
feat: Change old firewall to new network-firewall (#1041)
Co-authored-by: Daniel Andrade <[email protected]>
Samir-Cit and daniel-cit authored Dec 27, 2023
1 parent 79b217e commit f2469c1
Showing 25 changed files with 604 additions and 712 deletions.
67 changes: 48 additions & 19 deletions 0-bootstrap/modules/jenkins-agent/main.tf
Expand Up @@ -18,7 +18,6 @@ locals {
cicd_project_name = format("%s-%s", var.project_prefix, "b-cicd")
impersonation_enabled_count = var.sa_enable_impersonation ? 1 : 0
activate_apis = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"]))
jenkins_gce_fw_tags = ["ssh-jenkins-agent"]
}

resource "random_id" "suffix" {
Expand Down Expand Up @@ -70,7 +69,11 @@ resource "google_compute_instance" "jenkins_agent_gce_instance" {
machine_type = var.jenkins_agent_gce_machine_type
zone = "${var.default_region}-a"

tags = local.jenkins_gce_fw_tags
params {
resource_manager_tags = {
"tagKeys/${google_tags_tag_key.jenkins_agents.name}" = "tagValues/${google_tags_tag_value.jenkins_agents.name}"
}
}

boot_disk {
initialize_params {
Expand Down Expand Up @@ -105,26 +108,52 @@ resource "google_compute_instance" "jenkins_agent_gce_instance" {
}

/******************************************
Jenkins Agent GCE Network and Firewall rules
Jenkins Agent GCE Network, Resource Manager Tags and Firewall rules
*******************************************/

resource "google_compute_firewall" "fw_allow_ssh_into_jenkins_agent" {
project = module.cicd_project.project_id
name = "fw-${google_compute_network.jenkins_agents.name}-1000-i-a-all-all-tcp-22"
description = "Allow the Jenkins Controller (Client) to connect to the Jenkins Agents (Servers) using SSH."
network = google_compute_network.jenkins_agents.name
source_ranges = var.jenkins_controller_subnetwork_cidr_range
target_tags = local.jenkins_gce_fw_tags
priority = 1000

log_config {
metadata = "INCLUDE_ALL_METADATA"
resource "google_tags_tag_key" "jenkins_agents" {
description = "Tag Key to control the connection between Jenkins Controller (Client) and the Jenkins Agents (Servers) using SSH."
parent = "organizations/${var.org_id}"
purpose = "GCE_FIREWALL"
short_name = "ssh-jenkins-agent"
purpose_data = {
network = "${module.cicd_project.project_id}/${google_compute_network.jenkins_agents.name}"
}
}

allow {
protocol = "tcp"
ports = ["22"]
}
resource "google_tags_tag_value" "jenkins_agents" {
description = "Allow the connection."
parent = "tagKeys/${google_tags_tag_key.jenkins_agents.name}"
short_name = "allow"
}

module "jenkins_firewall_rules" {
source = "terraform-google-modules/network/google//modules/network-firewall-policy"
version = "~> 8.0"
project_id = module.cicd_project.project_id
policy_name = "fp-${google_compute_network.jenkins_agents.name}-jenkins-firewall"
description = "Jenkins Agent GCE network firewall rules."
target_vpcs = [google_compute_network.jenkins_agents.name]

rules = [
{
priority = "1000"
direction = "INGRESS"
action = "allow"
rule_name = "fw-${google_compute_network.jenkins_agents.name}-1000-i-a-all-all-tcp-22"
description = "Allow the Jenkins Controller (Client) to connect to the Jenkins Agents (Servers) using SSH."
enable_logging = true
target_secure_tags = ["tagValues/${google_tags_tag_value.jenkins_agents.name}"]
match = {
dest_ip_ranges = var.jenkins_controller_subnetwork_cidr_range
layer4_configs = [
{
ip_protocol = "tcp"
ports = ["22"]
},
]
}
}
]
}

resource "google_compute_network" "jenkins_agents" {
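Review bot: The migrated SSH rule's match block, `dest_ip_ranges = var.jenkins_controller_subnetwork_cidr_range`, inverts the direction the removed resource expressed with `source_ranges`: this is an INGRESS rule and the controller subnet CIDR is where the connection originates, not where it terminates. As written the rule only matches packets whose destination falls inside the controller subnet, which the tagged agent instances are not part of, so the controller would presumably no longer be able to reach the agents on TCP 22. Change the line to `src_ip_ranges = var.jenkins_controller_subnetwork_cidr_range`, which is also how the ingress rule added to base_shared_vpc/firewall.tf in this same commit is written. The google_compute_instance block whose `tags` line is replaced by the `params` block starts outside the hunk.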
4 changes: 0 additions & 4 deletions 3-networks-dual-svpc/modules/base_env/main.tf
Expand Up @@ -241,8 +241,6 @@ module "restricted_shared_vpc" {
secondary_ranges = {
"sb-${var.environment_code}-shared-restricted-${var.default_region1}" = var.restricted_subnet_secondary_ranges[var.default_region1]
}
allow_all_ingress_ranges = null
allow_all_egress_ranges = null
}

/******************************************
Expand Down Expand Up @@ -312,6 +310,4 @@ module "base_shared_vpc" {
secondary_ranges = {
"sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1]
}
allow_all_ingress_ranges = null
allow_all_egress_ranges = null
}
3 changes: 1 addition & 2 deletions 3-networks-dual-svpc/modules/base_shared_vpc/README.md
Expand Up @@ -3,15 +3,14 @@

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allow\_all\_egress\_ranges | List of network ranges to which all egress traffic will be allowed | `any` | `null` | no |
| allow\_all\_ingress\_ranges | List of network ranges from which all ingress traffic will be allowed | `any` | `null` | no |
| bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes |
| default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes |
| default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes |
| dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
| domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
| enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no |
| environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
| nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
185 changes: 82 additions & 103 deletions 3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf
Expand Up @@ -15,108 +15,87 @@
*/

/******************************************
Mandatory firewall rules
Mandatory and optional firewall rules
*****************************************/

resource "google_compute_firewall" "deny_all_egress" {
name = "fw-${var.environment_code}-shared-base-65530-e-d-all-all-all"
network = module.main.network_name
project = var.project_id
direction = "EGRESS"
priority = 65530

dynamic "log_config" {
for_each = var.firewall_enable_logging == true ? [{
metadata = "INCLUDE_ALL_METADATA"
}] : []

content {
metadata = log_config.value.metadata
}
}

deny {
protocol = "all"
}

destination_ranges = ["0.0.0.0/0"]
}


resource "google_compute_firewall" "allow_private_api_egress" {
name = "fw-${var.environment_code}-shared-base-65430-e-a-allow-google-apis-all-tcp-443"
network = module.main.network_name
project = var.project_id
direction = "EGRESS"
priority = 65430

dynamic "log_config" {
for_each = var.firewall_enable_logging == true ? [{
metadata = "INCLUDE_ALL_METADATA"
}] : []

content {
metadata = log_config.value.metadata
}
}

allow {
protocol = "tcp"
ports = ["443"]
}

destination_ranges = [local.private_googleapis_cidr]

target_tags = ["allow-google-apis"]
}


resource "google_compute_firewall" "allow_all_egress" {
count = var.allow_all_egress_ranges != null ? 1 : 0
name = "fw-${var.environment_code}-shared-base-1000-e-a-all-all-all"
network = module.main.network_name
project = var.project_id
direction = "EGRESS"
priority = 1000

dynamic "log_config" {
for_each = var.firewall_enable_logging == true ? [{
metadata = "INCLUDE_ALL_METADATA"
}] : []

content {
metadata = log_config.value.metadata
}
}

allow {
protocol = "all"
}

destination_ranges = var.allow_all_egress_ranges
}

resource "google_compute_firewall" "allow_all_ingress" {
count = var.allow_all_ingress_ranges != null ? 1 : 0
name = "fw-${var.environment_code}-shared-base-1000-i-a-all"
network = module.main.network_name
project = var.project_id
direction = "INGRESS"
priority = 1000

dynamic "log_config" {
for_each = var.firewall_enable_logging == true ? [{
metadata = "INCLUDE_ALL_METADATA"
}] : []

content {
metadata = log_config.value.metadata
}
}

allow {
protocol = "all"
}

source_ranges = var.allow_all_ingress_ranges
module "firewall_rules" {
source = "terraform-google-modules/network/google//modules/network-firewall-policy"
version = "~> 8.0"
project_id = var.project_id
policy_name = "fp-${var.environment_code}-dual-svpc-base-firewalls"
description = "Firewall rules for base dual shared vpc: ${module.main.network_name}."
target_vpcs = ["projects/${var.project_id}/global/networks/${module.main.network_name}"]

rules = concat(
[
{
priority = "65530"
direction = "EGRESS"
action = "deny"
rule_name = "fw-${var.environment_code}-shared-base-65530-e-d-all-all-all"
description = "Lower priority rule to deny all egress traffic."
enable_logging = var.firewall_enable_logging
match = {
dest_ip_ranges = ["0.0.0.0/0"]
layer4_configs = [
{
ip_protocol = "all"
},
]
}
},
{
priority = "1000"
direction = "EGRESS"
action = "allow"
rule_name = "fw-${var.environment_code}-shared-base-1000-e-a-allow-google-apis-all-tcp-443"
description = "Lower priority rule to allow private google apis on TCP port 443."
enable_logging = var.firewall_enable_logging
match = {
dest_ip_ranges = [local.private_googleapis_cidr]
layer4_configs = [
{
ip_protocol = "tcp"
ports = ["443"]
},
]
}
}
],
!var.enable_all_vpc_internal_traffic ? [] : [
{
priority = "10000"
direction = "EGRESS"
action = "allow"
rule_name = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all"
description = "Allow all egress to the provided IP range."
enable_logging = var.firewall_enable_logging
match = {
dest_ip_ranges = module.main.subnets_ips
layer4_configs = [
{
ip_protocol = "all"
},
]
}
}
],
!var.enable_all_vpc_internal_traffic ? [] : [
{
priority = "10001"
direction = "INGRESS"
action = "allow"
rule_name = "fw-${var.environment_code}-shared-base-10001-i-a-all"
description = "Allow all ingress to the provided IP range."
enable_logging = var.firewall_enable_logging
match = {
src_ip_ranges = module.main.subnets_ips
layer4_configs = [
{
ip_protocol = "all"
},
]
}
}
]
)
}
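Review bot: The private Google APIs egress rule (`rule_name = "fw-${var.environment_code}-shared-base-1000-e-a-allow-google-apis-all-tcp-443"`) drops the `target_tags = ["allow-google-apis"]` restriction the removed `allow_private_api_egress` resource carried, so the allow now applies to every instance attached to the VPC instead of only the tagged ones, and its priority moves from 65430 to 1000. If that widening is intended it should be stated in the rule's `description`; if not, the policy module already supports scoping with `target_secure_tags` bound to a GCE_FIREWALL tag key, exactly as the jenkins-agent change in this commit does. Separately, the two optional internal-traffic rules keep descriptions that say "to the provided IP range" although the range is now `module.main.subnets_ips` rather than a caller-supplied variable; `description = "Allow all egress to the VPC subnet ranges."` and the matching ingress wording would be accurate.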
12 changes: 4 additions & 8 deletions 3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
Expand Up @@ -137,12 +137,8 @@ variable "windows_activation_enabled" {
default = false
}

variable "allow_all_egress_ranges" {
description = "List of network ranges to which all egress traffic will be allowed"
default = null
}

variable "allow_all_ingress_ranges" {
description = "List of network ranges from which all ingress traffic will be allowed"
default = null
variable "enable_all_vpc_internal_traffic" {
type = bool
description = "Enable firewall policy rule to allow internal traffic (ingress and egress)."
default = false
}
3 changes: 1 addition & 2 deletions 3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
Expand Up @@ -4,8 +4,6 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
| allow\_all\_egress\_ranges | List of network ranges to which all egress traffic will be allowed | `any` | `null` | no |
| allow\_all\_ingress\_ranges | List of network ranges from which all ingress traffic will be allowed | `any` | `null` | no |
| bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes |
| default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
| default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
Expand All @@ -14,6 +12,7 @@
| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
| domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
| enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no |
| environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
