Merge pull request #23 from nick4fake/fix/18

Fixes #18: Add support for service account-based firewall targets

README.md

@@ -58,7 +58,8 @@ Full functional examples are located in the [examples](./examples/) directory.
 | region | Region used for GCP resources. | string | n/a | yes |
 | service\_port | TCP port your service is listening on. | number | n/a | yes |
 | session\_affinity | How to distribute load. Options are `NONE`, `CLIENT_IP` and `CLIENT_IP_PROTO` | string | `"NONE"` | no |
-| target\_tags | List of target tags to allow traffic using firewall rule. | list(string) | n/a | yes |
+| target\_tags | List of target tags to allow traffic using firewall rule. | list(string) | null | no |
+| target\_service\_accounts | List of target service accounts to allow traffic using firewall rule. | list(string) | null | no |
 
 ## Outputs
 

examples/basic/main.tf

@@ -16,6 +16,7 @@
 
 data "template_file" "instance_startup_script" {
   template = file("${path.module}/templates/gceme.sh.tpl")
+
   vars = {
     PROXY_PATH = ""
   }
@@ -32,7 +33,7 @@ module "instance_template" {
   source_image_family  = var.image_family
   source_image_project = var.image_project
   startup_script       = data.template_file.instance_startup_script.rendered
-  tags                 = ["allow-lb-service"]
+
   service_account = {
     email  = google_service_account.instance-group.email
     scopes = ["cloud-platform"]
@@ -46,11 +47,13 @@ module "managed_instance_group" {
   target_size       = 2
   hostname          = "mig-simple"
   instance_template = module.instance_template.self_link
+
   target_pools = [
     module.load_balancer_default.target_pool,
     module.load_balancer_no_hc.target_pool,
     module.load_balancer_custom_hc.target_pool
   ]
+
   named_ports = [{
     name = "http"
     port = 80
@@ -62,26 +65,29 @@ module "load_balancer_default" {
   source       = "../../"
   region       = var.region
   service_port = 80
-  target_tags  = ["allow-lb-service"]
   network      = google_compute_network.network.name
+
+  target_service_accounts = [google_service_account.instance-group.email]
 }
 
 module "load_balancer_no_hc" {
   name                 = "basic-load-balancer-no-hc"
   source               = "../../"
   region               = var.region
   service_port         = 80
-  target_tags          = ["allow-lb-service"]
   network              = google_compute_network.network.name
   disable_health_check = true
+
+  target_service_accounts = [google_service_account.instance-group.email]
 }
 
 module "load_balancer_custom_hc" {
   name         = "basic-load-balancer-custom-hc"
   source       = "../../"
   region       = var.region
   service_port = 8080
-  target_tags  = ["allow-lb-service"]
   network      = google_compute_network.network.name
   health_check = local.health_check
+
+  target_service_accounts = [google_service_account.instance-group.email]
 }

main.tf

@@ -64,7 +64,10 @@ resource "google_compute_firewall" "default-lb-fw" {
   }
 
   source_ranges = ["0.0.0.0/0"]
-  target_tags   = var.target_tags
+
+  target_tags = var.target_tags
+
+  target_service_accounts = var.target_service_accounts
 }
 
 resource "google_compute_firewall" "default-hc-fw" {
@@ -79,5 +82,8 @@ resource "google_compute_firewall" "default-hc-fw" {
   }
 
   source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"]
-  target_tags   = var.target_tags
+
+  target_tags = var.target_tags
+
+  target_service_accounts = var.target_service_accounts
 }

variables.tf

@@ -50,6 +50,13 @@ variable "service_port" {
 variable "target_tags" {
   description = "List of target tags to allow traffic using firewall rule."
   type        = list(string)
+  default     = null
+}
+
+variable "target_service_accounts" {
+  description = "List of target service accounts to allow traffic using firewall rule."
+  type        = list(string)
+  default     = null
 }
 
 variable "session_affinity" {