I have a firewall rule in my GCP project and the values are read from variables at run time. It works successfully; however, I now have a use case where I want to add a deny block instead of an allow. You cannot have both in there, so is there a way to have the allow block be replaced by a deny block based on a condition?
Perhaps if the variable name is X, then use a deny block, or else use an allow block. See sample code below.
```hcl
resource "google_compute_firewall" "fw" {
  # ... (name, network and other arguments omitted in the post)

  # One allow block per key of var.somevariable, selected by count.index
  allow {
    protocol = var.somevariable[element(keys(var.somevariable), count.index)]["protocol"]
    ports    = var.somevariable[element(keys(var.somevariable), count.index)]["ports"]
  }

  # ...
}
```
I think it's a job for what they call dynamic blocks.
In short: I see it as having two dynamic blocks, one for allow and one for deny. Each of them would use some conditions (which might be mutually exclusive). A stub of your code could be:
```hcl
resource "google_compute_firewall" "fw" {
  # Emits one allow block per element of var.allow_entries
  dynamic "allow" {
    for_each = var.allow_entries
    content {
      protocol = allow.value.protocol
      ports    = allow.value.ports
    }
  }

  # The provider's block for denied traffic is named "deny", not "block"
  dynamic "deny" {
    for_each = var.block_entries
    content {
      protocol = deny.value.protocol
      ports    = deny.value.ports
    }
  }
}
```
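A complete, working version of the idea in the answer above, as an added example that is not part of the original question or answer. It selects the action with a single variable so that exactly one of the two `for_each` expressions is non-empty, which matters because GCP (and the Terraform provider) reject a firewall rule that carries both `allow` and `deny`. The variable names `rule_action` and `rule_entries`, the network `default`, the source range and the priorities are assumptions chosen for illustration.

```hcl
# Added example, not the original poster's code. The variable names, the
# network, the source range and the priority values are assumptions.

variable "rule_action" {
  description = "Whether this rule allows or denies the listed traffic."
  type        = string
  default     = "allow"

  validation {
    condition     = contains(["allow", "deny"], var.rule_action)
    error_message = "rule_action must be either \"allow\" or \"deny\"."
  }
}

variable "rule_entries" {
  description = "Protocol/port entries, keyed by a label (constructed sample defaults)."
  type = map(object({
    protocol = string
    ports    = list(string)
  }))
  default = {
    ssh   = { protocol = "tcp", ports = ["22"] }
    https = { protocol = "tcp", ports = ["443"] }
  }
}

resource "google_compute_firewall" "fw" {
  name      = "fw-${var.rule_action}-example"
  network   = "default"
  direction = "INGRESS"

  # Lower number = higher priority. A deny rule only takes effect if it
  # outranks the allow rules that would otherwise match the same traffic,
  # so a deny gets a more urgent priority than the default 1000.
  priority = var.rule_action == "deny" ? 900 : 1000

  # Assumed source range; tighten to what the use case really needs.
  source_ranges = ["10.0.0.0/8"]

  # Only one of the two for_each expressions evaluates to a non-empty map,
  # so the resource ends up with allow blocks or deny blocks, never both.
  dynamic "allow" {
    for_each = var.rule_action == "allow" ? var.rule_entries : {}
    content {
      protocol = allow.value.protocol
      ports    = allow.value.ports
    }
  }

  dynamic "deny" {
    for_each = var.rule_action == "deny" ? var.rule_entries : {}
    content {
      protocol = deny.value.protocol
      ports    = deny.value.ports
    }
  }
}
```

Run it with `terraform plan -var='rule_action=deny'` and the plan shows only `deny` blocks; with the default it shows only `allow` blocks. The `validation` block turns a typo in the action into a plan-time error rather than a silently empty rule, and the priority split is the part people most often forget: a deny with the same priority as an existing allow does not reliably win, so give it a lower number.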