Merge pull request #24 from rjerrems/net-refactor

refactor: Harden network & add default example subnets

Author: morgante

2-networks/main.tf

@@ -40,15 +40,59 @@ module "shared_vpc_nonprod" {
   project_id           = local.nonprod_host_project_id
   default_region       = var.default_region
   network_name         = "shared-vpc-nonprod"
-  private_service_cidr = "10.1.0.0/16"
+  private_service_cidr = "10.200.0.0/22"
   bgp_asn              = 64512
+  subnets = [
+    {
+      subnet_name           = "example-subnet"
+      subnet_ip             = "10.200.4.0/22"
+      subnet_region         = var.default_region
+      subnet_private_access = "true"
+      subnet_flow_logs      = "false"
+      description           = "Non prod example subnet."
+    },
+  ]
+  secondary_ranges = {
+    example-subnet = [
+      {
+        range_name    = "example-subnet-gke-pod"
+        ip_cidr_range = "192.168.0.0/19"
+      },
+      {
+        range_name    = "example-subnet-gke-svc"
+        ip_cidr_range = "192.168.32.0/23"
+      },
+    ]
+  }
 }
 
 module "shared_vpc_prod" {
   source               = "./modules/standard_shared_vpc"
   project_id           = local.prod_host_project_id
   default_region       = var.default_region
   network_name         = "shared-vpc-prod"
-  private_service_cidr = "10.2.0.0/16"
+  private_service_cidr = "10.20.0.0/22"
   bgp_asn              = 64513
+  subnets = [
+    {
+      subnet_name           = "example-subnet"
+      subnet_ip             = "10.20.20.0/22"
+      subnet_region         = var.default_region
+      subnet_private_access = "true"
+      subnet_flow_logs      = "false"
+      description           = "Prod example subnet."
+    },
+  ]
+  secondary_ranges = {
+    example-subnet = [
+      {
+        range_name    = "example-subnet-gke-pod"
+        ip_cidr_range = "192.168.96.0/19"
+      },
+      {
+        range_name    = "example-subnet-gke-svc"
+        ip_cidr_range = "192.168.128.0/23"
+      },
+    ]
+  }
 }

2-networks/modules/standard_shared_vpc/README.md

@@ -4,7 +4,11 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | bgp\_asn | BGP ASN for default cloud router. | string | n/a | yes |
+| default\_fw\_rules\_enabled | Toggle creation of default firewall rules. | bool | `"true"` | no |
 | default\_region | Default subnet region standard_shared_vpc currently only configures one region. | string | n/a | yes |
+| dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | bool | `"true"` | no |
+| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | bool | `"true"` | no |
+| nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | number | `"2"` | no |
 | network\_name | Name for VPC. | string | n/a | yes |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | string | n/a | yes |
 | project\_id | Project ID for Shared VPC. | string | n/a | yes |

2-networks/modules/standard_shared_vpc/dns.tf

@@ -0,0 +1,96 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Default DNS Policy
+ *****************************************/
+
+resource "google_dns_policy" "default_policy" {
+  provider                  = google-beta
+  project                   = var.project_id
+  name                      = "default-policy"
+  enable_inbound_forwarding = var.dns_enable_inbound_forwarding
+  enable_logging            = var.dns_enable_logging
+  networks {
+    network_url = module.main.network_self_link
+  }
+}
+
+/******************************************
+  Private Google APIs DNS Zone & records.
+ *****************************************/
+
+module "private_googleapis" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 3.0"
+  project_id  = var.project_id
+  type        = "private"
+  name        = "private-googleapis"
+  domain      = "googleapis.com."
+  description = "Private DNS zone to configure private.googleapis.com"
+
+  private_visibility_config_networks = [
+    module.main.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = ["private.googleapis.com."]
+    },
+    {
+      name    = "private"
+      type    = "A"
+      ttl     = 300
+      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
+    },
+  ]
+}
+
+/******************************************
+  Private GCR DNS Zone & records.
+ *****************************************/
+
+module "private_gcr" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 3.0"
+  project_id  = var.project_id
+  type        = "private"
+  name        = "private-gcr"
+  domain      = "gcr.io."
+  description = "Private DNS zone to configure gcr.io"
+
+  private_visibility_config_networks = [
+    module.main.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = ["gcr.io."]
+    },
+    {
+      name    = ""
+      type    = "A"
+      ttl     = 300
+      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
+    },
+  ]
+}

2-networks/modules/standard_shared_vpc/firewall.tf

@@ -0,0 +1,73 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Default firewall rules
+ *****************************************/
+
+// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads.
+resource "google_compute_firewall" "allow_iap_ssh" {
+  count   = var.default_fw_rules_enabled ? 1 : 0
+  name    = "allow-iap-ssh"
+  network = module.main.network_name
+  project = var.project_id
+
+  // Cloud IAP's TCP forwarding netblock
+  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  target_tags = ["allow-iap-ssh"]
+}
+
+// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads.
+resource "google_compute_firewall" "allow_iap_rdp" {
+  count   = var.default_fw_rules_enabled ? 1 : 0
+  name    = "allow-iap-rdp"
+  network = module.main.network_name
+  project = var.project_id
+
+  // Cloud IAP's TCP forwarding netblock
+  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
+
+  allow {
+    protocol = "tcp"
+    ports    = ["3389"]
+  }
+
+  target_tags = ["allow-iap-rdp"]
+}
+
+// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
+resource "google_compute_firewall" "allow_lb" {
+  count   = var.default_fw_rules_enabled ? 1 : 0
+  name    = "allow-lb"
+  network = module.main.network_name
+  project = var.project_id
+
+  source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
+
+  // Allow common app ports by default.
+  allow {
+    protocol = "tcp"
+    ports    = ["80", "8080", "443"]
+  }
+
+  target_tags = ["allow-lb"]
+}

2-networks/modules/standard_shared_vpc/main.tf

@@ -19,41 +19,39 @@
  *****************************************/
 
 module "main" {
-  source          = "terraform-google-modules/network/google"
-  version         = "~> 2.0"
-  project_id      = var.project_id
-  network_name    = var.network_name
-  shared_vpc_host = "true"
+  source                                 = "terraform-google-modules/network/google"
+  version                                = "~> 2.0"
+  project_id                             = var.project_id
+  network_name                           = var.network_name
+  shared_vpc_host                        = "true"
+  delete_default_internet_gateway_routes = "true"
 
   subnets          = var.subnets
   secondary_ranges = var.secondary_ranges
 
   routes = [
     {
-      name              = "gcp-windows-activation"
-      description       = "Route through IGW to allow Windows kms activation."
+      name              = "egress-internet"
+      description       = "Tag based route through IGW to access internet"
+      destination_range = "0.0.0.0/0"
+      tags              = "egress-internet"
+      next_hop_internet = "true"
+    },
+    {
+      name              = "private-google-access"
+      description       = "Route through IGW to allow private google api access."
+      destination_range = "199.36.153.8/30"
+      next_hop_internet = "true"
+    },
+    {
+      name              = "windows-activation"
+      description       = "Route through IGW to allow Windows KMS activation for GCP."
       destination_range = "35.190.247.13/32"
       next_hop_internet = "true"
     },
   ]
 }
 
-/******************************************
-  Default DNS Policy
- *****************************************/
-
-resource "google_dns_policy" "default_policy" {
-  provider                  = google-beta
-  project                   = var.project_id
-  name                      = "default-policy"
-  enable_inbound_forwarding = true
-  enable_logging            = true
-  networks {
-    network_url = module.main.network_self_link
-  }
-}
-
-
 /***************************************************************
   Configure Service Networking for Cloud SQL & future services.
  **************************************************************/
@@ -93,7 +91,7 @@ resource "google_compute_router" "default_router" {
 }
 
 resource "google_compute_address" "nat_external_addresses" {
-  count   = 2
+  count   = var.nat_num_addresses
   project = var.project_id
   name    = "nat-external-address-${count.index}"
   region  = var.default_region
@@ -113,59 +111,3 @@ resource "google_compute_router_nat" "default_nat" {
     enable = true
   }
 }
-
-/******************************************
-  Default firewall rules
- *****************************************/
-
-
-// Allow SSH when using the allow-ssh tag for Linux workloads.
-resource "google_compute_firewall" "allow_ssh" {
-  name    = "allow-ssh"
-  network = module.main.network_name
-  project = var.project_id
-
-  // Cloud IAP's TCP forwarding netblock
-  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
-  allow {
-    protocol = "tcp"
-    ports    = ["22"]
-  }
-
-  target_tags = ["allow-ssh"]
-}
-
-// Allow RDP when using the allow-rdp tag for Windows workloads.
-resource "google_compute_firewall" "allow_rdp" {
-  name    = "allow-rdp"
-  network = module.main.network_name
-  project = var.project_id
-
-  // Cloud IAP's TCP forwarding netblock
-  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
-  allow {
-    protocol = "tcp"
-    ports    = ["3389"]
-  }
-
-  target_tags = ["allow-rdp"]
-}
-
-// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
-resource "google_compute_firewall" "allow_lb" {
-  name    = "lb-healthcheck"
-  network = module.main.network_name
-  project = var.project_id
-
-  source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
-
-  // Allow common app ports by default.
-  allow {
-    protocol = "tcp"
-    ports    = ["80", "8080", "443"]
-  }
-
-  target_tags = ["allow-lb"]
-}