Google Cloud Network Firewall Policies

This module allows creation and management of a global or regional network firewall policy, including its associations and rules.

The module interface deviates slightly from the net-vpc-firewall module since the underlying resources and API objects are different.

It also makes fewer assumptions about implicit defaults: the only one it applies is to `match.layer4_configs`, which is set to `[{ protocol = "all" }]` when a rule specifies no protocols and ports. A rule that omits `layer4_configs` therefore matches all traffic from its source (or to its destination) ranges, so leave it out only where that is the intent.

A factory implementation will be added in a subsequent release.

Example

```hcl
module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
}

module "firewall-policy" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "test-1"
  project_id = "my-project"
  # specify a region to create and manage a regional policy
  # region     = "europe-west8"
  target_vpcs = {
    my-vpc = module.vpc.self_link
  }
  egress_rules = {
    smtp = {
      priority = 900
      match = {
        destination_ranges = ["0.0.0.0/0"]
        layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
      }
    }
  }
  ingress_rules = {
    icmp = {
      priority = 1000
      match = {
        source_ranges  = ["0.0.0.0/0"]
        layer4_configs = [{ protocol = "icmp" }]
      }
    }
    mgmt = {
      priority = 1001
      match = {
        source_ranges = ["10.1.1.0/24"]
        # no layer4_configs: the module defaults to [{ protocol = "all" }],
        # so this rule matches every protocol and port from the range above
      }
    }
    ssh = {
      priority = 1002
      match = {
        source_ranges = ["10.0.0.0/8"]
        # source_tags    = ["tagValues/123456"]
        layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
      }
    }
  }
}
# tftest modules=2 resources=7
```
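The following configuration is an added example and is not taken from the module's own README. It uses only the inputs described on this page (`action`, `priority`, `match` with `source_ranges`, `destination_ranges` and `layer4_configs`, and `target_vpcs`) and shows the pattern a practitioner usually wants on top of the example above: an explicit `action` on every rule, a `goto_next` rule that hands a decision to the next stage of firewall evaluation, and a low-priority catch-all ingress deny so that traffic this policy does not explicitly allow is denied here rather than falling through to the VPC firewall rules and the implied rules evaluated after a global network firewall policy. The project, network name, policy name and address ranges are placeholders; the two source ranges on the health-check rule are the ranges Google Cloud health checks and load balancer proxies originate from.

```hcl
module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
}

module "firewall-policy-baseline" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "baseline"
  project_id = "my-project"
  # region is left unset on purpose: this is a global policy, which in the
  # default evaluation order runs before the VPC firewall rules
  target_vpcs = {
    my-vpc = module.vpc.self_link
  }
  ingress_rules = {
    # lower priority number wins, so the allows sit above the catch-all deny;
    # health-check and proxy ranges must be allowed or backends go unhealthy
    lb-health-checks = {
      priority = 100
      action   = "allow"
      match = {
        source_ranges  = ["35.191.0.0/16", "130.211.0.0/22"]
        layer4_configs = [{ protocol = "tcp", ports = ["80", "443"] }]
      }
    }
    # SSH only from the management subnet, not the whole 10.0.0.0/8
    ssh-mgmt = {
      priority = 200
      action   = "allow"
      match = {
        source_ranges  = ["10.1.1.0/24"]
        layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
      }
    }
    # goto_next: do not decide east-west RFC 1918 traffic in this policy,
    # hand it to the next stage (the VPC firewall rules for a global policy)
    internal-goto-next = {
      priority = 300
      action   = "goto_next"
      match = {
        source_ranges  = ["10.0.0.0/8"]
        layer4_configs = [{ protocol = "all" }]
      }
    }
    # explicit catch-all: anything not matched above is denied by this policy
    # instead of being left to later stages; layer4_configs is written out
    # rather than relying on the module default, so the intent is visible
    deny-all = {
      priority = 65000
      action   = "deny"
      match = {
        source_ranges  = ["0.0.0.0/0"]
        layer4_configs = [{ protocol = "all" }]
      }
    }
  }
  egress_rules = {
    # block direct outbound SMTP from workloads; the implied egress rule
    # would otherwise allow it
    smtp-deny = {
      priority = 900
      action   = "deny"
      match = {
        destination_ranges = ["0.0.0.0/0"]
        layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
      }
    }
  }
}
```

Run `terraform plan` before applying a catch-all deny in an existing project: because a global network firewall policy is evaluated before the VPC firewall rules, every ingress allow that today lives in VPC firewall rules and is not covered by the `goto_next` rule will stop working.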

Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | Policy name. | string | ✓ | |
| project_id | Project id of the project that holds the network. | string | ✓ | |
| description | Policy description. | string | | null |
| egress_rules | Map of egress rule definitions; action can be 'allow', 'deny', 'goto_next'. The match.layer4_configs list is in protocol => optional [ports] format. | map(object({…})) | | {} |
| ingress_rules | Map of ingress rule definitions; action can be 'allow', 'deny', 'goto_next'. | map(object({…})) | | {} |
| region | Policy region. Leave null for a global policy. | string | | null |
| target_vpcs | VPC ids to which this policy will be attached, in descriptive name => self link format. | map(string) | | {} |