Issue #2011 - add support for target_resources in hierarchical policy for net-firewall-policy module. (#2012)
* Issue #2011 - Add support for target_resources in hierarchical firewall policy * Remove errant character in factory.tf
parent
1a8400e60e
commit
9c1afa6261
@ -249,20 +249,19 @@ issue-1995:
|
||||||
- 1-65535
|
- 1-65535
|
||||||
- protocol: icmp
|
- protocol: icmp
|
||||||
```
|
```
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [name](variables.tf#L100) | Policy name. | <code>string</code> | ✓ | |
|
| [name](variables.tf#L102) | Policy name. | <code>string</code> | ✓ | |
|
||||||
| [parent_id](variables.tf#L106) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | <code>string</code> | ✓ | |
|
| [parent_id](variables.tf#L108) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | <code>string</code> | ✓ | |
|
||||||
| [attachments](variables.tf#L17) | Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy. | <code>map(string)</code> | | <code>{}</code> |
|
| [attachments](variables.tf#L17) | Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [description](variables.tf#L24) | Policy description. | <code>string</code> | | <code>null</code> |
|
| [description](variables.tf#L24) | Policy description. | <code>string</code> | | <code>null</code> |
|
||||||
| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | <code title="map(object({ priority = number action = optional(string, "deny") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | <code title="map(object({ priority = number action = optional(string, "deny") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_resources = optional(list(string)) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [ingress_rules](variables.tf#L65) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | <code title="map(object({ priority = number action = optional(string, "allow") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [ingress_rules](variables.tf#L66) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | <code title="map(object({ priority = number action = optional(string, "allow") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_resources = optional(list(string)) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [region](variables.tf#L112) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | <code>string</code> | | <code>null</code> |
|
| [region](variables.tf#L114) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | <code>string</code> | | <code>null</code> |
|
||||||
| [rules_factory_config](variables.tf#L118) | Configuration for the optional rules factory. | <code title="object({ cidr_file_path = optional(string) egress_rules_file_path = optional(string) ingress_rules_file_path = optional(string) })">object({…})</code> | | <code>{}</code> |
|
| [rules_factory_config](variables.tf#L120) | Configuration for the optional rules factory. | <code title="object({ cidr_file_path = optional(string) egress_rules_file_path = optional(string) ingress_rules_file_path = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,7 @@ locals {
|
||||||
description = lookup(v, "description", null)
|
description = lookup(v, "description", null)
|
||||||
disabled = lookup(v, "disabled", false)
|
disabled = lookup(v, "disabled", false)
|
||||||
enable_logging = lookup(v, "enable_logging", null)
|
enable_logging = lookup(v, "enable_logging", null)
|
||||||
|
target_resources = lookup(v, "target_resources", null)
|
||||||
target_service_accounts = lookup(v, "target_service_accounts", null)
|
target_service_accounts = lookup(v, "target_service_accounts", null)
|
||||||
target_tags = lookup(v, "target_tags", null)
|
target_tags = lookup(v, "target_tags", null)
|
||||||
match = {
|
match = {
|
||||||
|
@ -77,6 +78,7 @@ locals {
|
||||||
description = lookup(v, "description", null)
|
description = lookup(v, "description", null)
|
||||||
disabled = lookup(v, "disabled", false)
|
disabled = lookup(v, "disabled", false)
|
||||||
enable_logging = lookup(v, "enable_logging", null)
|
enable_logging = lookup(v, "enable_logging", null)
|
||||||
|
target_resources = lookup(v, "target_resources", null)
|
||||||
target_service_accounts = lookup(v, "target_service_accounts", null)
|
target_service_accounts = lookup(v, "target_service_accounts", null)
|
||||||
target_tags = lookup(v, "target_tags", null)
|
target_tags = lookup(v, "target_tags", null)
|
||||||
match = {
|
match = {
|
||||||
|
|
|
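Review bot: The added `target_resources = lookup(v, "target_resources", null)` in both factory hunks silently tolerates a misspelled key in a factory YAML rule, and since `target_resources` is the attribute that narrows which networks a rule applies to, falling back to null means the rule is then applied with no network scoping instead of failing at plan time. The surrounding attributes use the same lookup pattern, so this is consistent with the file, but this one is a scoping control and deserves an explicit comment on the new line: `# null = no network scoping (hierarchical policy applies the rule to all networks under the attached node); unknown YAML keys are not rejected, so a typo here silently widens the rule`. The comprehension these lookups sit in begins before the hunk, so I cannot see whether keys are validated elsewhere.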
@ -40,6 +40,7 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
|
||||||
disabled = local.rules[each.key].disabled
|
disabled = local.rules[each.key].disabled
|
||||||
enable_logging = local.rules[each.key].enable_logging
|
enable_logging = local.rules[each.key].enable_logging
|
||||||
priority = local.rules[each.key].priority
|
priority = local.rules[each.key].priority
|
||||||
|
target_resources = local.rules[each.key].target_resources
|
||||||
target_service_accounts = local.rules[each.key].target_service_accounts
|
target_service_accounts = local.rules[each.key].target_service_accounts
|
||||||
match {
|
match {
|
||||||
dest_ip_ranges = local.rules[each.key].match.destination_ranges
|
dest_ip_ranges = local.rules[each.key].match.destination_ranges
|
||||||
|
|
|
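Review bot: `target_resources` is wired only into the `hierarchical` resource here, and the commit title confirms the network-policy variant is intentionally not covered, so if the network-policy rule resource in this file does not read `local.rules[each.key].target_resources`, a rule that sets it under a network policy is applied without that scoping and without any error. A `lifecycle { precondition }` on that resource with `condition = local.rules[each.key].target_resources == null` and `error_message = "target_resources is only supported for hierarchical policies."` would turn this into a plan-time failure. That resource is outside this hunk, so I cannot confirm whether it already guards against this, and the `resource "google_compute_firewall_policy_rule" "hierarchical"` block itself begins before the hunk.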
@ -35,6 +35,7 @@ variable "egress_rules" {
|
||||||
description = optional(string)
|
description = optional(string)
|
||||||
disabled = optional(bool, false)
|
disabled = optional(bool, false)
|
||||||
enable_logging = optional(bool)
|
enable_logging = optional(bool)
|
||||||
|
target_resources = optional(list(string))
|
||||||
target_service_accounts = optional(list(string))
|
target_service_accounts = optional(list(string))
|
||||||
target_tags = optional(list(string))
|
target_tags = optional(list(string))
|
||||||
match = object({
|
match = object({
|
||||||
|
@ -70,6 +71,7 @@ variable "ingress_rules" {
|
||||||
description = optional(string)
|
description = optional(string)
|
||||||
disabled = optional(bool, false)
|
disabled = optional(bool, false)
|
||||||
enable_logging = optional(bool)
|
enable_logging = optional(bool)
|
||||||
|
target_resources = optional(list(string))
|
||||||
target_service_accounts = optional(list(string))
|
target_service_accounts = optional(list(string))
|
||||||
target_tags = optional(list(string))
|
target_tags = optional(list(string))
|
||||||
match = object({
|
match = object({
|
||||||
|
|
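Review bot: The new `target_resources = optional(list(string))` attribute in both `egress_rules` and `ingress_rules` is undocumented: the variable descriptions still only explain `action` and the layer4 configs, and nothing tells a caller that the attribute applies to hierarchical policies only (per the commit title) or what the strings are expected to be (presumably network self links, which I cannot confirm from this hunk). I would extend each description, e.g. for ingress_rules: `List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. target_resources (network self links) only applies to hierarchical policies.` Both variable blocks begin before their hunks.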