diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a011824..cc7ba455 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,8 @@ All notable changes to this project will be documented in this file. - add support for CMEK keys in Data Foundation end to end example - add support for VPC-SC perimeters in Data Foundation end to end example - fix `vpc-sc` module -- new networking example showing how to use [Private Service Connect to call a Cloud Function from on-premises](networking/private-cloud-function-from-onprem/) +- new networking example showing how to use [Private Service Connect to call a Cloud Function from on-premises](./networking/private-cloud-function-from-onprem/) +- new networking example showing how to organize [decentralized firewall](./networking/decentralized-firewall/) management on GCP ## [5.0.0] - 2021-06-17 diff --git a/README.md b/README.md index df419fca..4cb79901 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ The examples in this repository are split in several main sections: **foundation Currently available examples: - **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments) -- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop) +- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall) - **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow](./data-solutions/gcs-to-bq-with-dataflow/) - **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq) - **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift) diff --git a/modules/net-vpc-firewall-yaml/README.md b/modules/net-vpc-firewall-yaml/README.md index 95508092..2d4ab90e 100644 --- a/modules/net-vpc-firewall-yaml/README.md +++ b/modules/net-vpc-firewall-yaml/README.md @@ -4,7 +4,7 @@ This module allows creation and management of different types of firewall rules Yaml abstraction for FW rules can simplify users onboarding and also makes rules definition simpler and clearer comparing to HCL. -Nested folder structure for yaml configurations is supported, which allows better and structured code management. +Nested folder structure for yaml configurations is supported, which allows better and structured code management for multiple teams and environments. ## Example @@ -12,20 +12,29 @@ Nested folder structure for yaml configurations is supported, which allows bette ```hcl module "prod-firewall" { - source = "./modules/net-vpc-firewall-yaml" - project_id = "my-prod-project" - network = "my-prod-network" - config_path = "./prod" + source = "./modules/net-vpc-firewall-yaml" + + project_id = "my-prod-project" + network = "my-prod-network" + config_directories = [ + "./prod", + "./common" + ] + log_config = { metadata = "INCLUDE_ALL_METADATA" } } module "dev-firewall" { - source = "./modules/net-vpc-firewall-yaml" - project_id = "my-dev-project" - network = "my-dev-network" - config_path = "./dev" + source = "./modules/net-vpc-firewall-yaml" + + project_id = "my-dev-project" + network = "my-dev-network" + config_directories = [ + "./dev", + "./common" + ] } # tftest:skip ``` @@ -33,9 +42,11 @@ module "dev-firewall" { ### Configuration Structure ```bash +├── common +│ ├── default-egress.yaml +│   ├── lb-rules.yaml +│   └── iap-ingress.yaml ├── dev -│   ├── core -│   │   └── common-rules.yaml │   ├── team-a │   │   ├── databases.yaml │   │   └── webb-app-a.yaml @@ -43,8 +54,6 @@ module "dev-firewall" { │   ├── backend.yaml │   └── frontend.yaml └── prod - ├── core - │   └── common-rules.yaml ├── team-a │   ├── databases.yaml │   └── webb-app-a.yaml @@ -63,7 +72,7 @@ rule-name: # descriptive name, naming convention is adjusted by the module - ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports protocol: tcp # protocol, put `all` for any protocol direction: EGRESS # EGRESS or INGRESS - disabled: false # `false` or `true`, FW rule is disabled when `true`, default value is `true` + disabled: false # `false` or `true`, FW rule is disabled when `true`, default value is `false` priority: 1000 # rule priority value, default value is 1000 source_ranges: # list of source ranges, should be specified only for `INGRESS` rule - 0.0.0.0/0 @@ -131,7 +140,7 @@ web-app-a-ingress: | name | description | type | required | default | |---|---|:---: |:---:|:---:| -| config_path | Path to a folder where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml` | string | ✓ | | +| config_directories | List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml` | list(string) | ✓ | | | network | Name of the network this set of firewall rules applies to. | string | ✓ | | | project_id | Project Id. | string | ✓ | | | *log_config* | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging. | object({...}) | | null | diff --git a/modules/net-vpc-firewall-yaml/main.tf b/modules/net-vpc-firewall-yaml/main.tf index e401f3b9..ab19b23a 100644 --- a/modules/net-vpc-firewall-yaml/main.tf +++ b/modules/net-vpc-firewall-yaml/main.tf @@ -15,10 +15,23 @@ */ locals { + firewall_rule_files = flatten( + [ + for config_path in var.config_directories : + concat( + [ + for config_file in fileset("${path.root}/${config_path}", "**/*.yaml") : + "${path.root}/${config_path}/${config_file}" + ] + ) + + ] + ) + firewall_rules = merge( [ - for config_file in fileset("${path.root}/${var.config_path}", "**/*.yaml") : - try(yamldecode(file("${path.root}/${var.config_path}/${config_file}")), {}) + for config_file in local.firewall_rule_files : + try(yamldecode(file(config_file)), {}) ]... ) } diff --git a/modules/net-vpc-firewall-yaml/outputs.tf b/modules/net-vpc-firewall-yaml/outputs.tf index 63c3d0c8..d964b5a9 100644 --- a/modules/net-vpc-firewall-yaml/outputs.tf +++ b/modules/net-vpc-firewall-yaml/outputs.tf @@ -18,7 +18,7 @@ output "ingress_allow_rules" { description = "Ingress rules with allow blocks." value = [ for rule in google_compute_firewall.rules : - rule.name if rule.direction == "INGRESS" && length(rule.allow) > 0 + rule if rule.direction == "INGRESS" && length(rule.allow) > 0 ] } @@ -26,7 +26,7 @@ output "ingress_deny_rules" { description = "Ingress rules with deny blocks." value = [ for rule in google_compute_firewall.rules : - rule.name if rule.direction == "INGRESS" && length(rule.deny) > 0 + rule if rule.direction == "INGRESS" && length(rule.deny) > 0 ] } @@ -34,7 +34,7 @@ output "egress_allow_rules" { description = "Egress rules with allow blocks." value = [ for rule in google_compute_firewall.rules : - rule.name if rule.direction == "EGRESS" && length(rule.allow) > 0 + rule if rule.direction == "EGRESS" && length(rule.allow) > 0 ] } @@ -42,6 +42,6 @@ output "egress_deny_rules" { description = "Egress rules with allow blocks." value = [ for rule in google_compute_firewall.rules : - rule.name if rule.direction == "EGRESS" && length(rule.deny) > 0 + rule if rule.direction == "EGRESS" && length(rule.deny) > 0 ] } diff --git a/modules/net-vpc-firewall-yaml/variables.tf b/modules/net-vpc-firewall-yaml/variables.tf index 0d5d4da3..d54d5a35 100644 --- a/modules/net-vpc-firewall-yaml/variables.tf +++ b/modules/net-vpc-firewall-yaml/variables.tf @@ -24,9 +24,9 @@ variable "project_id" { type = string } -variable "config_path" { - description = "Path to a folder where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml`" - type = string +variable "config_directories" { + description = "List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml`" + type = list(string) } variable "log_config" { diff --git a/networking/README.md b/networking/README.md index 5a1489da..00611913 100644 --- a/networking/README.md +++ b/networking/README.md @@ -37,7 +37,14 @@ It is meant to be used as a starting point for most Shared VPC configurations, a ### ILB as next hop This [example](./ilb-next-hop/) allows testing [ILB as next hop](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) using simple Linux gateway VMS between two VPCs, to emulate virtual appliances. An optional additional ILB can be enabled to test multiple load balancer configurations and hashing. +
### Calling a private Cloud Function from On-premises - This [example](./private-cloud-function-from-onprem/) shows how to invoke a [private Google Cloud Function](https://cloud.google.com/functions/docs/networking/network-settings) from the on-prem environment via a [Private Service Connect endpoint](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis). \ No newline at end of file + This [example](./private-cloud-function-from-onprem/) shows how to invoke a [private Google Cloud Function](https://cloud.google.com/functions/docs/networking/network-settings) from the on-prem environment via a [Private Service Connect endpoint](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis). +
+ +### Decentralized firewall management + + This [example](./decentralized-firewall/) shows how a decentralized firewall management can be organized using [firewall-yaml](../modules/net-vpc-firewall-yaml) module. +
diff --git a/networking/decentralized-firewall/README.md b/networking/decentralized-firewall/README.md new file mode 100644 index 00000000..8a4c0066 --- /dev/null +++ b/networking/decentralized-firewall/README.md @@ -0,0 +1,33 @@ +# Decentralized firewall management + +This sample shows how a decentralized firewall management can be organized using the [firewall-yaml](../../modules/net-vpc-firewall-yaml) module. + +This approach is a good fit when Shared VPCs are used across multiple application/infrastructure teams. A central repository keeps environment/team specific folders with firewall definitions in `yaml` format. + +In the current example multiple teams can define their [VPC Firewall Rules](https://cloud.google.com/vpc/docs/firewalls) for [dev](./firewall/dev) and [prod](./firewall/prod) environments using team specific subfolders. Rules defined in the [common](./firewall/common) folder are applied to both dev and prod environments. +> **_NOTE:_** Common rules are meant to be used for situations where [hierarchical rules](https://cloud.google.com/vpc/docs/firewall-policies) do not map precisely to requirements (e.g. SA, etc.) + +This is the high level diagram: + +![High-level diagram](diagram.png "High-level diagram") + + +## Variables + +| name | description | type | required | default | +|---|---|:---: |:---:|:---:| +| billing_account_id | Billing account id used as default for new projects. | string | ✓ | | +| prefix | Prefix used for resources that need unique names. | string | ✓ | | +| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | string | ✓ | | +| *ip_ranges* | Subnet IP CIDR ranges. | map(string) | | ... | +| *project_services* | Service APIs enabled by default in new projects. | list(string) | | ... | +| *region* | Region used. | string | | europe-west1 | + +## Outputs + +| name | description | sensitive | +|---|---|:---:| +| fw_rules | Firewall rules. | | +| projects | Project ids. | | +| vpc | Shared VPCs. | | + diff --git a/networking/decentralized-firewall/backend.tf.sample b/networking/decentralized-firewall/backend.tf.sample new file mode 100644 index 00000000..99f84b17 --- /dev/null +++ b/networking/decentralized-firewall/backend.tf.sample @@ -0,0 +1,20 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +terraform { + backend "gcs" { + bucket = "" + } +} diff --git a/networking/decentralized-firewall/diagram.png b/networking/decentralized-firewall/diagram.png new file mode 100644 index 00000000..bf655309 Binary files /dev/null and b/networking/decentralized-firewall/diagram.png differ diff --git a/networking/decentralized-firewall/firewall/common/common-egress.yaml b/networking/decentralized-firewall/firewall/common/common-egress.yaml new file mode 100644 index 00000000..716c1498 --- /dev/null +++ b/networking/decentralized-firewall/firewall/common/common-egress.yaml @@ -0,0 +1,43 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Deny all egress (egress traffic is allowed by default) +deny-all: + deny: + - ports: [] + protocol: all + direction: EGRESS + priority: 65535 + destination_ranges: + - 0.0.0.0/0 + +# Allow access to GCP APIs via Private Google Access +# https://cloud.google.com/vpc/docs/access-apis-external-ip#config +gcp-pga-apis: + allow: + - ports: [443] + protocol: tcp + direction: EGRESS + priority: 500 + destination_ranges: + - 199.36.153.8/30 + +# Allow egress to internal networks +internal-egress: + allow: + - ports: [] + protocol: tcp + direction: EGRESS + destination_ranges: + - 10.0.0.0/16 diff --git a/networking/decentralized-firewall/firewall/common/iap-access.yaml b/networking/decentralized-firewall/firewall/common/iap-access.yaml new file mode 100644 index 00000000..931a180e --- /dev/null +++ b/networking/decentralized-firewall/firewall/common/iap-access.yaml @@ -0,0 +1,24 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Access via SSH from IAP to all instancess https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule +iap-ssh-access: + allow: + - ports: [22] + protocol: tcp + direction: INGRESS + priority: 1001 + source_ranges: + - 35.235.240.0/20 + \ No newline at end of file diff --git a/networking/decentralized-firewall/firewall/common/lb-access.yaml b/networking/decentralized-firewall/firewall/common/lb-access.yaml new file mode 100644 index 00000000..975d3ca0 --- /dev/null +++ b/networking/decentralized-firewall/firewall/common/lb-access.yaml @@ -0,0 +1,24 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Access from GCP LBs https://cloud.google.com/load-balancing/docs/https/#firewall_rules +lb-health-checks: + allow: + - ports: [] + protocol: tcp + direction: INGRESS + priority: 1001 + source_ranges: + - 35.191.0.0/16 + - 130.211.0.0/22 diff --git a/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml b/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml new file mode 100644 index 00000000..9a26650b --- /dev/null +++ b/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml @@ -0,0 +1,31 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Allow traffic from the frontend VMs +app1-backend: + allow: + - ports: ['443', '80'] + protocol: tcp + direction: INGRESS + source_tags: ['app1-frontend'] + target_tags: ['app1-backend'] + +# Allow traffic to MySQL Servers from App1 backend +app1-db: + allow: + - ports: ['3306'] + protocol: tcp + direction: INGRESS + source_tags: ['app1-backend'] + target_tags: ['mysql-server'] diff --git a/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml b/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml new file mode 100644 index 00000000..d7b79b63 --- /dev/null +++ b/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml @@ -0,0 +1,31 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Allow traffic from app1 frontend +app2-backend: + allow: + - ports: ['443', '80'] + protocol: tcp + direction: INGRESS + source_tags: ['app1-frontend'] + target_tags: ['app2-backend'] + +# Allow traffic to MySQL servers from App2 backend +app2-db: + allow: + - ports: ['3306'] + protocol: tcp + direction: INGRESS + source_tags: ['app2-backend'] + target_tags: ['mysql-server'] diff --git a/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml b/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml new file mode 100644 index 00000000..9a26650b --- /dev/null +++ b/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml @@ -0,0 +1,31 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Allow traffic from the frontend VMs +app1-backend: + allow: + - ports: ['443', '80'] + protocol: tcp + direction: INGRESS + source_tags: ['app1-frontend'] + target_tags: ['app1-backend'] + +# Allow traffic to MySQL Servers from App1 backend +app1-db: + allow: + - ports: ['3306'] + protocol: tcp + direction: INGRESS + source_tags: ['app1-backend'] + target_tags: ['mysql-server'] diff --git a/networking/decentralized-firewall/main.tf b/networking/decentralized-firewall/main.tf new file mode 100644 index 00000000..2502d41f --- /dev/null +++ b/networking/decentralized-firewall/main.tf @@ -0,0 +1,136 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +############################################################################### +# Shared VPC Host projects # +############################################################################### + +module "project-host-prod" { + source = "../../modules/project" + parent = var.root_node + billing_account = var.billing_account_id + prefix = var.prefix + name = "prod-host" + services = var.project_services + + shared_vpc_host_config = { + enabled = true + service_projects = [] + } +} + +module "project-host-dev" { + source = "../../modules/project" + parent = var.root_node + billing_account = var.billing_account_id + prefix = var.prefix + name = "dev-host" + services = var.project_services + + shared_vpc_host_config = { + enabled = true + service_projects = [] + } +} + +################################################################################ +# Networking # +################################################################################ + +module "vpc-prod" { + source = "../../modules/net-vpc" + project_id = module.project-host-prod.project_id + name = "prod-vpc" + subnets = [ + { + ip_cidr_range = var.ip_ranges.prod + name = "prod" + region = var.region + secondary_ip_range = {} + } + ] +} + +module "vpc-dev" { + source = "../../modules/net-vpc" + project_id = module.project-host-dev.project_id + name = "dev-vpc" + subnets = [ + { + ip_cidr_range = var.ip_ranges.dev + name = "dev" + region = var.region + secondary_ip_range = {} + } + ] +} + +############################################################################### +# Private Google Access DNS # +############################################################################### + +module "dns-api-prod" { + source = "../../modules/dns" + project_id = module.project-host-prod.project_id + type = "private" + name = "googleapis" + domain = "googleapis.com." + client_networks = [module.vpc-prod.self_link] + recordsets = [ + { name = "*", type = "CNAME", ttl = 300, records = ["private.googleapis.com."] }, + ] +} + +module "dns-api-dev" { + source = "../../modules/dns" + project_id = module.project-host-dev.project_id + type = "private" + name = "googleapis" + domain = "googleapis.com." + client_networks = [module.vpc-dev.self_link] + recordsets = [ + { name = "*", type = "CNAME", ttl = 300, records = ["private.googleapis.com."] }, + ] +} + +############################################################################### +# Distributed Firewall # +############################################################################### + +module "vpc-firewall-prod" { + source = "../../modules/net-vpc-firewall-yaml" + + project_id = module.project-host-prod.project_id + network = module.vpc-prod.name + config_directories = [ + "${path.module}/firewall/common", + "${path.module}/firewall/prod" + ] + + # Enable Firewall Logging for the production fwl rules + log_config = { + metadata = "INCLUDE_ALL_METADATA" + } +} + +module "vpc-firewall-dev" { + source = "../../modules/net-vpc-firewall-yaml" + + project_id = module.project-host-dev.project_id + network = module.vpc-dev.name + config_directories = [ + "${path.module}/firewall/common", + "${path.module}/firewall/dev" + ] +} diff --git a/networking/decentralized-firewall/outputs.tf b/networking/decentralized-firewall/outputs.tf new file mode 100644 index 00000000..f744821f --- /dev/null +++ b/networking/decentralized-firewall/outputs.tf @@ -0,0 +1,53 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +output "projects" { + description = "Project ids." + value = { + prod-host = module.project-host-prod.project_id + dev-host = module.project-host-dev.project_id + } +} + +output "vpc" { + description = "Shared VPCs." + value = { + prod = { + name = module.vpc-prod.name + subnets = module.vpc-prod.subnet_ips + } + dev = { + name = module.vpc-dev.name + subnets = module.vpc-dev.subnet_ips + } + } +} + +output "fw_rules" { + description = "Firewall rules." + value = { + prod = { + ingress_allow_rules = module.vpc-firewall-prod.ingress_allow_rules + ingress_deny_rules = module.vpc-firewall-prod.ingress_deny_rules + egress_allow_rules = module.vpc-firewall-prod.egress_allow_rules + egress_deny_rules = module.vpc-firewall-prod.egress_deny_rules + } + dev = { + ingress_allow_rules = module.vpc-firewall-dev.ingress_allow_rules + ingress_deny_rules = module.vpc-firewall-dev.ingress_deny_rules + egress_allow_rules = module.vpc-firewall-dev.egress_allow_rules + egress_deny_rules = module.vpc-firewall-dev.egress_deny_rules + } + } +} diff --git a/networking/decentralized-firewall/variables.tf b/networking/decentralized-firewall/variables.tf new file mode 100644 index 00000000..6e71fbc3 --- /dev/null +++ b/networking/decentralized-firewall/variables.tf @@ -0,0 +1,53 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +variable "billing_account_id" { + description = "Billing account id used as default for new projects." + type = string +} + +variable "prefix" { + description = "Prefix used for resources that need unique names." + type = string +} + +variable "region" { + description = "Region used." + type = string + default = "europe-west1" +} + +variable "root_node" { + description = "Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'." + type = string +} + +variable "ip_ranges" { + description = "Subnet IP CIDR ranges." + type = map(string) + default = { + prod = "10.0.16.0/24" + dev = "10.0.32.0/24" + } +} + +variable "project_services" { + description = "Service APIs enabled by default in new projects." + type = list(string) + default = [ + "container.googleapis.com", + "dns.googleapis.com", + "stackdriver.googleapis.com", + ] +} diff --git a/tests/modules/net_vpc_firewall_yaml/fixture/main.tf b/tests/modules/net_vpc_firewall_yaml/fixture/main.tf index 7db37c77..4dcc9b7c 100644 --- a/tests/modules/net_vpc_firewall_yaml/fixture/main.tf +++ b/tests/modules/net_vpc_firewall_yaml/fixture/main.tf @@ -15,9 +15,11 @@ */ module "firewall" { - source = "../../../../modules/net-vpc-firewall-yaml" - project_id = "my-project" - network = "my-network" - config_path = "./rules" - log_config = var.log_config + source = "../../../../modules/net-vpc-firewall-yaml" + project_id = "my-project" + network = "my-network" + config_directories = [ + "./rules" + ] + log_config = var.log_config } diff --git a/tests/networking/decentralized_firewall/__init__.py b/tests/networking/decentralized_firewall/__init__.py new file mode 100644 index 00000000..d46dbae5 --- /dev/null +++ b/tests/networking/decentralized_firewall/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/tests/networking/decentralized_firewall/fixture/main.tf b/tests/networking/decentralized_firewall/fixture/main.tf new file mode 100644 index 00000000..9bef2d73 --- /dev/null +++ b/tests/networking/decentralized_firewall/fixture/main.tf @@ -0,0 +1,22 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "test" { + source = "../../../../networking/decentralized-firewall" + billing_account_id = var.billing_account_id + prefix = var.prefix + root_node = var.root_node +} diff --git a/tests/networking/decentralized_firewall/fixture/variables.tf b/tests/networking/decentralized_firewall/fixture/variables.tf new file mode 100644 index 00000000..9646fe1b --- /dev/null +++ b/tests/networking/decentralized_firewall/fixture/variables.tf @@ -0,0 +1,28 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +variable "billing_account_id" { + type = string + default = "ABCDE-12345-ABCDE" +} + +variable "prefix" { + type = string + default = "test" +} + +variable "root_node" { + type = string + default = "organizations/0123456789" +} diff --git a/tests/networking/decentralized_firewall/test_plan.py b/tests/networking/decentralized_firewall/test_plan.py new file mode 100644 index 00000000..cb1764a9 --- /dev/null +++ b/tests/networking/decentralized_firewall/test_plan.py @@ -0,0 +1,27 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +import os +import pytest + + +FIXTURES_DIR = os.path.join(os.path.dirname(__file__), "fixture") + + +def test_resources(e2e_plan_runner): + "Test that plan works and the numbers of resources is as expected." + modules, resources = e2e_plan_runner(FIXTURES_DIR) + assert len(modules) == 8 + assert len(resources) == 50