cloud-foundation-fabric/modules/net-vpc-firewall
Ludovico Magnocavallo f6775aca1b
Use the same versions file everywhere, pin to tf 1.0+ provider 4.0+ (#355)
* add default versions file, remove old providers and versions

* use default versions file everywhere

* fix kms module

* re-add provider configuration for data platform step 2

* update kms module outputs sorting

* update kms documentation

* fix data solutions tests

* fix GKE workload identity attribute name

* work around firewall provider issue in datafusion example
2021-11-03 15:05:43 +01:00
README.md Remove redundant variable `admin_ranges_enabled` 2021-10-04 14:12:00 +02:00
main.tf Remove redundant variable `admin_ranges_enabled` 2021-10-04 14:12:00 +02:00
outputs.tf Add more validations to linter 2021-10-08 18:26:04 +02:00
variables.tf Remove redundant variable `admin_ranges_enabled` 2021-10-04 14:12:00 +02:00
versions.tf Use the same versions file everywhere, pin to tf 1.0+ provider 4.0+ (#355) 2021-11-03 15:05:43 +01:00

README.md

Google Cloud VPC Firewall

This module allows creation and management of different types of firewall rules for a single VPC network:

  • blanket ingress rules based on IP ranges that allow all traffic via the admin_ranges variable
  • simplified tag-based ingress rules for the HTTP, HTTPS and SSH protocols via the xxx_source_ranges variables; HTTP and HTTPS tags match those set by the console via the "Allow HTTP(S) traffic" instance flags
  • custom rules via the custom_rules variables

The simplified tag-based rules are enabled by default, with source ranges set to the GCP health checkers for HTTP/HTTPS and to the IAP forwarders for SSH. To disable them, set the corresponding variables to empty lists.

Examples

Minimal open firewall

This is often useful for prototyping or testing infrastructure: it allows open ingress from the private range, SSH to private addresses from IAP, and HTTP/HTTPS from the health checkers.

module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges         = ["10.0.0.0/8"]
}
# tftest:modules=1:resources=4

Custom rules

This is an example of how to define custom rules, with a sample rule allowing open ingress for the NTP protocol to instances with the ntp-svc tag.

module "firewall" {
  source       = "./modules/net-vpc-firewall"
  project_id   = "my-project"
  network      = "my-network"
  admin_ranges = ["10.0.0.0/8"]
  custom_rules = {
    ntp-svc = {
      description          = "NTP service."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["0.0.0.0/0"]
      targets              = ["ntp-svc"]
      use_service_accounts = false
      rules                = [{ protocol = "udp", ports = [123] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=5

No predefined rules

If you don't want any predefined rules, set admin_ranges, http_source_ranges, https_source_ranges and ssh_source_ranges to an empty list.

module "firewall" {
  source              = "./modules/net-vpc-firewall"
  project_id          = "my-project"
  network             = "my-network"
  admin_ranges        = []
  http_source_ranges  = []
  https_source_ranges = []
  ssh_source_ranges   = []
  custom_rules = {
    allow-https = {
      description          = "Allow HTTPS from internal networks."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["rfc1918"]
      targets              = []
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = [443] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=1

Variables

  • network (string, required): Name of the network this set of firewall rules applies to.
  • project_id (string, required): Project id of the project that holds the network.
  • admin_ranges (list(string), default []): IP CIDR ranges that have complete access to all subnets.
  • custom_rules (map(object({...})), default {}): List of custom rule definitions (refer to the variables file for syntax).
  • http_source_ranges (list(string), default ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]): List of IP CIDR ranges for the tag-based HTTP rule; defaults to the health checkers ranges.
  • https_source_ranges (list(string), default ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]): List of IP CIDR ranges for the tag-based HTTPS rule; defaults to the health checkers ranges.
  • named_ranges (map(list(string)), default ...): Names that can be used as valid values for the ranges field of custom_rules.
  • ssh_source_ranges (list(string), default ["35.235.240.0/20"]): List of IP CIDR ranges for the tag-based SSH rule; defaults to the IAP forwarders range.
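An added example (not part of the module's README) that combines the variables above into a deny-by-default egress policy for instances tagged restricted-egress, with a higher-priority allow rule to a constructed named range of internal DNS resolvers. It assumes that passing named_ranges replaces the module's default map (standard Terraform variable semantics, so only the names listed here are valid in ranges) and that extra_attributes.priority is forwarded to the firewall rule; the CIDRs and tag names are constructed.

```hcl
# Added example, not from the module documentation. No predefined rules,
# explicit egress allow + deny pair scoped to one network tag.
module "firewall" {
  source              = "./modules/net-vpc-firewall"
  project_id          = "my-project"
  network             = "my-network"
  admin_ranges        = []
  http_source_ranges  = []
  https_source_ranges = []
  ssh_source_ranges   = []
  # Constructed names; setting this variable replaces the module defaults,
  # so "rfc1918" from the earlier example would no longer resolve here.
  named_ranges = {
    internal-dns = ["10.1.0.10/32", "10.1.0.11/32"]
  }
  custom_rules = {
    allow-dns-egress = {
      description          = "Allow DNS egress to internal resolvers only."
      direction            = "EGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["internal-dns"] # resolved via named_ranges
      targets              = ["restricted-egress"]
      use_service_accounts = false
      rules = [
        { protocol = "udp", ports = [53] },
        { protocol = "tcp", ports = [53] },
      ]
      # Assumed: priority is passed through extra_attributes; lower wins.
      extra_attributes = { priority = 900 }
    }
    deny-all-egress = {
      description          = "Deny all other egress for restricted instances."
      direction            = "EGRESS"
      action               = "deny"
      sources              = []
      ranges               = ["0.0.0.0/0"]
      targets              = ["restricted-egress"]
      use_service_accounts = false
      # protocol "all" takes no port list
      rules                = [{ protocol = "all", ports = null }]
      extra_attributes     = { priority = 1000 }
    }
  }
}
```

After apply, the two rules appear in the custom_egress_allow_rules and custom_egress_deny_rules outputs respectively, which is a convenient place to assert in a plan review that the deny rule really has the lower priority.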

Outputs

  • admin_ranges: Admin ranges data.
  • custom_egress_allow_rules: Custom egress rules with allow blocks.
  • custom_egress_deny_rules: Custom egress rules with deny blocks.
  • custom_ingress_allow_rules: Custom ingress rules with allow blocks.
  • custom_ingress_deny_rules: Custom ingress rules with deny blocks.
  • rules: All google_compute_firewall resources created.