From 2dde9d83cba253148a37621cfbe69d2a1f2b9a14 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Wed, 2 Aug 2023 12:22:57 -0500
Subject: [PATCH] fix: network attachment error in firewall policy sub-module (#478)

---
 build/int.cloudbuild.yaml | 6 +++---
 .../global-network-firewall-policy/main.tf | 10 +++++++++-
 .../regional-network-firewall-policy/main.tf | 19 ++++++++++++++-----
 modules/network-firewall-policy/README.md | 4 ++--
 modules/network-firewall-policy/main.tf | 4 ++--
 5 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index efbb172f..66c52169 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -168,7 +168,7 @@ steps:
 args: ['/bin/bash', '-c', 'cft test run TestPrivateServiceConnect --stage teardown --verbose']
 - id: converge global-firewall-policy
 waitFor:
- - create all
+ - destroy private-service-connect
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'cft test run TestGlobalNetworkFirewallPolicy --stage apply --verbose']
 - id: verify global-firewall-policy
@@ -183,7 +183,7 @@ steps:
 args: ['/bin/bash', '-c', 'cft test run TestGlobalNetworkFirewallPolicy --stage teardown --verbose']
 - id: converge regional-firewall-policy
 waitFor:
- - create all
+ - destroy global-firewall-policy
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkFirewallPolicy --stage apply --verbose']
 - id: verify regional-firewall-policy
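Review bot: The new `waitFor` entries turn the previously parallel firewall-policy examples into a strictly serial chain, and nothing in the file says why, so the next person trimming build time is likely to revert it. The reason is presumably that these examples now create VPCs with overlapping names or compete for quota in the shared test project, but that is inferred rather than visible here. A one-line comment above the first serialized step would pin it down, e.g. `# firewall-policy examples run one after another: they share the test project and conflict when applied concurrently`, with the later `waitFor` edits pointing back to it or a single comment stating the ordering is deliberate for the whole chain.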
@@ -198,7 +198,7 @@ steps:
 args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkFirewallPolicy --stage teardown --verbose']
 - id: converge firewall-rule
 waitFor:
- - create all
+ - destroy regional-firewall-policy
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage apply --verbose']
 - id: verify firewall-rule
diff --git a/examples/global-network-firewall-policy/main.tf b/examples/global-network-firewall-policy/main.tf
index bc5fb9fa..59c9315b 100644
--- a/examples/global-network-firewall-policy/main.tf
+++ b/examples/global-network-firewall-policy/main.tf
@@ -34,6 +34,11 @@ resource "google_compute_network" "network" {
 name = "${local.prefix}-network"
 }
+resource "google_compute_network" "network_backup" {
+ project = var.project_id
+ name = "${local.prefix}-network-backup"
+}
+
 resource "google_tags_tag_key" "tag_key" {
 description = "For keyname resources."
@@ -74,7 +79,10 @@ module "firewal_policy" {
 project_id = var.project_id
 policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
 description = "test ${local.prefix} firewall policy"
- target_vpcs = ["projects/${var.project_id}/global/networks/${local.prefix}-network"]
+ target_vpcs = [
+ "projects/${var.project_id}/global/networks/${local.prefix}-network",
+ "projects/${var.project_id}/global/networks/${local.prefix}-network-backup",
+ ]
 rules = [
 {
diff --git a/examples/regional-network-firewall-policy/main.tf b/examples/regional-network-firewall-policy/main.tf
index 73323388..730e12f5 100644
--- a/examples/regional-network-firewall-policy/main.tf
+++ b/examples/regional-network-firewall-policy/main.tf
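Review bot: The added `google_compute_network.network_backup` sets only `project` and `name`, so it inherits the provider default `auto_create_subnetworks = true` and creates a subnet with a default CIDR in every region the moment the example is applied, which is far more than a policy-attachment test needs and adds routable address space to the test project. Adding `auto_create_subnetworks = false` keeps the fixture to an empty VPC, which is all the association exercises here; the existing `network` resource starts before the hunk so I cannot tell whether it sets this either, but the two should match, and the same applies to the regional example's `network_backup`. If auto-mode is intended, a comment saying so would stop the next reviewer asking the same question.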
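Review bot: `target_vpcs` still spells the network paths out as literal strings instead of referencing the resources declared a few lines earlier, so Terraform sees no dependency between the module's association resources and `google_compute_network.network` / `network_backup` and can try to attach the policy before either network exists — the same class of ordering error this commit's title describes. The `id` attribute of `google_compute_network` has the same `projects/<project>/global/networks/<name>` form, so `target_vpcs = [google_compute_network.network.id, google_compute_network.network_backup.id]` keeps the values identical while giving Terraform the implicit dependency. `module "firewal_policy"` continues past the hunk into the `rules` list.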
@@ -36,6 +36,11 @@ resource "google_compute_network" "network" {
 name = "${local.prefix}-network"
 }
+resource "google_compute_network" "network_backup" {
+ project = var.project_id
+ name = "${local.prefix}-network-backup"
+}
+
 resource "google_tags_tag_key" "tag_key" {
 description = "For keyname resources."
@@ -73,11 +78,15 @@ resource "google_service_account" "service_account" {
 }
 module "firewal_policy" {
- source = "../../modules/network-firewall-policy"
- project_id = var.project_id
- policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
- description = "test ${local.prefix} firewall policy"
- target_vpcs = ["projects/${var.project_id}/global/networks/${local.prefix}-network"]
+ source = "../../modules/network-firewall-policy"
+ project_id = var.project_id
+ policy_name = "${local.prefix}-firewall-policy-${random_string.random_suffix.result}"
+ description = "test ${local.prefix} firewall policy"
+ target_vpcs = [
+ "projects/${var.project_id}/global/networks/${local.prefix}-network",
+ "projects/${var.project_id}/global/networks/${local.prefix}-network-backup",
+ ]
+ policy_region = local.location
 rules = [
diff --git a/modules/network-firewall-policy/README.md b/modules/network-firewall-policy/README.md
index df95057b..c88a9b3d 100644
--- a/modules/network-firewall-policy/README.md
+++ b/modules/network-firewall-policy/README.md
@@ -29,7 +29,7 @@ There are examples included for [global](https://github.com/terraform-google-mod
 ```hcl
 module "firewall_rules" {
 source = "terraform-google-modules/network/google//modules/network-firewall-policy"
- version = "~> 8.0"
+ version = "~> 7.2"
 project_id = var.project_id
 policy_name = "my-firewall-policy"
 description = "Test firewall policy"
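Review bot: The two `target_vpcs` entries are hard-coded paths even though `google_compute_network.network` and `network_backup` live in this same file, so there is no graph edge from the module's `google_compute_region_network_firewall_policy_association` resources to the networks, and a from-scratch apply can race the attachment against network creation. Referencing `google_compute_network.network.id` and `google_compute_network.network_backup.id` produces the same `projects/…/global/networks/…` strings and adds the dependency; the new `policy_region = local.location` line is fine. The module block continues past the hunk (its `rules` list), and the `firewal_policy` label misspelling is pre-existing rather than introduced here.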
@@ -173,7 +173,7 @@ In a [firewall policy rule](https://cloud.google.com/firewall/docs/firewall-poli
 enable_logging = true
 target_secure_tags = ["tagValues/${google_tags_tag_value.tag_value.name}",]
 target_service_accounts = ["fw-test-svc-acct@$my-project-id.iam.gserviceaccount.com"]
- match = object({
+ match = {
 src_ip_ranges = ["10.100.0.2"]
 src_fqdns = []
 src_region_codes = []
diff --git a/modules/network-firewall-policy/main.tf b/modules/network-firewall-policy/main.tf
index 58efcbdf..947f7d96 100644
--- a/modules/network-firewall-policy/main.tf
+++ b/modules/network-firewall-policy/main.tf
@@ -30,7 +30,7 @@ resource "google_compute_network_firewall_policy" "fw_policy" {
 resource "google_compute_network_firewall_policy_association" "vpc_associations" {
 for_each = local.global && length(var.target_vpcs) > 0 ? { for x in var.target_vpcs : base64encode(x) => x } : {}
- name = local.prefix
+ name = "${local.prefix}-${element(split("/", each.value), length(split("/", each.value)) - 1)}"
 attachment_target = each.value
 firewall_policy = google_compute_network_firewall_policy.fw_policy[0].name
 project = var.project_id
@@ -103,7 +103,7 @@ resource "google_compute_region_network_firewall_policy" "fw_policy" {
 resource "google_compute_region_network_firewall_policy_association" "vpc_associations" {
 for_each = !local.global && length(var.target_vpcs) > 0 ? { for x in var.target_vpcs : base64encode(x) => x } : {}
- name = local.prefix
+ name = "${local.prefix}-${element(split("/", each.value), length(split("/", each.value)) - 1)}"
 attachment_target = each.value
 firewall_policy = google_compute_region_network_firewall_policy.fw_policy[0].name
 project = var.project_id
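Review bot: The new association `name` takes its unique suffix from the last path segment of each `target_vpcs` entry, so two targets that share a network short name — the same name in two host projects, or one entry passed as a bare name and another as a full path — still collide on `name` at apply time; the fix removes the common case (every entry colliding on the bare `local.prefix`) but not this edge. The result is also subject to Compute resource-name limits (63 characters), and since `local.prefix` is defined outside the hunk I cannot tell how much headroom it leaves. A comment stating the contract would help, e.g. `# association names must be unique per policy: suffix with the network short name (assumes distinct short names across target_vpcs and prefix+name <= 63 chars)`, and a `precondition` on `var.target_vpcs` rejecting duplicate short names would surface the collision at plan time instead of as an API error.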
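Review bot: The regional association repeats the exact `"${local.prefix}-${element(split("/", each.value), length(split("/", each.value)) - 1)}"` expression from the global resource above, so the two will drift the next time someone adjusts the naming. Hoisting it into a `locals` block (one evidently exists, given `local.prefix` and `local.global`) as a map keyed like `for_each` — `vpc_association_names = { for x in var.target_vpcs : base64encode(x) => "${local.prefix}-${reverse(split("/", x))[0]}" }` — lets both resources use `name = local.vpc_association_names[each.key]`, and `reverse(split(...))[0]` reads more directly than `element(..., length(...) - 1)`. The `for_each` keys should stay `base64encode(x)` as the patch leaves them, since re-keying would destroy and recreate every existing association.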