diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf index ec4670cd31..695e75cf33 100644 --- a/fast/stages/2-networking-a-simple/main.tf +++ b/fast/stages/2-networking-a-simple/main.tf @@ -51,19 +51,4 @@ module "folder" { ? {} : { (var.essential_contacts) = ["ALL"] } ) - firewall_policy = { - name = "default" - policy = module.firewall-policy-default.id - } } - -module "firewall-policy-default" { - source = "../../../modules/net-firewall-policy" - name = var.factories_config.firewall_policy_name - parent_id = module.folder.id - factories_config = { - cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml" - ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml" - } -} - diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf index 48901a5d6d..43686fd4cc 100644 --- a/fast/stages/2-networking-a-simple/net-dev.tf +++ b/fast/stages/2-networking-a-simple/net-dev.tf @@ -33,11 +33,6 @@ module "dev-spoke-project" { "stackdriver.googleapis.com", "vpcaccess.googleapis.com" ], - ( - var.ngfw_enterprise_config.enabled - ? ["networksecurity.googleapis.com"] - : [] - ), ( var.fast_features.gcve ? ["vmwareengine.googleapis.com"] 
@@ -107,67 +102,6 @@ module "dev-spoke-vpc" { } } -resource "google_network_security_security_profile" "dev_sec_profile" { - count = var.ngfw_enterprise_config.enabled ? 1 : 0 - name = "${var.prefix}-dev-sp-0" - type = "THREAT_PREVENTION" - parent = "organizations/${var.organization.id}" - location = "global" -} - -resource "google_network_security_security_profile_group" "dev_sec_profile_group" { - count = var.ngfw_enterprise_config.enabled ? 1 : 0 - name = "${var.prefix}-dev-spg-0" - parent = "organizations/${var.organization.id}" - location = "global" - description = "Dev security profile group." - threat_prevention_profile = try(google_network_security_security_profile.dev_sec_profile[0].id) -} - -resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_association" { - for_each = ( - var.ngfw_enterprise_config.enabled - ? toset(local.ngfw_endpoint_locations) - : toset([]) - ) - name = "${var.prefix}-dev-endpoint-association-${each.key}" - parent = module.dev-spoke-project.project_id - location = each.value.zone - firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id - network = module.dev-spoke-vpc.self_link -} - -module "dev-firewall-policy" { - source = "../../../modules/net-firewall-policy" - name = "${var.prefix}-dev-fw-policy" - parent_id = module.dev-spoke-project.project_id - security_profile_group_ids = { - dev = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.dev_sec_profile_group[0].id, "")}" - } - attachments = { - dev-spoke = module.dev-spoke-vpc.self_link - } - factories_config = { - cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml" - egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/egress.yaml" - ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/ingress.yaml" - } -} - -module "dev-spoke-firewall" { - count = var.ngfw_enterprise_config.enabled ? 
0 : 1 - source = "../../../modules/net-vpc-firewall" - project_id = module.dev-spoke-project.project_id - network = module.dev-spoke-vpc.name - default_rules_config = { - disabled = true - } - factories_config = { - cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml" - rules_folder = "${var.factories_config.data_dir}/firewall-rules/dev" - } -} - module "dev-spoke-cloudnat" { source = "../../../modules/net-cloudnat" for_each = toset(var.enable_cloud_nat ? values(module.dev-spoke-vpc.subnet_regions) : []) diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf index 7cb1376ade..088ec9065b 100644 --- a/fast/stages/2-networking-a-simple/net-landing.tf +++ b/fast/stages/2-networking-a-simple/net-landing.tf @@ -74,19 +74,6 @@ module "landing-vpc" { } } -module "landing-firewall" { - source = "../../../modules/net-vpc-firewall" - project_id = module.landing-project.project_id - network = module.landing-vpc.name - default_rules_config = { - disabled = true - } - factories_config = { - cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml" - rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing" - } -} - module "landing-nat-primary" { source = "../../../modules/net-cloudnat" count = var.enable_cloud_nat ? 1 : 0 diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf index fe2d0b6b55..126ad720f1 100644 --- a/fast/stages/2-networking-a-simple/net-prod.tf +++ b/fast/stages/2-networking-a-simple/net-prod.tf 
@@ -95,19 +95,6 @@ module "prod-spoke-vpc" { } } -module "prod-spoke-firewall" { - source = "../../../modules/net-vpc-firewall" - project_id = module.prod-spoke-project.project_id - network = module.prod-spoke-vpc.name - default_rules_config = { - disabled = true - } - factories_config = { - cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml" - rules_folder = "${var.factories_config.data_dir}/firewall-rules/prod" - } -} - module "prod-spoke-cloudnat" { source = "../../../modules/net-cloudnat" for_each = toset(var.enable_cloud_nat ? values(module.prod-spoke-vpc.subnet_regions) : []) diff --git a/fast/stages/2-networking-a-simple/variables.tf b/fast/stages/2-networking-a-simple/variables.tf index 3a89c155f2..a4255d630d 100644 --- a/fast/stages/2-networking-a-simple/variables.tf +++ b/fast/stages/2-networking-a-simple/variables.tf @@ -87,17 +87,6 @@ variable "factories_config" { } } -variable "ngfw_enterprise_config" { - description = "NGFW Enterprise configuration." - type = object({ - enabled = optional(bool, false) - endpoint_primary_region_zones = optional(set(string), ["a", "b", "c"]) - endpoint_secondary_region_zones = optional(set(string), ["a", "b", "c"]) - }) - nullable = false - default = {} -} - variable "outputs_location" { description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable." type = string diff --git a/fast/stages/3-ngfw-enterprise/README.md b/fast/stages/3-ngfw-enterprise/README.md new file mode 100644 index 0000000000..fed0b85c90 --- /dev/null +++ b/fast/stages/3-ngfw-enterprise/README.md @@ -0,0 +1,8 @@ +# Network Security + +This stage sets up the network firewall, including hierarchical firewall policies, network firewall policies and -optionally- NGFW Enterprise. + +... + + + diff --git a/fast/stages/3-ngfw-enterprise/data/cidrs.yaml b/fast/stages/3-ngfw-enterprise/data/cidrs.yaml new file mode 100644 index 0000000000..3591e95a0a --- /dev/null 
+++ b/fast/stages/3-ngfw-enterprise/data/cidrs.yaml
@@ -0,0 +1,18 @@
+# skip boilerplate check
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
+healthchecks:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+
+rfc1918:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+
+onprem_probes:
+ - 10.255.255.254/32
diff --git a/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/egress.yaml b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/egress.yaml
new file mode 100644
index 0000000000..1f544949bb
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/egress.yaml
@@ -0,0 +1,18 @@
+# skip boilerplate check
+
+egress-allow-rfc1918:
+ description: "Allow all hosts to RFC-1918"
+ priority: 2147483642
+ match:
+ destination_ranges:
+ - rfc1918
+ action: "allow"
+
+egress-inspect-internet:
+ description: "Inspect egress traffic from all dev hosts to Internet"
+ priority: 2147483643
+ match:
+ destination_ranges:
+ - "0.0.0.0/0"
+ action: "apply_security_profile_group"
+ security_profile_group: "dev"
diff --git a/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/ingress.yaml b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/ingress.yaml
new file mode 100644
index 0000000000..ee28dfc47c
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/ingress.yaml
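Review bot: The `healthchecks` and `onprem_probes` groups defined here are not referenced by any rule file in this commit, and both ingress rule files ship only commented-out examples, so the network firewall policies attached to the spokes carry no ingress allow rules at all. Since the same commit removes the `net-vpc-firewall` factories from 2-networking, Google health-check ranges reaching load-balanced backends in the spokes have no visible allow; hedged, because a hierarchical policy outside this diff could still provide one. Either add a real ingress rule that uses `healthchecks` (e.g. `ingress-allow-healthchecks` with `source_ranges: [healthchecks]` and `action: "allow"`), or drop the unused groups so the file does not suggest a rule that does not exist. A comment such as `# healthchecks: Google LB health-check ranges; referenced by ingress rules` would make the intent explicit.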
@@ -0,0 +1,21 @@
+# skip boilerplate check
+
+# Following are some NGFW Enterprise ingress rules examples
+
+# ingress-allow-inspect-cross:
+# description: "Allow and inspect cross-env traffic from prod."
+# priority: 1
+# match:
+# source_ranges:
+# - prod (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "dev"
+
+# ingress-allow-inspect-intra:
+# description: "Allow and inspect same-env (intra-vpc) traffic."
+# priority: 2
+# match:
+# source_ranges:
+# - dev (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "dev"
diff --git a/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/egress.yaml b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/egress.yaml
new file mode 100644
index 0000000000..6d23be3211
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/egress.yaml
@@ -0,0 +1,18 @@
+# skip boilerplate check
+
+egress-allow-rfc1918:
+ description: "Allow all hosts to RFC-1918"
+ priority: 2147483642
+ match:
+ destination_ranges:
+ - rfc1918
+ action: "allow"
+
+egress-inspect-internet:
+ description: "Inspect egress traffic from all prod hosts to Internet"
+ priority: 2147483643
+ match:
+ destination_ranges:
+ - "0.0.0.0/0"
+ action: "apply_security_profile_group"
+ security_profile_group: "prod"
diff --git a/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/ingress.yaml b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/ingress.yaml
new file mode 100644
index 0000000000..f8a2f78ac6
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/ingress.yaml
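Review bot: In the prod egress rules, `egress-allow-rfc1918` (priority 2147483642) wins over `egress-inspect-internet` (2147483643) for every private destination, so all egress from prod hosts to RFC-1918 space — including cross-environment traffic toward dev and on-prem — is allowed without NGFW inspection, and only Internet-bound flows hit the security profile group; the dev file has the same shape. If that is the intended posture the descriptions should say so, e.g. `description: "Allow all hosts to RFC-1918 (not inspected by NGFW)"`, because "Inspect egress traffic from all prod hosts to Internet" currently reads as if inspection covered everything. Note also that the inspect rule is an allow-with-inspection of `0.0.0.0/0` for every prod host, which is a broad default worth stating in the stage README alongside the cross-env examples that are still commented out in the ingress file.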
@@ -0,0 +1,21 @@
+# skip boilerplate check
+
+# Following are some NGFW Enterprise ingress rules examples
+
+# ingress-allow-inspect-cross:
+# description: "Allow and inspect cross-env traffic."
+# priority: 1
+# match:
+# source_ranges:
+# - dev (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "prod"
+
+# ingress-allow-inspect-intra:
+# description: "Allow and inspect intra-VPC traffic."
+# priority: 2
+# match:
+# source_ranges:
+# - prod (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "prod"
diff --git a/fast/stages/2-networking-a-simple/ngfw-enterprise.tf b/fast/stages/3-ngfw-enterprise/main.tf
similarity index 56%
rename from fast/stages/2-networking-a-simple/ngfw-enterprise.tf
rename to fast/stages/3-ngfw-enterprise/main.tf
index 1b01f2f48e..2c6791d0d9 100644
--- a/fast/stages/2-networking-a-simple/ngfw-enterprise.tf
+++ b/fast/stages/3-ngfw-enterprise/main.tf
@@ -17,34 +17,24 @@
 # tfdoc:file:description Next-Generation Firewall Enterprise configuration.
 locals {
- # Renders to
- # {
- # euw1a = {
- # region = europe-west1
- # zone = europe-west1-a
- # },
- # ...
- # }
- ngfw_endpoint_locations = merge(
- {
- for zone in var.ngfw_enterprise_config.endpoint_primary_region_zones
- : "${local.region_shortnames[var.regions.primary]}${zone}"
- => { region = var.regions.primary, zone = "${var.regions.primary}-${zone}" }
- },
- {
- for zone in var.ngfw_enterprise_config.endpoint_secondary_region_zones
- : "${local.region_shortnames[var.regions.secondary]}${zone}"
- => { region = var.regions.secondary, zone = "${var.regions.secondary}-${zone}" }
- }
- )
+ enabled_vpcs = {
+ dev-spoke-0 = try(var.vpc_self_links.dev-spoke0, null) != null
+ prod-spoke-0 = try(var.vpc_self_links.prod-spoke0, null) != null
+ }
+}
+
+module "landing-project" {
+ source = "../../../modules/project"
+ billing_account = var.billing_account.id
+ name = "prod-net-landing-0"
+ parent = var.folder_ids.networking-prod
+ prefix = var.prefix
+ project_create = false
+ services = ["networksecurity.googleapis.com"]
 }
 resource "google_network_security_firewall_endpoint" "firewall_endpoint" {
- for_each = (
- var.ngfw_enterprise_config.enabled
- ? toset(local.ngfw_endpoint_locations)
- : toset([])
- )
+ for_each = toset(var.ngfw_enterprise_config.endpoint_zones)
 name = "${var.prefix}-ngfw-endpoint-${each.key}"
 parent = "organizations/${var.organization.id}"
 location = each.value.zone
diff --git a/fast/stages/3-ngfw-enterprise/net-dev.tf b/fast/stages/3-ngfw-enterprise/net-dev.tf
new file mode 100644
index 0000000000..27dbb28cec
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/net-dev.tf
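Review bot: The retained context line `location = each.value.zone` no longer evaluates once `for_each` becomes `toset(var.ngfw_enterprise_config.endpoint_zones)`: each element is now a plain zone string with no `.zone` attribute, so it should read `location = each.value`. The new `enabled_vpcs` locals look up `var.vpc_self_links.dev-spoke0` and `prod-spoke0`, while `variables-fast.tf` in this same commit declares the keys as `dev-spoke-0` and `prod-spoke-0`, so the `try()` always falls back to `null` and both flags are permanently false — `dev-spoke-0 = var.vpc_self_links.dev-spoke-0 != null` (and likewise for prod). Separately, `landing-project` enables `networksecurity.googleapis.com` but nothing in this stage attaches a firewall policy to the landing VPC, while the commit removes the landing VPC firewall factory from 2-networking; as far as this diff shows, the landing network is left with no rules, which deserves either a policy here or a note in the README. The `firewall_endpoint` resource appears to continue past the end of the hunk.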
@@ -0,0 +1,72 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Security components for dev spoke VPC.
+
+module "dev-spoke-project" {
+ count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+ source = "../../../modules/project"
+ billing_account = var.billing_account.id
+ name = "dev-net-spoke-0"
+ parent = var.folder_ids.networking-dev
+ prefix = var.prefix
+ project_create = false
+ services = ["networksecurity.googleapis.com"]
+}
+
+resource "google_network_security_security_profile" "dev_sec_profile" {
+ count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+ name = "${var.prefix}-dev-sp-0"
+ type = "THREAT_PREVENTION"
+ parent = "organizations/${var.organization.id}"
+ location = "global"
+}
+
+resource "google_network_security_security_profile_group" "dev_sec_profile_group" {
+ count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+ name = "${var.prefix}-dev-spg-0"
+ parent = "organizations/${var.organization.id}"
+ location = "global"
+ description = "Dev security profile group."
+ threat_prevention_profile = try(google_network_security_security_profile.dev_sec_profile[0].id, null)
+}
+
+resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_association" {
+ for_each = toset(var.ngfw_enterprise_config.endpoint_zones)
+ name = "${var.prefix}-dev-epa-${each.key}"
+ parent = try(module.dev-spoke-project[0].project_id, null)
+ location = each.value.zone
+ firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id
+ network = try(var.vpc_self_links.dev-spoke-0, null)
+}
+
+module "dev-spoke-firewall-policy" {
+ count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+ source = "../../../modules/net-firewall-policy"
+ name = "${var.prefix}-dev-fw-policy"
+ parent_id = try(module.dev-spoke-project[0].project_id, null)
+ security_profile_group_ids = {
+ dev = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.dev_sec_profile_group[0].id, "")}"
+ }
+ attachments = {
+ dev-spoke = try(var.vpc_self_links.dev-spoke-0, null)
+ }
+ factories_config = {
+ cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+ egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/ingress.yaml"
+ }
+}
diff --git a/fast/stages/3-ngfw-enterprise/net-prod.tf b/fast/stages/3-ngfw-enterprise/net-prod.tf
new file mode 100644
index 0000000000..37411cf43d
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/net-prod.tf
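Review bot: `dev_fw_ep_association` iterates `endpoint_zones` unconditionally while every sibling resource is gated on `local.enabled_vpcs.dev-spoke-0`, so when the dev VPC is not enabled it still tries to create one association per zone with `parent = null` and `network = null`; the `try(..., null)` fallbacks only hide why. Gate it the same way, `for_each = local.enabled_vpcs.dev-spoke-0 ? toset(var.ngfw_enterprise_config.endpoint_zones) : toset([])`, and fix `location = each.value.zone` to `location = each.value`, since the set elements are plain zone strings. In `dev-spoke-firewall-policy` the `dev` entry falls back to the bare prefix `//networksecurity.googleapis.com/` when the group is absent; as the module is gated on the same flag as the group, the `try()` can be dropped so a missing group fails loudly instead of producing an invalid reference in an `apply_security_profile_group` rule.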
@@ -0,0 +1,72 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Security components for prod spoke VPC.
+
+module "prod-spoke-project" {
+ count = local.enabled_vpcs.prod-spoke-0 ? 1 : 0
+ source = "../../../modules/project"
+ billing_account = var.billing_account.id
+ name = "prod-net-spoke-0"
+ parent = var.folder_ids.networking-prod
+ prefix = var.prefix
+ project_create = false
+ services = ["networksecurity.googleapis.com"]
+}
+
+resource "google_network_security_security_profile" "prod_sec_profile" {
+ count = local.enabled_vpcs.prod-spoke-0 ? 1 : 0
+ name = "${var.prefix}-prod-sp-0"
+ type = "THREAT_PREVENTION"
+ parent = "organizations/${var.organization.id}"
+ location = "global"
+}
+
+resource "google_network_security_security_profile_group" "prod_sec_profile_group" {
+ count = local.enabled_vpcs.prod-spoke-0 ? 1 : 0
+ name = "${var.prefix}-prod-spg-0"
+ parent = "organizations/${var.organization.id}"
+ location = "global"
+ description = "prod security profile group."
+ threat_prevention_profile = try(google_network_security_security_profile.prod_sec_profile[0].id, null)
+}
+
+resource "google_network_security_firewall_endpoint_association" "prod_fw_ep_association" {
+ for_each = toset(var.ngfw_enterprise_config.endpoint_zones)
+ name = "${var.prefix}-prod-epa-${each.key}"
+ parent = try(module.prod-spoke-project[0].project_id, null)
+ location = each.value.zone
+ firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id
+ network = try(var.vpc_self_links.prod-spoke-0, null)
+}
+
+module "prod-spoke-firewall-policy" {
+ count = local.enabled_vpcs.prod-spoke-0 ? 1 : 0
+ source = "../../../modules/net-firewall-policy"
+ name = "${var.prefix}-prod-fw-policy"
+ parent_id = try(module.prod-spoke-project[0].project_id, null)
+ security_profile_group_ids = {
+ prod = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.prod_sec_profile_group[0].id, "")}"
+ }
+ attachments = {
+ prod-spoke = try(var.vpc_self_links.prod-spoke-0, null)
+ }
+ factories_config = {
+ cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+ egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/prod/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/prod/ingress.yaml"
+ }
+}
diff --git a/fast/stages/3-ngfw-enterprise/outputs.tf b/fast/stages/3-ngfw-enterprise/outputs.tf
new file mode 100644
index 0000000000..e55cc678c7
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/outputs.tf
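Review bot: `prod_fw_ep_association` has the same two problems as its dev counterpart: its `for_each` is not gated on `local.enabled_vpcs.prod-spoke-0`, so a disabled prod VPC still yields associations with null `parent` and `network`, and `location = each.value.zone` dereferences a plain string. The fix is `for_each = local.enabled_vpcs.prod-spoke-0 ? toset(var.ngfw_enterprise_config.endpoint_zones) : toset([])` together with `location = each.value`. Since this is the production policy, I would also add a header comment on `prod-spoke-firewall-policy` stating that ingress rules come only from `firewall-policy-rules/prod/ingress.yaml`, which in this commit contains no active rules, so that nobody assumes the attached policy allows anything inbound.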
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ ngfw_enterprise_endpoint_ids = {
+ for _, v in google_network_security_firewall_endpoint.firewall_endpoint
+ : v.location => v.id
+ }
+ ngfw_enterprise_endpoint_self_links = {
+ for _, v in google_network_security_firewall_endpoint.firewall_endpoint
+ : v.location => v.self_link
+ }
+}
+
+output "ngfw_enterprise_endpoint_ids" {
+ description = "The NGFW Enterprise endpoint ids."
+ value = local.ngfw_enterprise_endpoint_ids
+}
+
+output "ngfw_enterprise_endpoint_self_links" {
+ description = "The NGFW Enterprise endpoint self_links."
+ value = local.ngfw_enterprise_endpoint_self_links
+}
diff --git a/fast/stages/3-ngfw-enterprise/variables-fast.tf b/fast/stages/3-ngfw-enterprise/variables-fast.tf
new file mode 100644
index 0000000000..2b937eddd3
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/variables-fast.tf
@@ -0,0 +1,66 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "folder_ids" {
+ # tfdoc:variable:source 1-resman
+ description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
+ type = object({
+ networking-dev = string
+ networking-prod = string
+ })
+}
+
+variable "organization" {
+ # tfdoc:variable:source 00-globals
+ description = "Organization details."
+ type = object({
+ domain = string
+ id = number
+ customer_id = string
+ })
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ type = string
+ validation {
+ condition = try(length(var.prefix), 0) < 12
+ error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ }
+}
+
+variable "vpc_self_links" {
+ # tfdoc:variable:source 2-networking
+ description = "Self link for the shared VPC."
+ type = object({
+ dev-spoke-0 = string
+ prod-spoke-0 = string
+ })
+}
diff --git a/fast/stages/3-ngfw-enterprise/variables.tf b/fast/stages/3-ngfw-enterprise/variables.tf
new file mode 100644
index 0000000000..87758493fc
--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/variables.tf
@@ -0,0 +1,37 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "factories_config" {
+ description = "Configuration for network resource factories."
+ type = object({
+ data_dir = optional(string, "data")
+ })
+ default = {}
+ nullable = false
+ validation {
+ condition = var.factories_config.data_dir != null
+ error_message = "Data folder needs to be non-null."
+ }
+}
+
+variable "ngfw_enterprise_config" {
+ description = "NGFW Enterprise configuration."
+ type = object({
+ endpoint_zones = optional(list(string), ["europe-west1-a", "europe-west1-b", "europe-west1-c"])
+ })
+ nullable = false
+ default = {}
+}
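Review bot: `vpc_self_links` declares both `dev-spoke-0` and `prod-spoke-0` as required `string`, yet `main.tf` decides whether each environment is enabled with `try(var.vpc_self_links.<key>, null) != null`; with this type a caller cannot omit an environment, so the opt-out path the locals are written for cannot be exercised. If partial deployment is intended, declare them `dev-spoke-0 = optional(string)` and `prod-spoke-0 = optional(string)`. The descriptions also do not match this stage: "Self link for the shared VPC." covers two spoke VPCs, and `folder_ids` still says "If null, folder will be created." although the stage only references existing projects with `project_create = false` and creates no folders; I would change them to `"Self links of the spoke VPCs that NGFW Enterprise policies are attached to."` and `"Folders holding the networking projects, in folders/nnnnnnnnnnn format."`.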
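Review bot: `endpoint_zones` has no validation, so an empty list is accepted and silently yields no firewall endpoints and no associations while the egress rule files still reference `apply_security_profile_group`; what happens to traffic matching those rules without an endpoint in the zone is not visible here, so a guard such as `condition = length(var.ngfw_enterprise_config.endpoint_zones) > 0` with an error message naming the requirement is worth adding. The default also hardcodes three `europe-west1` zones, whereas the removed 2-networking implementation derived zones from `var.regions`; a comment on the attribute should state that every listed zone must host subnets of both spoke VPCs and that each zone incurs an NGFW endpoint charge, since the stage no longer checks this.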