# Google Cloud VPC Firewall - Yaml

This module allows creation and management of different types of firewall rules by defining them in well formatted `yaml` files.

A YAML abstraction for firewall rules can simplify user onboarding and also makes rule definitions simpler and clearer compared to HCL.

Nested folder structures for YAML configurations are supported, which allows better and more structured code management.

## Example

### Terraform code

```hcl
module "prod-firewall" {
  source      = "./modules/net-vpc-firewall-yaml"
  project_id  = "my-prod-project"
  network     = "my-prod-network"
  config_path = "./prod"
  log_config = {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

module "dev-firewall" {
  source      = "./modules/net-vpc-firewall-yaml"
  project_id  = "my-dev-project"
  network     = "my-dev-network"
  config_path = "./dev"
}
# tftest:skip
```

### Configuration Structure

```bash
├── dev
│   ├── core
│   │   └── common-rules.yaml
│   ├── team-a
│   │   ├── databases.yaml
│   │   └── web-app-a.yaml
│   └── team-b
│       ├── backend.yaml
│       └── frontend.yaml
└── prod
    ├── core
    │   └── common-rules.yaml
    ├── team-a
    │   ├── databases.yaml
    │   └── web-app-a.yaml
    └── team-b
        ├── backend.yaml
        └── frontend.yaml
```

### Rule definition format and structure

Firewall rules configuration should be placed in a set of yaml files in one or more folders. A firewall rule entry has the following structure:

```yaml
rule-name: # descriptive name, naming convention is adjusted by the module
  allow: # `allow` or `deny`
    - ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports
      protocol: tcp # protocol, put `all` for any protocol
  direction: EGRESS # EGRESS or INGRESS
  disabled: false # `false` or `true`, FW rule is disabled when `true`, default value is `true`
  priority: 1000 # rule priority value, default value is 1000
  source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
    - 0.0.0.0/0
  destination_ranges: # list of destination ranges, should be specified only for `EGRESS` rule
    - 0.0.0.0/0
  source_tags: ['some-tag'] # list of source tags, should be specified only for `INGRESS` rule
  source_service_accounts: # list of source service accounts, should be specified only for `INGRESS` rule, cannot be specified together with `source_tags` or `target_tags`
    - myapp@myproject-id.iam.gserviceaccount.com
  target_tags: ['some-tag'] # list of target tags
  target_service_accounts: # list of target service accounts, cannot be specified together with `source_tags` or `target_tags`
    - myapp@myproject-id.iam.gserviceaccount.com
```

Example yaml configuration for firewall rules:

```bash
cat ./prod/core/common-rules.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
  allow:
    - ports: []
      protocol: tcp
  direction: INGRESS
  priority: 1001
  source_ranges:
    - 35.191.0.0/16
    - 130.211.0.0/22

# deny all egress
deny-all:
  deny:
    - ports: []
      protocol: all
  direction: EGRESS
  priority: 65535
  destination_ranges:
    - 0.0.0.0/0

cat ./dev/team-a/web-app-a.yaml
# Myapp egress
web-app-a-egress:
  allow:
    - ports: [443]
      protocol: tcp
  direction: EGRESS
  destination_ranges:
    - 192.168.0.0/24
  target_service_accounts:
    - myapp@myproject-id.iam.gserviceaccount.com
# Myapp ingress
web-app-a-ingress:
  allow:
    - ports: [1234]
      protocol: tcp
  direction: INGRESS
  source_service_accounts:
    - frontend-sa@myproject-id.iam.gserviceaccount.com
  target_service_accounts:
    - web-app-a@myproject-id.iam.gserviceaccount.com
```

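To catch malformed or overly broad rule files before `terraform apply`, here is an added validator (example code, not part of the module) that checks the constraints described in the rule format above and flags allow rules that admit ingress from the internet on every port. Rules are given in the dict form `yaml.safe_load` returns for one file, so the snippet needs only the standard library; the sample rules are constructed.

```python
import ipaddress

INGRESS_ONLY = ("source_ranges", "source_tags", "source_service_accounts")
EGRESS_ONLY = ("destination_ranges",)


def validate_rule(name, rule):
    """Return the list of format problems in one rule entry (empty when valid)."""
    errors = []
    actions = [k for k in ("allow", "deny") if k in rule]
    if len(actions) != 1:
        errors.append(f"{name}: exactly one of allow/deny is required")
    for entry in (rule.get(actions[0], []) if actions else []):
        if not isinstance(entry.get("ports"), list) or "protocol" not in entry:
            errors.append(f"{name}: each allow/deny entry needs ports (list) and protocol")
    direction = rule.get("direction")
    if direction not in ("INGRESS", "EGRESS"):
        errors.append(f"{name}: direction must be INGRESS or EGRESS")
    # source_* keys belong only to INGRESS rules, destination_ranges only to EGRESS
    misplaced = EGRESS_ONLY if direction == "INGRESS" else INGRESS_ONLY
    errors += [f"{name}: {k} is not valid for {direction}" for k in misplaced if k in rule]
    by_sa = "source_service_accounts" in rule or "target_service_accounts" in rule
    if by_sa and ("source_tags" in rule or "target_tags" in rule):
        errors.append(f"{name}: service accounts cannot be combined with tags")
    for key in ("source_ranges", "destination_ranges"):
        for cidr in rule.get(key, []):
            try:
                ipaddress.ip_network(cidr)
            except ValueError:
                errors.append(f"{name}: {key} contains invalid CIDR {cidr!r}")
    return errors


def broad_ingress(rule):
    """True for an allow rule admitting INGRESS from anywhere on every port."""
    if rule.get("direction") != "INGRESS" or "allow" not in rule:
        return False
    return "0.0.0.0/0" in rule.get("source_ranges", []) and any(
        e.get("ports") == [] or e.get("protocol") == "all" for e in rule["allow"])


# Constructed samples: the page's lb-health-checks rule, one with two format
# errors, and one that is well formed but exposes every port to the internet.
LB_HEALTH_CHECKS = {"allow": [{"ports": [], "protocol": "tcp"}], "direction": "INGRESS",
                    "priority": 1001, "source_ranges": ["35.191.0.0/16", "130.211.0.0/22"]}
BAD_RULE = {"allow": [{"ports": ["22"], "protocol": "tcp"}], "direction": "INGRESS",
            "destination_ranges": ["10.0.0.0/8"], "source_tags": ["bastion"],
            "target_service_accounts": ["app@myproject-id.iam.gserviceaccount.com"]}
OPEN_RULE = {"allow": [{"ports": [], "protocol": "all"}], "direction": "INGRESS",
             "source_ranges": ["0.0.0.0/0"]}
```

Run `validate_rule` over every top-level key of each loaded file in the config folder and treat a non-empty result, or a `broad_ingress` hit outside an explicit exception list, as a CI failure.
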
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| config_path | Path to a folder where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. File suffix must be `.yaml`. | <code title="">string</code> | ✓ | |
| network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ | |
| project_id | Project Id. | <code title="">string</code> | ✓ | |
| *log_config* | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` to disable firewall logging. | <code title="object({ metadata = string })">object({...})</code> | | <code title="">null</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| egress_allow_rules | Egress rules with allow blocks. | |
| egress_deny_rules | Egress rules with deny blocks. | |
| ingress_allow_rules | Ingress rules with allow blocks. | |
| ingress_deny_rules | Ingress rules with deny blocks. | |
<!-- END TFDOC -->