Add support for allow- and deny-lists

This commit is contained in:
Julio Castillo
2021-02-15 17:27:21 +01:00
parent d32937f263
commit abf61fa7e2
5 changed files with 53 additions and 17 deletions


@@ -8,7 +8,7 @@ The resulting `cloud-config` can be customized in a number of ways:
- additional files (e.g. additional acls) can be passed in via the `files` variable
- a completely custom `cloud-config` can be passed in via the `cloud_config` variable, and additional template variables can be passed in via `config_variables`
The default instance configuration inserts iptables rules to allow traffic on TCP port 3128.
The default instance configuration inserts iptables rules to allow traffic on TCP port 3128. With the default `squid.conf`, deny rules take precedence over allow rules.
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the Squid container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
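Review bot: the new sentence "With the default `squid.conf`, deny rules take precedence over allow rules." settles precedence between the two lists but says nothing about domains that match neither, which is exactly what the new `default_action` variable in this same change governs; suggest extending it, e.g. "Domains matching neither list fall through to `default_action` (default `deny`)." Since the precedence claim is tied to the bundled `squid.conf`, it is also worth stating that it no longer holds for a custom file passed via `squid_config`.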
@@ -61,15 +61,17 @@ module "cos-squid" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| *clients* | List of CIDRs from which Squid will allow connections | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *allow* | List of domains Squid will allow connections to. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *clients* | List of CIDR ranges from which Squid will allow connections. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *cloud_config* | Cloud config template path. If null default will be used. | <code title="">string</code> | | <code title="">null</code> |
| *config_variables* | Additional variables used to render the cloud-config and Squid templates. | <code title="map&#40;any&#41;">map(any)</code> | | <code title="">{}</code> |
| *default_action* | Default action for domains not matching neither the allow or deny lists | <code title="">string</code> | | <code title="deny&#10;validation &#123;&#10;condition &#61; var.default_action &#61;&#61; &#34;deny&#34; &#124;&#124; var.default_action &#61;&#61; &#34;allow&#34;&#10;error_message &#61; &#34;Default action must be allow or deny.&#34;&#10;&#125;">...</code> |
| *deny* | List of domains Squid will deny connections to. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *file_defaults* | Default owner and permissions for files. | <code title="object&#40;&#123;&#10;owner &#61; string&#10;permissions &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;owner &#61; &#34;root&#34;&#10;permissions &#61; &#34;0644&#34;&#10;&#125;">...</code> |
| *files* | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10;content &#61; string&#10;owner &#61; string&#10;permissions &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *squid_config* | Squid configuration path, if null default will be used. | <code title="">string</code> | | <code title="">null</code> |
| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10;project_id &#61; string&#10;zone &#61; string&#10;name &#61; string&#10;type &#61; string&#10;network &#61; string&#10;subnetwork &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10;disks &#61; map&#40;object&#40;&#123;&#10;read_only &#61; bool&#10;size &#61; number&#10;&#125;&#41;&#41;&#10;image &#61; string&#10;metadata &#61; map&#40;string&#41;&#10;nat &#61; bool&#10;service_account_roles &#61; list&#40;string&#41;&#10;tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;disks &#61; &#123;&#125;&#10;image &#61; null&#10;metadata &#61; &#123;&#125;&#10;nat &#61; false&#10;service_account_roles &#61; &#91;&#10;&#34;roles&#47;logging.logWriter&#34;,&#10;&#34;roles&#47;monitoring.metricWriter&#34;&#10;&#93;&#10;tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">...</code> |
| *whitelist* | List of domains Squid will allow connections to | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
## Outputs
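Review bot: the `default_action` row's default column renders as `...` with the entire `validation { condition = ... error_message = ... }` block leaked into its title attribute, so the generated table shows no readable default; the documentation generator seems to have swallowed the validation block as part of the default value, so check the variable definition layout (the `validation` block likely needs to be separated from `default = "deny"`) and regenerate so the column reads `deny`. The same row's description, "Default action for domains not matching neither the allow or deny lists", is a double negative; suggest "Default action for domains matching neither the allow nor the deny list." Finally, the `whitelist` row is removed and `allow` takes its place, which is a breaking rename for existing callers that the table alone does not flag; call it out in the README or the commit message.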