hunfabric/modules/net-firewall-policy/net-global.tf
Simon Roberts 26dbaa2d6e Enable terraform_naming_convention in tflint (#3930)
* Draft terraform_naming_convention

* Two fast/stages fixes for terraform_naming_convention

* Disable terraform_naming_convention for resources for now

* module fixes for terraform_naming_convention

* tfdoc

* Remove "moved" from recipe and needs-fixing

* Fix moved for spoke_ra

* fix tests

* Use default (snake_case) for resources

* factory.terraform_data.project-preconditions

* First-pass migration of resources + tests

* Fix tests/modules/organization

* Require snake_case for variables; Add annotations for _testing

* permit _fast_debug variable

* Fix net_vpc_factory and net_vpc_firewall tests

* tfdoc addons and recipe

* Fix more tests

* Fix some net-global -> net_global tests

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2026-05-06 06:06:26 +00:00


/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# State migration for the snake_case rename (net-global -> net_global): keeps
# the existing policy in state instead of destroying and recreating it.
moved {
  from = google_compute_network_firewall_policy.net-global
  to   = google_compute_network_firewall_policy.net_global
}
# Global network firewall policy. Created only when neither the hierarchical
# nor the regional variant of the module is selected, so the three variants
# never coexist for one module instance.
resource "google_compute_network_firewall_policy" "net_global" {
  count = local.use_hierarchical || local.use_regional ? 0 : 1
  # parent_id may be a key of the context map or a literal project id; the
  # lookup default passes an unknown value through unchanged.
  project     = lookup(local.ctx.project_ids, var.parent_id, var.parent_id)
  name        = var.name
  description = var.description
}
# State migration for the snake_case rename of the association resource.
moved {
  from = google_compute_network_firewall_policy_association.net-global
  to   = google_compute_network_firewall_policy_association.net_global
}
# One association per entry of var.attachments: the key becomes the suffix of
# the association name, the value names the target network (a context key or
# a literal network id). The [0] index on the policy is safe because this
# for_each is empty exactly when the policy count is 0.
resource "google_compute_network_firewall_policy_association" "net_global" {
  for_each = (
    local.use_hierarchical || local.use_regional ? {} : var.attachments
  )
  project           = lookup(local.ctx.project_ids, var.parent_id, var.parent_id)
  name              = "${var.name}-${each.key}"
  attachment_target = lookup(local.ctx.networks, each.value, each.value)
  firewall_policy   = google_compute_network_firewall_policy.net_global[0].name
}
# State migration for the snake_case rename of the rule resource.
moved {
  from = google_compute_network_firewall_policy_rule.net-global
  to   = google_compute_network_firewall_policy_rule.net_global
}
# One rule per entry of local.rules, only for the global policy variant.
# Every symbolic reference (ranges, principals, tags, profile groups) is
# resolved through the context maps with a pass-through default, so an
# unknown name is sent to the API as a literal rather than failing at plan.
resource "google_compute_network_firewall_policy_rule" "net_global" {
  # Iterate over the key list rather than the map itself: Terraform's type
  # system rejects the locals map inside the conditional.
  for_each = toset(
    local.use_hierarchical || local.use_regional
    ? []
    : keys(local.rules)
  )
  project         = lookup(local.ctx.project_ids, var.parent_id, var.parent_id)
  firewall_policy = google_compute_network_firewall_policy.net_global[0].name
  rule_name       = local.rules[each.key].name
  priority        = local.rules[each.key].priority
  direction       = local.rules[each.key].direction
  action          = local.rules[each.key].action
  description     = local.rules[each.key].description
  disabled        = local.rules[each.key].disabled
  enable_logging  = local.rules[each.key].enable_logging
  tls_inspect     = local.rules[each.key].tls_inspect
  # Service accounts may be given as ctx.iam_principals keys or as literals.
  target_service_accounts = (
    local.rules[each.key].target_service_accounts != null
    ? [
      for sa in local.rules[each.key].target_service_accounts :
      lookup(local.ctx.iam_principals, sa, sa)
    ]
    : null
  )
  # Either a key of var.security_profile_group_ids or a full resource id.
  security_profile_group = try(
    var.security_profile_group_ids[local.rules[each.key].security_profile_group],
    local.rules[each.key].security_profile_group
  )
  match {
    # A range entry may name a CIDR set, a single named CIDR, or be a literal;
    # sets are flattened and the result deduplicated.
    dest_ip_ranges = (
      local.rules[each.key].match.destination_ranges != null
      ? distinct(flatten([
        for r in local.rules[each.key].match.destination_ranges :
        try(local.ctx.cidr_ranges_sets[r], local.ctx.cidr_ranges[r], r)
      ]))
      : null
    )
    src_ip_ranges = (
      local.rules[each.key].match.source_ranges != null
      ? distinct(flatten([
        for r in local.rules[each.key].match.source_ranges :
        try(local.ctx.cidr_ranges_sets[r], local.ctx.cidr_ranges[r], r)
      ]))
      : null
    )
    # Address groups, FQDNs, region codes and threat-intelligence lists are
    # destination attributes for EGRESS rules and source attributes for
    # INGRESS rules; the other side is always left unset.
    dest_address_groups = (
      local.rules[each.key].direction != "EGRESS"
      ? null
      : local.rules[each.key].match.address_groups
    )
    dest_fqdns = (
      local.rules[each.key].direction != "EGRESS"
      ? null
      : local.rules[each.key].match.fqdns
    )
    dest_region_codes = (
      local.rules[each.key].direction != "EGRESS"
      ? null
      : local.rules[each.key].match.region_codes
    )
    dest_threat_intelligences = (
      local.rules[each.key].direction != "EGRESS"
      ? null
      : local.rules[each.key].match.threat_intelligences
    )
    src_address_groups = (
      local.rules[each.key].direction != "INGRESS"
      ? null
      : local.rules[each.key].match.address_groups
    )
    src_fqdns = (
      local.rules[each.key].direction != "INGRESS"
      ? null
      : local.rules[each.key].match.fqdns
    )
    src_region_codes = (
      local.rules[each.key].direction != "INGRESS"
      ? null
      : local.rules[each.key].match.region_codes
    )
    src_threat_intelligences = (
      local.rules[each.key].direction != "INGRESS"
      ? null
      : local.rules[each.key].match.threat_intelligences
    )
    dynamic "layer4_configs" {
      for_each = local.rules[each.key].match.layer4_configs
      content {
        ip_protocol = layer4_configs.value.protocol
        ports       = layer4_configs.value.ports
      }
    }
    # Source secure tags: ctx.tag_values keys or literal tag value ids. For a
    # set-typed for_each the iterator's key and value are the same element.
    dynamic "src_secure_tags" {
      for_each = toset(coalesce(local.rules[each.key].match.source_tags, []))
      content {
        name = lookup(
          local.ctx.tag_values, src_secure_tags.value, src_secure_tags.value
        )
      }
    }
  }
  # Target secure tags restrict which instances the rule applies to.
  dynamic "target_secure_tags" {
    for_each = toset(
      local.rules[each.key].target_tags != null
      ? local.rules[each.key].target_tags
      : []
    )
    content {
      name = lookup(
        local.ctx.tag_values, target_secure_tags.value, target_secure_tags.value
      )
    }
  }
}
# State migration for the snake_case rename of the packet mirroring rule.
moved {
  from = google_compute_network_firewall_policy_packet_mirroring_rule.net-global
  to   = google_compute_network_firewall_policy_packet_mirroring_rule.net_global
}
# One packet mirroring rule per entry of local.mirroring_rules, only for the
# global policy variant. Uses the beta provider. Symbolic references are
# resolved through the context maps with a pass-through default, so an
# unknown name reaches the API as a literal rather than failing at plan.
resource "google_compute_network_firewall_policy_packet_mirroring_rule" "net_global" {
  provider = google-beta
  for_each = toset(
    local.use_hierarchical || local.use_regional
    ? []
    : keys(local.mirroring_rules)
  )
  project         = lookup(local.ctx.project_ids, var.parent_id, var.parent_id)
  firewall_policy = google_compute_network_firewall_policy.net_global[0].name
  rule_name       = local.mirroring_rules[each.key].name
  priority        = local.mirroring_rules[each.key].priority
  direction       = local.mirroring_rules[each.key].direction
  action          = local.mirroring_rules[each.key].action
  description     = local.mirroring_rules[each.key].description
  disabled        = local.mirroring_rules[each.key].disabled
  tls_inspect     = local.mirroring_rules[each.key].tls_inspect
  # Either a key of var.security_profile_group_ids or a full resource id.
  security_profile_group = try(
    var.security_profile_group_ids[local.mirroring_rules[each.key].security_profile_group],
    local.mirroring_rules[each.key].security_profile_group
  )
  match {
    # A range entry may name a CIDR set, a single named CIDR, or be a literal;
    # sets are flattened and the result deduplicated.
    dest_ip_ranges = (
      local.mirroring_rules[each.key].match.destination_ranges != null
      ? distinct(flatten([
        for r in local.mirroring_rules[each.key].match.destination_ranges :
        try(local.ctx.cidr_ranges_sets[r], local.ctx.cidr_ranges[r], r)
      ]))
      : null
    )
    src_ip_ranges = (
      local.mirroring_rules[each.key].match.source_ranges != null
      ? distinct(flatten([
        for r in local.mirroring_rules[each.key].match.source_ranges :
        try(local.ctx.cidr_ranges_sets[r], local.ctx.cidr_ranges[r], r)
      ]))
      : null
    )
    dynamic "layer4_configs" {
      for_each = local.mirroring_rules[each.key].match.layer4_configs
      content {
        ip_protocol = layer4_configs.value.protocol
        ports       = layer4_configs.value.ports
      }
    }
  }
  # Target secure tags: ctx.tag_values keys or literal tag value ids.
  dynamic "target_secure_tags" {
    for_each = toset(
      local.mirroring_rules[each.key].target_tags != null
      ? local.mirroring_rules[each.key].target_tags
      : []
    )
    content {
      name = lookup(
        local.ctx.tag_values, target_secure_tags.value, target_secure_tags.value
      )
    }
  }
}