fix: make fw more specific and toggleable, use CFT for DNS

Author: rjerrems

2-networks/modules/standard_shared_vpc/README.md

@@ -4,6 +4,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | bgp\_asn | BGP ASN for default cloud router. | string | n/a | yes |
+| default\_fw\_rules\_enabled | Toggle creation of default firewall rules. | bool | `"true"` | no |
 | default\_region | Default subnet region standard_shared_vpc currently only configures one region. | string | n/a | yes |
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | bool | `"true"` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | bool | `"true"` | no |

2-networks/modules/standard_shared_vpc/dns.tf

@@ -33,80 +33,64 @@ resource "google_dns_policy" "default_policy" {
   Private Google APIs DNS Zone & records.
  *****************************************/
 
-resource "google_dns_managed_zone" "private_googleapis" {
-  provider    = google-beta
-  project     = var.project_id
+module "private_googleapis" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 3.0"
+  project_id  = var.project_id
+  type        = "private"
   name        = "private-googleapis"
-  dns_name    = "googleapis.com."
+  domain      = "googleapis.com."
   description = "Private DNS zone to configure private.googleapis.com"
 
-  visibility = "private"
-
-  private_visibility_config {
-    networks {
-      network_url = module.main.network_self_link
-    }
-  }
-}
-
-resource "google_dns_record_set" "googleapis_cname" {
-  provider     = google-beta
-  project      = var.project_id
-  name         = "*.googleapis.com."
-  managed_zone = google_dns_managed_zone.private_googleapis.name
-  type         = "CNAME"
-  ttl          = 300
-  rrdatas      = ["private.googleapis.com."]
-}
-
-resource "google_dns_record_set" "private_googleapis_a" {
-  provider     = google-beta
-  project      = var.project_id
-  name         = "private.googleapis.com."
-  managed_zone = google_dns_managed_zone.private_googleapis.name
-  type         = "A"
-  ttl          = 300
-
-  rrdatas = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
+  private_visibility_config_networks = [
+    module.main.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = ["private.googleapis.com."]
+    },
+    {
+      name    = "private"
+      type    = "A"
+      ttl     = 300
+      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
+    },
+  ]
 }
 
 /******************************************
   Private GCR DNS Zone & records.
  *****************************************/
 
-resource "google_dns_managed_zone" "private_gcr" {
-  provider    = google-beta
-  project     = var.project_id
+module "private_gcr" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 3.0"
+  project_id  = var.project_id
+  type        = "private"
   name        = "private-gcr"
-  dns_name    = "gcr.io."
+  domain      = "gcr.io."
   description = "Private DNS zone to configure gcr.io"
 
-  visibility = "private"
-
-  private_visibility_config {
-    networks {
-      network_url = module.main.network_self_link
-    }
-  }
-}
-
-resource "google_dns_record_set" "gcr_cname" {
-  provider     = google-beta
-  project      = var.project_id
-  name         = "*.gcr.io."
-  managed_zone = google_dns_managed_zone.private_gcr.name
-  type         = "CNAME"
-  ttl          = 300
-  rrdatas      = ["gcr.io."]
-}
-
-resource "google_dns_record_set" "private_gcr_a" {
-  provider     = google-beta
-  project      = var.project_id
-  name         = "gcr.io."
-  managed_zone = google_dns_managed_zone.private_gcr.name
-  type         = "A"
-  ttl          = 300
-
-  rrdatas = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
+  private_visibility_config_networks = [
+    module.main.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = ["gcr.io."]
+    },
+    {
+      name    = ""
+      type    = "A"
+      ttl     = 300
+      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
+    },
+  ]
 }

2-networks/modules/standard_shared_vpc/firewall.tf

@@ -19,8 +19,9 @@
  *****************************************/
 
 // Allow SSH when using the allow-ssh tag for Linux workloads.
-resource "google_compute_firewall" "allow_ssh" {
-  name    = "allow-ssh"
+resource "google_compute_firewall" "allow_iap_ssh" {
+  count   = var.default_fw_rules_enabled ? 1 : 0
+  name    = "allow-iap-ssh"
   network = module.main.network_name
   project = var.project_id
 
@@ -32,12 +33,13 @@ resource "google_compute_firewall" "allow_ssh" {
     ports    = ["22"]
   }
 
-  target_tags = ["allow-ssh"]
+  target_tags = ["allow-iap-ssh"]
 }
 
 // Allow RDP when using the allow-rdp tag for Windows workloads.
-resource "google_compute_firewall" "allow_rdp" {
-  name    = "allow-rdp"
+resource "google_compute_firewall" "allow_iap_rdp" {
+  count   = var.default_fw_rules_enabled ? 1 : 0
+  name    = "allow-iap-rdp"
   network = module.main.network_name
   project = var.project_id
 
@@ -49,11 +51,12 @@ resource "google_compute_firewall" "allow_rdp" {
     ports    = ["3389"]
   }
 
-  target_tags = ["allow-rdp"]
+  target_tags = ["allow-iap-rdp"]
 }
 
 // Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
 resource "google_compute_firewall" "allow_lb" {
+  count   = var.default_fw_rules_enabled ? 1 : 0
   name    = "allow-lb"
   network = module.main.network_name
   project = var.project_id

2-networks/modules/standard_shared_vpc/variables.tf

@@ -68,3 +68,9 @@ variable "nat_num_addresses" {
   description = "Number of external IPs to reserve for Cloud NAT."
   default     = 2
 }
+
+variable "default_fw_rules_enabled" {
+  type        = bool
+  description = "Toggle creation of default firewall rules."
+  default     = true
+}