# Google Cloud VPC Firewall

This module allows creation and management of different types of firewall rules for a single VPC network:

- blanket ingress rules based on IP ranges that allow all traffic via the `admin_ranges` variable
- simplified tag-based ingress rules for the HTTP, HTTPS and SSH protocols via the `xxx_source_ranges` variables; the HTTP and HTTPS target tags (`http-server`, `https-server`) match those set by the console via the "Allow HTTP(S) traffic" instance flags
- custom rules via the `custom_rules` variable

The simplified tag-based rules are enabled by default, set to the ranges of the GCP health checkers for HTTP/HTTPS, and the IAP forwarders for SSH. To disable them set the corresponding variables to empty lists.

Note that the admin ranges rules allow every protocol and port from the listed CIDRs to every instance in the network, so they should only list networks you trust end to end. The default SSH rule only admits the IAP TCP forwarding range, which means port 22 is gated by IAM (the IAP-secured tunnel user role) rather than by source address; widening `ssh_source_ranges` gives that up.
## Examples

### Minimal open firewall

This is often useful for prototyping or testing infrastructure, allowing open ingress from the private range, enabling SSH to private addresses from IAP, and HTTP/HTTPS from the health checkers.
```hcl
module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = true
  admin_ranges         = ["10.0.0.0/8"]
}
# tftest:modules=1:resources=4
```
### Custom rules

This is an example of how to define custom rules, with a sample rule allowing open ingress for the NTP protocol to instances with the `ntp-svc` tag. Because `ranges` is `0.0.0.0/0`, the rule exposes UDP/123 on those instances to the whole internet; unless the service is meant to be public, narrow it to the client ranges that actually need it.
```hcl
module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = true
  admin_ranges         = ["10.0.0.0/8"]
  custom_rules = {
    ntp-svc = {
      description          = "NTP service."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["0.0.0.0/0"]
      targets              = ["ntp-svc"]
      use_service_accounts = false
      rules                = [{ protocol = "udp", ports = [123] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=5
```
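The configuration below is an added example, not part of the module's own documentation. It goes beyond the NTP rule above to the other rule shapes the `custom_rules` object supports: scoping a rule by service account instead of network tag, an egress allow, a catch-all egress deny, and the `named_ranges` shortcuts (`private-googleapis`, `any`). It assumes the same `./modules/net-vpc-firewall` source and `my-project`/`my-network` placeholders as the rest of this page; that `sources` and `targets` hold service account emails when `use_service_accounts` is `true`; that `ranges` is applied as the destination for `EGRESS` rules; and that a `priority` key in `extra_attributes` sets the rule priority. The service account emails are placeholders, and the `priority` key is an assumption about this module version rather than something the page states.

```hcl
# Added example; assumptions listed in the lead-in above.
module "firewall" {
  source     = "./modules/net-vpc-firewall"
  project_id = "my-project"
  network    = "my-network"

  # Keep the default IAP-only SSH rule, drop the blanket admin ranges and
  # the tag-based HTTP/HTTPS rules: nothing reaches 80/443 unless a custom
  # rule below says so.
  admin_ranges_enabled = false
  http_source_ranges   = []
  https_source_ranges  = []

  custom_rules = {
    # Only instances running as the frontend service account may reach the
    # backend tier, and only on the application port. Unlike a network tag,
    # a service account cannot be attached to a VM by someone who merely has
    # compute.instances.setTags, so the scope holds under weaker IAM.
    backend-from-frontend = {
      description          = "Backend API from the frontend service account."
      direction            = "INGRESS"
      action               = "allow"
      sources              = ["frontend@my-project.iam.gserviceaccount.com"] # placeholder
      ranges               = []
      targets              = ["backend@my-project.iam.gserviceaccount.com"] # placeholder
      use_service_accounts = true
      rules                = [{ protocol = "tcp", ports = ["8443"] }]
      extra_attributes     = {}
    }

    # Egress allow-list entry: the private.googleapis.com VIP (199.36.153.8/30
    # via the module's `private-googleapis` named range) on 443 only.
    egress-googleapis = {
      description          = "Egress to the Private Google Access VIP."
      direction            = "EGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["private-googleapis"]
      targets              = []
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = ["443"] }]
      extra_attributes     = { priority = "900" } # assumed key, see lead-in
    }

    # Default-deny egress. A VPC's implied allow-egress rule has priority
    # 65535; this deny sits at 65000 so it wins over the implied rule but
    # loses to the explicit allow at 900. Add further allows below 65000.
    egress-deny-all = {
      description          = "Deny all other egress."
      direction            = "EGRESS"
      action               = "deny"
      sources              = []
      ranges               = ["any"]
      targets              = []
      use_service_accounts = false
      rules                = [{ protocol = "all", ports = [] }]
      extra_attributes     = { priority = "65000" } # assumed key, see lead-in
    }
  }
}
```

The metadata server and Google-managed DNS at 169.254.169.254 are not subject to VPC firewall rules, so the egress deny does not break instance bootstrapping, but it will cut off Cloud NAT and any other internet egress until an explicit allow is added. After applying, `gcloud compute firewall-rules list --filter="network:my-network" --sort-by=priority` should show the two allows ahead of the deny and no remaining rule with `0.0.0.0/0` as an ingress source.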
### No predefined rules

If you don't want any predefined rules, set `admin_ranges_enabled` to `false` and `http_source_ranges`, `https_source_ranges`, `ssh_source_ranges` to empty lists. The example below then adds a single rule of its own, allowing HTTPS from the RFC 1918 ranges via the `rfc1918` named range.
```hcl
module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = false
  http_source_ranges   = []
  https_source_ranges  = []
  ssh_source_ranges    = []
  custom_rules = {
    allow-https = {
      description          = "Allow HTTPS from internal networks."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["rfc1918"]
      targets              = []
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = [443] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=1
```
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ | |
| project_id | Project id of the project that holds the network. | <code title="">string</code> | ✓ | |
| *admin_ranges* | IP CIDR ranges that have complete access to all subnets. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
| *admin_ranges_enabled* | Enable admin ranges-based rules. | <code title="">bool</code> | | <code title="">false</code> |
| *custom_rules* | Map of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
| *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
| *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list(string)">list(string)</code> | | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
| *named_ranges* | Names that can be used as valid values for the `ranges` field of `custom_rules`. | <code title="map(list(string))">map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">...</code> |
| *ssh_source_ranges* | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code title="list(string)">list(string)</code> | | <code title="">["35.235.240.0/20"]</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| admin_ranges | Admin ranges data. | |
| custom_egress_allow_rules | Custom egress rules with allow blocks. | |
| custom_egress_deny_rules | Custom egress rules with deny blocks. | |
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
| rules | All google_compute_firewall resources created. | |
<!-- END TFDOC -->