feat(TPG>6.28)!: added support for packet mirroring firewall policy rule, src_networks, src_network_scope and dest_network_scope (#596)

Author: imrannayer

README.md

@@ -9,30 +9,34 @@ It supports creating:
 - Secondary ranges for the subnets (if applicable)
 - routes
 - firewall rules
-
-[Sub modules](./modules/) are provided for creating individual vpc, subnets, routes, firewall rules, and firewall policies. See the [modules](./modules/) directory for the various sub modules usage.
-- [vpc](./modules/vpc/)
-- [subnet](./modules/subnets/)
-- [route](./modules/routes/)
-- [firewall rules](./modules/firewall-rules/)
-- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/)
-- [network firewall policy](./modules/network-firewall-policy/)
-- [serverless vpc  access connector](./modules/vpc-serverless-connector-beta/)
-- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/)
+- network firewall policy
+- hierarchical firewall policy
+- serverless vpc  access connector
+- network connectivity center
+
+[Sub modules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules) are provided for creating individual vpc, subnets, routes, firewall rules, network firewall policies, hierarchical firewall policy, serverless vpc  access connector and network connectivity center. See the [modules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules) directory for the various sub modules usage.
+- [vpc](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/vpc)
+- [subnet](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/subnets/)
+- [route](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/routes)
+- [firewall rules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/firewall-rules)
+- [network firewall policy](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-firewall-policy)
+- [hierarchical firewall policy](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/hierarchical-firewall-policy)
+- [serverless vpc  access connector](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/vpc-serverless-connector-beta)
+- [network connectivity center](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-connectivity-center)
 
 ## Compatibility
 
-This module is meant for use with Terraform 1.3+ and tested using Terraform 1.4+.
+This module is meant for use with Terraform 1.3+.
 If you find incompatibilities using Terraform `>=1.3`, please open an issue.
 
 
 ## Usage
-You can go to the [examples](./examples/) folder, however the usage of the module could be like this in your own main.tf file:
+Comprehensive examples are available in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/main/examples) folder. Simple usage:
 
 ```hcl
 module "vpc" {
     source  = "terraform-google-modules/network/google"
-    version = "~> 10.0"
+    version = "~> 11.0"
 
     project_id   = "<PROJECT ID>"
     network_name = "example-vpc"
@@ -191,9 +195,6 @@ The routes list contains maps, where each object represents a route. For the nex
 ## Requirements
 ### Installed Software
 - [Terraform](https://www.terraform.io/downloads.html) >= 1.3
-- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.25
-- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.25
-- [gcloud](https://cloud.google.com/sdk/gcloud/) >243.0.0
 
 ### Configure a Service Account
 In order to execute this module you must have a Service Account with the following roles:
@@ -214,6 +215,3 @@ In order to operate with the Service Account you must activate the following API
 
 Refer to the [contribution guidelines](./CONTRIBUTING.md) for
 information on contributing to this module.
-
-[terraform-0.13-upgrade]: https://www.terraform.io/upgrade-guides/0-13.html
-[2.6.0]: https://registry.terraform.io/modules/terraform-google-modules/network/google/2.6.0

docs/upgrading_to_v11.0.0.md

@@ -0,0 +1,8 @@
+# Upgrading to v11.0.0
+
+The v11.0 release contains backwards-incompatible changes.
+
+This update requires upgrading:
+- minimum provider version of `hashicorp/google` to `6.28` and `hashicorp/google-beta` to `6.28` for network-firewall-policy sub-module.
+- minimum provider version of `hashicorp/google` to `6.19` for vpc sub-module.
+- minimum provider version of `hashicorp/google` to `6.18` for hierarchical-firewall-policy sub-module.

examples/global-network-firewall-policy/README.md

@@ -1,12 +1,13 @@
 #  Network Firewall Policy Rule
 
-This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules.
+This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. It also creates a packet mirroring rule for out of band network service integration.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| org\_id | The project ID to host the network in | `any` | n/a | yes |
 | project\_id | The project ID to host the network in | `any` | n/a | yes |
 
 ## Outputs

examples/global-network-firewall-policy/main.tf

@@ -74,9 +74,62 @@ resource "google_service_account" "service_account" {
   display_name = "${local.prefix} firewall policy test service account"
 }
 
+################################
+#          VPC Spoke           #
+################################
+module "vpc" {
+  source  = "terraform-google-modules/network/google//modules/vpc"
+  version = "~> 10.0"
+
+  project_id   = var.project_id
+  network_name = "global-sec-policy-test-vpc"
+
+  # shared_vpc_host = false
+}
+
+resource "google_network_security_mirroring_deployment_group" "mirroring_deployment_group" {
+  project                       = var.project_id
+  mirroring_deployment_group_id = "${local.prefix}-mirroring-dg"
+  location                      = "global"
+  description                   = "suricata mirroring deployment group"
+  network                       = module.vpc.network_id
+}
+
+resource "google_network_security_mirroring_endpoint_group" "mirroring_endpoint_group" {
+  provider                    = google-beta
+  project                     = var.project_id
+  mirroring_endpoint_group_id = "${local.prefix}-mirroring-eg"
+  location                    = "global"
+  description                 = "suricata mirroring endpoint group"
+  mirroring_deployment_group  = google_network_security_mirroring_deployment_group.mirroring_deployment_group.id
+}
+
+
+resource "google_network_security_security_profile" "security_profile" {
+  provider    = google-beta
+  name        = "${local.prefix}-security-profile"
+  parent      = "organizations/${var.org_id}"
+  description = "Security profile description"
+  type        = "CUSTOM_MIRRORING"
+
+  custom_mirroring_profile {
+    mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.mirroring_endpoint_group.id
+  }
+}
+
+resource "google_network_security_security_profile_group" "security_profile_group" {
+  provider                 = google-beta
+  name                     = "${local.prefix}-sec-profile-group"
+  parent                   = "organizations/${var.org_id}"
+  description              = "Security profile group"
+  custom_mirroring_profile = google_network_security_security_profile.security_profile.id
+}
+
+
+
 module "firewal_policy" {
   source  = "terraform-google-modules/network/google//modules/network-firewall-policy"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   project_id  = var.project_id
   policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
@@ -205,6 +258,27 @@ module "firewal_policy" {
         ]
       }
     },
+    {
+      is_mirroring            = true
+      priority                = "200"
+      direction               = "EGRESS"
+      action                  = "mirror"
+      rule_name               = "egress-200"
+      disabled                = false
+      description             = "test egress mirroring rule 200"
+      target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"]
+      match = {
+        src_ip_ranges  = ["0.0.0.0/0"]
+        dest_ip_ranges = ["0.0.0.0/0"]
+        layer4_configs = [
+          {
+            ip_protocol = "tcp"
+            ports       = ["80"]
+          }
+        ]
+      }
+      security_profile_group_id = google_network_security_security_profile_group.security_profile_group.id
+    },
 
   ]
 
@@ -216,7 +290,7 @@ module "firewal_policy" {
 
 module "firewal_policy_no_rule" {
   source      = "terraform-google-modules/network/google//modules/network-firewall-policy"
-  version     = "~> 10.0"
+  version     = "~> 11.0"
   project_id  = var.project_id
   policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}"
   description = "${local.prefix} test firewall policy without any rules"

examples/global-network-firewall-policy/variables.tf

@@ -17,3 +17,7 @@
 variable "project_id" {
   description = "The project ID to host the network in"
 }
+
+variable "org_id" {
+  description = "The project ID to host the network in"
+}

examples/hierarchical-firewall-policy/main.tf

@@ -43,7 +43,7 @@ resource "google_compute_network" "network_backup" {
 
 module "firewal_policy" {
   source  = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   parent_node    = "folders/${var.folder1}"
   policy_name    = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
@@ -181,7 +181,7 @@ module "firewal_policy" {
 
 module "firewal_policy_no_rule" {
   source  = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   parent_node = "folders/${var.folder1}"
   policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}"

metadata.yaml

@@ -39,6 +39,8 @@ spec:
         location: modules/firewall-rules
       - name: hierarchical-firewall-policy
         location: modules/hierarchical-firewall-policy
+      - name: network-connectivity-center
+        location: modules/network-connectivity-center
       - name: network-firewall-policy
         location: modules/network-firewall-policy
       - name: network-peering
@@ -84,6 +86,8 @@ spec:
         location: examples/ilb_routing
       - name: multi_vpc
         location: examples/multi_vpc
+      - name: network_connectivity_center
+        location: examples/network_connectivity_center
       - name: network_service_tiers
         location: examples/network_service_tiers
       - name: packet_mirroring
@@ -228,6 +232,14 @@ spec:
         description: The name of the network being created
         varType: string
         required: true
+      - name: network_profile
+        description: |
+          "A full or partial URL of the network profile to apply to this network.
+          This field can be set only at resource creation time. For example, the
+          following are valid URLs:
+            * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name}
+            * projects/{projectId}/global/networkProfiles/{network_profile_name}
+        varType: string
       - name: project_id
         description: The ID of the project where this VPC will be created
         varType: string
@@ -305,6 +317,7 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/compute.instanceAdmin
           - roles/compute.networkAdmin
           - roles/compute.securityAdmin
           - roles/iam.serviceAccountUser
@@ -314,11 +327,21 @@ spec:
           - roles/resourcemanager.tagAdmin
           - roles/iam.serviceAccountAdmin
           - roles/compute.orgFirewallPolicyAdmin
+          - roles/networkconnectivity.hubAdmin
+          - roles/networksecurity.mirroringDeploymentAdmin
+          - roles/networksecurity.mirroringEndpointAdmin
+          - roles/networksecurity.securityProfileAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - compute.googleapis.com
       - serviceusage.googleapis.com
       - vpcaccess.googleapis.com
       - dns.googleapis.com
       - networksecurity.googleapis.com
+      - networkconnectivity.googleapis.com
       - iam.googleapis.com
+    providerVersions:
+      - source: hashicorp/google
+        version: ">= 4.64, < 7"
+      - source: hashicorp/google-beta
+        version: ">= 4.64, < 7"

modules/fabric-net-firewall/metadata.yaml

@@ -58,6 +58,8 @@ spec:
         location: examples/ilb_routing
       - name: multi_vpc
         location: examples/multi_vpc
+      - name: network_connectivity_center
+        location: examples/network_connectivity_center
       - name: network_service_tiers
         location: examples/network_service_tiers
       - name: packet_mirroring
@@ -190,6 +192,7 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/compute.instanceAdmin
           - roles/compute.networkAdmin
           - roles/compute.securityAdmin
           - roles/iam.serviceAccountUser
@@ -199,11 +202,21 @@ spec:
           - roles/resourcemanager.tagAdmin
           - roles/iam.serviceAccountAdmin
           - roles/compute.orgFirewallPolicyAdmin
+          - roles/networkconnectivity.hubAdmin
+          - roles/networksecurity.mirroringDeploymentAdmin
+          - roles/networksecurity.mirroringEndpointAdmin
+          - roles/networksecurity.securityProfileAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - compute.googleapis.com
       - serviceusage.googleapis.com
       - vpcaccess.googleapis.com
       - dns.googleapis.com
       - networksecurity.googleapis.com
+      - networkconnectivity.googleapis.com
       - iam.googleapis.com
+    providerVersions:
+      - source: hashicorp/google
+        version: ">= 4.64, < 7"
+      - source: hashicorp/google-beta
+        version: ">= 4.64, < 7"

modules/fabric-net-firewall/versions.tf

@@ -16,6 +16,7 @@
 
 terraform {
   required_version = ">= 1.3"
+
   required_providers {
     google = {
       source  = "hashicorp/google"

modules/fabric-net-svpc-access/README.md

@@ -19,7 +19,8 @@ Basic usage of this module is as follows:
 ```hcl
 module "net-shared-vpc-access" {
   source              = "terraform-google-modules/network/google//modules/fabric-net-svpc-access"
-  version             = "~> 1.4.0"
+  version             = "~> 11.0"
+
   host_project_id     = "my-host-project-id"
   service_project_num = 1
   service_project_ids = ["my-service-project-id"]