diff --git a/examples/data-solutions/data-platform-foundations/03-composer.tf b/examples/data-solutions/data-platform-foundations/03-composer.tf
index 26cd7199b..6a23a6a10 100644
--- a/examples/data-solutions/data-platform-foundations/03-composer.tf
+++ b/examples/data-solutions/data-platform-foundations/03-composer.tf
@@ -34,11 +34,12 @@ resource "google_composer_environment" "orch-cmp-0" {
 config {
 node_count = var.composer_config.node_count
 node_config {
- zone = "${var.region}-b"
- service_account = module.orch-sa-cmp-0.email
- network = local.orch_vpc
- subnetwork = local.orch_subnet
- tags = ["composer-worker", "http-server", "https-server"]
+ zone = "${var.region}-b"
+ service_account = module.orch-sa-cmp-0.email
+ network = local.orch_vpc
+ subnetwork = local.orch_subnet
+ tags = ["composer-worker", "http-server", "https-server"]
+ enable_ip_masq_agent = true
 ip_allocation_policy {
 use_ip_aliases = "true"
 cluster_secondary_range_name = try(
@@ -49,6 +50,18 @@ resource "google_composer_environment" "orch-cmp-0" {
 )
 }
 }
+ private_environment_config {
+ enable_private_endpoint = "true"
+ cloud_sql_ipv4_cidr_block = try(
+ var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24"
+ )
+ master_ipv4_cidr_block = try(
+ var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28"
+ )
+ web_server_ipv4_cidr_block = try(
+ var.network_config.composer_ip_ranges.web_server, "10.20.11.16/28"
+ )
+ }
 software_config {
 image_version = var.composer_config.airflow_version
 env_variables = merge(
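Review bot: The three CIDR fallbacks in the relocated `private_environment_config` block (`10.20.10.0/24`, `10.20.11.0/28`, `10.20.11.16/28`) are bare literals with no explanation, and Composer requires the Cloud SQL, GKE master and web-server ranges to be disjoint from each other and from the orchestration subnet's primary and secondary ranges, so a comment above the block would save the next reader a lookup, e.g. `# Private-IP environment: master, Cloud SQL and web server get dedicated ranges; override via network_config.composer_ip_ranges and keep them disjoint from the orch subnet and its pod/service ranges.` `enable_private_endpoint = "true"` passes a string where the attribute is boolean; writing `true` keeps it consistent with the neighbouring `enable_ip_masq_agent = true`. With the masq agent enabled, pod egress leaves with node addresses, so any ingress rule keyed on source ranges (the new `ingress-allow-composer-nodes` rule in rules.yaml uses `10.128.48.0/24`) presumably has to name the node subnet rather than the pod range; if that is the intent it is worth stating next to `enable_ip_masq_agent`. The resource's `config` block continues outside the hunk.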
@@ -87,18 +100,6 @@ resource "google_composer_environment" "orch-cmp-0" {
 }
 )
 }
- private_environment_config {
- enable_private_endpoint = "true"
- cloud_sql_ipv4_cidr_block = try(
- var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24"
- )
- master_ipv4_cidr_block = try(
- var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28"
- )
- web_server_ipv4_cidr_block = try(
- var.network_config.composer_ip_ranges.web_server, "10.20.11.16/28"
- )
- }
 
 dynamic "encryption_config" {
 for_each = (
@@ -111,12 +112,22 @@ resource "google_composer_environment" "orch-cmp-0" {
 }
 }
 
- # web_server_network_access_control {
- # allowed_ip_range {
- # value = "172.16.0.0/12"
- # description = "Allowed ip range"
+ # dynamic "web_server_network_access_control" {
+ # for_each = toset(
+ # var.network_config.web_server_network_access_control == null
+ # ? []
+ # : [var.network_config.web_server_network_access_control]
+ # )
+ # content {
+ # dynamic "allowed_ip_range" {
+ # for_each = toset(web_server_network_access_control.key)
+ # content {
+ # value = allowed_ip_range.key
+ # }
+ # }
 # }
 # }
+ }
 
 depends_on = [
 google_project_iam_member.shared_vpc,
diff --git a/examples/data-solutions/data-platform-foundations/variables.tf b/examples/data-solutions/data-platform-foundations/variables.tf
index 037471dfd..39a9cbfb2 100644
--- a/examples/data-solutions/data-platform-foundations/variables.tf
+++ b/examples/data-solutions/data-platform-foundations/variables.tf
@@ -79,6 +79,7 @@ variable "network_config" {
 pods = string
 services = string
 })
+ # web_server_network_access_control = list(string)
 })
 default = null
 }
diff --git a/fast/stages/02-networking-vpn/data/firewall-rules/dev/rules.yaml b/fast/stages/02-networking-vpn/data/firewall-rules/dev/rules.yaml
index d0863d4c1..dcc36d3e1 100644
--- a/fast/stages/02-networking-vpn/data/firewall-rules/dev/rules.yaml
+++ b/fast/stages/02-networking-vpn/data/firewall-rules/dev/rules.yaml
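Review bot: The rewritten `web_server_network_access_control` block in the `@@ -111,12 +112,22 @@` hunk is still shipped as commented-out code, and its input `web_server_network_access_control = list(string)` is likewise only a comment in the variables.tf hunk, so neither `terraform fmt` nor `validate` ever exercises it and it will rot silently. If it is meant to land later, a one-line reason is more useful than the bare block, e.g. `# Disabled until network_config.web_server_network_access_control is exposed; without it the Airflow web server keeps the provider default of no network-level source restriction (access is still gated by IAM).` If it is enabled as written, note that `for_each = toset([var.network_config.web_server_network_access_control])` iterates a one-element set whose key is the whole list, so the inner `toset(web_server_network_access_control.key)` is correct but opaque; a comment saying `# outer loop only exists to skip the block when the variable is null` would make that readable. The enclosing `config` block starts outside the hunk.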
@@ -1,6 +1,24 @@
 # skip boilerplate check
-allow-dataflow-load-ingress-traffic:
+ingress-allow-composer-nodes:
+ description: "Allow traffic on Cloud Dataflow subnet"
+ direction: INGRESS
+ action: allow
+ sources: []
+ ranges:
+ - 10.128.48.0/24
+ targets:
+ - composer-worker
+ use_service_accounts: false
+ rules:
+ - protocol: tcp
+ ports:
+ - 80
+ - 443
+ - 3306
+ - 3307
+
+ingress-allow-dataflow-load:
 description: "Allow traffic on Cloud Dataflow subnet"
 direction: INGRESS
 action: allow