feat: add allowed_ip_ranges variable (#21)

terraform-google-modules · Oct 19, 2021 · b91c587 · b91c587
1 parent 1fba8c7
commit b91c587
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/modules/create_environment/README.md b/modules/create_environment/README.md
@@ -53,6 +53,7 @@ module "composer" {
 | subnetwork\_region | The subnetwork region of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | tags | Tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls. | `set(string)` | `[]` | no |
 | use\_ip\_aliases | Enable Alias IPs in the GKE cluster. If true, a VPC-native cluster is created. | `bool` | `false` | no |
+| web\_server\_allowed\_ip\_ranges | The network-level access control policy for the Airflow web server. If unspecified, no network-level access restrictions will be applied. | <pre>list(object({<br>    value       = string,<br>    description = string<br>  }))</pre> | `null` | no |
 | web\_server\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for the web server. | `string` | `null` | no |
 | zone | Zone where the Cloud Composer nodes are created. | `string` | `"us-central1-f"` | no |
 

diff --git a/modules/create_environment/main.tf b/modules/create_environment/main.tf
@@ -50,6 +50,19 @@ resource "google_composer_environment" "composer_env" {
       }
     }
 
+    dynamic "web_server_network_access_control" {
+      for_each = var.web_server_allowed_ip_ranges == null ? [] : [1]
+      content {
+        dynamic "allowed_ip_range" {
+          for_each = var.web_server_allowed_ip_ranges
+          content {
+            value       = allowed_ip_range.value.value
+            description = allowed_ip_range.value.description
+          }
+        }
+      }
+    }
+
     dynamic "private_environment_config" {
       for_each = var.use_ip_aliases ? [
         {

diff --git a/modules/create_environment/variables.tf b/modules/create_environment/variables.tf
@@ -177,3 +177,12 @@ variable "kms_key_name" {
   type        = string
   default     = null
 }
+
+variable "web_server_allowed_ip_ranges" {
+  description = "The network-level access control policy for the Airflow web server. If unspecified, no network-level access restrictions will be applied."
+  default     = null
+  type = list(object({
+    value       = string,
+    description = string
+  }))
+}