# Decentralized firewall management

This example shows how decentralized firewall management can be organized using the [firewall factory](../../factories/net-vpc-firewall-yaml/README.md).

This approach is a good fit when Shared VPCs are used across multiple application/infrastructure teams. A central repository keeps environment- and team-specific folders with firewall definitions in `yaml` format, so each team owns its own rules while the network team owns the repository, the review process and the apply step.

In the current blueprint multiple teams can define their [VPC Firewall Rules](https://cloud.google.com/vpc/docs/firewalls) for the [dev](./firewall/dev) and [prod](./firewall/prod) environments using team-specific subfolders. Rules defined in the [common](./firewall/common) folder are applied to both the dev and prod environments.

> **_NOTE:_** Common rules are meant for situations where [hierarchical firewall policies](https://cloud.google.com/vpc/docs/firewall-policies) do not map precisely to requirements (e.g. rules that need to be scoped to service accounts).

This is the high level diagram:

![High-level diagram](diagram.png "High-level diagram")

The rules can be validated either with an automated process or a manual process (or a combination of the two). An example YAML validator based on [Yamale](https://github.com/23andMe/Yamale) is provided in the [`validator/`](validator/) subdirectory; it can be run as a step of a CI/CD pipeline so that rule changes are checked before they are merged and applied.

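Whether validation runs in CI or by hand, the checks a network team actually wants are a structural pass (required keys, well-formed CIDRs and ports, a known environment folder) plus a policy pass that rejects rules no team should be able to merge on its own. The following is an added example of such a check in plain Python; it is not the Yamale validator shipped in `validator/` and not part of the blueprint. The rule layout (`description`, `direction`, `action`, `ranges`, `rules` with `protocol` and `ports`), the `ADMIN_PORTS` set and the `SAMPLE_RULES` are assumptions constructed for the example, not the factory's exact schema.

```python
import ipaddress
import sys

# Folder layout from the README: team rules under dev/ or prod/,
# shared rules under common/.
ENVIRONMENTS = ("dev", "prod", "common")
# Assumption for this example: ports no team may open to the internet.
ADMIN_PORTS = {22, 3389}
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "sctp", "all"}

# Constructed sample, keyed "<folder>/<file>/<rule>" as a loader would
# produce after yaml.safe_load() over firewall/. The field names are an
# assumed layout for the example, not the factory's exact schema.
SAMPLE_RULES = {
    "dev/team-a/allow-ssh-from-bastion": {
        "description": "SSH from the bastion subnet", "priority": 1000,
        "direction": "INGRESS", "action": "allow", "ranges": ["10.0.32.0/28"],
        "rules": [{"protocol": "tcp", "ports": [22]}]},
    "prod/team-b/allow-any-ssh": {
        "description": "SSH from anywhere",
        "direction": "INGRESS", "action": "allow", "ranges": ["0.0.0.0/0"],
        "rules": [{"protocol": "tcp", "ports": [22]}]},
    "common/allow-healthchecks": {
        "description": "Google load balancer health checks",
        "direction": "INGRESS", "action": "allow",
        "ranges": ["35.191.0.0/16", "130.211.0.0/22"],
        "rules": [{"protocol": "tcp", "ports": [80, "8000-8999"]}]},
    "prod/team-b/broken": {  # no description, malformed CIDR
        "direction": "INGRESS", "action": "allow", "ranges": ["10.0.0.300/24"],
        "rules": [{"protocol": "udp", "ports": [53]}]},
}


def _port_range(port):
    """Return (lo, hi) for an int, 'n' or 'a-b' port entry, None if malformed."""
    if isinstance(port, bool):
        return None
    try:
        if isinstance(port, int):
            lo = hi = port
        else:
            lo_s, _, hi_s = str(port).partition("-")
            lo, hi = int(lo_s), int(hi_s or lo_s)
    except ValueError:
        return None
    return (lo, hi) if 0 <= lo <= hi <= 65535 else None


def validate_rule(name, rule):
    """Return the list of findings for one rule; an empty list means it passes."""
    findings = []
    if name.split("/", 1)[0] not in ENVIRONMENTS:
        findings.append(f"{name}: must live under one of {ENVIRONMENTS}")
    for key in ("description", "direction", "action", "ranges", "rules"):
        if key not in rule:
            findings.append(f"{name}: missing required key '{key}'")
    if rule.get("direction") not in ("INGRESS", "EGRESS"):
        findings.append(f"{name}: direction must be INGRESS or EGRESS")
    if rule.get("action") not in ("allow", "deny"):
        findings.append(f"{name}: action must be allow or deny")
    priority = rule.get("priority", 1000)
    if isinstance(priority, bool) or not isinstance(priority, int) or not 0 <= priority <= 65535:
        findings.append(f"{name}: priority must be an integer in 0..65535")
    networks = []
    for cidr in rule.get("ranges", []):
        try:  # strict=True also rejects host bits set, e.g. 10.0.0.1/24
            networks.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            findings.append(f"{name}: invalid CIDR '{cidr}'")
    ports = []
    for entry in rule.get("rules", []):
        if entry.get("protocol") not in PROTOCOLS:
            findings.append(f"{name}: unknown protocol {entry.get('protocol')!r}")
        for port in entry.get("ports", []):
            span = _port_range(port)
            if span is None:
                findings.append(f"{name}: malformed port {port!r}")
            else:
                ports.append(span)
    # Policy check: an allow rule for ingress from 0.0.0.0/0 or ::/0 that
    # covers an admin port fails review no matter which team wrote it.
    if (rule.get("direction") == "INGRESS" and rule.get("action") == "allow"
            and any(n in WORLD for n in networks)):
        exposed = sorted(p for p in ADMIN_PORTS
                         if any(lo <= p <= hi for lo, hi in ports))
        if exposed:
            findings.append(f"{name}: admin port(s) {exposed} open to the internet")
    return findings


def validate_all(rules):
    """Validate every rule; a CI job fails the merge if the result is non-empty."""
    return [f for name, rule in rules.items() for f in validate_rule(name, rule)]


if __name__ == "__main__":
    problems = validate_all(SAMPLE_RULES)
    print("\n".join(problems) or "all rules pass")
    sys.exit(1 if problems else 0)
```

Run on the sample, the dev and common rules pass, the prod `allow-any-ssh` rule is rejected by the policy check and the `broken` rule produces two structural findings; the non-zero exit code is what a CI job keys on. The policy pass is the part a schema validator such as Yamale does not give you on its own: a schema says whether a rule is well-formed, not whether a team is allowed to write it.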
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [billing_account_id](variables.tf#L15) | Billing account id used as default for new projects. | <code>string</code> | ✓ |  |
| [prefix](variables.tf#L29) | Prefix used for resource names. | <code>string</code> | ✓ |  |
| [root_node](variables.tf#L54) | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ |  |
| [ip_ranges](variables.tf#L20) | Subnet IP CIDR ranges. | <code>map(string)</code> |  | <code title="{ prod = &quot;10.0.16.0/24&quot; dev = &quot;10.0.32.0/24&quot; }">{…}</code> |
| [project_services](variables.tf#L38) | Service APIs enabled by default in new projects. | <code>list(string)</code> |  | <code title="[ &quot;container.googleapis.com&quot;, &quot;dns.googleapis.com&quot;, &quot;stackdriver.googleapis.com&quot;, ]">[…]</code> |
| [region](variables.tf#L48) | Region used. | <code>string</code> |  | <code>"europe-west1"</code> |
## Outputs

| name | description | sensitive |
|---|---|:---:|
| [fw_rules](outputs.tf#L15) | Firewall rules. |  |
| [projects](outputs.tf#L33) | Project ids. |  |
| [vpc](outputs.tf#L41) | Shared VPCs. |  |
<!-- END TFDOC -->

## Test

```hcl
module "test" {
  source             = "./fabric/blueprints/networking/decentralized-firewall"
  billing_account_id = "ABCDE-12345-ABCDE"
  prefix             = "prefix"
  root_node          = "organizations/0123456789"
}
# tftest modules=9 resources=50
```