logging for default ingress rules in FAST (#2030)

* Add default ingress deny rule with logging to FAST net stages.

Fixes #2024

* Allow firewall factory to omit rules key

* Fix tests

* Fix fast tests

* fix fast tests

fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  trusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  untrusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  trusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  untrusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml

@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false

modules/net-vpc-firewall/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,7 @@ locals {
         for name, rule in ruleset : {
           name                 = name
           deny                 = try(rule.deny, false)
-          rules                = try(rule.rules, [{ protocol = "all" }])
+          rules                = try(rule.rules, [{ protocol = "all", ports = null }])
           description          = try(rule.description, null)
           destination_ranges   = try(rule.destination_ranges, null)
           direction            = upper(direction)

tests/fast/stages/s2_networking_a_peering/stage.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 28
+  modules: 29
-  resources: 148
+  resources: 151

tests/fast/stages/s2_networking_b_vpn/stage.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 30
+  modules: 31
-  resources: 185
+  resources: 188

tests/fast/stages/s2_networking_c_nva/stage.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 42
+  modules: 43
-  resources: 195
+  resources: 199

tests/fast/stages/s2_networking_d_separate_envs/stage.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 21
+  modules: 22
-  resources: 170
+  resources: 172

tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 36
+  modules: 37
-  resources: 206
+  resources: 210