feat: add optional firewall logging configuration

modules/composer_net/README.md

@@ -12,6 +12,8 @@ This example illustrates how to use the `composer-net` module. Please see exampl
 | composer\_sa\_name | Service Account name to be used for running Cloud Composer Environment. | `string` | `"composer-sa"` | no |
 | dns\_name | The DNS name of the managed zone | `string` | `"composer.cloud.google.com."` | no |
 | dns\_zone\_name | Composer DNS private zone name | `string` | `"composer-google-cloud-dns"` | no |
+| enable\_firewall\_logging | Enable logging for firewall rules | `bool` | `true` | no |
+| firewall\_logging\_metadata | The logging metadata to include in firewall logs. Options: INCLUDE\_ALL\_METADATA or EXCLUDE\_ALL\_METADATA | `string` | `"INCLUDE_ALL_METADATA"` | no |
 | gke\_pods\_services\_ip\_ranges | The secondary IP ranges for the GKE Pods and Services IP ranges | `list(string)` | n/a | yes |
 | gke\_subnet\_ip\_range | The GKE subnet IP range | `list(string)` | n/a | yes |
 | master\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for the master. | `string` | `null` | no |

modules/composer_net/fw.tf

@@ -45,8 +45,11 @@ resource "google_compute_firewall" "allow-composer-dns-egress" {
   direction               = "EGRESS"
   destination_ranges      = ["0.0.0.0/0"]
   target_service_accounts = [google_service_account.composer_sa.email]
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }
 /***
@@ -69,8 +72,11 @@ resource "google_compute_firewall" "allow-gke-egress-secondary-ranges" {
   destination_ranges = concat(var.gke_subnet_ip_range, var.gke_pods_services_ip_ranges)
   # destination_ranges = ["10.1.0.0/16","10.4.0.0/16", "10.10.10.0/24","10.10.14.0/24", "10.100.232.0/27"]
   target_service_accounts = [google_service_account.composer_sa.email]
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }
 
@@ -91,8 +97,11 @@ resource "google_compute_firewall" "allow-gkeworkers-egress-master-ip" {
   direction               = "EGRESS"
   destination_ranges      = var.master_ipv4_cidr != null ? [var.master_ipv4_cidr] : []
   target_service_accounts = [google_service_account.composer_sa.email]
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }
 
@@ -112,8 +121,11 @@ resource "google_compute_firewall" "allow-gkeworkers-restricted-vip" {
   direction               = "EGRESS"
   destination_ranges      = local.restricted_vip
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }
 /***
@@ -133,8 +145,11 @@ resource "google_compute_firewall" "allow-healthcheck-ingress-composer-gke" {
   target_service_accounts = [google_service_account.composer_sa.email]
   direction               = "INGRESS"
   source_ranges           = local.load_balancer_ips
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }
 /***
@@ -153,8 +168,11 @@ resource "google_compute_firewall" "allow-healthcheck-egress-composer-gke" {
   direction               = "EGRESS"
   destination_ranges      = local.load_balancer_ips
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }
 
@@ -174,7 +192,10 @@ resource "google_compute_firewall" "allow-gkeworkers-composer-network-ip" {
   direction               = "EGRESS"
   destination_ranges      = var.cloud_composer_network_ipv4_cidr_block != null ? [var.cloud_composer_network_ipv4_cidr_block] : []
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.enable_firewall_logging ? [1] : []
+    content {
+      metadata = var.firewall_logging_metadata
+    }
   }
 }

modules/composer_net/variables.tf

@@ -89,3 +89,20 @@ variable "composer_sa_name" {
   type        = string
   default     = "composer-sa"
 }
+
+variable "enable_firewall_logging" {
+  description = "Enable logging for firewall rules"
+  type        = bool
+  default     = true
+}
+
+variable "firewall_logging_metadata" {
+  description = "The logging metadata to include in firewall logs. Options: INCLUDE_ALL_METADATA or EXCLUDE_ALL_METADATA"
+  type        = string
+  default     = "INCLUDE_ALL_METADATA"
+
+  validation {
+    condition     = contains(["INCLUDE_ALL_METADATA", "EXCLUDE_ALL_METADATA"], var.firewall_logging_metadata)
+    error_message = "firewall_logging_metadata must be either 'INCLUDE_ALL_METADATA' or 'EXCLUDE_ALL_METADATA'."
+  }
+}