Remove firewall policy management from resource management modules (#1581)
* rename firewall policy module, fix outputs * add TOC to firewall policy module * don't depend policy on parent id * remove firewall policy from resource management modules * remove factory conditionals * fast net a and b * fast stages * fast tfdoc * fast tfdoc * remove unused test * fix shielded folder blueprint * fix shielded folder blueprint
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
b7ff8f0933
commit
79373721df
@@ -45,6 +45,7 @@ These modules are used in the examples included in this repository. If you are u
|
||||
- [Cloud Endpoints](./endpoints)
|
||||
- [DNS](./dns)
|
||||
- [DNS Response Policy](./dns-response-policy/)
|
||||
- [Firewall policy](./net-firewall-policy)
|
||||
- [External Application Load Balancer](./net-lb-app-ext/)
|
||||
- [External Passthrough Network Load Balancer](./net-lb-ext)
|
||||
- [Internal Application Load Balancer](./net-lb-app-int)
|
||||
@@ -55,7 +56,6 @@ These modules are used in the examples included in this repository. If you are u
|
||||
- [Service Directory](./service-directory)
|
||||
- [VPC](./net-vpc)
|
||||
- [VPC firewall](./net-vpc-firewall)
|
||||
- [VPC firewall policy](./net-vpc-firewall-policy)
|
||||
- [VPN dynamic](./net-vpn-dynamic)
|
||||
- [VPC peering](./net-vpc-peering)
|
||||
- [VPN HA](./net-vpn-ha)
|
||||
|
||||
@@ -2,15 +2,12 @@
|
||||
|
||||
This module allows the creation and management of folders, including support for IAM bindings, organization policies, and hierarchical firewall rules.
|
||||
|
||||
|
||||
<!-- BEGIN TOC -->
|
||||
- [Basic example with IAM bindings](#basic-example-with-iam-bindings)
|
||||
- [IAM](#iam)
|
||||
- [Organization policies](#organization-policies)
|
||||
- [Organization Policy Factory](#organization-policy-factory)
|
||||
- [Hierarchical Firewall Policies](#hierarchical-firewall-policies)
|
||||
- [Directly Defined Firewall Policies](#directly-defined-firewall-policies)
|
||||
- [Firewall Policy Factory](#firewall-policy-factory)
|
||||
- [Hierarchical Firewall Policy Attachments](#hierarchical-firewall-policy-attachments)
|
||||
- [Log Sinks](#log-sinks)
|
||||
- [Data Access Logs](#data-access-logs)
|
||||
- [Tags](#tags)
|
||||
@@ -121,128 +118,31 @@ module "folder" {
|
||||
|
||||
See the [organization policy factory in the project module](../project#organization-policy-factory).
|
||||
|
||||
## Hierarchical Firewall Policies
|
||||
## Hierarchical Firewall Policy Attachments
|
||||
|
||||
Hierarchical firewall policies can be managed in two ways:
|
||||
|
||||
- via the `firewall_policies` variable, to directly define policies and rules in Terraform
|
||||
- via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
|
||||
|
||||
Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.
|
||||
|
||||
### Directly Defined Firewall Policies
|
||||
Hierarchical firewall policies can be managed via the [`net-firewall-policy`](../net-firewall-policy/) module, including support for factories. Once a policy is available, attaching it to the organization can be done either in the firewall policy module itself, or here:
|
||||
|
||||
```hcl
|
||||
module "folder1" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "policy-container"
|
||||
|
||||
firewall_policies = {
|
||||
iap-policy = {
|
||||
allow-admins = {
|
||||
description = "Access from the admin subnet to all subnets"
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 1000
|
||||
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
||||
ports = { all = [] }
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
allow-iap-ssh = {
|
||||
description = "Always allow ssh from IAP"
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 100
|
||||
ranges = ["35.235.240.0/20"]
|
||||
ports = { tcp = ["22"] }
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
}
|
||||
}
|
||||
firewall_policy_association = {
|
||||
iap-policy = "iap-policy"
|
||||
}
|
||||
module "firewall-policy" {
|
||||
source = "./fabric/modules/net-firewall-policy"
|
||||
name = "test-1"
|
||||
parent_id = module.folder.id
|
||||
# attachment via the firewall policy module
|
||||
# attachments = {
|
||||
# folder-1 = module.folder.id
|
||||
# }
|
||||
}
|
||||
|
||||
module "folder2" {
|
||||
module "folder" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "hf2"
|
||||
firewall_policy_association = {
|
||||
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||
parent = "organizations/1234567890"
|
||||
name = "Folder name"
|
||||
# attachment via the organization module
|
||||
firewall_policy_associations = {
|
||||
test-1 = module.firewall-policy.id
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=7 inventory=hfw.yaml
|
||||
```
|
||||
|
||||
### Firewall Policy Factory
|
||||
|
||||
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
||||
|
||||
```hcl
|
||||
module "folder1" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "policy-container"
|
||||
firewall_policy_factory = {
|
||||
cidr_file = "configs/firewall-policies/cidrs.yaml"
|
||||
policy_name = "iap-policy"
|
||||
rules_file = "configs/firewall-policies/rules.yaml"
|
||||
}
|
||||
firewall_policy_association = {
|
||||
iap-policy = "iap-policy"
|
||||
}
|
||||
}
|
||||
|
||||
module "folder2" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "hf2"
|
||||
firewall_policy_association = {
|
||||
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=7 files=cidrs,rules inventory=hfw.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
|
||||
rfc1918:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
|
||||
allow-admins:
|
||||
description: Access from the admin subnet to all subnets
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 1000
|
||||
ranges:
|
||||
- $rfc1918
|
||||
ports:
|
||||
all: []
|
||||
target_resources: null
|
||||
logging: false
|
||||
|
||||
allow-iap-ssh:
|
||||
description: "Always allow ssh from IAP"
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 100
|
||||
ranges:
|
||||
- 35.235.240.0/20
|
||||
ports:
|
||||
tcp: ["22"]
|
||||
target_resources: null
|
||||
logging: false
|
||||
# tftest modules=2 resources=3
|
||||
```
|
||||
|
||||
## Log Sinks
|
||||
@@ -395,15 +295,13 @@ module "folder" {
|
||||
|
||||
<!-- TFDOC OPTS files:1 -->
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Files
|
||||
|
||||
| name | description | resources |
|
||||
|---|---|---|
|
||||
| [firewall-policies.tf](./firewall-policies.tf) | None | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
|
||||
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_folder_iam_binding</code> · <code>google_folder_iam_member</code> · <code>google_folder_iam_policy</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_folder_iam_audit_config</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
|
||||
@@ -415,34 +313,29 @@ module "folder" {
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [firewall_policies](variables.tf#L24) | Hierarchical firewall policies created in this folder. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [firewall_policy_association](variables.tf#L41) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [firewall_policy_factory](variables.tf#L48) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L58) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [group_iam](variables.tf#L64) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L71) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L78) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive_members](variables.tf#L85) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_policy](variables.tf#L92) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| [id](variables.tf#L98) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables.tf#L104) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables.tf#L119) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L126) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L156) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L162) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies_data_path](variables.tf#L189) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
|
||||
| [parent](variables.tf#L195) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L205) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [firewall_policy_associations](variables.tf#L24) | Hierarchical firewall policies to associate to this folder, in association name => policy id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [folder_create](variables.tf#L31) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [group_iam](variables.tf#L37) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L44) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L51) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive_members](variables.tf#L58) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_policy](variables.tf#L65) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| [id](variables.tf#L71) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables.tf#L77) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables.tf#L92) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L99) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L129) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L135) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies_data_path](variables.tf#L162) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
|
||||
| [parent](variables.tf#L168) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L178) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [firewall_policies](outputs.tf#L16) | Map of firewall policy resources created in this folder. | |
|
||||
| [firewall_policy_id](outputs.tf#L21) | Map of firewall policy ids created in this folder. | |
|
||||
| [folder](outputs.tf#L26) | Folder resource. | |
|
||||
| [id](outputs.tf#L31) | Fully qualified folder id. | |
|
||||
| [name](outputs.tf#L41) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L46) | Writer identities created for each sink. | |
|
||||
|
||||
| [folder](outputs.tf#L17) | Folder resource. | |
|
||||
| [id](outputs.tf#L22) | Fully qualified folder id. | |
|
||||
| [name](outputs.tf#L32) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L37) | Writer identities created for each sink. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -1,93 +0,0 @@
|
||||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
_factory_cidrs = try(
|
||||
yamldecode(file(var.firewall_policy_factory.cidr_file)), {}
|
||||
)
|
||||
_factory_name = (
|
||||
try(var.firewall_policy_factory.policy_name, null) == null
|
||||
? "factory"
|
||||
: var.firewall_policy_factory.policy_name
|
||||
)
|
||||
_factory_rules = try(
|
||||
yamldecode(file(var.firewall_policy_factory.rules_file)), {}
|
||||
)
|
||||
_factory_rules_parsed = {
|
||||
for name, rule in local._factory_rules : name => merge(rule, {
|
||||
ranges = flatten([
|
||||
for r in(rule.ranges == null ? [] : rule.ranges) :
|
||||
lookup(local._factory_cidrs, trimprefix(r, "$"), r)
|
||||
])
|
||||
})
|
||||
}
|
||||
_merged_rules = flatten([
|
||||
for policy, rules in local.firewall_policies : [
|
||||
for name, rule in rules : merge(rule, {
|
||||
policy = policy
|
||||
name = name
|
||||
})
|
||||
]
|
||||
])
|
||||
firewall_policies = merge(var.firewall_policies, (
|
||||
length(local._factory_rules) == 0
|
||||
? {}
|
||||
: { (local._factory_name) = local._factory_rules_parsed }
|
||||
))
|
||||
firewall_rules = {
|
||||
for r in local._merged_rules : "${r.policy}-${r.name}" => r
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy" "policy" {
|
||||
for_each = local.firewall_policies
|
||||
short_name = each.key
|
||||
parent = local.folder.id
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy_rule" "rule" {
|
||||
for_each = local.firewall_rules
|
||||
firewall_policy = google_compute_firewall_policy.policy[each.value.policy].id
|
||||
action = each.value.action
|
||||
direction = each.value.direction
|
||||
priority = try(each.value.priority, null)
|
||||
target_resources = try(each.value.target_resources, null)
|
||||
target_service_accounts = try(each.value.target_service_accounts, null)
|
||||
enable_logging = try(each.value.logging, null)
|
||||
# preview = each.value.preview
|
||||
description = each.value.description
|
||||
match {
|
||||
src_ip_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
||||
dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
||||
dynamic "layer4_configs" {
|
||||
for_each = each.value.ports
|
||||
iterator = port
|
||||
content {
|
||||
ip_protocol = port.key
|
||||
ports = port.value
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
resource "google_compute_firewall_policy_association" "association" {
|
||||
for_each = var.firewall_policy_association
|
||||
name = replace(local.folder.id, "/", "-")
|
||||
attachment_target = local.folder.id
|
||||
firewall_policy = try(google_compute_firewall_policy.policy[each.value].id, each.value)
|
||||
}
|
||||
|
||||
@@ -41,3 +41,10 @@ resource "google_essential_contacts_contact" "contact" {
|
||||
language_tag = "en"
|
||||
notification_category_subscriptions = each.value
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy_association" "default" {
|
||||
for_each = var.firewall_policy_associations
|
||||
attachment_target = local.folder.id
|
||||
name = each.key
|
||||
firewall_policy = each.value
|
||||
}
|
||||
|
||||
@@ -13,15 +13,6 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
output "firewall_policies" {
|
||||
description = "Map of firewall policy resources created in this folder."
|
||||
value = { for k, v in google_compute_firewall_policy.policy : k => v }
|
||||
}
|
||||
|
||||
output "firewall_policy_id" {
|
||||
description = "Map of firewall policy ids created in this folder."
|
||||
value = { for k, v in google_compute_firewall_policy.policy : k => v.id }
|
||||
}
|
||||
|
||||
output "folder" {
|
||||
description = "Folder resource."
|
||||
|
||||
@@ -21,40 +21,13 @@ variable "contacts" {
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
description = "Hierarchical firewall policies created in this folder."
|
||||
type = map(map(object({
|
||||
action = string
|
||||
description = string
|
||||
direction = string
|
||||
logging = bool
|
||||
ports = map(list(string))
|
||||
priority = number
|
||||
ranges = list(string)
|
||||
target_resources = list(string)
|
||||
target_service_accounts = list(string)
|
||||
})))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "firewall_policy_association" {
|
||||
description = "The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else."
|
||||
variable "firewall_policy_associations" {
|
||||
description = "Hierarchical firewall policies to associate to this folder, in association name => policy id format."
|
||||
type = map(string)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "firewall_policy_factory" {
|
||||
description = "Configuration for the firewall policy factory."
|
||||
type = object({
|
||||
cidr_file = string
|
||||
policy_name = string
|
||||
rules_file = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "folder_create" {
|
||||
description = "Create folder. When set to false, uses id to reference an existing folder."
|
||||
type = bool
|
||||
|
||||
@@ -9,13 +9,23 @@ The module also manages policy rules via code or a factory, and optional policy
|
||||
|
||||
The module also makes fewer assumptions about implicit defaults, only using one to set `match.layer4_configs` to `[{ protocol = "all" }]` if no explicit set of protocols and ports has been specified.
|
||||
|
||||
<!-- BEGIN TOC -->
|
||||
- [Examples](#examples)
|
||||
- [Hierarchical Policy](#hierarchical-policy)
|
||||
- [Global Network policy](#global-network-policy)
|
||||
- [Regional Network policy](#regional-network-policy)
|
||||
- [Factory](#factory)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
||||
## Examples
|
||||
|
||||
### Hierarchical Policy
|
||||
|
||||
```hcl
|
||||
module "firewall-policy" {
|
||||
source = "./fabric/modules/net-vpc-firewall-policy"
|
||||
source = "./fabric/modules/net-firewall-policy"
|
||||
name = "test-1"
|
||||
parent_id = "folders/1234567890"
|
||||
attachments = {
|
||||
@@ -67,9 +77,10 @@ module "vpc" {
|
||||
}
|
||||
|
||||
module "firewall-policy" {
|
||||
source = "./fabric/modules/net-vpc-firewall-policy"
|
||||
source = "./fabric/modules/net-firewall-policy"
|
||||
name = "test-1"
|
||||
parent_id = "my-project"
|
||||
region = "global"
|
||||
attachments = {
|
||||
my-vpc = module.vpc.self_link
|
||||
}
|
||||
@@ -119,7 +130,7 @@ module "vpc" {
|
||||
}
|
||||
|
||||
module "firewall-policy" {
|
||||
source = "./fabric/modules/net-vpc-firewall-policy"
|
||||
source = "./fabric/modules/net-firewall-policy"
|
||||
name = "test-1"
|
||||
parent_id = "my-project"
|
||||
region = "europe-west8"
|
||||
@@ -164,7 +175,7 @@ This is an example of a simple factory:
|
||||
|
||||
```hcl
|
||||
module "firewall-policy" {
|
||||
source = "./fabric/modules/net-vpc-firewall-policy"
|
||||
source = "./fabric/modules/net-firewall-policy"
|
||||
name = "test-1"
|
||||
parent_id = "folders/1234567890"
|
||||
attachments = {
|
||||
@@ -219,7 +230,6 @@ icmp:
|
||||
layer4_configs:
|
||||
- protocol: icmp
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
@@ -231,7 +241,7 @@ icmp:
|
||||
| [description](variables.tf#L24) | Policy description. | <code>string</code> | | <code>null</code> |
|
||||
| [egress_rules](variables.tf#L30) | List of egress rule definitions, action can be 'allow', 'deny', 'goto_next'. The match.layer4configs map is in protocol => optional [ports] format. | <code title="map(object({ priority = number action = optional(string, "deny") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L71) | List of ingress rule definitions, action can be 'allow', 'deny', 'goto_next'. | <code title="map(object({ priority = number action = optional(string, "allow") description = optional(string) disabled = optional(bool, false) enable_logging = optional(bool) target_service_accounts = optional(list(string)) target_tags = optional(list(string)) match = object({ address_groups = optional(list(string)) fqdns = optional(list(string)) region_codes = optional(list(string)) threat_intelligences = optional(list(string)) destination_ranges = optional(list(string)) source_ranges = optional(list(string)) source_tags = optional(list(string)) layer4_configs = optional(list(object({ protocol = optional(string, "all") ports = optional(list(string)) })), [{}]) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [region](variables.tf#L125) | Policy region. Leave null for hierarchical policy, or global network policy. | <code>string</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L125) | Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy. | <code>string</code> | | <code>null</code> |
|
||||
| [rules_factory_config](variables.tf#L131) | Configuration for the optional rules factory. | <code title="object({ cidr_file_path = optional(string) egress_rules_file_path = optional(string) ingress_rules_file_path = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
@@ -15,20 +15,14 @@
|
||||
*/
|
||||
|
||||
locals {
|
||||
_factory_egress_rules = (
|
||||
var.rules_factory_config.egress_rules_file_path == null
|
||||
? {}
|
||||
: yamldecode(file(var.rules_factory_config.egress_rules_file_path))
|
||||
_factory_egress_rules = try(
|
||||
yamldecode(file(var.rules_factory_config.egress_rules_file_path)), {}
|
||||
)
|
||||
_factory_ingress_rules = (
|
||||
var.rules_factory_config.ingress_rules_file_path == null
|
||||
? {}
|
||||
: yamldecode(file(var.rules_factory_config.ingress_rules_file_path))
|
||||
_factory_ingress_rules = try(
|
||||
yamldecode(file(var.rules_factory_config.ingress_rules_file_path)), {}
|
||||
)
|
||||
factory_cidrs = (
|
||||
var.rules_factory_config.cidr_file_path == null
|
||||
? {}
|
||||
: yamldecode(file(var.rules_factory_config.cidr_file_path))
|
||||
factory_cidrs = try(
|
||||
yamldecode(file(var.rules_factory_config.cidr_file_path)), {}
|
||||
)
|
||||
factory_egress_rules = {
|
||||
for k, v in local._factory_egress_rules : "ingress/${k}" => {
|
||||
@@ -27,6 +27,7 @@ locals {
|
||||
local.factory_egress_rules, local.factory_ingress_rules,
|
||||
local._rules_egress, local._rules_ingress
|
||||
)
|
||||
use_hierarchical = strcontains(var.parent_id, "/") ? true : false
|
||||
use_regional = !local.use_hierarchical && var.region != null
|
||||
# do not depend on the parent id as that might be dynamic and prevent count
|
||||
use_hierarchical = var.region == null
|
||||
use_regional = !local.use_hierarchical && var.region != "global"
|
||||
}
|
||||
@@ -16,9 +16,13 @@
|
||||
|
||||
output "id" {
|
||||
description = "Fully qualified firewall policy id."
|
||||
value = coalesce([
|
||||
try(google_compute_firewall_policy.hierarchical.0.id, null),
|
||||
try(google_compute_network_firewall_policy.net-global.0.id, null),
|
||||
try(google_compute_region_network_firewall_policy.net-regional.0.id, null)
|
||||
])
|
||||
value = (
|
||||
local.use_hierarchical
|
||||
? google_compute_firewall_policy.hierarchical.0.id
|
||||
: (
|
||||
local.use_regional
|
||||
? google_compute_region_network_firewall_policy.net-regional.0.id
|
||||
: google_compute_network_firewall_policy.net-global.0.id
|
||||
)
|
||||
)
|
||||
}
|
||||
@@ -123,7 +123,7 @@ variable "parent_id" {
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Policy region. Leave null for hierarchical policy, or global network policy."
|
||||
description = "Policy region. Leave null for hierarchical policy, set to 'global' for a global network policy."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
@@ -11,6 +11,7 @@ This module allows managing several organization properties:
|
||||
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
||||
|
||||
## TOC
|
||||
|
||||
<!-- BEGIN TOC -->
|
||||
- [TOC](#toc)
|
||||
- [Example](#example)
|
||||
@@ -19,9 +20,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
|
||||
- [Organization Policy Factory](#organization-policy-factory)
|
||||
- [Organization Policy Custom Constraints](#organization-policy-custom-constraints)
|
||||
- [Organization Policy Custom Constraints Factory](#organization-policy-custom-constraints-factory)
|
||||
- [Hierarchical Firewall Policies](#hierarchical-firewall-policies)
|
||||
- [Directly Defined Firewall Policies](#directly-defined-firewall-policies)
|
||||
- [Firewall Policy Factory](#firewall-policy-factory)
|
||||
- [Hierarchical Firewall Policy Attachments](#hierarchical-firewall-policy-attachments)
|
||||
- [Log Sinks](#log-sinks)
|
||||
- [Data Access Logs](#data-access-logs)
|
||||
- [Custom Roles](#custom-roles)
|
||||
@@ -226,109 +225,30 @@ custom.dataprocNoMoreThan10Workers:
|
||||
description: Cluster cannot have more than 10 workers, including primary and secondary workers.
|
||||
```
|
||||
|
||||
## Hierarchical Firewall Policies
|
||||
## Hierarchical Firewall Policy Attachments
|
||||
|
||||
Hierarchical firewall policies can be managed in two ways:
|
||||
|
||||
- via the `firewall_policies` variable, to directly define policies and rules in Terraform
|
||||
- via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
|
||||
|
||||
Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.
|
||||
|
||||
### Directly Defined Firewall Policies
|
||||
Hierarchical firewall policies can be managed via the [`net-firewall-policy`](../net-firewall-policy/) module, including support for factories. Once a policy is available, attaching it to the organization can be done either in the firewall policy module itself, or here:
|
||||
|
||||
```hcl
|
||||
module "firewall-policy" {
|
||||
source = "./fabric/modules/net-firewall-policy"
|
||||
name = "test-1"
|
||||
parent_id = var.organization_id
|
||||
# attachment via the firewall policy module
|
||||
# attachments = {
|
||||
# org = var.organization_id
|
||||
# }
|
||||
}
|
||||
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
firewall_policies = {
|
||||
iap-policy = {
|
||||
allow-admins = {
|
||||
description = "Access from the admin subnet to all subnets"
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 1000
|
||||
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
||||
ports = { all = [] }
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
allow-iap-ssh = {
|
||||
description = "Always allow ssh from IAP."
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 100
|
||||
ranges = ["35.235.240.0/20"]
|
||||
ports = {
|
||||
tcp = ["22"]
|
||||
}
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
}
|
||||
}
|
||||
firewall_policy_association = {
|
||||
iap_policy = "iap-policy"
|
||||
# attachment via the organization module
|
||||
firewall_policy_associations = {
|
||||
test-1 = module.firewall-policy.id
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4 inventory=hfw.yaml
|
||||
```
|
||||
|
||||
### Firewall Policy Factory
|
||||
|
||||
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
firewall_policy_factory = {
|
||||
cidr_file = "configs/firewall-policies/cidrs.yaml"
|
||||
policy_name = "iap-policy"
|
||||
rules_file = "configs/firewall-policies/rules.yaml"
|
||||
}
|
||||
firewall_policy_association = {
|
||||
iap_policy = module.org.firewall_policy_id["iap-policy"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4 files=cidrs,rules inventory=hfw.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
|
||||
rfc1918:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
|
||||
allow-admins:
|
||||
description: Access from the admin subnet to all subnets
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 1000
|
||||
ranges:
|
||||
- $rfc1918
|
||||
ports:
|
||||
all: []
|
||||
target_resources: null
|
||||
logging: false
|
||||
|
||||
allow-iap-ssh:
|
||||
description: "Always allow ssh from IAP."
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 100
|
||||
ranges:
|
||||
- 35.235.240.0/20
|
||||
ports:
|
||||
tcp: ["22"]
|
||||
target_resources: null
|
||||
logging: false
|
||||
# tftest modules=2 resources=2
|
||||
```
|
||||
|
||||
## Log Sinks
|
||||
@@ -530,18 +450,14 @@ module "org" {
|
||||
```
|
||||
|
||||
<!-- TFDOC OPTS files:1 -->
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Files
|
||||
|
||||
| name | description | resources |
|
||||
|---|---|---|
|
||||
| [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
|
||||
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and data access logs. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_organization_iam_audit_config</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> |
|
||||
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
@@ -553,27 +469,25 @@ module "org" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [organization_id](variables.tf#L226) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L199) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [firewall_policy_association](variables.tf#L48) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [firewall_policy_factory](variables.tf#L55) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
||||
| [group_iam](variables.tf#L65) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L72) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L79) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive_members](variables.tf#L86) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_policy](variables.tf#L93) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables.tf#L99) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables.tf#L114) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L121) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [network_tags](variables.tf#L151) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L173) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies_data_path](variables.tf#L200) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policy_custom_constraints](variables.tf#L206) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policy_custom_constraints_data_path](variables.tf#L220) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L235) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L241) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [firewall_policy_associations](variables.tf#L31) | Hierarchical firewall policies to associate to this folder, in association name => policy id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [group_iam](variables.tf#L38) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L45) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L52) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive_members](variables.tf#L59) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_policy](variables.tf#L66) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables.tf#L72) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables.tf#L87) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L94) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [network_tags](variables.tf#L124) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L146) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies_data_path](variables.tf#L173) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policy_custom_constraints](variables.tf#L179) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policy_custom_constraints_data_path](variables.tf#L193) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L208) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L214) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
@@ -582,13 +496,11 @@ module "org" {
|
||||
| [custom_constraint_ids](outputs.tf#L17) | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
|
||||
| [custom_role_id](outputs.tf#L22) | Map of custom role IDs created in the organization. | |
|
||||
| [custom_roles](outputs.tf#L35) | Map of custom roles resources created in the organization. | |
|
||||
| [firewall_policies](outputs.tf#L40) | Map of firewall policy resources created in the organization. | |
|
||||
| [firewall_policy_id](outputs.tf#L45) | Map of firewall policy ids created in the organization. | |
|
||||
| [id](outputs.tf#L50) | Fully qualified organization id. | |
|
||||
| [network_tag_keys](outputs.tf#L67) | Tag key resources. | |
|
||||
| [network_tag_values](outputs.tf#L76) | Tag value resources. | |
|
||||
| [organization_id](outputs.tf#L86) | Organization id dependent on module resources. | |
|
||||
| [sink_writer_identities](outputs.tf#L103) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L111) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L120) | Tag value resources. | |
|
||||
| [id](outputs.tf#L40) | Fully qualified organization id. | |
|
||||
| [network_tag_keys](outputs.tf#L57) | Tag key resources. | |
|
||||
| [network_tag_values](outputs.tf#L66) | Tag value resources. | |
|
||||
| [organization_id](outputs.tf#L76) | Organization id dependent on module resources. | |
|
||||
| [sink_writer_identities](outputs.tf#L93) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L101) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L110) | Tag value resources. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -1,100 +0,0 @@
|
||||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description Hierarchical firewall policies.
|
||||
|
||||
locals {
|
||||
_factory_cidrs = try(
|
||||
yamldecode(file(var.firewall_policy_factory.cidr_file)), {}
|
||||
)
|
||||
_factory_name = (
|
||||
try(var.firewall_policy_factory.policy_name, null) == null
|
||||
? "factory"
|
||||
: var.firewall_policy_factory.policy_name
|
||||
)
|
||||
_factory_rules = try(
|
||||
yamldecode(file(var.firewall_policy_factory.rules_file)), {}
|
||||
)
|
||||
_factory_rules_parsed = {
|
||||
for name, rule in local._factory_rules : name => merge(rule, {
|
||||
ranges = flatten([
|
||||
for r in(rule.ranges == null ? [] : rule.ranges) :
|
||||
lookup(local._factory_cidrs, trimprefix(r, "$"), r)
|
||||
])
|
||||
})
|
||||
}
|
||||
_merged_rules = flatten([
|
||||
for policy, rules in local.firewall_policies : [
|
||||
for name, rule in rules : merge(rule, {
|
||||
policy = policy
|
||||
name = name
|
||||
})
|
||||
]
|
||||
])
|
||||
firewall_policies = merge(var.firewall_policies, (
|
||||
length(local._factory_rules) == 0
|
||||
? {}
|
||||
: { (local._factory_name) = local._factory_rules_parsed }
|
||||
))
|
||||
firewall_rules = {
|
||||
for r in local._merged_rules : "${r.policy}-${r.name}" => r
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy" "policy" {
|
||||
for_each = local.firewall_policies
|
||||
short_name = each.key
|
||||
parent = var.organization_id
|
||||
depends_on = [
|
||||
google_organization_iam_binding.authoritative,
|
||||
google_organization_iam_custom_role.roles,
|
||||
google_organization_iam_member.additive,
|
||||
google_organization_iam_policy.authoritative,
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy_rule" "rule" {
|
||||
for_each = local.firewall_rules
|
||||
firewall_policy = google_compute_firewall_policy.policy[each.value.policy].id
|
||||
action = each.value.action
|
||||
direction = each.value.direction
|
||||
priority = try(each.value.priority, null)
|
||||
target_resources = try(each.value.target_resources, null)
|
||||
target_service_accounts = try(each.value.target_service_accounts, null)
|
||||
enable_logging = try(each.value.logging, null)
|
||||
# preview = each.value.preview
|
||||
description = each.value.description
|
||||
match {
|
||||
src_ip_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
||||
dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
||||
dynamic "layer4_configs" {
|
||||
for_each = each.value.ports
|
||||
iterator = port
|
||||
content {
|
||||
ip_protocol = port.key
|
||||
ports = port.value
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy_association" "association" {
|
||||
for_each = var.firewall_policy_association
|
||||
name = replace(var.organization_id, "/", "-")
|
||||
attachment_target = var.organization_id
|
||||
firewall_policy = try(google_compute_firewall_policy.policy[each.value].id, each.value)
|
||||
}
|
||||
|
||||
@@ -26,3 +26,10 @@ resource "google_essential_contacts_contact" "contact" {
|
||||
language_tag = "en"
|
||||
notification_category_subscriptions = each.value
|
||||
}
|
||||
|
||||
resource "google_compute_firewall_policy_association" "default" {
|
||||
for_each = var.firewall_policy_associations
|
||||
attachment_target = var.organization_id
|
||||
name = each.key
|
||||
firewall_policy = each.value
|
||||
}
|
||||
|
||||
@@ -37,16 +37,6 @@ output "custom_roles" {
|
||||
value = google_organization_iam_custom_role.roles
|
||||
}
|
||||
|
||||
output "firewall_policies" {
|
||||
description = "Map of firewall policy resources created in the organization."
|
||||
value = { for k, v in google_compute_firewall_policy.policy : k => v }
|
||||
}
|
||||
|
||||
output "firewall_policy_id" {
|
||||
description = "Map of firewall policy ids created in the organization."
|
||||
value = { for k, v in google_compute_firewall_policy.policy : k => v.id }
|
||||
}
|
||||
|
||||
output "id" {
|
||||
description = "Fully qualified organization id."
|
||||
value = var.organization_id
|
||||
|
||||
@@ -28,40 +28,13 @@ variable "custom_roles" {
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
description = "Hierarchical firewall policy rules created in the organization."
|
||||
type = map(map(object({
|
||||
action = string
|
||||
description = string
|
||||
direction = string
|
||||
logging = bool
|
||||
ports = map(list(string))
|
||||
priority = number
|
||||
ranges = list(string)
|
||||
target_resources = list(string)
|
||||
target_service_accounts = list(string)
|
||||
# preview = bool
|
||||
})))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policy_association" {
|
||||
description = "The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else."
|
||||
variable "firewall_policy_associations" {
|
||||
description = "Hierarchical firewall policies to associate to this folder, in association name => policy id format."
|
||||
type = map(string)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "firewall_policy_factory" {
|
||||
description = "Configuration for the firewall policy factory."
|
||||
type = object({
|
||||
cidr_file = string
|
||||
policy_name = string
|
||||
rules_file = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "group_iam" {
|
||||
description = "Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
|
||||
type = map(list(string))
|
||||
|
||||
Reference in New Issue
Block a user