Hierarchical firewall policies for folders

2020-11-23 18:45:18 +01:00 · 2020-11-23 18:45:18 +01:00 · 779f585d1d
parent 2ea59d2ee4
commit 779f585d1d
5 changed files with 144 additions and 1 deletions
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@ -41,6 +41,48 @@ module "folder" {
 # tftest:modules=1:resources=4
 ```

+### Hierarchical firewall policies
+
+```hcl
+module "folder1" {
+  source = "./modules/folder"
+  parent = var.organization_id
+  name   = "policy-container"
+
+  firewall_policies = {
+    iap-policy = {
+      allow-iap-ssh = {
+        description = "Always allow ssh from IAP"
+        direction   = "INGRESS"
+        action      = "allow"
+        priority    = 100
+        ranges      = ["35.235.240.0/20"]
+        ports = {
+          tcp = ["22"]
+        }
+        target_service_accounts = null
+        target_resources        = null
+        logging                 = false
+      }
+    }
+  }
+  firewall_policy_attachments = {
+    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
+  }
+}
+
+module "folder2" {
+  source = "./modules/folder"
+  parent = var.organization_id
+  name   = "hf2"
+  firewall_policy_attachments = {
+    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
+  }
+}
+# tftest:modules=2:resources=6
+```
+
+
 <!-- BEGIN TFDOC -->
 ## Variables

@ -48,6 +90,8 @@ module "folder" {
 |---|---|:---: |:---:|:---:|
 | name | Folder name. | <code title="">string</code> | ✓ |  |
 | parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string&#10;validation &#123;&#10;condition     &#61; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">string</code> | ✓ |  |
+| *firewall_policies* | Hierarchical firewall policies to *create* in this folder. | <code title="map&#40;map&#40;object&#40;&#123;&#10;description             &#61; string&#10;direction               &#61; string&#10;action                  &#61; string&#10;priority                &#61; number&#10;ranges                  &#61; list&#40;string&#41;&#10;ports                   &#61; map&#40;list&#40;string&#41;&#41;&#10;target_service_accounts &#61; list&#40;string&#41;&#10;target_resources        &#61; list&#40;string&#41;&#10;logging                 &#61; bool&#10;&#125;&#41;&#41;&#41;">map(map(object({...})))</code> |  | <code title="">{}</code> |
+| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to this folder. | <code title="set&#40;string&#41;">set(string)</code> |  | <code title="">[]</code> |
 | *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
@ -56,6 +100,8 @@ module "folder" {

 | name | description | sensitive |
 |---|---|:---:|
+| firewall_policies | Map of firewall policy resources created in this folder. |  |
+| firewall_policy_id | Map of firewall policy ids created in this folder. |  |
 | folder | Folder resource. |  |
 | id | Folder id. |  |
 | name | Folder name. |  |
--- a/modules/folder/main.tf
+++ b/modules/folder/main.tf
@ -14,6 +14,18 @@
 * limitations under the License.
 */

+locals {
+  extended_rules = flatten([
+    for policy, rules in var.firewall_policies : [
+      for rule_name, rule in rules :
+      merge(rule, { policy = policy, name = rule_name })
+    ]
+  ])
+  rules_map = {
+    for rule in local.extended_rules :
+    "${rule.policy}-${rule.name}" => rule
+  }
+}

 resource "google_folder" "folder" {
  display_name = var.name
@ -99,3 +111,48 @@ resource "google_folder_organization_policy" "list" {
    }
  }
 }
+
+resource "google_compute_organization_security_policy" "policy" {
+  provider = google-beta
+  for_each = var.firewall_policies
+
+  display_name = each.key
+  parent       = google_folder.folder.id
+}
+
+resource "google_compute_organization_security_policy_rule" "rule" {
+  provider = google-beta
+  for_each = local.rules_map
+
+  policy_id               = google_compute_organization_security_policy.policy[each.value.policy].id
+  action                  = each.value.action
+  direction               = each.value.direction
+  priority                = each.value.priority
+  target_resources        = each.value.target_resources
+  target_service_accounts = each.value.target_service_accounts
+  enable_logging          = each.value.logging
+  # preview                 = each.value.preview
+  match {
+    description = each.value.description
+    config {
+      src_ip_ranges  = each.value.direction == "INGRESS" ? each.value.ranges : null
+      dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
+      dynamic "layer4_config" {
+        for_each = each.value.ports
+        iterator = port
+        content {
+          ip_protocol = port.key
+          ports       = port.value
+        }
+      }
+    }
+  }
+}
+
+resource "google_compute_organization_security_policy_association" "attachment" {
+  provider      = google-beta
+  for_each      = var.firewall_policy_attachments
+  name          = "${google_folder.folder.id}-${each.key}"
+  attachment_id = google_folder.folder.id
+  policy_id     = each.value
+}
--- a/modules/folder/outputs.tf
+++ b/modules/folder/outputs.tf
@ -33,3 +33,19 @@ output "name" {
  description = "Folder name."
  value       = google_folder.folder.display_name
 }
+
+output "firewall_policies" {
+  description = "Map of firewall policy resources created in this folder."
+  value = {
+    for name, _ in var.firewall_policies :
+    name => google_compute_organization_security_policy.policy[name]
+  }
+}
+
+output "firewall_policy_id" {
+  description = "Map of firewall policy ids created in this folder."
+  value = {
+    for name, _ in var.firewall_policies :
+    name => google_compute_organization_security_policy.policy[name].id
+  }
+}
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@ -50,3 +50,27 @@ variable "policy_list" {
  }))
  default = {}
 }
+
+variable "firewall_policies" {
+  description = "Hierarchical firewall policies to *create* in this folder."
+  type = map(map(object({
+    description             = string
+    direction               = string
+    action                  = string
+    priority                = number
+    ranges                  = list(string)
+    ports                   = map(list(string))
+    target_service_accounts = list(string)
+    target_resources        = list(string)
+    logging                 = bool
+    #preview                 = bool
+  })))
+  default = {}
+}
+
+variable "firewall_policy_attachments" {
+  description = "List of hierarchical firewall policy IDs to *attach* to this folder."
+  # set to avoid manual casting with toset()
+  type    = map(string)
+  default = {}
+}
--- a/tests/examples/variables.tf
+++ b/tests/examples/variables.tf
@ -15,7 +15,7 @@
 # common variables used for examples

 variable "organization_id" {
-  default = "organization/organization"
+  default = "organizations/1122334455"
 }

 variable "project_id" {