feat: add hierarchical firewall policy sub-module (#553)

Author: imrannayer

README.md

@@ -7,20 +7,27 @@ It supports creating:
 - A Google Virtual Private Network (VPC)
 - Subnets within the VPC
 - Secondary ranges for the subnets (if applicable)
-
-Sub modules are provided for creating individual vpc, subnets, and routes. See the modules directory for the various sub modules usage.
+- routes
+- firewall rules
+
+[Sub modules](./modules/) are provided for creating individual vpc, subnets, routes, firewall rules, and firewall policies. See the [modules](./modules/) directory for the various sub modules usage.
+- [vpc](./modules/vpc/)
+- [subnet](./modules/subnets/)
+- [route](./modules/routes/)
+- [firewall rules](./modules/firewall-rules/)
+- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/)
+- [network firewall policy](./modules/network-firewall-policy/)
+- [serverless vpc  access connector](./modules/vpc-serverless-connector-beta/)
+- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/)
 
 ## Compatibility
 
 This module is meant for use with Terraform 1.3+ and tested using Terraform 1.4+.
 If you find incompatibilities using Terraform `>=1.3`, please open an issue.
 
-If you haven't [upgraded][terraform-0.13-upgrade] and need a Terraform
-0.12.x-compatible version of this module, the last released version
-intended for Terraform 0.12.x is [2.6.0].
 
 ## Usage
-You can go to the examples folder, however the usage of the module could be like this in your own main.tf file:
+You can go to the [examples](./examples/) folder, however the usage of the module could be like this in your own main.tf file:
 
 ```hcl
 module "vpc" {

build/int.cloudbuild.yaml

@@ -211,6 +211,21 @@ steps:
     - verify firewall-rule
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage teardown --verbose']
+- id: converge hierarchical-firewall-policy
+  waitFor:
+    - destroy firewall-rule
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestHierarchicalFirewallPolicy --stage apply --verbose']
+- id: verify hierarchical-firewall-policy
+  waitFor:
+    - converge hierarchical-firewall-policy
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestHierarchicalFirewallPolicy --stage verify --verbose']
+- id: destroy hierarchical-firewall-policy
+  waitFor:
+    - verify hierarchical-firewall-policy
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestHierarchicalFirewallPolicy --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/hierarchical-firewall-policy/README.md

@@ -0,0 +1,30 @@
+#  hierarchical Firewall Policy Rule
+
+This example creates a Service Account and 2 hierarchical firewall policy. First policy will have a few rules and will be attached to folders. Second policy will not be attached and any folders/org and will not have any rules.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| folder1 | The folder\_id ID 1 to to create firewall policy in | `any` | n/a | yes |
+| folder2 | The folder\_id ID 2 to attach firewal policy to | `any` | n/a | yes |
+| folder3 | The folder\_id ID 3 to attach firewal policy to | `any` | n/a | yes |
+| org\_id | The org ID attach firewal policy to | `any` | n/a | yes |
+| project\_id | The project ID to host the network in | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| firewal\_policy\_no\_rules\_id | ID of Firewall policy created without any rules and association |
+| firewal\_policy\_no\_rules\_name | Name of Firewall policy created without any rules and association |
+| firewal\_policy\_no\_rules\_parent\_folder | Firewall policy parent |
+| fw\_policy\_id | Firewall policy ID |
+| fw\_policy\_name | Firewall policy name |
+| fw\_policy\_parent\_folder | Firewall policy parent |
+| project\_id | Project ID |
+| rules | Firewall policy rules |
+| target\_associations | Firewall policy association |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/hierarchical-firewall-policy/main.tf

@@ -0,0 +1,190 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  prefix = "hierarchical"
+}
+
+resource "random_string" "random_suffix" {
+  length  = 6
+  special = false
+  lower   = true
+  upper   = false
+}
+
+resource "google_service_account" "service_account" {
+  project      = var.project_id
+  account_id   = "${local.prefix}-fw-test-svc-acct"
+  display_name = "${local.prefix} firewall policy test service account"
+}
+
+resource "google_compute_network" "network" {
+  project = var.project_id
+  name    = "${local.prefix}-network"
+}
+
+resource "google_compute_network" "network_backup" {
+  project = var.project_id
+  name    = "${local.prefix}-network-backup"
+}
+
+module "firewal_policy" {
+  source  = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy"
+  version = "~> 9.0"
+
+  parent_node    = "folders/${var.folder1}"
+  policy_name    = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
+  description    = "test ${local.prefix} firewall policy"
+  target_org     = var.org_id
+  target_folders = [var.folder2, var.folder3]
+
+  rules = [
+    {
+      priority       = "1"
+      direction      = "INGRESS"
+      action         = "allow"
+      rule_name      = "ingress-1"
+      description    = "test ingres rule 1"
+      enable_logging = true
+      match = {
+        src_ip_ranges            = ["10.100.0.1/32"]
+        src_fqdns                = ["example.com"]
+        src_region_codes         = ["US"]
+        src_threat_intelligences = ["iplist-public-clouds"]
+        layer4_configs = [
+          {
+            ip_protocol = "all"
+          },
+        ]
+      }
+    },
+    {
+      priority    = "2"
+      direction   = "INGRESS"
+      action      = "deny"
+      rule_name   = "ingress-2"
+      disabled    = true
+      description = "test ingres rule 2"
+      target_resources = [
+        "projects/${var.project_id}/global/networks/${local.prefix}-network-backup",
+      ]
+      match = {
+        src_ip_ranges    = ["10.100.0.2/32"]
+        src_fqdns        = ["example.org"]
+        src_region_codes = ["BE"]
+        layer4_configs = [
+          {
+            ip_protocol = "all"
+          },
+        ]
+      }
+    },
+    {
+      priority                = "3"
+      direction               = "INGRESS"
+      action                  = "allow"
+      rule_name               = "ingress-3"
+      disabled                = true
+      description             = "test ingres rule 3"
+      enable_logging          = true
+      target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"]
+      match = {
+        src_ip_ranges  = ["10.100.0.3/32"]
+        dest_ip_ranges = ["10.100.0.103/32"]
+        layer4_configs = [
+          {
+            ip_protocol = "tcp"
+            ports       = ["80"]
+          },
+        ]
+      }
+    },
+    {
+      priority       = "101"
+      direction      = "EGRESS"
+      action         = "allow"
+      rule_name      = "egress-101"
+      description    = "test egress rule 101"
+      enable_logging = true
+      match = {
+        src_ip_ranges             = ["10.100.0.2/32"]
+        dest_fqdns                = ["example.com"]
+        dest_region_codes         = ["US"]
+        dest_threat_intelligences = ["iplist-public-clouds"]
+        layer4_configs = [
+          {
+            ip_protocol = "all"
+          },
+        ]
+      }
+    },
+    {
+      priority    = "102"
+      direction   = "EGRESS"
+      action      = "deny"
+      rule_name   = "egress-102"
+      disabled    = true
+      description = "test egress rule 102"
+      target_resources = [
+        "projects/${var.project_id}/global/networks/${local.prefix}-network",
+      ]
+      match = {
+        src_ip_ranges     = ["10.100.0.102/32"]
+        dest_ip_ranges    = ["10.100.0.2/32"]
+        dest_region_codes = ["AR"]
+        layer4_configs = [
+          {
+            ip_protocol = "all"
+          },
+        ]
+      }
+    },
+    {
+      priority                = "103"
+      direction               = "EGRESS"
+      action                  = "allow"
+      rule_name               = "egress-103"
+      disabled                = true
+      description             = "test ingres rule 103"
+      enable_logging          = true
+      target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"]
+      match = {
+        dest_ip_ranges = ["10.100.0.103/32"]
+        layer4_configs = [
+          {
+            ip_protocol = "tcp"
+            ports       = ["80", "8080", "8081-8085"]
+          },
+        ]
+      }
+    },
+
+  ]
+  depends_on = [
+    google_compute_network.network,
+    google_compute_network.network_backup,
+  ]
+
+}
+
+module "firewal_policy_no_rule" {
+  source  = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy"
+  version = "~> 9.0"
+
+  parent_node = "folders/${var.folder1}"
+  policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}"
+  description = "${local.prefix} test firewall policy without any rules"
+}

examples/hierarchical-firewall-policy/outputs.tf

@@ -0,0 +1,60 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project ID"
+}
+
+output "fw_policy_id" {
+  value       = module.firewal_policy.fw_policy.name
+  description = "Firewall policy ID"
+}
+
+output "fw_policy_parent_folder" {
+  value       = module.firewal_policy.fw_policy.parent
+  description = "Firewall policy parent"
+}
+
+output "fw_policy_name" {
+  value       = module.firewal_policy.fw_policy.short_name
+  description = "Firewall policy name"
+}
+
+output "target_associations" {
+  value       = module.firewal_policy.target_associations
+  description = "Firewall policy association"
+}
+
+output "rules" {
+  value       = module.firewal_policy.rules
+  description = "Firewall policy rules"
+}
+
+output "firewal_policy_no_rules_id" {
+  value       = module.firewal_policy_no_rule.fw_policy.name
+  description = "ID of Firewall policy created without any rules and association"
+}
+
+output "firewal_policy_no_rules_name" {
+  value       = module.firewal_policy_no_rule.fw_policy.short_name
+  description = "Name of Firewall policy created without any rules and association"
+}
+
+output "firewal_policy_no_rules_parent_folder" {
+  value       = module.firewal_policy.fw_policy.parent
+  description = "Firewall policy parent"
+}

examples/hierarchical-firewall-policy/variables.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the network in"
+}
+
+variable "folder1" {
+  description = "The folder_id ID 1 to to create firewall policy in"
+}
+
+variable "folder2" {
+  description = "The folder_id ID 2 to attach firewal policy to"
+}
+
+variable "folder3" {
+  description = "The folder_id ID 3 to attach firewal policy to"
+}
+
+variable "org_id" {
+  description = "The org ID attach firewal policy to"
+}

modules/fabric-net-firewall/main.tf

@@ -116,7 +116,6 @@ resource "google_compute_firewall" "allow-tag-https" {
 ################################################################################
 
 resource "google_compute_firewall" "custom" {
-  # provider                = "google-beta"
   for_each                = var.custom_rules
   name                    = each.key
   description             = each.value.description