fix logic for default source range in firewall ingress rules (#1815)

modules/net-vpc-firewall/README.md

@@ -7,6 +7,19 @@ This module allows creation and management of different types of firewall rules
 
 The predefined rules are enabled by default and set to the ranges of the GCP health checkers for HTTP/HTTPS, and the IAP forwarders for SSH. See the relevant section below on how to configure or disable them.
 
+<!-- BEGIN TOC -->
+- [Examples](#examples)
+  - [Minimal open firewall](#minimal-open-firewall)
+  - [Custom rules](#custom-rules)
+  - [Controlling or turning off default rules](#controlling-or-turning-off-default-rules)
+    - [Overriding default tags and ranges](#overriding-default-tags-and-ranges)
+    - [Disabling predefined rules](#disabling-predefined-rules)
+  - [Including source & destination ranges](#including-source-destination-ranges)
+  - [Rules Factory](#rules-factory)
+- [Variables](#variables)
+- [Outputs](#outputs)
+<!-- END TOC -->
+
 ## Examples
 
 ### Minimal open firewall

modules/net-vpc-firewall/main.tf

@@ -97,7 +97,7 @@ resource "google_compute_firewall" "custom-rules" {
   source_ranges = (
     each.value.direction == "INGRESS"
     ? (
-      each.value.source_ranges == null
+      each.value.source_ranges == null && each.value.sources == null
       ? ["0.0.0.0/0"]
       : each.value.source_ranges
     )

tests/modules/net_vpc_firewall/examples/factory.yaml

@@ -53,8 +53,6 @@ values:
     network: my-network
     priority: 1000
     project: my-project
-    source_ranges:
-    - 0.0.0.0/0
     source_service_accounts:
     - service-1@my-project.iam.gserviceaccount.com
     source_tags: null