diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md index 01fdf452..689afbbd 100644 --- a/modules/net-vpc-firewall/README.md +++ b/modules/net-vpc-firewall/README.md @@ -53,6 +53,36 @@ module "firewall" { # tftest:modules=1:resources=5 ``` +### No predefined rules + +If you don't want any predefined rules, `admin_ranges_enabled` to `false` and `http_source_ranges`, `https_source_ranges`, `ssh_source_ranges` to an empty list. + +```hcl +module "firewall" { + source = "./modules/net-vpc-firewall" + project_id = "my-project" + network = "my-network" + admin_ranges_enabled = false + http_source_ranges = [] + https_source_ranges = [] + ssh_source_ranges = [] + custom_rules = { + allow-https = { + description = "Allow HTTPS from internal networks." + direction = "INGRESS" + action = "allow" + sources = [] + ranges = ["rfc1918"] + targets = [] + use_service_accounts = false + rules = [{ protocol = "tcp", ports = [443] }] + extra_attributes = {} + } + } +} +# tftest:modules=1:resources=1 +``` + ## Variables @@ -65,6 +95,7 @@ module "firewall" { | *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | map(object({...})) | | {} | | *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | list(string) | | ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] | | *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | list(string) | | ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] | +| *named_ranges* | Names that can be used of valid values for the `ranges` field of `custom_rules` | map(list(string)) | | ... | | *ssh_source_ranges* | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | list(string) | | ["35.235.240.0/20"] | ## Outputs 
@@ -76,5 +107,5 @@ module "firewall" { | custom_egress_deny_rules | Custom egress rules with allow blocks. | | | custom_ingress_allow_rules | Custom ingress rules with allow blocks. | | | custom_ingress_deny_rules | Custom ingress rules with deny blocks. | | -| rules | All google_compute_firewall resources created | | +| rules | All google_compute_firewall resources created. | | diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf index 392b3d6d..0798075d 100644 --- a/modules/net-vpc-firewall/main.tf +++ b/modules/net-vpc-firewall/main.tf @@ -14,6 +14,21 @@ * limitations under the License. */ +locals { + custom_rules = { + for id, rule in var.custom_rules : + id => merge(rule, { + # make rules a map so we use it in a for_each + rules = { for index, ports in rule.rules : index => ports } + # lookup any named ranges references + ranges = flatten([ + for range in rule.ranges : + try(var.named_ranges[range], range) + ]) + }) + } +} + ############################################################################### # rules based on IP ranges ############################################################################### @@ -80,7 +95,7 @@ resource "google_compute_firewall" "allow-tag-https" { resource "google_compute_firewall" "custom-rules" { # provider = "google-beta" - for_each = var.custom_rules + for_each = local.custom_rules name = each.key description = each.value.description direction = each.value.direction @@ -104,11 +119,8 @@ resource "google_compute_firewall" "custom-rules" { } dynamic "deny" { - for_each = ( - each.value.action == "deny" - ? { for index, rule in each.value.rules : index => rule } - : {} - ) + for_each = each.value.action == "deny" ? each.value.rules : {} + iterator = rule content { protocol = rule.value.protocol 
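Review bot: In the new `locals` block, `try(var.named_ranges[range], range)` silently passes any string that is not a `named_ranges` key through as a literal CIDR, so a mistyped name (or a name dropped by a caller overriding the default `named_ranges` map) is only rejected by the API at apply time rather than at plan. The comment on that line should state this, e.g. replace `# lookup any named ranges references` with `# resolve named_ranges keys; anything else is passed through verbatim as a CIDR and only validated by the API at apply`. If an early failure is preferred, reversing the test makes unknown names fail at plan: `can(cidrhost(range, 0)) ? [range] : var.named_ranges[range]`. The `any` entry in the default map expands to `0.0.0.0/0`, which is worth calling out next to the lookup since a single word in `ranges` now opens a rule to all sources.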
@@ -117,11 +129,8 @@ resource "google_compute_firewall" "custom-rules" { } dynamic "allow" { - for_each = ( - each.value.action == "allow" - ? { for index, rule in each.value.rules : index => rule } - : {} - ) + for_each = each.value.action == "allow" ? each.value.rules : {} + iterator = rule content { protocol = rule.value.protocol diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf index ff8a5b60..1e70c5e0 100644 --- a/modules/net-vpc-firewall/variables.tf +++ b/modules/net-vpc-firewall/variables.tf @@ -14,44 +14,16 @@ * limitations under the License. */ -variable "network" { - description = "Name of the network this set of firewall rules applies to." - type = string -} - -variable "project_id" { - description = "Project id of the project that holds the network." - type = string -} - -variable "admin_ranges_enabled" { - description = "Enable admin ranges-based rules." - type = bool - default = false -} - variable "admin_ranges" { description = "IP CIDR ranges that have complete access to all subnets." type = list(string) default = [] } -variable "ssh_source_ranges" { - description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range." - type = list(string) - default = ["35.235.240.0/20"] -} - -variable "http_source_ranges" { - description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges." - type = list(string) - default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] -} - -variable "https_source_ranges" { - description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges." - type = list(string) - default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] +variable "admin_ranges_enabled" { + description = "Enable admin ranges-based rules." + type = bool + default = false } variable "custom_rules" { 
@@ -72,3 +44,45 @@ variable "custom_rules" {
 }))
 default = {}
 }
+
+variable "http_source_ranges" {
+ description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
+ type = list(string)
+ default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "https_source_ranges" {
+ description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
+ type = list(string)
+ default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "named_ranges" {
+ description = "Names that can be used of valid values for the `ranges` field of `custom_rules`"
+ type = map(list(string))
+ default = {
+ any = ["0.0.0.0/0"]
+ dns-forwarders = ["35.199.192.0/19"]
+ health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+ iap-forwarders = ["35.235.240.0/20"]
+ private-googleapis = ["199.36.153.8/30"]
+ restricted-googleapis = ["199.36.153.4/30"]
+ rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ }
+}
+
+variable "network" {
+ description = "Name of the network this set of firewall rules applies to."
+ type = string
+}
+
+variable "project_id" {
+ description = "Project id of the project that holds the network."
+ type = string
+}
+
+variable "ssh_source_ranges" {
+ description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
+ type = list(string)
+ default = ["35.235.240.0/20"]
+}
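Review bot: The description of the new `named_ranges` variable reads "Names that can be used of valid values…" — "of" should be "as" — and it does not tell the caller what happens to a string that matches no key, which main.tf resolves with a `try()` fall-through to a literal CIDR. Suggest `description = "Names that can be used as valid values for the `ranges` field of `custom_rules`; unmatched strings are passed through unchanged as CIDRs."`. The same wording is repeated in the README variables table in the first hunk and should be fixed there too. Since the default map includes `any = ["0.0.0.0/0"]`, a caller who overrides `named_ranges` needs to know the entries are replaced rather than merged, which the description could also state.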