fix: added allow_proxy firewall rule to create connection between fw rule and mig

pawan1210 · pawan1210 · commit 898f21c1fff7 · 2025-04-03T09:53:19.000Z
diff --git a/modules/backend/README.md b/modules/backend/README.md
@@ -17,6 +17,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | enable\_cdn | Enable Cloud CDN for this BackendService. | `bool` | `false` | no |
 | firewall\_networks | Names of the networks to create firewall rules in | `list(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | firewall\_projects | Names of the projects to create firewall rules in | `list(string)` | <pre>[<br>  "default"<br>]</pre> | no |
+| firewall\_source\_ranges | Source ranges for global Application Load Balancer's proxies. This should be set to ip\_cidr\_range of your REGIONAL\_MANAGED\_PROXY subnet. | `list(string)` | <pre>[<br>  "10.129.0.0/23"<br>]</pre> | no |
 | groups | The list of backend instance group which serves the traffic. | <pre>list(object({<br>    group       = string<br>    description = optional(string)<br><br>    balancing_mode               = optional(string)<br>    capacity_scaler              = optional(number)<br>    max_connections              = optional(number)<br>    max_connections_per_instance = optional(number)<br>    max_connections_per_endpoint = optional(number)<br>    max_rate                     = optional(number)<br>    max_rate_per_instance        = optional(number)<br>    max_rate_per_endpoint        = optional(number)<br>    max_utilization              = optional(number)<br>  }))</pre> | `[]` | no |
 | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. | <pre>object({<br>    host                = optional(string, null)<br>    request_path        = optional(string, null)<br>    request             = optional(string, null)<br>    response            = optional(string, null)<br>    port                = optional(number, null)<br>    port_name           = optional(string, null)<br>    proxy_header        = optional(string, null)<br>    port_specification  = optional(string, null)<br>    protocol            = optional(string, null)<br>    check_interval_sec  = optional(number, 5)<br>    timeout_sec         = optional(number, 5)<br>    healthy_threshold   = optional(number, 2)<br>    unhealthy_threshold = optional(number, 2)<br>    logging             = optional(bool, false)<br>  })</pre> | `null` | no |
 | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | <pre>list(object({<br>    host = string<br>    path = string<br>  }))</pre> | <pre>[<br>  {<br>    "host": "*",<br>    "path": "/*"<br>  }<br>]</pre> | no |
diff --git a/modules/backend/main.tf b/modules/backend/main.tf
@@ -289,3 +289,24 @@ resource "google_compute_firewall" "default-hc" {
     ports    = var.health_check.port != null ? [var.health_check.port] : null
   }
 }
+
+resource "google_compute_firewall" "allow_proxy" {
+  count         = var.health_check != null ? length(var.firewall_networks) : 0
+  project       = length(var.firewall_networks) == 1 && var.firewall_projects[0] == "default" ? var.project_id : var.firewall_projects[count.index]
+  name          = "${var.name}-fw-allow-proxies-${count.index}"
+  network       = var.firewall_networks[count.index]
+  source_ranges = var.firewall_source_ranges
+  target_tags   = length(var.target_tags) > 0 ? var.target_tags : null
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  allow {
+    ports    = ["80"]
+    protocol = "tcp"
+  }
+  allow {
+    ports    = ["8080"]
+    protocol = "tcp"
+  }
+}
diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml
@@ -52,6 +52,8 @@ spec:
         location: examples/https-redirect
       - name: internal-lb-cloud-run
         location: examples/internal-lb-cloud-run
+      - name: internal-lb-gce-mig
+        location: examples/internal-lb-gce-mig
       - name: lb-http-separate-frontend-and-backend
         location: examples/lb-http-separate-frontend-and-backend
       - name: mig-nat-http-lb
@@ -286,6 +288,11 @@ spec:
         description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.
         varType: list(string)
         defaultValue: []
+      - name: firewall_source_ranges
+        description: Source ranges for global Application Load Balancer's proxies. This should be set to ip_cidr_range of your REGIONAL_MANAGED_PROXY subnet.
+        varType: list(string)
+        defaultValue:
+          - 10.129.0.0/23
     outputs:
       - name: backend_service_info
         description: Host, path and backend service mapping
diff --git a/modules/backend/variables.tf b/modules/backend/variables.tf
@@ -269,3 +269,9 @@ variable "target_service_accounts" {
   type        = list(string)
   default     = []
 }
+
+variable "firewall_source_ranges" {
+  description = "Source ranges for global Application Load Balancer's proxies. This should be set to ip_cidr_range of your REGIONAL_MANAGED_PROXY subnet."
+  type        = list(string)
+  default     = ["10.129.0.0/23"]
+}
