From 447420f173427c0d2cc8f5f99fa275e9ba3c20bc Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Sat, 24 Jan 2026 10:41:13 +0100
Subject: [PATCH] enable source tag support for hierarchical firewall rules (#3673)

---
 modules/net-firewall-policy/README.md | 6 +++---
 modules/net-firewall-policy/hierarchical.tf | 8 ++++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/net-firewall-policy/README.md b/modules/net-firewall-policy/README.md
index 4c42937d4..2cfae1032 100644
--- a/modules/net-firewall-policy/README.md
+++ b/modules/net-firewall-policy/README.md
@@ -66,8 +66,8 @@ module "firewall-policy" {
 priority = 1002
 enable_logging = true
 match = {
- source_ranges = ["10.0.0.0/8"]
- # source_tags = ["tagValues/123456"]
+ source_ranges = ["10.0.0.0/8"]
+ source_tags = ["tagValues/123456"]
 layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
 }
 }
@@ -173,6 +173,7 @@ module "firewall-policy" {
 ### Packet Mirroring Rules ### Packet Mirroring Rules + Packet mirroring rules can be defined using the `ingress_mirroring_rules` and `egress_mirroring_rules` variables. This is supported only for Global Network Policies.
 ```hcl
@@ -346,7 +347,6 @@ issue-1995:
 # tftest-file id=ingress path=configs/ingress.yaml schema=firewall-policy-rules.schema.json
 ```
- You might need to reference external security profile groups in your firewall rules, using their Terraform ids. For example, `//networksecurity.googleapis.com/${google_network_security_security_profile_group.security_profile_group.id}`. To do so, list your security profile groups in the `security_profile_group_ids` map variable. Then reference them by key from your factories.
 ```hcl
diff --git a/modules/net-firewall-policy/hierarchical.tf b/modules/net-firewall-policy/hierarchical.tf
index c5ea9dcfd..9d65561b4 100644
--- a/modules/net-firewall-policy/hierarchical.tf
+++ b/modules/net-firewall-policy/hierarchical.tf
@@ -123,6 +123,14 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
 ports = layer4_configs.value.ports
 }
 }
+ dynamic "src_secure_tags" {
+ for_each = toset(coalesce(local.rules[each.key].match.source_tags, []))
+ content {
+ name = lookup(
+ local.ctx.tag_values, src_secure_tags.key, src_secure_tags.key
+ )
+ }
+ }
 }
 dynamic "target_secure_tags" {
 for_each = toset(
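Review bot: The new `name = lookup(local.ctx.tag_values, src_secure_tags.key, src_secure_tags.key)` passes an unresolved key through verbatim, so a mistyped context key or a human-readable tag name silently becomes the value sent to the API instead of failing at plan time; the `target_secure_tags` block that follows appears to use the same pattern, so if the pass-through is intentional a comment such as `# keys not found in ctx.tag_values are passed through as-is (expected as tagValues/<id>)` would make that explicit. It is also worth a comment next to the block that, if I recall the firewall policy rule API documentation correctly, an ingress rule whose source secure tags are all ineffective and which has no source range is ignored rather than enforced, so a deny rule that relies on tags alone can fail open — a caveat the README example change (which now sets both `source_ranges` and `source_tags`) does not mention. The enclosing resource block starts and ends outside the hunk.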