PaloAltoNetworks · horiagunica · Oct 14, 2024 · Oct 2, 2024 · Oct 2, 2024 · Oct 8, 2024
@@ -137,7 +137,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | The name of the created or already existing VPC Network. | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project in which to create or look for VPCs and subnets | `string` | `null` | no |
 | <a name="input_routing_mode"></a> [routing\_mode](#input\_routing\_mode) | Type of network-wide routing mode to use. Possible types are: REGIONAL and GLOBAL.<br>REGIONAL routing mode will set the cloud routers to only advertise subnetworks within the same region as the router.<br>GLOBAL routing mode will set the cloud routers to advertise all the subnetworks that belong to this network. | `string` | `"REGIONAL"` | no |
-| <a name="input_subnetworks"></a> [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.<br>List of available attributes of each subnetwork entry:<br>- `name` : Name of the subnetwork.<br>- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.<br>- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.<br>- `region` : Region where to configure or import the subnet.<br>- `stack_type` : IP stack type. IPV4\_ONLY (default) and IPV4\_IPV6 are supported.<br>- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4\_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.<br><br>Example:<pre>subnetworks = {<br>  my-sub = {<br>    name = "my-sub"<br>    create_subnetwork = true<br>    ip_cidr_range = "192.168.0.0/24"<br>    region = "us-east1"<br>  }<br>}</pre> | <pre>map(object({<br>    name              = string<br>    create_subnetwork = optional(bool, true)<br>    ip_cidr_range     = string<br>    region            = string<br>    stack_type        = optional(string)<br>    ipv6_access_type  = optional(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_subnetworks"></a> [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.<br>List of available attributes of each subnetwork entry:<br>- `name` : Name of the subnetwork.<br>- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.<br>- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.<br>- `region` : Region where to configure or import the subnet.<br>- `stack_type` : IP stack type. IPV4\_ONLY (default) and IPV4\_IPV6 are supported.<br>- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4\_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.<br>- `log_config` : (Optional) A map containing the logging configuration for the subnetwork.<br>  - `aggregation_interval` : (Optional) The interval at which logs are aggregated for the subnetwork. Possible values are: `INTERVAL_5_SEC`, `INTERVAL_30_SEC`, `INTERVAL_1_MIN`, `INTERVAL_5_MIN`, `INTERVAL_10_MIN`, `INTERVAL_15_MIN`.<br>  - `flow_sampling` : (Optional) The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported.<br>  - `metadata` : (Optional) Configures whether metadata fields should be added to the reported VPC flow logs. Default value is `INCLUDE_ALL_METADATA`. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`, `CUSTOM_METADATA`.<br>  - `metadata_fields` : (Optional) List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and `metadata` is set to `CUSTOM_METADATA`.<br>  - `filter_expr` : (Optional) Export filter used to define which VPC flow logs should be logged, as as CEL expression.<br><br>Example:<pre>subnetworks = {<br>  my-sub = {<br>    name = "my-sub"<br>    create_subnetwork = true<br>    ip_cidr_range = "192.168.0.0/24"<br>    region = "us-east1"<br>  }<br>}</pre> | <pre>map(object({<br>    name              = string<br>    create_subnetwork = optional(bool, true)<br>    ip_cidr_range     = string<br>    region            = string<br>    stack_type        = optional(string)<br>    ipv6_access_type  = optional(string)<br>    log_config = optional(object({<br>      aggregation_interval = optional(string)<br>      flow_sampling        = optional(string)<br>      metadata             = optional(string)<br>      metadata_fields      = optional(list(string))<br>      filter_expr          = optional(string)<br>    }))<br>  }))</pre> | `{}` | no |
 
 ### Outputs
 

@@ -51,6 +51,18 @@ resource "google_compute_subnetwork" "this" {
   project          = var.project_id
   stack_type       = each.value.stack_type
   ipv6_access_type = each.value.ipv6_access_type
+
+  dynamic "log_config" {
+    for_each = each.value.log_config != null ? [each.value.log_config] : []
+
+    content {
+      aggregation_interval = log_config.value.aggregation_interval
+      flow_sampling        = log_config.value.flow_sampling
+      metadata             = log_config.value.metadata
+      metadata_fields      = log_config.value.metadata_fields
+      filter_expr          = log_config.value.filter_expr
+    }
+  }
 }
 
 resource "google_compute_firewall" "this" {
@@ -80,4 +92,4 @@ resource "google_compute_firewall" "this" {
       metadata = log_config.value
     }
   }
-}
+}
@@ -29,6 +29,12 @@ variable "subnetworks" {
   - `region` : Region where to configure or import the subnet.
   - `stack_type` : IP stack type. IPV4_ONLY (default) and IPV4_IPV6 are supported.
   - `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.
+  - `log_config` : (Optional) A map containing the logging configuration for the subnetwork.
+    - `aggregation_interval` : (Optional) The interval at which logs are aggregated for the subnetwork. Possible values are: `INTERVAL_5_SEC`, `INTERVAL_30_SEC`, `INTERVAL_1_MIN`, `INTERVAL_5_MIN`, `INTERVAL_10_MIN`, `INTERVAL_15_MIN`.
+    - `flow_sampling` : (Optional) The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported.
+    - `metadata` : (Optional) Configures whether metadata fields should be added to the reported VPC flow logs. Default value is `INCLUDE_ALL_METADATA`. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`, `CUSTOM_METADATA`.
+    - `metadata_fields` : (Optional) List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and `metadata` is set to `CUSTOM_METADATA`.
+    - `filter_expr` : (Optional) Export filter used to define which VPC flow logs should be logged, as as CEL expression.
 
   Example:
   ```
@@ -50,7 +56,26 @@ variable "subnetworks" {
     region            = string
     stack_type        = optional(string)
     ipv6_access_type  = optional(string)
+    log_config = optional(object({
+      aggregation_interval = optional(string)
+      flow_sampling        = optional(string)
+      metadata             = optional(string)
+      metadata_fields      = optional(list(string))
+      filter_expr          = optional(string)
+    }))
   }))
+  validation {
+    condition = alltrue([
+      for subnet in var.subnetworks :
+      subnet.log_config != null ? (anytrue([
+        (subnet.log_config.aggregation_interval != null && can(regex("^INTERVAL_(5_SEC|30_SEC|1_MIN|5_MIN|10_MIN|15_MIN)$", subnet.log_config.aggregation_interval)) ? true : false),
+        (subnet.log_config.metadata != null && can(regex("^(EXCLUDE_ALL_METADATA|INCLUDE_ALL_METADATA|CUSTOM_METADATA)$", subnet.log_config.metadata)) ? true : false),
+        (subnet.log_config.flow_sampling != null && can(subnet.log_config.flow_sampling >= 0 && subnet.log_config.flow_sampling <= 1) ? true : false),
+        (subnet.log_config.filter_expr != null ? true : false)
+      ])) : true
+    ])
+    error_message = "If log_config is specified, at least one of the following must be specified : aggregation_interval, metadata, flow_sampling, filter_expr."
+  }
 }
 
 variable "firewall_rules" {
@@ -180,4 +205,4 @@ variable "internal_ipv6_range" {
   EOF
   type        = string
   default     = ""
-}
+}