Allow setting no ranges in firewall module custom rules (#1073)
* allow setting no ranges in custom firewall rules * fix blueprint * fix example * fix example
This commit is contained in:
parent
53135cdef9
commit
66a402083b
@ -85,6 +85,7 @@ module "firewall" {
|
||||||
ingress_rules = {
|
ingress_rules = {
|
||||||
"${var.prefix}-allow-all-between-wsfc-nodes" = {
|
"${var.prefix}-allow-all-between-wsfc-nodes" = {
|
||||||
description = "Allow all between WSFC nodes"
|
description = "Allow all between WSFC nodes"
|
||||||
|
source_ranges = []
|
||||||
sources = [module.compute-service-account.email]
|
sources = [module.compute-service-account.email]
|
||||||
targets = [module.compute-service-account.email]
|
targets = [module.compute-service-account.email]
|
||||||
use_service_accounts = true
|
use_service_accounts = true
|
||||||
|
@ -96,6 +97,7 @@ module "firewall" {
|
||||||
}
|
}
|
||||||
"${var.prefix}-allow-all-between-wsfc-witness" = {
|
"${var.prefix}-allow-all-between-wsfc-witness" = {
|
||||||
description = "Allow all between WSFC witness nodes"
|
description = "Allow all between WSFC witness nodes"
|
||||||
|
source_ranges = []
|
||||||
sources = [module.compute-service-account.email]
|
sources = [module.compute-service-account.email]
|
||||||
targets = [module.witness-service-account.email]
|
targets = [module.witness-service-account.email]
|
||||||
use_service_accounts = true
|
use_service_accounts = true
|
||||||
|
@ -108,7 +110,7 @@ module "firewall" {
|
||||||
"${var.prefix}-allow-sql-to-wsfc-nodes" = {
|
"${var.prefix}-allow-sql-to-wsfc-nodes" = {
|
||||||
description = "Allow SQL connections to WSFC nodes"
|
description = "Allow SQL connections to WSFC nodes"
|
||||||
targets = [module.compute-service-account.email]
|
targets = [module.compute-service-account.email]
|
||||||
ranges = var.sql_client_cidrs
|
source_ranges = var.sql_client_cidrs
|
||||||
use_service_accounts = true
|
use_service_accounts = true
|
||||||
rules = [
|
rules = [
|
||||||
{ protocol = "tcp", ports = [1433] },
|
{ protocol = "tcp", ports = [1433] },
|
||||||
|
@ -117,7 +119,7 @@ module "firewall" {
|
||||||
"${var.prefix}-allow-health-check-to-wsfc-nodes" = {
|
"${var.prefix}-allow-health-check-to-wsfc-nodes" = {
|
||||||
description = "Allow health checks to WSFC nodes"
|
description = "Allow health checks to WSFC nodes"
|
||||||
targets = [module.compute-service-account.email]
|
targets = [module.compute-service-account.email]
|
||||||
ranges = var.health_check_ranges
|
source_ranges = var.health_check_ranges
|
||||||
use_service_accounts = true
|
use_service_accounts = true
|
||||||
rules = [
|
rules = [
|
||||||
{ protocol = "tcp" }
|
{ protocol = "tcp" }
|
||||||
|
|
|
@ -33,7 +33,7 @@ Some implicit defaults are used in the rules variable types and can be controlle
|
||||||
|
|
||||||
- action is controlled via the `deny` attribute which defaults to `true` for egress and `false` for ingress
|
- action is controlled via the `deny` attribute which defaults to `true` for egress and `false` for ingress
|
||||||
- priority defaults to `1000`
|
- priority defaults to `1000`
|
||||||
- destination ranges (for egress) and source ranges (for ingress) default to `["0.0.0.0/0"]` if not explicitly set
|
- destination ranges (for egress) and source ranges (for ingress) default to `["0.0.0.0/0"]` if not explicitly set or set to `null`, to disable the behaviour set ranges to the empty list (`[]`)
|
||||||
- rules default to all protocols if not set
|
- rules default to all protocols if not set
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
|
@ -45,31 +45,39 @@ module "firewall" {
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
}
|
}
|
||||||
egress_rules = {
|
egress_rules = {
|
||||||
# implicit `deny` action
|
# implicit deny action
|
||||||
allow-egress-rfc1918 = {
|
allow-egress-rfc1918 = {
|
||||||
|
deny = false
|
||||||
description = "Allow egress to RFC 1918 ranges."
|
description = "Allow egress to RFC 1918 ranges."
|
||||||
destination_ranges = [
|
destination_ranges = [
|
||||||
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
|
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
|
||||||
]
|
]
|
||||||
# implicit { protocol = "all" } rule
|
}
|
||||||
|
allow-egress-tag = {
|
||||||
|
deny = false
|
||||||
|
description = "Allow egress from a specific tag to 0/0."
|
||||||
|
targets = ["target-tag"]
|
||||||
}
|
}
|
||||||
deny-egress-all = {
|
deny-egress-all = {
|
||||||
description = "Block egress."
|
description = "Block egress."
|
||||||
# implicit ["0.0.0.0/0"] destination ranges
|
|
||||||
# implicit { protocol = "all" } rule
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ingress_rules = {
|
ingress_rules = {
|
||||||
# implicit `allow` action
|
# implicit allow action
|
||||||
allow-ingress-ntp = {
|
allow-ingress-ntp = {
|
||||||
description = "Allow NTP service based on tag."
|
description = "Allow NTP service based on tag."
|
||||||
source_ranges = ["0.0.0.0/0"]
|
targets = ["ntp-svc"]
|
||||||
targets = ["ntp-svc"]
|
rules = [{ protocol = "udp", ports = [123] }]
|
||||||
rules = [{ protocol = "udp", ports = [123] }]
|
}
|
||||||
|
allow-ingress-tag = {
|
||||||
|
description = "Allow ingress from a specific tag."
|
||||||
|
source_ranges = []
|
||||||
|
sources = ["client-tag"]
|
||||||
|
targets = ["target-tag"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=7
|
# tftest modules=1 resources=9
|
||||||
```
|
```
|
||||||
|
|
||||||
### Controlling or turning off default rules
|
### Controlling or turning off default rules
|
||||||
|
@ -194,13 +202,13 @@ healthchecks:
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [network](variables.tf#L109) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
| [network](variables.tf#L108) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||||
| [project_id](variables.tf#L114) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L113) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||||
| [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
| [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||||
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [factories_config](variables.tf#L60) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = string })">object({…})</code> | | <code>null</code> |
|
| [factories_config](variables.tf#L59) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [ingress_rules](variables.tf#L69) | List of ingress rule definitions, default to allow action. | <code title="map(object({ deny = optional(bool, false) description = optional(string) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [ingress_rules](variables.tf#L68) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [named_ranges](variables.tf#L92) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
| [named_ranges](variables.tf#L91) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -66,15 +66,23 @@ locals {
|
||||||
for name, rule in local._rules :
|
for name, rule in local._rules :
|
||||||
name => merge(rule, {
|
name => merge(rule, {
|
||||||
action = rule.deny == true ? "DENY" : "ALLOW"
|
action = rule.deny == true ? "DENY" : "ALLOW"
|
||||||
destination_ranges = flatten([
|
destination_ranges = (
|
||||||
for range in coalesce(try(rule.destination_ranges, null), []) :
|
try(rule.destination_ranges, null) == null
|
||||||
try(local._named_ranges[range], range)
|
? null
|
||||||
])
|
: flatten([
|
||||||
|
for range in rule.destination_ranges :
|
||||||
|
try(local._named_ranges[range], range)
|
||||||
|
])
|
||||||
|
)
|
||||||
rules = { for k, v in rule.rules : k => v }
|
rules = { for k, v in rule.rules : k => v }
|
||||||
source_ranges = flatten([
|
source_ranges = (
|
||||||
for range in coalesce(try(rule.source_ranges, null), []) :
|
try(rule.source_ranges, null) == null
|
||||||
try(local._named_ranges[range], range)
|
? null
|
||||||
])
|
: flatten([
|
||||||
|
for range in rule.source_ranges :
|
||||||
|
try(local._named_ranges[range], range)
|
||||||
|
])
|
||||||
|
)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -89,18 +97,20 @@ resource "google_compute_firewall" "custom-rules" {
|
||||||
source_ranges = (
|
source_ranges = (
|
||||||
each.value.direction == "INGRESS"
|
each.value.direction == "INGRESS"
|
||||||
? (
|
? (
|
||||||
coalesce(each.value.source_ranges, []) == []
|
each.value.source_ranges == null
|
||||||
? ["0.0.0.0/0"]
|
? ["0.0.0.0/0"]
|
||||||
: each.value.source_ranges
|
: each.value.source_ranges
|
||||||
) : null
|
)
|
||||||
|
: null
|
||||||
)
|
)
|
||||||
destination_ranges = (
|
destination_ranges = (
|
||||||
each.value.direction == "EGRESS"
|
each.value.direction == "EGRESS"
|
||||||
? (
|
? (
|
||||||
coalesce(each.value.destination_ranges, []) == []
|
each.value.destination_ranges == null
|
||||||
? ["0.0.0.0/0"]
|
? ["0.0.0.0/0"]
|
||||||
: each.value.destination_ranges
|
: each.value.destination_ranges
|
||||||
) : null
|
)
|
||||||
|
: null
|
||||||
)
|
)
|
||||||
source_tags = (
|
source_tags = (
|
||||||
each.value.use_service_accounts || each.value.direction == "EGRESS"
|
each.value.use_service_accounts || each.value.direction == "EGRESS"
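Review bot: `each.value.source_ranges == null ? ["0.0.0.0/0"]` still injects 0.0.0.0/0 into ingress rules that name `sources` (tags or service accounts) but leave `source_ranges` unset, which on GCP widens the rule to any address OR the listed sources; the commit makes that opt-out via `[]` rather than closing it by default. A safer default skips the substitution when sources are given: `each.value.source_ranges == null && try(each.value.sources, null) == null` / `? ["0.0.0.0/0"]` / `: each.value.source_ranges` — explicit values, including `[]`, still pass through unchanged, and the README bullet plus the variable descriptions would need the matching caveat. `try()` is suggested because egress rules no longer carry `sources` after this commit and `each.value` appears to hold rules of both directions. The `custom-rules` resource body starts before this hunk and continues after it.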
|
||||||
|
|
|
@ -35,7 +35,7 @@ variable "default_rules_config" {
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "egress_rules" {
|
variable "egress_rules" {
|
||||||
description = "List of egress rule definitions, default to deny action."
|
description = "List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
deny = optional(bool, true)
|
deny = optional(bool, true)
|
||||||
description = optional(string)
|
description = optional(string)
|
||||||
|
@ -45,7 +45,6 @@ variable "egress_rules" {
|
||||||
include_metadata = optional(bool)
|
include_metadata = optional(bool)
|
||||||
}))
|
}))
|
||||||
priority = optional(number, 1000)
|
priority = optional(number, 1000)
|
||||||
sources = optional(list(string))
|
|
||||||
targets = optional(list(string))
|
targets = optional(list(string))
|
||||||
use_service_accounts = optional(bool, false)
|
use_service_accounts = optional(bool, false)
|
||||||
rules = optional(list(object({
|
rules = optional(list(object({
|
||||||
|
@ -67,7 +66,7 @@ variable "factories_config" {
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "ingress_rules" {
|
variable "ingress_rules" {
|
||||||
description = "List of ingress rule definitions, default to allow action."
|
description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
deny = optional(bool, false)
|
deny = optional(bool, false)
|
||||||
description = optional(string)
|
description = optional(string)
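Review bot: Dropping `sources` from the `egress_rules` object type is a breaking change for any caller that set it on an egress rule — the attribute was a no-op for GCP egress, but Terraform presumably rejects an unexpected object attribute at plan time — and it is worth calling out in the changelog or module README rather than leaving it implied by this variables diff. The new description sentence could also point at the opt-out the commit introduces, e.g. `Null destination ranges will be replaced with 0/0; set to [] to disable.` and the same for source ranges, mirroring the README wording. Both variable blocks continue outside the hunks.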
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
default_rules_config = {
|
||||||
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
|
https_ranges = []
|
||||||
|
}
|
|
@ -0,0 +1,44 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
google_compute_firewall.allow-admins[0]:
|
||||||
|
source_ranges:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
google_compute_firewall.allow-tag-http[0]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- "80"
|
||||||
|
protocol: tcp
|
||||||
|
source_ranges:
|
||||||
|
- 130.211.0.0/22
|
||||||
|
- 209.85.152.0/22
|
||||||
|
- 209.85.204.0/22
|
||||||
|
- 35.191.0.0/16
|
||||||
|
google_compute_firewall.allow-tag-ssh[0]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- "22"
|
||||||
|
protocol: tcp
|
||||||
|
source_ranges:
|
||||||
|
- 35.235.240.0/20
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 3
|
||||||
|
modules: 0
|
||||||
|
resources: 3
|
||||||
|
|
||||||
|
outputs:
|
||||||
|
default_rules: __missing__
|
||||||
|
rules: {}
|
|
@ -0,0 +1,2 @@
|
||||||
|
project_id = "test-project"
|
||||||
|
network = "test-network"
|
|
@ -0,0 +1,33 @@
|
||||||
|
default_rules_config = {
|
||||||
|
disabled = true
|
||||||
|
}
|
||||||
|
egress_rules = {
|
||||||
|
allow-egress-rfc1918 = {
|
||||||
|
deny = false
|
||||||
|
description = "Allow egress to RFC 1918 ranges."
|
||||||
|
destination_ranges = [
|
||||||
|
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
allow-egress-tag = {
|
||||||
|
deny = false
|
||||||
|
description = "Allow egress from a specific tag to 0/0."
|
||||||
|
targets = ["target-tag"]
|
||||||
|
}
|
||||||
|
deny-egress-all = {
|
||||||
|
description = "Block egress."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ingress_rules = {
|
||||||
|
allow-ingress-ntp = {
|
||||||
|
description = "Allow NTP service based on tag."
|
||||||
|
targets = ["ntp-svc"]
|
||||||
|
rules = [{ protocol = "udp", ports = [123] }]
|
||||||
|
}
|
||||||
|
allow-ingress-tag = {
|
||||||
|
description = "Allow ingress from a specific tag."
|
||||||
|
source_ranges = []
|
||||||
|
sources = ["client-tag"]
|
||||||
|
targets = ["target-tag"]
|
||||||
|
}
|
||||||
|
}
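Review bot: None of the custom rules in this fixture exercises `use_service_accounts = true` together with `source_ranges = []`, which is the combination the blueprint in this same commit relies on to keep its all-protocol WSFC rules scoped to a service account; the `allow-ingress-tag` case only covers tags. Adding a service-account rule would let the inventory pin `source_ranges: null` and `source_service_accounts` for that path too, so a regression that re-attaches 0.0.0.0/0 to service-account rules is caught by the test rather than by production.
```hcl
ingress_rules = {
  # … unchanged: allow-ingress-ntp, allow-ingress-tag …
  allow-ingress-sa = {
    description          = "Allow ingress from a service account only."
    source_ranges        = []
    sources              = ["client-sa@test-project.iam.gserviceaccount.com"]
    targets              = ["target-sa@test-project.iam.gserviceaccount.com"]
    use_service_accounts = true
  }
```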
|
|
@ -0,0 +1,83 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow egress to RFC 1918 ranges.
|
||||||
|
destination_ranges:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 192.168.0.0/16
|
||||||
|
direction: EGRESS
|
||||||
|
google_compute_firewall.custom-rules["allow-egress-tag"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow egress from a specific tag to 0/0.
|
||||||
|
destination_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
direction: EGRESS
|
||||||
|
target_tags:
|
||||||
|
- target-tag
|
||||||
|
google_compute_firewall.custom-rules["allow-ingress-ntp"]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- "123"
|
||||||
|
protocol: udp
|
||||||
|
deny: []
|
||||||
|
description: Allow NTP service based on tag.
|
||||||
|
direction: INGRESS
|
||||||
|
source_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_tags:
|
||||||
|
- ntp-svc
|
||||||
|
google_compute_firewall.custom-rules["allow-ingress-tag"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow ingress from a specific tag.
|
||||||
|
direction: INGRESS
|
||||||
|
source_ranges: null
|
||||||
|
source_tags:
|
||||||
|
- client-tag
|
||||||
|
target_tags:
|
||||||
|
- target-tag
|
||||||
|
google_compute_firewall.custom-rules["deny-egress-all"]:
|
||||||
|
allow: []
|
||||||
|
deny:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
description: Block egress.
|
||||||
|
direction: EGRESS
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 5
|
||||||
|
modules: 0
|
||||||
|
resources: 5
|
||||||
|
|
||||||
|
outputs:
|
||||||
|
default_rules:
|
||||||
|
admin: []
|
||||||
|
http: []
|
||||||
|
https: []
|
||||||
|
ssh: []
|
||||||
|
rules: __missing__
|
|
@ -0,0 +1,7 @@
|
||||||
|
default_rules_config = {
|
||||||
|
disabled = true
|
||||||
|
}
|
||||||
|
factories_config = {
|
||||||
|
cidr_tpl_file = "../../tests/modules/net_vpc_firewall/data/cidr_template.yaml"
|
||||||
|
rules_folder = "../../tests/modules/net_vpc_firewall/data/firewall"
|
||||||
|
}
|
|
@ -0,0 +1,54 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
google_compute_firewall.custom-rules["allow-healthchecks"]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- "80"
|
||||||
|
- "443"
|
||||||
|
protocol: tcp
|
||||||
|
deny: []
|
||||||
|
description: Allow ingress from healthchecks.
|
||||||
|
direction: INGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-healthchecks
|
||||||
|
network: test-network
|
||||||
|
priority: 1000
|
||||||
|
project: test-project
|
||||||
|
source_ranges:
|
||||||
|
- 130.211.0.0/22
|
||||||
|
- 209.85.152.0/22
|
||||||
|
- 209.85.204.0/22
|
||||||
|
- 35.191.0.0/16
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- lb-backends
|
||||||
|
timeouts: null
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 1
|
||||||
|
modules: 0
|
||||||
|
resources: 1
|
||||||
|
|
||||||
|
outputs:
|
||||||
|
default_rules:
|
||||||
|
admin: []
|
||||||
|
http: []
|
||||||
|
https: []
|
||||||
|
ssh: []
|
||||||
|
rules: __missing__
|
|
@ -1,25 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
module "firewall" {
|
|
||||||
source = "../../../../modules/net-vpc-firewall"
|
|
||||||
project_id = "test-project"
|
|
||||||
network = "test-vpc"
|
|
||||||
default_rules_config = var.default_rules_config
|
|
||||||
egress_rules = var.egress_rules
|
|
||||||
ingress_rules = var.ingress_rules
|
|
||||||
factories_config = var.factories_config
|
|
||||||
}
|
|
|
@ -1,22 +0,0 @@
|
||||||
egress_rules = {
|
|
||||||
allow-egress-rfc1918 = {
|
|
||||||
description = "Allow egress to RFC 1918 ranges."
|
|
||||||
is_egress = true
|
|
||||||
destination_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
|
||||||
}
|
|
||||||
deny-egress-all = {
|
|
||||||
description = "Block egress."
|
|
||||||
is_deny = true
|
|
||||||
is_egress = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ingress_rules = {
|
|
||||||
allow-ingress-ntp = {
|
|
||||||
description = "Allow NTP service based on tag."
|
|
||||||
targets = ["ntp-svc"]
|
|
||||||
rules = [{ protocol = "udp", ports = [123] }]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
default_rules_config = {
|
|
||||||
disabled = true
|
|
||||||
}
|
|
|
@ -1,51 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
variable "default_rules_config" {
|
|
||||||
type = any
|
|
||||||
default = {}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "egress_rules" {
|
|
||||||
type = any
|
|
||||||
default = {}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "factories_config" {
|
|
||||||
type = any
|
|
||||||
default = null
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "ingress_rules" {
|
|
||||||
type = any
|
|
||||||
default = {}
|
|
||||||
}
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
module: modules/net-vpc-firewall
|
||||||
|
common_tfvars:
|
||||||
|
- common.tfvars
|
||||||
|
tests:
|
||||||
|
auto-rules:
|
||||||
|
custom-rules:
|
||||||
|
factory:
|