diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffc7e603d..5ab336693 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,8 @@ All notable changes to this project will be documented in this file.
### MODULES
+- [[#3424](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3424)] Support CIDR range sets in firewall modules context ([ludoo](https://github.com/ludoo))
+- [[#3421](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3421)] Adds network_id to net-vpc outputs ([sruffilli](https://github.com/sruffilli))
- [[#3420](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3420)] Add support for context to net-vpn-ha module ([ludoo](https://github.com/ludoo))
- [[#3419](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3419)] Add support for context to net-lb-int net-vpc-firewall and net-vpc module ([ludoo](https://github.com/ludoo))
- [[#3414](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3414)] Add support for context to net-cloudnat, net-firewall-policy modules ([ludoo](https://github.com/ludoo))
diff --git a/modules/net-firewall-policy/README.md b/modules/net-firewall-policy/README.md
index fe899cc03..fbc0ff4dd 100644
--- a/modules/net-firewall-policy/README.md
+++ b/modules/net-firewall-policy/README.md
@@ -386,16 +386,16 @@ The following variable is defined at the top level of the rule (not within the `
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L132) | Policy name. | string | ✓ | |
-| [parent_id](variables.tf#L138) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | string | ✓ | |
+| [name](variables.tf#L133) | Policy name. | string | ✓ | |
+| [parent_id](variables.tf#L139) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | string | ✓ | |
| [attachments](variables.tf#L17) | Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy. | map(string) | | {} |
-| [context](variables.tf#L24) | Context-specific interpolations. | object({…}) | | {} |
-| [description](variables.tf#L39) | Policy description. | string | | null |
-| [egress_rules](variables.tf#L45) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format. | map(object({…})) | | {} |
-| [factories_config](variables.tf#L83) | Paths to folders for the optional factories. | object({…}) | | {} |
-| [ingress_rules](variables.tf#L94) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. | map(object({…})) | | {} |
-| [region](variables.tf#L144) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | string | | null |
-| [security_profile_group_ids](variables.tf#L150) | The optional security groups ids to be referenced in factories. | map(string) | | {} |
+| [context](variables.tf#L24) | Context-specific interpolations. | object({…}) | | {} |
+| [description](variables.tf#L40) | Policy description. | string | | null |
+| [egress_rules](variables.tf#L46) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format. | map(object({…})) | | {} |
+| [factories_config](variables.tf#L84) | Paths to folders for the optional factories. | object({…}) | | {} |
+| [ingress_rules](variables.tf#L95) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. | map(object({…})) | | {} |
+| [region](variables.tf#L145) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | string | | null |
+| [security_profile_group_ids](variables.tf#L151) | The optional security groups ids to be referenced in factories. | map(string) | | {} |
## Outputs
diff --git a/modules/net-firewall-policy/hierarchical.tf b/modules/net-firewall-policy/hierarchical.tf
index dffbb7805..9edf559cc 100644
--- a/modules/net-firewall-policy/hierarchical.tf
+++ b/modules/net-firewall-policy/hierarchical.tf
@@ -59,16 +59,22 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
)
match {
dest_ip_ranges = (
- local.rules[each.key].match.destination_ranges == null ? null : [
- for r in local.rules[each.key].match.destination_ranges :
- lookup(local.ctx.cidr_ranges, r, r)
- ]
+ local.rules[each.key].match.destination_ranges == null ? null : distinct(flatten([
+ for r in local.rules[each.key].match.destination_ranges : try(
+ local.ctx.cidr_ranges_sets[r],
+ local.ctx.cidr_ranges[r],
+ r
+ )
+ ]))
)
src_ip_ranges = (
- local.rules[each.key].match.source_ranges == null ? null : [
- for r in local.rules[each.key].match.source_ranges :
- lookup(local.ctx.cidr_ranges, r, r)
- ]
+ local.rules[each.key].match.source_ranges == null ? null : distinct(flatten([
+ for r in local.rules[each.key].match.source_ranges : try(
+ local.ctx.cidr_ranges_sets[r],
+ local.ctx.cidr_ranges[r],
+ r
+ )
+ ]))
)
dest_address_groups = (
local.rules[each.key].direction == "EGRESS"
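Review bot: The three-way `try()` in the new dest_ip_ranges and src_ip_ranges expressions masks more than a missing key: if `local.ctx` (built outside this diff) has not been extended with the `cidr_ranges_sets` map that variables.tf now declares, every `$cidr_ranges_sets:` token silently falls through to the literal token string and the failure only surfaces at apply time from the API instead of at plan time; worth confirming that `local.ctx` carries the new key, or making an absent map a hard error rather than a fallthrough. A second edge the commit does not address is a set that resolves to `[]`, which yields `dest_ip_ranges = []` rather than `null` and so changes the rule's match scope without any diagnostic; a short comment such as `# a set resolving to [] yields an empty list, not null — no validation here` would at least make that explicit. The same expressions appear in net-global.tf and net-regional.tf and the remark applies there as well. The enclosing `google_compute_firewall_policy_rule.hierarchical` block starts and ends outside the hunk.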
diff --git a/modules/net-firewall-policy/net-global.tf b/modules/net-firewall-policy/net-global.tf
index 8d9bc4049..a36865a1b 100644
--- a/modules/net-firewall-policy/net-global.tf
+++ b/modules/net-firewall-policy/net-global.tf
@@ -60,16 +60,22 @@ resource "google_compute_network_firewall_policy_rule" "net-global" {
)
match {
dest_ip_ranges = (
- local.rules[each.key].match.destination_ranges == null ? null : [
- for r in local.rules[each.key].match.destination_ranges :
- lookup(local.ctx.cidr_ranges, r, r)
- ]
+ local.rules[each.key].match.destination_ranges == null ? null : distinct(flatten([
+ for r in local.rules[each.key].match.destination_ranges : try(
+ local.ctx.cidr_ranges_sets[r],
+ local.ctx.cidr_ranges[r],
+ r
+ )
+ ]))
)
src_ip_ranges = (
- local.rules[each.key].match.source_ranges == null ? null : [
- for r in local.rules[each.key].match.source_ranges :
- lookup(local.ctx.cidr_ranges, r, r)
- ]
+ local.rules[each.key].match.source_ranges == null ? null : distinct(flatten([
+ for r in local.rules[each.key].match.source_ranges : try(
+ local.ctx.cidr_ranges_sets[r],
+ local.ctx.cidr_ranges[r],
+ r
+ )
+ ]))
)
dest_address_groups = (
local.rules[each.key].direction == "EGRESS"
diff --git a/modules/net-firewall-policy/net-regional.tf b/modules/net-firewall-policy/net-regional.tf
index 9a83a5ef6..9444b5786 100644
--- a/modules/net-firewall-policy/net-regional.tf
+++ b/modules/net-firewall-policy/net-regional.tf
@@ -58,16 +58,22 @@ resource "google_compute_region_network_firewall_policy_rule" "net-regional" {
)
match {
dest_ip_ranges = (
- local.rules[each.key].match.destination_ranges == null ? null : [
- for r in local.rules[each.key].match.destination_ranges :
- lookup(local.ctx.cidr_ranges, r, r)
- ]
+ local.rules[each.key].match.destination_ranges == null ? null : distinct(flatten([
+ for r in local.rules[each.key].match.destination_ranges : try(
+ local.ctx.cidr_ranges_sets[r],
+ local.ctx.cidr_ranges[r],
+ r
+ )
+ ]))
)
src_ip_ranges = (
- local.rules[each.key].match.source_ranges == null ? null : [
- for r in local.rules[each.key].match.source_ranges :
- lookup(local.ctx.cidr_ranges, r, r)
- ]
+ local.rules[each.key].match.source_ranges == null ? null : distinct(flatten([
+ for r in local.rules[each.key].match.source_ranges : try(
+ local.ctx.cidr_ranges_sets[r],
+ local.ctx.cidr_ranges[r],
+ r
+ )
+ ]))
)
dest_address_groups = (
local.rules[each.key].direction == "EGRESS"
diff --git a/modules/net-firewall-policy/variables.tf b/modules/net-firewall-policy/variables.tf
index 9ccc91783..64a35a2d4 100644
--- a/modules/net-firewall-policy/variables.tf
+++ b/modules/net-firewall-policy/variables.tf
@@ -24,13 +24,14 @@ variable "attachments" {
variable "context" {
description = "Context-specific interpolations."
type = object({
- cidr_ranges = optional(map(string), {})
- folder_ids = optional(map(string), {})
- iam_principals = optional(map(string), {})
- locations = optional(map(string), {})
- networks = optional(map(string), {})
- project_ids = optional(map(string), {})
- tag_values = optional(map(string), {})
+ cidr_ranges = optional(map(string), {})
+ cidr_ranges_sets = optional(map(list(string)), {})
+ folder_ids = optional(map(string), {})
+ iam_principals = optional(map(string), {})
+ locations = optional(map(string), {})
+ networks = optional(map(string), {})
+ project_ids = optional(map(string), {})
+ tag_values = optional(map(string), {})
})
default = {}
nullable = false
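Review bot: The new `cidr_ranges_sets` attribute is undocumented: the variable description still reads only "Context-specific interpolations.", and the README table collapses the type to `object({…})`, so a reader never learns the token form or that a set expands into several ranges. Suggest extending the description, e.g. `description = "Context-specific interpolations. Entries in cidr_ranges_sets expand to their whole list of ranges when referenced as $cidr_ranges_sets:<name>."`, so the generated README carries it. The same applies to the net-vpc-firewall variables.tf hunk further down.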
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index f074556e8..9928c906e 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -269,14 +269,14 @@ module "firewall" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [network](variables.tf#L123) | Name of the network this set of firewall rules applies to. | string | ✓ | |
-| [project_id](variables.tf#L128) | Project id of the project that holds the network. | string | ✓ | |
-| [context](variables.tf#L17) | Context-specific interpolations. | object({…}) | | {} |
-| [default_rules_config](variables.tf#L29) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | object({…}) | | {} |
-| [egress_rules](variables.tf#L49) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | map(object({…})) | | {} |
-| [factories_config](variables.tf#L72) | Paths to data files and folders that enable factory functionality. | object({…}) | | {} |
-| [ingress_rules](variables.tf#L82) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | map(object({…})) | | {} |
-| [named_ranges](variables.tf#L106) | Define mapping of names to ranges that can be used in custom rules. | map(list(string)) | | {…} |
+| [network](variables.tf#L124) | Name of the network this set of firewall rules applies to. | string | ✓ | |
+| [project_id](variables.tf#L129) | Project id of the project that holds the network. | string | ✓ | |
+| [context](variables.tf#L17) | Context-specific interpolations. | object({…}) | | {} |
+| [default_rules_config](variables.tf#L30) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | object({…}) | | {} |
+| [egress_rules](variables.tf#L50) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | map(object({…})) | | {} |
+| [factories_config](variables.tf#L73) | Paths to data files and folders that enable factory functionality. | object({…}) | | {} |
+| [ingress_rules](variables.tf#L83) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | map(object({…})) | | {} |
+| [named_ranges](variables.tf#L107) | Define mapping of names to ranges that can be used in custom rules. | map(list(string)) | | {…} |
## Outputs
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index 4a55de8ed..6bcc7ede5 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -47,6 +47,7 @@ locals {
for r in local._factory_rule_list : r.name => r
if contains(["EGRESS", "INGRESS"], r.direction)
}
+ # TODO: deprecate once FAST does not need this anymore
_named_ranges = merge(
(
var.factories_config.cidr_tpl_file != null
@@ -83,19 +84,25 @@ locals {
destination_ranges = (
try(rule.destination_ranges, null) == null
? null
- : flatten([
- for range in rule.destination_ranges :
- try(local._named_ranges[range], range)
- ])
+ : distinct(flatten([
+ for range in rule.destination_ranges : try(
+ local.ctx.cidr_ranges_sets[range],
+ local._named_ranges[range],
+ range
+ )
+ ]))
)
rules = { for k, v in rule.rules : k => v }
source_ranges = (
try(rule.source_ranges, null) == null
? null
- : flatten([
- for range in rule.source_ranges :
- try(local._named_ranges[range], range)
- ])
+ : distinct(flatten([
+ for range in rule.source_ranges : try(
+ local.ctx.cidr_ranges_sets[range],
+ local._named_ranges[range],
+ range
+ )
+ ]))
)
})
}
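Review bot: The new fallback chain resolves sets from `local.ctx.cidr_ranges_sets` but still routes single-range `$cidr_ranges:` tokens through `local._named_ranges`, which the first hunk now marks with a deprecation TODO; once that local is removed, `$cidr_ranges:` tokens would silently fall through to the literal string because `try()` swallows the lookup failure. Adding `local.ctx.cidr_ranges[range],` as an explicit branch between the set lookup and `local._named_ranges[range]` now would keep this module aligned with the net-firewall-policy expressions and survive that removal, assuming `local.ctx` exposes `cidr_ranges` here too (its construction is not in the diff). Also note the variable docs promise that null ranges become 0/0, but a set resolving to `[]` produces an empty list, not null, so that substitution does not apply; a comment at the `distinct(flatten(` line stating this would help. The enclosing `locals` block starts and ends outside the hunk.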
diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf
index 594492694..87e0db4cb 100644
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -17,10 +17,11 @@
variable "context" {
description = "Context-specific interpolations."
type = object({
- cidr_ranges = optional(map(string), {})
- iam_principals = optional(map(string), {})
- networks = optional(map(string), {})
- project_ids = optional(map(string), {})
+ cidr_ranges = optional(map(string), {})
+ cidr_ranges_sets = optional(map(list(string)), {})
+ iam_principals = optional(map(string), {})
+ networks = optional(map(string), {})
+ project_ids = optional(map(string), {})
})
default = {}
nullable = false
diff --git a/tests/modules/net_firewall_policy/context-g.tfvars b/tests/modules/net_firewall_policy/context-g.tfvars
index 7acda3c67..e1c888a4e 100644
--- a/tests/modules/net_firewall_policy/context-g.tfvars
+++ b/tests/modules/net_firewall_policy/context-g.tfvars
@@ -1,6 +1,14 @@
context = {
cidr_ranges = {
rfc1918-10 = "10.0.0.0/8"
+ test = "8.8.8.8"
+ }
+ cidr_ranges_sets = {
+ rfc1918 = [
+ "10.0.0.0/8",
+ "172.16.10.0/12",
+ "192.168.0.0/24"
+ ]
}
folder_ids = {
test = "folders/1234567890"
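Review bot: The fixture value `"172.16.10.0/12"` in the new rfc1918 set has host bits set and is not a network address; the line it replaces in the net_vpc_firewall fixture used `172.16.0.0/12`, so this looks like a typo that the expected outputs in the context-*.yaml files then bake in. If the intent is the RFC 1918 block, `"172.16.0.0/12"` is the value to use (the `/24` for 192.168.0.0 is similarly narrower than the RFC 1918 `/16`, though harmless for a fixture); how the provider treats a non-canonical CIDR is not visible here. The same set is duplicated in context-h.tfvars, context-r.tfvars and tests/modules/net_vpc_firewall/context.tfvars. None of the fixtures exercise an unresolved `$cidr_ranges_sets:` token or an empty set, which are the two cases where the new `try()` chain degrades silently.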
@@ -32,7 +40,7 @@ egress_rules = {
priority = 900
target_service_accounts = ["$iam_principals:test"]
match = {
- destination_ranges = ["$cidr_ranges:rfc1918-10"]
+ destination_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
layer4_configs = [{ protocol = "tcp", ports = ["25"] }]
source_tags = ["$tag_values:test"]
}
@@ -45,7 +53,7 @@ ingress_rules = {
target_resources = ["$networks:test"]
target_tags = ["$tag_values:test"]
match = {
- source_ranges = ["$cidr_ranges:rfc1918-10"]
+ source_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
layer4_configs = [{ protocol = "icmp" }]
}
}
diff --git a/tests/modules/net_firewall_policy/context-g.yaml b/tests/modules/net_firewall_policy/context-g.yaml
index 2a7569356..6928c8730 100644
--- a/tests/modules/net_firewall_policy/context-g.yaml
+++ b/tests/modules/net_firewall_policy/context-g.yaml
@@ -36,6 +36,10 @@ values:
dest_fqdns: null
dest_ip_ranges:
- 10.0.0.0/8
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 10.0.0.1/32
+ - 8.8.8.8
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
@@ -78,6 +82,10 @@ values:
src_fqdns: null
src_ip_ranges:
- 10.0.0.0/8
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 10.0.0.1/32
+ - 8.8.8.8
src_region_codes: null
src_secure_tags: []
src_threat_intelligences: null
diff --git a/tests/modules/net_firewall_policy/context-h.tfvars b/tests/modules/net_firewall_policy/context-h.tfvars
index 80eb44543..ab343a19c 100644
--- a/tests/modules/net_firewall_policy/context-h.tfvars
+++ b/tests/modules/net_firewall_policy/context-h.tfvars
@@ -1,6 +1,14 @@
context = {
cidr_ranges = {
rfc1918-10 = "10.0.0.0/8"
+ test = "8.8.8.8"
+ }
+ cidr_ranges_sets = {
+ rfc1918 = [
+ "10.0.0.0/8",
+ "172.16.10.0/12",
+ "192.168.0.0/24"
+ ]
}
folder_ids = {
test = "folders/1234567890"
@@ -30,7 +38,7 @@ egress_rules = {
smtp = {
priority = 900
match = {
- destination_ranges = ["$cidr_ranges:rfc1918-10"]
+ destination_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
layer4_configs = [{ protocol = "tcp", ports = ["25"] }]
}
}
@@ -42,7 +50,7 @@ ingress_rules = {
target_resources = ["$networks:test"]
target_service_accounts = ["$iam_principals:test"]
match = {
- source_ranges = ["$cidr_ranges:rfc1918-10"]
+ source_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
layer4_configs = [{ protocol = "icmp" }]
}
}
diff --git a/tests/modules/net_firewall_policy/context-h.yaml b/tests/modules/net_firewall_policy/context-h.yaml
index ebcbcc539..0cf3f04d1 100644
--- a/tests/modules/net_firewall_policy/context-h.yaml
+++ b/tests/modules/net_firewall_policy/context-h.yaml
@@ -33,6 +33,10 @@ values:
dest_fqdns: null
dest_ip_ranges:
- 10.0.0.0/8
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 10.0.0.1/32
+ - 8.8.8.8
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
@@ -71,6 +75,10 @@ values:
src_fqdns: null
src_ip_ranges:
- 10.0.0.0/8
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 10.0.0.1/32
+ - 8.8.8.8
src_region_codes: null
src_secure_tags: []
src_threat_intelligences: null
diff --git a/tests/modules/net_firewall_policy/context-r.tfvars b/tests/modules/net_firewall_policy/context-r.tfvars
index 9630d37be..6e437c5f8 100644
--- a/tests/modules/net_firewall_policy/context-r.tfvars
+++ b/tests/modules/net_firewall_policy/context-r.tfvars
@@ -1,6 +1,14 @@
context = {
cidr_ranges = {
rfc1918-10 = "10.0.0.0/8"
+ test = "8.8.8.8"
+ }
+ cidr_ranges_sets = {
+ rfc1918 = [
+ "10.0.0.0/8",
+ "172.16.10.0/12",
+ "192.168.0.0/24"
+ ]
}
folder_ids = {
test = "folders/1234567890"
@@ -32,7 +40,7 @@ egress_rules = {
priority = 900
target_service_accounts = ["$iam_principals:test"]
match = {
- destination_ranges = ["$cidr_ranges:rfc1918-10"]
+ destination_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
layer4_configs = [{ protocol = "tcp", ports = ["25"] }]
source_tags = ["$tag_values:test"]
}
@@ -45,7 +53,7 @@ ingress_rules = {
target_resources = ["$networks:test"]
target_tags = ["$tag_values:test"]
match = {
- source_ranges = ["$cidr_ranges:rfc1918-10"]
+ source_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
layer4_configs = [{ protocol = "icmp" }]
}
}
diff --git a/tests/modules/net_firewall_policy/context-r.yaml b/tests/modules/net_firewall_policy/context-r.yaml
index d68a05777..b65de4cb3 100644
--- a/tests/modules/net_firewall_policy/context-r.yaml
+++ b/tests/modules/net_firewall_policy/context-r.yaml
@@ -38,6 +38,10 @@ values:
dest_fqdns: null
dest_ip_ranges:
- 10.0.0.0/8
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 10.0.0.1/32
+ - 8.8.8.8
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
@@ -81,6 +85,10 @@ values:
src_fqdns: null
src_ip_ranges:
- 10.0.0.0/8
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 10.0.0.1/32
+ - 8.8.8.8
src_region_codes: null
src_secure_tags: []
src_threat_intelligences: null
diff --git a/tests/modules/net_vpc_firewall/context.tfvars b/tests/modules/net_vpc_firewall/context.tfvars
index 782617fe3..556b275b6 100644
--- a/tests/modules/net_vpc_firewall/context.tfvars
+++ b/tests/modules/net_vpc_firewall/context.tfvars
@@ -1,6 +1,14 @@
context = {
cidr_ranges = {
rfc1918-10 = "10.0.0.0/8"
+ test = "8.8.8.8"
+ }
+ cidr_ranges_sets = {
+ rfc1918 = [
+ "10.0.0.0/8",
+ "172.16.10.0/12",
+ "192.168.0.0/24"
+ ]
}
iam_principals = {
test = "serviceAccount:test@test-project.iam.gserviceaccount.com"
@@ -24,22 +32,20 @@ default_rules_config = {
ssh_ranges = ["$cidr_ranges:rfc1918-10"]
}
egress_rules = {
- allow-egress-rfc1918 = {
- deny = false
- description = "Allow egress."
- destination_ranges = [
- "$cidr_ranges:rfc1918-10", "172.16.0.0/12", "192.168.0.0/16"
- ]
- source_ranges = ["$cidr_ranges:rfc1918-10"]
+ egress-test = {
+ deny = false
+ description = "Allow egress."
+ destination_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
+ source_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
targets = ["$iam_principals:test"]
use_service_accounts = true
}
}
ingress_rules = {
- allow-ingress-tag = {
+ ingress-test = {
description = "Allow ingress."
- destination_ranges = ["$cidr_ranges:rfc1918-10"]
- source_ranges = ["$cidr_ranges:rfc1918-10"]
+ destination_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
+ source_ranges = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
sources = ["$iam_principals:test"]
targets = ["$iam_principals:test"]
use_service_accounts = true
diff --git a/tests/modules/net_vpc_firewall/context.yaml b/tests/modules/net_vpc_firewall/context.yaml
index 2ad022a5a..e2e16f234 100644
--- a/tests/modules/net_vpc_firewall/context.yaml
+++ b/tests/modules/net_vpc_firewall/context.yaml
@@ -99,7 +99,7 @@ values:
target_tags:
- ssh
timeouts: null
- google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
+ google_compute_firewall.custom-rules["egress-test"]:
allow:
- ports: []
protocol: all
@@ -107,25 +107,31 @@ values:
description: Allow egress.
destination_ranges:
- 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
+ - 10.0.0.1/32
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 8.8.8.8
direction: EGRESS
disabled: false
log_config: []
- name: allow-egress-rfc1918
+ name: egress-test
network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
params: []
priority: 1000
project: foo-test-0
source_ranges:
- 10.0.0.0/8
+ - 10.0.0.1/32
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 8.8.8.8
source_service_accounts: null
source_tags: null
target_service_accounts:
- serviceAccount:test@test-project.iam.gserviceaccount.com
target_tags: null
timeouts: null
- google_compute_firewall.custom-rules["allow-ingress-tag"]:
+ google_compute_firewall.custom-rules["ingress-test"]:
allow:
- ports: []
protocol: all
@@ -133,16 +139,24 @@ values:
description: Allow ingress.
destination_ranges:
- 10.0.0.0/8
+ - 10.0.0.1/32
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 8.8.8.8
direction: INGRESS
disabled: false
log_config: []
- name: allow-ingress-tag
+ name: ingress-test
network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
params: []
priority: 1000
project: foo-test-0
source_ranges:
- 10.0.0.0/8
+ - 10.0.0.1/32
+ - 172.16.10.0/12
+ - 192.168.0.0/24
+ - 8.8.8.8
source_service_accounts:
- serviceAccount:test@test-project.iam.gserviceaccount.com
source_tags: null