Merge branch 'master' into tfhartmann-issue70

terraform-google-modules · Oct 24, 2019 · 45d31ce · 45d31ce
2 parents 1c99d28 + 0f84447
commit 45d31ce
Show file tree

Hide file tree

Showing 8 changed files with 155 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,16 @@ v2.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d
 - Fixes subnet recreation when a subnet is updated. [#73]
 
 
+## [1.4.0] - 2019-10-14
+
+### Added
+
+- Add dynamic firewall rules support to firewall submodule. [#79]
+
+### Fixed
+
+- Add `depends_on` to `created_subnets` data fetch (fixes issue [#80]). [#81]
+
 ## [1.3.0] - 2019-10-09
 
 ### Changed
@@ -118,7 +128,8 @@ v2.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d
 - Subnets within the VPC
 - Secondary ranges for the subnets (if applicable)
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.3.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.4.0...HEAD
+[1.4.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.3.0...v1.4.0
 [1.3.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.0.0...v1.1.0
@@ -132,6 +143,10 @@ v2.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d
 [0.2.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/terraform-google-modules/terraform-google-network/releases/tag/v0.1.0
 
+[#81]: https://github.com/terraform-google-modules/terraform-google-network/pull/81
+[#80]: https://github.com/terraform-google-modules/terraform-google-network/issues/80
+[#79]: https://github.com/terraform-google-modules/terraform-google-network/pull/79
+[#72]: https://github.com/terraform-google-modules/terraform-google-network/pull/72
 [#64]: https://github.com/terraform-google-modules/terraform-google-network/pull/64
 [#66]: https://github.com/terraform-google-modules/terraform-google-network/pull/66
 [#16]: https://github.com/terraform-google-modules/terraform-google-network/pull/16

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,4 +1,4 @@
-* @terraform-google-modules/cft-admins @andreyk-code
+* @terraform-google-modules/cft-admins @andreyk-code @jeanno
 
 # CFT Fabric
 /examples/submodule_svpc_access/ @terraform-google-modules/cft-fabric

diff --git a/modules/fabric-net-firewall/.gitignore b/modules/fabric-net-firewall/.gitignore
@@ -0,0 +1 @@
+terraform.tfvars
diff --git a/modules/fabric-net-firewall/README.md b/modules/fabric-net-firewall/README.md
@@ -1,18 +1,38 @@
-# Google Cloud Simple VPC Firewall Creation
+# Google Cloud VPC Firewall
 
-This module allows creation of a minimal VPC firewall, supporting basic configurable rules for IP range-based intra-VPC and administrator ingress, and tag-based SSH, HTTP, and HTTPS ingress.
+This module allows creation of a minimal VPC firewall, supporting basic configurable rules for IP range-based intra-VPC and administrator ingress,  tag-based SSH/HTTP/HTTPS ingress, and custom rule definitions.
 
-The HTTP and HTTPS rules use the same network tags network tags that are assigned to instances when flaggging the "Allow HTTP[S] traffic" checkbox in the Cloud Console. The SSH rule uses a generic `ssh` tag.
+The HTTP and HTTPS rules use the same network tags that are assigned to instances when the "Allow HTTP[S] traffic" checkbox is flagged in the Cloud Console. The SSH rule uses a generic `ssh` tag.
 
 All IP source ranges are configurable through variables, and are set by default to `0.0.0.0/0` for tag-based rules. Allowed protocols and/or ports for the intra-VPC rule are also configurable through a variable.
 
+Custom rules are set through a map where keys are rule names, and values use this custom type:
+
+```hcl
+map(object({
+  description          = string
+  direction            = string       # (INGRESS|EGRESS)
+  action               = string       # (allow|deny)
+  ranges               = list(string) # list of IP CIDR ranges
+  sources              = list(string) # tags or SAs (ignored for EGRESS)
+  targets              = list(string) # tags or SAs
+  use_service_accounts = bool         # use tags or SAs in sources/targets
+  rules = list(object({
+    protocol = string
+    ports    = list(string)
+  }))
+  extra_attributes = map(string)      # map, optional keys disabled or priority
+}))
+```
+
 The resources created/managed by this module are:
 
 - one optional ingress rule from internal CIDR ranges, only allowing ICMP by default
 - one optional ingress rule from admin CIDR ranges, allowing all protocols on all ports
 - one optional ingress rule for SSH on network tag `ssh`
 - one optional ingress rule for HTTP on network tag `http-server`
 - one optional ingress rule for HTTPS on network tag `https-server`
+- one or more optional custom rules
 
 
 ## Usage
@@ -26,6 +46,24 @@ module "net-firewall" {
   network                 = "my-vpc"
   internal_ranges_enabled = true
   internal_ranges         = ["10.0.0.0/0"]
+  custom_rules = {
+    ingress-sample = {
+      description          = "Dummy sample ingress rule, tag-based."
+      direction            = "INGRESS"
+      action               = "allow"
+      ranges               = ["192.168.0.0"]
+      sources              = ["spam-tag"]
+      targets              = ["foo-tag", "egg-tag"]
+      use_service_accounts = false
+      rules = [
+        {
+          protocol = "tcp"
+          ports    = []
+        }
+      ]
+      extra_attributes = {}
+    }
+  }
 }
 ```
 
@@ -36,6 +74,7 @@ module "net-firewall" {
 |------|-------------|:----:|:-----:|:-----:|
 | admin\_ranges | IP CIDR ranges that have complete access to all subnets. | list | `<list>` | no |
 | admin\_ranges\_enabled | Enable admin ranges-based rules. | string | `"false"` | no |
+| custom\_rules | List of custom rule definitions (refer to variables file for syntax). | map | `<map>` | no |
 | http\_source\_ranges | List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
 | https\_source\_ranges | List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
 | internal\_allow | Allow rules for internal ranges. | list | `<list>` | no |

diff --git a/modules/fabric-net-firewall/main.tf b/modules/fabric-net-firewall/main.tf
@@ -104,3 +104,44 @@ resource "google_compute_firewall" "allow-tag-https" {
     ports    = ["443"]
   }
 }
+
+################################################################################
+#                                dynamic rules                                 #
+################################################################################
+
+resource "google_compute_firewall" "custom" {
+  # provider                = "google-beta"
+  for_each                = var.custom_rules
+  name                    = each.key
+  description             = each.value.description
+  direction               = each.value.direction
+  network                 = var.network
+  project                 = var.project_id
+  source_ranges           = each.value.direction == "INGRESS" ? each.value.ranges : null
+  destination_ranges      = each.value.direction == "EGRESS" ? each.value.ranges : null
+  source_tags             = each.value.use_service_accounts || each.value.direction == "EGRESS" ? null : each.value.sources
+  source_service_accounts = each.value.use_service_accounts && each.value.direction == "INGRESS" ? each.value.sources : null
+  target_tags             = each.value.use_service_accounts ? null : each.value.targets
+  target_service_accounts = each.value.use_service_accounts ? each.value.targets : null
+  disabled                = lookup(each.value.extra_attributes, "disabled", false)
+  priority                = lookup(each.value.extra_attributes, "priority", 1000)
+  # enable_logging          = lookup(each.value.extra_attributes, "enable_logging", false)
+
+  dynamic "allow" {
+    for_each = [for rule in each.value.rules : rule if each.value.action == "allow"]
+    iterator = rule
+    content {
+      protocol = rule.value.protocol
+      ports    = rule.value.ports
+    }
+  }
+
+  dynamic "deny" {
+    for_each = [for rule in each.value.rules : rule if each.value.action == "deny"]
+    iterator = rule
+    content {
+      protocol = rule.value.protocol
+      ports    = rule.value.ports
+    }
+  }
+}
diff --git a/modules/fabric-net-firewall/outputs.tf b/modules/fabric-net-firewall/outputs.tf
@@ -32,3 +32,34 @@ output "admin_ranges" {
   }
 }
 
+output "custom_ingress_allow_rules" {
+  description = "Custom ingress rules with allow blocks."
+  value = [
+    for rule in google_compute_firewall.custom :
+    rule.name if rule.direction == "INGRESS" && length(rule.allow) > 0
+  ]
+}
+
+output "custom_ingress_deny_rules" {
+  description = "Custom ingress rules with deny blocks."
+  value = [
+    for rule in google_compute_firewall.custom :
+    rule.name if rule.direction == "INGRESS" && length(rule.deny) > 0
+  ]
+}
+
+output "custom_egress_allow_rules" {
+  description = "Custom egress rules with allow blocks."
+  value = [
+    for rule in google_compute_firewall.custom :
+    rule.name if rule.direction == "EGRESS" && length(rule.allow) > 0
+  ]
+}
+
+output "custom_egress_deny_rules" {
+  description = "Custom egress rules with allow blocks."
+  value = [
+    for rule in google_compute_firewall.custom :
+    rule.name if rule.direction == "EGRESS" && length(rule.deny) > 0
+  ]
+}
diff --git a/modules/fabric-net-firewall/variables.tf b/modules/fabric-net-firewall/variables.tf
@@ -65,3 +65,22 @@ variable "https_source_ranges" {
   description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0."
   default     = ["0.0.0.0/0"]
 }
+
+variable "custom_rules" {
+  description = "List of custom rule definitions (refer to variables file for syntax)."
+  default     = {}
+  type = map(object({
+    description          = string
+    direction            = string
+    action               = string # (allow|deny)
+    ranges               = list(string)
+    sources              = list(string)
+    targets              = list(string)
+    use_service_accounts = bool
+    rules = list(object({
+      protocol = string
+      ports    = list(string)
+    }))
+    extra_attributes = map(string)
+  }))
+}
diff --git a/scripts/delete-default-gateway-routes.sh b/scripts/delete-default-gateway-routes.sh
@@ -16,6 +16,10 @@
 
 set -e
 
+if [ -n "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then
+  export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${GOOGLE_APPLICATION_CREDENTIALS}
+fi
+
 PROJECT_ID=$1
 NETWORK_ID=$2
 FILTERED_ROUTES=$(gcloud compute routes list \
@@ -36,7 +40,6 @@ function delete_internet_gateway_routes {
   done
 }
 
-
 if [ -n "${FILTERED_ROUTES}" ]; then
   delete_internet_gateway_routes "${FILTERED_ROUTES}"
 else