From 9c1afa62616a005c806854be74248232ad4a0c7d Mon Sep 17 00:00:00 2001 From: Blake Corbitt <157174302+bcorbitt-ps@users.noreply.github.com> Date: Thu, 25 Jan 2024 10:56:17 -0700 Subject: [PATCH] Issue #2011 - add support for target_resources in hierarchical policy for net-firewall-policy module. (#2012) * Issue #2011 - Add support for target_resources in hierarchical firewall policy * Removing errant character in factory.tf --- modules/net-firewall-policy/README.md | 13 ++++++------- modules/net-firewall-policy/factory.tf | 2 ++ modules/net-firewall-policy/hierarchical.tf | 1 + modules/net-firewall-policy/variables.tf | 2 ++ 4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/modules/net-firewall-policy/README.md b/modules/net-firewall-policy/README.md
index cc624282..ab4d1a0c 100644
--- a/modules/net-firewall-policy/README.md
+++ b/modules/net-firewall-policy/README.md
@@ -249,20 +249,19 @@ issue-1995: - 1-65535 - protocol: icmp ``` - ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L100) | Policy name. | string | ✓ | | -| [parent_id](variables.tf#L106) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | string | ✓ | | +| [name](variables.tf#L102) | Policy name. | string | ✓ | | +| [parent_id](variables.tf#L108) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | string | ✓ | | | [attachments](variables.tf#L17) | Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy. | map(string) | | {} | | [description](variables.tf#L24) | Policy description. | string | | null | -| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | map(object({…})) | | {} | -| [ingress_rules](variables.tf#L65) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | map(object({…})) | | {} | -| [region](variables.tf#L112) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | string | | null | -| [rules_factory_config](variables.tf#L118) | Configuration for the optional rules factory. | object({…}) | | {} | +| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | map(object({…})) | | {} | +| [ingress_rules](variables.tf#L66) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. 
| map(object({…})) | | {} |
+| [region](variables.tf#L114) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | string | | null |
+| [rules_factory_config](variables.tf#L120) | Configuration for the optional rules factory. | object({…}) | | {} |
 ## Outputs
diff --git a/modules/net-firewall-policy/factory.tf b/modules/net-firewall-policy/factory.tf
index 01c27da9..be065b9b 100644
--- a/modules/net-firewall-policy/factory.tf
+++ b/modules/net-firewall-policy/factory.tf
@@ -33,6 +33,7 @@ locals {
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
 enable_logging = lookup(v, "enable_logging", null)
+ target_resources = lookup(v, "target_resources", null)
 target_service_accounts = lookup(v, "target_service_accounts", null)
 target_tags = lookup(v, "target_tags", null)
 match = {
@@ -77,6 +78,7 @@ locals {
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
 enable_logging = lookup(v, "enable_logging", null)
+ target_resources = lookup(v, "target_resources", null)
 target_service_accounts = lookup(v, "target_service_accounts", null)
 target_tags = lookup(v, "target_tags", null)
 match = {
diff --git a/modules/net-firewall-policy/hierarchical.tf b/modules/net-firewall-policy/hierarchical.tf
index 44238560..8311bfdc 100644
--- a/modules/net-firewall-policy/hierarchical.tf
+++ b/modules/net-firewall-policy/hierarchical.tf
@@ -40,6 +40,7 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
 disabled = local.rules[each.key].disabled
 enable_logging = local.rules[each.key].enable_logging
 priority = local.rules[each.key].priority
+ target_resources = local.rules[each.key].target_resources
 target_service_accounts = local.rules[each.key].target_service_accounts
 match {
 dest_ip_ranges = local.rules[each.key].match.destination_ranges
diff --git a/modules/net-firewall-policy/variables.tf b/modules/net-firewall-policy/variables.tf
index 891c0af4..c419d7c0 100644
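Review bot: The new `target_resources` key is read from the factory YAML with `lookup(v, "target_resources", null)` but nothing in this commit documents what value it takes or when it is honored; the README hunk only renumbers the variables.tf anchors. I would add a comment above the added lookup, `# target_resources: list of VPC network self-links the rule is scoped to; only wired into hierarchical rules`, and the matching entry in the rules-factory section of the README. Since the factory accepts the key for both ingress and egress rules while the commit only wires it into hierarchical.tf, it is worth stating explicitly whether a network (non-hierarchical) policy silently drops it — I cannot see net.tf from this diff, so that needs confirming. The `locals` block begins before the hunk and continues past it.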
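Review bot: `target_resources` is passed straight from `local.rules[each.key]` to the provider with no guard, and factory.tf defaults it to `null`, so a rule that sets neither `target_resources` nor `target_service_accounts` keeps the previous, widest scope for the hierarchical policy. Now that narrower scoping exists, the added line deserves a why-comment so operators do not assume a default-narrow behavior: `# null keeps the rule unscoped (all networks under the attachment point); pass network self-links to narrow it`. As I read the provider, this attribute expects network resource paths rather than short names, and a short name would only fail at apply time — worth noting here or enforcing in variables.tf. The `google_compute_firewall_policy_rule.hierarchical` block starts before the hunk and continues after it.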
--- a/modules/net-firewall-policy/variables.tf
+++ b/modules/net-firewall-policy/variables.tf
@@ -35,6 +35,7 @@ variable "egress_rules" {
 description = optional(string)
 disabled = optional(bool, false)
 enable_logging = optional(bool)
+ target_resources = optional(list(string))
 target_service_accounts = optional(list(string))
 target_tags = optional(list(string))
 match = object({
@@ -70,6 +71,7 @@ variable "ingress_rules" {
 description = optional(string)
 disabled = optional(bool, false)
 enable_logging = optional(bool)
+ target_resources = optional(list(string))
 target_service_accounts = optional(list(string))
 target_tags = optional(list(string))
 match = object({
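Review bot: The added `target_resources = optional(list(string))` carries no validation, so a short network name such as `"my-vpc"` passes `terraform plan` and, as I read the provider, is rejected only at apply time because the attribute takes network resource paths or self-links. A `validation` block on `egress_rules` (it belongs after the `type`, outside this hunk) would fail fast, and the variable's `description` should say that the attribute is only applied to hierarchical policies since this commit wires it into hierarchical.tf only. The `variable "egress_rules"` block begins and ends outside the hunk; the same gap exists for `ingress_rules` in the second hunk.

```hcl
variable "egress_rules" {
  # … unchanged: description and type object …
  validation {
    condition = alltrue([
      for k, v in var.egress_rules : v.target_resources == null || alltrue([
        for r in v.target_resources : can(regex("/global/networks/[^/]+$", r))
      ])
    ])
    error_message = "target_resources entries must be VPC network self-links (…/global/networks/NAME)."
  }
}
```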