diff --git a/README.md b/README.md index 6517a4859..79357fd0b 100644 --- a/README.md +++ b/README.md 
@@ -9,30 +9,34 @@ It supports creating: - Secondary ranges for the subnets (if applicable) - routes - firewall rules - -[Sub modules](./modules/) are provided for creating individual vpc, subnets, routes, firewall rules, and firewall policies. See the [modules](./modules/) directory for the various sub modules usage. -- [vpc](./modules/vpc/) -- [subnet](./modules/subnets/) -- [route](./modules/routes/) -- [firewall rules](./modules/firewall-rules/) -- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/) -- [network firewall policy](./modules/network-firewall-policy/) -- [serverless vpc access connector](./modules/vpc-serverless-connector-beta/) -- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/) +- network firewall policy +- hierarchical firewall policy +- serverless vpc access connector +- network connectivity center + +[Sub modules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules) are provided for creating individual vpc, subnets, routes, firewall rules, network firewall policies, hierarchical firewall policy, serverless vpc access connector and network connectivity center. See the [modules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules) directory for the various sub modules usage. 
+- [vpc](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/vpc) +- [subnet](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/subnets/) +- [route](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/routes) +- [firewall rules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/firewall-rules) +- [network firewall policy](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-firewall-policy) +- [hierarchical firewall policy](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/hierarchical-firewall-policy) +- [serverless vpc access connector](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/vpc-serverless-connector-beta) +- [network connectivity center](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-connectivity-center) ## Compatibility -This module is meant for use with Terraform 1.3+ and tested using Terraform 1.4+. +This module is meant for use with Terraform 1.3+. If you find incompatibilities using Terraform `>=1.3`, please open an issue. ## Usage -You can go to the [examples](./examples/) folder, however the usage of the module could be like this in your own main.tf file: +Comprehensive examples are available in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/main/examples) folder. Simple usage: ```hcl module "vpc" { source = "terraform-google-modules/network/google" - version = "~> 10.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" 
@@ -191,9 +195,6 @@ The routes list contains maps, where each object represents a route. For the nex ## Requirements ### Installed Software - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 -- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.25 -- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.25 -- [gcloud](https://cloud.google.com/sdk/gcloud/) >243.0.0 ### Configure a Service Account In order to execute this module you must have a Service Account with the following roles: @@ -214,6 +215,3 @@ In order to operate with the Service Account you must activate the following API Refer to the [contribution guidelines](./CONTRIBUTING.md) for information on contributing to this module. - -[terraform-0.13-upgrade]: https://www.terraform.io/upgrade-guides/0-13.html -[2.6.0]: https://registry.terraform.io/modules/terraform-google-modules/network/google/2.6.0 diff --git a/docs/upgrading_to_v11.0.0.md b/docs/upgrading_to_v11.0.0.md new file mode 100644 index 000000000..425e6a7b4 --- /dev/null +++ b/docs/upgrading_to_v11.0.0.md @@ -0,0 +1,8 @@ +# Upgrading to v11.0.0 + +The v11.0 release contains backwards-incompatible changes. + +This update requires upgrading: +- minimum provider version of `hashicorp/google` to `6.28` and `hashicorp/google-beta` to `6.28` for network-firewall-policy sub-module. +- minimum provider version of `hashicorp/google` to `6.19` for vpc sub-module. +- minimum provider version of `hashicorp/google` to `6.18` for hierarchical-firewall-policy sub-module. diff --git a/examples/global-network-firewall-policy/README.md b/examples/global-network-firewall-policy/README.md index 70edc8690..02922c1c9 100644 --- a/examples/global-network-firewall-policy/README.md +++ b/examples/global-network-firewall-policy/README.md 
@@ -1,12 +1,13 @@ # Network Firewall Policy Rule -This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. +This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. It also creates a packet mirroring rule for out of band network service integration. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| org\_id | The project ID to host the network in | `any` | n/a | yes | | project\_id | The project ID to host the network in | `any` | n/a | yes | ## Outputs diff --git a/examples/global-network-firewall-policy/main.tf b/examples/global-network-firewall-policy/main.tf index 4ac4a8390..0dc57e9ef 100644 --- a/examples/global-network-firewall-policy/main.tf +++ b/examples/global-network-firewall-policy/main.tf 
@@ -74,9 +74,62 @@ resource "google_service_account" "service_account" { display_name = "${local.prefix} firewall policy test service account" } +################################ +# VPC Spoke # +################################ +module "vpc" { + source = "terraform-google-modules/network/google//modules/vpc" + version = "~> 10.0" + + project_id = var.project_id + network_name = "global-sec-policy-test-vpc" + + # shared_vpc_host = false +} + +resource "google_network_security_mirroring_deployment_group" "mirroring_deployment_group" { + project = var.project_id + mirroring_deployment_group_id = "${local.prefix}-mirroring-dg" + location = "global" + description = "suricata mirroring deployment group" + network = module.vpc.network_id +} + +resource "google_network_security_mirroring_endpoint_group" "mirroring_endpoint_group" { + provider = google-beta + project = var.project_id + mirroring_endpoint_group_id = "${local.prefix}-mirroring-eg" + location = "global" + description = "suricata mirroring endpoint group" + mirroring_deployment_group = google_network_security_mirroring_deployment_group.mirroring_deployment_group.id +} + + +resource "google_network_security_security_profile" "security_profile" { + provider = google-beta + name = "${local.prefix}-security-profile" + parent = "organizations/${var.org_id}" + description = "Security profile description" + type = "CUSTOM_MIRRORING" + + custom_mirroring_profile { + mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.mirroring_endpoint_group.id + } +} + +resource "google_network_security_security_profile_group" "security_profile_group" { + provider = google-beta + name = "${local.prefix}-sec-profile-group" + parent = "organizations/${var.org_id}" + description = "Security profile group" + custom_mirroring_profile = google_network_security_security_profile.security_profile.id +} + + + module "firewal_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - 
version = "~> 10.0" + version = "~> 11.0" project_id = var.project_id policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}" @@ -205,6 +258,27 @@ module "firewal_policy" { ] } }, + { + is_mirroring = true + priority = "200" + direction = "EGRESS" + action = "mirror" + rule_name = "egress-200" + disabled = false + description = "test egress mirroring rule 200" + target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"] + match = { + src_ip_ranges = ["0.0.0.0/0"] + dest_ip_ranges = ["0.0.0.0/0"] + layer4_configs = [ + { + ip_protocol = "tcp" + ports = ["80"] + } + ] + } + security_profile_group_id = google_network_security_security_profile_group.security_profile_group.id + }, ] @@ -216,7 +290,7 @@ module "firewal_policy" { module "firewal_policy_no_rule" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" project_id = var.project_id policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}" description = "${local.prefix} test firewall policy without any rules" diff --git a/examples/global-network-firewall-policy/variables.tf b/examples/global-network-firewall-policy/variables.tf index 77bb4303f..1d04a2f76 100644 --- a/examples/global-network-firewall-policy/variables.tf +++ b/examples/global-network-firewall-policy/variables.tf @@ -17,3 +17,7 @@ variable "project_id" { description = "The project ID to host the network in" } + +variable "org_id" { + description = "The project ID to host the network in" +} diff --git a/examples/hierarchical-firewall-policy/main.tf b/examples/hierarchical-firewall-policy/main.tf index bf5338d1d..df564ec2f 100644 --- a/examples/hierarchical-firewall-policy/main.tf +++ b/examples/hierarchical-firewall-policy/main.tf 
@@ -43,7 +43,7 @@ resource "google_compute_network" "network_backup" { module "firewal_policy" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" parent_node = "folders/${var.folder1}" policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}" @@ -181,7 +181,7 @@ module "firewal_policy" { module "firewal_policy_no_rule" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" parent_node = "folders/${var.folder1}" policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}" diff --git a/metadata.yaml b/metadata.yaml index 5c0db5e2f..ec4d4fbf9 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -39,6 +39,8 @@ spec: location: modules/firewall-rules - name: hierarchical-firewall-policy location: modules/hierarchical-firewall-policy + - name: network-connectivity-center + location: modules/network-connectivity-center - name: network-firewall-policy location: modules/network-firewall-policy - name: network-peering @@ -84,6 +86,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring 
@@ -228,6 +232,14 @@ spec: description: The name of the network being created varType: string required: true + - name: network_profile + description: | + "A full or partial URL of the network profile to apply to this network. + This field can be set only at resource creation time. For example, the + following are valid URLs: + * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} + * projects/{projectId}/global/networkProfiles/{network_profile_name} + varType: string - name: project_id description: The ID of the project where this VPC will be created varType: string @@ -305,6 +317,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -314,6 +327,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -321,4 +338,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/fabric-net-firewall/metadata.yaml b/modules/fabric-net-firewall/metadata.yaml index a8e53aa87..278a2d628 100644 --- a/modules/fabric-net-firewall/metadata.yaml +++ b/modules/fabric-net-firewall/metadata.yaml 
@@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -190,6 +192,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -199,6 +202,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -206,4 +213,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/fabric-net-firewall/versions.tf b/modules/fabric-net-firewall/versions.tf index dc87fbba5..4bbadfa82 100644 --- a/modules/fabric-net-firewall/versions.tf +++ b/modules/fabric-net-firewall/versions.tf @@ -16,6 +16,7 @@ terraform { required_version = ">= 1.3" + required_providers { google = { source = "hashicorp/google" diff --git a/modules/fabric-net-svpc-access/README.md b/modules/fabric-net-svpc-access/README.md index 6cc3c9032..0998bc0ea 100644 --- a/modules/fabric-net-svpc-access/README.md +++ b/modules/fabric-net-svpc-access/README.md 
@@ -19,7 +19,8 @@ Basic usage of this module is as follows: ```hcl module "net-shared-vpc-access" { source = "terraform-google-modules/network/google//modules/fabric-net-svpc-access" - version = "~> 1.4.0" + version = "~> 11.0" + host_project_id = "my-host-project-id" service_project_num = 1 service_project_ids = ["my-service-project-id"] diff --git a/modules/fabric-net-svpc-access/metadata.yaml b/modules/fabric-net-svpc-access/metadata.yaml index a2d18191d..f1df16dee 100644 --- a/modules/fabric-net-svpc-access/metadata.yaml +++ b/modules/fabric-net-svpc-access/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -123,6 +125,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -132,6 +135,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -139,4 +146,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/fabric-net-svpc-access/versions.tf b/modules/fabric-net-svpc-access/versions.tf index 73afdf313..1bfe6b0a9 100644 --- a/modules/fabric-net-svpc-access/versions.tf +++ b/modules/fabric-net-svpc-access/versions.tf 
@@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/firewall-rules/metadata.yaml b/modules/firewall-rules/metadata.yaml index a27d4282e..d13b7f4f0 100644 --- a/modules/firewall-rules/metadata.yaml +++ b/modules/firewall-rules/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -189,6 +191,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -198,6 +201,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -205,4 +212,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/firewall-rules/versions.tf b/modules/firewall-rules/versions.tf index 9670feea8..5444854f3 100644 --- a/modules/firewall-rules/versions.tf +++ b/modules/firewall-rules/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/hierarchical-firewall-policy/README.md b/modules/hierarchical-firewall-policy/README.md index 32eb4e5f4..c137c19ee 100644 
--- a/modules/hierarchical-firewall-policy/README.md +++ b/modules/hierarchical-firewall-policy/README.md @@ -9,7 +9,7 @@ Variable `rules` details are available [here](#firwall-policy-rules-format). Hig ``` module "hierarchical_firewall_policy" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 9.0" + version = "~> 11.0" parent_node = "folders/123456789012" policy_name = "test-policy" @@ -31,7 +31,7 @@ There are examples included for [hierarchical firewall policy](../../examples/hi ```hcl module "firewal_policy" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" parent_node = "folders/123456789012" policy_name = "test-policy" @@ -167,7 +167,7 @@ module "firewal_policy" { | description | An optional description of this resource. Provide this property when you create the resource | `string` | `null` | no | | parent\_node | The parent of the firewall policy. Parent should be in format organizations/ or folders/ | `string` | n/a | yes | | policy\_name | User-provided name of the hierarchical firewall policy | `string` | n/a | yes | -| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_service_accounts = optional(list(string), [])
target_resources = optional(list(string), [])
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
}))
| `[]` | no | +| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_service_accounts = optional(list(string), [])
target_resources = optional(list(string), [])
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
src_networks = optional(list(string), [])
src_network_scope = optional(string)
dest_network_scope = optional(string)
})
}))
| `[]` | no | | target\_folders | List of target folders IDs that the firewall policy will be attached to | `list(string)` | `[]` | no | | target\_org | Target org id that the firewall policy will be attached to | `string` | `null` | no | @@ -232,8 +232,8 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli ## Requirements ### Installed Software - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 -- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.64 -- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.64 +- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 6.18 +- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 6.18 ### Configure a Service Account In order to execute this module you must have a Service Account with the following roles: diff --git a/modules/hierarchical-firewall-policy/main.tf b/modules/hierarchical-firewall-policy/main.tf index 8fbcca845..a4483b076 100644 --- a/modules/hierarchical-firewall-policy/main.tf +++ b/modules/hierarchical-firewall-policy/main.tf @@ -60,6 +60,9 @@ resource "google_compute_firewall_policy_rule" "rules" { dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] dest_address_groups = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_address_groups", []) : [] + src_networks = lookup(each.value.match, "src_networks", []) + src_network_scope = lookup(each.value.match, "src_network_scope", null) + dest_network_scope = lookup(each.value.match, "dest_network_scope", null) dynamic "layer4_configs" { for_each = each.value.match.layer4_configs 
diff --git a/modules/hierarchical-firewall-policy/metadata.yaml b/modules/hierarchical-firewall-policy/metadata.yaml index 06d47aaa3..953187a75 100644 --- a/modules/hierarchical-firewall-policy/metadata.yaml +++ b/modules/hierarchical-firewall-policy/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -148,6 +150,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -157,6 +160,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -164,4 +171,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.18, < 7" + - source: hashicorp/google-beta + version: ">= 6.18, < 7" diff --git a/modules/hierarchical-firewall-policy/variables.tf b/modules/hierarchical-firewall-policy/variables.tf index e63170c61..34fcb3cba 100644 --- a/modules/hierarchical-firewall-policy/variables.tf +++ b/modules/hierarchical-firewall-policy/variables.tf @@ -73,6 +73,9 @@ variable "rules" { ip_protocol = optional(string, "all") ports = optional(list(string), []) })), [{}]) + src_networks = optional(list(string), []) + src_network_scope = optional(string) + dest_network_scope = optional(string) }) })) default = [] 
diff --git a/modules/hierarchical-firewall-policy/versions.tf b/modules/hierarchical-firewall-policy/versions.tf index 33786a026..8457696c9 100644 --- a/modules/hierarchical-firewall-policy/versions.tf +++ b/modules/hierarchical-firewall-policy/versions.tf @@ -15,16 +15,16 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { source = "hashicorp/google" - version = ">= 4.64, < 7" + version = ">= 6.18, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.64, < 7" + version = ">= 6.18, < 7" } } diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md index 3b1e5b6bc..0d2253da9 100644 --- a/modules/network-connectivity-center/README.md +++ b/modules/network-connectivity-center/README.md @@ -9,7 +9,7 @@ Basic usage of this submodule is as follows: ```hcl module "ncc" { source = "terraform-google-modules/network/google//modules/network-connectivity-center" - version = "~> 9.0.0" + version = "~> 11.0" project_id = "" } diff --git a/modules/network-connectivity-center/metadata.yaml b/modules/network-connectivity-center/metadata.yaml new file mode 100644 index 000000000..7fc20bf67 --- /dev/null +++ b/modules/network-connectivity-center/metadata.yaml 
@@ -0,0 +1,195 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-network-network-connectivity-center + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Network Connectivity Center Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/network-connectivity-center + version: 10.0.0 + actuationTool: + flavor: Terraform + version: ">= 1.3.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: 
ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: export_psc + description: Whether Private Service Connect transitivity is enabled for the hub + varType: bool + defaultValue: false + - name: hybrid_spokes + description: VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. 
+ varType: |- + map(object({ + location = string + uris = set(string) + site_to_site_data_transfer = optional(bool, false) + type = string + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + - name: ncc_hub_description + description: The description of the NCC Hub + varType: string + - name: ncc_hub_labels + description: These labels will be added the NCC hub + varType: map(string) + defaultValue: {} + - name: ncc_hub_name + description: The Name of the NCC Hub + varType: string + required: true + - name: project_id + description: Project ID of the project that holds the network. + varType: string + required: true + - name: router_appliance_spokes + description: Router appliance instances that are associated with the spoke. + varType: |- + map(object({ + instances = set(object({ + virtual_machine = string + ip_address = string + })) + location = string + site_to_site_data_transfer = optional(bool, false) + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + - name: spoke_labels + description: These labels will be added to all NCC spokes + varType: map(string) + defaultValue: {} + - name: vpc_spokes + description: VPC network that is associated with the spoke + varType: |- + map(object({ + uri = string + exclude_export_ranges = optional(set(string), []) + include_export_ranges = optional(set(string), []) + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + outputs: + - name: hybrid_spokes + description: All hybrid spoke objects + - name: ncc_hub + description: The NCC Hub object + - name: router_appliance_spokes + description: All router appliance spoke objects + - name: spokes + description: All spoke objects prefixed with the type of spoke (vpc, hybrid, appliance) + - name: vpc_spokes + description: All vpc spoke objects + requirements: + roles: + - level: Project + roles: + - roles/compute.instanceAdmin + - roles/compute.networkAdmin + - 
roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - networkconnectivity.googleapis.com + - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 6.2, < 7" + - source: hashicorp/google + version: ">= 6.2, < 7" diff --git a/modules/network-connectivity-center/versions.tf b/modules/network-connectivity-center/versions.tf index 19364f7d3..18a757ec3 100644 --- a/modules/network-connectivity-center/versions.tf +++ b/modules/network-connectivity-center/versions.tf @@ -15,12 +15,12 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { source = "hashicorp/google" - version = ">= 6.2.0, < 7" + version = ">= 6.2, < 7" } } diff --git a/modules/network-firewall-policy/README.md b/modules/network-firewall-policy/README.md index d0ee545dc..8fb800bf0 100644 --- a/modules/network-firewall-policy/README.md +++ b/modules/network-firewall-policy/README.md @@ -9,7 +9,7 @@ Variable `rules` details are available [here](#firwall-policy-rules-format). Hig ``` module "network_firewall_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + version = "~> 11.0" project_id = var.project_id policy_name = "my-firewall-policy" description = "Test firewall policy" 
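Review bot: The project-level `roles` list in network-connectivity-center/metadata.yaml (and the identical list this PR adds to every other submodule's metadata) includes `roles/compute.instanceAdmin`, `roles/iam.serviceAccountAdmin`, `roles/vpcaccess.admin`, `roles/dns.admin` and the three `roles/networksecurity.*Admin` roles, none of which an NCC hub and its spokes need. If `requirements.roles` describes the integration-test service account, say so in a comment; if readers take it as the module's required permissions it overstates them considerably, and a list limited to what the hub and spoke resources actually create would be the better thing to publish.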
@@ -29,7 +29,7 @@ There are examples included for [global](https://github.com/terraform-google-mod ```hcl module "network_firewall_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + version = "~> 11.0" project_id = var.project_id policy_name = "my-firewall-policy" description = "Test firewall policy" @@ -135,7 +135,7 @@ module "network_firewall_policy" { | policy\_name | User-provided name of the Network firewall policy | `string` | n/a | yes | | policy\_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | `string` | `null` | no | | project\_id | Project ID of the Network firewall policy | `string` | n/a | yes | -| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
}))
| `[]` | no | +| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
is_mirroring = optional(bool, false)
tls_inspect = optional(bool, false)
security_profile_group_id = optional(string)
src_networks = optional(list(string), [])
src_network_scope = optional(string)
dest_network_scope = optional(string)
}))
| `[]` | no | | target\_vpcs | List of target VPC IDs that the firewall policy will be attached to | `list(string)` | `[]` | no | ## Outputs 
@@ -150,15 +150,18 @@ module "network_firewall_policy" { ## Firwall Policy Rules Format -In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-policies-rule-details), you specify a set of components that define what the rule does. Some of the values are optional and some have default value. See [Inputs](#Inputs). For sample code check [global](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/global-network-firewall-policy) and [regional](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/regional-network-firewall-policy) in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/) folder. +In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-policies-rule-details), you specify a set of components that define what the rule does. Some of the values are optional and some have default value. See [Inputs](#Inputs). For sample code check [global](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/global-network-firewall-policy) and [regional](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/regional-network-firewall-policy) in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/) folders. [Global](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/global-network-firewall-policy) folder also contains example for `Out-of-band Network Security Integration` firewall rule. - `priority`: An integer indicating the priority of a rule in the list. The `priority` must be a positive value between 0 and 2147483647 and It has to be unique for every rule. +- `action`: The Action to perform when the client connection triggers the rule. 
Valid actions are "allow", "deny", "goto_next", "apply_security_profile_group", "mirror", "do_not_mirror" and "goto_next". "mirror" and "do_not_mirror" can be used only if is_mirroring is set to true. - `dest_fqdns`, `dest_region_codes`, `dest_threat_intelligences` and `dest_address_groups` values are not needed and ignored by the this for `INGRESS` policies. - `src_fqdns`, `src_region_codes`, `src_threat_intelligences` and `src_address_groups` values are not needed and ignored by this module for `EGRESS` policies. - `target_secure_tags` may not be set at the same time as `target_service_accounts`. When both `target_service_accounts` and `target_secure_tags` are provided, this module will generate an error message. - `layer4_configs` is a list of maps. - `ip_protocol`: IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (`tcp`, `udp`, `icmp`, `esp`, `ah`, `ipip`, `sctp`), or the IP protocol number. - `ports`: An optional list of ports to which this rule applies. Field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. +- `tls_inspect`: Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions +- `is_mirroring`: Boolean flag indicating packet mirroring rule. ### Format 
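Review bot: In the new `action` bullet, "goto_next" is listed twice ("allow", "deny", "goto_next", ..., "do_not_mirror" and "goto_next"); drop the trailing duplicate. The same section documents `tls_inspect` and `is_mirroring` but none of the other new rule attributes (`security_profile_group_id`, `src_networks`, `src_network_scope`, `dest_network_scope`), so add bullets giving the expected form of the profile-group ID (the module prefixes it with `//networksecurity.googleapis.com/`) and the accepted scope values. The `tls_inspect` bullet says it "cannot be set for other actions", yet the variable defaults it to `false` and the Format example passes `null`, which `optional(bool, false)` turns into `false`; if "unset" is the intended default, declare it `optional(bool)`. Drive-by in the unchanged context: "Firwall" in the heading and "ignored by the this for `INGRESS`" could be fixed while this file is open.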
@@ -191,14 +194,17 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli }, ] } + is_mirroring = false + tls_inspect = null + security_profile_group_id = null } ``` ## Requirements ### Installed Software - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 -- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.64 -- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.64 +- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 6.28 +- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 6.28 ### Configure a Service Account In order to execute this module you must have a Service Account with the following roles: diff --git a/modules/network-firewall-policy/main.tf b/modules/network-firewall-policy/main.tf index 947f7d962..5b3229bd4 100644 --- a/modules/network-firewall-policy/main.tf +++ b/modules/network-firewall-policy/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -39,7 +39,7 @@ resource "google_compute_network_firewall_policy_association" "vpc_associations" resource "google_compute_network_firewall_policy_rule" "rules" { provider = google-beta - for_each = local.global ? { for x in var.rules : x.priority => x } : {} + for_each = local.global ? { for x in var.rules : x.priority => x if x.is_mirroring == false } : {} priority = each.key project = var.project_id action = each.value.action 
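Review bot: The `for_each` filter `if x.is_mirroring == false` is applied only to the global rule resource, and the packet-mirroring resource is also gated on `local.global`, so a rule with `is_mirroring = true` under a regional policy (`policy_region` set) is either created nowhere, if the regional `for_each` filters it too, or handed to `google_compute_region_network_firewall_policy_rule` with `action = "mirror"`, if it does not; the regional `for_each` is not in this diff, so please confirm which, and add a `validation` block on `rules` that rejects `is_mirroring = true` together with a regional policy instead of relying on an API error.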
@@ -65,11 +65,14 @@ resource "google_compute_network_firewall_policy_rule" "rules" { src_region_codes = each.value.direction == "INGRESS" ? lookup(each.value.match, "src_region_codes", []) : [] src_threat_intelligences = each.value.direction == "INGRESS" ? lookup(each.value.match, "src_threat_intelligences", []) : [] src_address_groups = each.value.direction == "INGRESS" ? lookup(each.value.match, "src_address_groups", []) : [] - dest_ip_ranges = lookup(each.value.match, "dest_ip_ranges", []) # == null ? [] : lookup(each.value.match, "dest_ip_ranges", []) + dest_ip_ranges = lookup(each.value.match, "dest_ip_ranges", []) dest_fqdns = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_fqdns", []) : [] dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] dest_address_groups = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_address_groups", []) : [] + src_networks = lookup(each.value.match, "src_networks", []) + src_network_scope = lookup(each.value.match, "src_network_scope", null) + dest_network_scope = lookup(each.value.match, "dest_network_scope", null) dynamic "src_secure_tags" { for_each = each.value.direction != "INGRESS" || each.value.match.src_secure_tags == null ? [] : toset(each.value.match.src_secure_tags) 
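Review bot: In the global rule `match` block, `src_networks = lookup(each.value.match, "src_networks", [])`, `src_network_scope = lookup(each.value.match, "src_network_scope", null)` and `dest_network_scope = lookup(each.value.match, "dest_network_scope", null)` read attributes that variables.tf declares on the rule object, after the `match` object closes, not inside it. Because `match` is an object type without those attributes, `lookup` falls through to its default, so whatever a caller sets is silently discarded and the rule is created with an empty network scope. Either reference `each.value.src_networks` / `each.value.src_network_scope` / `each.value.dest_network_scope` directly, or move the three attributes into `match` in variables.tf, the README table and metadata.yaml so the schema and the resource agree. The same three lines are repeated in the regional rule resource below.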
@@ -90,6 +93,45 @@ resource "google_compute_network_firewall_policy_rule" "rules" { } +# Mirroring rules + +resource "google_compute_network_firewall_policy_packet_mirroring_rule" "rules" { + provider = google-beta + + for_each = local.global ? { for x in var.rules : x.priority => x if x.is_mirroring == true } : {} + priority = each.key + project = var.project_id + action = each.value.action + description = each.value.description + direction = each.value.direction + disabled = each.value.disabled + firewall_policy = google_compute_network_firewall_policy.fw_policy[0].name + rule_name = each.value.rule_name + tls_inspect = lookup(each.value, "tls_inspect", null) + security_profile_group = "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" + + dynamic "target_secure_tags" { + for_each = each.value.target_secure_tags == null ? [] : toset(each.value.target_secure_tags) + content { + name = target_secure_tags.value + } + } + + match { + src_ip_ranges = lookup(each.value.match, "src_ip_ranges", []) + dest_ip_ranges = lookup(each.value.match, "dest_ip_ranges", []) + + dynamic "layer4_configs" { + for_each = each.value.match.layer4_configs + content { + ip_protocol = layer4_configs.value.ip_protocol + ports = layer4_configs.value.ports + } + } + + } + +} ########## Regional ########## 
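Review bot: `security_profile_group = "//networksecurity.googleapis.com/${each.value.security_profile_group_id}"` is evaluated unconditionally while `security_profile_group_id` is `optional(string)` with no default, so a mirroring rule that omits it (an `action = "do_not_mirror"` rule, or the README Format example, which sets it to `null`) fails at plan time with a null-interpolation error instead of producing a rule without a profile group. Guard it: `security_profile_group = each.value.security_profile_group_id == null ? null : "//networksecurity.googleapis.com/${each.value.security_profile_group_id}"`. Two smaller points in the same resource: `lookup(each.value, "tls_inspect", null)` can never return `null` because the attribute defaults to `false`, so `each.value.tls_inspect` is clearer; and `target_service_accounts` from the rule object is not passed through here while the variable still accepts it for mirroring rules, so such a rule silently applies to every instance in the attached networks rather than only the named service accounts. A validation rejecting `is_mirroring` together with `target_service_accounts` would surface that instead of mirroring more traffic than the caller scoped.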
@@ -145,6 +187,9 @@ resource "google_compute_region_network_firewall_policy_rule" "rules" { dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] dest_address_groups = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_address_groups", []) : [] + src_networks = lookup(each.value.match, "src_networks", []) + src_network_scope = lookup(each.value.match, "src_network_scope", null) + dest_network_scope = lookup(each.value.match, "dest_network_scope", null) dynamic "src_secure_tags" { for_each = each.value.direction != "INGRESS" || each.value.match.src_secure_tags == null ? [] : toset(each.value.match.src_secure_tags) diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml index f2268b7d6..e604bc57d 100644 --- a/modules/network-firewall-policy/metadata.yaml +++ b/modules/network-firewall-policy/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -132,6 +134,9 @@ spec: ports = optional(list(string), []) })), [{}]) }) + is_mirroring = optional(bool, false) + tls_inspect = optional(bool, false) + security_profile_group_id = optional(string) })) defaultValue: [] - name: target_vpcs @@ -149,6 +154,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser 
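Review bot: The `rules` type in network-firewall-policy/metadata.yaml adds only `is_mirroring`, `tls_inspect` and `security_profile_group_id`, while variables.tf also adds `src_networks`, `src_network_scope` and `dest_network_scope`; regenerate the metadata (or add the three lines by hand) so the published interface matches the variable schema. The regional rule hunk above also reads those three attributes from `each.value.match`, where the schema does not put them; see the comment on the global resource.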
@@ -158,6 +164,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -165,4 +175,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 6.28, < 7" + - source: hashicorp/google + version: ">= 6.28, < 7" diff --git a/modules/network-firewall-policy/outputs.tf b/modules/network-firewall-policy/outputs.tf index c3d2a44f6..90fdfe36e 100644 --- a/modules/network-firewall-policy/outputs.tf +++ b/modules/network-firewall-policy/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,6 +25,6 @@ output "vpc_associations" { } output "rules" { - value = merge(google_compute_network_firewall_policy_rule.rules, google_compute_region_network_firewall_policy_rule.rules) + value = merge(google_compute_network_firewall_policy_rule.rules, google_compute_region_network_firewall_policy_rule.rules, google_compute_network_firewall_policy_packet_mirroring_rule.rules) description = "Firewall policy rules created" } diff --git a/modules/network-firewall-policy/variables.tf b/modules/network-firewall-policy/variables.tf index ca74e7536..94b54762a 100644 --- a/modules/network-firewall-policy/variables.tf +++ b/modules/network-firewall-policy/variables.tf 
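Review bot: In outputs.tf, `rules` now merges three maps that are all keyed by `priority`, and for a global policy both `google_compute_network_firewall_policy_rule.rules` and `google_compute_network_firewall_policy_packet_mirroring_rule.rules` are populated. If a regular rule and a mirroring rule share a priority value (they are separate rule lists in the policy, and nothing in variables.tf forbids it), `merge` keeps only the later map's entry and the other rule disappears from the output. Key the merged map by type as well (for example `"mirror-${k}"` for the packet-mirroring entries) or add a validation that priorities are unique across the whole `rules` list.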
@@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -75,6 +75,12 @@ variable "rules" { ports = optional(list(string), []) })), [{}]) }) + is_mirroring = optional(bool, false) + tls_inspect = optional(bool, false) + security_profile_group_id = optional(string) + src_networks = optional(list(string), []) + src_network_scope = optional(string) + dest_network_scope = optional(string) })) default = [] validation { @@ -83,5 +89,4 @@ variable "rules" { ) error_message = "target_secure_tags may not be set at the same time as target_service_accounts" } - } diff --git a/modules/network-firewall-policy/versions.tf b/modules/network-firewall-policy/versions.tf index f40413f23..7b8fa90f6 100644 --- a/modules/network-firewall-policy/versions.tf +++ b/modules/network-firewall-policy/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,16 +15,16 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { source = "hashicorp/google" - version = ">= 4.64, < 7" + version = ">= 6.28, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.64, < 7" + version = ">= 6.28, < 7" } } diff --git a/modules/network-peering/README.md b/modules/network-peering/README.md index c3adad77a..d5a70c1f1 100644 --- a/modules/network-peering/README.md +++ b/modules/network-peering/README.md @@ -13,7 +13,8 @@ Basic usage of this module is as follows: ```hcl module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" + source = "terraform-google-modules/network/google//modules/network-peering" + version = "~> 11.0" prefix = "name-prefix" local_network = "" 
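Review bot: The `rules` validation still only checks `target_secure_tags` against `target_service_accounts`; with the new attributes the schema now accepts combinations that fail only at apply time, so add validations for `action` being `mirror`/`do_not_mirror` only when `is_mirroring` is true, `security_profile_group_id` being set whenever `action` is `apply_security_profile_group` or `mirror`, and `tls_inspect` only with `action = "mirror"`, as the README states. Also note `src_networks`, `src_network_scope` and `dest_network_scope` are declared here at rule level, directly after `match` closes, while main.tf looks them up inside `each.value.match`; pick one location and keep README and metadata in step with it.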
diff --git a/modules/network-peering/metadata.yaml b/modules/network-peering/metadata.yaml index 040fe459f..4e551b09b 100644 --- a/modules/network-peering/metadata.yaml +++ b/modules/network-peering/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -135,6 +137,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -144,6 +147,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -151,4 +158,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/network-peering/versions.tf b/modules/network-peering/versions.tf index 59863b2de..e1f34745d 100644 --- a/modules/network-peering/versions.tf +++ b/modules/network-peering/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/private-service-connect/README.md b/modules/private-service-connect/README.md index 009c307c3..1741b902f 100644 --- a/modules/private-service-connect/README.md +++ b/modules/private-service-connect/README.md 
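Review bot: Raising `required_version` in network-peering/versions.tf from `>= 0.13.0` to `>= 1.3` (and the same change in private-service-connect, routes-beta, routes, subnets-beta and subnets below) drops support for consumers pinning those submodules on Terraform 0.13 to 1.2; that is appropriate for the `~> 11.0` major bump, but it should be called out in the release notes or upgrade guide rather than only in versions.tf.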
@@ -16,7 +16,8 @@ Basic usage of this module is as follows: ```hcl module "private_service_connect" { - source = "terraform-google-modules/network/google//modules/private-service-connect" + source = "terraform-google-modules/network/google//modules/private-service-connect" + version = "~> 11.0" project_id = "" network_self_link = "" diff --git a/modules/private-service-connect/metadata.yaml b/modules/private-service-connect/metadata.yaml index cc2957fc7..a70625b8e 100644 --- a/modules/private-service-connect/metadata.yaml +++ b/modules/private-service-connect/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -116,6 +118,10 @@ spec: description: Project ID for Private Service Connect. varType: string required: true + - name: psc_global_access + description: This is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region. Defaults to `false` + varType: bool + defaultValue: false - name: service_directory_namespace description: Service Directory namespace to register the forwarding rule under. varType: string @@ -143,6 +149,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -152,6 +159,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com 
@@ -159,4 +170,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/private-service-connect/versions.tf b/modules/private-service-connect/versions.tf index 5c0965d7f..7aca98f82 100644 --- a/modules/private-service-connect/versions.tf +++ b/modules/private-service-connect/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13" + required_version = ">= 1.3" required_providers { google = { source = "hashicorp/google" diff --git a/modules/routes-beta/README.md b/modules/routes-beta/README.md index 81b4cabc9..df9b52efb 100644 --- a/modules/routes-beta/README.md +++ b/modules/routes-beta/README.md @@ -18,7 +18,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/routes-beta" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/routes-beta/metadata.yaml b/modules/routes-beta/metadata.yaml index f2d39037e..4d80795ad 100644 --- a/modules/routes-beta/metadata.yaml +++ b/modules/routes-beta/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -115,6 +117,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser 
@@ -124,6 +127,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -131,4 +138,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/routes-beta/versions.tf b/modules/routes-beta/versions.tf index c921c8150..bdb4f64f9 100644 --- a/modules/routes-beta/versions.tf +++ b/modules/routes-beta/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google-beta = { diff --git a/modules/routes/README.md b/modules/routes/README.md index 376554ab7..3075c8243 100644 --- a/modules/routes/README.md +++ b/modules/routes/README.md @@ -14,7 +14,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/routes" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/routes/metadata.yaml b/modules/routes/metadata.yaml index 2ddd942d9..46784e718 100644 --- a/modules/routes/metadata.yaml +++ b/modules/routes/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring 
@@ -111,6 +113,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -120,6 +123,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -127,4 +134,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/routes/versions.tf b/modules/routes/versions.tf index 1c5dc7bf8..b4e680098 100644 --- a/modules/routes/versions.tf +++ b/modules/routes/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/subnets-beta/README.md b/modules/subnets-beta/README.md index 5a0617c1a..ee95a9f58 100644 --- a/modules/subnets-beta/README.md +++ b/modules/subnets-beta/README.md @@ -13,7 +13,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/subnets-beta" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/subnets-beta/metadata.yaml b/modules/subnets-beta/metadata.yaml index 0ef20e99c..26dbf1e2d 100644 --- a/modules/subnets-beta/metadata.yaml +++ b/modules/subnets-beta/metadata.yaml 
@@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -133,6 +135,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -142,6 +145,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -149,4 +156,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/subnets-beta/versions.tf b/modules/subnets-beta/versions.tf index 9566e78c5..2a82b825e 100644 --- a/modules/subnets-beta/versions.tf +++ b/modules/subnets-beta/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google-beta = { diff --git a/modules/subnets/README.md b/modules/subnets/README.md index 7537ce729..cd39cc6f8 100644 --- a/modules/subnets/README.md +++ b/modules/subnets/README.md @@ -13,7 +13,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/subnets" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/subnets/metadata.yaml b/modules/subnets/metadata.yaml index cbaa40d14..42d617c09 100644 
--- a/modules/subnets/metadata.yaml +++ b/modules/subnets/metadata.yaml @@ -28,7 +28,7 @@ spec: version: 10.0.0 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -129,6 +131,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -138,6 +141,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -145,4 +152,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/subnets/versions.tf b/modules/subnets/versions.tf index 5eaee0676..e48fd7440 100644 --- a/modules/subnets/versions.tf +++ b/modules/subnets/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/vpc-serverless-connector-beta/metadata.yaml b/modules/vpc-serverless-connector-beta/metadata.yaml index c0b0a2bb9..9a91598ec 100644 --- a/modules/vpc-serverless-connector-beta/metadata.yaml +++ b/modules/vpc-serverless-connector-beta/metadata.yaml 
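Review bot: `spec.info.version: 10.0.0` is left unchanged in subnets/metadata.yaml (and in vpc/metadata.yaml below) while every README in this PR now pins `version = "~> 11.0"`; if the metadata is regenerated at release time this is fine, otherwise bump it here so the registry listing and the documented constraint agree.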
@@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -115,6 +117,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -124,6 +127,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -131,4 +138,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 17711c1b1..e39a3f5ed 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -14,7 +14,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/vpc" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index 52721b2a4..711a55bf9 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -36,7 +36,6 @@ resource "google_compute_network" "network" { Shared VPC *****************************************/ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" { - provider = google-beta count = var.shared_vpc_host ? 1 : 0 project = var.project_id diff --git a/modules/vpc/metadata.yaml b/modules/vpc/metadata.yaml index 11967825f..3c9182ba5 100644 --- a/modules/vpc/metadata.yaml +++ b/modules/vpc/metadata.yaml @@ -28,7 +28,7 @@ spec: version: 10.0.0 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -118,6 +120,14 @@ spec: description: The name of the network being created varType: string required: true + - name: network_profile + description: | + "A full or partial URL of the network profile to apply to this network. + This field can be set only at resource creation time. For example, the + following are valid URLs: + * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} + * projects/{projectId}/global/networkProfiles/{network_profile_name} + varType: string - name: project_id description: The ID of the project where this VPC will be created varType: string @@ -145,6 +155,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser 
@@ -154,6 +165,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -161,4 +176,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.19, < 7" + - source: hashicorp/google-beta + version: ">= 6.19, < 7" diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index 7ba11cba3..397ca4b70 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index e0755307e..1f2ff18da 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index bb6a94f4e..2acefd507 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -15,23 +15,20 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { source = "hashicorp/google" - version = ">= 4.64, < 7" + version = ">= 6.19, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.13, < 7" + version = ">= 6.19, < 7" } } provider_meta "google" { module_name = "blueprints/terraform/terraform-google-network:vpc/v10.0.0" } - provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-network:vpc/v10.0.0" - } } diff --git a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go index fd9b0d5bb..6d075ccf0 100644 --- a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go +++ b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go 
@@ -136,6 +136,16 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) { targetServiceAccounts103 := sp103.Get("targetServiceAccounts").Array() assert.Equal(1, len(targetServiceAccounts103), "Rule3should have the correct targetServiceAccounts count") - }) + rule200 := gcloud.Runf(t, "beta compute network-firewall-policies mirroring-rules describe 200 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId) + sp104 := rule200.Array()[0] + assert.Equal("mirror", sp104.Get("action").String(), "Rule200 action should be mirror") + assert.Equal("egress-200", sp104.Get("ruleName").String(), "Rule200 ruleName should be egress-200") + assert.Equal("test egress mirroring rule 200", sp104.Get("description").String(), "Rule200 has expected description") + assert.Equal("EGRESS", sp104.Get("direction").String(), "Rule200 direction should be EGRESS") + assert.Equal( "0.0.0.0/0", sp104.Get("match.destIpRanges").Array()[0].String(), "has expected destIpRanges") + assert.Equal("tcp", sp104.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol") + layer4ConfigsPorts200 := sp104.Get("match.layer4Configs").Array()[0].Get("ports").Array() + assert.Equal(1, len(layer4ConfigsPorts200), "Rule3 should have the correct layer4Configs.ports count") + }) fwp.Test() } diff --git a/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go b/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go index a30912f5d..64a1df4d9 100644 --- a/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go +++ b/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go 
@@ -27,8 +27,8 @@ func TestHierarchicalFirewallPolicy(t *testing.T) { fwp.DefineVerify( func(assert *assert.Assertions) { - // Commenting Default Verify because the provider updates rule_tuple_count, results in a permadiff. - fwp.DefaultVerify(assert) + // Commenting Default Verify because the provider updates rule_tuple_count, src_networks results in a permadiff. + // fwp.DefaultVerify(assert) projectId := fwp.GetStringOutput("project_id") policyName := fwp.GetStringOutput("fw_policy_name") policyId := fwp.GetStringOutput("fw_policy_id") diff --git a/test/setup/iam.tf b/test/setup/iam.tf index b9f270c6e..89d2390ec 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -27,6 +27,9 @@ locals { "roles/iam.serviceAccountAdmin", "roles/compute.orgFirewallPolicyAdmin", "roles/networkconnectivity.hubAdmin", + "roles/networksecurity.mirroringDeploymentAdmin", + "roles/networksecurity.mirroringEndpointAdmin", + "roles/networksecurity.securityProfileAdmin" ] } @@ -48,13 +51,14 @@ resource "google_service_account_key" "int_test" { service_account_id = google_service_account.int_test.id } -# due to limitation we need to assign this role at org level otherwise TF throws an error. Issue is only happening when deployedusing APIs like in TF. Console works fine +# due to limitation we need to assign this role at org level otherwise TF throws an error. Issue is only happening when deployed using APIs like in TF. Console works fine # b/265054739 resource "google_organization_iam_member" "organization" { - org_id = var.org_id - role = "roles/compute.orgFirewallPolicyAdmin" - member = "serviceAccount:${google_service_account.int_test.email}" + for_each = toset(["roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgSecurityResourceAdmin", "roles/networksecurity.securityProfileAdmin"]) + org_id = var.org_id + role = each.value + member = "serviceAccount:${google_service_account.int_test.email}" } 
@@ -66,14 +70,6 @@ resource "google_folder_iam_member" "folder1" { member = "serviceAccount:${google_service_account.int_test.email}" } -# Roles needed on folders to create Attach firewall policies to the folders/org - -resource "google_organization_iam_member" "org_permission" { - org_id = var.org_id - role = "roles/compute.orgSecurityResourceAdmin" - member = "serviceAccount:${google_service_account.int_test.email}" -} - resource "google_folder_iam_member" "folder2" { for_each = toset(["roles/compute.orgSecurityResourceAdmin", "roles/compute.orgFirewallPolicyUser"]) folder = google_folder.folder2.id diff --git a/test/setup/main.tf b/test/setup/main.tf index a496440e1..ce15e77b1 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -38,7 +38,7 @@ resource "google_folder" "folder3" { module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = "ci-network" random_project_id = "true" diff --git a/test/setup/versions.tf b/test/setup/versions.tf index 1dfe4d0f3..92fd2a3e6 100644 --- a/test/setup/versions.tf +++ b/test/setup/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">=0.13.0" + required_version = ">= 1.3" required_providers { google = {
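Review bot: in the `roles` hunks of modules/subnets/metadata.yaml and modules/vpc-serverless-connector-beta/metadata.yaml, the submodule metadata now advertises `roles/compute.instanceAdmin`, `roles/networksecurity.mirroringDeploymentAdmin`, `roles/networksecurity.mirroringEndpointAdmin` and `roles/networksecurity.securityProfileAdmin`, which are the same roles added to test/setup/iam.tf rather than anything the subnets or connector submodule itself creates. If these files are regenerated from the shared test setup that is expected, but anyone provisioning a deployer service account from a submodule's metadata will over-grant; consider stating in the metadata (or the submodule READMEs) that the list is the integration-test superset, or trimming it to what each submodule needs.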
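Review bot: in the `network_profile` hunk of modules/vpc/metadata.yaml the description opens with a stray double quote (`"A full or partial URL of the network profile ...`) that is never closed, so the rendered text carries a literal quote; drop it. The description also says the field can be set only at resource creation time, which presumably means the provider forces replacement when it changes; confirm that and state plainly that changing `network_profile` on an existing network recreates the VPC (and everything attached to it) rather than updating it in place, and that the option needs the `>= 6.19` google provider floor this PR introduces.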
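Review bot: in the modules/vpc/main.tf hunk, dropping `provider = google-beta` from `google_compute_shared_vpc_host_project.shared_vpc_host` moves an already-deployed resource to the `google` provider. Please run `terraform plan` against an existing state built with the previous release and confirm it shows a provider change only, with no replacement of the Shared VPC host binding; detaching a host project, even briefly, would break service projects attached to it.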
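Review bot: in the modules/vpc/versions.tf hunk the `provider_meta "google-beta"` block is removed while `google-beta` stays in `required_providers` at `>= 6.19, < 7`. If no resource in the vpc submodule still selects google-beta (the main.tf hunk removes the last visible use), drop it from `required_providers` and from `providerVersions` in modules/vpc/metadata.yaml too; if a resource still uses it, keep the provider_meta block so module attribution is not lost for those resources. Raising the google floor from `>= 4.64` to `>= 6.19` is breaking for consumers pinned below it and belongs in the upgrade notes for the `~> 11.0` release the README hunks now reference; `module_name` here still reads `vpc/v10.0.0` and metadata.yaml still says `version: 10.0.0`, which is fine if release tooling bumps them but worth checking.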
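Review bot: in the global_firewall_policy_test.go hunk, the last assertion message reads `Rule3 should have the correct layer4Configs.ports count` but the check is on `rule200`; rename it to Rule200 so a failure points at the right rule. `assert.Equal( "0.0.0.0/0", ...)` carries an extra space after the parenthesis that gofmt would flag. The new block only asserts the port count for the mirroring rule; asserting the port value too would catch a mis-rendered `ports` list in the example, since a mirroring rule matching `0.0.0.0/0` is exactly the kind of rule whose scope should be pinned down by the test.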
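Review bot: in the hierarchical_firewall_policy_test.go hunk, `fwp.DefaultVerify(assert)` is now really commented out, which removes the post-apply plan-is-empty check for the whole hierarchical-firewall-policy example, not only for the `rule_tuple_count` and `src_networks` attributes the comment names. Prefer handling the permadiff where it originates (an `ignore_changes` on the affected attributes in the module, or a tracked provider issue referenced in the comment) so the idempotency check stays on; at minimum link the issue so the skip has an owner and an exit condition.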
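Review bot: in the test/setup/iam.tf hunks, converting `google_organization_iam_member.organization` to `for_each` changes its address to `google_organization_iam_member.organization["roles/compute.orgFirewallPolicyAdmin"]`, and the separate `org_permission` binding for `roles/compute.orgSecurityResourceAdmin` is deleted in the following hunk. Without `moved` blocks (available at the `>= 1.3` floor this PR sets) apply will destroy and recreate both org-level bindings, briefly stripping the CI service account of them. The comment above the resource still justifies only `roles/compute.orgFirewallPolicyAdmin` via b/265054739; add why `roles/networksecurity.securityProfileAdmin` also needs organization scope (security profiles are organization-level resources) so each org-wide grant to the test account is documented.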