diff --git a/modules/net-firewall-policy/README.md b/modules/net-firewall-policy/README.md
index 17381abef6..10d395fe0f 100644
--- a/modules/net-firewall-policy/README.md
+++ b/modules/net-firewall-policy/README.md
@@ -258,14 +258,14 @@ issue-1995:
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L113) | Policy name. | string
| ✓ | |
-| [parent_id](variables.tf#L119) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | string
| ✓ | |
+| [name](variables.tf#L115) | Policy name. | string
| ✓ | |
+| [parent_id](variables.tf#L121) | Parent node where the policy will be created, `folders/nnn` or `organizations/nnn` for hierarchical policy, project id for a network policy. | string
| ✓ | |
| [attachments](variables.tf#L17) | Ids of the resources to which this policy will be attached, in descriptive name => self link format. Specify folders or organization for hierarchical policy, VPCs for network policy. | map(string)
| | {}
|
| [description](variables.tf#L24) | Policy description. | string
| | null
|
-| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | map(object({…}))
| | {}
|
-| [factories_config](variables.tf#L66) | Paths to folders for the optional factories. | object({…})
| | {}
|
-| [ingress_rules](variables.tf#L77) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | map(object({…}))
| | {}
|
-| [region](variables.tf#L125) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | string
| | null
|
+| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format. | map(object({…}))
| | {}
|
+| [factories_config](variables.tf#L67) | Paths to folders for the optional factories. | object({…})
| | {}
|
+| [ingress_rules](variables.tf#L78) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. | map(object({…}))
| | {}
|
+| [region](variables.tf#L127) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | string
| | null
|
## Outputs
diff --git a/modules/net-firewall-policy/factory.tf b/modules/net-firewall-policy/factory.tf
index 4577a06369..74ef28d798 100644
--- a/modules/net-firewall-policy/factory.tf
+++ b/modules/net-firewall-policy/factory.tf
@@ -35,6 +35,7 @@ locals {
description = lookup(v, "description", null)
disabled = lookup(v, "disabled", false)
enable_logging = lookup(v, "enable_logging", null)
+ security_profile_group = lookup(v, "security_profile_group", null)
target_resources = lookup(v, "target_resources", null)
target_service_accounts = lookup(v, "target_service_accounts", null)
target_tags = lookup(v, "target_tags", null)
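Review bot: The value read here for `security_profile_group` goes straight into the rule locals with no check against the rule's `action`, so a factory-defined rule that sets `action: apply_security_profile_group` without a group is only rejected by the provider at apply time rather than at plan time. The `validation` blocks that constrain `action` live on `var.ingress_rules` and `var.egress_rules` and presumably do not cover factory-loaded rules, so a `precondition` on the rule resources (or a check on this local) would be the place to enforce the pairing; the parallel lookup in the second hunk of this file has the same gap. The enclosing `locals` block starts outside the hunk.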
@@ -80,6 +81,7 @@ locals {
description = lookup(v, "description", null)
disabled = lookup(v, "disabled", false)
enable_logging = lookup(v, "enable_logging", null)
+ security_profile_group = lookup(v, "security_profile_group", null)
target_resources = lookup(v, "target_resources", null)
target_service_accounts = lookup(v, "target_service_accounts", null)
target_tags = lookup(v, "target_tags", null)
diff --git a/modules/net-firewall-policy/hierarchical.tf b/modules/net-firewall-policy/hierarchical.tf
index 450784a90b..48bc9c9e18 100644
--- a/modules/net-firewall-policy/hierarchical.tf
+++ b/modules/net-firewall-policy/hierarchical.tf
@@ -37,6 +37,7 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
action = local.rules[each.key].action
description = local.rules[each.key].description
direction = local.rules[each.key].direction
+ security_profile_group = local.rules[each.key].security_profile_group
disabled = local.rules[each.key].disabled
enable_logging = local.rules[each.key].enable_logging
priority = local.rules[each.key].priority
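Review bot: The new `security_profile_group` argument is inserted between `direction` and `disabled`, breaking the alphabetical order the surrounding arguments (`action` through `priority`) follow, whereas in variables.tf and factory.tf the same attribute was placed after `enable_logging`, where it sorts correctly. Moving it below `priority = local.rules[each.key].priority` keeps the resource block consistent with the rest of the module. The same placement appears in the net-global.tf and net-regional.tf hunks. The resource block starts and ends outside the hunk.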
diff --git a/modules/net-firewall-policy/net-global.tf b/modules/net-firewall-policy/net-global.tf
index 848b317d5a..db15930da9 100644
--- a/modules/net-firewall-policy/net-global.tf
+++ b/modules/net-firewall-policy/net-global.tf
@@ -44,6 +44,7 @@ resource "google_compute_network_firewall_policy_rule" "net-global" {
action = local.rules[each.key].action
description = local.rules[each.key].description
direction = local.rules[each.key].direction
+ security_profile_group = local.rules[each.key].security_profile_group
disabled = local.rules[each.key].disabled
enable_logging = local.rules[each.key].enable_logging
priority = local.rules[each.key].priority
diff --git a/modules/net-firewall-policy/net-regional.tf b/modules/net-firewall-policy/net-regional.tf
index b283ba1bfe..a3d9f53da6 100644
--- a/modules/net-firewall-policy/net-regional.tf
+++ b/modules/net-firewall-policy/net-regional.tf
@@ -47,6 +47,7 @@ resource "google_compute_region_network_firewall_policy_rule" "net-regional" {
action = local.rules[each.key].action
description = local.rules[each.key].description
direction = local.rules[each.key].direction
+ security_profile_group = local.rules[each.key].security_profile_group
disabled = local.rules[each.key].disabled
enable_logging = local.rules[each.key].enable_logging
priority = local.rules[each.key].priority
diff --git a/modules/net-firewall-policy/variables.tf b/modules/net-firewall-policy/variables.tf
index 3a8d16b70f..fad6ab9043 100644
--- a/modules/net-firewall-policy/variables.tf
+++ b/modules/net-firewall-policy/variables.tf
@@ -28,13 +28,14 @@ variable "description" {
}
variable "egress_rules" {
- description = "List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format."
+ description = "List of egress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'. The match.layer4configs map is in protocol => optional [ports] format."
type = map(object({
priority = number
action = optional(string, "deny")
description = optional(string)
disabled = optional(bool, false)
enable_logging = optional(bool)
+ security_profile_group = optional(string)
target_resources = optional(list(string))
target_service_accounts = optional(list(string))
target_tags = optional(list(string))
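Review bot: The updated description documents the new action value but says nothing about the new `security_profile_group` attribute the action depends on, so a reader of the generated README cannot tell what the field is for or what identifier format it expects (presumably the security profile group resource reference accepted by the provider — verify). Appending a clause such as `security_profile_group is the security profile group to apply when action is 'apply_security_profile_group'` to the description would surface it; the `ingress_rules` variable later in this file has the same gap. The variable block continues past the hunk.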
@@ -57,9 +58,9 @@ variable "egress_rules" {
validation {
condition = alltrue([
for k, v in var.egress_rules :
- contains(["allow", "deny", "goto_next"], v.action)
+ contains(["allow", "deny", "goto_next", "apply_security_profile_group"], v.action)
])
- error_message = "Action can only be one of 'allow', 'deny', 'goto_next'."
+ error_message = "Action can only be one of 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
}
}
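Review bot: The extended validation only checks that `action` is in the allowed set; it does not check that `security_profile_group` is set when the action is `apply_security_profile_group`, so a rule with that action and no group passes `terraform validate` and plan and fails only at apply time. A second `validation` block tying the two fields together catches this at plan time; the `ingress_rules` validation later in this file needs the same addition. Whether the API also rejects a group set alongside another action is not visible here, so the check below is deliberately one-directional.
```hcl
  # … unchanged: existing action validation …
  validation {
    condition = alltrue([
      for k, v in var.egress_rules :
      v.action != "apply_security_profile_group" || v.security_profile_group != null
    ])
    error_message = "security_profile_group must be set when action is 'apply_security_profile_group'."
  }
```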
@@ -75,13 +76,14 @@ variable "factories_config" {
}
variable "ingress_rules" {
- description = "List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'."
+ description = "List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
type = map(object({
priority = number
action = optional(string, "allow")
description = optional(string)
disabled = optional(bool, false)
enable_logging = optional(bool)
+ security_profile_group = optional(string)
target_resources = optional(list(string))
target_service_accounts = optional(list(string))
target_tags = optional(list(string))
@@ -104,9 +106,9 @@ variable "ingress_rules" {
validation {
condition = alltrue([
for k, v in var.ingress_rules :
- contains(["allow", "deny", "goto_next"], v.action)
+ contains(["allow", "deny", "goto_next", "apply_security_profile_group"], v.action)
])
- error_message = "Action can only be one of 'allow', 'deny', 'goto_next'."
+ error_message = "Action can only be one of 'allow', 'deny', 'goto_next' or 'apply_security_profile_group'."
}
}