feat: add hierarchical firewall policy sub-module #553
Conversation
There was a problem hiding this comment.
Thanks @imrannayer. Can you help me understand this module a bit better? I left a few comments.
| target_org = var.org_id | ||
| target_folders = [var.folder2, var.folder3] | ||
|
|
||
| rules = [ |
There was a problem hiding this comment.
How are you associating rules to the respective containers? Based on this diagram it seems like rules can be specified at org/folder/project level but this rules block doesn't have that association.
Can you explain that a bit for me?
There was a problem hiding this comment.
Firewall policy itself can attach to org or or folder.
Rules can be for specific VMs with service account which are provided as target_service_accounts or you can apply a rule to a specific VPC which is provided as target_resources. These are the only options available for hierarchical firewall policies
example Line 82, 103, 142 and 163.
There was a problem hiding this comment.
I see. So line 51 and 52 are default targets and additionally a target_resources slice in rules adds an additional FW rule for the for those resources specifically. Did I get that right?
There was a problem hiding this comment.
Line 51 and 52 applies whole firewall policy (all rules) to folders or an org. But Line 82, 103, 143 and 163 allow users to apply a firewall rule to VMs of specific VPC network of VM with specific service account instead of all the VMs under the folders/org.
|
@g-awmalik leme know if you need more info? Thanks |
No description provided.