cloud-foundation-fabric/modules/net-vpc-firewall-policy
Ludovico Magnocavallo 45c12e233b, 2023-03-10 08:21:49 +00:00
Network firewall policy module (#1232)
* validated, untested
* tested
* typo in README
Files: README.md, main.tf, variables.tf, versions.tf

README.md

Google Cloud Network Firewall Policies

This module allows creation and management of a global or regional network firewall policy, including its associations and rules.

The module interface deviates slightly from the net-vpc-firewall module, since the underlying resources and API objects (network firewall policies, policy associations and policy rules) are different.

It also makes fewer assumptions about implicit defaults. The only one it relies on is setting match.layer4_configs to [{ protocol = "all" }] when a rule specifies no protocols and ports, so a rule that only lists source or destination ranges matches all traffic from or to those ranges (the mgmt rule in the example below is one such rule). Rules that omit action use the module's default for their direction, which is defined in variables.tf and not shown in the abbreviated variables table below; set action explicitly where the intent matters.

A factory implementation will be added in a subsequent release.

Example

module "firewall-policy" {
  source     = "./fabric/modules/net-vpc-firewall-policy"
  name       = "test-1"
  project_id = "my-project"
  # specify a region to create and manage a regional policy
  # region     = "europe-west8"
  target_vpcs = [
    "projects/my-project/global/networks/shared-vpc"
  ]
  egress_rules = {
    smtp = {
      priority = 900
      match = {
        destination_ranges = ["0.0.0.0/0"]
        layer4_configs     = [{ protocol = "tcp", ports = ["25"] }]
      }
    }
  }
  ingress_rules = {
    icmp = {
      priority = 1000
      match = {
        source_ranges  = ["0.0.0.0/0"]
        layer4_configs = [{ protocol = "icmp" }]
      }
    }
    mgmt = {
      priority = 1001
      match = {
        source_ranges = ["10.1.1.0/24"]
      }
    }
    ssh = {
      priority = 1002
      match = {
        source_ranges = ["10.0.0.0/8"]
        # source_tags    = ["tagValues/123456"]
        layer4_configs = [{ protocol = "tcp", ports = ["22"] }]
      }
    }
  }
}
# tftest modules=1 resources=6
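The example above is easy to misread: rules are evaluated in ascending priority order and the first match decides, and the mgmt rule, having no layer4_configs, matches every protocol and port from 10.1.1.0/24. The following Python evaluator is an added illustration, not code from the module or from cloud-foundation-fabric; it transcribes the README's ingress rules and simulates policy evaluation (lowest priority number first, first match wins, goto_next hands off to the next policy). The action values are assumptions, since the README example omits them, and the port-range syntax and ip/port inputs are constructed for the demonstration.

```python
import ipaddress

# Transcribed from the README example (constructed copy). The "action" values are
# assumed here for illustration; the README example does not set them.
INGRESS_RULES = {
    "icmp": {"priority": 1000, "action": "allow",
             "match": {"source_ranges": ["0.0.0.0/0"],
                       "layer4_configs": [{"protocol": "icmp"}]}},
    "mgmt": {"priority": 1001, "action": "allow",
             "match": {"source_ranges": ["10.1.1.0/24"]}},
    "ssh":  {"priority": 1002, "action": "allow",
             "match": {"source_ranges": ["10.0.0.0/8"],
                       "layer4_configs": [{"protocol": "tcp", "ports": ["22"]}]}},
}


def _port_in(port, spec):
    """True if port is covered by a list of "N" or "N-M" port specs."""
    for entry in spec:
        if "-" in entry:
            lo, hi = entry.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(entry) == port:
            return True
    return False


def layer4_matches(configs, protocol, port):
    """Apply the module's implicit default: no layer4_configs means protocol 'all'."""
    configs = configs or [{"protocol": "all"}]
    for cfg in configs:
        if cfg.get("protocol") not in ("all", protocol):
            continue
        ports = cfg.get("ports")
        # no port list means every port of that protocol
        if not ports or (port is not None and _port_in(port, ports)):
            return True
    return False


def evaluate_ingress(rules, src_ip, protocol, port=None):
    """Return (rule name, action) of the first matching rule, or (None, 'goto_next')."""
    src = ipaddress.ip_address(src_ip)
    for name, rule in sorted(rules.items(), key=lambda kv: kv[1]["priority"]):
        match = rule["match"]
        ranges = match.get("source_ranges", [])
        if not any(src in ipaddress.ip_network(r) for r in ranges):
            continue
        if not layer4_matches(match.get("layer4_configs"), protocol, port):
            continue
        # allow/deny terminate evaluation; goto_next hands off to the next policy
        return name, rule["action"]
    return None, "goto_next"


def overly_broad(rules):
    """Names of rules that omit layer4_configs and therefore match all protocols/ports."""
    return sorted(n for n, r in rules.items() if not r["match"].get("layer4_configs"))


if __name__ == "__main__":
    print(evaluate_ingress(INGRESS_RULES, "10.1.1.5", "tcp", 3389))   # mgmt, not ssh
    print(evaluate_ingress(INGRESS_RULES, "10.2.0.7", "tcp", 22))
    print(evaluate_ingress(INGRESS_RULES, "10.2.0.7", "tcp", 3389))
    print(overly_broad(INGRESS_RULES))
```

The first call shows the practical consequence of the implicit default: a host in 10.1.1.0/24 reaches any port because mgmt matches before ssh is consulted. If that range is meant to reach only specific services, give the rule an explicit layer4_configs list, and run a check like overly_broad over the rules map before applying the policy.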

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | Policy name. | string | ✓ | |
| project_id | Project id of the project that holds the network. | string | ✓ | |
| description | Policy description. | string | | null |
| egress_rules | Map of egress rule definitions, keyed by rule name; action can be 'allow', 'deny', 'goto_next'. The match.layer4_configs list is in protocol => optional [ports] format. | map(object({…})) | | {} |
| ingress_rules | Map of ingress rule definitions, keyed by rule name; action can be 'allow', 'deny', 'goto_next'. | map(object({…})) | | {} |
| region | Policy region. Leave null for a global policy. | string | | null |
| target_vpcs | VPC ids to which this policy will be attached. | list(string) | | [] |