
Commit 663f1d8

authored
feat: add ingress and egress firewall rules to main module (#485)
1 parent a2d1d9b commit 663f1d8


4 files changed

+90
-8
lines changed


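--- a/README.md
+++ b/README.md
@@ -102,7 +102,9 @@ Then perform the following commands on the root folder:
 | auto\_create\_subnetworks | When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. | `bool` | `false` | no |
 | delete\_default\_internet\_gateway\_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | description | An optional description of this resource. The resource must be recreated to modify this field. | `string` | `""` | no |
-| firewall\_rules | List of firewall rules | `any` | `[]` | no |
+| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty | <pre>list(object({<br> name = string<br> description = optional(string, null)<br> priority = optional(number, null)<br> destination_ranges = optional(list(string), [])<br> source_ranges = optional(list(string), [])<br> source_tags = optional(list(string))<br> source_service_accounts = optional(list(string))<br> target_tags = optional(list(string))<br> target_service_accounts = optional(list(string))<br><br> allow = optional(list(object({<br> protocol = string<br> ports = optional(list(string))<br> })), [])<br> deny = optional(list(object({<br> protocol = string<br> ports = optional(list(string))<br> })), [])<br> log_config = optional(object({<br> metadata = string<br> }))<br> }))</pre> | `[]` | no |
+| firewall\_rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of firewall rules | <pre>list(object({<br> name = string<br> description = optional(string, null)<br> direction = optional(string, "INGRESS")<br> priority = optional(number, null)<br> ranges = optional(list(string), [])<br> source_tags = optional(list(string))<br> source_service_accounts = optional(list(string))<br> target_tags = optional(list(string))<br> target_service_accounts = optional(list(string))<br><br> allow = optional(list(object({<br> protocol = string<br> ports = optional(list(string))<br> })), [])<br> deny = optional(list(object({<br> protocol = string<br> ports = optional(list(string))<br> })), [])<br> log_config = optional(object({<br> metadata = string<br> }))<br> }))</pre> | `[]` | no |
+| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty | <pre>list(object({<br> name = string<br> description = optional(string, null)<br> priority = optional(number, null)<br> destination_ranges = optional(list(string), [])<br> source_ranges = optional(list(string), [])<br> source_tags = optional(list(string))<br> source_service_accounts = optional(list(string))<br> target_tags = optional(list(string))<br> target_service_accounts = optional(list(string))<br><br> allow = optional(list(object({<br> protocol = string<br> ports = optional(list(string))<br> })), [])<br> deny = optional(list(object({<br> protocol = string<br> ports = optional(list(string))<br> })), [])<br> log_config = optional(object({<br> metadata = string<br> }))<br> }))</pre> | `[]` | no |
 | mtu | The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively. | `number` | `0` | no |
 | network\_name | The name of the network being created | `string` | n/a | yes |
 | project\_id | The ID of the project where this VPC will be created | `string` | n/a | yes |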

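--- a/main.tf
+++ b/main.tf
@@ -74,8 +74,10 @@ locals {
 }
 
 module "firewall_rules" {
-source = "./modules/firewall-rules"
-project_id = var.project_id
-network_name = module.vpc.network_name
-rules = local.rules
+source = "./modules/firewall-rules"
+project_id = var.project_id
+network_name = module.vpc.network_name
+rules = local.rules
+ingress_rules = var.ingress_rules
+egress_rules = var.egress_rules
 }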
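Review bot: Nothing in this module block resolves the precedence between the deprecated `firewall_rules` input (forwarded as `rules = local.rules`) and the new `ingress_rules`/`egress_rules` when a caller sets both; the variable descriptions say the new lists are ignored once `rules` is non-empty, so a caller mid-migration can have its ingress or egress rules silently dropped and end up with a different firewall posture than the code reads as. `local.rules` is defined outside the hunk, so I cannot confirm here that it is derived only from `var.firewall_rules`. Terraform's per-variable `validation` cannot reference another variable at the `>= 1.3` floor this commit sets, so the check presumably belongs in the submodule or in a documented precondition there; at minimum make the precedence visible at the call site with `# rules (deprecated firewall_rules) wins: ingress_rules/egress_rules are ignored when it is non-empty`.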

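--- a/variables.tf
+++ b/variables.tf
@@ -71,8 +71,30 @@ variable "routes" {
 }
 
 variable "firewall_rules" {
-type = any
-description = "List of firewall rules"
+type = list(object({
+name = string
+description = optional(string, null)
+direction = optional(string, "INGRESS")
+priority = optional(number, null)
+ranges = optional(list(string), [])
+source_tags = optional(list(string))
+source_service_accounts = optional(list(string))
+target_tags = optional(list(string))
+target_service_accounts = optional(list(string))
+
+allow = optional(list(object({
+protocol = string
+ports = optional(list(string))
+})), [])
+deny = optional(list(object({
+protocol = string
+ports = optional(list(string))
+})), [])
+log_config = optional(object({
+metadata = string
+}))
+}))
+description = "This is DEPRICATED and available for backward compatiblity. Use ingress_rules and egress_rules variables. List of firewall rules"
 default = []
 }
 
@@ -100,3 +122,59 @@ variable "mtu" {
 description = "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively."
 default = 0
 }
+
+variable "ingress_rules" {
+description = "List of ingress rules. This will be ignored if variable 'rules' is non-empty"
+default = []
+type = list(object({
+name = string
+description = optional(string, null)
+priority = optional(number, null)
+destination_ranges = optional(list(string), [])
+source_ranges = optional(list(string), [])
+source_tags = optional(list(string))
+source_service_accounts = optional(list(string))
+target_tags = optional(list(string))
+target_service_accounts = optional(list(string))
+
+allow = optional(list(object({
+protocol = string
+ports = optional(list(string))
+})), [])
+deny = optional(list(object({
+protocol = string
+ports = optional(list(string))
+})), [])
+log_config = optional(object({
+metadata = string
+}))
+}))
+}
+
+variable "egress_rules" {
+description = "List of egress rules. This will be ignored if variable 'rules' is non-empty"
+default = []
+type = list(object({
+name = string
+description = optional(string, null)
+priority = optional(number, null)
+destination_ranges = optional(list(string), [])
+source_ranges = optional(list(string), [])
+source_tags = optional(list(string))
+source_service_accounts = optional(list(string))
+target_tags = optional(list(string))
+target_service_accounts = optional(list(string))
+
+allow = optional(list(object({
+protocol = string
+ports = optional(list(string))
+})), [])
+deny = optional(list(object({
+protocol = string
+ports = optional(list(string))
+})), [])
+log_config = optional(object({
+metadata = string
+}))
+}))
+}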
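Review bot: The descriptions of `ingress_rules` and `egress_rules` say the list is ignored "if variable 'rules' is non-empty", but no variable named `rules` is declared in this file — the root-level input is `firewall_rules` — so a reader cannot tell from the docs which input takes precedence; presumably it should read `description = "List of ingress rules. Ignored if the deprecated variable 'firewall_rules' is non-empty"` (and likewise for egress), and the `firewall_rules` description also misspells "DEPRECATED" and "compatibility". Separately, the new `ingress_rules` type defaults `source_ranges` to `[]` and leaves `source_tags`/`source_service_accounts` null, so an entry that names no source type-checks; if the submodule forwards those values unchanged, the Compute API treats an ingress rule with no source as applying to all sources, which means a typo in one field quietly widens the rule instead of failing. A per-variable `validation` (available at the `>= 1.3` floor this commit sets) can refuse such entries at plan time; the same should be considered for `egress_rules` with `destination_ranges`.

```terraform
variable "ingress_rules" {
  # … unchanged: description, default, type …

  # Refuse ingress entries that name no source at all, so a rule cannot
  # silently fall back to the API-side default of every source.
  validation {
    condition = alltrue([
      for r in var.ingress_rules :
      length(r.source_ranges) > 0 || r.source_tags != null || r.source_service_accounts != null
    ])
    error_message = "Each ingress rule must set source_ranges, source_tags or source_service_accounts."
  }
}
```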

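--- a/versions.tf
+++ b/versions.tf
@@ -15,7 +15,7 @@
 */
 
 terraform {
-required_version = ">= 0.13.0"
+required_version = ">= 1.3"
 required_providers {
 google = {
 source = "hashicorp/google"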
