From 18f1e8ebb1217536cc9582f09b1cc23d3eb70bdb Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Mon, 10 Apr 2023 10:47:51 +0000
Subject: [PATCH 01/10] added source and destination ranges to both ingress and egress fw rules
---
 modules/net-vpc-firewall/variables.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf
index 9f750cc839..e6a07205fe 100644
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -45,6 +45,7 @@ variable "egress_rules" {
 include_metadata = optional(bool)
 }))
 priority = optional(number, 1000)
+ source_ranges = optional(list(string))
 targets = optional(list(string))
 use_service_accounts = optional(bool, false)
 rules = optional(list(object({
@@ -68,9 +69,10 @@ variable "factories_config" {
 variable "ingress_rules" {
 description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0."
 type = map(object({
- deny = optional(bool, false)
- description = optional(string)
- disabled = optional(bool, false)
+ deny = optional(bool, false)
+ description = optional(string)
+ destination_ranges = optional(list(string))
+ disabled = optional(bool, false)
 enable_logging = optional(object({
 include_metadata = optional(bool)
 }))
From adb88d8a875003fc3576966cb5230c2a050058b7 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Mon, 10 Apr 2023 14:00:55 +0000
Subject: [PATCH 02/10] allow destination_range variable in ingress rules and source_range in egress rules
---
 modules/net-vpc-firewall/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index e525ceb4b4..aed1208789 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
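Review bot: The `ingress_rules` description kept as context in the second hunk still says only `Null source ranges will be replaced with 0/0` and is silent on the new `destination_ranges` attribute, so nothing tells a caller that a destination-scoped ingress rule whose `source_ranges` is left null still admits traffic from `0.0.0.0/0` (destination ranges on an ingress rule select the instance addresses it applies to, not the senders). Suggest `description = "List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0; destination ranges, when set, only narrow which instance addresses the rule applies to."`, with the mirror caveat on the `egress_rules` description for its new `source_ranges`. Both variable blocks begin and end outside the hunks.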
@@ -101,7 +101,7 @@ resource "google_compute_firewall" "custom-rules" {
 ? ["0.0.0.0/0"]
 : each.value.source_ranges
 )
- : null
+ : each.value.source_ranges #for egress, we will include the range only if != null. Previously, always included a null
 )
 destination_ranges = (
 each.value.direction == "EGRESS"
@@ -110,7 +110,7 @@ resource "google_compute_firewall" "custom-rules" {
 ? ["0.0.0.0/0"]
 : each.value.destination_ranges
 )
- : null
+ : each.value.destination_ranges #for ingress, we will include the range only if != null. Previously, always included a null
 )
 source_tags = (
 each.value.use_service_accounts || each.value.direction == "EGRESS"
From 4ccf9f936131fd6c80af5a87f795335f8c7cc0df Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 10:22:08 +0000
Subject: [PATCH 03/10] included an empty list as default in the ingress_rules.destination_ranges variable
---
 modules/net-vpc-firewall/main.tf | 6 ++++--
 modules/net-vpc-firewall/variables.tf | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index aed1208789..bd528b029f 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -101,7 +101,8 @@ resource "google_compute_firewall" "custom-rules" {
 ? ["0.0.0.0/0"]
 : each.value.source_ranges
 )
- : each.value.source_ranges #for egress, we will include the range only if != null. Previously, always included a null
+ #for egress, we will include the source_ranges when provided. Previously, null was forced
+ : each.value.source_ranges
 )
 destination_ranges = (
 each.value.direction == "EGRESS"
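Review bot: The egress branch of `source_ranges` (and the ingress branch of `destination_ranges` in the sibling hunk) now forwards `each.value.source_ranges` untouched, while the existing direction still goes through the null → `0.0.0.0/0` substitution; the README lists a `named_ranges` variable "that can be used in custom rules", and whether that alias lookup is applied to these newly forwarded attributes is decided wherever `each.value` is assembled, outside this hunk, so please confirm they pass through the same resolution as the pre-existing attributes, otherwise an alias name would reach the provider verbatim and fail at apply. Style: a `#for egress ...` comment inside the parenthesised conditional is legal HCL but easy to miss; `# for egress, forward source_ranges as provided (previously forced to null)` on its own line above `source_ranges = (` reads better. The `google_compute_firewall.custom-rules` resource begins and ends outside the hunk.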
@@ -110,7 +111,8 @@ resource "google_compute_firewall" "custom-rules" {
 ? ["0.0.0.0/0"]
 : each.value.destination_ranges
 )
- : each.value.destination_ranges #for ingress, we will include the range only if != null. Previously, always included a null
+ #for ingress, we will include the destination_ranges when provided. Previously, null was forced
+ : each.value.destination_ranges
 )
 source_tags = (
 each.value.use_service_accounts || each.value.direction == "EGRESS"
diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf
index e6a07205fe..3b21fb5f13 100644
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -71,7 +71,7 @@ variable "ingress_rules" {
 type = map(object({
 deny = optional(bool, false)
 description = optional(string)
- destination_ranges = optional(list(string))
+ destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value
 disabled = optional(bool, false)
 enable_logging = optional(object({
 include_metadata = optional(bool)
From b809b315f613b866a5af993c283071c49a6cae98 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 10:43:32 +0000
Subject: [PATCH 04/10] added example for source&destination ranges usage in fw rules
---
 modules/net-vpc-firewall/README.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index f886035ba7..52c6b32866 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
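Review bot: The `[]` default is applied only to the ingress-side `destination_ranges`; the egress-side `source_ranges` added earlier in this series (`source_ranges = optional(list(string))` in `egress_rules`, outside this hunk) keeps a null default, so the cannot-clear-after-create behaviour this commit works around presumably still applies there. If the provider treats an empty list as unset, which is what the ingress side now relies on, `source_ranges = optional(list(string), [])` on the egress side keeps both directions consistent; worth confirming with a plan that sets and then removes each attribute. The trailing comment makes the type line very long; `# defaults to [] rather than null: the provider cannot clear this attribute once it has been set` on its own line above the attribute keeps the object type readable. The `ingress_rules` variable begins and ends outside the hunk.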
@@ -136,6 +136,36 @@ module "firewall" {
 # tftest modules=0 resources=0
 ```
 
+#### Including source & destination ranges
+
+Custom rules now support including both source & destination ranges in Ingress and Egress rules:
+
+```hcl
+module "firewall" {
+ source = "./fabric/modules/net-vpc-firewall"
+ project_id = "my-project"
+ network = "my-network"
+ default_rules_config = {
+ disabled = true
+ }
+ egress_rules = {
+ allow-egress-source-destination-ranges = {
+ description = "Deny egress using source and destination ranges"
+ source_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
+ destination_ranges = ["172.16.0.0/12"]
+ }
+ }
+ ingress_rules = {
+ allow-ingress-source-destination-ranges = {
+ description = "Allow ingress using source and destination ranges"
+ source_ranges = ["172.16.0.0/12"]
+ destination_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
+ }
+ }
+}
+# tftest modules=1 resources=2
+```
+
 ### Rules Factory
 
 The module includes a rules factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of rules leveraging YaML configuration files. Each configuration file can optionally contain more than one rule which a structure that reflects the `custom_rules` variable.
From 6f1e531af0b64b61ddda86f118de0a5bda5cd7eb Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 10:45:45 +0000
Subject: [PATCH 05/10] added example for source&destination ranges usage in fw rules
---
 modules/net-vpc-firewall/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 52c6b32866..8831bbb394 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -136,7 +136,7 @@ module "firewall" {
 # tftest modules=0 resources=0
 ```
 
-#### Including source & destination ranges
+### Including source & destination ranges
 
 Custom rules now support including both source & destination ranges in Ingress and Egress rules:
 
From 4e426a990afd6d776006a0adea35dbfa78f904d4 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 10:48:56 +0000
Subject: [PATCH 06/10] correct naming in source destination egress fw rule
---
 modules/net-vpc-firewall/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 8831bbb394..66bc83ce57 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -149,7 +149,7 @@ module "firewall" {
 disabled = true
 }
 egress_rules = {
- allow-egress-source-destination-ranges = {
+ deny-egress-source-destination-ranges = {
 description = "Deny egress using source and destination ranges"
 source_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
 destination_ranges = ["172.16.0.0/12"]
From d150f03b41cc0105960dc958be3d499b384ffe99 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 11:30:12 +0000
Subject: [PATCH 07/10] included link to the tf resource bug in a comment
---
 modules/net-vpc-firewall/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf
index 3b21fb5f13..132f00ed9e 100644
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -71,7 +71,7 @@ variable "ingress_rules" {
 type = map(object({
 deny = optional(bool, false)
 description = optional(string)
- destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value
+ destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value. See https://github.com/hashicorp/terraform-provider-google/issues/14270
 disabled = optional(bool, false)
 enable_logging = optional(object({
 include_metadata = optional(bool)
From 6db1a5f5d3e6e4f92033d99c525fecb4d5fc7ed8 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 11:39:47 +0000
Subject: [PATCH 08/10] updated variables doc
---
 modules/net-vpc-firewall/README.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 66bc83ce57..9036a6bc08 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -232,13 +232,13 @@ healthchecks:
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [network](variables.tf#L108) | Name of the network this set of firewall rules applies to. | string | ✓ | |
-| [project_id](variables.tf#L113) | Project id of the project that holds the network. | string | ✓ | |
+| [network](variables.tf#L110) | Name of the network this set of firewall rules applies to. | string | ✓ | |
+| [project_id](variables.tf#L115) | Project id of the project that holds the network. | string | ✓ | |
 | [default_rules_config](variables.tf#L17) | Optionally created convenience rules. Set the 'disabled' attribute to true, or individual rule attributes to empty lists to disable. | object({…}) | | {} |
-| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | map(object({…})) | | {} |
-| [factories_config](variables.tf#L59) | Paths to data files and folders that enable factory functionality. | object({…}) | | null |
-| [ingress_rules](variables.tf#L68) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | map(object({…})) | | {} |
-| [named_ranges](variables.tf#L91) | Define mapping of names to ranges that can be used in custom rules. | map(list(string)) | | {…} |
+| [egress_rules](variables.tf#L37) | List of egress rule definitions, default to deny action. Null destination ranges will be replaced with 0/0. | map(object({…})) | | {} |
+| [factories_config](variables.tf#L60) | Paths to data files and folders that enable factory functionality. | object({…}) | | null |
+| [ingress_rules](variables.tf#L69) | List of ingress rule definitions, default to allow action. Null source ranges will be replaced with 0/0. | map(object({…})) | | {} |
+| [named_ranges](variables.tf#L93) | Define mapping of names to ranges that can be used in custom rules. | map(list(string)) | | {…} |
 
 ## Outputs
 
From df789db9bd0de0d3bfbd2cdd9d6a9380f9134a2f Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Tue, 11 Apr 2023 21:59:36 +0000
Subject: [PATCH 09/10] updated spaces
---
 modules/net-vpc-firewall/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 9036a6bc08..a393a66148 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -150,15 +150,15 @@ module "firewall" {
 }
 egress_rules = {
 deny-egress-source-destination-ranges = {
- description = "Deny egress using source and destination ranges"
- source_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
+ description = "Deny egress using source and destination ranges"
+ source_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
 destination_ranges = ["172.16.0.0/12"]
 }
 }
 ingress_rules = {
 allow-ingress-source-destination-ranges = {
- description = "Allow ingress using source and destination ranges"
- source_ranges = ["172.16.0.0/12"]
+ description = "Allow ingress using source and destination ranges"
+ source_ranges = ["172.16.0.0/12"]
 destination_ranges = ["10.132.0.0/20", "10.138.0.0/20"]
 }
 }
From 063c5061c80ebf4ff36e34bcb83201b1be838d2c Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Wed, 12 Apr 2023 08:25:33 +0000
Subject: [PATCH 10/10] lowercase text
---
 modules/net-vpc-firewall/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index a393a66148..af04343f39 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -138,7 +138,7 @@ module "firewall" {
 
 ### Including source & destination ranges
 
-Custom rules now support including both source & destination ranges in Ingress and Egress rules:
+Custom rules now support including both source & destination ranges in ingress and egress rules:
 
 ```hcl
 module "firewall" {