From d0b1ced28053fe7546eb3b7d726b51f1bd8e0938 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 26 Oct 2023 17:25:36 +0200
Subject: [PATCH] fix logic for default source range in firewall ingress rules (#1815)

---
 modules/net-vpc-firewall/README.md | 13 +++++++++++++
 modules/net-vpc-firewall/main.tf | 2 +-
 .../modules/net_vpc_firewall/examples/factory.yaml | 2 --
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 235f1ebc41..8198b100e6 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -7,6 +7,19 @@ This module allows creation and management of different types of firewall rules
 The predefined rules are enabled by default and set to the ranges of the GCP health checkers for HTTP/HTTPS, and the IAP forwarders for SSH. See the relevant section below on how to configure or disable them.
+
+- [Examples](#examples)
+ - [Minimal open firewall](#minimal-open-firewall)
+ - [Custom rules](#custom-rules)
+ - [Controlling or turning off default rules](#controlling-or-turning-off-default-rules)
+ - [Overriding default tags and ranges](#overriding-default-tags-and-ranges)
+ - [Disabling predefined rules](#disabling-predefined-rules)
+ - [Including source & destination ranges](#including-source-destination-ranges)
+ - [Rules Factory](#rules-factory)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
 ## Examples
 ### Minimal open firewall
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index 5f7a95b549..f3faac9f05 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -97,7 +97,7 @@ resource "google_compute_firewall" "custom-rules" {
 source_ranges = (
 each.value.direction == "INGRESS"
 ? (
- each.value.source_ranges == null
+ each.value.source_ranges == null && each.value.sources == null
 ? ["0.0.0.0/0"]
 : each.value.source_ranges
 )
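Review bot: The new guard only suppresses the `["0.0.0.0/0"]` fallback when `sources` is exactly null, so an ingress rule with `source_ranges = null` and `sources = []` (if the variable's type permits an empty list) is left with no source at all and is rejected only by the Compute API at apply time, not at plan time. Rather than widening the fallback to cover `[]` — which would reintroduce the silent world-open behaviour this commit removes for tag- and service-account-scoped rules — a variable validation or `lifecycle { precondition }` requiring at least one of `source_ranges`/`sources` on ingress rules would surface the mistake with a clear message. The fallback is itself an any-IPv4-source default for ingress, and the reason it is gated deserves a comment on the new line, e.g. `# default to any source only when the rule has no source_ranges and no tag/service-account sources; a scoped rule must never silently become 0.0.0.0/0`. The `google_compute_firewall.custom-rules` resource begins and ends outside this hunk.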
diff --git a/tests/modules/net_vpc_firewall/examples/factory.yaml b/tests/modules/net_vpc_firewall/examples/factory.yaml
index 389fb52a25..73a095dd0d 100644
--- a/tests/modules/net_vpc_firewall/examples/factory.yaml
+++ b/tests/modules/net_vpc_firewall/examples/factory.yaml
@@ -53,8 +53,6 @@ values:
 network: my-network
 priority: 1000
 project: my-project
- source_ranges:
- - 0.0.0.0/0
 source_service_accounts:
 - service-1@my-project.iam.gserviceaccount.com
 source_tags: null