# Google Cloud Network Firewall Policies

This module allows creation and management of a [global](https://cloud.google.com/vpc/docs/network-firewall-policies) or [regional](https://cloud.google.com/vpc/docs/regional-firewall-policies) network firewall policy, including its associations and rules.

The module interface deviates slightly from the [`net-vpc-firewall`](../net-vpc-firewall/) module since the underlying resources and API objects are different. It also makes fewer assumptions about implicit defaults, only using one to set `match.layer4_configs` to `[{ protocol = "all" }]` if no explicit set of protocols and ports has been specified.

A factory implementation will be added in a subsequent release.

## Example

```hcl
module "firewall-policy" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "test-1"
  project_id = "my-project"
  # specify a region to create and manage a regional policy
  # region = "europe-west8"
  target_vpcs = [
    "projects/my-project/global/networks/shared-vpc"
  ]
  egress_rules = {
    smtp = {
      priority = 900
      match = {
        destination_ranges = ["0.0.0.0/0"]
        layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
      }
    }
  }
  ingress_rules = {
    icmp = {
      priority = 1000
      match = {
        source_ranges  = ["0.0.0.0/0"]
        layer4_configs = [{ protocol = "icmp" }]
      }
    }
    mgmt = {
      priority = 1001
      match = {
        source_ranges = ["10.1.1.0/24"]
      }
    }
    ssh = {
      priority = 1002
      match = {
        source_ranges = ["10.0.0.0/8"]
        # source_tags = ["tagValues/123456"]
        layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
      }
    }
  }
}
# tftest modules=1 resources=6
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L98) | Policy name. | string | ✓ | |
| [project_id](variables.tf#L104) | Project id of the project that holds the network. | string | ✓ | |
| [description](variables.tf#L17) | Policy description. | string | | null |
| [egress_rules](variables.tf#L23) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The `match.layer4_configs` map is in protocol => optional [ports] format. | map(object({…})) | | {} |
| [ingress_rules](variables.tf#L60) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | map(object({…})) | | {} |
| [region](variables.tf#L110) | Policy region. Leave null for global policy. | string | | null |
| [target_vpcs](variables.tf#L116) | VPC ids to which this policy will be attached. | list(string) | | [] |
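The following is an added example, not part of the module's own README or test suite: a regional policy with an explicit default-deny egress rule, where the catch-all rule omits `layer4_configs` so the module's single implicit default (`protocol = "all"`) applies. It assumes the per-rule `action` attribute named in the variables table and the `match` attributes used in the example above; the resolver address is a constructed placeholder.

```hcl
module "firewall-policy-regional" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "egress-default-deny"
  project_id = "my-project"
  # regional policy, managed in europe-west8 rather than globally
  region = "europe-west8"
  target_vpcs = [
    "projects/my-project/global/networks/shared-vpc"
  ]
  egress_rules = {
    # explicit allow, evaluated before the catch-all (lower priority value wins)
    dns = {
      action   = "allow" # attribute name assumed from the variables table
      priority = 1000
      match = {
        destination_ranges = ["10.0.0.2/32"] # constructed internal resolver address
        layer4_configs = [
          { protocol = "udp", ports = ["53"] },
          { protocol = "tcp", ports = ["53"] }
        ]
      }
    }
    # catch-all deny: no layer4_configs given, so the module sets protocol "all"
    deny-all = {
      action   = "deny"
      priority = 65000
      match = {
        destination_ranges = ["0.0.0.0/0"]
      }
    }
  }
}
```

Because the catch-all sits at a high priority number, any later allow rule added with a lower number is evaluated before it; review the priorities when adding rules so the deny stays last.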