Support CIDR range sets in firewall modules context (#3424)
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
509b715a09
commit
8e8be1eda5
@@ -269,14 +269,14 @@ module "firewall" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [network](variables.tf#L123) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L128) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [context](variables.tf#L17) | Context-specific interpolations. | <code title="object({ cidr_ranges = optional(map(string), {}) iam_principals = optional(map(string), {}) networks = optional(map(string), {}) project_ids = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [default_rules_config](variables.tf#L29) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_rules](variables.tf#L49) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L72) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L82) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270 disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L106) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
| [network](variables.tf#L124) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L129) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [context](variables.tf#L17) | Context-specific interpolations. | <code title="object({ cidr_ranges = optional(map(string), {}) cidr_ranges_sets = optional(map(list(string)), {}) iam_principals = optional(map(string), {}) networks = optional(map(string), {}) project_ids = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [default_rules_config](variables.tf#L30) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | <code title="object({ admin_ranges = optional(list(string)) disabled = optional(bool, false) http_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) http_tags = optional(list(string), ["http-server"]) https_ranges = optional(list(string), [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] ) https_tags = optional(list(string), ["https-server"]) ssh_ranges = optional(list(string), ["35.235.240.0/20"]) ssh_tags = optional(list(string), ["ssh"]) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_rules](variables.tf#L50) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, true) description = optional(string) destination_ranges = optional(list(string)) disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L73) | Paths to data files and folders that enable factory functionality. | <code title="object({ cidr_tpl_file = optional(string) rules_folder = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ingress_rules](variables.tf#L83) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | <code title="map(object({ deny = optional(bool, false) description = optional(string) destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270 disabled = optional(bool, false) enable_logging = optional(object({ include_metadata = optional(bool) })) priority = optional(number, 1000) source_ranges = optional(list(string)) sources = optional(list(string)) targets = optional(list(string)) use_service_accounts = optional(bool, false) rules = optional(list(object({ protocol = string ports = optional(list(string)) })), [{ protocol = "all" }]) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [named_ranges](variables.tf#L107) | Define mapping of names to ranges that can be used in custom rules. | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = [ "35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22" ] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -47,6 +47,7 @@ locals {
|
||||
for r in local._factory_rule_list : r.name => r
|
||||
if contains(["EGRESS", "INGRESS"], r.direction)
|
||||
}
|
||||
# TODO: deprecate once FAST does not need this anymore
|
||||
_named_ranges = merge(
|
||||
(
|
||||
var.factories_config.cidr_tpl_file != null
|
||||
@@ -83,19 +84,25 @@ locals {
|
||||
destination_ranges = (
|
||||
try(rule.destination_ranges, null) == null
|
||||
? null
|
||||
: flatten([
|
||||
for range in rule.destination_ranges :
|
||||
try(local._named_ranges[range], range)
|
||||
])
|
||||
: distinct(flatten([
|
||||
for range in rule.destination_ranges : try(
|
||||
local.ctx.cidr_ranges_sets[range],
|
||||
local._named_ranges[range],
|
||||
range
|
||||
)
|
||||
]))
|
||||
)
|
||||
rules = { for k, v in rule.rules : k => v }
|
||||
source_ranges = (
|
||||
try(rule.source_ranges, null) == null
|
||||
? null
|
||||
: flatten([
|
||||
for range in rule.source_ranges :
|
||||
try(local._named_ranges[range], range)
|
||||
])
|
||||
: distinct(flatten([
|
||||
for range in rule.source_ranges : try(
|
||||
local.ctx.cidr_ranges_sets[range],
|
||||
local._named_ranges[range],
|
||||
range
|
||||
)
|
||||
]))
|
||||
)
|
||||
})
|
||||
}
|
||||
|
||||
@@ -17,10 +17,11 @@
|
||||
variable "context" {
|
||||
description = "Context-specific interpolations."
|
||||
type = object({
|
||||
cidr_ranges = optional(map(string), {})
|
||||
iam_principals = optional(map(string), {})
|
||||
networks = optional(map(string), {})
|
||||
project_ids = optional(map(string), {})
|
||||
cidr_ranges = optional(map(string), {})
|
||||
cidr_ranges_sets = optional(map(list(string)), {})
|
||||
iam_principals = optional(map(string), {})
|
||||
networks = optional(map(string), {})
|
||||
project_ids = optional(map(string), {})
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
|
||||
Reference in New Issue
Block a user