cloud-foundation-fabric/factories/firewall-vpc-rules/nested
sruffilli 657cfa4130
Update main.tf
2021-10-14 18:55:55 +02:00

README.md

Google Cloud VPC Firewall Factory - Nested hierarchy

This module implements a resource factory which allows the creation and management of VPC firewall rules via properly formatted YAML files.

YAML configurations are stored in a well-defined folder structure, whose entry point can be customized, and which represents and enforces the resource hierarchy a firewall rule belongs to (Project > VPC > Firewall Rule).

This module also allows the definition of template variables, which centralize common CIDR or Service Account lists so that they can be reused across different policies.

Example

Terraform code

module "vpc-firewall" {
  source           = "../../cloud-foundation-fabric/modules/resource-factories/vpc-firewall"
  config_folder    = "firewall/vpc"
  templates_folder = "firewall/templates"
}

# tftest:skip

Configuration Structure

The naming convention for the config_folder folder requires

  • the first directory layer to be named after the project ID which contains the VPC we're creating the firewall rules for
  • the second directory layer to be named after the VPC we're creating the firewall rules for
  • yaml files contained in the "VPC" directory can be arbitrarily named, to allow for an easier logical grouping.

Projects and VPCs should exist prior to running this module, or be declared as an explicit dependency of this module via depends_on.

The optional templates_folder folder can have two files.

  • cidrs.yaml - a YAML map defining lists of CIDRs
  • service_accounts.yaml - a YAML map defining lists of Service Accounts

A sample layout with both folders:

└── firewall
    ├── vpc
    │   ├── project-resource-factory-dev
    │   │   ├── vpc-resource-factory-dev-one
    │   │   │   ├── frontend.yaml
    │   │   │   └── backend.yaml
    │   │   └── vpc-resource-factory-dev-two
    │   │       ├── foo.yaml
    │   │       └── bar.yaml
    │   └── project-resource-factory-prod
    │       └── vpc-resource-factory-prod-alpha
    │           ├── lorem.yaml
    │           └── ipsum.yaml
    └── templates
        ├── cidrs.yaml
        └── service_accounts.yaml

Rule definition format and structure

Firewall rule configurations are placed in a set of YAML files in one or more folders. A firewall rule entry has the following structure:

rule-name:                  # descriptive name, naming convention is adjusted by the module
  description: "Allow icmp" # rule description
  action: allow             # `allow` or `deny`
  direction: INGRESS        # EGRESS or INGRESS
  ports:                    
    icmp: []                # {tcp, udp, icmp, all}: [ports], use [] for any port
  priority: 1000            # rule priority value, default value is 1000
  source_ranges:            # list of source ranges
    - 0.0.0.0/0
  destination_ranges:       # list of destination ranges
    - 0.0.0.0/0
  source_tags: ['some-tag'] # list of source tags
  source_service_accounts:  # list of source service accounts
    - myapp@myproject-id.iam.gserviceaccount.com
  target_tags: ['some-tag'] # list of target tags
  target_service_accounts:  # list of target service accounts
    - myapp@myproject-id.iam.gserviceaccount.com
  enable_logging: true      # `false` or `true`, logging is enabled when `true`

A sample configuration file might look like the following one:

allow-healthchecks:
  description: "Allow traffic from healthcheck"
  direction: INGRESS
  action: allow
  priority: 1000
  source_ranges:
    - $healthcheck
  ports:
    tcp: ["80"]
  enable_logging: false

allow-http:
  description: "Allow traffic to LB backend"
  direction: INGRESS
  action: allow
  priority: 1000
  source_ranges:
    - 0.0.0.0/0
  target_service_accounts:
    - $web_frontends
  ports:
    tcp: ["80", "443"]
  enable_logging: false

with firewall/templates/cidrs.yaml defined as follows:

healthcheck:
  - 35.191.0.0/16
  - 130.211.0.0/22

and firewall/templates/service_accounts.yaml:

web_frontends:
  - web-frontends@project-wf1.iam.gserviceaccount.com
  - web-frontends@project-wf2.iam.gserviceaccount.com
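To make the expansion semantics described above concrete, the following is an added Python model (not the module's Terraform code) of what the factory does with the sample files: it derives project and VPC from the path below config_folder, resolves $-prefixed references against the two template maps, and adds a review check for ingress rules open to 0.0.0.0/0 with no target restriction. The file contents are embedded as already-parsed dicts, the defaults for omitted fields and the rule naming convention are assumptions, and the allow-icmp rule in backend.yaml is constructed for the check.

```python
from pathlib import PurePosixPath

# Constructed sample input: the parsed content of the templates and rule files shown above.
CIDRS = {"healthcheck": ["35.191.0.0/16", "130.211.0.0/22"]}
SERVICE_ACCOUNTS = {"web_frontends": ["web-frontends@project-wf1.iam.gserviceaccount.com",
                                      "web-frontends@project-wf2.iam.gserviceaccount.com"]}
DEV_ONE = "firewall/vpc/project-resource-factory-dev/vpc-resource-factory-dev-one/"
RULE_FILES = {
    DEV_ONE + "frontend.yaml": {
        "allow-healthchecks": {"action": "allow", "source_ranges": ["$healthcheck"], "ports": {"tcp": ["80"]}},
        "allow-http": {"action": "allow", "source_ranges": ["0.0.0.0/0"], "ports": {"tcp": ["80", "443"]},
                       "target_service_accounts": ["$web_frontends"]},
    },
    DEV_ONE + "backend.yaml": {  # constructed: an ICMP rule with no target tags or service accounts
        "allow-icmp": {"action": "allow", "source_ranges": ["0.0.0.0/0"], "ports": {"icmp": []}},
    },
}

def expand(values, templates):
    """Replace each '$name' entry with the list stored under 'name'; literal entries pass through."""
    out = []
    for v in values or []:
        if v.startswith("$"):
            out.extend(templates[v[1:]])  # an unknown template name raises KeyError on purpose
        else:
            out.append(v)
    return out

def build_rules(config_folder, rule_files, cidrs, service_accounts):
    rules = {}
    for path, entries in rule_files.items():
        # Project > VPC > file: the first two path components below config_folder name the target.
        project, network = PurePosixPath(path).relative_to(config_folder).parts[:2]
        for name, r in entries.items():
            rules[f"{project}-{network}-{name}"] = {  # assumed naming convention; defaults are assumed too
                "project": project, "network": network, "action": r["action"],
                "direction": r.get("direction", "INGRESS"), "priority": r.get("priority", 1000),
                "source_ranges": expand(r.get("source_ranges"), cidrs),
                "destination_ranges": expand(r.get("destination_ranges"), cidrs),
                "source_service_accounts": expand(r.get("source_service_accounts"), service_accounts),
                "target_service_accounts": expand(r.get("target_service_accounts"), service_accounts),
                "source_tags": r.get("source_tags", []), "target_tags": r.get("target_tags", []),
                "ports": r.get("ports", {}), "enable_logging": r.get("enable_logging", False),
            }
    return rules

def open_ingress_rules(rules):
    """Review check: INGRESS allow from 0.0.0.0/0 with no target restriction reaches every VM in the VPC."""
    return sorted(k for k, r in rules.items()
                  if r["direction"] == "INGRESS" and r["action"] == "allow" and "0.0.0.0/0" in r["source_ranges"]
                  and not r["target_tags"] and not r["target_service_accounts"])
```

Running the check in CI against the config folder before terraform apply catches rules that silently widen to the whole VPC because a target field was misspelled or omitted.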

Variables

name             | description                                                                   | type   | required | default
config_folder    | Relative path of the folder containing the hierarchical firewall configuration | string |          |
templates_folder | Relative path of the folder containing the cidr/service account templates      | string |          |

Outputs

name               | description                   | sensitive
vpc-firewall-rules | Generated VPC Firewall Rules  |