cloud-foundation-fabric/modules/net-vpc-firewall-yaml/README.md

Google Cloud VPC Firewall - Yaml

This module allows creation and management of different types of firewall rules by defining them in well-formatted YAML files.

A YAML abstraction for firewall rules can simplify user onboarding, and it makes rule definitions simpler and clearer than the equivalent HCL.

A nested folder structure for the YAML configurations is supported, which allows the rules to be organized and managed in a structured way (for example per team or per network).

Example

Terraform code

module "prod-firewall" {
  source      = "./modules/net-vpc-firewall-yaml"
  project_id  = "my-prod-project"
  network     = "my-prod-network"
  config_path = "./production"
  log_config  = {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

module "dev-firewall" {
  source      = "./modules/net-vpc-firewall-yaml"
  project_id  = "my-dev-project"
  network     = "my-dev-network"
  config_path = "./development"
}

Configuration Structure

├── development
│   ├── core-network
│   │   └── common-rules.yaml
│   ├── team-a
│   │   ├── databases.yaml
│   │   └── web-app-a.yaml
│   └── team-b
│       ├── backend.yaml
│       └── frontend.yaml
└── production
    ├── core-network
    │   └── common-rules.yaml
    ├── team-a
    │   ├── databases.yaml
    │   └── web-app-a.yaml
    └── team-b
        ├── backend.yaml
        └── frontend.yaml

Rule definition format and structure

The firewall rule configuration is a set of YAML files placed in one folder, optionally with subfolders. Each file contains one or more rule entries with the following structure:

rule-name: # descriptive name, naming convention is adjusted by the module
  allow:  # `allow` or `deny`
  - ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports
    protocol: tcp # protocol, put `all` for any protocol
  direction: EGRESS # EGRESS or INGRESS
  disabled: false # `false` or `true`, FW rule is disabled when `true`, default value is `true`
  priority: 1000 # rule priority value, default value is 1000
  source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
  - 0.0.0.0/0
  destination_ranges: # list of destination ranges, should be specified only for `EGRESS` rule
  - 0.0.0.0/0
  source_tags: ['some-tag'] # list of source tags, should be specified only for `INGRESS` rule
  source_service_accounts: # list of source service accounts, should be specified only for `INGRESS` rule, can not be specified together with `source_tags` or `target_tags`
  - myapp@myproject-id.iam.gserviceaccount.com
  target_tags: ['some-tag'] # list of target tags
  target_service_accounts: # list of target service accounts, can not be specified together with `source_tags` or `target_tags`
  - myapp@myproject-id.iam.gserviceaccount.com

Firewall rules example yaml configuration

cat ./production/core-network/common-rules.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
  allow:
  - ports: []
    protocol: tcp
  direction: INGRESS
  priority: 1001
  source_ranges:
  - 35.191.0.0/16
  - 130.211.0.0/22

# deny all egress
deny-all:
  deny:
  - ports: []
    protocol: all
  direction: EGRESS
  priority: 65535
  destination_ranges:
  - 0.0.0.0/0

cat ./development/team-a/web-app-a.yaml
# Myapp egress
web-app-a-egress:
  allow:
    - ports: [443]
      protocol: tcp
  direction: EGRESS
  destination_ranges:
    - 192.168.0.0/24
  target_service_accounts:
    - myapp@myproject-id.iam.gserviceaccount.com
# Myapp ingress
web-app-a-ingress:
  allow:
    - ports: [1234]
      protocol: tcp
  direction: INGRESS
  source_service_accounts:
    - frontend-sa@myproject-id.iam.gserviceaccount.com
  target_service_accounts:
    - web-app-a@myproject-id.iam.gserviceaccount.com
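The constraints spelled out in the rule format above (direction-specific keys, service accounts never combined with tags, `[]` meaning all ports) can be checked before the rules reach Terraform. The following linter is an added example and is not part of the module or this README: `load_rules` merges the `.yaml` files below a `config_path` the way the module does, and `lint_rule` flags constraint violations plus any allow rule open to `0.0.0.0/0` on all ports or all protocols; the function names and the `SAMPLE_RULES` data are constructed for the example.

```python
import os
# Field constraints taken from the rule format documented above.
INGRESS_ONLY = {"source_ranges", "source_tags", "source_service_accounts"}
EGRESS_ONLY = {"destination_ranges"}
SA_KEYS = {"source_service_accounts", "target_service_accounts"}
TAG_KEYS = {"source_tags", "target_tags"}

def load_rules(config_path):
    """Merge every *.yaml file below config_path (nested folders included) into one name -> rule dict."""
    import yaml  # PyYAML (pip install pyyaml); imported lazily so lint_rule() runs without it
    rules = {}
    for root, _, files in os.walk(config_path):
        for fname in sorted(f for f in files if f.endswith(".yaml")):
            with open(os.path.join(root, fname)) as fh:
                rules.update(yaml.safe_load(fh) or {})
    return rules

def lint_rule(name, rule):
    """Return findings for one rule: constraint violations, plus 'warn:' lines for overly broad allows."""
    out = []
    direction = rule.get("direction")
    if direction not in ("INGRESS", "EGRESS"):
        out.append(f"{name}: direction must be INGRESS or EGRESS")
    if ("allow" in rule) == ("deny" in rule):
        out.append(f"{name}: exactly one of allow/deny is required")
    for d, keys in (("EGRESS", INGRESS_ONLY), ("INGRESS", EGRESS_ONLY)):
        if direction == d:
            out += [f"{name}: {k} is not valid for {d}" for k in sorted(keys.intersection(rule))]
    if SA_KEYS.intersection(rule) and TAG_KEYS.intersection(rule):
        out.append(f"{name}: service accounts cannot be combined with tags")
    # Defender's check: an allow to or from 0.0.0.0/0 covering all ports or all protocols.
    ranges = rule.get("source_ranges", []) + rule.get("destination_ranges", [])
    for spec in rule.get("allow", []):
        if "0.0.0.0/0" in ranges and (spec.get("protocol") == "all" or spec.get("ports") == []):
            out.append(f"warn: {name}: allows all ports or protocols to or from 0.0.0.0/0")
    return out

def lint_rules(rules):
    return [f for name, rule in rules.items() for f in lint_rule(name, rule)]

SAMPLE_RULES = {  # constructed: the page's two production rules plus one deliberately invalid rule
    "lb-health-checks": {"allow": [{"ports": [], "protocol": "tcp"}], "direction": "INGRESS",
                         "priority": 1001, "source_ranges": ["35.191.0.0/16", "130.211.0.0/22"]},
    "deny-all": {"deny": [{"ports": [], "protocol": "all"}], "direction": "EGRESS",
                 "priority": 65535, "destination_ranges": ["0.0.0.0/0"]},
    "bad-rule": {"allow": [{"ports": [], "protocol": "all"}], "direction": "INGRESS",
                 "source_ranges": ["0.0.0.0/0"], "source_tags": ["web"],
                 "target_service_accounts": ["app@example-project.iam.gserviceaccount.com"]},
}
```

Running `lint_rules(load_rules("./production"))` in CI fails the pipeline on any non-warning finding before `terraform plan` is run.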

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| config_path | Path to a folder where firewall configs are stored in YAML format. The folder may include subfolders with configuration files. File suffix must be `.yaml`. | string | ✓ | |
| network | Name of the network this set of firewall rules applies to. | string | ✓ | |
| project_id | Project Id. | string | ✓ | |
| log_config | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` to disable firewall logging. | object({...}) | | null |

Outputs

| name | description | sensitive |
|---|---|---|
| egress_allow_rules | Egress rules with allow blocks. | |
| egress_deny_rules | Egress rules with deny blocks. | |
| ingress_allow_rules | Ingress rules with allow blocks. | |
| ingress_deny_rules | Ingress rules with deny blocks. | |