Use single resource for custom rules in firwall module
This commit is contained in:
parent
0bac954287
commit
d3e8b5e35e
|
@ -76,4 +76,5 @@ module "firewall" {
|
|||
| custom_egress_deny_rules | Custom egress rules with allow blocks. | |
|
||||
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
|
||||
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
|
||||
| rules | All google_compute_firewall resources created | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -14,15 +14,6 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
rules-allow = {
|
||||
for name, attrs in var.custom_rules : name => attrs if attrs.action == "allow"
|
||||
}
|
||||
rules-deny = {
|
||||
for name, attrs in var.custom_rules : name => attrs if attrs.action == "deny"
|
||||
}
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# rules based on IP ranges
|
||||
###############################################################################
|
||||
|
@ -87,44 +78,9 @@ resource "google_compute_firewall" "allow-tag-https" {
|
|||
# dynamic rules #
|
||||
################################################################################
|
||||
|
||||
resource "google_compute_firewall" "custom_allow" {
|
||||
resource "google_compute_firewall" "custom-rules" {
|
||||
# provider = "google-beta"
|
||||
for_each = local.rules-allow
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
direction = each.value.direction
|
||||
network = var.network
|
||||
project = var.project_id
|
||||
source_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
||||
destination_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
||||
source_tags = each.value.use_service_accounts || each.value.direction == "EGRESS" ? null : each.value.sources
|
||||
source_service_accounts = each.value.use_service_accounts && each.value.direction == "INGRESS" ? each.value.sources : null
|
||||
target_tags = each.value.use_service_accounts ? null : each.value.targets
|
||||
target_service_accounts = each.value.use_service_accounts ? each.value.targets : null
|
||||
disabled = lookup(each.value.extra_attributes, "disabled", false)
|
||||
priority = lookup(each.value.extra_attributes, "priority", 1000)
|
||||
|
||||
dynamic "log_config" {
|
||||
for_each = lookup(each.value.extra_attributes, "logging", null) != null ? [each.value.extra_attributes.logging] : []
|
||||
iterator = logging_config
|
||||
content {
|
||||
metadata = logging_config.value
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "allow" {
|
||||
for_each = each.value.rules
|
||||
iterator = rule
|
||||
content {
|
||||
protocol = rule.value.protocol
|
||||
ports = rule.value.ports
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "custom_deny" {
|
||||
# provider = "google-beta"
|
||||
for_each = local.rules-deny
|
||||
for_each = var.custom_rules
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
direction = each.value.direction
|
||||
|
@ -148,7 +104,24 @@ resource "google_compute_firewall" "custom_deny" {
|
|||
}
|
||||
|
||||
dynamic "deny" {
|
||||
for_each = each.value.rules
|
||||
for_each = (
|
||||
each.value.action == "deny"
|
||||
? { for index, rule in each.value.rules : index => rule }
|
||||
: {}
|
||||
)
|
||||
iterator = rule
|
||||
content {
|
||||
protocol = rule.value.protocol
|
||||
ports = rule.value.ports
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "allow" {
|
||||
for_each = (
|
||||
each.value.action == "allow"
|
||||
? { for index, rule in each.value.rules : index => rule }
|
||||
: {}
|
||||
)
|
||||
iterator = rule
|
||||
content {
|
||||
protocol = rule.value.protocol
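Review bot: Gating the blocks on `each.value.action == "deny"` and `each.value.action == "allow"` means a rule whose `action` is anything else (a typo such as `Allow`, or an unset value) yields a `google_compute_firewall` with neither block, which the provider rejects only at apply time; the removed locals silently dropped such a rule, so this is an improvement, but the check is still late. If the module targets Terraform 0.13 or later, a `validation` block on `var.custom_rules` (its definition is not in this diff) can reject it at plan time, e.g. `condition = alltrue([for r in var.custom_rules : contains(["allow", "deny"], r.action)])` with an error message naming the two allowed values. Separately, for an INGRESS rule with `use_service_accounts = false`, an empty `ranges` and an empty `sources`, the earlier hunk leaves `source_ranges`, `source_tags` and `source_service_accounts` all null/empty, and as far as I recall the Compute API then treats the source as 0.0.0.0/0 — worth confirming and, if so, recording next to `source_ranges` as `# NOTE: an INGRESS rule with no ranges, tags or service accounts matches all sources (0.0.0.0/0)`. The `custom-rules` resource opens in the previous hunk and its closing brace is outside this one.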
|
||||
|
|
|
@ -26,31 +26,42 @@ output "admin_ranges" {
|
|||
output "custom_ingress_allow_rules" {
|
||||
description = "Custom ingress rules with allow blocks."
|
||||
value = [
|
||||
for rule in google_compute_firewall.custom_allow :
|
||||
rule.name if rule.direction == "INGRESS"
|
||||
for rule in google_compute_firewall.custom-rules :
|
||||
rule.name if rule.direction == "INGRESS" && try(length(rule.allow), 0) > 0
|
||||
]
|
||||
}
|
||||
|
||||
output "custom_ingress_deny_rules" {
|
||||
description = "Custom ingress rules with deny blocks."
|
||||
value = [
|
||||
for rule in google_compute_firewall.custom_deny :
|
||||
rule.name if rule.direction == "INGRESS"
|
||||
for rule in google_compute_firewall.custom-rules :
|
||||
rule.name if rule.direction == "INGRESS" && try(length(rule.deny), 0) > 0
|
||||
]
|
||||
}
|
||||
|
||||
output "custom_egress_allow_rules" {
|
||||
description = "Custom egress rules with allow blocks."
|
||||
value = [
|
||||
for rule in google_compute_firewall.custom_allow :
|
||||
rule.name if rule.direction == "EGRESS"
|
||||
for rule in google_compute_firewall.custom-rules :
|
||||
rule.name if rule.direction == "EGRESS" && try(length(rule.allow), 0) > 0
|
||||
]
|
||||
}
|
||||
|
||||
output "custom_egress_deny_rules" {
|
||||
description = "Custom egress rules with allow blocks."
|
||||
value = [
|
||||
for rule in google_compute_firewall.custom_deny :
|
||||
rule.name if rule.direction == "EGRESS"
|
||||
for rule in google_compute_firewall.custom-rules :
|
||||
rule.name if rule.direction == "EGRESS" && try(length(rule.deny), 0) > 0
|
||||
]
|
||||
}
|
||||
|
||||
output "rules" {
|
||||
description = "All google_compute_firewall resources created."
|
||||
value = merge(
|
||||
google_compute_firewall.custom-rules,
|
||||
try({ (google_compute_firewall.allow-admins.0.name) = google_compute_firewall.allow-admins.0 }, {}),
|
||||
try({ (google_compute_firewall.allow-tag-ssh.0.name) = google_compute_firewall.allow-tag-ssh.0 }, {}),
|
||||
try({ (google_compute_firewall.allow-tag-http.0.name) = google_compute_firewall.allow-tag-http.0 }, {}),
|
||||
try({ (google_compute_firewall.allow-tag-https.0.name) = google_compute_firewall.allow-tag-https.0 }, {})
|
||||
)
|
||||
}
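Review bot: The description of `custom_egress_deny_rules` still reads `"Custom egress rules with allow blocks."` while its value filters on `length(rule.deny) > 0`; it should be `description = "Custom egress rules with deny blocks."` (the README table row generated from it repeats the mistake). The `try(length(rule.allow), 0) > 0` / `try(length(rule.deny), 0) > 0` guards look unnecessary if `allow` and `deny` are always present as possibly-empty collections on the resource, in which case `length(rule.allow) > 0` reads more directly — keep `try` only if a supported provider version omits the attribute. In `rules`, each `try({ (...0.name) = ...0 }, {})` intentionally yields an empty map when the count-based resource is absent, but it also masks any other evaluation error in that expression; a short comment such as `# count-based resources: try() yields {} when count is 0` would make the intent explicit for the next maintainer.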
|
||||
|
|