Help with modules and resources

I’m having trouble with mixing modules and resources. I have a file,, and this file uses variables from an incoming file to set firewall rules. Inside the file is a module which is what is consuming these variables in order to create firewall rules, the source is another repository. It’s working fine.

However, I’m being told that I also have to add a “google_compute_firewall” resource in the same file. This doesn’t make sense to me since the sourced repository used by the module already uses this resource to actually create the rules. I basically just create a single module, source it, pass in the variables. I’m not sure why I would need to do this, and even if I did, if my file contained a module, and then had the google_compute_firewall resource defined in it as well, how it would work when the incoming variables (one is a map of the rules to create) would be seen by the module and by the resource. I may just be missing something here. There are no differences between the variables sent to the module compared to the ones which would be used by declaring the resource.

I’m sorry if that’s a bit jumbled up, I can provide some code if it would help any.


Yes it would - the prose description is fairly hard to follow.

This is what we currently have:

module "firewall_rules"{   
   source = "git::"
   network = var.network_name
   project_id = var.network_project_id
   rules   = var.firewall_rules

This is what I’m being told has to be added:

resource "google_compute_firewall" "myrule" {

    project = var.network_project_id
    network = var.network_name

That’s just a brief example, but if these were both in the the file, wouldn’t the same variables be used twice, once in the module, once in the resource, each time? Seems as if it would create duplicate rules.

And the var.firewall_rules is a map of the rules and isn’t really what I was aiming for help with, more of a how the heck would this work question.


You appear to be being told to create a firewall object before adding rules to it. That seems reasonable to me (not knowing anything about GCE though)

You probably shouldn’t use the misleading name myrule to identify the firewall resource, though.

Hi, “myrule” is just a placeholder, no worries :slight_smile: The firewall already exists in a shared vpc, so the network_project_id is the name of the project where the shared vpc lives. It creates the rule there. And they want BOTH the module and the resource in the exact same file. That’s where I’m getting really confused.