2021-07-26 00:22:40 -07:00
# Decentralized firewall management
2021-07-27 07:46:56 -07:00
This sample shows how a decentralized firewall management can be organized using the [firewall-yaml ](../../modules/net-vpc-firewall-yaml ) module.
2021-07-26 00:22:40 -07:00
2021-11-17 02:41:21 -08:00
This approach is a good fit when Shared VPCs are used across multiple application/infrastructure teams. A central repository keeps environment/team
specific folders with firewall definitions in `yaml` format.
2021-07-29 16:16:47 -07:00
2021-11-17 02:41:21 -08:00
In the current example multiple teams can define their [VPC Firewall Rules ](https://cloud.google.com/vpc/docs/firewalls )
for [dev ](./firewall/dev ) and [prod ](./firewall/prod ) environments using team specific subfolders. Rules defined in the
[common ](./firewall/common ) folder are applied to both dev and prod environments.
> **_NOTE:_** Common rules are meant to be used for situations where [hierarchical rules](https://cloud.google.com/vpc/docs/firewall-policies)
do not map precisely to requirements (e.g. SA, etc.)
2021-07-29 16:16:47 -07:00
This is the high level diagram:
2021-07-26 00:22:40 -07:00
![High-level diagram ](diagram.png "High-level diagram" )
2021-11-17 02:41:21 -08:00
The rules can be validated either using an automated process or a manual process (or a combination of
the two). There is an example of a YAML-based validator using [Yamale ](https://github.com/23andMe/Yamale )
in the [`validator/` ](validator/ ) subdirectory, which can be integrated as part of a CI/CD pipeline.
2021-07-26 00:22:40 -07:00
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| billing_account_id | Billing account id used as default for new projects. | < code title = "" > string< / code > | ✓ | |
| prefix | Prefix used for resources that need unique names. | < code title = "" > string< / code > | ✓ | |
| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | < code title = "" > string< / code > | ✓ | |
| *ip_ranges* | Subnet IP CIDR ranges. | < code title = "map(string)" > map(string)</ code > | | < code title = "{ prod = "10.0.16.0/24" dev = "10.0.32.0/24" }" > ...</ code > |
2021-07-26 00:32:53 -07:00
| *project_services* | Service APIs enabled by default in new projects. | < code title = "list(string)" > list(string)</ code > | | < code title = "[ "container.googleapis.com", "dns.googleapis.com", "stackdriver.googleapis.com", ]" > ...</ code > |
2021-07-26 00:22:40 -07:00
| *region* | Region used. | < code title = "" > string</ code > | | < code title = "" > europe-west1</ code > |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| fw_rules | Firewall rules. | |
| projects | Project ids. | |
| vpc | Shared VPCs. | |
<!-- END TFDOC -->