Allow using named ranges in firewall rules

2021-10-04 12:39:45 +02:00
parent d3e8b5e35e
commit 400a94658d
3 changed files with 98 additions and 44 deletions
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -14,44 +14,16 @@
 * limitations under the License.
 */

-variable "network" {
-  description = "Name of the network this set of firewall rules applies to."
-  type        = string
-}
-
-variable "project_id" {
-  description = "Project id of the project that holds the network."
-  type        = string
-}
-
-variable "admin_ranges_enabled" {
-  description = "Enable admin ranges-based rules."
-  type        = bool
-  default     = false
-}
-
 variable "admin_ranges" {
  description = "IP CIDR ranges that have complete access to all subnets."
  type        = list(string)
  default     = []
 }

-variable "ssh_source_ranges" {
-  description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
-  type        = list(string)
-  default     = ["35.235.240.0/20"]
-}
-
-variable "http_source_ranges" {
-  description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
-  type        = list(string)
-  default     = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
-}
-
-variable "https_source_ranges" {
-  description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
-  type        = list(string)
-  default     = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+variable "admin_ranges_enabled" {
+  description = "Enable admin ranges-based rules."
+  type        = bool
+  default     = false
 }

 variable "custom_rules" {
@@ -72,3 +44,45 @@ variable "custom_rules" {
  }))
  default = {}
 }
+
+variable "http_source_ranges" {
+  description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
+  type        = list(string)
+  default     = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "https_source_ranges" {
+  description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
+  type        = list(string)
+  default     = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "named_ranges" {
+  description = "Names that can be used of valid values for the `ranges` field of `custom_rules`"
+  type        = map(list(string))
+  default = {
+    any                   = ["0.0.0.0/0"]
+    dns-forwarders        = ["35.199.192.0/19"]
+    health-checkers       = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+    iap-forwarders        = ["35.235.240.0/20"]
+    private-googleapis    = ["199.36.153.8/30"]
+    restricted-googleapis = ["199.36.153.4/30"]
+    rfc1918               = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  }
+}
+
+variable "network" {
+  description = "Name of the network this set of firewall rules applies to."
+  type        = string
+}
+
+variable "project_id" {
+  description = "Project id of the project that holds the network."
+  type        = string
+}
+
+variable "ssh_source_ranges" {
+  description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
+  type        = list(string)
+  default     = ["35.235.240.0/20"]
+}