# Google Cloud VPC Firewall

This module allows creation and management of different types of firewall rules for a single VPC network:

- blanket ingress rules based on IP ranges that allow all traffic via the `admin_ranges` variable
- simplified tag-based ingress rules for the HTTP, HTTPS and SSH protocols via the `xxx_source_ranges` variables; the HTTP and HTTPS tags match those set by the console via the "Allow HTTP(S) traffic" instance flags
- custom rules via the `custom_rules` variable

The simplified tag-based rules are enabled by default, set to the ranges of the GCP health checkers for HTTP/HTTPS, and to the IAP forwarders range for SSH. To disable them, set the corresponding variables to empty lists.

## Examples

### Minimal open firewall

This is often useful for prototyping or testing infrastructure: it allows open ingress from the private range, SSH to private addresses from IAP, and HTTP/HTTPS from the health checkers.

```hcl
module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = true
  admin_ranges         = ["10.0.0.0/8"]
}
# tftest:modules=1:resources=4
```

### Custom rules

This is an example of how to define custom rules, with a sample rule allowing open ingress for the NTP protocol to instances with the `ntp-svc` tag.

```hcl
module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = true
  admin_ranges         = ["10.0.0.0/8"]
  custom_rules = {
    ntp-svc = {
      description          = "NTP service."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["0.0.0.0/0"]
      targets              = ["ntp-svc"]
      use_service_accounts = false
      rules                = [{ protocol = "udp", ports = [123] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=5
```

### No predefined rules

If you don't want any predefined rules, set `admin_ranges_enabled` to `false` and `http_source_ranges`, `https_source_ranges` and `ssh_source_ranges` to empty lists.

```hcl
module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = false
  http_source_ranges   = []
  https_source_ranges  = []
  ssh_source_ranges    = []
  custom_rules = {
    allow-https = {
      description          = "Allow HTTPS from internal networks."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["rfc1918"]
      targets              = []
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = [443] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=1
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| network | Name of the network this set of firewall rules applies to. | string | ✓ | |
| project_id | Project id of the project that holds the network. | string | ✓ | |
| *admin_ranges* | IP CIDR ranges that have complete access to all subnets. | list(string) | | [] |
| *admin_ranges_enabled* | Enable admin ranges-based rules. | bool | | false |
| *custom_rules* | Map of custom rule definitions (refer to the variables file for syntax). | map(object({...})) | | {} |
| *http_source_ranges* | List of IP CIDR ranges for the tag-based HTTP rule, defaults to the health checkers ranges. | list(string) | | ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] |
| *https_source_ranges* | List of IP CIDR ranges for the tag-based HTTPS rule, defaults to the health checkers ranges. | list(string) | | ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] |
| *named_ranges* | Names that can be used as valid values for the `ranges` field of `custom_rules`. | map(list(string)) | | ... |
| *ssh_source_ranges* | List of IP CIDR ranges for the tag-based SSH rule, defaults to the IAP forwarders range. | list(string) | | ["35.235.240.0/20"] |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| admin_ranges | Admin ranges data. | |
| custom_egress_allow_rules | Custom egress rules with allow blocks. | |
| custom_egress_deny_rules | Custom egress rules with deny blocks. | |
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
| rules | All google_compute_firewall resources created. | |
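Because `custom_rules` accepts both raw CIDRs and names from `named_ranges`, it is easy to lose track of which ingress allow rules end up reachable from the whole internet and which apply to every instance because `targets` is empty. The following pre-apply check is an added example, not part of the module: it mirrors the `custom_rules` shape as Python dicts, expands named ranges, and reports internet-exposed ingress allow rules. The `NAMED_RANGES` mapping and the `open-ssh` rule are constructed for illustration; the module's real `named_ranges` default is not reproduced on this page.

```python
import ipaddress

# Assumed mapping for illustration; the module's real named_ranges default is
# not reproduced on this page. "rfc1918" is the only name the README uses.
NAMED_RANGES = {"rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}

def effective_ranges(rule, named_ranges=NAMED_RANGES):
    """Expand named ranges in a rule's `ranges` list into CIDR strings."""
    cidrs = []
    for r in rule["ranges"]:
        cidrs.extend(named_ranges.get(r, [r]))
    for c in cidrs:
        ipaddress.ip_network(c, strict=False)  # raises ValueError on bad CIDRs
    return cidrs

def is_internet_exposed(rule, named_ranges=NAMED_RANGES):
    """True for an ingress allow rule whose source ranges cover all addresses."""
    if rule["direction"] != "INGRESS" or rule["action"] != "allow":
        return False
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in effective_ranges(rule, named_ranges))

def audit_rules(custom_rules, named_ranges=NAMED_RANGES):
    """Return [(rule name, message)] for rules a reviewer should look at."""
    findings = []
    for name, rule in custom_rules.items():
        if not is_internet_exposed(rule, named_ranges):
            continue
        ports = "; ".join(
            f"{r['protocol']}/{','.join(map(str, r.get('ports') or ['all']))}"
            for r in rule["rules"])
        # Empty targets means the rule applies to every instance in the network.
        scope = ", ".join(rule["targets"]) or "ALL instances in the network"
        findings.append((name, f"open to 0.0.0.0/0 on {ports}, targets: {scope}"))
    return findings

# Constructed sample: the two custom rules from this README plus one unscoped rule.
SAMPLE_RULES = {
    "ntp-svc": {"direction": "INGRESS", "action": "allow", "sources": [],
                "ranges": ["0.0.0.0/0"], "targets": ["ntp-svc"],
                "rules": [{"protocol": "udp", "ports": [123]}]},
    "allow-https": {"direction": "INGRESS", "action": "allow", "sources": [],
                    "ranges": ["rfc1918"], "targets": [],
                    "rules": [{"protocol": "tcp", "ports": [443]}]},
    "open-ssh": {"direction": "INGRESS", "action": "allow", "sources": [],
                 "ranges": ["0.0.0.0/0"], "targets": [],
                 "rules": [{"protocol": "tcp", "ports": [22]}]},
}

if __name__ == "__main__":
    for name, msg in audit_rules(SAMPLE_RULES):
        print(f"{name}: {msg}")
```

Running it lists `ntp-svc` (scoped to the tag, as the README intends) and `open-ssh` (unscoped), while `allow-https` is silent because `rfc1918` expands only to private ranges.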