terraform-google-modules · namcxn · Dec 11, 2025 · Dec 12, 2025
@@ -502,7 +502,14 @@ resource "google_compute_health_check" "default" {
 }
 
 resource "google_compute_firewall" "default-hc" {
+  {% if dynamic_backends %}
+  {# options only used for dynamic_backends module #}
+  count   = var.enable_firewall ? length(var.firewall_networks) : 0
+  {% endif %}
+  {% if not dynamic_backends %}
+  {# options only used for non-dynamic_backends module #}
   count   = length(var.firewall_networks)
+  {% endif %}
   project = length(var.firewall_networks) == 1 && var.firewall_projects[0] == "default" ? var.project : var.firewall_projects[count.index]
   name    = "${var.name}-hc-${count.index}"
   network = var.firewall_networks[count.index]

@@ -68,6 +68,15 @@ variable "firewall_projects" {
   default     = ["default"]
 }
 
+{% if dynamic_backends %}
+  {# options unused for serverless LBs #}
+  variable "enable_firewall" {
+    description = "Enable or disable the health check firewall rule"
+    type        = bool
+    default     = true
+  }
+{% endif %}
+
 variable "target_tags" {
   description = "List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified."
   type        = list(string)

@@ -96,6 +96,7 @@ module "gce-lb-http" {
 | create\_ssl\_certificate | If `true`, Create certificate using `private_key/certificate` | `bool` | `false` | no |
 | create\_url\_map | Set to `false` if url\_map variable is provided. | `bool` | `true` | no |
 | edge\_security\_policy | The resource URL for the edge security policy to associate with the backend service | `string` | `null` | no |
+| enable\_firewall | Enable or disable the health check firewall rule | `bool` | `true` | no |
 | enable\_ipv6 | Enable IPv6 address on the CDN load-balancer | `bool` | `false` | no |
 | firewall\_networks | Names of the networks to create firewall rules in | `list(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | firewall\_projects | Names of the projects to create firewall rules in | `list(string)` | <pre>[<br>  "default"<br>]</pre> | no |

@@ -436,7 +436,7 @@ resource "google_compute_health_check" "default" {
 }
 
 resource "google_compute_firewall" "default-hc" {
-  count   = length(var.firewall_networks)
+  count   = var.enable_firewall ? length(var.firewall_networks) : 0
   project = length(var.firewall_networks) == 1 && var.firewall_projects[0] == "default" ? var.project : var.firewall_projects[count.index]
   name    = "${var.name}-hc-${count.index}"
   network = var.firewall_networks[count.index]

@@ -114,6 +114,10 @@ spec:
         varType: list(string)
         defaultValue:
           - default
+      - name: enable_firewall
+        description: Enable or disable the health check firewall rule
+        varType: bool
+        defaultValue: true
       - name: target_tags
         description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.
         varType: list(string)
@@ -332,13 +336,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
-          - roles/iam.serviceAccountUser
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

@@ -66,6 +66,12 @@ variable "firewall_projects" {
   default     = ["default"]
 }
 
+variable "enable_firewall" {
+  description = "Enable or disable the health check firewall rule"
+  type        = bool
+  default     = true
+}
+
 variable "target_tags" {
   description = "List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified."
   type        = list(string)