From 18af929331d65a8056a0bf865023462e9fb030f0 Mon Sep 17 00:00:00 2001
From: Richard Olson
Date: Wed, 23 Aug 2023 20:58:07 +1000
Subject: [PATCH 1/3] add name to factory rules
---
 modules/net-firewall-policy/factory.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/net-firewall-policy/factory.tf b/modules/net-firewall-policy/factory.tf
index 4a9c8558..32d9bf0b 100644
--- a/modules/net-firewall-policy/factory.tf
+++ b/modules/net-firewall-policy/factory.tf
@@ -28,6 +28,7 @@ locals {
 for k, v in local._factory_egress_rules : "egress/${k}" => {
 action = "deny"
 direction = "EGRESS"
+ name = k
 priority = v.priority
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
@@ -71,6 +72,7 @@ locals {
 for k, v in local._factory_ingress_rules : "ingress/${k}" => {
 action = "allow"
 direction = "INGRESS"
+ name = k
 priority = v.priority
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
From def012d32ef529ee8178d0b05c317e32a1f2190b Mon Sep 17 00:00:00 2001
From: Richard Olson
Date: Wed, 23 Aug 2023 21:08:23 +1000
Subject: [PATCH 2/3] customisable rule action
---
 modules/net-firewall-policy/factory.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/net-firewall-policy/factory.tf b/modules/net-firewall-policy/factory.tf
index 32d9bf0b..9672381f 100644
--- a/modules/net-firewall-policy/factory.tf
+++ b/modules/net-firewall-policy/factory.tf
@@ -26,10 +26,10 @@ locals {
 )
 factory_egress_rules = {
 for k, v in local._factory_egress_rules : "egress/${k}" => {
- action = "deny"
 direction = "EGRESS"
 name = k
 priority = v.priority
+ action = lookup(v, "action", "deny")
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
 enable_logging = lookup(v, "enable_logging", null)
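Review bot: The new `name = k` line derives the rule name from the factory map key with no comment on what that key may contain, and nothing in the hunk shows whether `k` already satisfies the naming constraints of the rule resource it ends up in (how `local._factory_egress_rules` is built is outside the hunk). Since the same `k` already forms the `"egress/${k}"` map key the two stay in sync, but a reader cannot tell whether a file name or YAML key with characters the API rejects would only surface at apply time. A short comment would help, e.g. `# rule name comes from the factory key; it must be a valid rule name for the underlying resource`, and the same applies to the ingress hunk below in this patch. The enclosing `locals` block starts and ends outside the hunk.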
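Review bot: `action = lookup(v, "action", "deny")` passes whatever the factory file supplies straight through with no check against the values the rule accepts, so a typo such as `Allow` is likely reported only at apply time rather than at plan; if the module's variable for explicitly declared rules already carries a `validation` block for `action` (not visible here), mirroring it with a `precondition` or routing factory rules through that same validated shape keeps the two input paths consistent. The same applies to the ingress hunk of this patch and to the hunk in patch 3/3. The series also introduces two new factory keys, `name` in patch 1/3 and `action` here, without touching the module README or the factory examples, which should state the accepted values and the per-direction default. As a point of style, `action` moved from the top of the object to below `priority`, separating it from `direction` which it logically pairs with; keeping it adjacent would read more naturally. The enclosing `locals` block starts and ends outside the hunk.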
@@ -70,10 +70,10 @@ locals {
 }
 factory_ingress_rules = {
 for k, v in local._factory_ingress_rules : "ingress/${k}" => {
- action = "allow"
 direction = "INGRESS"
 name = k
 priority = v.priority
+ action = lookup(v, "action", "deny")
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
 enable_logging = lookup(v, "enable_logging", null)
From 2f4b141d7ad804db3dc309aad3794b2b32ad4b9c Mon Sep 17 00:00:00 2001
From: Richard Olson
Date: Wed, 23 Aug 2023 21:17:47 +1000
Subject: [PATCH 3/3] switch default behaviour for ingress
---
 modules/net-firewall-policy/factory.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/net-firewall-policy/factory.tf b/modules/net-firewall-policy/factory.tf
index 9672381f..4c22775a 100644
--- a/modules/net-firewall-policy/factory.tf
+++ b/modules/net-firewall-policy/factory.tf
@@ -73,7 +73,7 @@ locals {
 direction = "INGRESS"
 name = k
 priority = v.priority
- action = lookup(v, "action", "deny")
+ action = lookup(v, "action", "allow")
 description = lookup(v, "description", null)
 disabled = lookup(v, "disabled", false)
 enable_logging = lookup(v, "enable_logging", null)
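Review bot: After this change an ingress rule whose YAML omits `action` is allowed while an egress rule omitting it is denied, so the two loops in factory.tf now carry opposite implicit defaults and that asymmetry is only discoverable by reading both of them. Because an implicit allow on ingress is the more consequential of the two, a comment on this line such as `# factory ingress rules allow by default; egress rules deny when "action" is omitted` plus matching text in the README would make the behaviour explicit, and a reviewer could then decide whether `action` should instead be a required key for ingress rules so that every allow is written out. The enclosing `locals` block starts and ends outside the hunk.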