terraform-google-modules/terraform-google-lb-internal

Firewall rules do not allow specifying protocol "all"

drebes opened this issue · 8 comments

default-ilb-fw cannot create a firewall with protocol "all". This is a requirement when the ILB backends are acting as ILB-as-next-hop for network appliances. Alternatively, the creation of the default-ilb-fw rule should be optional, so the firewall gets created by other means.

If you set a protocol of "all" what happens?

Also, what would stop creating the additional firewall outside the module in addition to the one auto-created here?

It fails Terraform ValidateFunc resource validation:

    expected protocol to be one of [HTTP HTTPS HTTP2 SSL TCP UDP GRPC ], got all

There's no problem creating the firewall rule outside of the auto-created one here, but then the user ends up with duplicate firewall rules where one is a superset of the other (and additionally you need to specify source_ranges, which are redundant since you also need to specify them again on the external firewall rule). Would be fine making the firewall rule creation conditional on var.ports being != null.

Do you know how all would be done with the underlying Terraform resource? Seems like a good addition.

IIRC there is support for all in the firewall resource https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#protocol but we would still be limited by google_compute_forwarding_rule which also uses ip_protocol and can only be TCP/UDP.

    allow {
        protocol = "all"
    }

But I really would prefer we decouple firewall from the ilb module (make it optional), since for the secure foundations we also need egress firewall rules which would be adding too much complexity to include here, no?
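The optional firewall rule proposed above (conditional on var.ports, with protocol "all" when no ports are given), written out as an added example rather than the module's own code; the variable names ports, create_firewall, name, network, source_ranges and target_tags are assumptions, not the module's real inputs:

```hcl
# Added example, not part of terraform-google-lb-internal. Variable names are
# assumed. The forwarding rule itself is unchanged and is not shown here.

variable "ports" {
  description = "Ports to allow on the backends; null means allow protocol \"all\" (ILB-as-next-hop)."
  type        = list(string)
  default     = null
}

variable "create_firewall" {
  description = "Set to false to manage the backend firewall rule outside the module."
  type        = bool
  default     = true
}

resource "google_compute_firewall" "default_ilb_fw" {
  # count = 0 skips the rule entirely when it is created by other means,
  # so no duplicate (superset) rule is left behind.
  count   = var.create_firewall ? 1 : 0
  name    = "${var.name}-ilb-fw"
  network = var.network

  # Keep the rule scoped to the ILB clients and the backend instances only.
  source_ranges = var.source_ranges
  target_tags   = var.target_tags

  # With ports: TCP and UDP restricted to those ports.
  # Without ports: a single allow block with protocol "all", which is what a
  # next-hop appliance backend needs (ports must be omitted in that case;
  # a null value leaves the attribute unset).
  dynamic "allow" {
    for_each = var.ports == null ? ["all"] : ["tcp", "udp"]
    content {
      protocol = allow.value
      ports    = var.ports
    }
  }
}
```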

ack, making it optional sgtm

Any idea when we can have this? Otherwise we should stick with the non CFT module for the ILB of the secure foundations.

@drebes This is not currently assigned, but we would be happy to review a PR.

Please do not include Fabric modules in the example foundation.