
Add support to add rules to a google_compute_security_policy #5622

Comments

@maguro

maguro commented Feb 8, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

It would be nice if it were possible to add rules to google_compute_security_policy. This would mimic

gcloud compute security-policies rules create 1000 \
  --security-policy internal-users-policy \
  --description "allow traffic from 198.51.100.0/24" \
  --src-ip-ranges "198.51.100.0/24" \
  --action "allow"

This would allow aggregation of reusable sets of rules, security groups, into various Terraform modules.

New or Affected Resource(s)

  • google_compute_security_policy - add a data source for rules to reference
  • google_compute_security_policy_rule

Potential Terraform Configuration

data "google_compute_security_policy" "http_policy" {
  name    = "http-policy"
  project = var.project
}

resource "google_compute_security_policy_rule" "external_partner_acme" {
  description     = "Allow Acme Inc. to access HTTP"
  security_policy = data.google_compute_security_policy.http_policy.name
  action          = "allow"
  priority        = "1000"
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["9.9.9.0/24"]
    }
  }
}

b/299683660

@ghost ghost added the enhancement label Feb 8, 2020
@danawillow danawillow added this to the Goals milestone Feb 10, 2020
@danawillow
Contributor

Hey @maguro, just to check- you can already add rules to security policies in the security policy resource itself, so this specific FR is to have a separate resource just for the rule, correct? Can you expand a bit on your proposed use case?

@maguro
Author

maguro commented Feb 11, 2020

You may be speaking of features of which I am unaware. I'll flesh out my idea here, in this thread. Once it gels, after community input, I'll update the description above.

Let's say we work for a huge corporation, MegaCorp. There are a number of companies under its umbrella, each with their own IT team. For our various internal websites, we'd like to set up security policies where each IT team contributes the CIDR ranges to be whitelisted for the internal websites. The Terraform mechanics are as follows.

Each company is allocated a small range of priorities, say 10, to prevent collisions of rules via priority. So, each company's IT team creates a Terraform module that can be referenced, passing in the security policy to which they add their rules. Each internal website can choose which company it wishes to provide access to by referencing that company's rules module. The rules module becomes the sole source of authority, with respect to Terraform, of that company's valid CIDR ranges.
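The per-company rules module sketched above, as an added example (not the issue author's or the provider's code): it assumes the google_compute_security_policy_rule resource with the schema proposed in the issue, and all variable, local and output names are hypothetical. Ranges are packed ten per rule (the SRC_IPS_V1 limit) and priorities are derived from the company's allocated base so that two modules with disjoint bases cannot collide.

```hcl
# Per-company rules module (added example, hypothetical names).
variable "security_policy" {
  description = "Name of the google_compute_security_policy the rules attach to"
  type        = string
}

variable "priority_base" {
  description = "First priority of this company's allocated block of 10"
  type        = number
}

variable "src_ip_ranges" {
  description = "CIDR ranges this IT team vouches for"
  type        = list(string)
  # Constructed sample values from the RFC 5737 documentation ranges.
  default = ["198.51.100.0/24", "203.0.113.0/25"]

  validation {
    condition     = length(var.src_ip_ranges) <= 100
    error_message = "At most 100 ranges: 10 rules per company block x 10 ranges per rule."
  }
  validation {
    condition     = alltrue([for c in var.src_ip_ranges : can(cidrhost(c, 0))])
    error_message = "Every entry must be a valid CIDR block."
  }
}

locals {
  # SRC_IPS_V1 matches hold at most 10 ranges, so chunk the list.
  rule_chunks = chunklist(var.src_ip_ranges, 10)
}

resource "google_compute_security_policy_rule" "company" {
  count = length(local.rule_chunks)

  security_policy = var.security_policy
  description     = "Company block ${var.priority_base}: rule ${count.index}"
  action          = "allow"
  priority        = var.priority_base + count.index # stays inside the block of 10

  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = local.rule_chunks[count.index]
    }
  }
}

output "priorities_used" {
  value = [for r in google_compute_security_policy_rule.company : r.priority]
}
```

A website's configuration then calls this module once per company it wants to admit, passing the policy name and that company's priority_base.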

@Sreerag74031

Sreerag74031 commented Jan 20, 2021

I think this will solve the issue of all rules getting recreated while adding/editing one rule in a security policy.

modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Jan 14, 2022
Signed-off-by: Modular Magician <magic-modules@google.com>
modular-magician added a commit that referenced this issue Jan 14, 2022
Signed-off-by: Modular Magician <magic-modules@google.com>
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-security-policy labels Aug 17, 2023
@roaks3 roaks3 removed the forward/review In review; remove label to forward label Aug 18, 2023
@rmb938

rmb938 commented Dec 19, 2023

Hi All,

Anything I can help out with to get this issue implemented?

Regional policy rules already exist from this PR #15319 so having similar functionality would make sense.

@matheusaleixo-cit

Hello everyone!
I started working on this enhancement; I will be opening a draft PR as soon as possible.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2024