Hierarchical firewall policies for folders
This commit is contained in:
parent
2ea59d2ee4
commit
779f585d1d
|
@ -41,6 +41,48 @@ module "folder" {
|
|||
# tftest:modules=1:resources=4
|
||||
```
|
||||
|
||||
### Hierarchical firewall policies
|
||||
|
||||
```hcl
|
||||
module "folder1" {
|
||||
source = "./modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "policy-container"
|
||||
|
||||
firewall_policies = {
|
||||
iap-policy = {
|
||||
allow-iap-ssh = {
|
||||
description = "Always allow ssh from IAP"
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 100
|
||||
ranges = ["35.235.240.0/20"]
|
||||
ports = {
|
||||
tcp = ["22"]
|
||||
}
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
}
|
||||
}
|
||||
firewall_policy_attachments = {
|
||||
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||
}
|
||||
}
|
||||
|
||||
module "folder2" {
|
||||
source = "./modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "hf2"
|
||||
firewall_policy_attachments = {
|
||||
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||
}
|
||||
}
|
||||
# tftest:modules=2:resources=6
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
@ -48,6 +90,8 @@ module "folder" {
|
|||
|---|---|:---: |:---:|:---:|
|
||||
| name | Folder name. | <code title="">string</code> | ✓ | |
|
||||
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string validation { condition = can(regex("(organizations|folders)/[0-9]+", var.parent)) error_message = "Parent must be of the form folders/folder_id or organizations/organization_id." }">string</code> | ✓ | |
|
||||
| *firewall_policies* | Hierarchical firewall policies to *create* in this folder. | <code title="map(map(object({ description = string direction = string action = string priority = number ranges = list(string) ports = map(list(string)) target_service_accounts = list(string) target_resources = list(string) logging = bool })))">map(map(object({...})))</code> | | <code title="">{}</code> |
|
||||
| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to this folder. | <code title="set(string)">set(string)</code> | | <code title="">[]</code> |
|
||||
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
@ -56,6 +100,8 @@ module "folder" {
|
|||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| firewall_policies | Map of firewall policy resources created in this folder. | |
|
||||
| firewall_policy_id | Map of firewall policy ids created in this folder. | |
|
||||
| folder | Folder resource. | |
|
||||
| id | Folder id. | |
|
||||
| name | Folder name. | |
|
||||
|
|
|
@ -14,6 +14,18 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
extended_rules = flatten([
|
||||
for policy, rules in var.firewall_policies : [
|
||||
for rule_name, rule in rules :
|
||||
merge(rule, { policy = policy, name = rule_name })
|
||||
]
|
||||
])
|
||||
rules_map = {
|
||||
for rule in local.extended_rules :
|
||||
"${rule.policy}-${rule.name}" => rule
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_folder" "folder" {
|
||||
display_name = var.name
|
||||
|
@ -99,3 +111,48 @@ resource "google_folder_organization_policy" "list" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_organization_security_policy" "policy" {
|
||||
provider = google-beta
|
||||
for_each = var.firewall_policies
|
||||
|
||||
display_name = each.key
|
||||
parent = google_folder.folder.id
|
||||
}
|
||||
|
||||
resource "google_compute_organization_security_policy_rule" "rule" {
|
||||
provider = google-beta
|
||||
for_each = local.rules_map
|
||||
|
||||
policy_id = google_compute_organization_security_policy.policy[each.value.policy].id
|
||||
action = each.value.action
|
||||
direction = each.value.direction
|
||||
priority = each.value.priority
|
||||
target_resources = each.value.target_resources
|
||||
target_service_accounts = each.value.target_service_accounts
|
||||
enable_logging = each.value.logging
|
||||
# preview = each.value.preview
|
||||
match {
|
||||
description = each.value.description
|
||||
config {
|
||||
src_ip_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
||||
dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
||||
dynamic "layer4_config" {
|
||||
for_each = each.value.ports
|
||||
iterator = port
|
||||
content {
|
||||
ip_protocol = port.key
|
||||
ports = port.value
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_organization_security_policy_association" "attachment" {
|
||||
provider = google-beta
|
||||
for_each = var.firewall_policy_attachments
|
||||
name = "${google_folder.folder.id}-${each.key}"
|
||||
attachment_id = google_folder.folder.id
|
||||
policy_id = each.value
|
||||
}
|
||||
|
|
|
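Review bot: In the `google_compute_organization_security_policy_rule` resource, `src_ip_ranges` and `dest_ip_ranges` both fall through to `null` when `direction` is anything other than the exact strings `INGRESS`/`EGRESS` (e.g. lower-case `ingress`), so a typo silently drops the address ranges from the match and the error, if any, surfaces only at apply time; a plan-time `validation` block on `var.firewall_policies` for `direction` and `action` would close that gap. The `rules_map` key `"${rule.policy}-${rule.name}"` can also collide when names themselves contain `-` (policy `a-b` / rule `c` vs policy `a` / rule `b-c`), which the `for` expression rejects as a duplicate key; a separator that cannot appear in either name, e.g. `"${rule.policy}/${rule.name}"`, avoids this. The association `name = "${google_folder.folder.id}-${each.key}"` embeds a `folders/` prefix including the slash — presumably fine since the example carries a `tftest` marker, but worth confirming against the API's name constraints. The commented-out `# preview = each.value.preview` line should either be wired up or removed together with the matching commented attribute in the variable, with a comment such as `# preview is not exposed: the google-beta provider attribute is not supported in this module version` if it is intentionally deferred.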
@ -33,3 +33,19 @@ output "name" {
|
|||
description = "Folder name."
|
||||
value = google_folder.folder.display_name
|
||||
}
|
||||
|
||||
output "firewall_policies" {
|
||||
description = "Map of firewall policy resources created in this folder."
|
||||
value = {
|
||||
for name, _ in var.firewall_policies :
|
||||
name => google_compute_organization_security_policy.policy[name]
|
||||
}
|
||||
}
|
||||
|
||||
output "firewall_policy_id" {
|
||||
description = "Map of firewall policy ids created in this folder."
|
||||
value = {
|
||||
for name, _ in var.firewall_policies :
|
||||
name => google_compute_organization_security_policy.policy[name].id
|
||||
}
|
||||
}
|
||||
|
|
|
@ -50,3 +50,27 @@ variable "policy_list" {
|
|||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
description = "Hierarchical firewall policies to *create* in this folder."
|
||||
type = map(map(object({
|
||||
description = string
|
||||
direction = string
|
||||
action = string
|
||||
priority = number
|
||||
ranges = list(string)
|
||||
ports = map(list(string))
|
||||
target_service_accounts = list(string)
|
||||
target_resources = list(string)
|
||||
logging = bool
|
||||
#preview = bool
|
||||
})))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policy_attachments" {
|
||||
description = "List of hierarchical firewall policy IDs to *attach* to this folder."
|
||||
# set to avoid manual casting with toset()
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
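Review bot: The `firewall_policies` variable accepts any string for `direction` and `action`, so invalid values (or a lower-case `ingress`) pass `terraform validate` and fail only at apply time, while the `parent` variable in this module already uses a `validation` block; the same pattern should guard the rule attributes here. Separately, `firewall_policy_attachments` is declared `type = map(string)` with `default = {}`, but its description says "List of hierarchical firewall policy IDs" and the comment above it reads `# set to avoid manual casting with toset()`, and the README variables table still documents it as `set(string)` with default `[]` — description, comment and README should be brought in line with the map type, e.g. `description = "Map of hierarchical firewall policy IDs to *attach* to this folder, keyed by attachment name."`. The commented `#preview = bool` attribute should be removed or implemented rather than left as dead text in a public type signature.
```hcl
variable "firewall_policies" {
  description = "Hierarchical firewall policies to *create* in this folder."
  type = map(map(object({
    # … unchanged: rule attributes …
  })))
  default = {}
  validation {
    condition = length(flatten([
      for policy, rules in var.firewall_policies : [
        for name, rule in rules : name
        if !contains(["INGRESS", "EGRESS"], rule.direction) || !contains(["allow", "deny", "goto_next"], rule.action)
      ]
    ])) == 0
    error_message = "Rule direction must be INGRESS or EGRESS, and action must be allow, deny or goto_next."
  }
}
```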
|
|
@ -15,7 +15,7 @@
|
|||
# common variables used for examples
|
||||
|
||||
variable "organization_id" {
|
||||
default = "organization/organization"
|
||||
default = "organizations/1122334455"
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
|
|