# Google Cloud VPC Firewall Factory
This module allows creation and management of different types of firewall rules by defining them in well-formatted `yaml` files.

The YAML abstraction for firewall rules simplifies user onboarding and makes rule definitions simpler and clearer than the equivalent HCL.

A nested folder structure for the YAML configurations is optionally supported, which allows better-structured code management across multiple teams and environments.
## Example
### Terraform code
```hcl
module "prod-firewall" {
  source             = "./fabric/blueprints/factories/net-vpc-firewall-yaml"
  project_id         = "my-prod-project"
  network            = "my-prod-network"
  config_directories = [
    "./prod",
    "./common"
  ]
  log_config = {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

module "dev-firewall" {
  source             = "./fabric/blueprints/factories/net-vpc-firewall-yaml"
  project_id         = "my-dev-project"
  network            = "my-dev-network"
  config_directories = [
    "./dev",
    "./common"
  ]
}
# tftest skip
```
### Configuration Structure
```bash
├── common
│   ├── default-egress.yaml
│   ├── lb-rules.yaml
│   └── iap-ingress.yaml
├── dev
│   ├── team-a
│   │   ├── databases.yaml
│   │   └── web-app-a.yaml
│   └── team-b
│       ├── backend.yaml
│       └── frontend.yaml
└── prod
    ├── team-a
    │   ├── databases.yaml
    │   └── web-app-a.yaml
    └── team-b
        ├── backend.yaml
        └── frontend.yaml
```
### Rule definition format and structure
Firewall rule configuration should be placed in a set of YAML files in one or more folders. A firewall rule entry has the following structure:
```yaml
rule-name:                   # descriptive name, naming convention is adjusted by the module
  allow:                     # `allow` or `deny`
    - ports: ['443', '80']   # ports for a specific protocol, keep empty list `[]` for all ports
      protocol: tcp          # protocol, put `all` for any protocol
  direction: EGRESS          # EGRESS or INGRESS
  disabled: false            # `false` or `true`, FW rule is disabled when `true`, default value is `false`
  priority: 1000             # rule priority value, default value is 1000
  source_ranges:             # list of source ranges, should be specified only for `INGRESS` rule
    - 0.0.0.0/0
  destination_ranges:        # list of destination ranges, should be specified only for `EGRESS` rule
    - 0.0.0.0/0
  source_tags: ['some-tag']  # list of source tags, should be specified only for `INGRESS` rule
  source_service_accounts:   # list of source service accounts, should be specified only for `INGRESS` rule, cannot be specified together with `source_tags` or `target_tags`
    - myapp@myproject-id.iam.gserviceaccount.com
  target_tags: ['some-tag']  # list of target tags
  target_service_accounts:   # list of target service accounts, cannot be specified together with `source_tags` or `target_tags`
    - myapp@myproject-id.iam.gserviceaccount.com
```
Example firewall rules YAML configuration:
```bash
cat ./prod/core-network/common-rules.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
  allow:
    - ports: []
      protocol: tcp
  direction: INGRESS
  priority: 1001
  source_ranges:
    - 35.191.0.0/16
    - 130.211.0.0/22

# deny all egress
deny-all:
  deny:
    - ports: []
      protocol: all
  direction: EGRESS
  priority: 65535
  destination_ranges:
    - 0.0.0.0/0

cat ./dev/team-a/web-app-a.yaml
# Myapp egress
web-app-a-egress:
  allow:
    - ports: [443]
      protocol: tcp
  direction: EGRESS
  destination_ranges:
    - 192.168.0.0/24
  target_service_accounts:
    - myapp@myproject-id.iam.gserviceaccount.com

# Myapp ingress
web-app-a-ingress:
  allow:
    - ports: [1234]
      protocol: tcp
  direction: INGRESS
  source_service_accounts:
    - frontend-sa@myproject-id.iam.gserviceaccount.com
  target_service_accounts:
    - web-app-a@myproject-id.iam.gserviceaccount.com
```
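As an added example (not part of this module or the Fabric project), the following Python script turns the constraints listed in the rule format above into a pre-apply lint. It walks `config_directories` recursively for `.yaml` files the way the module's `config_directories` variable is described, then checks each rule for exactly one `allow`/`deny` block, a valid `direction`, source selectors only on `INGRESS` and `destination_ranges` only on `EGRESS`, no mixing of tag and service-account selectors, a sane `priority`, and flags an ingress allow from `0.0.0.0/0` with no target selector as a review item. PyYAML, the function names, and the assumption that the factory keys its resources by rule name are mine; `SAMPLE_RULES` is constructed, mirroring the example files above plus three deliberate mistakes.

```python
"""Pre-apply lint for firewall-factory YAML rule files (added example)."""
import os

try:
    import yaml  # PyYAML, assumed installed; only load_rules() needs it
except ImportError:
    yaml = None

DIRECTIONS = {"INGRESS", "EGRESS"}
INGRESS_ONLY = ("source_ranges", "source_tags", "source_service_accounts")
EGRESS_ONLY = ("destination_ranges",)
TAG_KEYS = ("source_tags", "target_tags")
SA_KEYS = ("source_service_accounts", "target_service_accounts")
TARGET_KEYS = ("target_tags", "target_service_accounts")

# Constructed sample: rules as yaml.safe_load() would return them from files
# such as ./prod/core-network/common-rules.yaml, plus three deliberate mistakes.
SAMPLE_RULES = {
    "lb-health-checks": {
        "allow": [{"ports": [], "protocol": "tcp"}], "direction": "INGRESS",
        "priority": 1001, "source_ranges": ["35.191.0.0/16", "130.211.0.0/22"],
    },
    "deny-all": {
        "deny": [{"ports": [], "protocol": "all"}], "direction": "EGRESS",
        "priority": 65535, "destination_ranges": ["0.0.0.0/0"],
    },
    "web-app-a-ingress": {
        "allow": [{"ports": [1234], "protocol": "tcp"}], "direction": "INGRESS",
        "source_service_accounts": ["frontend-sa@myproject-id.iam.gserviceaccount.com"],
        "target_service_accounts": ["web-app-a@myproject-id.iam.gserviceaccount.com"],
    },
    "bad-mixed-selectors": {  # tags and service accounts in the same rule
        "allow": [{"ports": ["22"], "protocol": "tcp"}], "direction": "INGRESS",
        "source_tags": ["bastion"],
        "target_service_accounts": ["web-app-a@myproject-id.iam.gserviceaccount.com"],
    },
    "bad-egress-source": {  # source_ranges on an EGRESS rule
        "deny": [{"ports": [], "protocol": "all"}], "direction": "EGRESS",
        "source_ranges": ["10.0.0.0/8"],
    },
    "too-broad-ingress": {  # open to the internet with no target selector
        "allow": [{"ports": ["22"], "protocol": "tcp"}], "direction": "INGRESS",
        "source_ranges": ["0.0.0.0/0"],
    },
}

def load_rules(config_directories):
    """Read every `.yaml` file below each directory (subfolders included) and
    merge the rules by name; a name defined twice raises instead of silently
    overwriting (assumption: the factory keys its resources by rule name)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to load rule files from disk")
    merged = {}
    for directory in config_directories:
        for root, _dirs, files in os.walk(directory):
            for fname in sorted(f for f in files if f.endswith(".yaml")):
                with open(os.path.join(root, fname), encoding="utf-8") as fh:
                    for name, rule in (yaml.safe_load(fh) or {}).items():
                        if name in merged:
                            raise ValueError(f"rule {name!r} defined twice")
                        merged[name] = rule
    return merged

def validate_rule(rule):
    """Return the constraint violations for one parsed rule ([] if clean)."""
    problems = []
    actions = [a for a in ("allow", "deny") if a in rule]
    if len(actions) != 1:
        problems.append("exactly one of `allow` or `deny` is required")
    elif any("protocol" not in e or "ports" not in e for e in rule[actions[0]]):
        problems.append(f"every `{actions[0]}` entry needs `protocol` and `ports`")
    direction = rule.get("direction")
    if direction not in DIRECTIONS:
        problems.append("`direction` must be INGRESS or EGRESS")
    else:
        wrong = EGRESS_ONLY if direction == "INGRESS" else INGRESS_ONLY
        problems += [f"`{k}` is not valid for {direction} rules" for k in wrong if k in rule]
    if any(k in rule for k in SA_KEYS) and any(k in rule for k in TAG_KEYS):
        problems.append("service-account selectors cannot be combined with tag selectors")
    priority = rule.get("priority", 1000)
    if not isinstance(priority, int) or not 0 <= priority <= 65535:
        problems.append("`priority` must be an integer from 0 to 65535")
    # Review item rather than a schema error: an ingress allow from anywhere
    # with no target selector applies to every instance in the network.
    if (direction == "INGRESS" and actions == ["allow"]
            and "0.0.0.0/0" in rule.get("source_ranges", [])
            and not any(k in rule for k in TARGET_KEYS)):
        problems.append("allows ingress from 0.0.0.0/0 to the whole network; confirm intent")
    return problems

def validate_rules(rules):
    """Map each offending rule name to its problems; clean rules are omitted."""
    return {name: p for name, rule in rules.items() if (p := validate_rule(rule))}

if __name__ == "__main__":
    for name, problems in validate_rules(SAMPLE_RULES).items():
        print(name, "->", "; ".join(problems))
```

Running it against real configuration is `validate_rules(load_rules(["./prod", "./common"]))`, which is worth wiring into CI before `terraform plan` so that a rule that mixes selectors or opens ingress network-wide is caught at review time rather than after apply.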
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [config_directories](variables.tf#L17) | List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml`. | <code>list(string)</code> | ✓ |  |
| [network](variables.tf#L30) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ |  |
| [project_id](variables.tf#L35) | Project Id. | <code>string</code> | ✓ |  |
| [log_config](variables.tf#L22) | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging. | <code title="object({ metadata = string })">object({…})</code> |  | <code>null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [egress_allow_rules](outputs.tf#L17) | Egress rules with allow blocks. |  |
| [egress_deny_rules](outputs.tf#L25) | Egress rules with deny blocks. |  |
| [ingress_allow_rules](outputs.tf#L33) | Ingress rules with allow blocks. |  |
| [ingress_deny_rules](outputs.tf#L41) | Ingress rules with deny blocks. |  |
<!-- END TFDOC -->