From f851f06cf5b8a1a5400a51a0bdd659a35395b057 Mon Sep 17 00:00:00 2001
From: NA2047 <12290725+NA2047@users.noreply.github.com>
Date: Mon, 4 Dec 2023 14:27:05 -0500
Subject: [PATCH] feat: Add in disabled field to firewall-rules (#524)

---
 README.md | 6 +++---
 main.tf | 1 +
 modules/firewall-rules/README.md | 6 +++---
 modules/firewall-rules/main.tf | 2 ++
 modules/firewall-rules/variables.tf | 3 +++
 variables.tf | 3 +++
 6 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index eb05398d..266c6851 100644
--- a/README.md
+++ b/README.md
@@ -102,10 +102,10 @@ Then perform the following commands on the root folder:
 | auto\_create\_subnetworks | When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. | `bool` | `false` | no |
 | delete\_default\_internet\_gateway\_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | description | An optional description of this resource. The resource must be recreated to modify this field. | `string` | `""` | no |
-| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
disabled = optional(bool, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
 | enable\_ipv6\_ula | Enabled IPv6 ULA, this is a permenant change and cannot be undone! (default 'false') | `bool` | `false` | no |
-| firewall\_rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of firewall rules |
list(object({
name = string
description = optional(string, null)
direction = optional(string, "INGRESS")
priority = optional(number, null)
ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
-| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| firewall\_rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of firewall rules |
list(object({
name = string
description = optional(string, null)
direction = optional(string, "INGRESS")
disabled = optional(bool, null)
priority = optional(number, null)
ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
disabled = optional(bool, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
 | internal\_ipv6\_range | When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null) | `string` | `null` | no |
 | mtu | The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively. | `number` | `0` | no |
 | network\_firewall\_policy\_enforcement\_order | Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null or equivalent to `AFTER_CLASSIC_FIREWALL`) | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index e52852f0..2dcb49bb 100644
--- a/main.tf
+++ b/main.tf
@@ -62,6 +62,7 @@ locals {
 for f in var.firewall_rules : {
 name = f.name
 direction = f.direction
+ disabled = lookup(f, "disabled", null)
 priority = lookup(f, "priority", null)
 description = lookup(f, "description", null)
 ranges = lookup(f, "ranges", null)
diff --git a/modules/firewall-rules/README.md b/modules/firewall-rules/README.md
index 9a281a55..e08aafbd 100644
--- a/modules/firewall-rules/README.md
+++ b/modules/firewall-rules/README.md
@@ -40,11 +40,11 @@ module "firewall_rules" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty |
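Review bot: The new `disabled = lookup(f, "disabled", null)` reads the field through `lookup` although the `firewall_rules` type in this same patch declares `disabled = optional(bool, null)`, so the attribute is always present on `f` and the `null` fallback can never be taken; `disabled = f.disabled` expresses the same thing and matches how `name` and `direction` are read two lines above. It does follow the `priority`/`description`/`ranges` lines next to it, so if those are kept as `lookup` for consistency this is a follow-up cleanup rather than a blocker. The `locals` block and the `for` expression this line belongs to start and end outside the hunk.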
list(object({
name = string
description = optional(string, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
-| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
disabled = optional(bool, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
disabled = optional(bool, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
 | network\_name | Name of the network this set of firewall rules applies to. | `string` | n/a | yes |
 | project\_id | Project id of the project that holds the network. | `string` | n/a | yes |
-| rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of custom rule definitions |
list(object({
name = string
description = optional(string, null)
direction = optional(string, "INGRESS")
priority = optional(number, null)
ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of custom rule definitions |
list(object({
name = string
description = optional(string, null)
direction = optional(string, "INGRESS")
disabled = optional(bool, null)
priority = optional(number, null)
ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
 ## Outputs
diff --git a/modules/firewall-rules/main.tf b/modules/firewall-rules/main.tf
index 83159be4..f37b0152 100644
--- a/modules/firewall-rules/main.tf
+++ b/modules/firewall-rules/main.tf
@@ -25,6 +25,7 @@ resource "google_compute_firewall" "rules" {
 name = each.value.name
 description = each.value.description
 direction = each.value.direction
+ disabled = each.value.disabled
 network = var.network_name
 project = var.project_id
 source_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
@@ -64,6 +65,7 @@ resource "google_compute_firewall" "rules_ingress_egress" {
 name = each.value.name
 description = each.value.description
 direction = each.value.direction
+ disabled = each.value.disabled
 network = var.network_name
 project = var.project_id
 source_ranges = lookup(each.value, "source_ranges", null)
diff --git a/modules/firewall-rules/variables.tf b/modules/firewall-rules/variables.tf
index 1b42d4d3..3072801e 100644
--- a/modules/firewall-rules/variables.tf
+++ b/modules/firewall-rules/variables.tf
@@ -31,6 +31,7 @@ variable "rules" {
 name = string
 description = optional(string, null)
 direction = optional(string, "INGRESS")
+ disabled = optional(bool, null)
 priority = optional(number, null)
 ranges = optional(list(string), [])
 source_tags = optional(list(string))
@@ -58,6 +59,7 @@ variable "ingress_rules" {
 type = list(object({
 name = string
 description = optional(string, null)
+ disabled = optional(bool, null)
 priority = optional(number, null)
 destination_ranges = optional(list(string), [])
 source_ranges = optional(list(string), [])
@@ -86,6 +88,7 @@ variable "egress_rules" {
 type = list(object({
 name = string
 description = optional(string, null)
+ disabled = optional(bool, null)
 priority = optional(number, null)
 destination_ranges = optional(list(string), [])
 source_ranges = optional(list(string), [])
diff --git a/variables.tf b/variables.tf
index 0514e636..76c0bdc3 100644
--- a/variables.tf
+++ b/variables.tf
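Review bot: `disabled = each.value.disabled` in both `google_compute_firewall` resources wires through a security-relevant switch with no comment explaining its effect: a rule with `disabled = true` remains in the rule list and in Terraform state but is not enforced, so flipping it on a `deny` rule removes protection while the plan shows only an in-place attribute change rather than a destroyed resource. A one-line comment at each site would help reviewers of future plans, e.g. `# disabled = true keeps the rule defined but unenforced; treat a flip on a deny rule like a deletion`. The `rules`, `ingress_rules` and `egress_rules` descriptions in the `variables.tf` hunks below are also unchanged and still say nothing about the new field. Both resource blocks extend past the hunk boundaries on either side.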
@@ -75,6 +75,7 @@ variable "firewall_rules" {
 name = string
 description = optional(string, null)
 direction = optional(string, "INGRESS")
+ disabled = optional(bool, null)
 priority = optional(number, null)
 ranges = optional(list(string), [])
 source_tags = optional(list(string))
@@ -129,6 +130,7 @@ variable "ingress_rules" {
 type = list(object({
 name = string
 description = optional(string, null)
+ disabled = optional(bool, null)
 priority = optional(number, null)
 destination_ranges = optional(list(string), [])
 source_ranges = optional(list(string), [])
@@ -157,6 +159,7 @@ variable "egress_rules" {
 type = list(object({
 name = string
 description = optional(string, null)
+ disabled = optional(bool, null)
 priority = optional(number, null)
 destination_ranges = optional(list(string), [])
 source_ranges = optional(list(string), [])
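Review bot: `disabled = optional(bool, null)` in all three types (and the identical lines in `modules/firewall-rules/variables.tf`) leaves the enforcement default to the provider, whereas the module spells out its other defaults (`direction = optional(string, "INGRESS")`, `ranges = optional(list(string), [])`); `disabled = optional(bool, false)` would make "omitted means enforced" explicit in the type and independent of how the provider treats a null for this attribute, including whether an out-of-band disable in the console is detected and reverted, which I have not verified here. Since the provider records the rule's actual `disabled` state, rules that never set it should already hold `false` in state and the explicit default should not produce a plan diff for existing callers; worth confirming with a plan against an existing state before merging. The three `variable` blocks begin before their hunks and the descriptions that should mention the new field are outside the hunks.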