composer working

examples/data-solutions/data-platform-foundations/03-composer.tf

@@ -34,11 +34,12 @@ resource "google_composer_environment" "orch-cmp-0" {
   config {
     node_count = var.composer_config.node_count
     node_config {
-      zone            = "${var.region}-b"
-      service_account = module.orch-sa-cmp-0.email
-      network         = local.orch_vpc
-      subnetwork      = local.orch_subnet
-      tags            = ["composer-worker", "http-server", "https-server"]
+      zone                 = "${var.region}-b"
+      service_account      = module.orch-sa-cmp-0.email
+      network              = local.orch_vpc
+      subnetwork           = local.orch_subnet
+      tags                 = ["composer-worker", "http-server", "https-server"]
+      enable_ip_masq_agent = true
       ip_allocation_policy {
         use_ip_aliases = "true"
         cluster_secondary_range_name = try(
@@ -49,6 +50,18 @@ resource "google_composer_environment" "orch-cmp-0" {
         )
       }
     }
+    private_environment_config {
+      enable_private_endpoint = "true"
+      cloud_sql_ipv4_cidr_block = try(
+        var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24"
+      )
+      master_ipv4_cidr_block = try(
+        var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28"
+      )
+      web_server_ipv4_cidr_block = try(
+        var.network_config.composer_ip_ranges.web_server, "10.20.11.16/28"
+      )
+    }
     software_config {
       image_version = var.composer_config.airflow_version
       env_variables = merge(
@@ -87,18 +100,6 @@ resource "google_composer_environment" "orch-cmp-0" {
         }
       )
     }
-    private_environment_config {
-      enable_private_endpoint = "true"
-      cloud_sql_ipv4_cidr_block = try(
-        var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24"
-      )
-      master_ipv4_cidr_block = try(
-        var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28"
-      )
-      web_server_ipv4_cidr_block = try(
-        var.network_config.composer_ip_ranges.web_server, "10.20.11.16/28"
-      )
-    }
 
     dynamic "encryption_config" {
       for_each = (
@@ -111,12 +112,22 @@ resource "google_composer_environment" "orch-cmp-0" {
       }
     }
 
-    # web_server_network_access_control {
-    #   allowed_ip_range {
-    #     value       = "172.16.0.0/12"
-    #     description = "Allowed ip range"
+    # dynamic "web_server_network_access_control" {
+    #   for_each = toset(
+    #     var.network_config.web_server_network_access_control == null
+    #     ? []
+    #     : [var.network_config.web_server_network_access_control]
+    #   )
+    #   content {
+    #     dynamic "allowed_ip_range" {
+    #       for_each = toset(web_server_network_access_control.key)
+    #       content {
+    #         value = allowed_ip_range.key
+    #       }
+    #     }
     #   }
     # }
+
   }
   depends_on = [
     google_project_iam_member.shared_vpc,

examples/data-solutions/data-platform-foundations/variables.tf

@@ -79,6 +79,7 @@ variable "network_config" {
       pods     = string
       services = string
     })
+    # web_server_network_access_control = list(string)
   })
   default = null
 }

fast/stages/02-networking-vpn/data/firewall-rules/dev/rules.yaml

@@ -1,6 +1,24 @@
 # skip boilerplate check
 
-allow-dataflow-load-ingress-traffic:
+ingress-allow-composer-nodes:
+  description: "Allow traffic on Cloud Dataflow subnet"
+  direction: INGRESS
+  action: allow
+  sources: []
+  ranges:
+    - 10.128.48.0/24
+  targets:
+    - composer-worker
+  use_service_accounts: false
+  rules:
+    - protocol: tcp
+      ports:
+        - 80
+        - 443
+        - 3306
+        - 3307
+
+ingress-allow-dataflow-load:
   description: "Allow traffic on Cloud Dataflow subnet"
   direction: INGRESS
   action: allow