diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml
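Review bot: `ingress-default-deny` sets no `source_ranges` or `sources`, so which sources it actually denies depends entirely on the module's default for ingress rules, which lives outside this diff in modules/net-vpc-firewall/main.tf; if that default is anything narrower than all sources, the rule is narrower than its description claims, so please confirm it. Priority 65535 is the lowest allowed and is the same precedence as the VPC's implied deny-ingress rule, so in practice the value this rule adds is the logging rather than the deny, which is worth stating in the file, e.g. `# Lowest priority (65535): same precedence as the implied deny-ingress rule; added so that unmatched ingress is logged.` Logging every unmatched ingress packet on a landing or prod VPC can be high-volume, and with `include_metadata: false` the entries omit the instance and VPC details an investigation usually needs, so confirm that the log volume and the metadata trade-off are deliberate. The same points apply to every other default-ingress.yaml added in this commit (the landing, prod, landing-trusted and landing-untrusted variants in stages a through e).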
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml
new file mode 100644
index 00000000..e0d4ab60
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ trusted-ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml
new file mode 100644
index 00000000..7116a78e
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ untrusted-ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml
new file mode 100644
index 00000000..e0d4ab60
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ trusted-ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml
new file mode 100644
index 00000000..7116a78e
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ untrusted-ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+ ingress-default-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index 6675cfa4..f2b9f0b7 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -27,7 +27,7 @@ locals {
 for name, rule in ruleset : {
 name = name
 deny = try(rule.deny, false)
- rules = try(rule.rules, [{ protocol = "all" }])
+ rules = try(rule.rules, [{ protocol = "all", ports = null }])
 description = try(rule.description, null)
 destination_ranges = try(rule.destination_ranges, null)
 direction = upper(direction)
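Review bot: The new default `[{ protocol = "all", ports = null }]` carries no comment saying why `ports = null` is now spelled out, and a later reader will be tempted to drop the apparently redundant attribute; presumably it is there so the fallback has the same object type as user-supplied rules that set `ports`, since `try()` and the for-expression around it need consistent element types, but the consuming code is outside this hunk. Suggest a comment above the line, e.g. `# ports is set (to null) so the fallback has the same object type as user-defined rules`. The enclosing `locals` block starts and ends outside the hunk. Note that this fallback makes any rule declared without `rules`, including the new default-ingress deny rules, match all protocols; that is what a catch-all deny needs, but it is a wide default for an allow rule and is pre-existing behaviour rather than something this change introduces.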
diff --git a/tests/fast/stages/s2_networking_a_peering/stage.yaml b/tests/fast/stages/s2_networking_a_peering/stage.yaml index 97c31a42..3ee8b990 100644 --- a/tests/fast/stages/s2_networking_a_peering/stage.yaml +++ b/tests/fast/stages/s2_networking_a_peering/stage.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,5 +13,5 @@ # limitations under the License. counts: - modules: 28 - resources: 148 + modules: 29 + resources: 151 diff --git a/tests/fast/stages/s2_networking_b_vpn/stage.yaml b/tests/fast/stages/s2_networking_b_vpn/stage.yaml index d864509a..af6e5cac 100644 --- a/tests/fast/stages/s2_networking_b_vpn/stage.yaml +++ b/tests/fast/stages/s2_networking_b_vpn/stage.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,5 +13,5 @@ # limitations under the License. counts: - modules: 30 - resources: 185 + modules: 31 + resources: 188 diff --git a/tests/fast/stages/s2_networking_c_nva/stage.yaml b/tests/fast/stages/s2_networking_c_nva/stage.yaml index 1067758a..01527c99 100644 --- a/tests/fast/stages/s2_networking_c_nva/stage.yaml +++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,5 +13,5 @@ # limitations under the License. counts: - modules: 42 - resources: 195 + modules: 43 + resources: 199 diff --git a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml index e2b6fe64..1c560f76 100644 
--- a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml +++ b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,5 +13,5 @@ # limitations under the License. counts: - modules: 21 - resources: 170 + modules: 22 + resources: 172 diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml index c4e143d2..dad42420 100644 --- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml +++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,5 +13,5 @@ # limitations under the License. counts: - modules: 36 - resources: 206 + modules: 37 + resources: 210