How to correctly pass firewall rules to the google-terraform-network module?

mångata

4/15/24, 3:25 PM

I want to create a network using the google-terraform-network module. Additionally, I want to pass the firewall rules I made as a parameter to the module so that the created network contains these two rules.

When I pass the firewall rules directly, i.e.:

firewall_rules = [google_compute_firewall.allow_ssh, google_compute_firewall.allow_http]

I receive the following error: The given value is not suitable for module.vpc.module.firewall_rules.var.rules declared at .terraform/modules/vpc/modules/firewall-rules/variables.tf:27,1-17: element 0: attribute "log_config": object required..

On the other hand, when I pass the self_link, i.e.:

firewall_rules = [google_compute_firewall.allow_ssh.self_link, google_compute_firewall.allow_http.self_link]

I get numerous errors of the following form:

 Error: Invalid function argument
│ 
│   on .terraform/modules/vpc/main.tf line 70, in locals:
│   70:       deny                    = lookup(f, "deny", [])
│ 
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

Here's the complete main.tf:

provider "google" {
  project = var.project
  region  = var.region
  zone    = var.zone
}

// firewall rule to allow ssh
resource "google_compute_firewall" "allow_ssh" {
  name    = "allow-ssh"
  network = var.network_name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
}

// firewall rule to allow http
resource "google_compute_firewall" "allow_http" {
  name    = "allow-http"
  network = var.network_name

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  source_ranges = [""]
}

module "vpc" {
    source  = "terraform-google-modules/network/google"
    version = "~> 7.0"

    project_id   = var.project
    network_name = var.network_name
    routing_mode = "GLOBAL"

    subnets = [
        {
            subnet_name   = var.subnet_name
            subnet_ip     = var.subnet_ip
            subnet_region = var.region
        },
    ]

    firewall_rules = [google_compute_firewall.allow_ssh.self_link, google_compute_firewall.allow_http.self_link]
}

481

1 + 0

firewall

google-cloud-platform

terraform

Score:0

Server

mångata

4/15/24, 5:34 PM

Ok, I found a solution. The firewall_rules parameter demands a list of objects that follow a specific structure. Adding the following variable and assigning it to the firewall_rules parameter solves the problem:

variable "rules" {
    description = "List of rule definitions"
    default     = [
        {
        name                    = "allow-ssh-ingress"
        direction               = "INGRESS"
        ranges                  = ["0.0.0.0/0"]
        allow = [{
            protocol = "tcp"
            ports    = ["22"]
        }]
        deny = []
        log_config = {
            metadata = "INCLUDE_ALL_METADATA"
        }
        },

        {
            name                    = "allow-http-ingress"
            direction               = "INGRESS"
            ranges                  = ["0.0.0.0/0"]
            allow = [{
                protocol = "tcp"
                ports    = ["80"]
            }]
            deny = []
            log_config = {
                metadata = "INCLUDE_ALL_METADATA"
            }
        }
    ]

    type = list(object({
        name                    = string
        description             = optional(string)
        direction               = optional(string)
        priority                = optional(number)
        ranges                  = optional(list(string))
        source_tags             = optional(list(string))
        source_service_accounts = optional(list(string))
        target_tags             = optional(list(string))
        target_service_accounts = optional(list(string))
        allow = optional(list(object({
            protocol = string
            ports    = optional(list(string))
        })))
        deny = optional(list(object({
            protocol = string
            ports    = optional(list(string))
        })))
        log_config = optional(object({
            metadata = string
        }))
    }))
}

Afterwards:

firewall_rules = var.rules

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to correctly pass firewall rules to the google-terraform-network module?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.