feat: Decentralized firewall management example added.

This commit is contained in:
averbukh
2021-07-26 09:22:40 +02:00
parent 1c6707b982
commit c0aab69bb7
19 changed files with 528 additions and 26 deletions


@@ -4,7 +4,7 @@ This module allows creation and management of different types of firewall rules
Yaml abstraction for FW rules can simplify users onboarding and also makes rules definition simpler and clearer comparing to HCL.
Nested folder structure for yaml configurations is supported, which allows better and structured code management.
Nested folder structure for yaml configurations is supported, which allows better and structured code management for multiple teams and environments.
## Example
@@ -12,20 +12,29 @@ Nested folder structure for yaml configurations is supported, which allows bette
```hcl
module "prod-firewall" {
source = "./modules/net-vpc-firewall-yaml"
project_id = "my-prod-project"
network = "my-prod-network"
config_path = "./prod"
source = "./modules/net-vpc-firewall-yaml"
project_id = "my-prod-project"
network = "my-prod-network"
config_directories = [
"./prod",
"./common"
]
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
}
module "dev-firewall" {
source = "./modules/net-vpc-firewall-yaml"
project_id = "my-dev-project"
network = "my-dev-network"
config_path = "./dev"
source = "./modules/net-vpc-firewall-yaml"
project_id = "my-dev-project"
network = "my-dev-network"
config_directories = [
"./prod",
"./common"
]
}
# tftest:skip
```
@@ -33,9 +42,11 @@ module "dev-firewall" {
### Configuration Structure
```bash
├── common
│ ├── default-egress.yaml
│   ├── lb-rules.yaml
│   └── iap-ingress.yaml
├── dev
│   ├── core
│   │   └── common-rules.yaml
│   ├── team-a
│   │   ├── databases.yaml
│   │   └── webb-app-a.yaml
@@ -43,8 +54,6 @@ module "dev-firewall" {
│   ├── backend.yaml
│   └── frontend.yaml
└── prod
├── core
│   └── common-rules.yaml
├── team-a
│   ├── databases.yaml
│   └── webb-app-a.yaml
@@ -63,7 +72,7 @@ rule-name: # descriptive name, naming convention is adjusted by the module
- ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports
protocol: tcp # protocol, put `all` for any protocol
direction: EGRESS # EGRESS or INGRESS
disabled: false # `false` or `true`, FW rule is disabled when `true`, default value is `true`
disabled: false # `false` or `true`, FW rule is disabled when `true`, default value is `false`
priority: 1000 # rule priority value, default value is 1000
source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
- 0.0.0.0/0
@@ -131,7 +140,7 @@ web-app-a-ingress:
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| config_path | Path to a folder where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml` | <code title="">string</code> | ✓ | |
| config_directories | List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml` | <code title="list&#40;string&#41;">list(string)</code> | ✓ | |
| network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ | |
| project_id | Project Id. | <code title="">string</code> | ✓ | |
| *log_config* | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging. | <code title="object&#40;&#123;&#10;metadata &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |


@@ -15,10 +15,23 @@
*/
locals {
firewall_rule_files = flatten(
[
for config_path in var.config_directories :
concat(
[
for config_file in fileset("${path.root}/${config_path}", "**/*.yaml") :
"${path.root}/${config_path}/${config_file}"
]
)
]
)
firewall_rules = merge(
[
for config_file in fileset("${path.root}/${var.config_path}", "**/*.yaml") :
try(yamldecode(file("${path.root}/${var.config_path}/${config_file}")), {})
for config_file in local.firewall_rule_files :
try(yamldecode(file(config_file)), {})
]...
)
}
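Review bot: The `merge([...]...)` over every file from every directory in `var.config_directories` silently resolves duplicate rule names with last-file-wins, so a rule defined in a shared directory (for example a deny rule in `./common`) can be replaced without any diagnostic by a same-named rule in a directory listed later; the order of `config_directories` is now security-relevant and nothing in the hunk says so. At minimum document it above `firewall_rules`: `# rule names must be unique across all config directories: merge() keeps the last definition, so later entries in var.config_directories override earlier ones`. A stricter option is a local that collects `keys(...)` of every decoded file and compares `length(...)` with `length(distinct(...))` so a duplicate fails the plan rather than disappearing; whether that can be enforced depends on the Terraform version this module pins, which is not visible here. Related, `try(yamldecode(file(config_file)), {})` still turns a malformed YAML file into an empty map, so a syntax error in a file holding a deny rule removes that rule silently — consider dropping the `try` or at least noting the behaviour in the same comment. The `concat(...)` wrapping a single list in `firewall_rule_files` is a no-op and can be removed.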


@@ -18,7 +18,7 @@ output "ingress_allow_rules" {
description = "Ingress rules with allow blocks."
value = [
for rule in google_compute_firewall.rules :
rule.name if rule.direction == "INGRESS" && length(rule.allow) > 0
rule if rule.direction == "INGRESS" && length(rule.allow) > 0
]
}
@@ -26,7 +26,7 @@ output "ingress_deny_rules" {
description = "Ingress rules with deny blocks."
value = [
for rule in google_compute_firewall.rules :
rule.name if rule.direction == "INGRESS" && length(rule.deny) > 0
rule if rule.direction == "INGRESS" && length(rule.deny) > 0
]
}
@@ -34,7 +34,7 @@ output "egress_allow_rules" {
description = "Egress rules with allow blocks."
value = [
for rule in google_compute_firewall.rules :
rule.name if rule.direction == "EGRESS" && length(rule.allow) > 0
rule if rule.direction == "EGRESS" && length(rule.allow) > 0
]
}
@@ -42,6 +42,6 @@ output "egress_deny_rules" {
description = "Egress rules with allow blocks."
value = [
for rule in google_compute_firewall.rules :
rule.name if rule.direction == "EGRESS" && length(rule.deny) > 0
rule if rule.direction == "EGRESS" && length(rule.deny) > 0
]
}
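Review bot: The four outputs now return whole `google_compute_firewall` resource objects instead of names, which changes the output type for every consumer of `ingress_allow_rules`, `ingress_deny_rules`, `egress_allow_rules` and `egress_deny_rules` (a list of strings becomes a list of objects carrying `allow`, `deny`, `source_ranges`, and so on), yet the descriptions are unchanged and the README outputs table is not updated in the hunks shown. The descriptions should say what is exported, e.g. `description = "Ingress firewall rule resources with allow blocks."`. The context line for `egress_deny_rules` also still reads `description = "Egress rules with allow blocks."`, which is a copy of the allow output and should be `"Egress rules with deny blocks."`. If the previous name-only form is still needed by callers, a `*_names` output alongside these would keep the change backward compatible.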


@@ -24,9 +24,9 @@ variable "project_id" {
type = string
}
variable "config_path" {
description = "Path to a folder where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml`"
type = string
variable "config_directories" {
description = "List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml`"
type = list(string)
}
variable "log_config" {