fix: network-firewall-policy not able to use target_secure_tags (#514)
imrannayer authored Nov 2, 2023
1 parent 4d93465 commit a5418b4
Showing 3 changed files with 8 additions and 4 deletions.
2 changes: 1 addition & 1 deletion modules/network-firewall-policy/README.md
Expand Up @@ -135,7 +135,7 @@ module "firewall_rules" {
| policy\_name | User-provided name of the Network firewall policy | `string` | n/a | yes |
| policy\_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | `string` | `null` | no |
| project\_id | Project ID of the Network firewall policy | `string` | n/a | yes |
| rules | List of Ingress/Egress rules | <pre>list(object({<br> priority = number<br> direction = string<br> action = string<br> rule_name = optional(string)<br> disabled = optional(bool)<br> description = optional(string)<br> enable_logging = optional(bool)<br> target_secure_tags = optional(list(string))<br> target_service_accounts = optional(list(string), [])<br> match = object({<br> src_ip_ranges = optional(list(string), [])<br> src_fqdns = optional(list(string), [])<br> src_region_codes = optional(list(string), [])<br> src_secure_tags = optional(list(string), [])<br> src_address_groups = optional(list(string), [])<br> dest_ip_ranges = optional(list(string), [])<br> dest_fqdns = optional(list(string), [])<br> dest_region_codes = optional(list(string), [])<br> dest_threat_intelligences = optional(list(string), [])<br> dest_address_groups = optional(list(string), [])<br> layer4_configs = optional(list(object({<br> ip_protocol = optional(string, "all")<br> ports = optional(list(string), [])<br> })), [{}])<br> })<br> }))</pre> | `[]` | no |
| rules | List of Ingress/Egress rules | <pre>list(object({<br> priority = number<br> direction = string<br> action = string<br> rule_name = optional(string)<br> disabled = optional(bool)<br> description = optional(string)<br> enable_logging = optional(bool)<br> target_secure_tags = optional(list(string))<br> target_service_accounts = optional(list(string))<br> match = object({<br> src_ip_ranges = optional(list(string), [])<br> src_fqdns = optional(list(string), [])<br> src_region_codes = optional(list(string), [])<br> src_secure_tags = optional(list(string), [])<br> src_address_groups = optional(list(string), [])<br> dest_ip_ranges = optional(list(string), [])<br> dest_fqdns = optional(list(string), [])<br> dest_region_codes = optional(list(string), [])<br> dest_threat_intelligences = optional(list(string), [])<br> dest_address_groups = optional(list(string), [])<br> layer4_configs = optional(list(object({<br> ip_protocol = optional(string, "all")<br> ports = optional(list(string), [])<br> })), [{}])<br> })<br> }))</pre> | `[]` | no |
| target\_vpcs | List of target VPC IDs that the firewall policy will be attached to | `list(string)` | `[]` | no |

## Outputs
2 changes: 1 addition & 1 deletion modules/network-firewall-policy/variables.tf
Expand Up @@ -57,7 +57,7 @@ variable "rules" {
description = optional(string)
enable_logging = optional(bool)
target_secure_tags = optional(list(string))
target_service_accounts = optional(list(string), [])
target_service_accounts = optional(list(string))
match = object({
src_ip_ranges = optional(list(string), [])
src_fqdns = optional(list(string), [])
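Review bot: The changed line makes target_service_accounts default to null instead of [], so any expression in the module's rule block (outside this hunk) that applies length() to it or iterates it without a null guard will now fail at plan time; worth confirming the consumer uses something like `try(length(rule.target_service_accounts), 0)` or passes the value straight through to the provider. If the intent is that a rule sets either target_secure_tags or target_service_accounts but not both, the variable description (also outside the hunk) should state that explicitly rather than leaving it implied by the default. The enclosing variable "rules" block starts and ends outside the hunk.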
Expand Up @@ -55,8 +55,8 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
assert.Equal("10.100.0.1/32", sp1.Get("match.srcIpRanges").Array()[0].String(), "has expected srcIpRanges")
assert.Equal("US", sp1.Get("match.srcRegionCodes").Array()[0].String(), "has expected srcRegionCodes")
assert.Equal("all", sp1.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
secureTags := sp1.Get("match.srcSecureTags").Array()
assert.Equal(1, len(secureTags), "should have the correct srcSecureTags count")
secureTags1 := sp1.Get("match.srcSecureTags").Array()
assert.Equal(1, len(secureTags1), "should have the correct srcSecureTags count - 1")
srcAddressGroups := sp1.Get("match.srcAddressGroups").Array()
assert.Equal(1, len(srcAddressGroups), "should have the correct srcAddressGroups count")

Expand All @@ -72,6 +72,8 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
assert.Equal("10.100.0.2/32", sp2.Get("match.srcIpRanges").Array()[0].String(), "has expected srcIpRanges")
assert.Equal("BE", sp2.Get("match.srcRegionCodes").Array()[0].String(), "has expected srcRegionCodes")
assert.Equal("all", sp2.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
secureTags2 := sp2.Get("targetSecureTags").Array()
assert.Equal(1, len(secureTags2), "should have the correct targetSecureTags count - 1")

rule3 := gcloud.Runf(t, "compute network-firewall-policies rules describe 3 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId)
sp3 := rule3.Array()[0]
Expand Down Expand Up @@ -116,6 +118,8 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
assert.Equal("10.100.0.2/32", sp102.Get("match.destIpRanges").Array()[0].String(), "has expected destIpRanges")
assert.Equal("AR", sp102.Get("match.destRegionCodes").Array()[0].String(), "has expected destRegionCodes")
assert.Equal("all", sp102.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
secureTags102 := sp2.Get("targetSecureTags").Array()
assert.Equal(1, len(secureTags102), "should have the correct targetSecureTags count - 1")

rule103 := gcloud.Runf(t, "compute network-firewall-policies rules describe 103 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId)
sp103 := rule103.Array()[0]
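Review bot: The new assertion for rule 102 reads `sp2` instead of `sp102`, so it re-checks rule 2's targetSecureTags and never verifies rule 102; the line should be `secureTags102 := sp102.Get("targetSecureTags").Array()`. The same copy-paste risk applies to the rule 2 assertion added in the earlier hunk, which is correct there but uses the same message suffix. The suffix "count - 1" in both messages is unclear; stating the expected count in words, e.g. `"should have exactly one targetSecureTag"`, reads better. TestGlobalNetworkFirewallPolicy starts and ends outside the hunk.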