From 1d05920abf973bc1f58a7e187527f95782ea150a Mon Sep 17 00:00:00 2001
From: Bohdan Yurov
Date: Fri, 6 Dec 2019 16:29:02 +0200
Subject: [PATCH] Fixes #18: Add support for service account-based firewall targets
https://github.com/terraform-google-modules/terraform-google-lb/issues/18
Added support for service account-based firewall targets.
---
 README.md | 3 ++-
 examples/basic/main.tf | 14 ++++++++++----
 main.tf | 10 ++++++++--
 variables.tf | 7 +++++++
 4 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 8a0b50a..5650461 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,8 @@ Full functional examples are located in the [examples](./examples/) directory.
 | region | Region used for GCP resources. | string | n/a | yes |
 | service\_port | TCP port your service is listening on. | number | n/a | yes |
 | session\_affinity | How to distribute load. Options are `NONE`, `CLIENT_IP` and `CLIENT_IP_PROTO` | string | `"NONE"` | no |
-| target\_tags | List of target tags to allow traffic using firewall rule. | list(string) | n/a | yes |
+| target\_tags | List of target tags to allow traffic using firewall rule. | list(string) | null | no |
+| target\_service\_accounts | List of target service accounts to allow traffic using firewall rule. | list(string) | null | no |
 ## Outputs
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index fcd96df..f94f807 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -16,6 +16,7 @@ data "template_file" "instance_startup_script" {
 template = file("${path.module}/templates/gceme.sh.tpl")
+
 vars = {
 PROXY_PATH = ""
 }
@@ -32,7 +33,7 @@ module "instance_template" {
 source_image_family = var.image_family
 source_image_project = var.image_project
 startup_script = data.template_file.instance_startup_script.rendered
- tags = ["allow-lb-service"]
+
 service_account = {
 email = google_service_account.instance-group.email
 scopes = ["cloud-platform"]
@@ -46,11 +47,13 @@ module "managed_instance_group" {
 target_size = 2
 hostname = "mig-simple"
 instance_template = module.instance_template.self_link
+
 target_pools = [
 module.load_balancer_default.target_pool,
 module.load_balancer_no_hc.target_pool,
 module.load_balancer_custom_hc.target_pool
 ]
+
 named_ports = [{
 name = "http"
 port = 80
@@ -62,8 +65,9 @@ module "load_balancer_default" {
 source = "../../"
 region = var.region
 service_port = 80
- target_tags = ["allow-lb-service"]
 network = google_compute_network.network.name
+
+ target_service_accounts = [google_service_account.instance-group.email]
 }
 module "load_balancer_no_hc" {
@@ -71,9 +75,10 @@ module "load_balancer_no_hc" {
 source = "../../"
 region = var.region
 service_port = 80
- target_tags = ["allow-lb-service"]
 network = google_compute_network.network.name
 disable_health_check = true
+
+ target_service_accounts = [google_service_account.instance-group.email]
 }
 module "load_balancer_custom_hc" {
@@ -81,7 +86,8 @@ module "load_balancer_custom_hc" {
 source = "../../"
 region = var.region
 service_port = 8080
- target_tags = ["allow-lb-service"]
 network = google_compute_network.network.name
 health_check = local.health_check
+
+ target_service_accounts = [google_service_account.instance-group.email]
 }
diff --git a/main.tf b/main.tf
index a041da3..e33d3eb 100644
--- a/main.tf
+++ b/main.tf
@@ -64,7 +64,10 @@ resource "google_compute_firewall" "default-lb-fw" {
 }
 source_ranges = ["0.0.0.0/0"]
- target_tags = var.target_tags
+
+ target_tags = var.target_tags
+
+ target_service_accounts = var.target_service_accounts
 }
 resource "google_compute_firewall" "default-hc-fw" {
@@ -79,5 +82,8 @@ resource "google_compute_firewall" "default-hc-fw" {
 }
 source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"]
- target_tags = var.target_tags
+
+ target_tags = var.target_tags
+
+ target_service_accounts = var.target_service_accounts
 }
diff --git a/variables.tf b/variables.tf
index ca02d57..a324ec4 100644
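Review bot: In the `default-lb-fw` hunk of main.tf, `target_tags = var.target_tags` and `target_service_accounts = var.target_service_accounts` are now both fed from variables whose default is `null`, and the rule sits on `source_ranges = ["0.0.0.0/0"]`; a GCP firewall rule with neither targets set applies to every instance in the network, so a caller that omits both (previously impossible, since target_tags was required) silently opens the service port from the internet to the whole network. The same applies to the `default-hc-fw` hunk below it, though that one is limited to the health-check source ranges. GCP also rejects a rule that sets both target_tags and target_service_accounts, so the module's contract is "exactly one of the two", which nothing here enforces or states; at minimum add a comment above the two arguments such as `# GCP applies a rule with no target_tags and no target_service_accounts to every instance in the network; callers must set exactly one of them.` and consider a plan-time assertion if the module's supported Terraform version allows one. Both `google_compute_firewall` resources begin outside their hunks.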
--- a/variables.tf
+++ b/variables.tf
@@ -50,6 +50,13 @@ variable "service_port" {
 variable "target_tags" {
 description = "List of target tags to allow traffic using firewall rule."
 type = list(string)
+ default = null
+}
+
+variable "target_service_accounts" {
+ description = "List of target service accounts to allow traffic using firewall rule."
+ type = list(string)
+ default = null
 }
 variable "session_affinity" {
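Review bot: The new `description` of `target_service_accounts`, and the now-optional `target_tags` beside it, do not tell a caller that the two are mutually exclusive on a GCP firewall rule or what happens when both are left at their new `default = null`. Since these descriptions are what the generated README table shows, state the constraint here, e.g. `description = "List of target service accounts to allow traffic using firewall rule. Mutually exclusive with target_tags; if both are null the firewall rules apply to all instances in the network."` and a matching sentence on `target_tags`.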