Add support for context to net-lb-int net-vpc-firewall and net-vpc module (#3419)
* net-lb-int * net-vpc-firewall * net-vpc * net-vpc
committed by
GitHub
parent
ecdc248f3f
commit
7c920d7d35
@@ -269,13 +269,14 @@ module "firewall" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [network](variables.tf#L111) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L116) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L60) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L70) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270 disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L94) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
| [network](variables.tf#L123) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L128) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [context](variables.tf#L17) | Context-specific interpolations. | <code title="object({ cidr_ranges = optional(map(string), {}) iam_principals = optional(map(string), {}) networks = optional(map(string), {}) project_ids = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [default_rules_config](variables.tf#L29) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_rules](variables.tf#L49) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L72) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L82) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270 disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L106) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -25,23 +25,27 @@ locals {
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "allow-admins" {
|
||||
count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
|
||||
name = "${var.network}-ingress-admins"
|
||||
description = "Access from the admin subnet to all subnets."
|
||||
network = var.network
|
||||
project = var.project_id
|
||||
source_ranges = local.default_rules.admin_ranges
|
||||
count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
|
||||
project = local.project_id
|
||||
network = local.network
|
||||
name = "${local.network_name}-ingress-admins"
|
||||
description = "Access from the admin subnet to all subnets."
|
||||
source_ranges = [
|
||||
for r in local.default_rules.admin_ranges : lookup(local.ctx.cidr_ranges, r, r)
|
||||
]
|
||||
allow { protocol = "all" }
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "allow-tag-http" {
|
||||
count = length(local.default_rules.http_ranges) > 0 ? 1 : 0
|
||||
name = "${var.network}-ingress-tag-http"
|
||||
description = "Allow http to machines with matching tags."
|
||||
network = var.network
|
||||
project = var.project_id
|
||||
source_ranges = local.default_rules.http_ranges
|
||||
target_tags = local.default_rules.http_tags
|
||||
count = length(local.default_rules.http_ranges) > 0 ? 1 : 0
|
||||
project = local.project_id
|
||||
network = local.network
|
||||
name = "${local.network_name}-ingress-tag-http"
|
||||
description = "Allow http to machines with matching tags."
|
||||
source_ranges = [
|
||||
for r in local.default_rules.http_ranges : lookup(local.ctx.cidr_ranges, r, r)
|
||||
]
|
||||
target_tags = local.default_rules.http_tags
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
ports = ["80"]
|
||||
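Review bot: The context resolution `[for r in local.default_rules.admin_ranges : lookup(local.ctx.cidr_ranges, r, r)]` in allow-admins is repeated verbatim, with only the list name changed, for the http rule in this hunk and the https and ssh rules in the two hunks that follow, so the four copies can drift independently. Resolving the ranges once in locals, presumably next to where `local.default_rules` is built (outside this hunk), e.g. `admin_ranges = [for r in local.default_rules.admin_ranges : lookup(local.ctx.cidr_ranges, r, r)]`, and referencing the resolved lists here keeps the lookup logic in one place. It is also worth a one-line comment that `lookup(..., r, r)` passes an unmatched reference through unchanged, so a mistyped `$cidr_ranges:<key>` reaches the provider as a literal non-CIDR string and should be rejected at plan or apply time rather than silently matching another range. The `locals` block that opens this hunk starts outside it.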
@@ -49,13 +53,15 @@ resource "google_compute_firewall" "allow-tag-http" {
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "allow-tag-https" {
|
||||
count = length(local.default_rules.https_ranges) > 0 ? 1 : 0
|
||||
name = "${var.network}-ingress-tag-https"
|
||||
description = "Allow http to machines with matching tags."
|
||||
network = var.network
|
||||
project = var.project_id
|
||||
source_ranges = local.default_rules.https_ranges
|
||||
target_tags = local.default_rules.https_tags
|
||||
count = length(local.default_rules.https_ranges) > 0 ? 1 : 0
|
||||
project = local.project_id
|
||||
network = local.network
|
||||
name = "${local.network_name}-ingress-tag-https"
|
||||
description = "Allow http to machines with matching tags."
|
||||
source_ranges = [
|
||||
for r in local.default_rules.https_ranges : lookup(local.ctx.cidr_ranges, r, r)
|
||||
]
|
||||
target_tags = local.default_rules.https_tags
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
ports = ["443"]
|
||||
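Review bot: The https rule's description is re-emitted on the new side as `description = "Allow http to machines with matching tags."`, which is a copy of the http rule's text and mislabels the rule in the console and in audit output. It should read `description = "Allow https to machines with matching tags."`; since the commit already rewrites this resource, this is the moment to fix it, and for an existing rule it should only be an in-place update. The `allow` block that closes this rule continues outside the hunk.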
@@ -63,13 +69,15 @@ resource "google_compute_firewall" "allow-tag-https" {
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "allow-tag-ssh" {
|
||||
count = length(local.default_rules.ssh_ranges) > 0 ? 1 : 0
|
||||
name = "${var.network}-ingress-tag-ssh"
|
||||
description = "Allow SSH to machines with matching tags."
|
||||
network = var.network
|
||||
project = var.project_id
|
||||
source_ranges = local.default_rules.ssh_ranges
|
||||
target_tags = local.default_rules.ssh_tags
|
||||
count = length(local.default_rules.ssh_ranges) > 0 ? 1 : 0
|
||||
project = local.project_id
|
||||
network = local.network
|
||||
name = "${local.network_name}-ingress-tag-ssh"
|
||||
description = "Allow SSH to machines with matching tags."
|
||||
source_ranges = [
|
||||
for r in local.default_rules.ssh_ranges : lookup(local.ctx.cidr_ranges, r, r)
|
||||
]
|
||||
target_tags = local.default_rules.ssh_tags
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
ports = ["22"]
|
||||
|
||||
@@ -66,6 +66,15 @@ locals {
|
||||
for name, rule in merge(var.ingress_rules) :
|
||||
name => merge(rule, { direction = "INGRESS" })
|
||||
}
|
||||
ctx = {
|
||||
for k, v in var.context : k => {
|
||||
for kk, vv in v : "${local.ctx_p}${k}:${kk}" => vv
|
||||
}
|
||||
}
|
||||
ctx_p = "$"
|
||||
network = lookup(local.ctx.networks, var.network, var.network)
|
||||
network_name = reverse(split("/", local.network))[0]
|
||||
project_id = lookup(local.ctx.project_ids, var.project_id, var.project_id)
|
||||
# convert rules data to resource format and replace range template variables
|
||||
rules = {
|
||||
for name, rule in local._rules :
|
||||
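Review bot: The new `ctx` local defines the reference syntax users have to write (`"${local.ctx_p}${k}:${kk}"`, i.e. `$<type>:<key>`), but neither it nor `ctx_p` carries a comment, and `ctx_p` as a name does not convey that it is a prefix. I'd rename it `ctx_prefix` or add above `ctx`: `# flatten var.context into one lookup map per type, keyed "$<type>:<key>" (e.g. "$cidr_ranges:<key>")`. Above `network_name` I'd add `# keep only the last path element, so a self link resolved from the context still yields a short prefix for the default rule names`, since the line assumes `local.network` is either a bare name or a slash-separated path and the context value format is not constrained by the variable type. The locals block continues outside the hunk on both sides.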
@@ -94,30 +103,32 @@ locals {
|
||||
|
||||
resource "google_compute_firewall" "custom-rules" {
|
||||
for_each = local.rules
|
||||
project = var.project_id
|
||||
network = var.network
|
||||
project = local.project_id
|
||||
network = local.network
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
direction = each.value.direction
|
||||
source_ranges = (
|
||||
each.value.direction == "INGRESS"
|
||||
each.value.source_ranges == null
|
||||
? (
|
||||
each.value.source_ranges == null && each.value.sources == null
|
||||
each.value.direction == "INGRESS" && each.value.sources == null
|
||||
? ["0.0.0.0/0"]
|
||||
: each.value.source_ranges
|
||||
: null
|
||||
)
|
||||
#for egress, we will include the source_ranges when provided. Previously, null was forced
|
||||
: each.value.source_ranges
|
||||
: [
|
||||
for r in each.value.source_ranges : lookup(local.ctx.cidr_ranges, r, r)
|
||||
]
|
||||
)
|
||||
destination_ranges = (
|
||||
each.value.direction == "EGRESS"
|
||||
each.value.destination_ranges == null
|
||||
? (
|
||||
each.value.destination_ranges == null
|
||||
each.value.direction == "EGRESS"
|
||||
? ["0.0.0.0/0"]
|
||||
: each.value.destination_ranges
|
||||
: null
|
||||
)
|
||||
#for ingress, we will include the destination_ranges when provided. Previously, null was forced
|
||||
: each.value.destination_ranges
|
||||
: [
|
||||
for r in each.value.destination_ranges : lookup(local.ctx.cidr_ranges, r, r)
|
||||
]
|
||||
)
|
||||
source_tags = (
|
||||
each.value.use_service_accounts || each.value.direction == "EGRESS"
|
||||
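Review bot: The rewrite of `source_ranges` and `destination_ranges` drops the two comments that explained when null ranges are widened (`#for egress, we will include the source_ranges when provided. ...`), and the new nesting now encodes both the `["0.0.0.0/0"]` default and the context lookup without any explanation. Because the 0/0 default is the security-relevant branch, I'd restore a short comment above `source_ranges`, e.g. `# null ranges default to 0/0 only for ingress rules with no source principals; otherwise resolve "$cidr_ranges:<key>" references`, and a matching one above `destination_ranges` for the egress case. It is also worth noting there that `lookup(local.ctx.cidr_ranges, r, r)` leaves an unmatched reference unchanged, so a mistyped key reaches the provider as a literal string rather than matching a different range, and that a context entry is a single string per key (`map(string)` in the variable type on this page) whereas, per the context comment above, `named_ranges` appears to expand to lists. The `custom-rules` resource continues outside the hunk.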
@@ -126,14 +137,19 @@ resource "google_compute_firewall" "custom-rules" {
|
||||
)
|
||||
source_service_accounts = (
|
||||
each.value.use_service_accounts && each.value.direction == "INGRESS"
|
||||
? each.value.sources
|
||||
? (each.value.sources == null ? null : [
|
||||
for s in each.value.sources : lookup(local.ctx.iam_principals, s, s)
|
||||
])
|
||||
: null
|
||||
)
|
||||
target_tags = (
|
||||
each.value.use_service_accounts ? null : each.value.targets
|
||||
!each.value.use_service_accounts ? each.value.targets : null
|
||||
)
|
||||
target_service_accounts = (
|
||||
each.value.use_service_accounts ? each.value.targets : null
|
||||
!each.value.use_service_accounts ? null : (
|
||||
each.value.targets == null ? null : [
|
||||
for s in each.value.targets : lookup(local.ctx.iam_principals, s, s)
|
||||
])
|
||||
)
|
||||
disabled = each.value.disabled == true
|
||||
priority = each.value.priority
|
||||
|
||||
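Review bot: The new `target_tags` and `target_service_accounts` expressions invert the condition (`!each.value.use_service_accounts ? each.value.targets : null` and `!each.value.use_service_accounts ? null : (...)`), which reads as a double negative in the second case and differs from the positive form used by `source_service_accounts` just above. I'd keep the positive condition: `each.value.use_service_accounts ? null : each.value.targets` for target_tags and `each.value.use_service_accounts ? (each.value.targets == null ? null : [...]) : null` for target_service_accounts, so all three attributes branch the same way. Behavior is unchanged either way; this is purely readability. The `custom-rules` resource continues outside the hunk.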
@@ -14,6 +14,18 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "context" {
|
||||
description = "Context-specific interpolations."
|
||||
type = object({
|
||||
cidr_ranges = optional(map(string), {})
|
||||
iam_principals = optional(map(string), {})
|
||||
networks = optional(map(string), {})
|
||||
project_ids = optional(map(string), {})
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "default_rules_config" {
|
||||
description = "Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable."
|
||||
type = object({
|
||||
|
||||
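Review bot: The description `"Context-specific interpolations."` on the new `context` variable does not tell users how an entry is referenced, and the README table earlier on this page repeats the same text, so the `$<type>:<key>` syntax is only discoverable by reading the locals in main.tf. I'd expand it along the lines of `description = "Context-specific interpolations. Entries are referenced in rules, network and project_id as '$<type>:<key>' (e.g. '$cidr_ranges:<key>'); unmatched references are left unchanged."`. Stating the pass-through behavior in the variable matters because a mistyped reference is not caught by the type system and only surfaces when the provider rejects the literal. The `default_rules_config` variable that closes the hunk continues outside it.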