
Merge branch 'master' into feature/service_networking_1
q2w authored Aug 22, 2024
2 parents a207449 + 830b09c commit 3caad76
Showing 19 changed files with 2,183 additions and 1,422 deletions.
483 changes: 303 additions & 180 deletions metadata.yaml

Large diffs are not rendered by default.

368 changes: 188 additions & 180 deletions modules/fabric-net-firewall/metadata.yaml
@@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -19,183 +19,191 @@ metadata:
annotations:
config.kubernetes.io/local-config: "true"
spec:
title: Google Cloud VPC Firewall
source:
repo: https://github.com/terraform-google-modules/terraform-google-network
sourceType: git
version: 9.1.0
actuationTool:
type: Terraform
version: '>= 0.13.0'
examples:
- name: basic_auto_mode
location: examples/basic_auto_mode
- name: basic_custom_mode
location: examples/basic_custom_mode
- name: basic_firewall_rule
location: examples/basic_firewall_rule
- name: basic_secondary_ranges
location: examples/basic_secondary_ranges
- name: basic_shared_vpc
location: examples/basic_shared_vpc
- name: basic_vpc_peering
location: examples/basic_vpc_peering
- name: delete_default_gateway_routes
location: examples/delete_default_gateway_routes
- name: firewall_logging
location: examples/firewall_logging
- name: ilb_routing
location: examples/ilb_routing
- name: multi_vpc
location: examples/multi_vpc
- name: network_service_tiers
location: examples/network_service_tiers
- name: packet_mirroring
location: examples/packet_mirroring
- name: private_service_connect
location: examples/private_service_connect
- name: private_service_connect_google_apis
location: examples/private_service_connect_google_apis
- name: routes
location: examples/routes
- name: secondary_ranges
location: examples/secondary_ranges
- name: simple_project
location: examples/simple_project
- name: simple_project_with_regional_network
location: examples/simple_project_with_regional_network
- name: submodule_firewall
location: examples/submodule_firewall
- name: submodule_network_peering
location: examples/submodule_network_peering
- name: submodule_svpc_access
location: examples/submodule_svpc_access
- name: submodule_vpc_serverless_connector
location: examples/submodule_vpc_serverless_connector
variables:
- name: admin_ranges
description: IP CIDR ranges that have complete access to all subnets.
type: list(string)
default: []
required: false
- name: admin_ranges_enabled
description: Enable admin ranges-based rules.
type: bool
default: false
required: false
- name: custom_rules
description: List of custom rule definitions (refer to variables file for syntax).
type: |-
map(object({
description = string
direction = string
action = string # (allow|deny)
ranges = list(string)
sources = list(string)
targets = list(string)
use_service_accounts = bool
rules = list(object({
protocol = string
ports = list(string)
}))
extra_attributes = map(string)
}))
default: {}
required: false
- name: http_source_ranges
description: List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0.
type: list(string)
default:
- 0.0.0.0/0
required: false
- name: http_target_tags
description: List of target tags for tag-based HTTP rule, defaults to http-server.
type: list(string)
default:
- http-server
required: false
- name: https_source_ranges
description: List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0.
type: list(string)
default:
- 0.0.0.0/0
required: false
- name: https_target_tags
description: List of target tags for tag-based HTTPS rule, defaults to https-server.
type: list(string)
default:
- https-server
required: false
- name: internal_allow
description: Allow rules for internal ranges.
type: |-
list(object({
protocol = string
ports = optional(list(string))
}))
default:
- protocol: icmp
required: false
- name: internal_ranges
description: IP CIDR ranges for intra-VPC rules.
type: list(string)
default: []
required: false
- name: internal_ranges_enabled
description: Create rules for intra-VPC ranges.
type: bool
default: false
required: false
- name: internal_target_tags
description: List of target tags for intra-VPC rules.
type: list(string)
default: []
required: false
- name: network
description: Name of the network this set of firewall rules applies to.
type: string
required: true
- name: project_id
description: Project id of the project that holds the network.
type: string
required: true
- name: ssh_source_ranges
description: List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0.
type: list(string)
default:
- 0.0.0.0/0
required: false
- name: ssh_target_tags
description: List of target tags for tag-based SSH rule, defaults to ssh.
type: list(string)
default:
- ssh
required: false
outputs:
- name: admin_ranges
description: Admin ranges data.
- name: custom_egress_allow_rules
description: Custom egress rules with allow blocks.
- name: custom_egress_deny_rules
description: Custom egress rules with allow blocks.
- name: custom_ingress_allow_rules
description: Custom ingress rules with allow blocks.
- name: custom_ingress_deny_rules
description: Custom ingress rules with deny blocks.
- name: internal_ranges
description: Internal ranges.
roles:
- level: Project
info:
title: Google Cloud VPC Firewall
source:
repo: https://github.com/terraform-google-modules/terraform-google-network.git
sourceType: git
dir: /modules/fabric-net-firewall
version: 9.1.0
actuationTool:
flavor: Terraform
version: ">= 1.3"
description: {}
content:
examples:
- name: basic_auto_mode
location: examples/basic_auto_mode
- name: basic_custom_mode
location: examples/basic_custom_mode
- name: basic_firewall_rule
location: examples/basic_firewall_rule
- name: basic_secondary_ranges
location: examples/basic_secondary_ranges
- name: basic_shared_vpc
location: examples/basic_shared_vpc
- name: basic_vpc_peering
location: examples/basic_vpc_peering
- name: bidirectional-firewall-rules
location: examples/bidirectional-firewall-rules
- name: delete_default_gateway_routes
location: examples/delete_default_gateway_routes
- name: firewall_logging
location: examples/firewall_logging
- name: global-network-firewall-policy
location: examples/global-network-firewall-policy
- name: hierarchical-firewall-policy
location: examples/hierarchical-firewall-policy
- name: ilb_routing
location: examples/ilb_routing
- name: multi_vpc
location: examples/multi_vpc
- name: network_service_tiers
location: examples/network_service_tiers
- name: packet_mirroring
location: examples/packet_mirroring
- name: private_service_connect
location: examples/private_service_connect
- name: private_service_connect_google_apis
location: examples/private_service_connect_google_apis
- name: regional-network-firewall-policy
location: examples/regional-network-firewall-policy
- name: routes
location: examples/routes
- name: secondary_ranges
location: examples/secondary_ranges
- name: simple_ipv6_project
location: examples/simple_ipv6_project
- name: simple_project
location: examples/simple_project
- name: simple_project_with_regional_network
location: examples/simple_project_with_regional_network
- name: submodule_firewall
location: examples/submodule_firewall
- name: submodule_network_peering
location: examples/submodule_network_peering
- name: submodule_svpc_access
location: examples/submodule_svpc_access
- name: submodule_vpc_serverless_connector
location: examples/submodule_vpc_serverless_connector
interfaces:
variables:
- name: admin_ranges
description: IP CIDR ranges that have complete access to all subnets.
varType: list(string)
defaultValue: []
- name: admin_ranges_enabled
description: Enable admin ranges-based rules.
varType: bool
defaultValue: false
- name: custom_rules
description: List of custom rule definitions (refer to variables file for syntax).
varType: |-
map(object({
description = string
direction = string
action = string # (allow|deny)
ranges = list(string)
sources = list(string)
targets = list(string)
use_service_accounts = bool
rules = list(object({
protocol = string
ports = list(string)
}))
extra_attributes = map(string)
}))
defaultValue: {}
- name: http_source_ranges
description: List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0.
varType: list(string)
defaultValue:
- 0.0.0.0/0
- name: http_target_tags
description: List of target tags for tag-based HTTP rule, defaults to http-server.
varType: list(string)
defaultValue:
- http-server
- name: https_source_ranges
description: List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0.
varType: list(string)
defaultValue:
- 0.0.0.0/0
- name: https_target_tags
description: List of target tags for tag-based HTTPS rule, defaults to https-server.
varType: list(string)
defaultValue:
- https-server
- name: internal_allow
description: Allow rules for internal ranges.
varType: |-
list(object({
protocol = string
ports = optional(list(string))
}))
defaultValue:
- protocol: icmp
- name: internal_ranges
description: IP CIDR ranges for intra-VPC rules.
varType: list(string)
defaultValue: []
- name: internal_ranges_enabled
description: Create rules for intra-VPC ranges.
varType: bool
defaultValue: false
- name: internal_target_tags
description: List of target tags for intra-VPC rules.
varType: list(string)
defaultValue: []
- name: network
description: Name of the network this set of firewall rules applies to.
varType: string
required: true
- name: project_id
description: Project id of the project that holds the network.
varType: string
required: true
- name: ssh_source_ranges
description: List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0.
varType: list(string)
defaultValue:
- 0.0.0.0/0
- name: ssh_target_tags
description: List of target tags for tag-based SSH rule, defaults to ssh.
varType: list(string)
defaultValue:
- ssh
outputs:
- name: admin_ranges
description: Admin ranges data.
- name: custom_egress_allow_rules
description: Custom egress rules with allow blocks.
- name: custom_egress_deny_rules
description: Custom egress rules with allow blocks.
- name: custom_ingress_allow_rules
description: Custom ingress rules with allow blocks.
- name: custom_ingress_deny_rules
description: Custom ingress rules with deny blocks.
- name: internal_ranges
description: Internal ranges.
requirements:
roles:
- roles/compute.networkAdmin
- roles/compute.securityAdmin
- roles/iam.serviceAccountUser
- roles/vpcaccess.admin
- roles/serviceusage.serviceUsageAdmin
- roles/dns.admin
services:
- cloudresourcemanager.googleapis.com
- compute.googleapis.com
- serviceusage.googleapis.com
- vpcaccess.googleapis.com
- dns.googleapis.com
- level: Project
roles:
- roles/compute.networkAdmin
- roles/compute.securityAdmin
- roles/iam.serviceAccountUser
- roles/vpcaccess.admin
- roles/serviceusage.serviceUsageAdmin
- roles/dns.admin
- roles/resourcemanager.tagAdmin
- roles/iam.serviceAccountAdmin
- roles/compute.orgFirewallPolicyAdmin
services:
- cloudresourcemanager.googleapis.com
- compute.googleapis.com
- serviceusage.googleapis.com
- vpcaccess.googleapis.com
- dns.googleapis.com
- networksecurity.googleapis.com
- iam.googleapis.com
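Review bot: The `custom_egress_deny_rules` output under `interfaces.outputs` is documented as `Custom egress rules with allow blocks.`, which duplicates the text of the allow output directly above it; the ingress pair says `deny blocks`, so this line should read `description: Custom egress rules with deny blocks.`. The wording was already wrong in the removed block, but the rewrite re-emits it on the new side, so this is the place to fix it. The project-level `requirements.roles` list also grows to include `roles/resourcemanager.tagAdmin`, `roles/iam.serviceAccountAdmin` and `roles/compute.orgFirewallPolicyAdmin`; nothing in this submodule's variables suggests it manages tags, service accounts or org-level firewall policies, so if these were copied from the root module's metadata, trimming them keeps the declared requirements at least privilege — worth confirming against what the submodule's examples actually provision. `description: {}` under `spec.info` is an empty mapping rather than a string and reads as a placeholder left in.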
