diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 5d3848bc..4cd34290 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -424,27 +424,27 @@ module "vpc" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L71) | The name of the network being created. | string
| ✓ | |
-| [project_id](variables.tf#L87) | The ID of the project where this VPC will be created. | string
| ✓ | |
+| [name](variables.tf#L72) | The name of the network being created. | string
| ✓ | |
+| [project_id](variables.tf#L88) | The ID of the project where this VPC will be created. | string
| ✓ | |
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool
| | false
|
| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | string
| | null
|
| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | bool
| | false
|
| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | string
| | "Terraform-managed."
|
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | object({…})
| | null
|
-| [firewall_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string
| | "AFTER_CLASSIC_FIREWALL"
|
-| [mtu](variables.tf#L65) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number
| | null
|
-| [peering_config](variables.tf#L76) | VPC peering configuration. | object({…})
| | null
|
-| [psa_config](variables.tf#L92) | The Private Service Access configuration for Service Networking. | object({…})
| | null
|
-| [routes](variables.tf#L102) | Network routes, keyed by name. | map(object({…}))
| | {}
|
-| [routing_mode](variables.tf#L122) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
-| [shared_vpc_host](variables.tf#L132) | Enable shared VPC for this project. | bool
| | false
|
-| [shared_vpc_service_projects](variables.tf#L138) | Shared VPC service projects to register with this host. | list(string)
| | []
|
-| [subnet_iam](variables.tf#L144) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string)))
| | {}
|
-| [subnet_iam_additive](variables.tf#L150) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
-| [subnets](variables.tf#L157) | Subnet configuration. | list(object({…}))
| | []
|
-| [subnets_proxy_only](variables.tf#L182) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
-| [subnets_psc](variables.tf#L194) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
-| [vpc_create](variables.tf#L205) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
+| [firewall_policy_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string
| | "AFTER_CLASSIC_FIREWALL"
|
+| [mtu](variables.tf#L66) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number
| | null
|
+| [peering_config](variables.tf#L77) | VPC peering configuration. | object({…})
| | null
|
+| [psa_config](variables.tf#L93) | The Private Service Access configuration for Service Networking. | object({…})
| | null
|
+| [routes](variables.tf#L103) | Network routes, keyed by name. | map(object({…}))
| | {}
|
+| [routing_mode](variables.tf#L123) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
+| [shared_vpc_host](variables.tf#L133) | Enable shared VPC for this project. | bool
| | false
|
+| [shared_vpc_service_projects](variables.tf#L139) | Shared VPC service projects to register with this host. | list(string)
| | []
|
+| [subnet_iam](variables.tf#L145) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string)))
| | {}
|
+| [subnet_iam_additive](variables.tf#L151) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
+| [subnets](variables.tf#L158) | Subnet configuration. | list(object({…}))
| | []
|
+| [subnets_proxy_only](variables.tf#L183) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
+| [subnets_psc](variables.tf#L195) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
+| [vpc_create](variables.tf#L206) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
## Outputs
diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf
index aa52cd97..60dcd6a9 100644
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -42,8 +42,7 @@ resource "google_compute_network" "network" {
delete_default_routes_on_create = var.delete_default_routes_on_create
mtu = var.mtu
routing_mode = var.routing_mode
- network_firewall_policy_enforcement_order = var.firewall_enforcement_order
-
+ network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
}
resource "google_compute_network_peering" "local" {
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 32ae43d9..8f0f3ab4 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -51,13 +51,14 @@ variable "dns_policy" {
default = null
}
-variable "firewall_enforcement_order" {
+variable "firewall_policy_enforcement_order" {
description = "Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'."
type = string
+ nullable = false
default = "AFTER_CLASSIC_FIREWALL"
validation {
- condition = var.firewall_enforcement_order == "BEFORE_CLASSIC_FIREWALL" || var.firewall_enforcement_order == "AFTER_CLASSIC_FIREWALL"
+ condition = var.firewall_policy_enforcement_order == "BEFORE_CLASSIC_FIREWALL" || var.firewall_policy_enforcement_order == "AFTER_CLASSIC_FIREWALL"
error_message = "Enforcement order must be BEFORE_CLASSIC_FIREWALL or AFTER_CLASSIC_FIREWALL."
}
}