net vpc firewall factory schema (#2497)

This commit is contained in:
Ludovico Magnocavallo
2024-08-10 15:04:50 +02:00
committed by GitHub
parent f15442d2f4
commit 3efb368b6c
22 changed files with 162 additions and 24 deletions


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-deny:


@@ -1,7 +1,8 @@
# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-allow-composer-nodes:


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-landing-deny:


@@ -1,7 +1,8 @@
# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
allow-onprem-probes-landing-example:


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-deny:


@@ -0,0 +1 @@
../../../../modules/net-vpc-firewall/schemas/firewall-rules.schema.json


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-deny:


@@ -1,7 +1,8 @@
# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-allow-composer-nodes:


@@ -1,4 +1,9 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
# This is only relevant when using NCC-RA, and can be safely removed otherwise
ingress:
allow-ncc-nva-bgp-dmz:


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
dmz-ingress-default-deny:


@@ -1,7 +1,8 @@
# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
allow-hc-nva-ssh-dmz:


@@ -1,4 +1,9 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
# This is only relevant when using NCC-RA, and can be safely removed otherwise
ingress:
allow-ncc-nva-bgp-landing:


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-landing-deny:


@@ -1,7 +1,8 @@
# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
allow-hc-nva-ssh-landing:


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-deny:


@@ -0,0 +1 @@
../../../../modules/net-vpc-firewall/schemas/firewall-rules.schema.json


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-deny:


@@ -1,7 +1,8 @@
# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-allow-composer-nodes:


@@ -1,4 +1,8 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
ingress:
ingress-default-deny:


@@ -0,0 +1 @@
../../../../modules/net-vpc-firewall/schemas/firewall-rules.schema.json


@@ -198,12 +198,6 @@ module "firewall" {
```
```yaml
# tftest-file id=lbs path=configs/firewall/rules/load_balancers.yaml
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
ingress:
allow-healthchecks:
description: Allow ingress from healthchecks.
@@ -234,20 +228,18 @@ egress:
- protocol: tcp
ports:
- 23
# tftest-file id=lbs path=configs/firewall/rules/load_balancers.yaml
```
```yaml
# tftest-file id=cidrs path=configs/firewall/cidrs.yaml
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
healthchecks:
- 35.191.0.0/16
- 130.211.0.0/22
- 209.85.152.0/22
- 209.85.204.0/22
# tftest-file id=cidrs path=configs/firewall/cidrs.yaml
```
Instead of using `factories_config.cidr_tpl_file` file, you can pass CIDR blocks directly in the `named_ranges` variable. This approach could be useful for dynamically generated CIDR blocks from outputs of other resources.


@@ -0,0 +1,91 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Firewall Rules",
"type": "object",
"additionalProperties": false,
"properties": {
"ingress": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9_-]+$": {
"$ref": "#/$defs/rule"
}
}
}
},
"$defs": {
"rule": {
"type": "object",
"additionalProperties": false,
"properties": {
"deny": {
"type": "boolean"
},
"description": {
"type": "string"
},
"destination_ranges": {
"type": "array",
"items": {
"type": "string"
}
},
"disabled": {
"type": "boolean"
},
"enable_logging": {
"type": "object",
"additionalProperties": false,
"properties": {
"include_metadata": {
"type": "boolean"
}
}
},
"priority": {
"type": "number"
},
"source_ranges": {
"type": "array",
"items": {
"type": "string"
}
},
"sources": {
"type": "array",
"items": {
"type": "string"
}
},
"targets": {
"type": "array",
"items": {
"type": "string"
}
},
"use_service_accounts": {
"type": "boolean"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"protocol": {
"type": "string"
},
"ports": {
"type": "array",
"items": {
"type": "number"
}
}
}
}
}
}
}
}
}
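Review bot: The top-level object declares only `ingress` while `additionalProperties` is `false`, so a rules file that also carries an `egress:` section — as the README example touched by this same commit does, its second hunk header being anchored on `egress:` — will fail validation against this schema even though the factory appears to read it. If egress rules are still supported, add a sibling property with the same shape, e.g. `"egress": { "type": "object", "additionalProperties": false, "patternProperties": { "^[a-z0-9_-]+$": { "$ref": "#/$defs/rule" } } }`, or move that map into `$defs` and `$ref` it from both keys so the two cannot drift. Separately, `$schema` declares draft-07 but the subschemas live under `$defs`, which draft-07 spells `definitions`; the `$ref` JSON pointer still resolves, but draft-07 validators and editors treat `$defs` as an unknown keyword, so either rename it (and the reference to `#/definitions/rule`) or declare `https://json-schema.org/draft/2020-12/schema`. Finally, `priority` and the `ports` items are typed `number`, which admits fractional values; `"type": "integer"`, with `minimum`/`maximum` bounds if the provider's accepted ranges are known, would let the YAML language server flag typos that currently pass.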