From 663f1d892ce4dd74b46b7a69767eb29731882e0d Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 8 Aug 2023 22:42:37 -0500
Subject: [PATCH] feat: add ingress and egress firewall rules to main module (#485)
---
 README.md | 4 ++-
 main.tf | 10 ++++---
 variables.tf | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 versions.tf | 2 +-
 4 files changed, 90 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 774e8544..5ea4faa5 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,9 @@ Then perform the following commands on the root folder:
 | auto\_create\_subnetworks | When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. | `bool` | `false` | no |
 | delete\_default\_internet\_gateway\_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | description | An optional description of this resource. The resource must be recreated to modify this field. | `string` | `""` | no |
-| firewall\_rules | List of firewall rules | `any` | `[]` | no |
+| egress\_rules | List of egress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| firewall\_rules | This is DEPRICATED and available for backward compatiblity. Use ingress\_rules and egress\_rules variables. List of firewall rules |
list(object({
name = string
description = optional(string, null)
direction = optional(string, "INGRESS")
priority = optional(number, null)
ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
+| ingress\_rules | List of ingress rules. This will be ignored if variable 'rules' is non-empty |
list(object({
name = string
description = optional(string, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))

allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
| `[]` | no |
 | mtu | The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively. | `number` | `0` | no |
 | network\_name | The name of the network being created | `string` | n/a | yes |
 | project\_id | The ID of the project where this VPC will be created | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 6e8d31cb..e84669cd 100644
--- a/main.tf
+++ b/main.tf
@@ -74,8 +74,10 @@ locals {
 }
 module "firewall_rules" {
- source = "./modules/firewall-rules"
- project_id = var.project_id
- network_name = module.vpc.network_name
- rules = local.rules
+ source = "./modules/firewall-rules"
+ project_id = var.project_id
+ network_name = module.vpc.network_name
+ rules = local.rules
+ ingress_rules = var.ingress_rules
+ egress_rules = var.egress_rules
 }
diff --git a/variables.tf b/variables.tf
index 0db1606c..fb30e62c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -71,8 +71,30 @@ variable "routes" {
 }
 variable "firewall_rules" {
- type = any
- description = "List of firewall rules"
+ type = list(object({
+ name = string
+ description = optional(string, null)
+ direction = optional(string, "INGRESS")
+ priority = optional(number, null)
+ ranges = optional(list(string), [])
+ source_tags = optional(list(string))
+ source_service_accounts = optional(list(string))
+ target_tags = optional(list(string))
+ target_service_accounts = optional(list(string))
+
+ allow = optional(list(object({
+ protocol = string
+ ports = optional(list(string))
+ })), [])
+ deny = optional(list(object({
+ protocol = string
+ ports = optional(list(string))
+ })), [])
+ log_config = optional(object({
+ metadata = string
+ }))
+ }))
+ description = "This is DEPRICATED and available for backward compatiblity. Use ingress_rules and egress_rules variables. List of firewall rules"
 default = []
 }
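Review bot: The precedence between the legacy `rules = local.rules` argument and the new `ingress_rules`/`egress_rules` arguments is not stated anywhere in this module call, yet the variable descriptions added in variables.tf say the new lists are ignored whenever the legacy rules are non-empty, so a caller that sets both gets its ingress/egress rules dropped with no plan-time signal. A comment above the two new arguments would make that visible where it matters: `# ingress_rules/egress_rules are ignored by the child module when rules (legacy firewall_rules) is non-empty`. I infer that behaviour only from the descriptions, so the comment should follow whatever the child module actually does. The `locals` block that defines `local.rules` starts before this hunk.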
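Review bot: The new `firewall_rules` description string has two typos that will be copied into generated docs: `description = "This is DEPRECATED and available for backward compatibility. Use ingress_rules and egress_rules variables. List of firewall rules"`; the same text appears in the README.md hunk. Separately, `direction` is now a free-form string defaulting to `"INGRESS"`, so a misspelt or lowercase value is only rejected by the provider at apply time; since this patch also raises `required_version` to `>= 1.3`, a `validation` block can pin it at plan time.
```hcl
variable "firewall_rules" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for r in var.firewall_rules : contains(["INGRESS", "EGRESS"], r.direction)])
    error_message = "Each firewall_rules entry must set direction to INGRESS or EGRESS."
  }
}
```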
@@ -100,3 +122,59 @@ variable "mtu" {
 description = "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively."
 default = 0
 }
+
+variable "ingress_rules" {
+ description = "List of ingress rules. This will be ignored if variable 'rules' is non-empty"
+ default = []
+ type = list(object({
+ name = string
+ description = optional(string, null)
+ priority = optional(number, null)
+ destination_ranges = optional(list(string), [])
+ source_ranges = optional(list(string), [])
+ source_tags = optional(list(string))
+ source_service_accounts = optional(list(string))
+ target_tags = optional(list(string))
+ target_service_accounts = optional(list(string))
+
+ allow = optional(list(object({
+ protocol = string
+ ports = optional(list(string))
+ })), [])
+ deny = optional(list(object({
+ protocol = string
+ ports = optional(list(string))
+ })), [])
+ log_config = optional(object({
+ metadata = string
+ }))
+ }))
+}
+
+variable "egress_rules" {
+ description = "List of egress rules. This will be ignored if variable 'rules' is non-empty"
+ default = []
+ type = list(object({
+ name = string
+ description = optional(string, null)
+ priority = optional(number, null)
+ destination_ranges = optional(list(string), [])
+ source_ranges = optional(list(string), [])
+ source_tags = optional(list(string))
+ source_service_accounts = optional(list(string))
+ target_tags = optional(list(string))
+ target_service_accounts = optional(list(string))
+
+ allow = optional(list(object({
+ protocol = string
+ ports = optional(list(string))
+ })), [])
+ deny = optional(list(object({
+ protocol = string
+ ports = optional(list(string))
+ })), [])
+ log_config = optional(object({
+ metadata = string
+ }))
+ }))
+}
diff --git a/versions.tf b/versions.tf
index df423767..298b58cd 100644
--- a/versions.tf
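Review bot: Both new descriptions say the list is ignored if variable `'rules'` is non-empty, but `rules` is not an input of this root module — the legacy input here is `firewall_rules`, and main.tf feeds the child's `rules` from `local.rules` — so the text points users at a variable they cannot set; it should read `description = "List of ingress rules. This will be ignored if variable 'firewall_rules' is non-empty"` (and the egress counterpart). The more consequential gap is that `source_ranges` (ingress) and `destination_ranges` (egress) default to `[]`, and when no tags or service accounts are given either, a GCP firewall rule with an empty source/destination selector applies to any address (0.0.0.0/0) as far as I recall the API default, so omitting the field on an `allow` rule silently widens it to the whole internet. A `validation` block requiring at least one source selector on every ingress rule (and a destination range on every egress rule) turns that into a plan-time error; the ingress sketch is below and the egress one is symmetric on `destination_ranges`. `log_config` also defaults to null, meaning rule logging stays off unless each rule opts in, which deserves a sentence in the description.
```hcl
variable "ingress_rules" {
  # … unchanged: description, default, type …
  validation {
    condition = alltrue([
      for r in var.ingress_rules :
      length(r.source_ranges) > 0 || r.source_tags != null || r.source_service_accounts != null
    ])
    error_message = "Each ingress rule must set source_ranges, source_tags, or source_service_accounts; an empty source selector would match any address."
  }
}
```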
+++ b/versions.tf
@@ -15,7 +15,7 @@
 */
 terraform {
- required_version = ">= 0.13.0"
+ required_version = ">= 1.3"
 required_providers {
 google = {
 source = "hashicorp/google"