-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
main.tf
101 lines (92 loc) · 3.59 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
ingress_rules = { for rule in var.ingress_rules : rule.name => merge(rule, { direction = "INGRESS" }) }
egress_rules = { for rule in var.egress_rules : rule.name => merge(rule, { direction = "EGRESS" }) }
rules_all = merge(local.ingress_rules, local.egress_rules)
}
resource "google_compute_firewall" "rules" {
for_each = length(var.rules) > 0 ? { for r in var.rules : r.name => r } : {}
name = each.value.name
description = each.value.description
direction = each.value.direction
disabled = each.value.disabled
network = var.network_name
project = var.project_id
source_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
destination_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
source_tags = each.value.source_tags
source_service_accounts = each.value.source_service_accounts
target_tags = each.value.target_tags
target_service_accounts = each.value.target_service_accounts
priority = each.value.priority
dynamic "log_config" {
for_each = lookup(each.value, "log_config") == null ? [] : [each.value.log_config]
content {
metadata = log_config.value.metadata
}
}
dynamic "allow" {
for_each = lookup(each.value, "allow", [])
content {
protocol = allow.value.protocol
ports = lookup(allow.value, "ports", null)
}
}
dynamic "deny" {
for_each = lookup(each.value, "deny", [])
content {
protocol = deny.value.protocol
ports = lookup(deny.value, "ports", null)
}
}
}
resource "google_compute_firewall" "rules_ingress_egress" {
for_each = length(var.rules) > 0 ? {} : local.rules_all
name = each.value.name
description = each.value.description
direction = each.value.direction
disabled = each.value.disabled
network = var.network_name
project = var.project_id
source_ranges = lookup(each.value, "source_ranges", null)
destination_ranges = lookup(each.value, "destination_ranges", null)
source_tags = each.value.source_tags
source_service_accounts = each.value.source_service_accounts
target_tags = each.value.target_tags
target_service_accounts = each.value.target_service_accounts
priority = each.value.priority
dynamic "log_config" {
for_each = lookup(each.value, "log_config") == null ? [] : [each.value.log_config]
content {
metadata = log_config.value.metadata
}
}
dynamic "allow" {
for_each = lookup(each.value, "allow", [])
content {
protocol = allow.value.protocol
ports = lookup(allow.value, "ports", null)
}
}
dynamic "deny" {
for_each = lookup(each.value, "deny", [])
content {
protocol = deny.value.protocol
ports = lookup(deny.value, "ports", null)
}
}
}