fix: network attachment error in firewall policy sub-module (#478)

Author: imrannayer

build/int.cloudbuild.yaml

@@ -168,7 +168,7 @@ steps:
   args: ['/bin/bash', '-c', 'cft test run TestPrivateServiceConnect --stage teardown --verbose']
 - id: converge global-firewall-policy
   waitFor:
-    - create all
+    - destroy private-service-connect
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestGlobalNetworkFirewallPolicy --stage apply --verbose']
 - id: verify global-firewall-policy
@@ -183,7 +183,7 @@ steps:
   args: ['/bin/bash', '-c', 'cft test run TestGlobalNetworkFirewallPolicy --stage teardown --verbose']
 - id: converge regional-firewall-policy
   waitFor:
-    - create all
+    - destroy global-firewall-policy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkFirewallPolicy --stage apply --verbose']
 - id: verify regional-firewall-policy
@@ -198,7 +198,7 @@ steps:
   args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkFirewallPolicy --stage teardown --verbose']
 - id: converge firewall-rule
   waitFor:
-    - create all
+    - destroy regional-firewall-policy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage apply --verbose']
 - id: verify firewall-rule

examples/global-network-firewall-policy/main.tf

@@ -34,6 +34,11 @@ resource "google_compute_network" "network" {
   name    = "${local.prefix}-network"
 }
 
+resource "google_compute_network" "network_backup" {
+  project = var.project_id
+  name    = "${local.prefix}-network-backup"
+}
+
 resource "google_tags_tag_key" "tag_key" {
 
   description = "For keyname resources."
@@ -74,7 +79,10 @@ module "firewal_policy" {
   project_id  = var.project_id
   policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
   description = "test ${local.prefix} firewall policy"
-  target_vpcs = ["projects/${var.project_id}/global/networks/${local.prefix}-network"]
+  target_vpcs = [
+    "projects/${var.project_id}/global/networks/${local.prefix}-network",
+    "projects/${var.project_id}/global/networks/${local.prefix}-network-backup",
+  ]
 
   rules = [
     {

examples/regional-network-firewall-policy/main.tf

@@ -36,6 +36,11 @@ resource "google_compute_network" "network" {
   name = "${local.prefix}-network"
 }
 
+resource "google_compute_network" "network_backup" {
+  project = var.project_id
+  name    = "${local.prefix}-network-backup"
+}
+
 resource "google_tags_tag_key" "tag_key" {
 
   description = "For keyname resources."
@@ -73,11 +78,15 @@ resource "google_service_account" "service_account" {
 }
 
 module "firewal_policy" {
-  source        = "../../modules/network-firewall-policy"
-  project_id    = var.project_id
-  policy_name   = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
-  description   = "test ${local.prefix} firewall policy"
-  target_vpcs   = ["projects/${var.project_id}/global/networks/${local.prefix}-network"]
+  source      = "../../modules/network-firewall-policy"
+  project_id  = var.project_id
+  policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
+  description = "test ${local.prefix} firewall policy"
+  target_vpcs = [
+    "projects/${var.project_id}/global/networks/${local.prefix}-network",
+    "projects/${var.project_id}/global/networks/${local.prefix}-network-backup",
+  ]
+
   policy_region = local.location
 
   rules = [

modules/network-firewall-policy/README.md

@@ -29,7 +29,7 @@ There are examples included for [global](https://github.com/terraform-google-mod
 ```hcl
 module "firewall_rules" {
   source       = "terraform-google-modules/network/google//modules/network-firewall-policy"
-  version      = "~> 8.0"
+  version      = "~> 7.2"
   project_id   = var.project_id
   policy_name  = "my-firewall-policy"
   description  = "Test firewall policy"
@@ -173,7 +173,7 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli
     enable_logging          = true
     target_secure_tags      = ["tagValues/${google_tags_tag_value.tag_value.name}",]
     target_service_accounts = ["fw-test-svc-acct@$my-project-id.iam.gserviceaccount.com"]
-    match = object({
+    match = {
       src_ip_ranges             = ["10.100.0.2"]
       src_fqdns                 = []
       src_region_codes          = []

modules/network-firewall-policy/main.tf

@@ -30,7 +30,7 @@ resource "google_compute_network_firewall_policy" "fw_policy" {
 
 resource "google_compute_network_firewall_policy_association" "vpc_associations" {
   for_each          = local.global && length(var.target_vpcs) > 0 ? { for x in var.target_vpcs : base64encode(x) => x } : {}
-  name              = local.prefix
+  name              = "${local.prefix}-${element(split("/", each.value), length(split("/", each.value)) - 1)}"
   attachment_target = each.value
   firewall_policy   = google_compute_network_firewall_policy.fw_policy[0].name
   project           = var.project_id
@@ -103,7 +103,7 @@ resource "google_compute_region_network_firewall_policy" "fw_policy" {
 
 resource "google_compute_region_network_firewall_policy_association" "vpc_associations" {
   for_each          = !local.global && length(var.target_vpcs) > 0 ? { for x in var.target_vpcs : base64encode(x) => x } : {}
-  name              = local.prefix
+  name              = "${local.prefix}-${element(split("/", each.value), length(split("/", each.value)) - 1)}"
   attachment_target = each.value
   firewall_policy   = google_compute_region_network_firewall_policy.fw_policy[0].name
   project           = var.project_id