From ab2b88f585796532c9ec198b5acf3e8abe00391e Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 10 Apr 2025 06:01:23 +0000 Subject: [PATCH 01/10] added packet mirroring firewall policy rule support --- docs/upgrading_to_v11.0.0.md | 5 + .../global-network-firewall-policy/README.md | 3 +- .../global-network-firewall-policy/main.tf | 78 ++++++- .../variables.tf | 4 + metadata.yaml | 37 ++-- modules/fabric-net-firewall/metadata.yaml | 13 ++ modules/fabric-net-svpc-access/metadata.yaml | 13 ++ modules/firewall-rules/metadata.yaml | 13 ++ .../hierarchical-firewall-policy/README.md | 4 +- .../metadata.yaml | 13 ++ .../network-connectivity-center/metadata.yaml | 195 ++++++++++++++++++ modules/network-firewall-policy/README.md | 14 +- modules/network-firewall-policy/main.tf | 45 +++- modules/network-firewall-policy/metadata.yaml | 16 ++ modules/network-firewall-policy/outputs.tf | 4 +- modules/network-firewall-policy/variables.tf | 6 +- modules/network-firewall-policy/versions.tf | 6 +- modules/network-peering/metadata.yaml | 13 ++ modules/private-service-connect/metadata.yaml | 17 ++ modules/routes-beta/metadata.yaml | 13 ++ modules/routes/metadata.yaml | 13 ++ modules/subnets-beta/metadata.yaml | 13 ++ modules/subnets/metadata.yaml | 13 ++ .../metadata.yaml | 13 ++ modules/vpc/metadata.yaml | 21 ++ .../global_firewall_policy_test.go | 12 +- test/setup/iam.tf | 16 +- test/setup/main.tf | 2 +- 28 files changed, 574 insertions(+), 41 deletions(-) create mode 100644 docs/upgrading_to_v11.0.0.md create mode 100644 modules/network-connectivity-center/metadata.yaml diff --git a/docs/upgrading_to_v11.0.0.md b/docs/upgrading_to_v11.0.0.md new file mode 100644 index 000000000..607c0d12d --- /dev/null +++ b/docs/upgrading_to_v11.0.0.md 
@@ -0,0 +1,5 @@ +# Upgrading to v11.0.0 + +The v11.0 release contains backwards-incompatible changes. + +This update requires upgrading the minimum provider version of `hashicorp/google` to `6.28` and `hashicorp/google-beta` to `6.28` for network-firewall-policy sub-module. diff --git a/examples/global-network-firewall-policy/README.md b/examples/global-network-firewall-policy/README.md index 70edc8690..0229ecc78 100644 --- a/examples/global-network-firewall-policy/README.md +++ b/examples/global-network-firewall-policy/README.md @@ -1,12 +1,13 @@ # Network Firewall Policy Rule -This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. +This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. It also creates a packet mirroring rule. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| org\_id | The project ID to host the network in | `any` | n/a | yes | | project\_id | The project ID to host the network in | `any` | n/a | yes | ## Outputs diff --git a/examples/global-network-firewall-policy/main.tf b/examples/global-network-firewall-policy/main.tf index 4ac4a8390..0dc57e9ef 100644 --- a/examples/global-network-firewall-policy/main.tf +++ b/examples/global-network-firewall-policy/main.tf 
@@ -74,9 +74,62 @@ resource "google_service_account" "service_account" { display_name = "${local.prefix} firewall policy test service account" } +################################ +# VPC Spoke # +################################ +module "vpc" { + source = "terraform-google-modules/network/google//modules/vpc" + version = "~> 10.0" + + project_id = var.project_id + network_name = "global-sec-policy-test-vpc" + + # shared_vpc_host = false +} + +resource "google_network_security_mirroring_deployment_group" "mirroring_deployment_group" { + project = var.project_id + mirroring_deployment_group_id = "${local.prefix}-mirroring-dg" + location = "global" + description = "suricata mirroring deployment group" + network = module.vpc.network_id +} + +resource "google_network_security_mirroring_endpoint_group" "mirroring_endpoint_group" { + provider = google-beta + project = var.project_id + mirroring_endpoint_group_id = "${local.prefix}-mirroring-eg" + location = "global" + description = "suricata mirroring endpoint group" + mirroring_deployment_group = google_network_security_mirroring_deployment_group.mirroring_deployment_group.id +} + + +resource "google_network_security_security_profile" "security_profile" { + provider = google-beta + name = "${local.prefix}-security-profile" + parent = "organizations/${var.org_id}" + description = "Security profile description" + type = "CUSTOM_MIRRORING" + + custom_mirroring_profile { + mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.mirroring_endpoint_group.id + } +} + +resource "google_network_security_security_profile_group" "security_profile_group" { + provider = google-beta + name = "${local.prefix}-sec-profile-group" + parent = "organizations/${var.org_id}" + description = "Security profile group" + custom_mirroring_profile = google_network_security_security_profile.security_profile.id +} + + + module "firewal_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - 
version = "~> 10.0" + version = "~> 11.0" project_id = var.project_id policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}" @@ -205,6 +258,27 @@ module "firewal_policy" { ] } }, + { + is_mirroring = true + priority = "200" + direction = "EGRESS" + action = "mirror" + rule_name = "egress-200" + disabled = false + description = "test egress mirroring rule 200" + target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"] + match = { + src_ip_ranges = ["0.0.0.0/0"] + dest_ip_ranges = ["0.0.0.0/0"] + layer4_configs = [ + { + ip_protocol = "tcp" + ports = ["80"] + } + ] + } + security_profile_group_id = google_network_security_security_profile_group.security_profile_group.id + }, ] @@ -216,7 +290,7 @@ module "firewal_policy" { module "firewal_policy_no_rule" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" project_id = var.project_id policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}" description = "${local.prefix} test firewall policy without any rules" diff --git a/examples/global-network-firewall-policy/variables.tf b/examples/global-network-firewall-policy/variables.tf index 77bb4303f..1d04a2f76 100644 --- a/examples/global-network-firewall-policy/variables.tf +++ b/examples/global-network-firewall-policy/variables.tf @@ -17,3 +17,7 @@ variable "project_id" { description = "The project ID to host the network in" } + +variable "org_id" { + description = "The project ID to host the network in" +} diff --git a/metadata.yaml b/metadata.yaml index 5c0db5e2f..340279578 100644 --- a/metadata.yaml +++ b/metadata.yaml 
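Review bot: In the @@ -74 hunk of examples/global-network-firewall-policy/main.tf the new `module "vpc"` is pinned to `version = "~> 10.0"` while both firewall-policy module calls in the same file move to `~> 11.0`, so the example consumes two different released majors of this repository; `version = "~> 11.0"` keeps them aligned. The commented-out `# shared_vpc_host = false` inside that module call is dead text and should be dropped. `google_network_security_mirroring_deployment_group` is the only new resource in this hunk without `provider = google-beta`, unlike the endpoint group, security profile and profile group that follow it; if that is deliberate because the resource is GA, a one-line comment saying so would stop the next reader from "fixing" it. This hunk starts on the previous physical line.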
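Review bot: The mirroring rule added in the @@ -205 hunk scopes itself with `target_service_accounts = ["fw-test-svc-acct@..."]`, but the module's new packet-mirroring resource in this patch forwards `target_secure_tags` only, so as written the rule mirrors all egress TCP/80 traffic matching `0.0.0.0/0` for the whole VPC rather than for that service account, with no plan-time signal. Until the module either forwards or rejects that field, the example should scope the rule with the tag value it already creates, e.g. `target_secure_tags = [<tag value id defined earlier in this example>]`, so the sample does not demonstrate a broader capture than it appears to.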
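Review bot: The new `variable "org_id"` in examples/global-network-firewall-policy/variables.tf carries the description copied from `project_id`, `The project ID to host the network in`, although it is interpolated as `organizations/${var.org_id}` for the security profile and profile group, and it declares no type. Suggest `description = "The organization ID under which the mirroring security profile and profile group are created"` and `type = string`; the README row for `org_id` added in this patch inherits the same wrong text and will correct itself when the docs are regenerated.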
@@ -1,17 +1,3 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: @@ -39,6 +25,8 @@ spec: location: modules/firewall-rules - name: hierarchical-firewall-policy location: modules/hierarchical-firewall-policy + - name: network-connectivity-center + location: modules/network-connectivity-center - name: network-firewall-policy location: modules/network-firewall-policy - name: network-peering @@ -84,6 +72,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -228,6 +218,14 @@ spec: description: The name of the network being created varType: string required: true + - name: network_profile + description: | + "A full or partial URL of the network profile to apply to this network. + This field can be set only at resource creation time. For example, the + following are valid URLs: + * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} + * projects/{projectId}/global/networkProfiles/{network_profile_name} + varType: string - name: project_id description: The ID of the project where this VPC will be created varType: string 
@@ -305,6 +303,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -314,6 +313,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -321,4 +324,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/fabric-net-firewall/metadata.yaml b/modules/fabric-net-firewall/metadata.yaml index a8e53aa87..278a2d628 100644 --- a/modules/fabric-net-firewall/metadata.yaml +++ b/modules/fabric-net-firewall/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -190,6 +192,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -199,6 +202,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com 
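Review bot: The `requirements.roles` hunks in metadata.yaml add `roles/compute.instanceAdmin`, `roles/networkconnectivity.hubAdmin` and the three `roles/networksecurity.*Admin` roles, and the same additions are repeated in every submodule's metadata shown here (fabric-net-firewall, fabric-net-svpc-access, firewall-rules, hierarchical-firewall-policy, network-connectivity-center, network-firewall-policy) and, judging by the 13-line diffstat entries, in routes, subnets, vpc and the others too, including modules that create no instances, hubs or mirroring resources. If these files are generated from the shared test setup that is expected, but anyone provisioning a single module from its metadata will grant more than the module needs; consider trimming the shared list, or a comment in the generator input stating that the role list covers the whole example suite rather than the individual module. The root file also drops its Apache license header in the @@ -1,17 hunk while the new network-connectivity-center metadata keeps one; the two should agree. In the @@ -228 hunk the `network_profile` description opens with a `"` that is never closed, which ends up verbatim in the rendered text.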
@@ -206,4 +213,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/fabric-net-svpc-access/metadata.yaml b/modules/fabric-net-svpc-access/metadata.yaml index a2d18191d..f1df16dee 100644 --- a/modules/fabric-net-svpc-access/metadata.yaml +++ b/modules/fabric-net-svpc-access/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -123,6 +125,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -132,6 +135,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -139,4 +146,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/firewall-rules/metadata.yaml b/modules/firewall-rules/metadata.yaml index a27d4282e..d13b7f4f0 100644 --- a/modules/firewall-rules/metadata.yaml +++ b/modules/firewall-rules/metadata.yaml 
@@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -189,6 +191,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -198,6 +201,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -205,4 +212,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/hierarchical-firewall-policy/README.md b/modules/hierarchical-firewall-policy/README.md index 32eb4e5f4..500f078e2 100644 --- a/modules/hierarchical-firewall-policy/README.md +++ b/modules/hierarchical-firewall-policy/README.md @@ -9,7 +9,7 @@ Variable `rules` details are available [here](#firwall-policy-rules-format). Hig ``` module "hierarchical_firewall_policy" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 9.0" + version = "~> 11.0" parent_node = "folders/123456789012" policy_name = "test-policy" 
@@ -31,7 +31,7 @@ There are examples included for [hierarchical firewall policy](../../examples/hi ```hcl module "firewal_policy" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" parent_node = "folders/123456789012" policy_name = "test-policy" diff --git a/modules/hierarchical-firewall-policy/metadata.yaml b/modules/hierarchical-firewall-policy/metadata.yaml index 06d47aaa3..3330a0ef3 100644 --- a/modules/hierarchical-firewall-policy/metadata.yaml +++ b/modules/hierarchical-firewall-policy/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -148,6 +150,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -157,6 +160,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -164,4 +171,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/network-connectivity-center/metadata.yaml b/modules/network-connectivity-center/metadata.yaml new file mode 100644 index 000000000..b28a9c54a --- /dev/null +++ b/modules/network-connectivity-center/metadata.yaml 
@@ -0,0 +1,195 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-network-network-connectivity-center + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Network Connectivity Center Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/network-connectivity-center + version: 10.0.0 + actuationTool: + flavor: Terraform + version: ">= 1.3.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: 
ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: export_psc + description: Whether Private Service Connect transitivity is enabled for the hub + varType: bool + defaultValue: false + - name: hybrid_spokes + description: VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. 
+ varType: |- + map(object({ + location = string + uris = set(string) + site_to_site_data_transfer = optional(bool, false) + type = string + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + - name: ncc_hub_description + description: The description of the NCC Hub + varType: string + - name: ncc_hub_labels + description: These labels will be added the NCC hub + varType: map(string) + defaultValue: {} + - name: ncc_hub_name + description: The Name of the NCC Hub + varType: string + required: true + - name: project_id + description: Project ID of the project that holds the network. + varType: string + required: true + - name: router_appliance_spokes + description: Router appliance instances that are associated with the spoke. + varType: |- + map(object({ + instances = set(object({ + virtual_machine = string + ip_address = string + })) + location = string + site_to_site_data_transfer = optional(bool, false) + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + - name: spoke_labels + description: These labels will be added to all NCC spokes + varType: map(string) + defaultValue: {} + - name: vpc_spokes + description: VPC network that is associated with the spoke + varType: |- + map(object({ + uri = string + exclude_export_ranges = optional(set(string), []) + include_export_ranges = optional(set(string), []) + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + outputs: + - name: hybrid_spokes + description: All hybrid spoke objects + - name: ncc_hub + description: The NCC Hub object + - name: router_appliance_spokes + description: All router appliance spoke objects + - name: spokes + description: All spoke objects prefixed with the type of spoke (vpc, hybrid, appliance) + - name: vpc_spokes + description: All vpc spoke objects + requirements: + roles: + - level: Project + roles: + - roles/compute.instanceAdmin + - roles/compute.networkAdmin + - 
roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - networkconnectivity.googleapis.com + - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/network-firewall-policy/README.md b/modules/network-firewall-policy/README.md index d0ee545dc..10fbf6f01 100644 --- a/modules/network-firewall-policy/README.md +++ b/modules/network-firewall-policy/README.md @@ -9,7 +9,7 @@ Variable `rules` details are available [here](#firwall-policy-rules-format). Hig ``` module "network_firewall_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + version = "~> 11.0" project_id = var.project_id policy_name = "my-firewall-policy" description = "Test firewall policy" @@ -29,7 +29,7 @@ There are examples included for [global](https://github.com/terraform-google-mod ```hcl module "network_firewall_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + version = "~> 11.0" project_id = var.project_id policy_name = "my-firewall-policy" description = "Test firewall policy" 
@@ -135,7 +135,7 @@ module "network_firewall_policy" { | policy\_name | User-provided name of the Network firewall policy | `string` | n/a | yes | | policy\_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | `string` | `null` | no | | project\_id | Project ID of the Network firewall policy | `string` | n/a | yes | -| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
}))
| `[]` | no | +| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
is_mirroring = optional(bool, false)
tls_inspect = optional(bool, false)
security_profile_group_id = optional(string)
}))
| `[]` | no | | target\_vpcs | List of target VPC IDs that the firewall policy will be attached to | `list(string)` | `[]` | no | ## Outputs 
@@ -150,15 +150,18 @@ module "network_firewall_policy" { ## Firwall Policy Rules Format -In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-policies-rule-details), you specify a set of components that define what the rule does. Some of the values are optional and some have default value. See [Inputs](#Inputs). For sample code check [global](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/global-network-firewall-policy) and [regional](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/regional-network-firewall-policy) in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/) folder. +In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-policies-rule-details), you specify a set of components that define what the rule does. Some of the values are optional and some have default value. See [Inputs](#Inputs). For sample code check [global](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/global-network-firewall-policy) and [regional](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/regional-network-firewall-policy) in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/) folders. [Global](https://github.com/terraform-google-modules/terraform-google-network/tree/master/examples/global-network-firewall-policy) folder also contains example for `Out-of-band Network Security Integration` firewall rule. - `priority`: An integer indicating the priority of a rule in the list. The `priority` must be a positive value between 0 and 2147483647 and It has to be unique for every rule. +- `action`: The Action to perform when the client connection triggers the rule. 
Valid actions are "allow", "deny", "goto_next", "apply_security_profile_group", "mirror", "do_not_mirror" and "goto_next". "mirror" and "do_not_mirror" can be used only if is_mirroring is set to true. - `dest_fqdns`, `dest_region_codes`, `dest_threat_intelligences` and `dest_address_groups` values are not needed and ignored by the this for `INGRESS` policies. - `src_fqdns`, `src_region_codes`, `src_threat_intelligences` and `src_address_groups` values are not needed and ignored by this module for `EGRESS` policies. - `target_secure_tags` may not be set at the same time as `target_service_accounts`. When both `target_service_accounts` and `target_secure_tags` are provided, this module will generate an error message. - `layer4_configs` is a list of maps. - `ip_protocol`: IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (`tcp`, `udp`, `icmp`, `esp`, `ah`, `ipip`, `sctp`), or the IP protocol number. - `ports`: An optional list of ports to which this rule applies. Field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. +- `tls_inspect`: Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions +- `is_mirroring`: Boolean flag indicating packet mirroring rule. ### Format @@ -191,6 +194,9 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli }, ] } + is_mirroring = false + tls_inspect = null + security_profile_group_id = null } ``` diff --git a/modules/network-firewall-policy/main.tf b/modules/network-firewall-policy/main.tf index 947f7d962..01d883a7e 100644 --- a/modules/network-firewall-policy/main.tf +++ b/modules/network-firewall-policy/main.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -39,7 +39,7 @@ resource "google_compute_network_firewall_policy_association" "vpc_associations" resource "google_compute_network_firewall_policy_rule" "rules" { provider = google-beta - for_each = local.global ? { for x in var.rules : x.priority => x } : {} + for_each = local.global ? { for x in var.rules : x.priority => x if x.is_mirroring == false } : {} priority = each.key project = var.project_id action = each.value.action @@ -65,7 +65,7 @@ resource "google_compute_network_firewall_policy_rule" "rules" { src_region_codes = each.value.direction == "INGRESS" ? lookup(each.value.match, "src_region_codes", []) : [] src_threat_intelligences = each.value.direction == "INGRESS" ? lookup(each.value.match, "src_threat_intelligences", []) : [] src_address_groups = each.value.direction == "INGRESS" ? lookup(each.value.match, "src_address_groups", []) : [] - dest_ip_ranges = lookup(each.value.match, "dest_ip_ranges", []) # == null ? [] : lookup(each.value.match, "dest_ip_ranges", []) + dest_ip_ranges = lookup(each.value.match, "dest_ip_ranges", []) dest_fqdns = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_fqdns", []) : [] dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] 
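Review bot: The `for_each` filter `if x.is_mirroring == false` in the @@ -39 hunk of modules/network-firewall-policy/main.tf only excludes mirroring rules from the global rule resource; nothing in this patch shows the regional `google_compute_region_network_firewall_policy_rule` (outside the hunk) receiving a matching filter, so a rule with `is_mirroring = true` in a regional policy would, as far as this diff shows, be handed to the regular rule resource with `action = "mirror"`, or be silently dropped if that resource is filtered too. Since the mirroring resource added below is global-only, a lifecycle precondition on the regional rule resource that rejects `is_mirroring = true` when `policy_region` is set would make the limitation explicit at plan time. The comparison itself reads more idiomatically as `if !x.is_mirroring`, which is safe because the rules object type defaults `is_mirroring` to `false`.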
@@ -90,6 +90,45 @@ resource "google_compute_network_firewall_policy_rule" "rules" { } +# Mirroring rules + +resource "google_compute_network_firewall_policy_packet_mirroring_rule" "rules" { + provider = google-beta + + for_each = local.global ? { for x in var.rules : x.priority => x if x.is_mirroring == true } : {} + priority = each.key + project = var.project_id + action = each.value.action + description = each.value.description + direction = each.value.direction + disabled = each.value.disabled + firewall_policy = google_compute_network_firewall_policy.fw_policy[0].name + rule_name = each.value.rule_name + tls_inspect = lookup(each.value, "tls_inspect", null) + security_profile_group = "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" + + dynamic "target_secure_tags" { + for_each = each.value.target_secure_tags == null ? [] : toset(each.value.target_secure_tags) + content { + name = target_secure_tags.value + } + } + + match { + src_ip_ranges = lookup(each.value.match, "src_ip_ranges", []) + dest_ip_ranges = lookup(each.value.match, "dest_ip_ranges", []) + + dynamic "layer4_configs" { + for_each = each.value.match.layer4_configs + content { + ip_protocol = layer4_configs.value.ip_protocol + ports = layer4_configs.value.ports + } + } + + } + +} ########## Regional ########## diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml index f2268b7d6..9e6fc5ee1 100644 --- a/modules/network-firewall-policy/metadata.yaml +++ b/modules/network-firewall-policy/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring 
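Review bot: `security_profile_group = "//networksecurity.googleapis.com/${each.value.security_profile_group_id}"` interpolates an attribute the variable schema declares as `optional(string)` with no default, so a mirroring rule that omits it (for instance a `do_not_mirror` rule, which needs no profile) fails at plan time with a null-interpolation error instead of a clear message. Guard it, `security_profile_group = each.value.security_profile_group_id == null ? null : "//networksecurity.googleapis.com/${each.value.security_profile_group_id}"`, or add a `validation` on `var.rules` that requires the id whenever `action == "mirror"`. `tls_inspect = lookup(each.value, "tls_inspect", null)` can never yield null because the schema defaults the attribute to `false`, while the README's format example shows `tls_inspect = null` and says TLS inspection may only be set for `mirror` rules, so one default should be chosen and documented. Rules with `is_mirroring = true` are only materialised when `local.global` is true; if the regional rule resource (outside this hunk) filters them out the same way, a regional mirroring rule is dropped silently and deserves an explicit validation or at least a comment saying so. The `if x.is_mirroring == false` / `== true` filters here and in the preceding hunk read more idiomatically as `if !x.is_mirroring` / `if x.is_mirroring`.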
@@ -132,6 +134,9 @@ spec: ports = optional(list(string), []) })), [{}]) }) + is_mirroring = optional(bool, false) + tls_inspect = optional(bool, false) + security_profile_group_id = optional(string) })) defaultValue: [] - name: target_vpcs @@ -149,6 +154,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -158,6 +164,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -165,4 +175,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/network-firewall-policy/outputs.tf b/modules/network-firewall-policy/outputs.tf index c3d2a44f6..90fdfe36e 100644 --- a/modules/network-firewall-policy/outputs.tf +++ b/modules/network-firewall-policy/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,6 +25,6 @@ output "vpc_associations" { } output "rules" { - value = merge(google_compute_network_firewall_policy_rule.rules, google_compute_region_network_firewall_policy_rule.rules) + value = merge(google_compute_network_firewall_policy_rule.rules, google_compute_region_network_firewall_policy_rule.rules, google_compute_network_firewall_policy_packet_mirroring_rule.rules) description = "Firewall policy rules created" } 
diff --git a/modules/network-firewall-policy/variables.tf b/modules/network-firewall-policy/variables.tf index ca74e7536..4cedecd8a 100644 --- a/modules/network-firewall-policy/variables.tf +++ b/modules/network-firewall-policy/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -75,6 +75,9 @@ variable "rules" { ports = optional(list(string), []) })), [{}]) }) + is_mirroring = optional(bool, false) + tls_inspect = optional(bool, false) + security_profile_group_id = optional(string) })) default = [] validation { @@ -83,5 +86,4 @@ variable "rules" { ) error_message = "target_secure_tags may not be set at the same time as target_service_accounts" } - } diff --git a/modules/network-firewall-policy/versions.tf b/modules/network-firewall-policy/versions.tf index f40413f23..ed6de4a25 100644 --- a/modules/network-firewall-policy/versions.tf +++ b/modules/network-firewall-policy/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.64, < 7" + version = ">= 6.28, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.64, < 7" + version = ">= 6.28, < 7" } } diff --git a/modules/network-peering/metadata.yaml b/modules/network-peering/metadata.yaml index 040fe459f..4e551b09b 100644 --- a/modules/network-peering/metadata.yaml +++ b/modules/network-peering/metadata.yaml 
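Review bot: The provider floor moves to `>= 6.28, < 7` in versions.tf, but `modules/network-firewall-policy/metadata.yaml` in this same patch still records `providerVersions` of `>= 4.64, < 7` for both providers. The metadata should be regenerated after the version bump so consumers reading it are not told an older provider suffices for the packet-mirroring resource. The variables.tf hunk also removes only a trailing blank line inside `variable "rules"`, which is fine, but the block's `validation` still checks only the tag/service-account conflict and says nothing about the new `is_mirroring`/`security_profile_group_id` combination.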
@@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -135,6 +137,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -144,6 +147,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -151,4 +158,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/private-service-connect/metadata.yaml b/modules/private-service-connect/metadata.yaml index cc2957fc7..a70625b8e 100644 --- a/modules/private-service-connect/metadata.yaml +++ b/modules/private-service-connect/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring 
@@ -116,6 +118,10 @@ spec: description: Project ID for Private Service Connect. varType: string required: true + - name: psc_global_access + description: This is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region. Defaults to `false` + varType: bool + defaultValue: false - name: service_directory_namespace description: Service Directory namespace to register the forwarding rule under. varType: string @@ -143,6 +149,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -152,6 +159,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -159,4 +170,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/routes-beta/metadata.yaml b/modules/routes-beta/metadata.yaml index f2d39037e..4d80795ad 100644 --- a/modules/routes-beta/metadata.yaml +++ b/modules/routes-beta/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -115,6 +117,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser 
@@ -124,6 +127,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -131,4 +138,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/routes/metadata.yaml b/modules/routes/metadata.yaml index 2ddd942d9..46784e718 100644 --- a/modules/routes/metadata.yaml +++ b/modules/routes/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -111,6 +113,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -120,6 +123,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com 
@@ -127,4 +134,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/subnets-beta/metadata.yaml b/modules/subnets-beta/metadata.yaml index 0ef20e99c..26dbf1e2d 100644 --- a/modules/subnets-beta/metadata.yaml +++ b/modules/subnets-beta/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -133,6 +135,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -142,6 +145,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -149,4 +156,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.64, < 7" + - source: hashicorp/google + version: ">= 4.64, < 7" diff --git a/modules/subnets/metadata.yaml b/modules/subnets/metadata.yaml index cbaa40d14..7ce5c8faf 100644 --- a/modules/subnets/metadata.yaml +++ b/modules/subnets/metadata.yaml 
@@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -129,6 +131,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser @@ -138,6 +141,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -145,4 +152,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/vpc-serverless-connector-beta/metadata.yaml b/modules/vpc-serverless-connector-beta/metadata.yaml index c0b0a2bb9..9a91598ec 100644 --- a/modules/vpc-serverless-connector-beta/metadata.yaml +++ b/modules/vpc-serverless-connector-beta/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -115,6 +117,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser 
@@ -124,6 +127,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -131,4 +138,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/modules/vpc/metadata.yaml b/modules/vpc/metadata.yaml index 11967825f..d0fce985e 100644 --- a/modules/vpc/metadata.yaml +++ b/modules/vpc/metadata.yaml @@ -58,6 +58,8 @@ spec: location: examples/ilb_routing - name: multi_vpc location: examples/multi_vpc + - name: network_connectivity_center + location: examples/network_connectivity_center - name: network_service_tiers location: examples/network_service_tiers - name: packet_mirroring @@ -118,6 +120,14 @@ spec: description: The name of the network being created varType: string required: true + - name: network_profile + description: | + "A full or partial URL of the network profile to apply to this network. + This field can be set only at resource creation time. For example, the + following are valid URLs: + * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} + * projects/{projectId}/global/networkProfiles/{network_profile_name} + varType: string - name: project_id description: The ID of the project where this VPC will be created varType: string @@ -145,6 +155,7 @@ spec: roles: - level: Project roles: + - roles/compute.instanceAdmin - roles/compute.networkAdmin - roles/compute.securityAdmin - roles/iam.serviceAccountUser 
@@ -154,6 +165,10 @@ spec: - roles/resourcemanager.tagAdmin - roles/iam.serviceAccountAdmin - roles/compute.orgFirewallPolicyAdmin + - roles/networkconnectivity.hubAdmin + - roles/networksecurity.mirroringDeploymentAdmin + - roles/networksecurity.mirroringEndpointAdmin + - roles/networksecurity.securityProfileAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com @@ -161,4 +176,10 @@ spec: - vpcaccess.googleapis.com - dns.googleapis.com - networksecurity.googleapis.com + - networkconnectivity.googleapis.com - iam.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.64, < 7" + - source: hashicorp/google-beta + version: ">= 4.64, < 7" diff --git a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go index fd9b0d5bb..6d075ccf0 100644 --- a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go +++ b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go 
@@ -136,6 +136,16 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) { targetServiceAccounts103 := sp103.Get("targetServiceAccounts").Array() assert.Equal(1, len(targetServiceAccounts103), "Rule3should have the correct targetServiceAccounts count") - }) + rule200 := gcloud.Runf(t, "beta compute network-firewall-policies mirroring-rules describe 200 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId) + sp104 := rule200.Array()[0] + assert.Equal("mirror", sp104.Get("action").String(), "Rule200 action should be mirror") + assert.Equal("egress-200", sp104.Get("ruleName").String(), "Rule200 ruleName should be egress-200") + assert.Equal("test egress mirroring rule 200", sp104.Get("description").String(), "Rule200 has expected description") + assert.Equal("EGRESS", sp104.Get("direction").String(), "Rule200 direction should be EGRESS") + assert.Equal( "0.0.0.0/0", sp104.Get("match.destIpRanges").Array()[0].String(), "has expected destIpRanges") + assert.Equal("tcp", sp104.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol") + layer4ConfigsPorts200 := sp104.Get("match.layer4Configs").Array()[0].Get("ports").Array() + assert.Equal(1, len(layer4ConfigsPorts200), "Rule3 should have the correct layer4Configs.ports count") + }) fwp.Test() } diff --git a/test/setup/iam.tf b/test/setup/iam.tf index b9f270c6e..b6bb66bff 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -27,6 +27,9 @@ locals { "roles/iam.serviceAccountAdmin", "roles/compute.orgFirewallPolicyAdmin", "roles/networkconnectivity.hubAdmin", + "roles/networksecurity.mirroringDeploymentAdmin", + "roles/networksecurity.mirroringEndpointAdmin", + "roles/networksecurity.securityProfileAdmin" ] } 
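Review bot: The last assertion's message `"Rule3 should have the correct layer4Configs.ports count"` was copied from the rule-3 block and should read `"Rule200 should have the correct layer4Configs.ports count"`, otherwise a failure is attributed to the wrong rule. The new block never checks the two properties that make this a mirroring rule rather than an ordinary one, `tlsInspect` and `securityProfileGroup`, so a regression that drops the profile reference would still pass; an assertion that `sp104.Get("securityProfileGroup").String()` ends with the expected group name would close that gap. `assert.Equal( "0.0.0.0/0", ...)` has a stray space after the parenthesis that gofmt would remove. The enclosing test function starts outside the hunk.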
@@ -52,8 +55,9 @@ resource "google_service_account_key" "int_test" { # b/265054739 resource "google_organization_iam_member" "organization" { + for_each = toset(["roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgSecurityResourceAdmin", "roles/networksecurity.securityProfileAdmin"]) org_id = var.org_id - role = "roles/compute.orgFirewallPolicyAdmin" + role = each.value member = "serviceAccount:${google_service_account.int_test.email}" } @@ -68,11 +72,11 @@ resource "google_folder_iam_member" "folder1" { # Roles needed on folders to create Attach firewall policies to the folders/org -resource "google_organization_iam_member" "org_permission" { - org_id = var.org_id - role = "roles/compute.orgSecurityResourceAdmin" - member = "serviceAccount:${google_service_account.int_test.email}" -} +# resource "google_organization_iam_member" "org_permission" { +# org_id = var.org_id +# role = "roles/compute.orgSecurityResourceAdmin" +# member = "serviceAccount:${google_service_account.int_test.email}" +# } resource "google_folder_iam_member" "folder2" { for_each = toset(["roles/compute.orgSecurityResourceAdmin", "roles/compute.orgFirewallPolicyUser"]) diff --git a/test/setup/main.tf b/test/setup/main.tf index a496440e1..ce15e77b1 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -38,7 +38,7 @@ resource "google_folder" "folder3" { module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = "ci-network" random_project_id = "true" From 101ff0d01e8b4068082c20fbf939c6be32047d9f Mon Sep 17 00:00:00 2001 
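Review bot: Converting `google_organization_iam_member.organization` from a single instance to `for_each` changes its state address, so an existing test-setup state will plan to destroy the old binding and create three new ones rather than adopt it; a `moved { from = google_organization_iam_member.organization to = google_organization_iam_member.organization["roles/compute.orgFirewallPolicyAdmin"] }` block keeps the grant continuous. The replaced `org_permission` resource is left commented out rather than deleted; its role is now in the `for_each` set, so the dead block should go (git history preserves it). `roles/networksecurity.securityProfileAdmin` is now granted to the integration-test service account at organisation scope, which is what organisation-level security profile groups require, but it widens that identity's reach and deserves a one-line comment naming the reason, alongside the existing `# b/265054739` reference.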
From: Imran Nayer Date: Thu, 10 Apr 2025 06:15:08 +0000 Subject: [PATCH 02/10] fixed lint --- docs/upgrading_to_v11.0.0.md | 4 +++- modules/fabric-net-firewall/versions.tf | 1 + modules/fabric-net-svpc-access/versions.tf | 2 +- modules/firewall-rules/versions.tf | 2 +- modules/hierarchical-firewall-policy/versions.tf | 2 +- modules/network-connectivity-center/versions.tf | 2 +- modules/network-firewall-policy/versions.tf | 2 +- modules/network-peering/versions.tf | 2 +- modules/private-service-connect/versions.tf | 2 +- modules/routes-beta/versions.tf | 2 +- modules/routes/versions.tf | 2 +- modules/subnets/versions.tf | 2 +- modules/vpc/main.tf | 4 +--- modules/vpc/outputs.tf | 2 +- modules/vpc/variables.tf | 2 +- modules/vpc/versions.tf | 11 ++--------- test/setup/iam.tf | 6 +++--- 17 files changed, 22 insertions(+), 28 deletions(-) diff --git a/docs/upgrading_to_v11.0.0.md b/docs/upgrading_to_v11.0.0.md index 607c0d12d..6deb1bc47 100644 --- a/docs/upgrading_to_v11.0.0.md +++ b/docs/upgrading_to_v11.0.0.md @@ -2,4 +2,6 @@ The v11.0 release contains backwards-incompatible changes. -This update requires upgrading the minimum provider version of `hashicorp/google` to `6.28` and `hashicorp/google-beta` to `6.28` for network-firewall-policy sub-module. +This update requires upgrading: +- minimum provider version of `hashicorp/google` to `6.28` and `hashicorp/google-beta` to `6.28` for network-firewall-policy sub-module. +- minimum provider version of `hashicorp/google` to `6.19` for vpc sub-module. diff --git a/modules/fabric-net-firewall/versions.tf b/modules/fabric-net-firewall/versions.tf index dc87fbba5..bd583457c 100644 --- a/modules/fabric-net-firewall/versions.tf +++ b/modules/fabric-net-firewall/versions.tf @@ -16,6 +16,7 @@ terraform { required_version = ">= 1.3" + required_providers { google = { source = "hashicorp/google" diff --git a/modules/fabric-net-svpc-access/versions.tf b/modules/fabric-net-svpc-access/versions.tf index 73afdf313..1bfe6b0a9 100644 
--- a/modules/fabric-net-svpc-access/versions.tf +++ b/modules/fabric-net-svpc-access/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/firewall-rules/versions.tf b/modules/firewall-rules/versions.tf index 9670feea8..5444854f3 100644 --- a/modules/firewall-rules/versions.tf +++ b/modules/firewall-rules/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/hierarchical-firewall-policy/versions.tf b/modules/hierarchical-firewall-policy/versions.tf index 33786a026..c3fa6ebc7 100644 --- a/modules/hierarchical-firewall-policy/versions.tf +++ b/modules/hierarchical-firewall-policy/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/network-connectivity-center/versions.tf b/modules/network-connectivity-center/versions.tf index 19364f7d3..eea3e6efd 100644 --- a/modules/network-connectivity-center/versions.tf +++ b/modules/network-connectivity-center/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/network-firewall-policy/versions.tf b/modules/network-firewall-policy/versions.tf index ed6de4a25..7b8fa90f6 100644 --- a/modules/network-firewall-policy/versions.tf +++ b/modules/network-firewall-policy/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/network-peering/versions.tf b/modules/network-peering/versions.tf index 59863b2de..e1f34745d 100644 --- a/modules/network-peering/versions.tf +++ b/modules/network-peering/versions.tf 
@@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/private-service-connect/versions.tf b/modules/private-service-connect/versions.tf index 5c0965d7f..7aca98f82 100644 --- a/modules/private-service-connect/versions.tf +++ b/modules/private-service-connect/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13" + required_version = ">= 1.3" required_providers { google = { source = "hashicorp/google" diff --git a/modules/routes-beta/versions.tf b/modules/routes-beta/versions.tf index c921c8150..bdb4f64f9 100644 --- a/modules/routes-beta/versions.tf +++ b/modules/routes-beta/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google-beta = { diff --git a/modules/routes/versions.tf b/modules/routes/versions.tf index 1c5dc7bf8..b4e680098 100644 --- a/modules/routes/versions.tf +++ b/modules/routes/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/subnets/versions.tf b/modules/subnets/versions.tf index 5eaee0676..e48fd7440 100644 --- a/modules/subnets/versions.tf +++ b/modules/subnets/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index 52721b2a4..477c6d20c 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -18,7 +18,6 @@ VPC configuration *****************************************/ resource "google_compute_network" "network" { - provider = google-beta name = var.network_name auto_create_subnetworks = var.auto_create_subnetworks routing_mode = var.routing_mode @@ -36,7 +35,6 @@ resource "google_compute_network" "network" { Shared VPC *****************************************/ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" { - provider = google-beta count = var.shared_vpc_host ? 1 : 0 project = var.project_id diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index 7ba11cba3..397ca4b70 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index e0755307e..1f2ff18da 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index bb6a94f4e..57846c8e7 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2019 Google LLC + * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -20,18 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.64, < 7" - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 6.13, < 7" + version = ">= 6.19, < 7" } } provider_meta "google" { module_name = "blueprints/terraform/terraform-google-network:vpc/v10.0.0" } - provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-network:vpc/v10.0.0" - } } diff --git a/test/setup/iam.tf b/test/setup/iam.tf index b6bb66bff..17b94008f 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -56,9 +56,9 @@ resource "google_service_account_key" "int_test" { resource "google_organization_iam_member" "organization" { for_each = toset(["roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgSecurityResourceAdmin", "roles/networksecurity.securityProfileAdmin"]) - org_id = var.org_id - role = each.value - member = "serviceAccount:${google_service_account.int_test.email}" + org_id = var.org_id + role = each.value + member = "serviceAccount:${google_service_account.int_test.email}" } From 6d772e81776280f7ccc6247dba2be3334faabea5 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 10 Apr 2025 06:17:31 +0000 Subject: [PATCH 03/10] fixed lint --- modules/fabric-net-firewall/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/fabric-net-firewall/versions.tf b/modules/fabric-net-firewall/versions.tf index bd583457c..4bbadfa82 100644 --- a/modules/fabric-net-firewall/versions.tf +++ b/modules/fabric-net-firewall/versions.tf @@ -16,7 +16,7 @@ terraform { required_version = ">= 1.3" - + required_providers { google = { source = "hashicorp/google" From 92b9c8b01e3f748112999b61b3d075880d26b035 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 10 Apr 2025 06:22:51 +0000 Subject: [PATCH 04/10] fixed lint --- metadata.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/metadata.yaml b/metadata.yaml index 340279578..ec4d4fbf9 100644 
--- a/metadata.yaml +++ b/metadata.yaml @@ -1,3 +1,17 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: From 92b5bb88182741cd7430d484dec269adc0bd51b2 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 10 Apr 2025 13:10:52 +0000 Subject: [PATCH 05/10] added support for src_networks, src_network_scope, dest_network_scope in hierarchical-firewall-policy --- docs/upgrading_to_v11.0.0.md | 1 + examples/hierarchical-firewall-policy/main.tf | 4 ++-- modules/hierarchical-firewall-policy/README.md | 2 +- modules/hierarchical-firewall-policy/main.tf | 3 +++ modules/hierarchical-firewall-policy/variables.tf | 3 +++ modules/hierarchical-firewall-policy/versions.tf | 4 ++-- .../hierarchical_firewall_policy_test.go | 4 ++-- 7 files changed, 14 insertions(+), 7 deletions(-) diff --git a/docs/upgrading_to_v11.0.0.md b/docs/upgrading_to_v11.0.0.md index 6deb1bc47..425e6a7b4 100644 --- a/docs/upgrading_to_v11.0.0.md +++ b/docs/upgrading_to_v11.0.0.md @@ -5,3 +5,4 @@ The v11.0 release contains backwards-incompatible changes. This update requires upgrading: - minimum provider version of `hashicorp/google` to `6.28` and `hashicorp/google-beta` to `6.28` for network-firewall-policy sub-module. - minimum provider version of `hashicorp/google` to `6.19` for vpc sub-module. +- minimum provider version of `hashicorp/google` to `6.18` for hierarchical-firewall-policy sub-module. 
diff --git a/examples/hierarchical-firewall-policy/main.tf b/examples/hierarchical-firewall-policy/main.tf index bf5338d1d..df564ec2f 100644 --- a/examples/hierarchical-firewall-policy/main.tf +++ b/examples/hierarchical-firewall-policy/main.tf @@ -43,7 +43,7 @@ resource "google_compute_network" "network_backup" { module "firewal_policy" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" parent_node = "folders/${var.folder1}" policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}" @@ -181,7 +181,7 @@ module "firewal_policy" { module "firewal_policy_no_rule" { source = "terraform-google-modules/network/google//modules/hierarchical-firewall-policy" - version = "~> 10.0" + version = "~> 11.0" parent_node = "folders/${var.folder1}" policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}" diff --git a/modules/hierarchical-firewall-policy/README.md b/modules/hierarchical-firewall-policy/README.md index 500f078e2..a08ad2ef0 100644 --- a/modules/hierarchical-firewall-policy/README.md +++ b/modules/hierarchical-firewall-policy/README.md @@ -167,7 +167,7 @@ module "firewal_policy" { | description | An optional description of this resource. Provide this property when you create the resource | `string` | `null` | no | | parent\_node | The parent of the firewall policy. Parent should be in format organizations/ or folders/ | `string` | n/a | yes | | policy\_name | User-provided name of the hierarchical firewall policy | `string` | n/a | yes | -| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_service_accounts = optional(list(string), [])
target_resources = optional(list(string), [])
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
}))
| `[]` | no | +| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_service_accounts = optional(list(string), [])
target_resources = optional(list(string), [])
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
src_networks = optional(list(string), [])
src_network_scope = optional(string)
dest_network_scope = optional(string)
})
}))
| `[]` | no | | target\_folders | List of target folders IDs that the firewall policy will be attached to | `list(string)` | `[]` | no | | target\_org | Target org id that the firewall policy will be attached to | `string` | `null` | no | diff --git a/modules/hierarchical-firewall-policy/main.tf b/modules/hierarchical-firewall-policy/main.tf index 8fbcca845..a4483b076 100644 --- a/modules/hierarchical-firewall-policy/main.tf +++ b/modules/hierarchical-firewall-policy/main.tf @@ -60,6 +60,9 @@ resource "google_compute_firewall_policy_rule" "rules" { dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] dest_address_groups = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_address_groups", []) : [] + src_networks = lookup(each.value.match, "src_networks", []) + src_network_scope = lookup(each.value.match, "src_network_scope", null) + dest_network_scope = lookup(each.value.match, "dest_network_scope", null) dynamic "layer4_configs" { for_each = each.value.match.layer4_configs diff --git a/modules/hierarchical-firewall-policy/variables.tf b/modules/hierarchical-firewall-policy/variables.tf index e63170c61..34fcb3cba 100644 --- a/modules/hierarchical-firewall-policy/variables.tf +++ b/modules/hierarchical-firewall-policy/variables.tf @@ -73,6 +73,9 @@ variable "rules" { ip_protocol = optional(string, "all") ports = optional(list(string), []) })), [{}]) + src_networks = optional(list(string), []) + src_network_scope = optional(string) + dest_network_scope = optional(string) }) })) default = [] diff --git a/modules/hierarchical-firewall-policy/versions.tf b/modules/hierarchical-firewall-policy/versions.tf index c3fa6ebc7..8457696c9 100644 --- a/modules/hierarchical-firewall-policy/versions.tf +++ b/modules/hierarchical-firewall-policy/versions.tf 
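Review bot: The three new match attributes in the hierarchical-firewall-policy main.tf hunk are passed through unconditionally, while the neighbouring `dest_*` attributes on the same lines are gated on `each.value.direction`, so a `dest_network_scope` set on an INGRESS rule is sent to the API as-is instead of being dropped the way `dest_region_codes` is. Passing `[]` for `src_networks` when no networks are given also looks like the source of the permadiff that the test change in this series works around; sending `null` instead avoids round-tripping an empty list. Something like `src_networks = each.value.direction == "INGRESS" && length(each.value.match.src_networks) > 0 ? each.value.match.src_networks : null`, with `src_network_scope` gated on INGRESS and `dest_network_scope` on EGRESS (assuming the scope attributes are direction-specific, as their naming suggests), keeps the block consistent with its neighbours. The same unconditional pass-through appears in both network-firewall-policy main.tf hunks later in the series. The enclosing resource block starts and ends outside the hunk.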
@@ -20,11 +20,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.64, < 7"
+ version = ">= 6.18, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.64, < 7"
+ version = ">= 6.18, < 7"
 }
 }
diff --git a/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go b/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go
index a30912f5d..64a1df4d9 100644
--- a/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go
+++ b/test/integration/hierarchical-firewall-policy/hierarchical_firewall_policy_test.go
@@ -27,8 +27,8 @@ func TestHierarchicalFirewallPolicy(t *testing.T) {
 fwp.DefineVerify( func(assert *assert.Assertions) {
- // Commenting Default Verify because the provider updates rule_tuple_count, results in a permadiff.
- fwp.DefaultVerify(assert)
+ // Commenting Default Verify because the provider updates rule_tuple_count, src_networks results in a permadiff.
+ // fwp.DefaultVerify(assert)
 projectId := fwp.GetStringOutput("project_id")
 policyName := fwp.GetStringOutput("fw_policy_name")
 policyId := fwp.GetStringOutput("fw_policy_id")
From af2baca050235f1c513619a6bd03eff9d46ec819 Mon Sep 17 00:00:00 2001
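Review bot: Commenting out `fwp.DefaultVerify(assert)` in the test hunk disables the post-apply plan (idempotence) check for the whole hierarchical firewall policy test, not just for the `src_networks` attribute, so any future permadiff in this module will pass unnoticed. If the drift comes from the module sending an empty list for `src_networks`, the fix belongs in main.tf (send `null` when no networks are given) and the verify call can stay; if it is a genuine provider-side diff, the comment should record where that is tracked, e.g. `// TODO(<PROVIDER_ISSUE_URL>): re-enable DefaultVerify once src_networks no longer perma-diffs`, so the check is not silently lost. The enclosing test function starts and ends outside the hunk.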
From: Imran Nayer Date: Thu, 10 Apr 2025 14:04:37 +0000 Subject: [PATCH 06/10] updated --- modules/fabric-net-svpc-access/README.md | 3 ++- modules/hierarchical-firewall-policy/README.md | 4 ++-- modules/network-connectivity-center/README.md | 2 +- modules/network-firewall-policy/README.md | 6 +++--- modules/network-firewall-policy/main.tf | 6 ++++++ modules/network-firewall-policy/variables.tf | 3 +++ modules/network-peering/README.md | 3 ++- modules/private-service-connect/README.md | 3 ++- modules/routes-beta/README.md | 2 +- modules/routes/README.md | 2 +- modules/subnets-beta/README.md | 2 +- modules/subnets-beta/versions.tf | 2 +- modules/subnets/README.md | 2 +- modules/vpc/README.md | 2 +- modules/vpc/versions.tf | 2 +- 15 files changed, 28 insertions(+), 16 deletions(-) diff --git a/modules/fabric-net-svpc-access/README.md b/modules/fabric-net-svpc-access/README.md index 6cc3c9032..02b9f8dcc 100644 --- a/modules/fabric-net-svpc-access/README.md +++ b/modules/fabric-net-svpc-access/README.md @@ -19,7 +19,8 @@ Basic usage of this module is as follows: ```hcl module "net-shared-vpc-access" { source = "terraform-google-modules/network/google//modules/fabric-net-svpc-access" - version = "~> 1.4.0" + version = "~> 11.0" + host_project_id = "my-host-project-id" service_project_num = 1 service_project_ids = ["my-service-project-id"] diff --git a/modules/hierarchical-firewall-policy/README.md b/modules/hierarchical-firewall-policy/README.md index a08ad2ef0..c137c19ee 100644 --- a/modules/hierarchical-firewall-policy/README.md +++ b/modules/hierarchical-firewall-policy/README.md 
@@ -232,8 +232,8 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli ## Requirements ### Installed Software - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 -- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.64 -- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.64 +- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 6.18 +- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 6.18 ### Configure a Service Account In order to execute this module you must have a Service Account with the following roles: diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md index 3b1e5b6bc..0d2253da9 100644 --- a/modules/network-connectivity-center/README.md +++ b/modules/network-connectivity-center/README.md @@ -9,7 +9,7 @@ Basic usage of this submodule is as follows: ```hcl module "ncc" { source = "terraform-google-modules/network/google//modules/network-connectivity-center" - version = "~> 9.0.0" + version = "~> 11.0" project_id = "" } diff --git a/modules/network-firewall-policy/README.md b/modules/network-firewall-policy/README.md index 10fbf6f01..8fb800bf0 100644 --- a/modules/network-firewall-policy/README.md +++ b/modules/network-firewall-policy/README.md @@ -135,7 +135,7 @@ module "network_firewall_policy" { | policy\_name | User-provided name of the Network firewall policy | `string` | n/a | yes | | policy\_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | `string` | `null` | no | | project\_id | Project ID of the Network firewall policy | `string` | n/a | yes | -| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
is_mirroring = optional(bool, false)
tls_inspect = optional(bool, false)
security_profile_group_id = optional(string)
}))
| `[]` | no | +| rules | List of Ingress/Egress rules |
list(object({
priority = number
direction = string
action = string
rule_name = optional(string)
disabled = optional(bool)
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
src_region_codes = optional(list(string), [])
src_secure_tags = optional(list(string), [])
src_threat_intelligences = optional(list(string), [])
src_address_groups = optional(list(string), [])
dest_ip_ranges = optional(list(string), [])
dest_fqdns = optional(list(string), [])
dest_region_codes = optional(list(string), [])
dest_threat_intelligences = optional(list(string), [])
dest_address_groups = optional(list(string), [])
layer4_configs = optional(list(object({
ip_protocol = optional(string, "all")
ports = optional(list(string), [])
})), [{}])
})
is_mirroring = optional(bool, false)
tls_inspect = optional(bool, false)
security_profile_group_id = optional(string)
src_networks = optional(list(string), [])
src_network_scope = optional(string)
dest_network_scope = optional(string)
}))
| `[]` | no | | target\_vpcs | List of target VPC IDs that the firewall policy will be attached to | `list(string)` | `[]` | no | ## Outputs @@ -203,8 +203,8 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli ## Requirements ### Installed Software - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 -- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.64 -- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.64 +- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 6.28 +- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 6.28 ### Configure a Service Account In order to execute this module you must have a Service Account with the following roles: diff --git a/modules/network-firewall-policy/main.tf b/modules/network-firewall-policy/main.tf index 01d883a7e..5b3229bd4 100644 --- a/modules/network-firewall-policy/main.tf +++ b/modules/network-firewall-policy/main.tf @@ -70,6 +70,9 @@ resource "google_compute_network_firewall_policy_rule" "rules" { dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] dest_address_groups = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_address_groups", []) : [] + src_networks = lookup(each.value.match, "src_networks", []) + src_network_scope = lookup(each.value.match, "src_network_scope", null) + dest_network_scope = lookup(each.value.match, "dest_network_scope", null) dynamic "src_secure_tags" { for_each = each.value.direction != "INGRESS" || each.value.match.src_secure_tags == null ? [] : toset(each.value.match.src_secure_tags) 
@@ -184,6 +187,9 @@ resource "google_compute_region_network_firewall_policy_rule" "rules" { dest_region_codes = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_region_codes", []) : [] dest_threat_intelligences = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_threat_intelligences", []) : [] dest_address_groups = each.value.direction == "EGRESS" ? lookup(each.value.match, "dest_address_groups", []) : [] + src_networks = lookup(each.value.match, "src_networks", []) + src_network_scope = lookup(each.value.match, "src_network_scope", null) + dest_network_scope = lookup(each.value.match, "dest_network_scope", null) dynamic "src_secure_tags" { for_each = each.value.direction != "INGRESS" || each.value.match.src_secure_tags == null ? [] : toset(each.value.match.src_secure_tags) diff --git a/modules/network-firewall-policy/variables.tf b/modules/network-firewall-policy/variables.tf index 4cedecd8a..94b54762a 100644 --- a/modules/network-firewall-policy/variables.tf +++ b/modules/network-firewall-policy/variables.tf @@ -78,6 +78,9 @@ variable "rules" { is_mirroring = optional(bool, false) tls_inspect = optional(bool, false) security_profile_group_id = optional(string) + src_networks = optional(list(string), []) + src_network_scope = optional(string) + dest_network_scope = optional(string) })) default = [] validation { diff --git a/modules/network-peering/README.md b/modules/network-peering/README.md index c3adad77a..d5a70c1f1 100644 --- a/modules/network-peering/README.md +++ b/modules/network-peering/README.md @@ -13,7 +13,8 @@ Basic usage of this module is as follows: ```hcl module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" + source = "terraform-google-modules/network/google//modules/network-peering" + version = "~> 11.0" prefix = "name-prefix" local_network = "" 
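Review bot: In the network-firewall-policy variables.tf hunk the new `src_networks`, `src_network_scope` and `dest_network_scope` attributes are declared at rule level (siblings of `is_mirroring` and `security_profile_group_id`, after the `match` object has been closed), but both main.tf hunks in this patch read them with `lookup(each.value.match, "src_networks", [])` and the two scope lookups. Since `match` is an object type that never carries those attributes, each lookup falls back to its default, so values a caller sets are silently ignored; the hierarchical-firewall-policy module in this same series declares them inside `match`, and the README type listing in this patch mirrors the mismatch. Move the three lines into the `match = object({ ... })` block (after `layer4_configs`) so the declaration and the lookups agree, then regenerate the README. The enclosing `variable "rules"` block starts and ends outside the hunk.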
diff --git a/modules/private-service-connect/README.md b/modules/private-service-connect/README.md index 009c307c3..1741b902f 100644 --- a/modules/private-service-connect/README.md +++ b/modules/private-service-connect/README.md @@ -16,7 +16,8 @@ Basic usage of this module is as follows: ```hcl module "private_service_connect" { - source = "terraform-google-modules/network/google//modules/private-service-connect" + source = "terraform-google-modules/network/google//modules/private-service-connect" + version = "~> 11.0" project_id = "" network_self_link = "" diff --git a/modules/routes-beta/README.md b/modules/routes-beta/README.md index 81b4cabc9..df9b52efb 100644 --- a/modules/routes-beta/README.md +++ b/modules/routes-beta/README.md @@ -18,7 +18,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/routes-beta" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/routes/README.md b/modules/routes/README.md index 376554ab7..3075c8243 100644 --- a/modules/routes/README.md +++ b/modules/routes/README.md @@ -14,7 +14,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/routes" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/subnets-beta/README.md b/modules/subnets-beta/README.md index 5a0617c1a..ee95a9f58 100644 --- a/modules/subnets-beta/README.md +++ b/modules/subnets-beta/README.md @@ -13,7 +13,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/subnets-beta" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/subnets-beta/versions.tf b/modules/subnets-beta/versions.tf index 9566e78c5..2a82b825e 100644 --- a/modules/subnets-beta/versions.tf 
+++ b/modules/subnets-beta/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google-beta = { diff --git a/modules/subnets/README.md b/modules/subnets/README.md index 7537ce729..cd39cc6f8 100644 --- a/modules/subnets/README.md +++ b/modules/subnets/README.md @@ -13,7 +13,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/subnets" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 17711c1b1..e39a3f5ed 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -14,7 +14,7 @@ Basic usage of this submodule is as follows: ```hcl module "vpc" { source = "terraform-google-modules/network/google//modules/vpc" - version = "~> 2.0.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index 57846c8e7..ac401d102 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google = { From 9ee07f3a7c720d634e79e61e95c4adbbd12182e4 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 10 Apr 2025 14:09:28 +0000 Subject: [PATCH 07/10] updated --- modules/fabric-net-svpc-access/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/fabric-net-svpc-access/README.md b/modules/fabric-net-svpc-access/README.md index 02b9f8dcc..0998bc0ea 100644 --- a/modules/fabric-net-svpc-access/README.md +++ b/modules/fabric-net-svpc-access/README.md 
@@ -20,7 +20,7 @@ Basic usage of this module is as follows: module "net-shared-vpc-access" { source = "terraform-google-modules/network/google//modules/fabric-net-svpc-access" version = "~> 11.0" - + host_project_id = "my-host-project-id" service_project_num = 1 service_project_ids = ["my-service-project-id"] From 3444cb20181d67315455bfc19df751a449d0fc1e Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 10 Apr 2025 20:44:06 +0000 Subject: [PATCH 08/10] updated --- README.md | 36 +++++++++---------- .../global-network-firewall-policy/README.md | 2 +- test/setup/iam.tf | 10 +----- test/setup/versions.tf | 2 +- 4 files changed, 20 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 6517a4859..79357fd0b 100644 --- a/README.md +++ b/README.md 
@@ -9,30 +9,34 @@ It supports creating: - Secondary ranges for the subnets (if applicable) - routes - firewall rules - -[Sub modules](./modules/) are provided for creating individual vpc, subnets, routes, firewall rules, and firewall policies. See the [modules](./modules/) directory for the various sub modules usage. -- [vpc](./modules/vpc/) -- [subnet](./modules/subnets/) -- [route](./modules/routes/) -- [firewall rules](./modules/firewall-rules/) -- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/) -- [network firewall policy](./modules/network-firewall-policy/) -- [serverless vpc access connector](./modules/vpc-serverless-connector-beta/) -- [hierarchical firewall policy](./modules/hierarchical-firewall-policy/) +- network firewall policy +- hierarchical firewall policy +- serverless vpc access connector +- network connectivity center + +[Sub modules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules) are provided for creating individual vpc, subnets, routes, firewall rules, network firewall policies, hierarchical firewall policy, serverless vpc access connector and network connectivity center. See the [modules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules) directory for the various sub modules usage. 
+- [vpc](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/vpc) +- [subnet](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/subnets/) +- [route](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/routes) +- [firewall rules](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/firewall-rules) +- [network firewall policy](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-firewall-policy) +- [hierarchical firewall policy](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/hierarchical-firewall-policy) +- [serverless vpc access connector](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/vpc-serverless-connector-beta) +- [network connectivity center](https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-connectivity-center) ## Compatibility -This module is meant for use with Terraform 1.3+ and tested using Terraform 1.4+. +This module is meant for use with Terraform 1.3+. If you find incompatibilities using Terraform `>=1.3`, please open an issue. ## Usage -You can go to the [examples](./examples/) folder, however the usage of the module could be like this in your own main.tf file: +Comprehensive examples are available in [examples](https://github.com/terraform-google-modules/terraform-google-network/tree/main/examples) folder. Simple usage: ```hcl module "vpc" { source = "terraform-google-modules/network/google" - version = "~> 10.0" + version = "~> 11.0" project_id = "" network_name = "example-vpc" 
@@ -191,9 +195,6 @@ The routes list contains maps, where each object represents a route. For the nex ## Requirements ### Installed Software - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 -- [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) >= 4.25 -- [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 4.25 -- [gcloud](https://cloud.google.com/sdk/gcloud/) >243.0.0 ### Configure a Service Account In order to execute this module you must have a Service Account with the following roles: @@ -214,6 +215,3 @@ In order to operate with the Service Account you must activate the following API Refer to the [contribution guidelines](./CONTRIBUTING.md) for information on contributing to this module. - -[terraform-0.13-upgrade]: https://www.terraform.io/upgrade-guides/0-13.html -[2.6.0]: https://registry.terraform.io/modules/terraform-google-modules/network/google/2.6.0 diff --git a/examples/global-network-firewall-policy/README.md b/examples/global-network-firewall-policy/README.md index 0229ecc78..02922c1c9 100644 --- a/examples/global-network-firewall-policy/README.md +++ b/examples/global-network-firewall-policy/README.md @@ -1,6 +1,6 @@ # Network Firewall Policy Rule -This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. It also creates a packet mirroring rule. +This example creates a VPC network, Service Account, tag, address group and 2 `global` network firewall policy. First policy will have a few rules and will be attached to a VPC network. Second policy will not be attached and any VPC and will not have any rules. It also creates a packet mirroring rule for out of band network service integration. ## Inputs 
diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 17b94008f..89d2390ec 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -51,7 +51,7 @@ resource "google_service_account_key" "int_test" { service_account_id = google_service_account.int_test.id } -# due to limitation we need to assign this role at org level otherwise TF throws an error. Issue is only happening when deployedusing APIs like in TF. Console works fine +# due to limitation we need to assign this role at org level otherwise TF throws an error. Issue is only happening when deployed using APIs like in TF. Console works fine # b/265054739 resource "google_organization_iam_member" "organization" { @@ -70,14 +70,6 @@ resource "google_folder_iam_member" "folder1" { member = "serviceAccount:${google_service_account.int_test.email}" } -# Roles needed on folders to create Attach firewall policies to the folders/org - -# resource "google_organization_iam_member" "org_permission" { -# org_id = var.org_id -# role = "roles/compute.orgSecurityResourceAdmin" -# member = "serviceAccount:${google_service_account.int_test.email}" -# } - resource "google_folder_iam_member" "folder2" { for_each = toset(["roles/compute.orgSecurityResourceAdmin", "roles/compute.orgFirewallPolicyUser"]) folder = google_folder.folder2.id diff --git a/test/setup/versions.tf b/test/setup/versions.tf index 1dfe4d0f3..92fd2a3e6 100644 --- a/test/setup/versions.tf +++ b/test/setup/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">=0.13.0" + required_version = ">= 1.3" required_providers { google = { From adf9faec3d0ba2a08dcfc124db3df9f852f4a8e2 Mon Sep 17 00:00:00 2001 
From: Imran Nayer Date: Fri, 18 Apr 2025 21:51:51 +0000 Subject: [PATCH 09/10] fixed minor issues --- modules/hierarchical-firewall-policy/metadata.yaml | 4 ++-- modules/network-connectivity-center/metadata.yaml | 4 ++-- modules/network-connectivity-center/versions.tf | 2 +- modules/network-firewall-policy/metadata.yaml | 4 ++-- modules/subnets/metadata.yaml | 2 +- modules/vpc/main.tf | 1 + modules/vpc/metadata.yaml | 6 +++--- modules/vpc/versions.tf | 4 ++++ 8 files changed, 16 insertions(+), 11 deletions(-) diff --git a/modules/hierarchical-firewall-policy/metadata.yaml b/modules/hierarchical-firewall-policy/metadata.yaml index 3330a0ef3..953187a75 100644 --- a/modules/hierarchical-firewall-policy/metadata.yaml +++ b/modules/hierarchical-firewall-policy/metadata.yaml @@ -175,6 +175,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 6.18, < 7" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 6.18, < 7" diff --git a/modules/network-connectivity-center/metadata.yaml b/modules/network-connectivity-center/metadata.yaml index b28a9c54a..7fc20bf67 100644 --- a/modules/network-connectivity-center/metadata.yaml +++ b/modules/network-connectivity-center/metadata.yaml @@ -190,6 +190,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 6.2, < 7" - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 6.2, < 7" diff --git a/modules/network-connectivity-center/versions.tf b/modules/network-connectivity-center/versions.tf index eea3e6efd..18a757ec3 100644 --- a/modules/network-connectivity-center/versions.tf +++ b/modules/network-connectivity-center/versions.tf @@ -20,7 +20,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 6.2.0, < 7" + version = ">= 6.2, < 7" } } 
diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml index 9e6fc5ee1..e604bc57d 100644 --- a/modules/network-firewall-policy/metadata.yaml +++ b/modules/network-firewall-policy/metadata.yaml @@ -179,6 +179,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 6.28, < 7" - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 6.28, < 7" diff --git a/modules/subnets/metadata.yaml b/modules/subnets/metadata.yaml index 7ce5c8faf..42d617c09 100644 --- a/modules/subnets/metadata.yaml +++ b/modules/subnets/metadata.yaml @@ -28,7 +28,7 @@ spec: version: 10.0.0 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index 477c6d20c..b66de5e42 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf @@ -18,6 +18,7 @@ VPC configuration *****************************************/ resource "google_compute_network" "network" { + provider = google-beta name = var.network_name auto_create_subnetworks = var.auto_create_subnetworks routing_mode = var.routing_mode diff --git a/modules/vpc/metadata.yaml b/modules/vpc/metadata.yaml index d0fce985e..3c9182ba5 100644 --- a/modules/vpc/metadata.yaml +++ b/modules/vpc/metadata.yaml @@ -28,7 +28,7 @@ spec: version: 10.0.0 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: @@ -180,6 +180,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 6.19, < 7" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 6.19, < 7" diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index ac401d102..2acefd507 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf 
@@ -22,6 +22,10 @@ terraform {
 source = "hashicorp/google"
 version = ">= 6.19, < 7"
 }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 6.19, < 7"
+ }
 }
 provider_meta "google" {
From 924c1b4f242a51e94a27369f66d302f1643f281f Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Fri, 18 Apr 2025 21:54:29 +0000
Subject: [PATCH 10/10] fixed minor issues
---
 modules/vpc/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
index b66de5e42..711a55bf9 100644
--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
@@ -18,7 +18,7 @@ VPC configuration *****************************************/
 resource "google_compute_network" "network" {
- provider = google-beta
+ provider = google-beta
 name = var.network_name
 auto_create_subnetworks = var.auto_create_subnetworks
 routing_mode = var.routing_mode
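Review bot: The `google-beta` requirement is restored in the vpc/versions.tf hunk without the matching `provider_meta "google-beta"` block that the earlier vpc/versions.tf hunk in this series removed together with it, so the `google_compute_network` resource that the preceding main.tf hunk puts back on `provider = google-beta` no longer carries the module attribution that the `google` provider keeps through `provider_meta "google"`. Re-adding the block next to the existing one, `provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-network:vpc/v10.0.0" }`, keeps both providers consistent; the module_name version string presumably tracks the release and should match whatever `provider_meta "google"` carries after the v11 bump. The enclosing `terraform` block starts and ends outside the hunk.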