feat: add ingress and egress firewall rules to main module (#485)

terraform-google-modules · Aug 9, 2023 · 663f1d8 · 663f1d8
1 parent a2d1d9b
commit 663f1d8
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -102,7 +102,9 @@ Then perform the following commands on the root folder:
 | auto\_create\_subnetworks | When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. | `bool` | `false` | no |
 | delete\_default\_internet\_gateway\_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | description | An optional description of this resource. The resource must be recreated to modify this field. | `string` | `""` | no |
-| firewall\_rules | List of firewall rules | `any` | `[]` | no |
+| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty | <pre>list(object({<br>    name                    = string<br>    description             = optional(string, null)<br>    priority                = optional(number, null)<br>    destination_ranges      = optional(list(string), [])<br>    source_ranges           = optional(list(string), [])<br>    source_tags             = optional(list(string))<br>    source_service_accounts = optional(list(string))<br>    target_tags             = optional(list(string))<br>    target_service_accounts = optional(list(string))<br><br>    allow = optional(list(object({<br>      protocol = string<br>      ports    = optional(list(string))<br>    })), [])<br>    deny = optional(list(object({<br>      protocol = string<br>      ports    = optional(list(string))<br>    })), [])<br>    log_config = optional(object({<br>      metadata = string<br>    }))<br>  }))</pre> | `[]` | no |
+| firewall\_rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of firewall rules | <pre>list(object({<br>    name                    = string<br>    description             = optional(string, null)<br>    direction               = optional(string, "INGRESS")<br>    priority                = optional(number, null)<br>    ranges                  = optional(list(string), [])<br>    source_tags             = optional(list(string))<br>    source_service_accounts = optional(list(string))<br>    target_tags             = optional(list(string))<br>    target_service_accounts = optional(list(string))<br><br>    allow = optional(list(object({<br>      protocol = string<br>      ports    = optional(list(string))<br>    })), [])<br>    deny = optional(list(object({<br>      protocol = string<br>      ports    = optional(list(string))<br>    })), [])<br>    log_config = optional(object({<br>      metadata = string<br>    }))<br>  }))</pre> | `[]` | no |
+| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty | <pre>list(object({<br>    name                    = string<br>    description             = optional(string, null)<br>    priority                = optional(number, null)<br>    destination_ranges      = optional(list(string), [])<br>    source_ranges           = optional(list(string), [])<br>    source_tags             = optional(list(string))<br>    source_service_accounts = optional(list(string))<br>    target_tags             = optional(list(string))<br>    target_service_accounts = optional(list(string))<br><br>    allow = optional(list(object({<br>      protocol = string<br>      ports    = optional(list(string))<br>    })), [])<br>    deny = optional(list(object({<br>      protocol = string<br>      ports    = optional(list(string))<br>    })), [])<br>    log_config = optional(object({<br>      metadata = string<br>    }))<br>  }))</pre> | `[]` | no |
 | mtu | The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively. | `number` | `0` | no |
 | network\_name | The name of the network being created | `string` | n/a | yes |
 | project\_id | The ID of the project where this VPC will be created | `string` | n/a | yes |

diff --git a/main.tf b/main.tf
@@ -74,8 +74,10 @@ locals {
 }
 
 module "firewall_rules" {
-  source       = "./modules/firewall-rules"
-  project_id   = var.project_id
-  network_name = module.vpc.network_name
-  rules        = local.rules
+  source        = "./modules/firewall-rules"
+  project_id    = var.project_id
+  network_name  = module.vpc.network_name
+  rules         = local.rules
+  ingress_rules = var.ingress_rules
+  egress_rules  = var.egress_rules
 }
diff --git a/variables.tf b/variables.tf
@@ -71,8 +71,30 @@ variable "routes" {
 }
 
 variable "firewall_rules" {
-  type        = any
-  description = "List of firewall rules"
+  type = list(object({
+    name                    = string
+    description             = optional(string, null)
+    direction               = optional(string, "INGRESS")
+    priority                = optional(number, null)
+    ranges                  = optional(list(string), [])
+    source_tags             = optional(list(string))
+    source_service_accounts = optional(list(string))
+    target_tags             = optional(list(string))
+    target_service_accounts = optional(list(string))
+
+    allow = optional(list(object({
+      protocol = string
+      ports    = optional(list(string))
+    })), [])
+    deny = optional(list(object({
+      protocol = string
+      ports    = optional(list(string))
+    })), [])
+    log_config = optional(object({
+      metadata = string
+    }))
+  }))
+  description = "This is DEPRICATED and available for backward compatiblity. Use ingress_rules and egress_rules variables. List of firewall rules"
   default     = []
 }
 
@@ -100,3 +122,59 @@ variable "mtu" {
   description = "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively."
   default     = 0
 }
+
+variable "ingress_rules" {
+  description = "List of ingress rules. This will be ignored if variable 'rules' is non-empty"
+  default     = []
+  type = list(object({
+    name                    = string
+    description             = optional(string, null)
+    priority                = optional(number, null)
+    destination_ranges      = optional(list(string), [])
+    source_ranges           = optional(list(string), [])
+    source_tags             = optional(list(string))
+    source_service_accounts = optional(list(string))
+    target_tags             = optional(list(string))
+    target_service_accounts = optional(list(string))
+
+    allow = optional(list(object({
+      protocol = string
+      ports    = optional(list(string))
+    })), [])
+    deny = optional(list(object({
+      protocol = string
+      ports    = optional(list(string))
+    })), [])
+    log_config = optional(object({
+      metadata = string
+    }))
+  }))
+}
+
+variable "egress_rules" {
+  description = "List of egress rules. This will be ignored if variable 'rules' is non-empty"
+  default     = []
+  type = list(object({
+    name                    = string
+    description             = optional(string, null)
+    priority                = optional(number, null)
+    destination_ranges      = optional(list(string), [])
+    source_ranges           = optional(list(string), [])
+    source_tags             = optional(list(string))
+    source_service_accounts = optional(list(string))
+    target_tags             = optional(list(string))
+    target_service_accounts = optional(list(string))
+
+    allow = optional(list(object({
+      protocol = string
+      ports    = optional(list(string))
+    })), [])
+    deny = optional(list(object({
+      protocol = string
+      ports    = optional(list(string))
+    })), [])
+    log_config = optional(object({
+      metadata = string
+    }))
+  }))
+}
diff --git a/versions.tf b/versions.tf
@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.3"
   required_providers {
     google = {
       source  = "hashicorp/google"