Allow setting no ranges in firewall module custom rules (#1073)
* allow setting no ranges in custom firewall rules * fix blueprint * fix example * fix example
committed by
GitHub
parent
53135cdef9
commit
66a402083b
@@ -33,7 +33,7 @@ Some implicit defaults are used in the rules variable types and can be controlle
|
||||
|
||||
- action is controlled via the `deny` attribute which defaults to `true` for egress and `false` for ingress
|
||||
- priority defaults to `1000`
|
||||
- destination ranges (for egress) and source ranges (for ingress) default to `["0.0.0.0/0"]` if not explicitly set
|
||||
- destination ranges (for egress) and source ranges (for ingress) default to `["0.0.0.0/0"]` if not explicitly set or set to `null`, to disable the behaviour set ranges to the empty list (`[]`)
|
||||
- rules default to all protocols if not set
|
||||
|
||||
```hcl
|
||||
@@ -45,31 +45,39 @@ module "firewall" {
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
}
|
||||
egress_rules = {
|
||||
# implicit `deny` action
|
||||
# implicit deny action
|
||||
allow-egress-rfc1918 = {
|
||||
deny = false
|
||||
description = "Allow egress to RFC 1918 ranges."
|
||||
destination_ranges = [
|
||||
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
|
||||
]
|
||||
# implicit { protocol = "all" } rule
|
||||
}
|
||||
allow-egress-tag = {
|
||||
deny = false
|
||||
description = "Allow egress from a specific tag to 0/0."
|
||||
targets = ["target-tag"]
|
||||
}
|
||||
deny-egress-all = {
|
||||
description = "Block egress."
|
||||
# implicit ["0.0.0.0/0"] destination ranges
|
||||
# implicit { protocol = "all" } rule
|
||||
}
|
||||
}
|
||||
ingress_rules = {
|
||||
# implicit `allow` action
|
||||
# implicit allow action
|
||||
allow-ingress-ntp = {
|
||||
description = "Allow NTP service based on tag."
|
||||
source_ranges = ["0.0.0.0/0"]
|
||||
targets = ["ntp-svc"]
|
||||
rules = [{ protocol = "udp", ports = [123] }]
|
||||
description = "Allow NTP service based on tag."
|
||||
targets = ["ntp-svc"]
|
||||
rules = [{ protocol = "udp", ports = [123] }]
|
||||
}
|
||||
allow-ingress-tag = {
|
||||
description = "Allow ingress from a specific tag."
|
||||
source_ranges = []
|
||||
sources = ["client-tag"]
|
||||
targets = ["target-tag"]
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=7
|
||||
# tftest modules=1 resources=9
|
||||
```
|
||||
|
||||
### Controlling or turning off default rules
|
||||
@@ -194,13 +202,13 @@ healthchecks:
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [network](variables.tf#L109) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L114) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L108) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L113) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L60) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = string })">object({…})</code> | | <code>null</code> |
|
||||
| [ingress_rules](variables.tf#L69) | List of ingress rule definitions, default to allow action. | <code title="map(object({ deny = optional(bool, false) description = optional(string) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L92) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L59) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = string })">object({…})</code> | | <code>null</code> |
|
||||
| [ingress_rules](variables.tf#L68) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L91) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -66,15 +66,23 @@ locals {
|
||||
for name, rule in local._rules :
|
||||
name => merge(rule, {
|
||||
action = rule.deny == true ? "DENY" : "ALLOW"
|
||||
destination_ranges = flatten([
|
||||
for range in coalesce(try(rule.destination_ranges, null), []) :
|
||||
try(local._named_ranges[range], range)
|
||||
])
|
||||
destination_ranges = (
|
||||
try(rule.destination_ranges, null) == null
|
||||
? null
|
||||
: flatten([
|
||||
for range in rule.destination_ranges :
|
||||
try(local._named_ranges[range], range)
|
||||
])
|
||||
)
|
||||
rules = { for k, v in rule.rules : k => v }
|
||||
source_ranges = flatten([
|
||||
for range in coalesce(try(rule.source_ranges, null), []) :
|
||||
try(local._named_ranges[range], range)
|
||||
])
|
||||
source_ranges = (
|
||||
try(rule.source_ranges, null) == null
|
||||
? null
|
||||
: flatten([
|
||||
for range in rule.source_ranges :
|
||||
try(local._named_ranges[range], range)
|
||||
])
|
||||
)
|
||||
})
|
||||
}
|
||||
}
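Review bot: Both range expressions now deliberately pass `null` through instead of coalescing to `[]`, but nothing in the hunk says why, and that distinction (null → defaulted to 0/0 by the resource, `[]` → no ranges at all) is the whole point of the commit; a later "simplification" back to `coalesce(..., [])` would silently turn every `[]` rule back into a 0/0 rule. A one-line comment above each expression would make the contract explicit, e.g. `# keep null distinct from [] so the resource defaults only unset ranges to 0/0`. The outer `try(rule.destination_ranges, null)` presumably guards entries that lack the attribute because the merged map mixes ingress and egress objects; worth saying so in the same comment. The enclosing `locals` block starts before this hunk.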
|
||||
@@ -89,18 +97,20 @@ resource "google_compute_firewall" "custom-rules" {
|
||||
source_ranges = (
|
||||
each.value.direction == "INGRESS"
|
||||
? (
|
||||
coalesce(each.value.source_ranges, []) == []
|
||||
each.value.source_ranges == null
|
||||
? ["0.0.0.0/0"]
|
||||
: each.value.source_ranges
|
||||
) : null
|
||||
)
|
||||
: null
|
||||
)
|
||||
destination_ranges = (
|
||||
each.value.direction == "EGRESS"
|
||||
? (
|
||||
coalesce(each.value.destination_ranges, []) == []
|
||||
each.value.destination_ranges == null
|
||||
? ["0.0.0.0/0"]
|
||||
: each.value.destination_ranges
|
||||
) : null
|
||||
)
|
||||
: null
|
||||
)
|
||||
source_tags = (
|
||||
each.value.use_service_accounts || each.value.direction == "EGRESS"
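Review bot: The 0.0.0.0/0 fallback in the INGRESS branch of `source_ranges` still fires when the rule already scopes its sources with `sources` (tags or service accounts), so an ingress allow rule that sets only `sources` and omits `source_ranges = []` is open to every address — as I recall GCP evaluates source ranges and source tags as a union, so the tag does not narrow it. The README example has to carry an explicit `source_ranges = []` for exactly this reason, which is easy to forget in a large rules map or a factory YAML file, and the failure mode is fail-open. Consider applying the default only when no other source selector is present, e.g. `each.value.source_ranges == null && try(each.value.sources, null) == null ? ["0.0.0.0/0"] : each.value.source_ranges`, or at least a `precondition` that rejects null ranges combined with non-null `sources`. The resource body continues outside the hunk (the `source_tags` expression is cut at its first line).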
|
||||
|
||||
@@ -35,7 +35,7 @@ variable "default_rules_config" {
|
||||
}
|
||||
|
||||
variable "egress_rules" {
|
||||
description = "List of egress rule definitions, default to deny action."
|
||||
description = "List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0."
|
||||
type = map(object({
|
||||
deny = optional(bool, true)
|
||||
description = optional(string)
|
||||
@@ -45,7 +45,6 @@ variable "egress_rules" {
|
||||
include_metadata = optional(bool)
|
||||
}))
|
||||
priority = optional(number, 1000)
|
||||
sources = optional(list(string))
|
||||
targets = optional(list(string))
|
||||
use_service_accounts = optional(bool, false)
|
||||
rules = optional(list(object({
|
||||
@@ -67,7 +66,7 @@ variable "factories_config" {
|
||||
}
|
||||
|
||||
variable "ingress_rules" {
|
||||
description = "List of ingress rule definitions, default to allow action."
|
||||
description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0."
|
||||
type = map(object({
|
||||
deny = optional(bool, false)
|
||||
description = optional(string)
|
||||
|
||||