Add support for mirroring rules to modules/net-firewall-policy (#3636)

* Add support for mirroring rules to net-firewall-policy

* Split mirroring rules

* Add schema

* Sort variables

modules/net-firewall-policy/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,37 @@ variable "description" {
   default     = null
 }
 
+variable "egress_mirroring_rules" {
+  description = "List of egress packet mirroring rule definitions, action can be 'mirror', 'do_not_mirror', or 'goto_next'."
+  type = map(object({
+    priority               = number
+    action                 = optional(string, "mirror")
+    description            = optional(string)
+    disabled               = optional(bool, false)
+    security_profile_group = optional(string)
+    target_tags            = optional(list(string))
+    tls_inspect            = optional(bool, null)
+    match = object({
+      destination_ranges = optional(list(string))
+      source_ranges      = optional(list(string))
+      source_tags        = optional(list(string))
+      layer4_configs = optional(list(object({
+        protocol = optional(string, "all")
+        ports    = optional(list(string))
+      })), [{}])
+    })
+  }))
+  default  = {}
+  nullable = false
+  validation {
+    condition = alltrue([
+      for k, v in var.egress_mirroring_rules :
+      contains(["mirror", "do_not_mirror", "goto_next"], v.action)
+    ])
+    error_message = "Action can only be one of 'mirror', 'do_not_mirror' or 'goto_next'."
+  }
+}
+
 variable "egress_rules" {
   description = "List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format."
   type = map(object({
@@ -84,14 +115,47 @@ variable "egress_rules" {
 variable "factories_config" {
   description = "Paths to folders for the optional factories."
   type = object({
-    cidr_file_path          = optional(string)
-    egress_rules_file_path  = optional(string)
-    ingress_rules_file_path = optional(string)
+    cidr_file_path                    = optional(string)
+    egress_rules_file_path            = optional(string)
+    ingress_rules_file_path           = optional(string)
+    ingress_mirroring_rules_file_path = optional(string)
+    egress_mirroring_rules_file_path  = optional(string)
   })
   nullable = false
   default  = {}
 }
 
+variable "ingress_mirroring_rules" {
+  description = "List of ingress packet mirroring rule definitions, action can be 'mirror', 'do_not_mirror', or 'goto_next'."
+  type = map(object({
+    priority               = number
+    action                 = optional(string, "mirror")
+    description            = optional(string)
+    disabled               = optional(bool, false)
+    security_profile_group = optional(string)
+    target_tags            = optional(list(string))
+    tls_inspect            = optional(bool, null)
+    match = object({
+      destination_ranges = optional(list(string))
+      source_ranges      = optional(list(string))
+      source_tags        = optional(list(string))
+      layer4_configs = optional(list(object({
+        protocol = optional(string, "all")
+        ports    = optional(list(string))
+      })), [{}])
+    })
+  }))
+  default  = {}
+  nullable = false
+  validation {
+    condition = alltrue([
+      for k, v in var.ingress_mirroring_rules :
+      contains(["mirror", "do_not_mirror", "goto_next"], v.action)
+    ])
+    error_message = "Action can only be one of 'mirror', 'do_not_mirror' or 'goto_next'."
+  }
+}
+
 variable "ingress_rules" {
   description = "List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
   type = map(object({