Merge pull request #1320 from ajlopezn/ajln-firewall
issue #1303: net-vpc-firewall module supporting source and destination ranges
This commit is contained in:
commit
a50473866f
@ -136,6 +136,36 @@ module "firewall" {
|
|||
# tftest modules=0 resources=0
|
||||
```
|
||||
|
||||
### Including source & destination ranges
|
||||
|
||||
Custom rules now support including both source & destination ranges in ingress and egress rules:
|
||||
|
||||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
default_rules_config = {
|
||||
disabled = true
|
||||
}
|
||||
egress_rules = {
|
||||
deny-egress-source-destination-ranges = {
|
||||
description = "Deny egress using source and destination ranges"
|
||||
source_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
|
||||
destination_ranges = ["172.16.0.0/12"]
|
||||
}
|
||||
}
|
||||
ingress_rules = {
|
||||
allow-ingress-source-destination-ranges = {
|
||||
description = "Allow ingress using source and destination ranges"
|
||||
source_ranges = ["172.16.0.0/12"]
|
||||
destination_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
```
|
||||
|
||||
### Rules Factory
|
||||
|
||||
The module includes a rules factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of rules leveraging YaML configuration files. Each configuration file can optionally contain more than one rule which a structure that reflects the `custom_rules` variable.
|
||||
|
@ -202,13 +232,13 @@ healthchecks:
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [network](variables.tf#L108) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L113) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L110) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L115) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L59) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = string })">object({…})</code> | | <code>null</code> |
|
||||
| [ingress_rules](variables.tf#L68) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L91) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L60) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = string })">object({…})</code> | | <code>null</code> |
|
||||
| [ingress_rules](variables.tf#L69) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270 disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L93) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -101,7 +101,8 @@ resource "google_compute_firewall" "custom-rules" {
|
|||
? ["0.0.0.0/0"]
|
||||
: each.value.source_ranges
|
||||
)
|
||||
: null
|
||||
#for egress, we will include the source_ranges when provided. Previously, null was forced
|
||||
: each.value.source_ranges
|
||||
)
|
||||
destination_ranges = (
|
||||
each.value.direction == "EGRESS"
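Review bot: The new comment on the egress branch (`#for egress, we will include the source_ranges when provided. Previously, null was forced`) records history rather than the contract the reader needs, and the same pattern appears in the second hunk of this file for the ingress `destination_ranges` branch. A maintainer reading `: each.value.source_ranges` next to the ingress branch above it, which substitutes `["0.0.0.0/0"]` for a null value, may assume the same substitution happens here; stating that it does not is the useful comment. Suggested replacement: `# EGRESS: pass source_ranges through as given; null leaves the rule unrestricted by source, a list narrows the rule to traffic from those ranges (no 0/0 substitution, unlike the ingress branch).` and the mirror-image wording for the ingress `destination_ranges` branch. The file elsewhere uses `# ` with a space; the new comments use `#for`/`#for` without one. The enclosing `google_compute_firewall` resource starts and ends outside this hunk.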
|
||||
|
@ -110,7 +111,8 @@ resource "google_compute_firewall" "custom-rules" {
|
|||
? ["0.0.0.0/0"]
|
||||
: each.value.destination_ranges
|
||||
)
|
||||
: null
|
||||
#for ingress, we will include the destination_ranges when provided. Previously, null was forced
|
||||
: each.value.destination_ranges
|
||||
)
|
||||
source_tags = (
|
||||
each.value.use_service_accounts || each.value.direction == "EGRESS"
|
||||
|
|
|
@ -45,6 +45,7 @@ variable "egress_rules" {
|
|||
include_metadata = optional(bool)
|
||||
}))
|
||||
priority = optional(number, 1000)
|
||||
source_ranges = optional(list(string))
|
||||
targets = optional(list(string))
|
||||
use_service_accounts = optional(bool, false)
|
||||
rules = optional(list(object({
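Review bot: `source_ranges` is added to the `egress_rules` object type, but the variable's description (outside this hunk; the README table at the top of this commit still shows it as "List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0.") says nothing about it, so users of the module cannot tell from the docs that an egress rule can now be restricted by origin. The same applies to `ingress_rules` in the next hunk, whose description mentions only source ranges while the type gains `destination_ranges`. Suggested description: `"List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0; optional source ranges narrow the rule to traffic originating from those ranges."`. Note also that the ingress `destination_ranges` defaults to `[]` with a comment citing a provider deletion problem, while `source_ranges` here defaults to null; if the provider behaves the same way for this attribute (not verifiable from the hunk), the same `[]` default would presumably be needed. The `variable "egress_rules"` block starts and ends outside this hunk.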
|
||||
|
@ -68,9 +69,10 @@ variable "factories_config" {
|
|||
variable "ingress_rules" {
|
||||
description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0."
|
||||
type = map(object({
|
||||
deny = optional(bool, false)
|
||||
description = optional(string)
|
||||
disabled = optional(bool, false)
|
||||
deny = optional(bool, false)
|
||||
description = optional(string)
|
||||
destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270
|
||||
disabled = optional(bool, false)
|
||||
enable_logging = optional(object({
|
||||
include_metadata = optional(bool)
|
||||
}))
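Review bot: The trailing comment on the `destination_ranges` line packs a sentence and a full URL onto the type-expression line, making the object type hard to scan and the line far longer than the rest of the block; placing it on its own lines above the attribute keeps the type readable. For example: `# Defaults to [] rather than null so the attribute can be removed after it was once set; see the linked provider issue.` followed by `# https://github.com/hashicorp/terraform-provider-google/issues/14270` and then `destination_ranges = optional(list(string), [])`. The `variable "ingress_rules"` block ends outside this hunk.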
|
||||
|
|