From db3c48736c71ff685ee7d603d9148a9d098a081f Mon Sep 17 00:00:00 2001 From: Fawzi Date: Mon, 10 Apr 2023 01:28:12 +1000 Subject: [PATCH] add firewall enforcement variable to VPC --- modules/net-vpc/README.md | 31 ++++++++++++++++--------------- modules/net-vpc/main.tf | 18 ++++++++++-------- modules/net-vpc/variables.tf | 11 +++++++++++ 3 files changed, 37 insertions(+), 23 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 7f992660..5d3848bc 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -424,26 +424,27 @@ module "vpc" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L60) | The name of the network being created. | string | ✓ | | -| [project_id](variables.tf#L76) | The ID of the project where this VPC will be created. | string | ✓ | | +| [name](variables.tf#L71) | The name of the network being created. | string | ✓ | | +| [project_id](variables.tf#L87) | The ID of the project where this VPC will be created. | string | ✓ | | | [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false | | [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | string | | null | | [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | bool | | false | | [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." | | [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | object({…}) | | null | -| [mtu](variables.tf#L54) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null | -| [peering_config](variables.tf#L65) | VPC peering configuration. | object({…}) | | null | -| [psa_config](variables.tf#L81) | The Private Service Access configuration for Service Networking. | object({…}) | | null | -| [routes](variables.tf#L91) | Network routes, keyed by name. | map(object({…})) | | {} | -| [routing_mode](variables.tf#L111) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | -| [shared_vpc_host](variables.tf#L121) | Enable shared VPC for this project. | bool | | false | -| [shared_vpc_service_projects](variables.tf#L127) | Shared VPC service projects to register with this host. | list(string) | | [] | -| [subnet_iam](variables.tf#L133) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} | -| [subnet_iam_additive](variables.tf#L139) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | -| [subnets](variables.tf#L146) | Subnet configuration. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L171) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L183) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L194) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [firewall_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string | | "AFTER_CLASSIC_FIREWALL" | +| [mtu](variables.tf#L65) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null | +| [peering_config](variables.tf#L76) | VPC peering configuration. | object({…}) | | null | +| [psa_config](variables.tf#L92) | The Private Service Access configuration for Service Networking. | object({…}) | | null | +| [routes](variables.tf#L102) | Network routes, keyed by name. | map(object({…})) | | {} | +| [routing_mode](variables.tf#L122) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | +| [shared_vpc_host](variables.tf#L132) | Enable shared VPC for this project. | bool | | false | +| [shared_vpc_service_projects](variables.tf#L138) | Shared VPC service projects to register with this host. | list(string) | | [] | +| [subnet_iam](variables.tf#L144) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} | +| [subnet_iam_additive](variables.tf#L150) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | +| [subnets](variables.tf#L157) | Subnet configuration. | list(object({…})) | | [] | +| [subnets_proxy_only](variables.tf#L182) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L194) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L205) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf index d1505801..aa52cd97 100644 --- a/modules/net-vpc/main.tf +++ b/modules/net-vpc/main.tf @@ -34,14 +34,16 @@ data "google_compute_network" "network" { } resource "google_compute_network" "network" { - count = var.vpc_create ? 1 : 0 - project = var.project_id - name = var.name - description = var.description - auto_create_subnetworks = var.auto_create_subnetworks - delete_default_routes_on_create = var.delete_default_routes_on_create - mtu = var.mtu - routing_mode = var.routing_mode + count = var.vpc_create ? 1 : 0 + project = var.project_id + name = var.name + description = var.description + auto_create_subnetworks = var.auto_create_subnetworks + delete_default_routes_on_create = var.delete_default_routes_on_create + mtu = var.mtu + routing_mode = var.routing_mode + network_firewall_policy_enforcement_order = var.firewall_enforcement_order + } resource "google_compute_network_peering" "local" { diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index e05ece3f..32ae43d9 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf @@ -51,6 +51,17 @@ variable "dns_policy" { default = null } +variable "firewall_enforcement_order" { + description = "Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'." + type = string + default = "AFTER_CLASSIC_FIREWALL" + + validation { + condition = var.firewall_enforcement_order == "BEFORE_CLASSIC_FIREWALL" || var.firewall_enforcement_order == "AFTER_CLASSIC_FIREWALL" + error_message = "Enforcement order must be BEFORE_CLASSIC_FIREWALL or AFTER_CLASSIC_FIREWALL." + } +} + variable "mtu" { description = "Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes." type = number