feat(TPG>6.42)!: Add policy_type variable to network firewall policy (#657)

SwarnaBharathiMantena · imrannayer · web-flow · commit 3ca6e5ecbee6 · 2026-01-28T11:12:19.000-06:00
Co-authored-by: Imran Nayer &lt;imrannayer@google.com&gt;
diff --git a/docs/upgrading_to_v14.0.0.md b/docs/upgrading_to_v14.0.0.md
@@ -0,0 +1,6 @@
+# Upgrading to v14.0.0
+
+The v14.0 release contains backwards-incompatible changes.
+
+This update requires upgrading:
+- minimum provider version of `hashicorp/google` to `6.42` for network-firewall-policy sub-module.
diff --git a/modules/network-connectivity-center/metadata.display.yaml b/modules/network-connectivity-center/metadata.display.yaml
@@ -34,6 +34,9 @@ spec:
         hybrid_spokes:
           name: hybrid_spokes
           title: Hybrid Spokes
+        ncc_groups:
+          name: ncc_groups
+          title: Ncc Groups
         ncc_hub_description:
           name: ncc_hub_description
           title: Ncc Hub Description
@@ -43,6 +46,12 @@ spec:
         ncc_hub_name:
           name: ncc_hub_name
           title: Ncc Hub Name
+        ncc_hub_policy_mode:
+          name: ncc_hub_policy_mode
+          title: Ncc Hub Policy Mode
+        ncc_hub_preset_topology:
+          name: ncc_hub_preset_topology
+          title: Ncc Hub Preset Topology
         project_id:
           name: project_id
           title: Project Id
diff --git a/modules/network-firewall-policy/README.md b/modules/network-firewall-policy/README.md
@@ -134,6 +134,7 @@ module "network_firewall_policy" {
 | description | An optional description of this resource. Provide this property when you create the resource | `string` | `null` | no |
 | policy\_name | User-provided name of the Network firewall policy | `string` | n/a | yes |
 | policy\_region | Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) | `string` | `null` | no |
+| policy\_type | Policy type is used to determine which resources (networks) the policy can be associated with. A policy can be associated with a network only if the network has the matching policyType in its network profile. Different policy types may support some of the Firewall Rules features. Possible values are: VPC\_POLICY, RDMA\_ROCE\_POLICY. | `string` | `null` | no |
 | project\_id | Project ID of the Network firewall policy | `string` | n/a | yes |
 | rules | List of Ingress/Egress rules | <pre>list(object({<br>    priority                = number<br>    direction               = string<br>    action                  = string<br>    rule_name               = optional(string)<br>    disabled                = optional(bool)<br>    description             = optional(string)<br>    enable_logging          = optional(bool)<br>    target_secure_tags      = optional(list(string))<br>    target_service_accounts = optional(list(string))<br>    match = object({<br>      src_ip_ranges             = optional(list(string), [])<br>      src_fqdns                 = optional(list(string), [])<br>      src_region_codes          = optional(list(string), [])<br>      src_secure_tags           = optional(list(string), [])<br>      src_threat_intelligences  = optional(list(string), [])<br>      src_address_groups        = optional(list(string), [])<br>      dest_ip_ranges            = optional(list(string), [])<br>      dest_fqdns                = optional(list(string), [])<br>      dest_region_codes         = optional(list(string), [])<br>      dest_threat_intelligences = optional(list(string), [])<br>      dest_address_groups       = optional(list(string), [])<br>      layer4_configs = optional(list(object({<br>        ip_protocol = optional(string, "all")<br>        ports       = optional(list(string), [])<br>      })), [{}])<br>    })<br>    is_mirroring              = optional(bool, false)<br>    tls_inspect               = optional(bool, false)<br>    security_profile_group_id = optional(string)<br>    src_networks              = optional(list(string), [])<br>    src_network_scope         = optional(string)<br>    dest_network_scope        = optional(string)<br>  }))</pre> | `[]` | no |
 | target\_vpcs | List of target VPC IDs that the firewall policy will be attached to | `list(string)` | `[]` | no |
diff --git a/modules/network-firewall-policy/main.tf b/modules/network-firewall-policy/main.tf
@@ -26,6 +26,7 @@ resource "google_compute_network_firewall_policy" "fw_policy" {
   name        = var.policy_name
   project     = var.project_id
   description = var.description
+  policy_type = var.policy_type
 }
 
 resource "google_compute_network_firewall_policy_association" "vpc_associations" {
@@ -143,6 +144,7 @@ resource "google_compute_region_network_firewall_policy" "fw_policy" {
   project     = var.project_id
   description = var.description
   region      = var.policy_region
+  policy_type = var.policy_type
 }
 
 resource "google_compute_region_network_firewall_policy_association" "vpc_associations" {
diff --git a/modules/network-firewall-policy/metadata.display.yaml b/modules/network-firewall-policy/metadata.display.yaml
@@ -37,6 +37,9 @@ spec:
         policy_region:
           name: policy_region
           title: Policy Region
+        policy_type:
+          name: policy_type
+          title: Policy Type
         project_id:
           name: project_id
           title: Project Id
diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml
@@ -114,6 +114,9 @@ spec:
       - name: policy_region
         description: Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy)
         varType: string
+      - name: policy_type
+        description: "Policy type is used to determine which resources (networks) the policy can be associated with. A policy can be associated with a network only if the network has the matching policyType in its network profile. Different policy types may support some of the Firewall Rules features. Possible values are: VPC_POLICY, RDMA_ROCE_POLICY."
+        varType: string
       - name: rules
         description: List of Ingress/Egress rules
         varType: |-
diff --git a/modules/network-firewall-policy/variables.tf b/modules/network-firewall-policy/variables.tf
@@ -46,6 +46,12 @@ variable "policy_region" {
   default     = null
 }
 
+variable "policy_type" {
+  description = "Policy type is used to determine which resources (networks) the policy can be associated with. A policy can be associated with a network only if the network has the matching policyType in its network profile. Different policy types may support some of the Firewall Rules features. Possible values are: VPC_POLICY, RDMA_ROCE_POLICY."
+  type        = string
+  default     = null
+}
+
 variable "rules" {
   description = "List of Ingress/Egress rules"
   type = list(object({
diff --git a/modules/network-firewall-policy/versions.tf b/modules/network-firewall-policy/versions.tf
@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.28, < 8"
+      version = ">= 6.42, < 8"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.28, < 8"
+      version = ">= 6.42, < 8"
     }
   }
 
diff --git a/modules/private-service-connect-producer/metadata.display.yaml b/modules/private-service-connect-producer/metadata.display.yaml
@@ -40,17 +40,17 @@ spec:
           name: consumer_accept_lists
           title: Consumer Accept Lists
           properties:
+            connection_limit:
+              name: connection_limit
+              title: Connection Limit
+            network_url:
+              name: network_url
+              title: Network URL
             project_id_or_num:
               name: project_id_or_num
               title: Project ID or Number
               regexValidation: (^[a-z]([-a-z0-9]*[a-z0-9])?)|(^[0-9]{1,12}$)
               validation: Must be a valid Google Cloud project ID or number.
-            network_url:
-              name: network_url
-              title: Network URL
-            connection_limit:
-              name: connection_limit
-              title: Connection Limit
         consumer_reject_lists:
           name: consumer_reject_lists
           title: Consumer Reject Lists
@@ -69,11 +69,6 @@ spec:
           name: nat_subnets
           title: Nat Subnets
           properties:
-            subnet_name:
-              name: subnet_name
-              title: Subnet Name
-              regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?
-              validation: Use lowercase letters, numbers, and hyphens. Must start with a letter. If longer than 1 character, it must end with a letter or number. Maximum length is 63 characters.
             ipv4_range:
               name: ipv4_range
               title: IPv4 Range

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ resource "google_compute_network_firewall_policy" "fw_policy" {`
`26`	`26`	`name = var.policy_name`
`27`	`27`	`project = var.project_id`
`28`	`28`	`description = var.description`
	`29`	`+ policy_type = var.policy_type`
`29`	`30`	`}`
`30`	`31`
`31`	`32`	`resource "google_compute_network_firewall_policy_association" "vpc_associations" {`
`@@ -143,6 +144,7 @@ resource "google_compute_region_network_firewall_policy" "fw_policy" {`
`143`	`144`	`project = var.project_id`
`144`	`145`	`description = var.description`
`145`	`146`	`region = var.policy_region`
	`147`	`+ policy_type = var.policy_type`
`146`	`148`	`}`
`147`	`149`
`148`	`150`	`resource "google_compute_region_network_firewall_policy_association" "vpc_associations" {`
Original file line number	Diff line number	Diff line change
`@@ -20,11 +20,11 @@ terraform {`
`20`	`20`	`required_providers {`
`21`	`21`	`google = {`
`22`	`22`	`source = "hashicorp/google"`
`23`		`- version = ">= 6.28, < 8"`
	`23`	`+ version = ">= 6.42, < 8"`
`24`	`24`	`}`
`25`	`25`	`google-beta = {`
`26`	`26`	`source = "hashicorp/google-beta"`
`27`		`- version = ">= 6.28, < 8"`
	`27`	`+ version = ">= 6.42, < 8"`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`