Allow module output when configuring firewall

google/resource_compute_firewall.go

@@ -88,10 +88,10 @@ func resourceComputeFirewallSourceFieldsCustomizeDiff(_ context.Context, diff *s
 		_, sasOk := diff.GetOk("source_service_accounts")
 
 		_, tagsExist := diff.GetOkExists("source_tags")
-		// ranges is computed, but this is what we're trying to avoid, so we're not going to check this
+		_, rangesExist := diff.GetOkExists("source_ranges")
 		_, sasExist := diff.GetOkExists("source_service_accounts")
 
-		if !tagsOk && !rangesOk && !sasOk && !tagsExist && !sasExist {
+		if !tagsOk && !rangesOk && !sasOk && !tagsExist && !rangesExist && !sasExist {
 			return fmt.Errorf("one of source_tags, source_ranges, or source_service_accounts must be defined")
 		}
 	}
@@ -884,6 +884,7 @@ func flattenComputeFirewallAllow(v interface{}, d *schema.ResourceData, config *
 	}
 	return transformed
 }
+
 func flattenComputeFirewallAllowProtocol(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	return v
 }
@@ -915,6 +916,7 @@ func flattenComputeFirewallDeny(v interface{}, d *schema.ResourceData, config *C
 	}
 	return transformed
 }
+
 func flattenComputeFirewallDenyProtocol(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	return v
 }

google/resource_compute_firewall_test.go

@@ -239,6 +239,29 @@ func TestAccComputeFirewall_enableLogging(t *testing.T) {
 	})
 }
 
+func TestAccComputeFirewall_moduleOutput(t *testing.T) {
+	t.Parallel()
+
+	networkName := fmt.Sprintf("tf-test-firewall-%s", randString(t, 10))
+	firewallName := fmt.Sprintf("tf-test-firewall-%s", randString(t, 10))
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckComputeFirewallDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeFirewall_moduleOutput(networkName, firewallName),
+			},
+			{
+				ResourceName:      "google_compute_firewall.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccComputeFirewall_basic(network, firewall string) string {
 	return fmt.Sprintf(`
 resource "google_compute_network" "foobar" {
@@ -444,3 +467,40 @@ resource "google_compute_firewall" "foobar" {
 }
 `, network, firewall, enableLoggingCfg)
 }
+
+func testAccComputeFirewall_moduleOutput(network, firewall string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+  name = "%s"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "foobar" {
+  name          = "%s-subnet"
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+  network       = google_compute_network.foobar.name
+}
+
+resource "google_compute_address" "foobar" {
+	name         = "%s-address"
+	subnetwork   = google_compute_subnetwork.foobar.id
+	address_type = "INTERNAL"
+	region       = "us-central1"
+  }
+
+resource "google_compute_firewall" "foobar" {
+  name        = "%s"
+  description = "Resource created for Terraform acceptance testing"
+  network     = google_compute_network.foobar.name
+  direction   = "INGRESS"
+
+  source_ranges = ["${google_compute_address.foobar.address}/32"]
+  target_tags   = ["foo"]
+
+  allow {
+    protocol = "tcp"
+  }
+}
+`, network, network, network, firewall)
+}