Merge pull request #383 from terraform-google-modules/sruffilli-net-vpc-firewall-minifactory

net-vpc-firewall mini rules-factory

CHANGELOG.md

@@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
 - new `cloud-run` module
 - added gVNIC support to `compute-vm` module
+- added a rule factory to `net-vpc-firewall` module
+- added a subnet factory to `net-vpc` module
 
 ## [8.0.0] - 2021-10-21
 

modules/net-vpc-firewall/README.md

@@ -81,6 +81,49 @@ module "firewall" {
 # tftest:modules=1:resources=1
 ```
 
+
+### Rules Factory
+The module includes a rules factory (see [Resource Factories](../../factories/)) for the massive creation of rules leveraging YaML configuration files. Each configuration file can optionally contain more than one rule which a structure that reflects the `custom_rules` variable.
+
+```hcl
+module "firewall" {
+  source             = "./modules/net-vpc-firewall"
+  project_id         = "my-project"
+  network            = "my-network"
+  data_folder        = "config/firewall"
+  cidr_template_file = "config/cidr_template.yaml"
+}
+# tftest:skip
+```
+
+```yaml
+# ./config/firewall/load_balancers.yaml
+allow-healthchecks:
+  description: Allow ingress from healthchecks.
+  direction: INGRESS
+  action: allow
+  sources: []
+  ranges:
+    - $healthchecks
+  targets: ["lb-backends"]
+  use_service_accounts: false
+  rules:
+    - protocol: tcp
+      ports:
+        - 80
+        - 443
+```
+
+```yaml
+# ./config/cidr_template.yaml
+healthchecks:
+  - 35.191.0.0/16
+  - 130.211.0.0/22
+  - 209.85.152.0/22
+  - 209.85.204.0/22
+
+```
+
 <!-- BEGIN TFDOC -->
 ## Variables
 
@@ -89,7 +132,9 @@ module "firewall" {
 | network | Name of the network this set of firewall rules applies to. | <code title="">string</code> | ✓ |  |
 | project_id | Project id of the project that holds the network. | <code title="">string</code> | ✓ |  |
 | *admin_ranges* | IP CIDR ranges that have complete access to all subnets. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *cidr_template_file* | Path for optional file containing name->cidr_list map to be used by the rules factory. | <code title="">string</code> |  | <code title="">null</code> |
 | *custom_rules* | List of custom rule definitions (refer to variables file for syntax). | <code title="map&#40;object&#40;&#123;&#10;description          &#61; string&#10;direction            &#61; string&#10;action               &#61; string &#35; &#40;allow&#124;deny&#41;&#10;ranges               &#61; list&#40;string&#41;&#10;sources              &#61; list&#40;string&#41;&#10;targets              &#61; list&#40;string&#41;&#10;use_service_accounts &#61; bool&#10;rules &#61; list&#40;object&#40;&#123;&#10;protocol &#61; string&#10;ports    &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;&#10;extra_attributes &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
+| *data_folder* | Path for optional folder containing firewall rules defined as YaML objects used by the rules factory. | <code title="">string</code> |  | <code title="">null</code> |
 | *http_source_ranges* | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
 | *https_source_ranges* | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
 | *named_ranges* | Names that can be used of valid values for the `ranges` field of `custom_rules` | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="&#123;&#10;any                   &#61; &#91;&#34;0.0.0.0&#47;0&#34;&#93;&#10;dns-forwarders        &#61; &#91;&#34;35.199.192.0&#47;19&#34;&#93;&#10;health-checkers       &#61; &#91;&#34;35.191.0.0&#47;16&#34;, &#34;130.211.0.0&#47;22&#34;, &#34;209.85.152.0&#47;22&#34;, &#34;209.85.204.0&#47;22&#34;&#93;&#10;iap-forwarders        &#61; &#91;&#34;35.235.240.0&#47;20&#34;&#93;&#10;private-googleapis    &#61; &#91;&#34;199.36.153.8&#47;30&#34;&#93;&#10;restricted-googleapis &#61; &#91;&#34;199.36.153.4&#47;30&#34;&#93;&#10;rfc1918               &#61; &#91;&#34;10.0.0.0&#47;8&#34;, &#34;172.16.0.0&#47;12&#34;, &#34;192.168.0.0&#47;16&#34;&#93;&#10;&#125;">...</code> |

modules/net-vpc-firewall/main.tf

@@ -15,7 +15,7 @@
  */
 
 locals {
-  custom_rules = {
+  _custom_rules = {
     for id, rule in var.custom_rules :
     id => merge(rule, {
       # make rules a map so we use it in a for_each
@@ -27,8 +27,36 @@ locals {
       ])
     })
   }
+
+  cidrs = try({ for name, cidrs in yamldecode(file("${var.cidr_template_file}")) :
+    name => cidrs
+  }, {})
+
+  _factory_rules_raw = flatten([
+    for file in try(fileset(var.data_folder, "**/*.yaml"), []) : [
+      for key, ruleset in yamldecode(file("${var.data_folder}/${file}")) :
+      merge(ruleset, {
+        name  = "${key}"
+        rules = { for index, ports in ruleset.rules : index => ports }
+        ranges = try(ruleset.ranges, null) == null ? null : flatten(
+          [for cidr in ruleset.ranges :
+            can(regex("^\\$", cidr))
+            ? local.cidrs[trimprefix(cidr, "$")]
+            : [cidr]
+        ])
+        extra_attributes = try(ruleset.extra_attributes, {})
+      })
+    ]
+  ])
+
+  _factory_rules = {
+    for d in local._factory_rules_raw : d["name"] => d
+  }
+
+  custom_rules = merge(local._custom_rules, local._factory_rules)
 }
 
+
 ###############################################################################
 #                            rules based on IP ranges
 ###############################################################################

modules/net-vpc-firewall/variables.tf

@@ -20,6 +20,12 @@ variable "admin_ranges" {
   default     = []
 }
 
+variable "cidr_template_file" {
+  description = "Path for optional file containing name->cidr_list map to be used by the rules factory."
+  type        = string
+  default     = null
+}
+
 variable "custom_rules" {
   description = "List of custom rule definitions (refer to variables file for syntax)."
   type = map(object({
@@ -39,6 +45,12 @@ variable "custom_rules" {
   default = {}
 }
 
+variable "data_folder" {
+  description = "Path for optional folder containing firewall rules defined as YaML objects used by the rules factory."
+  type        = string
+  default     = null
+}
+
 variable "http_source_ranges" {
   description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
   type        = list(string)
@@ -80,3 +92,4 @@ variable "ssh_source_ranges" {
   type        = list(string)
   default     = ["35.235.240.0/20"]
 }
+

tests/modules/net_vpc_firewall/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/modules/net_vpc_firewall/fixture/config/cidr_template.yaml

@@ -0,0 +1,19 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+healthchecks:
+  - 35.191.0.0/16
+  - 130.211.0.0/22
+  - 209.85.152.0/22
+  - 209.85.204.0/22

tests/modules/net_vpc_firewall/fixture/config/firewall/load_balancers.yaml

@@ -0,0 +1,28 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow-healthchecks:
+  description: Allow ingress from healthchecks.
+  direction: INGRESS
+  action: allow
+  sources: []
+  ranges:
+    - $healthchecks
+  targets: ["lb-backends"]
+  use_service_accounts: false
+  rules:
+    - protocol: tcp
+      ports:
+        - 80
+        - 443

tests/modules/net_vpc_firewall/fixture/main.tf

@@ -0,0 +1,28 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "firewall" {
+  source              = "../../../../modules/net-vpc-firewall"
+  project_id          = var.project_id
+  network             = var.network
+  admin_ranges        = var.admin_ranges
+  http_source_ranges  = var.http_source_ranges
+  https_source_ranges = var.https_source_ranges
+  ssh_source_ranges   = var.ssh_source_ranges
+  custom_rules        = var.custom_rules
+  data_folder         = var.data_folder
+  cidr_template_file  = var.cidr_template_file
+}

tests/modules/net_vpc_firewall/fixture/variables.tf

@@ -0,0 +1,97 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "admin_ranges" {
+  description = "IP CIDR ranges that have complete access to all subnets."
+  type        = list(string)
+  default     = []
+}
+
+variable "cidr_template_file" {
+  description = "Path for optional file containing name->cidr_list map to be used by the rules factory."
+  type        = string
+  default     = null
+}
+
+variable "custom_rules" {
+  description = "List of custom rule definitions (refer to variables file for syntax)."
+  type = map(object({
+    description          = string
+    direction            = string
+    action               = string # (allow|deny)
+    ranges               = list(string)
+    sources              = list(string)
+    targets              = list(string)
+    use_service_accounts = bool
+    rules = list(object({
+      protocol = string
+      ports    = list(string)
+    }))
+    extra_attributes = map(string)
+  }))
+  default = {}
+}
+
+variable "data_folder" {
+  description = "Path for optional folder containing firewall rules defined as YaML objects used by the rules factory."
+  type        = string
+  default     = null
+}
+
+variable "http_source_ranges" {
+  description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
+  type        = list(string)
+  default     = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "https_source_ranges" {
+  description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
+  type        = list(string)
+  default     = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "named_ranges" {
+  description = "Names that can be used of valid values for the `ranges` field of `custom_rules`"
+  type        = map(list(string))
+  default = {
+    any                   = ["0.0.0.0/0"]
+    dns-forwarders        = ["35.199.192.0/19"]
+    health-checkers       = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+    iap-forwarders        = ["35.235.240.0/20"]
+    private-googleapis    = ["199.36.153.8/30"]
+    restricted-googleapis = ["199.36.153.4/30"]
+    rfc1918               = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  }
+}
+
+variable "network" {
+  description = "Name of the network this set of firewall rules applies to."
+  type        = string
+  default     = "vpc"
+}
+
+variable "project_id" {
+  description = "Project id of the project that holds the network."
+  type        = string
+  default     = "project"
+}
+
+variable "ssh_source_ranges" {
+  description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
+  type        = list(string)
+  default     = ["35.235.240.0/20"]
+}
+

tests/modules/net_vpc_firewall/test_plan.py

@@ -0,0 +1,44 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_vpc_firewall_simple(plan_runner):
+  "Test vpc with no extra options."
+  _, resources = plan_runner(FIXTURES_DIR)
+  assert len(resources) == 3
+  assert set([r['type'] for r in resources]) == set(
+      ['google_compute_firewall'])
+  assert set([r['values']['name'] for r in resources]) == set(
+      ['vpc-ingress-tag-http', 'vpc-ingress-tag-https', 'vpc-ingress-tag-ssh'])
+  assert set([r['values']['project'] for r in resources]) == set(['project'])
+  assert set([r['values']['network'] for r in resources]) == set(['vpc'])
+
+
+def test_vpc_firewall_factory(plan_runner):
+  "Test shared vpc variables."
+  _, resources = plan_runner(
+      FIXTURES_DIR, data_folder="config/firewall", cidr_template_file="config/cidr_template.yaml")
+  assert len(resources) == 4
+  factory_rule = [r for r in resources if r["values"]
+                  ["name"] == "allow-healthchecks"][0]["values"]
+  assert set(factory_rule["source_ranges"]) == set(
+      ["130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"])
+  assert set(factory_rule["target_tags"]) == set(["lb-backends"])