IPS support for Firewall Policy (#2291)
* Adding apply_security_profile_group as an action option and allowing a security_profile_group to be provided. * Removing default null for optional variable. * Updating README. --------- Co-authored-by: Julio Castillo <jccb@google.com>
This commit is contained in:
parent
1ecd637932
commit
79b36b614b
|
@ -258,14 +258,14 @@ issue-1995:
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L113) | Policy name. | <code>string</code> | ✓ | |
|
||||
| [parent_id](variables.tf#L119) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L115) | Policy name. | <code>string</code> | ✓ | |
|
||||
| [parent_id](variables.tf#L121) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | <code>string</code> | ✓ | |
|
||||
| [attachments](variables.tf#L17) | Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [description](variables.tf#L24) | Policy description. | <code>string</code> | | <code>null</code> |
|
||||
| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | <code title="map(object({ priority = number action = optional(string, "deny") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_resources = optional(list(string)) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L66) | Paths to folders for the optional factories. | <code title="object({ cidr_file_path = optional(string) egress_rules_file_path = optional(string) ingress_rules_file_path = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L77) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | <code title="map(object({ priority = number action = optional(string, "allow") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_resources = optional(list(string)) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [region](variables.tf#L125) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | <code>string</code> | | <code>null</code> |
|
||||
| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format. | <code title="map(object({ priority = number action = optional(string, "deny") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) security_profile_group = optional(string) target_resources = optional(list(string)) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L67) | Paths to folders for the optional factories. | <code title="object({ cidr_file_path = optional(string) egress_rules_file_path = optional(string) ingress_rules_file_path = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L78) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. | <code title="map(object({ priority = number action = optional(string, "allow") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) security_profile_group = optional(string) target_resources = optional(list(string)) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [region](variables.tf#L127) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -35,6 +35,7 @@ locals {
|
|||
description = lookup(v, "description", null)
|
||||
disabled = lookup(v, "disabled", false)
|
||||
enable_logging = lookup(v, "enable_logging", null)
|
||||
security_profile_group = lookup(v, "security_profile_group", null)
|
||||
target_resources = lookup(v, "target_resources", null)
|
||||
target_service_accounts = lookup(v, "target_service_accounts", null)
|
||||
target_tags = lookup(v, "target_tags", null)
|
||||
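Review bot: The new `security_profile_group = lookup(v, "security_profile_group", null)` line reads the group from factory-sourced rule data without any check that it is paired with an `apply_security_profile_group` action, and the same line is added to the second `locals` hunk at `-80,6 +81,7`. The `contains([...], v.action)` validation added in variables.tf guards only the `egress_rules`/`ingress_rules` variables; presumably rules loaded from the factory files do not pass through it, so a file rule with that action and no group, or a group with a different action, would be reported only at apply time rather than at validate/plan. A short comment on the line, such as `# only meaningful when action == "apply_security_profile_group"; factory rules are not covered by the variable validation`, would make that gap visible until a matching check is added in the locals. Both enclosing `locals` blocks start and end outside their hunks.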
|
@ -80,6 +81,7 @@ locals {
|
|||
description = lookup(v, "description", null)
|
||||
disabled = lookup(v, "disabled", false)
|
||||
enable_logging = lookup(v, "enable_logging", null)
|
||||
security_profile_group = lookup(v, "security_profile_group", null)
|
||||
target_resources = lookup(v, "target_resources", null)
|
||||
target_service_accounts = lookup(v, "target_service_accounts", null)
|
||||
target_tags = lookup(v, "target_tags", null)
|
||||
|
|
|
@ -37,6 +37,7 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
|
|||
action = local.rules[each.key].action
|
||||
description = local.rules[each.key].description
|
||||
direction = local.rules[each.key].direction
|
||||
security_profile_group = local.rules[each.key].security_profile_group
|
||||
disabled = local.rules[each.key].disabled
|
||||
enable_logging = local.rules[each.key].enable_logging
|
||||
priority = local.rules[each.key].priority
|
||||
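Review bot: The new `security_profile_group = local.rules[each.key].security_profile_group` argument is placed between `direction` and `disabled`, which breaks the alphabetical argument order the surrounding lines follow (`action`, `description`, `direction`, `disabled`, `enable_logging`, `priority`); the same placement is repeated in the `net-global` hunk at `-44,6 +44,7` and the `net-regional` hunk at `-47,6 +47,7`. Moving the line after `priority` in all three resources keeps the blocks consistent and makes future diffs easier to read. The enclosing resource blocks start and end outside the hunks.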
|
|
|
@ -44,6 +44,7 @@ resource "google_compute_network_firewall_policy_rule" "net-global" {
|
|||
action = local.rules[each.key].action
|
||||
description = local.rules[each.key].description
|
||||
direction = local.rules[each.key].direction
|
||||
security_profile_group = local.rules[each.key].security_profile_group
|
||||
disabled = local.rules[each.key].disabled
|
||||
enable_logging = local.rules[each.key].enable_logging
|
||||
priority = local.rules[each.key].priority
|
||||
|
|
|
@ -47,6 +47,7 @@ resource "google_compute_region_network_firewall_policy_rule" "net-regional" {
|
|||
action = local.rules[each.key].action
|
||||
description = local.rules[each.key].description
|
||||
direction = local.rules[each.key].direction
|
||||
security_profile_group = local.rules[each.key].security_profile_group
|
||||
disabled = local.rules[each.key].disabled
|
||||
enable_logging = local.rules[each.key].enable_logging
|
||||
priority = local.rules[each.key].priority
|
||||
|
|
|
@ -28,13 +28,14 @@ variable "description" {
|
|||
}
|
||||
|
||||
variable "egress_rules" {
|
||||
description = "List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format."
|
||||
description = "List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format."
|
||||
type = map(object({
|
||||
priority = number
|
||||
action = optional(string, "deny")
|
||||
description = optional(string)
|
||||
disabled = optional(bool, false)
|
||||
enable_logging = optional(bool)
|
||||
security_profile_group = optional(string)
|
||||
target_resources = optional(list(string))
|
||||
target_service_accounts = optional(list(string))
|
||||
target_tags = optional(list(string))
|
||||
|
@ -57,9 +58,9 @@ variable "egress_rules" {
|
|||
validation {
|
||||
condition = alltrue([
|
||||
for k, v in var.egress_rules :
|
||||
contains(["allow", "deny", "goto_next"], v.action)
|
||||
contains(["allow", "deny", "goto_next", "apply_security_profile_group"], v.action)
|
||||
])
|
||||
error_message = "Action can only be one of 'allow', 'deny', 'goto_next'."
|
||||
error_message = "Action can only be one of 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -75,13 +76,14 @@ variable "factories_config" {
|
|||
}
|
||||
|
||||
variable "ingress_rules" {
|
||||
description = "List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'."
|
||||
description = "List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
|
||||
type = map(object({
|
||||
priority = number
|
||||
action = optional(string, "allow")
|
||||
description = optional(string)
|
||||
disabled = optional(bool, false)
|
||||
enable_logging = optional(bool)
|
||||
security_profile_group = optional(string)
|
||||
target_resources = optional(list(string))
|
||||
target_service_accounts = optional(list(string))
|
||||
target_tags = optional(list(string))
|
||||
|
@ -104,9 +106,9 @@ variable "ingress_rules" {
|
|||
validation {
|
||||
condition = alltrue([
|
||||
for k, v in var.ingress_rules :
|
||||
contains(["allow", "deny", "goto_next"], v.action)
|
||||
contains(["allow", "deny", "goto_next", "apply_security_profile_group"], v.action)
|
||||
])
|
||||
error_message = "Action can only be one of 'allow', 'deny', 'goto_next'."
|
||||
error_message = "Action can only be one of 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
|
||||
}
|
||||
}
|
||||
|
||||
|
|