feat: add destination_ranges and source_ranges in firewall rules (#464)
imrannayer authored Jun 27, 2023
1 parent 764cbaa commit 83a7e85
Showing 9 changed files with 502 additions and 11 deletions.
15 changes: 15 additions & 0 deletions build/int.cloudbuild.yaml
Expand Up @@ -196,6 +196,21 @@ steps:
- verify regional-firewall-policy
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkFirewallPolicy --stage teardown --verbose']
- id: converge firewall-rule
waitFor:
- create all
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage apply --verbose']
- id: verify firewall-rule
waitFor:
- converge firewall-rule
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage verify --verbose']
- id: destroy firewall-rule
waitFor:
- verify firewall-rule
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage teardown --verbose']
tags:
- 'ci'
- 'integration'
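--- /dev/null
+++ b/examples/bidirectional-firewall-rules/README.md
@@ -0,0 +1,30 @@
+# Simple Project With Firewall
+
+This example configures a single simple VPC inside of a project, and adds a ingress/egress firewall rules.
+
+This VPC has two subnets, with no secondary ranges.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| network\_name | The name of the VPC network being created | `string` | `"test-fw-rules"` | no |
+| project\_id | The project ID to host the network in | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| network\_name | The name of the VPC being created |
+| network\_self\_link | The URI of the VPC being created |
+| project\_id | VPC project id |
+| route\_names | The routes associated with this VPC |
+| subnets\_flow\_logs | Whether the subnets will have VPC flow logs enabled |
+| subnets\_ips | The IP and cidrs of the subnets being created |
+| subnets\_names | The names of the subnets being created |
+| subnets\_private\_access | Whether the subnets will have access to Google API's without a public IP |
+| subnets\_regions | The region where subnets will be created |
+| subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->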
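--- /dev/null
+++ b/examples/bidirectional-firewall-rules/main.tf
@@ -0,0 +1,213 @@
+/**
+* Copyright 2019 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+locals {
+subnet_01 = "${var.network_name}-subnet-01"
+subnet_02 = "${var.network_name}-subnet-02"
+
+custom_rules = [
+// Example of custom tcp/udp rule
+{
+name = "fwtest-deny-ingress-6534-6566"
+description = "Deny all INGRESS to port 6534-6566"
+direction = "INGRESS"
+ranges = ["0.0.0.0/0"]
+deny = [{
+protocol = "tcp"
+ports = ["6534-6566"]
+},
+{
+protocol = "udp"
+ports = ["6534-6566"]
+}]
+
+},
+
+{
+name = "fwtest-deny-egress-6534-6566"
+description = "Deny all EGRESS to 47.189.12.139/32 port 6534-6566"
+direction = "EGRESS"
+ranges = ["47.189.12.139/32"]
+deny = [{
+protocol = "tcp"
+ports = ["6534-6566"]
+},
+{
+protocol = "udp"
+ports = ["6534-6566"]
+}]
+
+},
+
+// Example how to allow connection from instances with `backend` tag, to instances with `databases` tag
+{
+name = "fwtest-allow-backend-to-databases"
+description = "Allow backend nodes connection to databases instances"
+direction = "INGRESS"
+target_tags = ["databases"]
+source_tags = ["backed"]
+allow = [{
+protocol = "tcp"
+ports = ["3306", "5432", "1521", "1433"]
+}]
+
+},
+
+// Example how to allow connection from an instance with a given service account
+{
+name = "fwtest-allow-all-admin-sa"
+description = "Allow all traffic from admin sa instances"
+direction = "INGRESS"
+source_service_accounts = ["[email protected]"]
+allow = [{
+protocol = "tcp"
+ports = null # all ports
+},
+{
+protocol = "udp"
+ports = null # all ports
+}
+]
+},
+
+]
+
+
+custom_rules_ingress = [
+// Example of custom tcp/udp rule
+{
+name = "fwtest-deny-ingress-6500-6566"
+description = "Deny all INGRESS to port 6500-6566"
+source_ranges = ["0.0.0.0/0"]
+deny = [{
+protocol = "tcp"
+ports = ["6500-6566"]
+},
+{
+protocol = "udp"
+ports = ["6500-6566"]
+}]
+
+},
+{
+name = "fwtest-allow-backend-to-db"
+description = "Allow backend nodes connection to databases instances"
+target_tags = ["db"] # target_tags
+source_tags = ["backed"] # source_tags
+allow = [{
+protocol = "tcp"
+ports = ["3306", "5432", "1521", "1433"]
+}]
+
+},
+{
+name = "fwtest-allow-admin-svc-acct"
+description = "Allow all traffic from admin sa instances"
+source_service_accounts = ["[email protected]"]
+allow = [{
+protocol = "tcp"
+ports = null # all ports
+},
+{
+protocol = "udp"
+ports = null # all ports
+}
+]
+},
+{
+name = "fwtest-allow-ssh-ing"
+description = "Allow all traffic from 10.2.0.0/24 to 10.3.0.0/24"
+ranges = null
+destination_ranges = ["10.2.0.0/24"]
+source_ranges = ["10.3.0.0/24"]
+allow = [{
+protocol = "tcp"
+ports = ["22"]
+}]
+},
+
+]
+
+
+custom_rules_egress = [
+{
+name = "fwtest-deny-egress-6400-6466"
+description = "Deny all EGRESS to 47.190.12.139/32 port 6400-6466"
+destination_ranges = ["47.190.12.139/32"]
+deny = [{
+protocol = "tcp"
+ports = ["6400-6466"]
+},
+{
+protocol = "udp"
+ports = ["6400-6466"]
+}]
+
+},
+
+{
+name = "fwtest-deny-ssh-egr"
+description = "Deny all traffic to 10.10.0.0/24 to 10.11.0.0/24"
+destination_ranges = ["10.10.0.0/24"]
+source_ranges = ["10.11.0.0/24"]
+deny = [{
+protocol = "tcp"
+ports = ["22"]
+}]
+},
+
+
+]
+
+
+}
+
+module "test-vpc-module" {
+source = "../../"
+project_id = var.project_id
+network_name = var.network_name
+
+subnets = [
+{
+subnet_name = local.subnet_01
+subnet_ip = "10.10.10.0/24"
+subnet_region = "us-west1"
+},
+{
+subnet_name = local.subnet_02
+subnet_ip = "10.10.20.0/24"
+subnet_region = "us-west1"
+subnet_private_access = "true"
+subnet_flow_logs = "true"
+},
+]
+}
+
+
+module "test-firewall-submodule" {
+source = "../../modules/firewall-rules"
+project_id = var.project_id
+network_name = module.test-vpc-module.network_name
+rules = local.custom_rules
+}
+
+module "test-firewall-submodule-ing-egr" {
+source = "../../modules/firewall-rules"
+project_id = var.project_id
+network_name = module.test-vpc-module.network_name
+ingress_rules = local.custom_rules_ingress
+egress_rules = local.custom_rules_egress
+}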
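Review bot: The `source_tags = ["backed"]` values in the backend-to-databases rules (the third entry of `custom_rules` and the second entry of `custom_rules_ingress`) look like a typo for `backend`, which the rule names, descriptions and the preceding comment all refer to; as written the allow rule only matches instances carrying the tag `backed`, so the example reads as if it admits backend nodes to the databases while matching nothing unless someone happens to apply that misspelled tag. Suggest `source_tags = ["backend"]` in both places. The descriptions of `fwtest-allow-ssh-ing` and `fwtest-deny-ssh-egr` also disagree with their ranges: the former says "all traffic from 10.2.0.0/24 to 10.3.0.0/24" but allows only tcp/22 with `source_ranges = ["10.3.0.0/24"]` and `destination_ranges = ["10.2.0.0/24"]`, and the latter says "to 10.10.0.0/24 to 10.11.0.0/24" for a rule that denies tcp/22 from 10.11.0.0/24 to 10.10.0.0/24. Because these descriptions land on the live rule and are what an operator reads when triaging, suggest `description = "Allow tcp/22 from 10.3.0.0/24 to 10.2.0.0/24"` and `description = "Deny tcp/22 from 10.11.0.0/24 to 10.10.0.0/24"`. The explicit `ranges = null` on `fwtest-allow-ssh-ing` is the only entry that sets that key at all; if the submodule tolerates its absence as every other entry assumes, dropping it keeps the list uniform, and if it does not, the other entries are the ones that need it.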
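--- /dev/null
+++ b/examples/bidirectional-firewall-rules/outputs.tf
@@ -0,0 +1,65 @@
+/**
+* Copyright 2019 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+output "network_name" {
+value = module.test-vpc-module.network_name
+description = "The name of the VPC being created"
+}
+
+output "network_self_link" {
+value = module.test-vpc-module.network_self_link
+description = "The URI of the VPC being created"
+}
+
+output "project_id" {
+value = module.test-vpc-module.project_id
+description = "VPC project id"
+}
+
+output "subnets_names" {
+value = module.test-vpc-module.subnets_names
+description = "The names of the subnets being created"
+}
+
+output "subnets_ips" {
+value = module.test-vpc-module.subnets_ips
+description = "The IP and cidrs of the subnets being created"
+}
+
+output "subnets_regions" {
+value = module.test-vpc-module.subnets_regions
+description = "The region where subnets will be created"
+}
+
+output "subnets_private_access" {
+value = module.test-vpc-module.subnets_private_access
+description = "Whether the subnets will have access to Google API's without a public IP"
+}
+
+output "subnets_flow_logs" {
+value = module.test-vpc-module.subnets_flow_logs
+description = "Whether the subnets will have VPC flow logs enabled"
+}
+
+output "subnets_secondary_ranges" {
+value = module.test-vpc-module.subnets_secondary_ranges
+description = "The secondary ranges associated with these subnets"
+}
+
+output "route_names" {
+value = module.test-vpc-module.route_names
+description = "The routes associated with this VPC"
+}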
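--- /dev/null
+++ b/examples/bidirectional-firewall-rules/variables.tf
@@ -0,0 +1,24 @@
+/**
+* Copyright 2019 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "project_id" {
+description = "The project ID to host the network in"
+}
+
+variable "network_name" {
+description = "The name of the VPC network being created"
+default = "test-fw-rules"
+}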
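Review bot: `variable "project_id"` is declared without a `type`, which is why the generated README in this same commit advertises it as `any`; a caller passing a list or map would presumably only fail somewhere inside the VPC module rather than at input validation. Suggest `type = string` on `project_id`, and the same on `network_name`, which is currently typed only implicitly through its default. Re-running the docs hook after that change would also correct the README's input table.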
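--- /dev/null
+++ b/examples/bidirectional-firewall-rules/versions.tf
@@ -0,0 +1,28 @@
+/**
+* Copyright 2019 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+terraform {
+required_version = ">= 1.3.0"
+
+required_providers {
+google = {
+version = ">= 4.0.0"
+}
+null = {
+version = ">= 2.1.0"
+}
+}
+}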