diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index f886035ba7..af04343f39 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -136,6 +136,36 @@ module "firewall" {
# tftest modules=0 resources=0
```
+### Including source & destination ranges
+
+Custom rules now support including both source & destination ranges in ingress and egress rules:
+
+```hcl
+module "firewall" {
+ source = "./fabric/modules/net-vpc-firewall"
+ project_id = "my-project"
+ network = "my-network"
+ default_rules_config = {
+ disabled = true
+ }
+ egress_rules = {
+ deny-egress-source-destination-ranges = {
+ description = "Deny egress using source and destination ranges"
+ source_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
+ destination_ranges = ["172.16.0.0/12"]
+ }
+ }
+ ingress_rules = {
+ allow-ingress-source-destination-ranges = {
+ description = "Allow ingress using source and destination ranges"
+ source_ranges = ["172.16.0.0/12"]
+ destination_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
+ }
+ }
+}
+# tftest modules=1 resources=2
+```
+
### Rules Factory
The module includes a rules factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of rules leveraging YaML configuration files. Each configuration file can optionally contain more than one rule which a structure that reflects the `custom_rules` variable.
@@ -202,13 +232,13 @@ healthchecks:
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [network](variables.tf#L108) | Name of the network this set of firewall rules applies to. | string
| ✓ | |
-| [project_id](variables.tf#L113) | Project id of the project that holds the network. | string
| ✓ | |
+| [network](variables.tf#L110) | Name of the network this set of firewall rules applies to. | string
| ✓ | |
+| [project_id](variables.tf#L115) | Project id of the project that holds the network. | string
| ✓ | |
| [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | object({…})
| | {}
|
-| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | map(object({…}))
| | {}
|
-| [factories_config](variables.tf#L59) | Paths to data files and folders that enable factory functionality. | object({…})
| | null
|
-| [ingress_rules](variables.tf#L68) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | map(object({…}))
| | {}
|
-| [named_ranges](variables.tf#L91) | Define mapping of names to ranges that can be used in custom rules. | map(list(string))
| | {…}
|
+| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | map(object({…}))
| | {}
|
+| [factories_config](variables.tf#L60) | Paths to data files and folders that enable factory functionality. | object({…})
| | null
|
+| [ingress_rules](variables.tf#L69) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | map(object({…}))
| | {}
|
+| [named_ranges](variables.tf#L93) | Define mapping of names to ranges that can be used in custom rules. | map(list(string))
| | {…}
|
## Outputs
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index e525ceb4b4..bd528b029f 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -101,7 +101,8 @@ resource "google_compute_firewall" "custom-rules" {
? ["0.0.0.0/0"]
: each.value.source_ranges
)
- : null
+ #for egress, we will include the source_ranges when provided. Previously, null was forced
+ : each.value.source_ranges
)
destination_ranges = (
each.value.direction == "EGRESS"
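Review bot: The comment added at the `source_ranges` fallback is written as change history (`Previously, null was forced`) and lacks the space after `#` used elsewhere in the module; the same applies to the comment in the `destination_ranges` hunk below. A comment should state the current contract a reader can check against the expression, e.g. `# EGRESS: pass source_ranges through as given (null when unset); only INGRESS defaults a null source to 0.0.0.0/0` and, in the next hunk, `# INGRESS: pass destination_ranges through as given; only EGRESS defaults a null destination to 0.0.0.0/0`. Note that the pass-through now also hands an unset value straight to the provider, so the effective default for these attributes is whatever `variables.tf` declares (null for egress `source_ranges`, `[]` for ingress `destination_ranges`), which is worth stating in the comment so operators know which rules stay unrestricted. The enclosing `google_compute_firewall.custom-rules` resource starts and ends outside this hunk.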
@@ -110,7 +111,8 @@ resource "google_compute_firewall" "custom-rules" {
? ["0.0.0.0/0"]
: each.value.destination_ranges
)
- : null
+ #for ingress, we will include the destination_ranges when provided. Previously, null was forced
+ : each.value.destination_ranges
)
source_tags = (
each.value.use_service_accounts || each.value.direction == "EGRESS"
diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf
index 9f750cc839..132f00ed9e 100644
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -45,6 +45,7 @@ variable "egress_rules" {
include_metadata = optional(bool)
}))
priority = optional(number, 1000)
+ source_ranges = optional(list(string))
targets = optional(list(string))
use_service_accounts = optional(bool, false)
rules = optional(list(object({
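Review bot: `source_ranges = optional(list(string))` for `egress_rules` is declared without a default, whereas the `destination_ranges` attribute added to `ingress_rules` in the next hunk defaults to `[]` and carries a comment explaining that the empty-list default is required so the value can be removed again after the rule was first created with one (provider issue linked there). If that provider behaviour applies to `source_ranges` on egress rules as well — which seems likely since both are plain range lists on the same resource — the two attributes should be declared the same way: `source_ranges = optional(list(string), []) # empty list default allows clearing the value after creation, see the ingress destination_ranges note`. Leaving them inconsistent means an egress rule's source restriction may not be removable by setting it back to null, which would silently keep the narrower rule in place or fail the apply; please verify this against the provider before merging. The `variable "egress_rules"` block begins outside this hunk.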
@@ -68,9 +69,10 @@ variable "factories_config" {
variable "ingress_rules" {
description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0."
type = map(object({
- deny = optional(bool, false)
- description = optional(string)
- disabled = optional(bool, false)
+ deny = optional(bool, false)
+ description = optional(string)
+ destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270
+ disabled = optional(bool, false)
enable_logging = optional(object({
include_metadata = optional(bool)
}))
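Review bot: The `ingress_rules` description on the context line above still reads "Null source ranges will be replaced with 0/0." and says nothing about the new `destination_ranges` attribute, so a reader of the generated docs (the README table in this same commit) cannot tell that an ingress rule can now be scoped by destination. Suggest extending it to `description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0; destination_ranges are passed through to the rule when set."`, and the same addition for the `egress_rules` description regarding `source_ranges`, which is outside the earlier hunk. The long trailing comment on the `destination_ranges` line would also read better as a comment line above the attribute, keeping the aligned attribute columns intact.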