules : rule.parent_id => rule.name... }
- name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
- attachment_id = google_compute_organization_security_policy.default[each.key].parent
- policy_id = google_compute_organization_security_policy.default[each.key].id
+resource "google_compute_firewall_policy_association" "default" {
+ for_each = { for rule in local.rules : rule.parent_id => rule.name... }
+ name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
+ attachment_target = google_compute_firewall_policy.default[each.key].parent
+ firewall_policy = google_compute_firewall_policy.default[each.key].id
}
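Review bot: The new `src_ip_ranges` / `dest_ip_ranges` lines silently discard a range list whose key does not match the rule's `direction`: an EGRESS rule written with only `source_ranges` (the key every pre-existing README example uses) ends up with no IP-range condition at all instead of failing at plan time, and if the API accepts a rule without ranges that is a wider match than the author wrote. Both ternary branches also read `each.value.source_ranges` and `each.value.destination_ranges` unconditionally, so unless the locals that build `local.rules` (outside this hunk) default both keys, a rule YAML that omits one of them fails with an unsupported-attribute error; `try(..., null)` on both avoids that. If the required Terraform version permits it, a `lifecycle` precondition rejecting a rule whose supplied range key disagrees with its direction would turn the silent drop into a plan error. The enclosing `google_compute_firewall_policy_rule` resource begins in the previous hunk.
```terraform
  match {
    src_ip_ranges  = each.value.direction == "INGRESS" ? try(each.value.source_ranges, null) : null
    dest_ip_ranges = each.value.direction == "EGRESS" ? try(each.value.destination_ranges, null) : null
    # … unchanged: layer4_configs dynamic block …
  }

  lifecycle {
    precondition {
      condition = (
        each.value.direction == "INGRESS"
        ? try(each.value.destination_ranges, null) == null
        : try(each.value.source_ranges, null) == null
      )
      error_message = "Rule ${each.key}: the range key supplied must match direction ${each.value.direction}."
    }
  }
```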
diff --git a/factories/firewall-hierarchical-policies/outputs.tf b/factories/firewall-hierarchical-policies/outputs.tf
index 25062aaf..42d6738d 100644
--- a/factories/firewall-hierarchical-policies/outputs.tf
+++ b/factories/firewall-hierarchical-policies/outputs.tf
@@ -17,11 +17,10 @@
output "hierarchical-firewall-rules" {
description = "Generated Hierarchical Firewall Rules"
value = {
- for k, v in google_compute_organization_security_policy_rule.default :
+ for k, v in google_compute_firewall_policy_rule.default :
k => {
- parent_id = split("-", k)[0]
- id = v.id
- description = v.match[0].description
+ parent_id = split("-", k)[0]
+ id = v.id
}
}
}
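Review bot: The new output value drops the `description` field, so any caller reading `hierarchical-firewall-rules[...].description` breaks, and neither the README Outputs table (only reformatted in this commit) nor the commit text records the schema change. If the rule resource still carries a description (its argument list between `priority` and `enable_logging` is outside the visible hunks), exposing `v.description` in place of the removed `v.match[0].description` keeps the output compatible; otherwise a line in the README stating that each entry now holds only `parent_id` and `id` is warranted.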
diff --git a/tests/factories/firewall_hierarchical_policies/test_plan.py b/tests/factories/firewall_hierarchical_policies/test_plan.py
index da4de986..aef8ec1d 100644
--- a/tests/factories/firewall_hierarchical_policies/test_plan.py
+++ b/tests/factories/firewall_hierarchical_policies/test_plan.py
@@ -25,25 +25,31 @@ def test_firewall(plan_runner):
_, resources = plan_runner(FIXTURES_DIR)
assert len(resources) == 6
assert set(r["type"] for r in resources) == set([
- "google_compute_organization_security_policy_rule", "google_compute_organization_security_policy_association", "google_compute_organization_security_policy"
+ "google_compute_firewall_policy_rule", "google_compute_firewall_policy_association", "google_compute_firewall_policy"
])
rule_ssh = [r["values"] for r in resources if r["type"] ==
- "google_compute_organization_security_policy_rule" and r["values"]["priority"] == 1001]
+ "google_compute_firewall_policy_rule"
+ and r["values"]["priority"] == 1001]
rule_icmp = [r["values"] for r in resources if r["type"] ==
- "google_compute_organization_security_policy_rule" and r["values"]["priority"] == 1000]
+ "google_compute_firewall_policy_rule"
+ and r["values"]["priority"] == 1000]
association_org = [r["values"] for r in resources if r["type"] ==
- "google_compute_organization_security_policy_association" and r["values"]["attachment_id"] == "organizations/1234567890"]
+ "google_compute_firewall_policy_association"
+ and r["values"]["attachment_target"] == "organizations/1234567890"]
association_folder = [r["values"] for r in resources if r["type"] ==
- "google_compute_organization_security_policy_association" and r["values"]["attachment_id"] == "folders/0987654321"]
+ "google_compute_firewall_policy_association"
+ and r["values"]["attachment_target"] == "folders/0987654321"]
policies_org = [r["values"] for r in resources if r["type"] ==
- "google_compute_organization_security_policy" and r["values"]["parent"] == "organizations/1234567890"]
+ "google_compute_firewall_policy"
+ and r["values"]["parent"] == "organizations/1234567890"]
policies_folder = [r["values"] for r in resources if r["type"] ==
- "google_compute_organization_security_policy" and r["values"]["parent"] == "folders/0987654321"]
+ "google_compute_firewall_policy"
+ and r["values"]["parent"] == "folders/0987654321"]
- assert set(rule_ssh[0]["match"][0]["config"][0]["src_ip_ranges"]) == set(
+ assert set(rule_ssh[0]["match"][0]["src_ip_ranges"]) == set(
["10.0.0.0/24", "10.0.10.0/24", "192.168.1.1/32"])
- assert rule_icmp[0]["match"][0]["config"][0]["layer4_config"][0]["ip_protocol"] == "icmp"
+ assert rule_icmp[0]["match"][0]["layer4_configs"][0]["ip_protocol"] == "icmp"
assert association_org[0]["name"] == "hierarchical-fw-policy-organizations-1234567890"
assert association_folder[0]["name"] == "hierarchical-fw-policy-folders-0987654321"
- assert policies_org[0]["display_name"] == "hierarchical-fw-policy-organizations-1234567890"
- assert policies_folder[0]["display_name"] == "hierarchical-fw-policy-folders-0987654321"
+ assert policies_org[0]["short_name"] == "hierarchical-fw-policy-organizations-1234567890"
+ assert policies_folder[0]["short_name"] == "hierarchical-fw-policy-folders-0987654321"
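Review bot: The assertions index `rule_ssh[0]`, `rule_icmp[0]`, `association_org[0]`, `association_folder[0]`, `policies_org[0]` and `policies_folder[0]` without first checking that the filtered lists are non-empty, so a plan that loses one of those resources fails with an `IndexError` rather than an assertion that names the missing resource; one `assert len(rule_ssh) == 1` per list, or a small helper `def _one(resources, rtype, **attrs):` that returns the single matching `values` dict, would make the failure readable and also remove the six near-identical filter comprehensions. The new `dest_ip_ranges` branch in main.tf is not exercised here: the fixture appears to contain only INGRESS rules (the ssh and icmp assertions check `src_ip_ranges` and `layer4_configs` only), so a regression in the EGRESS path would pass this test; an EGRESS fixture rule with an assertion on `rule["match"][0]["dest_ip_ranges"]` would close that gap. `test_firewall` begins before this hunk.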