Merge pull request #315 from terraform-google-modules/jccb/dry-firewall
Improve firewall module
d794eb974d
@ -60,11 +60,10 @@ module "vpc" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-firewall" {
|
module "vpc-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project-service.project_id
|
project_id = module.project-service.project_id
|
||||||
network = module.vpc.name
|
network = module.vpc.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = [var.vpc_ip_cidr_range]
|
||||||
admin_ranges = [var.vpc_ip_cidr_range]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
|
@ -167,14 +167,13 @@ module "vpc-transformation" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "../../../modules/net-vpc-firewall"
|
source = "../../../modules/net-vpc-firewall"
|
||||||
project_id = var.project_ids.transformation
|
project_id = var.project_ids.transformation
|
||||||
network = module.vpc-transformation.name
|
network = module.vpc-transformation.name
|
||||||
admin_ranges_enabled = false
|
admin_ranges = []
|
||||||
admin_ranges = [""]
|
http_source_ranges = []
|
||||||
http_source_ranges = []
|
https_source_ranges = []
|
||||||
https_source_ranges = []
|
ssh_source_ranges = []
|
||||||
ssh_source_ranges = []
|
|
||||||
|
|
||||||
custom_rules = {
|
custom_rules = {
|
||||||
iap-svc = {
|
iap-svc = {
|
||||||
|
|
|
@ -178,11 +178,10 @@ module "vpc" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-firewall" {
|
module "vpc-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project-service.project_id
|
project_id = module.project-service.project_id
|
||||||
network = module.vpc.name
|
network = module.vpc.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = [var.vpc_ip_cidr_range]
|
||||||
admin_ranges = [var.vpc_ip_cidr_range]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat" {
|
module "nat" {
|
||||||
|
|
|
@ -19,7 +19,6 @@ module "firewall" {
|
||||||
source = "./modules/net-vpc-firewall"
|
source = "./modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
network = "my-network"
|
network = "my-network"
|
||||||
admin_ranges_enabled = true
|
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
}
|
}
|
||||||
# tftest:modules=1:resources=4
|
# tftest:modules=1:resources=4
|
||||||
|
@ -31,11 +30,10 @@ This is an example of how to define custom rules, with a sample rule allowing op
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./modules/net-vpc-firewall"
|
source = "./modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
network = "my-network"
|
network = "my-network"
|
||||||
admin_ranges_enabled = true
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
|
||||||
custom_rules = {
|
custom_rules = {
|
||||||
ntp-svc = {
|
ntp-svc = {
|
||||||
description = "NTP service."
|
description = "NTP service."
|
||||||
|
@ -53,6 +51,36 @@ module "firewall" {
|
||||||
# tftest:modules=1:resources=5
|
# tftest:modules=1:resources=5
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### No predefined rules
|
||||||
|
|
||||||
|
If you don't want any predefined rules set `admin_ranges`, `http_source_ranges`, `https_source_ranges` and `ssh_source_ranges` to an empty list.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "firewall" {
|
||||||
|
source = "./modules/net-vpc-firewall"
|
||||||
|
project_id = "my-project"
|
||||||
|
network = "my-network"
|
||||||
|
admin_ranges = []
|
||||||
|
http_source_ranges = []
|
||||||
|
https_source_ranges = []
|
||||||
|
ssh_source_ranges = []
|
||||||
|
custom_rules = {
|
||||||
|
allow-https = {
|
||||||
|
description = "Allow HTTPS from internal networks."
|
||||||
|
direction = "INGRESS"
|
||||||
|
action = "allow"
|
||||||
|
sources = []
|
||||||
|
ranges = ["rfc1918"]
|
||||||
|
targets = []
|
||||||
|
use_service_accounts = false
|
||||||
|
rules = [{ protocol = "tcp", ports = [443] }]
|
||||||
|
extra_attributes = {}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest:modules=1:resources=1
|
||||||
|
```
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -61,10 +89,10 @@ module "firewall" {
|
||||||
| network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ | |
|
| network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ | |
|
||||||
| project_id | Project id of the project that holds the network. | <code title="">string</code> | ✓ | |
|
| project_id | Project id of the project that holds the network. | <code title="">string</code> | ✓ | |
|
||||||
| *admin_ranges* | IP CIDR ranges that have complete access to all subnets. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
| *admin_ranges* | IP CIDR ranges that have complete access to all subnets. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||||
| *admin_ranges_enabled* | Enable admin ranges-based rules. | <code title="">bool</code> | | <code title="">false</code> |
|
|
||||||
| *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
| *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
| *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||||
| *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
| *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||||
|
| *named_ranges* | Names that can be used of valid values for the `ranges` field of `custom_rules` | <code title="map(list(string))">map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">...</code> |
|
||||||
| *ssh_source_ranges* | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code title="list(string)">list(string)</code> | | <code title="">["35.235.240.0/20"]</code> |
|
| *ssh_source_ranges* | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code title="list(string)">list(string)</code> | | <code title="">["35.235.240.0/20"]</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
@ -76,4 +104,5 @@ module "firewall" {
|
||||||
| custom_egress_deny_rules | Custom egress rules with allow blocks. | |
|
| custom_egress_deny_rules | Custom egress rules with allow blocks. | |
|
||||||
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
|
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
|
||||||
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
|
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
|
||||||
|
| rules | All google_compute_firewall resources created. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -15,11 +15,17 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
rules-allow = {
|
custom_rules = {
|
||||||
for name, attrs in var.custom_rules : name => attrs if attrs.action == "allow"
|
for id, rule in var.custom_rules :
|
||||||
}
|
id => merge(rule, {
|
||||||
rules-deny = {
|
# make rules a map so we use it in a for_each
|
||||||
for name, attrs in var.custom_rules : name => attrs if attrs.action == "deny"
|
rules = { for index, ports in rule.rules : index => ports }
|
||||||
|
# lookup any named ranges references
|
||||||
|
ranges = flatten([
|
||||||
|
for range in rule.ranges :
|
||||||
|
try(var.named_ranges[range], range)
|
||||||
|
])
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
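Review bot: The `try(var.named_ranges[range], range)` lookup in the new `custom_rules` local turns any name that is not a key of `named_ranges` into a literal that is passed straight to the provider, so a misspelled alias is only rejected at apply time, when the API refuses it as an invalid CIDR, instead of at plan. The intent is clear but the fallthrough deserves a comment on that line, e.g. `# unknown names fall through as literal CIDRs and are only validated by the API at apply`. If plan-time failure is preferred, a `can()`-guarded check that a value is either a known name or a parseable CIDR would give it, at the cost of deciding how to treat IPv6 literals. The enclosing `locals` block lies entirely within this hunk.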
@ -28,7 +34,7 @@ locals {
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
resource "google_compute_firewall" "allow-admins" {
|
resource "google_compute_firewall" "allow-admins" {
|
||||||
count = var.admin_ranges_enabled == true ? 1 : 0
|
count = length(var.admin_ranges) > 0 ? 1 : 0
|
||||||
name = "${var.network}-ingress-admins"
|
name = "${var.network}-ingress-admins"
|
||||||
description = "Access from the admin subnet to all subnets"
|
description = "Access from the admin subnet to all subnets"
|
||||||
network = var.network
|
network = var.network
|
||||||
|
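Review bot: `count = length(var.admin_ranges) > 0 ? 1 : 0` makes the resource count depend on the contents of `admin_ranges`, so a caller that builds that list from attributes not known until apply (for example subnet CIDRs read from another module's outputs) will hit Terraform's "count value depends on resource attributes that cannot be determined until apply" error; the removed boolean flag did not have this constraint. Every example touched by this PR passes variables or `values(var.ip_ranges)`, so they are unaffected, but the contract is new and should be stated on the variable, e.g. `description = "IP CIDR ranges that have complete access to all subnets; the list length must be known at plan time."`. The `allow-admins` resource body continues past the end of the hunk.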
@ -87,44 +93,9 @@ resource "google_compute_firewall" "allow-tag-https" {
|
||||||
# dynamic rules #
|
# dynamic rules #
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
resource "google_compute_firewall" "custom_allow" {
|
resource "google_compute_firewall" "custom-rules" {
|
||||||
# provider = "google-beta"
|
# provider = "google-beta"
|
||||||
for_each = local.rules-allow
|
for_each = local.custom_rules
|
||||||
name = each.key
|
|
||||||
description = each.value.description
|
|
||||||
direction = each.value.direction
|
|
||||||
network = var.network
|
|
||||||
project = var.project_id
|
|
||||||
source_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
|
||||||
destination_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
|
||||||
source_tags = each.value.use_service_accounts || each.value.direction == "EGRESS" ? null : each.value.sources
|
|
||||||
source_service_accounts = each.value.use_service_accounts && each.value.direction == "INGRESS" ? each.value.sources : null
|
|
||||||
target_tags = each.value.use_service_accounts ? null : each.value.targets
|
|
||||||
target_service_accounts = each.value.use_service_accounts ? each.value.targets : null
|
|
||||||
disabled = lookup(each.value.extra_attributes, "disabled", false)
|
|
||||||
priority = lookup(each.value.extra_attributes, "priority", 1000)
|
|
||||||
|
|
||||||
dynamic "log_config" {
|
|
||||||
for_each = lookup(each.value.extra_attributes, "logging", null) != null ? [each.value.extra_attributes.logging] : []
|
|
||||||
iterator = logging_config
|
|
||||||
content {
|
|
||||||
metadata = logging_config.value
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
dynamic "allow" {
|
|
||||||
for_each = each.value.rules
|
|
||||||
iterator = rule
|
|
||||||
content {
|
|
||||||
protocol = rule.value.protocol
|
|
||||||
ports = rule.value.ports
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_compute_firewall" "custom_deny" {
|
|
||||||
# provider = "google-beta"
|
|
||||||
for_each = local.rules-deny
|
|
||||||
name = each.key
|
name = each.key
|
||||||
description = each.value.description
|
description = each.value.description
|
||||||
direction = each.value.direction
|
direction = each.value.direction
|
||||||
|
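Review bot: Renaming the resource from `custom_allow`/`custom_deny` to `custom-rules` changes the state address of every existing custom rule, so an upgrade plans a destroy of each old `google_compute_firewall` and a create of the new one rather than an in-place update; for a deny rule that is a window with the rule absent, for an allow rule a brief loss of connectivity. This should be called out in the PR description and the module README, with the per-rule `terraform state mv` needed to keep the existing resources, or the old resource names kept. The `custom-rules` resource body continues past the end of the hunk.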
@ -148,7 +119,18 @@ resource "google_compute_firewall" "custom_deny" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "deny" {
|
dynamic "deny" {
|
||||||
for_each = each.value.rules
|
for_each = each.value.action == "deny" ? each.value.rules : {}
|
||||||
|
|
||||||
|
iterator = rule
|
||||||
|
content {
|
||||||
|
protocol = rule.value.protocol
|
||||||
|
ports = rule.value.ports
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "allow" {
|
||||||
|
for_each = each.value.action == "allow" ? each.value.rules : {}
|
||||||
|
|
||||||
iterator = rule
|
iterator = rule
|
||||||
content {
|
content {
|
||||||
protocol = rule.value.protocol
|
protocol = rule.value.protocol
|
||||||
|
|
|
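Review bot: `for_each = each.value.action == "deny" ? each.value.rules : {}` and the matching `allow` guard are exact, case-sensitive comparisons, so an action such as `"Deny"` or `"ALLOW"` matches neither branch and yields a firewall resource with no `allow` or `deny` block, which is rejected only at apply; the previous `locals` filtering had the same gap but silently dropped such rules. Normalising both guards with `lower(each.value.action) == "deny"` and `lower(each.value.action) == "allow"`, or, where the required Terraform version allows, a `validation` block on `var.custom_rules` restricting `action` to those two values, would surface the mistake at plan time. The enclosing `custom-rules` resource starts before this hunk.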
@ -18,39 +18,50 @@ output "admin_ranges" {
|
||||||
description = "Admin ranges data."
|
description = "Admin ranges data."
|
||||||
|
|
||||||
value = {
|
value = {
|
||||||
enabled = var.admin_ranges_enabled
|
enabled = length(var.admin_ranges) > 0
|
||||||
ranges = var.admin_ranges_enabled ? join(",", var.admin_ranges) : ""
|
ranges = join(",", var.admin_ranges)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
output "custom_ingress_allow_rules" {
|
output "custom_ingress_allow_rules" {
|
||||||
description = "Custom ingress rules with allow blocks."
|
description = "Custom ingress rules with allow blocks."
|
||||||
value = [
|
value = [
|
||||||
for rule in google_compute_firewall.custom_allow :
|
for rule in google_compute_firewall.custom-rules :
|
||||||
rule.name if rule.direction == "INGRESS"
|
rule.name if rule.direction == "INGRESS" && try(length(rule.allow), 0) > 0
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
output "custom_ingress_deny_rules" {
|
output "custom_ingress_deny_rules" {
|
||||||
description = "Custom ingress rules with deny blocks."
|
description = "Custom ingress rules with deny blocks."
|
||||||
value = [
|
value = [
|
||||||
for rule in google_compute_firewall.custom_deny :
|
for rule in google_compute_firewall.custom-rules :
|
||||||
rule.name if rule.direction == "INGRESS"
|
rule.name if rule.direction == "INGRESS" && try(length(rule.deny), 0) > 0
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
output "custom_egress_allow_rules" {
|
output "custom_egress_allow_rules" {
|
||||||
description = "Custom egress rules with allow blocks."
|
description = "Custom egress rules with allow blocks."
|
||||||
value = [
|
value = [
|
||||||
for rule in google_compute_firewall.custom_allow :
|
for rule in google_compute_firewall.custom-rules :
|
||||||
rule.name if rule.direction == "EGRESS"
|
rule.name if rule.direction == "EGRESS" && try(length(rule.allow), 0) > 0
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
output "custom_egress_deny_rules" {
|
output "custom_egress_deny_rules" {
|
||||||
description = "Custom egress rules with allow blocks."
|
description = "Custom egress rules with allow blocks."
|
||||||
value = [
|
value = [
|
||||||
for rule in google_compute_firewall.custom_deny :
|
for rule in google_compute_firewall.custom-rules :
|
||||||
rule.name if rule.direction == "EGRESS"
|
rule.name if rule.direction == "EGRESS" && try(length(rule.deny), 0) > 0
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "rules" {
|
||||||
|
description = "All google_compute_firewall resources created."
|
||||||
|
value = merge(
|
||||||
|
google_compute_firewall.custom-rules,
|
||||||
|
try({ (google_compute_firewall.allow-admins.0.name) = google_compute_firewall.allow-admins.0 }, {}),
|
||||||
|
try({ (google_compute_firewall.allow-tag-ssh.0.name) = google_compute_firewall.allow-tag-ssh.0 }, {}),
|
||||||
|
try({ (google_compute_firewall.allow-tag-http.0.name) = google_compute_firewall.allow-tag-http.0 }, {}),
|
||||||
|
try({ (google_compute_firewall.allow-tag-https.0.name) = google_compute_firewall.allow-tag-https.0 }, {})
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
|
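Review bot: The `custom_egress_deny_rules` output still carries `description = "Custom egress rules with allow blocks."` although its value now keeps only rules where `try(length(rule.deny), 0) > 0`; it should read `description = "Custom egress rules with deny blocks."`, which would also correct the generated README table. The new `rules` output is a useful hook for downstream policy checks, but its description could say that the keys are rule names, e.g. `description = "All google_compute_firewall resources created, keyed by rule name."`.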
@ -14,46 +14,12 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "network" {
|
|
||||||
description = "Name of the network this set of firewall rules applies to."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "project_id" {
|
|
||||||
description = "Project id of the project that holds the network."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "admin_ranges_enabled" {
|
|
||||||
description = "Enable admin ranges-based rules."
|
|
||||||
type = bool
|
|
||||||
default = false
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "admin_ranges" {
|
variable "admin_ranges" {
|
||||||
description = "IP CIDR ranges that have complete access to all subnets."
|
description = "IP CIDR ranges that have complete access to all subnets."
|
||||||
type = list(string)
|
type = list(string)
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "ssh_source_ranges" {
|
|
||||||
description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
|
|
||||||
type = list(string)
|
|
||||||
default = ["35.235.240.0/20"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "http_source_ranges" {
|
|
||||||
description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
|
|
||||||
type = list(string)
|
|
||||||
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "https_source_ranges" {
|
|
||||||
description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
|
|
||||||
type = list(string)
|
|
||||||
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "custom_rules" {
|
variable "custom_rules" {
|
||||||
description = "List of custom rule definitions (refer to variables file for syntax)."
|
description = "List of custom rule definitions (refer to variables file for syntax)."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
|
@ -72,3 +38,45 @@ variable "custom_rules" {
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "http_source_ranges" {
|
||||||
|
description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
|
||||||
|
type = list(string)
|
||||||
|
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "https_source_ranges" {
|
||||||
|
description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
|
||||||
|
type = list(string)
|
||||||
|
default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "named_ranges" {
|
||||||
|
description = "Names that can be used of valid values for the `ranges` field of `custom_rules`"
|
||||||
|
type = map(list(string))
|
||||||
|
default = {
|
||||||
|
any = ["0.0.0.0/0"]
|
||||||
|
dns-forwarders = ["35.199.192.0/19"]
|
||||||
|
health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
|
||||||
|
iap-forwarders = ["35.235.240.0/20"]
|
||||||
|
private-googleapis = ["199.36.153.8/30"]
|
||||||
|
restricted-googleapis = ["199.36.153.4/30"]
|
||||||
|
rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "network" {
|
||||||
|
description = "Name of the network this set of firewall rules applies to."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "project_id" {
|
||||||
|
description = "Project id of the project that holds the network."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ssh_source_ranges" {
|
||||||
|
description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
|
||||||
|
type = list(string)
|
||||||
|
default = ["35.235.240.0/20"]
|
||||||
|
}
|
||||||
|
|
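Review bot: The `named_ranges` description reads "Names that can be used of valid values for the `ranges` field of `custom_rules`" and, unlike the other variables, has no trailing period; "of" should be "as" and the sentence closed, since this text is copied into the README table. Because Terraform replaces a variable's default as a whole, a caller that sets `named_ranges` to add one alias loses the built-in ones (notably `rfc1918` and `health-checkers`), and with the `try()` fallback in `main.tf` those names would then reach the API as literal ranges; a second sentence such as `Setting this variable replaces the whole default map rather than extending it.` would prevent that surprise. It may also be worth stating that the `any` alias resolves to `0.0.0.0/0`, so a rule using it is internet-facing.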
|
@ -74,11 +74,10 @@ module "nat-hub" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-hub-firewall" {
|
module "vpc-hub-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
network = module.vpc-hub.name
|
network = module.vpc-hub.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
@ -100,11 +99,10 @@ module "vpc-spoke-1" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-spoke-1-firewall" {
|
module "vpc-spoke-1-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
network = module.vpc-spoke-1.name
|
network = module.vpc-spoke-1.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat-spoke-1" {
|
module "nat-spoke-1" {
|
||||||
|
@ -146,11 +144,10 @@ module "vpc-spoke-2" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-spoke-2-firewall" {
|
module "vpc-spoke-2-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
network = module.vpc-spoke-2.name
|
network = module.vpc-spoke-2.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat-spoke-2" {
|
module "nat-spoke-2" {
|
||||||
|
|
|
@ -48,11 +48,10 @@ module "vpc-hub" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-hub-firewall" {
|
module "vpc-hub-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
network = module.vpc-hub.name
|
network = module.vpc-hub.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpn-hub-a" {
|
module "vpn-hub-a" {
|
||||||
|
@ -140,11 +139,10 @@ module "vpc-spoke-1" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-spoke-1-firewall" {
|
module "vpc-spoke-1-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
network = module.vpc-spoke-1.name
|
network = module.vpc-spoke-1.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpn-spoke-1" {
|
module "vpn-spoke-1" {
|
||||||
|
@ -204,11 +202,10 @@ module "vpc-spoke-2" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-spoke-2-firewall" {
|
module "vpc-spoke-2-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
network = module.vpc-spoke-2.name
|
network = module.vpc-spoke-2.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpn-spoke-2" {
|
module "vpn-spoke-2" {
|
||||||
|
|
|
@ -38,12 +38,11 @@ module "vpc-left" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "firewall-left" {
|
module "firewall-left" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
network = module.vpc-left.name
|
network = module.vpc-left.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
||||||
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat-left" {
|
module "nat-left" {
|
||||||
|
|
|
@ -52,12 +52,11 @@ module "vpc-right" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "firewall-right" {
|
module "firewall-right" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
network = module.vpc-right.name
|
network = module.vpc-right.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
||||||
ssh_source_ranges = ["35.235.240.0/20", "35.191.0.0/16", "130.211.0.0/22"]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat-right" {
|
module "nat-right" {
|
||||||
|
|
|
@ -71,12 +71,11 @@ module "vpc" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-firewall" {
|
module "vpc-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
network = module.vpc.name
|
network = module.vpc.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
ssh_source_ranges = var.ssh_source_ranges
|
||||||
ssh_source_ranges = var.ssh_source_ranges
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpn1" {
|
module "vpn1" {
|
||||||
|
|
|
@ -130,11 +130,10 @@ module "vpc-shared" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpc-shared-firewall" {
|
module "vpc-shared-firewall" {
|
||||||
source = "../../modules/net-vpc-firewall"
|
source = "../../modules/net-vpc-firewall"
|
||||||
project_id = module.project-host.project_id
|
project_id = module.project-host.project_id
|
||||||
network = module.vpc-shared.name
|
network = module.vpc-shared.name
|
||||||
admin_ranges_enabled = true
|
admin_ranges = values(var.ip_ranges)
|
||||||
admin_ranges = values(var.ip_ranges)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat" {
|
module "nat" {
|
||||||
|
|