cloud-foundation-fabric/modules/net-vpc-firewall-policy
Eunan Hardy dd3a298892 Moved allow_net_admin to enable_features flag. Bumped provider version to 4.76 2023-08-07 14:27:20 +01:00
README.md Ensure all modules have an `id` output (#1410) 2023-06-02 16:07:22 +02:00
main.tf change target_vpcs variable to support dynamic values (#1255) 2023-03-17 07:14:09 +00:00
outputs.tf Ensure all modules have an `id` output (#1410) 2023-06-02 16:07:22 +02:00
variables.tf change target_vpcs variable to support dynamic values (#1255) 2023-03-17 07:14:09 +00:00
versions.tf Moved allow_net_admin to enable_features flag. Bumped provider version to 4.76 2023-08-07 14:27:20 +01:00

README.md

Google Cloud Network Firewall Policies

This module allows creation and management of a global or regional network firewall policy, including its associations and rules.

The module interface deviates slightly from the net-vpc-firewall module since the underlying resources and API objects are different.

It also makes fewer assumptions about implicit defaults: the only one it applies is setting `match.layer4_configs` to `[{ protocol = "all" }]` when a rule specifies no protocols and ports, so a rule that matches only on address ranges matches all traffic between those ranges.

A factory implementation will be added in a subsequent release.

Example

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
}

module "firewall-policy" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "test-1"
  project_id = "my-project"
  # specify a region to create and manage a regional policy
  # region     = "europe-west8"
  target_vpcs = {
    my-vpc = module.vpc.self_link
  }
  egress_rules = {
    smtp = {
      priority = 900
      match = {
        destination_ranges = ["0.0.0.0/0"]
        layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
      }
    }
  }
  ingress_rules = {
    icmp = {
      priority = 1000
      match = {
        source_ranges  = ["0.0.0.0/0"]
        layer4_configs = [{ protocol = "icmp" }]
      }
    }
    mgmt = {
      priority = 1001
      match = {
        source_ranges = ["10.1.1.0/24"]
      }
    }
    ssh = {
      priority = 1002
      match = {
        source_ranges = ["10.0.0.0/8"]
        # source_tags    = ["tagValues/123456"]
        layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
      }
    }
  }
}
# tftest modules=2 resources=9
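The following regional variant is an added illustration, not part of the module's README. It states every rule's action explicitly instead of relying on the module defaults (which the abbreviated `map(object({…}))` type in the variables table does not show), and it uses the `layer4_configs` default described above for the two catch-all rules. Only attributes evidenced on this page are used (`priority`, `action`, `match.source_ranges`, `match.destination_ranges`, `match.layer4_configs`); the project, network, policy and port values are placeholders, and the Google-owned source ranges for IAP TCP forwarding and health checkers are Google's published ranges.

```hcl
# Added example (not from the module README): regional policy with explicit actions.
# Placeholders: my-project, prod-network, prod-ew8, backend port 8080.

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "prod-network"
}

module "firewall-policy-regional" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "prod-ew8"
  project_id = "my-project"
  # setting region makes this a regional policy: it applies only to workloads
  # in europe-west8 on the attached network
  region = "europe-west8"
  target_vpcs = {
    prod = module.vpc.self_link
  }

  # Lower priority numbers are evaluated first (0 is the highest precedence).
  egress_rules = {
    # Block direct outbound SMTP to the Internet. If an approved internal relay
    # exists, add a lower-numbered allow rule for its address ahead of this one.
    deny-smtp = {
      priority = 900
      action   = "deny"
      match = {
        destination_ranges = ["0.0.0.0/0"]
        layer4_configs     = [{ protocol = "tcp", ports = ["25", "465", "587"] }]
      }
    }
    # All other egress: defer to the next ruleset in the evaluation chain
    # instead of deciding here. layer4_configs is omitted, so the module
    # fills in [{ protocol = "all" }].
    egress-delegate = {
      priority = 65000
      action   = "goto_next"
      match = {
        destination_ranges = ["0.0.0.0/0"]
      }
    }
  }

  ingress_rules = {
    # SSH and RDP only via IAP TCP forwarding (Google's published IAP range),
    # never directly from the Internet.
    iap-tunnel = {
      priority = 1000
      action   = "allow"
      match = {
        source_ranges  = ["35.235.240.0/20"]
        layer4_configs = [{ protocol = "tcp", ports = ["22", "3389"] }]
      }
    }
    # Google Cloud health checker ranges, limited to the backend port.
    health-checks = {
      priority = 1010
      action   = "allow"
      match = {
        source_ranges  = ["35.191.0.0/16", "130.211.0.0/22"]
        layer4_configs = [{ protocol = "tcp", ports = ["8080"] }]
      }
    }
    # Explicit catch-all deny on all protocols (layer4_configs omitted again):
    # this makes the policy terminal for ingress in the region.
    deny-all = {
      priority = 65534
      action   = "deny"
      match = {
        source_ranges = ["0.0.0.0/0"]
      }
    }
  }
}
```

Two caveats before applying something like this to a shared network. The `deny-all` ingress rule means nothing evaluated after this policy in the chain is ever reached for ingress in that region, including classic VPC firewall rules (whose position relative to network firewall policies depends on the network's firewall policy enforcement order setting); where delegation rather than a final decision is intended, use `goto_next` as the egress side does. And because `region` turns this into a regional policy, workloads in other regions on the same network are not covered; pair it with a global policy, or omit `region`, for network-wide rules. Review the rule ordering in `terraform plan` output before the first apply.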

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | Policy name. | string | ✓ | |
| project_id | Project id of the project that holds the network. | string | ✓ | |
| description | Policy description. | string | | null |
| egress_rules | Map of egress rule definitions, keyed by rule name; `action` can be `allow`, `deny` or `goto_next`. Each `match.layer4_configs` entry is a protocol with an optional list of ports. | map(object({…})) | | {} |
| ingress_rules | Map of ingress rule definitions, keyed by rule name; `action` can be `allow`, `deny` or `goto_next`. Each `match.layer4_configs` entry is a protocol with an optional list of ports. | map(object({…})) | | {} |
| region | Policy region. Leave null for a global policy. | string | | null |
| target_vpcs | VPC ids to which this policy will be attached, as a descriptive name => self link map. | map(string) | | {} |

The object types of `egress_rules` and `ingress_rules` are abbreviated here; the full attribute list and per-attribute defaults, including the default `action` applied when a rule omits it, are in `variables.tf`. Check them before relying on a rule without an explicit action.

Outputs

| name | description | sensitive |
|---|---|---|
| id | Fully qualified firewall policy id. | |