Allow using named ranges in firewall rules
This commit is contained in:
parent
d3e8b5e35e
commit
400a94658d
|
@ -53,6 +53,36 @@ module "firewall" {
|
||||||
# tftest:modules=1:resources=5
|
# tftest:modules=1:resources=5
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### No predefined rules
|
||||||
|
|
||||||
|
If you don't want any predefined rules, `admin_ranges_enabled` to `false` and `http_source_ranges`, `https_source_ranges`, `ssh_source_ranges` to an empty list.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "firewall" {
|
||||||
|
source = "./modules/net-vpc-firewall"
|
||||||
|
project_id = "my-project"
|
||||||
|
network = "my-network"
|
||||||
|
admin_ranges_enabled = false
|
||||||
|
http_source_ranges = []
|
||||||
|
https_source_ranges = []
|
||||||
|
ssh_source_ranges = []
|
||||||
|
custom_rules = {
|
||||||
|
allow-https = {
|
||||||
|
description = "Allow HTTPS from internal networks."
|
||||||
|
direction = "INGRESS"
|
||||||
|
action = "allow"
|
||||||
|
sources = []
|
||||||
|
ranges = ["rfc1918"]
|
||||||
|
targets = []
|
||||||
|
use_service_accounts = false
|
||||||
|
rules = [{ protocol = "tcp", ports = [443] }]
|
||||||
|
extra_attributes = {}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest:modules=1:resources=1
|
||||||
|
```
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -65,6 +95,7 @@ module "firewall" {
|
||||||
| *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
| *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
| *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||||
| *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
| *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||||
|
| *named_ranges* | Names that can be used of valid values for the `ranges` field of `custom_rules` | <code title="map(list(string))">map(list(string))</code> | | <code title="{ dns-forwarders = ["35.199.192.0/19"] health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">...</code> |
|
||||||
| *ssh_source_ranges* | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code title="list(string)">list(string)</code> | | <code title="">["35.235.240.0/20"]</code> |
|
| *ssh_source_ranges* | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code title="list(string)">list(string)</code> | | <code title="">["35.235.240.0/20"]</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
@ -76,5 +107,5 @@ module "firewall" {
|
||||||
| custom_egress_deny_rules | Custom egress rules with allow blocks. | |
|
| custom_egress_deny_rules | Custom egress rules with allow blocks. | |
|
||||||
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
|
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
|
||||||
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
|
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
|
||||||
| rules | All google_compute_firewall resources created | |
|
| rules | All google_compute_firewall resources created. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -14,6 +14,21 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
custom_rules = {
|
||||||
|
for id, rule in var.custom_rules :
|
||||||
|
id => merge(rule, {
|
||||||
|
# make rules a map so we use it in a for_each
|
||||||
|
rules = { for index, ports in rule.rules : index => ports }
|
||||||
|
# lookup any named ranges references
|
||||||
|
ranges = flatten([
|
||||||
|
for range in rule.ranges :
|
||||||
|
try(var.named_ranges[range], range)
|
||||||
|
])
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# rules based on IP ranges
|
# rules based on IP ranges
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -80,7 +95,7 @@ resource "google_compute_firewall" "allow-tag-https" {
|
||||||
|
|
||||||
resource "google_compute_firewall" "custom-rules" {
|
resource "google_compute_firewall" "custom-rules" {
|
||||||
# provider = "google-beta"
|
# provider = "google-beta"
|
||||||
for_each = var.custom_rules
|
for_each = local.custom_rules
|
||||||
name = each.key
|
name = each.key
|
||||||
description = each.value.description
|
description = each.value.description
|
||||||
direction = each.value.direction
|
direction = each.value.direction
|
||||||
|
@ -104,11 +119,8 @@ resource "google_compute_firewall" "custom-rules" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "deny" {
|
dynamic "deny" {
|
||||||
for_each = (
|
for_each = each.value.action == "deny" ? each.value.rules : {}
|
||||||
each.value.action == "deny"
|
|
||||||
? { for index, rule in each.value.rules : index => rule }
|
|
||||||
: {}
|
|
||||||
)
|
|
||||||
iterator = rule
|
iterator = rule
|
||||||
content {
|
content {
|
||||||
protocol = rule.value.protocol
|
protocol = rule.value.protocol
|
||||||
|
@ -117,11 +129,8 @@ resource "google_compute_firewall" "custom-rules" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "allow" {
|
dynamic "allow" {
|
||||||
for_each = (
|
for_each = each.value.action == "allow" ? each.value.rules : {}
|
||||||
each.value.action == "allow"
|
|
||||||
? { for index, rule in each.value.rules : index => rule }
|
|
||||||
: {}
|
|
||||||
)
|
|
||||||
iterator = rule
|
iterator = rule
|
||||||
content {
|
content {
|
||||||
protocol = rule.value.protocol
|
protocol = rule.value.protocol
|
||||||
|
|
|
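Review bot: `try(var.named_ranges[range], range)` in the new `locals` block silently falls back to the raw string when a name is not a key of `var.named_ranges`, so a misspelled name such as `rfc-1918` is handed on as if it were a CIDR and is presumably only rejected by the provider at apply time rather than at plan time. A plan-time check that every entry of `rule.ranges` is either a known name or a literal CIDR would surface the typo earlier; at minimum the fallback should be stated next to the existing comment, e.g. `# lookup any named ranges references; unknown names are passed through unchanged and treated as literal CIDRs`. Wrapping the result as `ranges = distinct(flatten([...]))` would also drop duplicate entries when a name and a literal CIDR overlap, and naming the iterator `r` instead of `range` (`for r in rule.ranges : try(var.named_ranges[r], r)`) avoids reading like the built-in function. The `custom-rules` resource and the `dynamic "deny"` / `dynamic "allow"` blocks in the later hunks start or end outside their hunks.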
@ -14,44 +14,16 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "network" {
|
|
||||||
description = "Name of the network this set of firewall rules applies to."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "project_id" {
|
|
||||||
description = "Project id of the project that holds the network."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "admin_ranges_enabled" {
|
|
||||||
description = "Enable admin ranges-based rules."
|
|
||||||
type = bool
|
|
||||||
default = false
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "admin_ranges" {
|
variable "admin_ranges" {
|
||||||
description = "IP CIDR ranges that have complete access to all subnets."
|
description = "IP CIDR ranges that have complete access to all subnets."
|
||||||
type = list(string)
|
type = list(string)
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "ssh_source_ranges" {
|
variable "admin_ranges_enabled" {
|
||||||
description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
|
description = "Enable admin ranges-based rules."
|
||||||
type = list(string)
|
type = bool
|
||||||
default = ["35.235.240.0/20"]
|
default = false
|
||||||
}
|
|
||||||
|
|
||||||
variable "http_source_ranges" {
|
|
||||||
description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
|
|
||||||
type = list(string)
|
|
||||||
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "https_source_ranges" {
|
|
||||||
description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
|
|
||||||
type = list(string)
|
|
||||||
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "custom_rules" {
|
variable "custom_rules" {
|
||||||
|
@ -72,3 +44,45 @@ variable "custom_rules" {
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "http_source_ranges" {
|
||||||
|
description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
|
||||||
|
type = list(string)
|
||||||
|
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "https_source_ranges" {
|
||||||
|
description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
|
||||||
|
type = list(string)
|
||||||
|
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "named_ranges" {
|
||||||
|
description = "Names that can be used of valid values for the `ranges` field of `custom_rules`"
|
||||||
|
type = map(list(string))
|
||||||
|
default = {
|
||||||
|
any = ["0.0.0.0/0"]
|
||||||
|
dns-forwarders = ["35.199.192.0/19"]
|
||||||
|
health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
||||||
|
iap-forwarders = ["35.235.240.0/20"]
|
||||||
|
private-googleapis = ["199.36.153.8/30"]
|
||||||
|
restricted-googleapis = ["199.36.153.4/30"]
|
||||||
|
rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "network" {
|
||||||
|
description = "Name of the network this set of firewall rules applies to."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "project_id" {
|
||||||
|
description = "Project id of the project that holds the network."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ssh_source_ranges" {
|
||||||
|
description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
|
||||||
|
type = list(string)
|
||||||
|
default = ["35.235.240.0/20"]
|
||||||
|
}
|
||||||
|
|
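Review bot: The new `named_ranges` default adds `any = ["0.0.0.0/0"]`, but the regenerated README table in the first file section lists the default as `dns-forwarders` through `rfc1918` without `any`, so the docs appear to have been generated before this entry was added and should be regenerated. Since `any` lets a custom rule expose a port to every source with a single word, it is worth calling out in the variable description, e.g. `description = "Names that can be used as valid values for the ranges field of custom_rules; any expands to 0.0.0.0/0."`. The current description also reads `used of valid values`, presumably `used as valid values`; the same wording is copied into the README row and would be corrected by the regeneration.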