This module creates Global or Regional Network Firewall Policies and their rules, and can attach a network firewall policy to multiple VPCs. A Regional network firewall policy is created when a value is provided for the variable `policy_region`; otherwise a Global network firewall policy is created. The module can create both Cloud Firewall Essentials and Cloud Firewall Standard tier rules. Firewall rules and target VPC attachment are optional. Details of the `rules` variable are described in the rule format section below. The high level format of this module is as follows:
```hcl
module "network_firewall_policy" {
  source  = "terraform-google-modules/network/google//modules/network-firewall-policy"
  version = "~> 11.0"

  project_id  = var.project_id
  policy_name = "my-firewall-policy"
  description = "Test firewall policy"
  target_vpcs = [var.vpc1_id, var.vpc2_id]
  rules = [
    {},
    {},
  ]
}
```
Examples for global and regional firewall policies are included in the examples folder. Basic usage of this module is as follows:
```hcl
module "network_firewall_policy" {
  source  = "terraform-google-modules/network/google//modules/network-firewall-policy"
  version = "~> 11.0"

  project_id  = var.project_id
  policy_name = "my-firewall-policy"
  description = "Test firewall policy"
  target_vpcs = [var.vpc1_id, var.vpc2_id]
  rules = [
    {
      # Ingress rule matched on source attributes (IP ranges, FQDNs, region codes,
      # threat intelligence lists, secure tags and address groups).
      priority       = "1"
      direction      = "INGRESS"
      action         = "allow"
      rule_name      = "ingress-1"
      description    = "test ingress rule 1"
      enable_logging = true
      match = {
        src_ip_ranges            = ["10.100.0.1/32"]
        src_fqdns                = ["google.com"]
        src_region_codes         = ["US"]
        src_threat_intelligences = ["iplist-public-clouds"]
        src_secure_tags          = ["tagValues/${google_tags_tag_value.tag_value.name}"]
        src_address_groups       = [google_network_security_address_group.networksecurity_address_group.id]
        layer4_configs = [
          {
            ip_protocol = "all"
          },
        ]
      }
    },
    {
      # Disabled ingress rule scoped to instances running a given service account.
      priority                = "3"
      direction               = "INGRESS"
      action                  = "allow"
      rule_name               = "ingress-3"
      disabled                = true
      description             = "test ingress rule 3"
      enable_logging          = true
      target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"]
      match = {
        src_ip_ranges  = ["10.100.0.3/32"]
        dest_ip_ranges = ["10.100.0.103/32"]
        layer4_configs = [
          {
            ip_protocol = "tcp"
            ports       = ["80"]
          },
        ]
      }
    },
    {
      # Egress rule matched on destination attributes.
      priority       = "101"
      direction      = "EGRESS"
      action         = "allow"
      rule_name      = "egress-101"
      description    = "test egress rule 101"
      enable_logging = true
      match = {
        src_ip_ranges             = ["10.100.0.2/32"]
        dest_fqdns                = ["google.org"]
        dest_region_codes         = ["US"]
        dest_threat_intelligences = ["iplist-public-clouds"]
        dest_address_groups       = [google_network_security_address_group.networksecurity_address_group.id]
        layer4_configs = [
          {
            ip_protocol = "all"
          },
        ]
      }
    },
    {
      # Disabled egress rule with individual ports and a port range.
      priority                = "103"
      direction               = "EGRESS"
      action                  = "allow"
      rule_name               = "egress-103"
      disabled                = true
      description             = "test egress rule 103"
      enable_logging          = true
      target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"]
      match = {
        dest_ip_ranges = ["10.100.0.103/32"]
        layer4_configs = [
          {
            ip_protocol = "tcp"
            ports       = ["80", "8080", "8081-8085"]
          },
        ]
      }
    },
  ]
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
description | An optional description of this resource. Provide this property when you create the resource | string | null | no |
policy_name | User-provided name of the Network firewall policy | string | n/a | yes |
policy_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | string | null | no |
project_id | Project ID of the Network firewall policy | string | n/a | yes |
rules | List of Ingress/Egress rules | list(object({…})) | [] | no |
target_vpcs | List of target VPC IDs that the firewall policy will be attached to | list(string) | [] | no |
Name | Description |
---|---|
fw_policy | Firewall policy created |
rules | Firewall policy rules created |
vpc_associations | VPC associations created |
In a firewall policy rule, you specify a set of components that define what the rule does. Some of the values are optional and some have default values; see Inputs. For sample code, check the global and regional examples folders. The global folder also contains an example of an Out-of-band Network Security Integration firewall rule.
- `priority`: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647 and has to be unique for every rule.
- `action`: The action to perform when the client connection triggers the rule. Valid actions are `"allow"`, `"deny"`, `"goto_next"`, `"apply_security_profile_group"`, `"mirror"` and `"do_not_mirror"`. `"mirror"` and `"do_not_mirror"` can be used only if `is_mirroring` is set to `true`.
- `dest_fqdns`, `dest_region_codes`, `dest_threat_intelligences` and `dest_address_groups` values are not needed and are ignored by this module for `INGRESS` rules.
- `src_fqdns`, `src_region_codes`, `src_threat_intelligences` and `src_address_groups` values are not needed and are ignored by this module for `EGRESS` rules.
- `target_secure_tags` may not be set at the same time as `target_service_accounts`. When both `target_service_accounts` and `target_secure_tags` are provided, this module will generate an error message.
- `layer4_configs` is a list of maps with the following keys:
  - `ip_protocol`: IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (`tcp`, `udp`, `icmp`, `esp`, `ah`, `ipip`, `sctp`) or the IP protocol number.
  - `ports`: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port.
- `tls_inspect`: Boolean flag indicating whether the traffic should be TLS decrypted. Can be set only if `action = "mirror"` and cannot be set for other actions.
- `is_mirroring`: Boolean flag indicating a packet mirroring rule.
```hcl
{
  priority       = 1
  direction      = "INGRESS"
  action         = "allow" # action values are quoted strings
  rule_name      = "my-test-policy"
  disabled       = false
  description    = "My test firewall policy"
  enable_logging = true
  # target_secure_tags and target_service_accounts are mutually exclusive;
  # set only one of them, otherwise the module raises an error.
  target_secure_tags = ["tagValues/${google_tags_tag_value.tag_value.name}"]
  # target_service_accounts = ["fw-test-svc-acct@my-project-id.iam.gserviceaccount.com"]
  match = {
    src_ip_ranges             = ["10.100.0.2"]
    src_fqdns                 = []
    src_region_codes          = []
    src_threat_intelligences  = []
    src_secure_tags           = []
    src_address_groups        = []
    dest_ip_ranges            = ["10.100.100.2"]
    dest_fqdns                = []
    dest_region_codes         = []
    dest_threat_intelligences = []
    dest_address_groups       = []
    layer4_configs = [
      {
        ip_protocol = "tcp"
        ports       = ["80", "8080", "8081-8085"]
      },
    ]
  }
  is_mirroring              = false
  tls_inspect               = null
  security_profile_group_id = null
}
```
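The constraints listed above (priority range and uniqueness, the valid `action` set, `mirror`/`do_not_mirror` requiring `is_mirroring`, `tls_inspect` only with `mirror`, the `target_secure_tags`/`target_service_accounts` exclusion, direction-specific `match` keys the module ignores, and `ports` only for TCP/UDP) are easy to get wrong in a long `rules` list. The following pre-apply lint is an added example, not part of the module: it takes the `rules` list as plain Python dicts mirroring the HCL objects and reports every violation before `terraform plan` is run. The sample rules at the bottom are constructed for this example; `"all"` as an `ip_protocol` is accepted because the module's own usage example above uses it.

```python
"""Pre-apply lint for the network-firewall-policy module's `rules` list.

Added example: re-checks the constraints documented in the rule format
section on a list of dicts shaped like the HCL rule objects.
"""

VALID_ACTIONS = {"allow", "deny", "goto_next", "apply_security_profile_group",
                 "mirror", "do_not_mirror"}
MIRROR_ACTIONS = {"mirror", "do_not_mirror"}
PRIORITY_MAX = 2147483647
WELL_KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "ipip", "sctp", "all"}
PORT_PROTOCOLS = {"tcp", "udp"}
# match keys the module ignores for a given direction
DEST_ONLY_KEYS = ("dest_fqdns", "dest_region_codes", "dest_threat_intelligences", "dest_address_groups")
SRC_ONLY_KEYS = ("src_fqdns", "src_region_codes", "src_threat_intelligences", "src_address_groups")


def _valid_port(entry):
    """Accept '80' or '8081-8085' with both ends in 0..65535 and low <= high."""
    parts = str(entry).split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(0 <= n <= 65535 for n in nums) and nums[0] <= nums[-1]


def lint_rules(rules):
    """Return a list of (rule_name, message) findings; an empty list means the rules passed."""
    findings = []
    seen_priorities = {}
    for rule in rules:
        name = rule.get("rule_name", "<unnamed>")
        add = lambda msg, n=name: findings.append((n, msg))

        # priority: integer, within range and unique across the policy
        raw = rule.get("priority")
        try:
            prio = int(raw)
        except (TypeError, ValueError):
            add(f"priority {raw!r} is not an integer")
        else:
            if not 0 <= prio <= PRIORITY_MAX:
                add(f"priority {prio} is outside 0..{PRIORITY_MAX}")
            elif prio in seen_priorities:
                add(f"priority {prio} already used by rule {seen_priorities[prio]!r}")
            else:
                seen_priorities[prio] = name

        # action and the flags that depend on it
        action = rule.get("action")
        if action not in VALID_ACTIONS:
            add(f"action {action!r} is not one of {sorted(VALID_ACTIONS)}")
        if action in MIRROR_ACTIONS and not rule.get("is_mirroring", False):
            add(f"action {action!r} requires is_mirroring = true")
        if rule.get("tls_inspect") is not None and action != "mirror":
            add("tls_inspect may only be set when action = 'mirror'")

        # secure tags and service accounts are mutually exclusive targets
        if rule.get("target_secure_tags") and rule.get("target_service_accounts"):
            add("target_secure_tags and target_service_accounts cannot both be set")

        # direction-specific match keys that the module would silently ignore
        direction = rule.get("direction")
        match = rule.get("match") or {}
        if direction == "INGRESS":
            ignored = DEST_ONLY_KEYS
        elif direction == "EGRESS":
            ignored = SRC_ONLY_KEYS
        else:
            ignored = ()
            add(f"direction {direction!r} must be INGRESS or EGRESS")
        for key in ignored:
            if match.get(key):
                add(f"match.{key} is ignored for {direction} rules")

        # layer4_configs: protocol is required, ports only make sense for tcp/udp
        for cfg in match.get("layer4_configs") or []:
            proto = cfg.get("ip_protocol")
            if proto is None:
                add("layer4_configs entry is missing ip_protocol")
                continue
            proto = str(proto).lower()
            if proto not in WELL_KNOWN_PROTOCOLS and not proto.isdigit():
                add(f"ip_protocol {proto!r} is neither a well-known name nor a protocol number")
            if cfg.get("ports") and proto not in PORT_PROTOCOLS:
                add(f"ports are only valid for tcp/udp, not {proto!r}")
            for port in cfg.get("ports") or []:
                if not _valid_port(port):
                    add(f"port entry {port!r} must be an integer or a range like 8081-8085")
    return findings


# Constructed sample input: two rules that break documented constraints and one clean rule.
SAMPLE_RULES = [
    {"priority": 1, "direction": "INGRESS", "action": "mirror", "rule_name": "bad-ingress",
     "target_secure_tags": ["tagValues/123"],
     "target_service_accounts": ["svc@my-project-id.iam.gserviceaccount.com"],
     "match": {"src_ip_ranges": ["10.100.0.2/32"], "dest_fqdns": ["example.com"],
               "layer4_configs": [{"ip_protocol": "icmp", "ports": ["80"]}]}},
    {"priority": 1, "direction": "EGRESS", "action": "allow", "rule_name": "dup-priority",
     "tls_inspect": True,
     "match": {"dest_ip_ranges": ["10.100.100.2/32"],
               "layer4_configs": [{"ip_protocol": "tcp", "ports": ["80", "8081-8085"]}]}},
    {"priority": 2, "direction": "INGRESS", "action": "allow", "rule_name": "clean-ingress",
     "target_service_accounts": ["svc@my-project-id.iam.gserviceaccount.com"],
     "match": {"src_ip_ranges": ["10.100.0.3/32"],
               "layer4_configs": [{"ip_protocol": "tcp", "ports": ["443"]}]}},
]

if __name__ == "__main__":
    for rule_name, message in lint_rules(SAMPLE_RULES):
        print(f"{rule_name}: {message}")
```

Run it against the rules before `terraform plan`; the first two sample rules produce six findings between them and the third produces none. Wiring it to a real configuration only needs the `rules` list exported as JSON (for example from `terraform console` or the tfvars file) and loaded with `json.load`.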
- Terraform >= 1.3
- Terraform Provider for GCP >= 6.28
- Terraform Provider for GCP Beta >= 6.28
In order to execute this module you must have a Service Account with the following roles:
- roles/compute.securityAdmin
- roles/compute.networkAdmin
In order to operate with the Service Account you must activate the following API on the project where the Service Account was created:
- compute.googleapis.com
- networksecurity.googleapis.com