feat: add network_firewall_policy_enforcement_order network argument

mineiros-io · Mar 1, 2024 · 4966155 · 4966155
1 parent 6e49cfa
commit 4966155
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -96,6 +96,12 @@ See [variables.tf] and [examples/] for details and use-cases.
 
   Default is `"1460"`.
 
+- [**`network_firewall_policy_enforcement_order`**](#var-network_firewall_policy_enforcement_order): *(Optional `string`)*<a name="var-network_firewall_policy_enforcement_order"></a>
+
+  Set the order that Firewall Rules and Firewall Policies are evaluated. Default value is AFTER_CLASSIC_FIREWALL. Possible values are: BEFORE_CLASSIC_FIREWALL, AFTER_CLASSIC_FIREWALL.
+
+  Default is `null`.
+
 - [**`enable_ula_internal_ipv6`**](#var-enable_ula_internal_ipv6): *(Optional `bool`)*<a name="var-enable_ula_internal_ipv6"></a>
 
   Enable ULA internal ipv6 on this network. Enabling this feature will assign a `/48` from Google defined ULA prefix `fd20::/20`.

diff --git a/README.tfdoc.hcl b/README.tfdoc.hcl
@@ -134,6 +134,14 @@ section {
           END
         }
 
+        variable "network_firewall_policy_enforcement_order" {
+          type        = string
+          default     = null
+          description = <<-END
+            Set the order that Firewall Rules and Firewall Policies are evaluated. Default value is AFTER_CLASSIC_FIREWALL. Possible values are: BEFORE_CLASSIC_FIREWALL, AFTER_CLASSIC_FIREWALL.
+          END
+        }
+
         variable "enable_ula_internal_ipv6" {
           type        = bool
           default     = false

diff --git a/main.tf b/main.tf
@@ -5,12 +5,13 @@ resource "google_compute_network" "vpc" {
   description = var.description
   project     = var.project
 
-  auto_create_subnetworks         = var.auto_create_subnetworks
-  routing_mode                    = var.routing_mode
-  mtu                             = var.mtu
-  delete_default_routes_on_create = var.delete_default_routes_on_create
-  enable_ula_internal_ipv6        = var.enable_ula_internal_ipv6
-  internal_ipv6_range             = var.internal_ipv6_range
+  auto_create_subnetworks                   = var.auto_create_subnetworks
+  routing_mode                              = var.routing_mode
+  mtu                                       = var.mtu
+  delete_default_routes_on_create           = var.delete_default_routes_on_create
+  enable_ula_internal_ipv6                  = var.enable_ula_internal_ipv6
+  internal_ipv6_range                       = var.internal_ipv6_range
+  network_firewall_policy_enforcement_order = var.network_firewall_policy_enforcement_order
 
   depends_on = [var.module_depends_on]
 }
diff --git a/test/unit-complete/main.tf b/test/unit-complete/main.tf
@@ -1,13 +1,14 @@
 module "test" {
   source = "../.."
 
-  project                         = local.project_id
-  name                            = "vpc-unit-complete"
-  description                     = "This is a unit test"
-  routing_mode                    = "GLOBAL"
-  delete_default_routes_on_create = true
-  auto_create_subnetworks         = true
-  mtu                             = 1500
-  enable_ula_internal_ipv6        = true
-  internal_ipv6_range             = "fd20:fff:ffff:ffff:ffff:ffff:ffff:ffff"
+  project                                   = local.project_id
+  name                                      = "vpc-unit-complete"
+  description                               = "This is a unit test"
+  routing_mode                              = "GLOBAL"
+  delete_default_routes_on_create           = true
+  auto_create_subnetworks                   = true
+  mtu                                       = 1500
+  enable_ula_internal_ipv6                  = true
+  internal_ipv6_range                       = "fd20:fff:ffff:ffff:ffff:ffff:ffff:ffff"
+  network_firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
 }
diff --git a/variables.tf b/variables.tf
@@ -54,6 +54,12 @@ variable "auto_create_subnetworks" {
   default     = false
 }
 
+variable "network_firewall_policy_enforcement_order" {
+  description = "(Optional) Set the order that Firewall Rules and Firewall Policies are evaluated. Default value is AFTER_CLASSIC_FIREWALL. Possible values are: BEFORE_CLASSIC_FIREWALL, AFTER_CLASSIC_FIREWALL."
+  type        = string
+  default     = null
+}
+
 variable "mtu" {
   description = "(Optional) Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. Default is '1460'."
   type        = string