diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md index 8198b100..908c397f 100644 --- a/modules/net-vpc-firewall/README.md +++ b/modules/net-vpc-firewall/README.md @@ -29,13 +29,13 @@ This is often useful for prototyping or testing infrastructure, allowing open in ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name default_rules_config = { admin_ranges = ["10.0.0.0/8"] } } -# tftest modules=1 resources=4 inventory=basic.yaml +# tftest modules=1 resources=4 inventory=basic.yaml e2e ``` ### Custom rules @@ -52,8 +52,8 @@ Some implicit defaults are used in the rules variable types and can be controlle ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name default_rules_config = { admin_ranges = ["10.0.0.0/8"] } @@ -90,7 +90,7 @@ module "firewall" { } } } -# tftest modules=1 resources=9 inventory=custom-rules.yaml +# tftest modules=1 resources=9 inventory=custom-rules.yaml e2e ``` ### Controlling or turning off default rules @@ -109,14 +109,14 @@ Default tags and ranges can be overridden for each protocol, like shown here for ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name default_rules_config = { ssh_ranges = ["10.0.0.0/8"] ssh_tags = ["ssh-default"] } } -# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml +# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml e2e ``` #### Disabling predefined rules 
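Review bot: The `e2e` tag added in the hunk at `@@ -90,7 +90,7 @@` (`# tftest modules=1 resources=9 inventory=custom-rules.yaml e2e`) tags an example whose rule set, per the updated inventory in tests/modules/net_vpc_firewall/examples/custom-rules.yaml, includes `allow-ingress-ntp` with `source_ranges: 0.0.0.0/0`; the rule definition itself sits outside this hunk. If `e2e` means the snippet is applied against a live project (its semantics are not defined in this diff), that rule admits ingress from any source on the test VPC for the duration of the run, so it is worth confirming the test VPC carries no workloads and that the run tears the rules down, or narrowing the example's source range. The same tag is added to the basic, custom-ssh-default-rule, no-ssh-default-rules, no-default-rules and local-ranges examples, which appear to carry only RFC1918, health-check or explicitly disabled rules. A short comment above the tag such as `# e2e: allow-ingress-ntp admits 0.0.0.0/0, apply only in an isolated test VPC` would make the intent explicit for anyone enabling the e2e run.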
@@ -126,13 +126,13 @@ Default rules can be disabled individually by specifying an empty set of ranges: ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name default_rules_config = { ssh_ranges = [] } } -# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml +# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml e2e ``` Or the entire set of rules can be disabled via the `disabled` attribute: @@ -140,13 +140,13 @@ Or the entire set of rules can be disabled via the `disabled` attribute: ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name default_rules_config = { disabled = true } } -# tftest modules=0 resources=0 inventory=no-default-rules.yaml +# tftest modules=0 resources=0 inventory=no-default-rules.yaml e2e ``` ### Including source & destination ranges @@ -156,8 +156,8 @@ Custom rules now support including both source & destination ranges in ingress a ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name default_rules_config = { disabled = true } @@ -176,7 +176,7 @@ module "firewall" { } } } -# tftest modules=1 resources=2 inventory=local-ranges.yaml +# tftest modules=1 resources=2 inventory=local-ranges.yaml e2e ``` ### Rules Factory @@ -186,8 +186,8 @@ The module includes a rules factory (see [Resource Factories](../../blueprints/f ```hcl module "firewall" { source = "./fabric/modules/net-vpc-firewall" - project_id = "my-project" - network = "my-network" + project_id = var.project_id + network = var.vpc.name factories_config = { rules_folder = "configs/firewall/rules" cidr_tpl_file = "configs/firewall/cidrs.yaml" 
@@ -220,7 +220,7 @@ ingress: targets: ["service-2"] use_service_accounts: true sources: - - service-1@my-project.iam.gserviceaccount.com + - service-1@project-id.iam.gserviceaccount.com rules: - protocol: tcp ports: diff --git a/tests/examples/variables.tf b/tests/examples/variables.tf index ebdbb155..6243da82 100644 --- a/tests/examples/variables.tf +++ b/tests/examples/variables.tf @@ -71,7 +71,7 @@ variable "subnet" { variable "vpc" { default = { - name = "vpc_name" + name = "vpc-name" self_link = "projects/xxx/global/networks/aaa" id = "projects/xxx/global/networks/aaa" } @@ -79,14 +79,14 @@ variable "vpc" { variable "vpc1" { default = { - name = "vpc_name" + name = "vpc-name" self_link = "projects/xxx/global/networks/bbb" } } variable "vpc2" { default = { - name = "vpc2_name" + name = "vpc2-name" self_link = "projects/xxx/global/networks/ccc" } } diff --git a/tests/modules/net_vpc_firewall/examples/basic.yaml b/tests/modules/net_vpc_firewall/examples/basic.yaml index 38aae194..e27e9dc4 100644 --- a/tests/modules/net_vpc_firewall/examples/basic.yaml +++ b/tests/modules/net_vpc_firewall/examples/basic.yaml @@ -20,10 +20,10 @@ values: deny: [] disabled: null log_config: [] - name: my-network-ingress-admins - network: my-network + name: vpc-name-ingress-admins + network: vpc-name priority: 1000 - project: my-project + project: project-id source_ranges: - 10.0.0.0/8 source_service_accounts: null @@ -38,10 +38,10 @@ values: deny: [] disabled: null log_config: [] - name: my-network-ingress-tag-http - network: my-network + name: vpc-name-ingress-tag-http + network: vpc-name priority: 1000 - project: my-project + project: project-id source_ranges: - 130.211.0.0/22 - 209.85.152.0/22 @@ -60,10 +60,10 @@ values: deny: [] disabled: null log_config: [] - name: my-network-ingress-tag-https - network: my-network + name: vpc-name-ingress-tag-https + network: vpc-name priority: 1000 - project: my-project + project: project-id source_ranges: - 130.211.0.0/22 - 209.85.152.0/22 
@@ -82,10 +82,10 @@ values:
 deny: []
 disabled: null
 log_config: []
- name: my-network-ingress-tag-ssh
- network: my-network
+ name: vpc-name-ingress-tag-ssh
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges:
 - 35.235.240.0/20
 source_service_accounts: null
diff --git a/tests/modules/net_vpc_firewall/examples/custom-rules.yaml b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml
index 920ee750..e3c50b55 100644
--- a/tests/modules/net_vpc_firewall/examples/custom-rules.yaml
+++ b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml
@@ -32,9 +32,9 @@ values:
 disabled: false
 log_config: []
 name: allow-egress-rfc1918
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges: null
 source_service_accounts: null
 source_tags: null
@@ -52,9 +52,9 @@ values:
 disabled: false
 log_config: []
 name: allow-egress-tag
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges: null
 source_service_accounts: null
 source_tags: null
@@ -72,9 +72,9 @@ values:
 disabled: false
 log_config: []
 name: allow-ingress-ntp
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges:
 - 0.0.0.0/0
 source_service_accounts: null
@@ -92,9 +92,9 @@ values:
 disabled: false
 log_config: []
 name: allow-ingress-tag
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges: null
 source_service_accounts: null
 source_tags:
@@ -114,9 +114,9 @@ values:
 disabled: false
 log_config: []
 name: deny-egress-all
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges: null
 source_service_accounts: null
 source_tags: null
diff --git a/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml
index 1e3d3b04..0fce7be0 100644
--- a/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml
+++ b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml
@@ -24,10 +24,10 @@ values:
 description: Allow SSH to machines with matching tags.
 disabled: null
 log_config: []
- name: my-network-ingress-tag-ssh
- network: my-network
+ name: vpc-name-ingress-tag-ssh
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges:
 - 10.0.0.0/8
 source_service_accounts: null
diff --git a/tests/modules/net_vpc_firewall/examples/factory.yaml b/tests/modules/net_vpc_firewall/examples/factory.yaml
index 73a095dd..e933dabb 100644
--- a/tests/modules/net_vpc_firewall/examples/factory.yaml
+++ b/tests/modules/net_vpc_firewall/examples/factory.yaml
@@ -25,9 +25,9 @@ values:
 disabled: false
 log_config: []
 name: allow-healthchecks
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges:
 - 130.211.0.0/22
 - 209.85.152.0/22
@@ -50,11 +50,11 @@ values:
 disabled: false
 log_config: []
 name: allow-service-1-to-service-2
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_service_accounts:
- - service-1@my-project.iam.gserviceaccount.com
+ - service-1@project-id.iam.gserviceaccount.com
 source_tags: null
 target_service_accounts:
 - service-2
@@ -72,9 +72,9 @@ values:
 disabled: false
 log_config: []
 name: block-telnet
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges: null
 source_service_accounts: null
 source_tags: null
diff --git a/tests/modules/net_vpc_firewall/examples/local-ranges.yaml b/tests/modules/net_vpc_firewall/examples/local-ranges.yaml
index df83717c..106a7ba7 100644
--- a/tests/modules/net_vpc_firewall/examples/local-ranges.yaml
+++ b/tests/modules/net_vpc_firewall/examples/local-ranges.yaml
@@ -26,9 +26,9 @@ values:
 disabled: false
 log_config: []
 name: allow-ingress-source-destination-ranges
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges:
 - 172.16.0.0/12
 source_service_accounts: null
@@ -47,9 +47,9 @@ values:
 disabled: false
 log_config: []
 name: deny-egress-source-destination-ranges
- network: my-network
+ network: vpc-name
 priority: 1000
- project: my-project
+ project: project-id
 source_ranges:
 - 10.132.0.0/20
 - 10.138.0.0/20
diff --git a/tests/modules/organization/examples/network-tags.yaml b/tests/modules/organization/examples/network-tags.yaml
index 976dccbd..1a550f7d 100644
--- a/tests/modules/organization/examples/network-tags.yaml
+++ b/tests/modules/organization/examples/network-tags.yaml
@@ -18,7 +18,7 @@ values:
 parent: organizations/1122334455
 purpose: GCE_FIREWALL
 purpose_data:
- network: project-id/vpc_name
+ network: project-id/vpc-name
 short_name: net-environment
 timeouts: null
 module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]: