diff --git a/README.md b/README.md index d30bc791..6466b2af 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,7 @@ If the user does not share the same domain as the org the bastion is in, you wil |------|-------------|------|---------|:--------:| | access\_config | Access configs for network, nat\_ip and DNS |
list(object({|
network_tier = string
nat_ip = string
public_ptr_domain_name = string
}))
[| no | | additional\_ports | A list of additional ports/ranges to open access to on the instances from IAP. | `list(string)` | `[]` | no | +| create\_firewall\_rule | If we need to create the firewall rule or not. | `bool` | `true` | no | | create\_instance\_from\_template | Whether to create and instance from the template or not. If false, no instance is created, but the instance template is created and usable by a MIG | `bool` | `true` | no | | disk\_size\_gb | Boot disk size in GB | `number` | `100` | no | | disk\_type | Boot disk type, can be either pd-ssd, local-ssd, or pd-standard | `string` | `"pd-standard"` | no | diff --git a/main.tf b/main.tf index 0559332f..eb035f67 100644 --- a/main.tf +++ b/main.tf @@ -102,7 +102,8 @@ module "iap_tunneling" { name = try(google_compute_instance_from_template.bastion_vm[0].name, "") zone = var.zone }] : [] - members = var.members + members = var.members + create_firewall_rule = var.create_firewall_rule } resource "google_service_account_iam_binding" "bastion_sa_user" { diff --git a/modules/iap-tunneling/README.md b/modules/iap-tunneling/README.md index f900dc9d..8c4fb633 100644 --- a/modules/iap-tunneling/README.md +++ b/modules/iap-tunneling/README.md @@ -87,6 +87,7 @@ the necessary APIs enabled. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | additional\_ports | A list of additional ports/ranges to open access to on the instances from IAP. | `list(string)` | `[]` | no | +| create\_firewall\_rule | If we need to create the firewall rule or not. | `bool` | `true` | no | | fw\_name\_allow\_ssh\_from\_iap | Firewall rule name for allowing SSH from IAP. | `string` | `"allow-ssh-from-iap-to-tunnel"` | no | | host\_project | The network host project ID. | `string` | `""` | no | | instances | Names and zones of the instances to allow SSH from IAP. |
{
"nat_ip": "",
"network_tier": "PREMIUM",
"public_ptr_domain_name": ""
}
]
list(object({| n/a | yes | diff --git a/modules/iap-tunneling/main.tf b/modules/iap-tunneling/main.tf index bfa48f26..568a5e43 100644 --- a/modules/iap-tunneling/main.tf +++ b/modules/iap-tunneling/main.tf @@ -15,6 +15,7 @@ */ resource "google_compute_firewall" "allow_from_iap_to_instances" { + count = var.create_firewall_rule ? 1 : 0 project = var.host_project != "" ? var.host_project : var.project name = var.fw_name_allow_ssh_from_iap network = var.network diff --git a/modules/iap-tunneling/variables.tf b/modules/iap-tunneling/variables.tf index 8b25c440..0a3d269b 100644 --- a/modules/iap-tunneling/variables.tf +++ b/modules/iap-tunneling/variables.tf @@ -62,3 +62,9 @@ variable "additional_ports" { type = list(string) default = [] } + +variable "create_firewall_rule" { + type = bool + description = "If we need to create the firewall rule or not." + default = true +} diff --git a/variables.tf b/variables.tf index 9310bd0f..6b0e0da4 100644 --- a/variables.tf +++ b/variables.tf @@ -223,3 +223,9 @@ variable "access_config" { public_ptr_domain_name = "" }] } + +variable "create_firewall_rule" { + type = bool + description = "If we need to create the firewall rule or not." + default = true +}
name = string
zone = string
}))