Remove redundant variable `admin_ranges_enabled`
This commit is contained in:
parent
2a6f662e71
commit
2863d929a5
@ -60,11 +60,10 @@ module "vpc" {
|
|||
}
|
||||
|
||||
module "vpc-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project-service.project_id
|
||||
network = module.vpc.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = [var.vpc_ip_cidr_range]
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project-service.project_id
|
||||
network = module.vpc.name
|
||||
admin_ranges = [var.vpc_ip_cidr_range]
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
|
|
|
@ -167,14 +167,13 @@ module "vpc-transformation" {
|
|||
}
|
||||
|
||||
module "firewall" {
|
||||
source = "../../../modules/net-vpc-firewall"
|
||||
project_id = var.project_ids.transformation
|
||||
network = module.vpc-transformation.name
|
||||
admin_ranges_enabled = false
|
||||
admin_ranges = [""]
|
||||
http_source_ranges = []
|
||||
https_source_ranges = []
|
||||
ssh_source_ranges = []
|
||||
source = "../../../modules/net-vpc-firewall"
|
||||
project_id = var.project_ids.transformation
|
||||
network = module.vpc-transformation.name
|
||||
admin_ranges = []
|
||||
http_source_ranges = []
|
||||
https_source_ranges = []
|
||||
ssh_source_ranges = []
|
||||
|
||||
custom_rules = {
|
||||
iap-svc = {
|
||||
|
|
|
@ -178,11 +178,10 @@ module "vpc" {
|
|||
}
|
||||
|
||||
module "vpc-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project-service.project_id
|
||||
network = module.vpc.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = [var.vpc_ip_cidr_range]
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project-service.project_id
|
||||
network = module.vpc.name
|
||||
admin_ranges = [var.vpc_ip_cidr_range]
|
||||
}
|
||||
|
||||
module "nat" {
|
||||
|
|
|
@ -19,7 +19,6 @@ module "firewall" {
|
|||
source = "./modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
}
|
||||
# tftest:modules=1:resources=4
|
||||
|
@ -31,11 +30,10 @@ This is an example of how to define custom rules, with a sample rule allowing op
|
|||
|
||||
```hcl
|
||||
module "firewall" {
|
||||
source = "./modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
source = "./modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
custom_rules = {
|
||||
ntp-svc = {
|
||||
description = "NTP service."
|
||||
|
@ -55,17 +53,17 @@ module "firewall" {
|
|||
|
||||
### No predefined rules
|
||||
|
||||
If you don't want any predefined rules, set `admin_ranges_enabled` to `false` and `http_source_ranges`, `https_source_ranges`, `ssh_source_ranges` to an empty list.
|
||||
If you don't want any predefined rules set `admin_ranges`, `http_source_ranges`, `https_source_ranges` and `ssh_source_ranges` to an empty list.
|
||||
|
||||
```hcl
|
||||
module "firewall" {
|
||||
source = "./modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
admin_ranges_enabled = false
|
||||
http_source_ranges = []
|
||||
https_source_ranges = []
|
||||
ssh_source_ranges = []
|
||||
source = "./modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
admin_ranges = []
|
||||
http_source_ranges = []
|
||||
https_source_ranges = []
|
||||
ssh_source_ranges = []
|
||||
custom_rules = {
|
||||
allow-https = {
|
||||
description = "Allow HTTPS from internal networks."
|
||||
|
@ -91,7 +89,6 @@ module "firewall" {
|
|||
| network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ | |
|
||||
| project_id | Project id of the project that holds the network. | <code title="">string</code> | ✓ | |
|
||||
| *admin_ranges* | IP CIDR ranges that have complete access to all subnets. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *admin_ranges_enabled* | Enable admin ranges-based rules. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||
| *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||
|
|
|
@ -34,7 +34,7 @@ locals {
|
|||
###############################################################################
|
||||
|
||||
resource "google_compute_firewall" "allow-admins" {
|
||||
count = var.admin_ranges_enabled == true ? 1 : 0
|
||||
count = length(var.admin_ranges) > 0 ? 1 : 0
|
||||
name = "${var.network}-ingress-admins"
|
||||
description = "Access from the admin subnet to all subnets"
|
||||
network = var.network
|
||||
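Review bot: The `allow-admins` rule is now created whenever `admin_ranges` is non-empty, so a caller that previously passed ranges alongside `admin_ranges_enabled = false` (the data-solutions example did this with `[""]`) gets an admin ingress rule on its next apply, and a lone `""` entry would yield a rule whose source range is an empty string. Ignoring empty entries would make the gate explicit: `count = length(compact(var.admin_ranges)) > 0 ? 1 : 0`, with the same `compact()` applied wherever `var.admin_ranges` feeds the rule's source ranges further down. The resource body continues outside the hunk, so I can't confirm how `var.admin_ranges` is consumed there.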
|
|
|
@ -18,8 +18,8 @@ output "admin_ranges" {
|
|||
description = "Admin ranges data."
|
||||
|
||||
value = {
|
||||
enabled = var.admin_ranges_enabled
|
||||
ranges = var.admin_ranges_enabled ? join(",", var.admin_ranges) : ""
|
||||
enabled = length(var.admin_ranges) > 0
|
||||
ranges = join(",", var.admin_ranges)
|
||||
}
|
||||
}
|
||||
|
||||
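Review bot: The `enabled` key of this output is now derived from whether `admin_ranges` is non-empty instead of echoing an explicit flag, and the context line `description = "Admin ranges data."` doesn't say so. Suggest `description = "Admin ranges data; enabled is true when admin_ranges is non-empty."` so consumers reading the output don't assume it still reflects a separate toggle.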
|
|
|
@ -20,12 +20,6 @@ variable "admin_ranges" {
|
|||
default = []
|
||||
}
|
||||
|
||||
variable "admin_ranges_enabled" {
|
||||
description = "Enable admin ranges-based rules."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "custom_rules" {
|
||||
description = "List of custom rule definitions (refer to variables file for syntax)."
|
||||
type = map(object({
|
||||
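Review bot: Removing `variable "admin_ranges_enabled"` is a breaking change for any root module that still passes that argument — Terraform rejects it as an unsupported argument at plan time — and nothing in the hunk records it; if the module keeps a changelog or version note, this deserves an entry. Since a non-empty `admin_ranges` now creates the admin rule by itself, the description of `variable "admin_ranges"` (its header is outside the hunk) should state that, e.g. `description = "IP CIDR ranges that have complete access to all subnets; any non-empty list enables the admin rule."`. If the module's Terraform version constraint allows it, a `validation` block that rejects empty-string entries would catch the old `[""]` idiom before apply rather than at the API.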
|
|
|
@ -74,11 +74,10 @@ module "nat-hub" {
|
|||
}
|
||||
|
||||
module "vpc-hub-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-hub.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-hub.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
@ -100,11 +99,10 @@ module "vpc-spoke-1" {
|
|||
}
|
||||
|
||||
module "vpc-spoke-1-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-spoke-1.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-spoke-1.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
module "nat-spoke-1" {
|
||||
|
@ -146,11 +144,10 @@ module "vpc-spoke-2" {
|
|||
}
|
||||
|
||||
module "vpc-spoke-2-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-spoke-2.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-spoke-2.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
module "nat-spoke-2" {
|
||||
|
|
|
@ -48,11 +48,10 @@ module "vpc-hub" {
|
|||
}
|
||||
|
||||
module "vpc-hub-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-hub.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-hub.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
module "vpn-hub-a" {
|
||||
|
@ -140,11 +139,10 @@ module "vpc-spoke-1" {
|
|||
}
|
||||
|
||||
module "vpc-spoke-1-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-spoke-1.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-spoke-1.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
module "vpn-spoke-1" {
|
||||
|
@ -204,11 +202,10 @@ module "vpc-spoke-2" {
|
|||
}
|
||||
|
||||
module "vpc-spoke-2-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-spoke-2.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc-spoke-2.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
module "vpn-spoke-2" {
|
||||
|
|
|
@ -38,12 +38,11 @@ module "vpc-left" {
|
|||
}
|
||||
|
||||
module "firewall-left" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-left.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-left.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
||||
}
|
||||
|
||||
module "nat-left" {
|
||||
|
|
|
@ -52,12 +52,11 @@ module "vpc-right" {
|
|||
}
|
||||
|
||||
module "firewall-right" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-right.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-right.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
||||
}
|
||||
|
||||
module "nat-right" {
|
||||
|
|
|
@ -71,12 +71,11 @@ module "vpc" {
|
|||
}
|
||||
|
||||
module "vpc-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
ssh_source_ranges = var.ssh_source_ranges
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = var.project_id
|
||||
network = module.vpc.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
ssh_source_ranges = var.ssh_source_ranges
|
||||
}
|
||||
|
||||
module "vpn1" {
|
||||
|
|
|
@ -130,11 +130,10 @@ module "vpc-shared" {
|
|||
}
|
||||
|
||||
module "vpc-shared-firewall" {
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project-host.project_id
|
||||
network = module.vpc-shared.name
|
||||
admin_ranges_enabled = true
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
source = "../../modules/net-vpc-firewall"
|
||||
project_id = module.project-host.project_id
|
||||
network = module.vpc-shared.name
|
||||
admin_ranges = values(var.ip_ranges)
|
||||
}
|
||||
|
||||
module "nat" {
|
||||
|
|