When managing GCP firewall policies / rules using terraform - how to know what the ID is?


I've been referring to this guide: https://cloud.google.com/blog/topics/developers-practitioners/hierarchical-firewall-policy-automation-terraform and, unless I'm reading it wrong, it seems to start with the assumption that I have a folder set up already.

What I've tried so far is:

  • Creating a firewall policy manually via the GCP web console (i.e. with a mouse, etc.)
  • Creating a resource block in terraform
  • Running terraform import

The resource block:

resource "google_compute_firewall_policy" "fw-policy-name" {
}

The terraform command:

terraform import google_compute_firewall_policy.fw-policy-name fw-policy-name

When I run this I get the following error:

Error: Error when reading or editing ComputeFirewallPolicy "locations/global/firewallPolicies/fw-policy-name": googleapi: Error 400: Invalid value for field 'firewallPolicy': 'firewallPolicies/fw-policy-name'. Must be a match of regex '(firewallPolicies/)?[0-9]{0,20}', invalid

I think (though I'm not sure) that this is suggesting that I use the following for the import command:

terraform import google_compute_firewall_policy.fw-policy-name <FOLDER ID INTEGER>

Is that correct?

I don't know how to either create a new folder, or to check which folder the firewall policy I've created sits within.

For context, I want to have the network / firewall settings for compute instances managed via terraform.


Paul Gledhill On

The document you reference is talking about setting firewall policies that would apply across a complex multi-project organisation. If you are just wanting to control firewall settings for compute instances, then I'd recommend using network-tags.

When creating instances using the google_compute_instance resource type, you would specify one or more network tags using the tags argument, for example web-server:

resource "google_compute_instance" "default" {
  name         = "my-instance"
  machine_type = "n2-standard-2"
  zone         = "us-central1-a"

  tags = ["web-server"]

  # ... remaining required arguments (boot_disk, network_interface) omitted
}

You then specify firewall rules using the google_compute_firewall resource:

resource "google_compute_firewall" "rules" {
  project     = "my-project-name"
  name        = "my-firewall-rule"
  network     = "default"
  description = "Creates firewall rule targeting tagged instances"

  allow {
    protocol  = "tcp"
    ports     = ["80", "443",]
  }

  target_tags = ["web-server"]
}
Reynaldo Aceves On

This error is expected, as you need to specify the firewall policy ID, not the name; that is why you get the 400: Invalid value for field.

To get the IDs you can run the commands below:

  $ gcloud compute firewall-policies  list --organization=123456789123
    ID: 987654321012
    DISPLAY_NAME: orgpolicytest
    DESCRIPTION: 

Then, to get the selfLink, run the command below:

  $ gcloud compute firewall-policies  describe orgpolicytest --organization=123456789123 --format 'value(selfLink)'
    https://www.googleapis.com/compute/v1/locations/global/firewallPolicies/987654321012

And finally, import by running the command below with the ID, which is what is considered the name (I know this is an issue in the documentation; I will need to report this).

$ terraform import google_compute_firewall_policy.default locations/global/firewallPolicies/{{name}}
$ terraform import google_compute_firewall_policy.default locations/global/firewallPolicies/987654321012
Or
$ terraform import google_compute_firewall_policy.default {{name}}
$ terraform import google_compute_firewall_policy.default 987654321012
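To make the "ID, not name" rule concrete, here is an added example (my own, not code from either answer) that resolves a console display name to the numeric policy ID from the JSON form of the gcloud list output and checks the candidate import ID against the regex quoted in the 400 error before building the import command. The JSON field names (id, displayName) and all values are assumptions constructed for the example; the real check is to run the gcloud commands above.

```python
import json
import re

# Accepted identifier forms: the bare numeric ID, "firewallPolicies/<id>"
# (the regex quoted in the 400 error), or the full selfLink-style path that
# the answer above shows Terraform accepting. An empty ID is never useful,
# so this requires at least one digit where the API regex allows zero.
POLICY_ID_RE = re.compile(
    r"^(locations/global/firewallPolicies/|firewallPolicies/)?[0-9]{1,20}$"
)

# Constructed sample of `gcloud compute firewall-policies list --format=json`
# (field names assumed from the API resource; IDs and names are made up).
SAMPLE_LIST_JSON = json.dumps([
    {"id": "987654321012", "displayName": "orgpolicytest", "description": ""},
    {"id": "112233445566", "displayName": "fw-policy-name", "description": "test"},
])


def is_valid_import_id(candidate: str) -> bool:
    """True if the API/Terraform will accept this as a firewall policy identifier."""
    return POLICY_ID_RE.match(candidate) is not None


def resolve_policy_id(list_json: str, display_name: str) -> str:
    """Map the display name shown in the console to the numeric policy ID."""
    matches = [p["id"] for p in json.loads(list_json)
               if p.get("displayName") == display_name]
    if len(matches) != 1:
        # Display names are not unique: refuse to guess rather than risk
        # importing (and later managing) a different org-level policy.
        raise LookupError(
            f"expected exactly one policy named {display_name!r}, found {len(matches)}")
    return matches[0]


def import_command(tf_address: str, list_json: str, display_name: str) -> str:
    """Build the terraform import command using the full path form of the ID."""
    policy_id = resolve_policy_id(list_json, display_name)
    import_id = f"locations/global/firewallPolicies/{policy_id}"
    if not is_valid_import_id(import_id):
        raise ValueError(f"refusing to import with invalid identifier {import_id!r}")
    return f"terraform import {tf_address} {import_id}"
```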