feat(dynamic_backends): Add enable_firewall variable for health check

[namcxn]

Description

This PR adds support for enabling/disabling the creation of firewall rules for health checks, addressing use cases where users manage firewall rules externally (e.g., in shared VPC host projects).

Problem Statement

When using a shared VPC architecture, firewall rules are typically created and managed in the host project rather than the service project. The module currently creates health check firewall rules automatically when firewall_networks is specified, which can cause conflicts or duplicate rules when users already have dedicated firewall rules for health checks in their host project.

Solution

This PR introduces a new variable enable_firewall (or similar naming) that allows users to opt-in or opt-out of health check firewall rule creation. This provides flexibility for:

• Shared VPC scenarios: Users who manage firewall rules in the host project can disable automatic rule creation
• Existing firewall rules: Users who already have health check firewall rules can prevent duplicate rule creation
• Custom firewall management: Organizations with centralized firewall management can disable module-managed rules

Changes Made

1. Dynamic backends module (modules/dynamic_backends/main.tf): Already had enable_firewall support; verified consistency
2. Variables: Added enable_firewall variable to root and backend modules with appropriate defaults to maintain backward compatibility

Implementation Details

The firewall rule resource now uses a conditional count:

resource "google_compute_firewall" "default-hc" {
  count   = var.enable_firewall ? length(var.firewall_networks) : 0
  project = length(var.firewall_networks) == 1 && var.firewall_projects[0] == "default" ? var.project : var.firewall_projects[count.index]
  name    = "${var.name}-hc-${count.index}"
  network = var.firewall_networks[count.index]
  source_ranges = [
    "130.211.0.0/22",
    "35.191.0.0/16"
  ]
  target_tags             = length(var.target_tags) > 0 ? var.target_tags : null
  target_service_accounts = length(var.target_service_accounts) > 0 ? var.target_service_accounts : null

  dynamic "allow" {
    for_each = local.health_checked_backends
    content {
      protocol = "tcp"
      ports    = [allow.value["health_check"].port]
    }
  }
}

Backward Compatibility

• Default behavior preserved: The enable_firewall variable defaults to true, ensuring existing configurations continue to work without modification
• No breaking changes: All existing module invocations will continue to create firewall rules as before

Usage Example

Disable firewall rule creation (for shared VPC scenarios):

module "lb" {
  source = "terraform-google-modules/lb-http/google"
  
  name    = "my-lb"
  project = "my-project"
  
  # Disable automatic firewall rule creation
  enable_firewall = false
  
  # ... other configuration
}

Enable firewall rule creation (default behavior):

module "lb" {
  source = "terraform-google-modules/lb-http/google"
  
  name    = "my-lb"
  project = "my-project"
  
  # Explicitly enable (or omit, as true is the default)
  enable_firewall = true
  
  # ... other configuration
}

Related Issues

Fixes #534

Checklist

• Code follows the project's style guidelines
• Self-review completed
• Comments added for complex logic
• Documentation updated (if applicable)
• Changes tested locally
• No new warnings or errors introduced

[namcxn]

Hey @ayushmjain @imrannayer @q2w,
could you take a look and any feedback on this?

[namcxn]

Hey @ayushmjain @imrannayer @q2w

Any update? Do I need to change anything in this PR?

[namcxn]

/gcbrun