Ludo hfw fixes (#400)

* fix tfdoc replacement * ignore changes to rule description * add folder example, fixes #339
2021-12-22 10:46:27 +01:00 · 2021-12-22 10:46:27 +01:00 · e2f5b96f4a
parent 54367f2947
commit e2f5b96f4a
3 changed files with 65 additions and 0 deletions
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@ -47,6 +47,61 @@ module "folder" {
 # tftest:modules=1:resources=4
 ```

+### Firewall policy factory
+
+In the same way as for the [organization]()../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
+
+```hcl
+module "folder" {
+  source          = "./modules/folder"
+  parent = "organizations/1234567890"
+  name  = "Folder name"
+  firewall_policy_factory = {
+    cidr_file   = "data/cidrs.yaml
+    policy_name = null
+    rules_file  = "data/rules.yaml"
+  }
+}
+# tftest:skip
+```
+
+```yaml
+# cidrs.yaml
+
+rfc1918:
+  - 10.0.0.0/8
+  - 172.168.0.0/12
+  - 192.168.0.0/16
+```
+
+```yaml
+# rules.yaml
+
+allow-admins:
+  description: Access from the admin subnet to all subnets
+  direction: INGRESS
+  action: allow
+  priority: 1000
+  ranges:
+    - $rfc1918
+  ports:
+    all: []
+  target_resources: null
+  enable_logging: false
+
+allow-ssh-from-iap:
+  description: Enable SSH from IAP
+  direction: INGRESS
+  action: allow
+  priority: 1002
+  ranges:
+    - 35.235.240.0/20
+  ports:
+    tcp: ["22"]
+  target_resources: null
+  enable_logging: false
+```
+
 ### Logging Sinks

 ```hcl
--- a/modules/folder/firewall-policy.tf
+++ b/modules/folder/firewall-policy.tf
@ -85,6 +85,11 @@ resource "google_compute_organization_security_policy_rule" "rule" {
      }
    }
  }
+  # TODO: remove once provider issues is fixed
+  # https://github.com/hashicorp/terraform-provider-google/issues/7790
+  lifecycle {
+    ignore_changes = [description]
+  }
 }

 resource "google_compute_organization_security_policy_association" "attachment" {
--- a/modules/organization/firewall-policy.tf
+++ b/modules/organization/firewall-policy.tf
@ -92,6 +92,11 @@ resource "google_compute_organization_security_policy_rule" "rule" {
      }
    }
  }
+  # TODO: remove once provider issues is fixed
+  # https://github.com/hashicorp/terraform-provider-google/issues/7790
+  lifecycle {
+    ignore_changes = [description]
+  }
 }

 resource "google_compute_organization_security_policy_association" "attachment" {