feat: Change old firewall to new network-firewall (#1041)

Co-authored-by: Daniel Andrade <[email protected]>

Author: Samir-Cit

0-bootstrap/modules/jenkins-agent/main.tf

@@ -18,7 +18,6 @@ locals {
   cicd_project_name           = format("%s-%s", var.project_prefix, "b-cicd")
   impersonation_enabled_count = var.sa_enable_impersonation ? 1 : 0
   activate_apis               = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"]))
-  jenkins_gce_fw_tags         = ["ssh-jenkins-agent"]
 }
 
 resource "random_id" "suffix" {
@@ -70,7 +69,11 @@ resource "google_compute_instance" "jenkins_agent_gce_instance" {
   machine_type = var.jenkins_agent_gce_machine_type
   zone         = "${var.default_region}-a"
 
-  tags = local.jenkins_gce_fw_tags
+  params {
+    resource_manager_tags = {
+      "tagKeys/${google_tags_tag_key.jenkins_agents.name}" = "tagValues/${google_tags_tag_value.jenkins_agents.name}"
+    }
+  }
 
   boot_disk {
     initialize_params {
@@ -105,26 +108,52 @@ resource "google_compute_instance" "jenkins_agent_gce_instance" {
 }
 
 /******************************************
-  Jenkins Agent GCE Network and Firewall rules
+  Jenkins Agent GCE Network, Resource Manager Tags and Firewall rules
 *******************************************/
-
-resource "google_compute_firewall" "fw_allow_ssh_into_jenkins_agent" {
-  project       = module.cicd_project.project_id
-  name          = "fw-${google_compute_network.jenkins_agents.name}-1000-i-a-all-all-tcp-22"
-  description   = "Allow the Jenkins Controller (Client) to connect to the Jenkins Agents (Servers) using SSH."
-  network       = google_compute_network.jenkins_agents.name
-  source_ranges = var.jenkins_controller_subnetwork_cidr_range
-  target_tags   = local.jenkins_gce_fw_tags
-  priority      = 1000
-
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+resource "google_tags_tag_key" "jenkins_agents" {
+  description = "Tag Key to control the connection between Jenkins Controller (Client) and the Jenkins Agents (Servers) using SSH."
+  parent      = "organizations/${var.org_id}"
+  purpose     = "GCE_FIREWALL"
+  short_name  = "ssh-jenkins-agent"
+  purpose_data = {
+    network = "${module.cicd_project.project_id}/${google_compute_network.jenkins_agents.name}"
   }
+}
 
-  allow {
-    protocol = "tcp"
-    ports    = ["22"]
-  }
+resource "google_tags_tag_value" "jenkins_agents" {
+  description = "Allow the connection."
+  parent      = "tagKeys/${google_tags_tag_key.jenkins_agents.name}"
+  short_name  = "allow"
+}
+
+module "jenkins_firewall_rules" {
+  source      = "terraform-google-modules/network/google//modules/network-firewall-policy"
+  version     = "~> 8.0"
+  project_id  = module.cicd_project.project_id
+  policy_name = "fp-${google_compute_network.jenkins_agents.name}-jenkins-firewall"
+  description = "Jenkins Agent GCE network firewall rules."
+  target_vpcs = [google_compute_network.jenkins_agents.name]
+
+  rules = [
+    {
+      priority           = "1000"
+      direction          = "INGRESS"
+      action             = "allow"
+      rule_name          = "fw-${google_compute_network.jenkins_agents.name}-1000-i-a-all-all-tcp-22"
+      description        = "Allow the Jenkins Controller (Client) to connect to the Jenkins Agents (Servers) using SSH."
+      enable_logging     = true
+      target_secure_tags = ["tagValues/${google_tags_tag_value.jenkins_agents.name}"]
+      match = {
+        dest_ip_ranges = var.jenkins_controller_subnetwork_cidr_range
+        layer4_configs = [
+          {
+            ip_protocol = "tcp"
+            ports       = ["22"]
+          },
+        ]
+      }
+    }
+  ]
 }
 
 resource "google_compute_network" "jenkins_agents" {

3-networks-dual-svpc/modules/base_env/main.tf

@@ -241,8 +241,6 @@ module "restricted_shared_vpc" {
   secondary_ranges = {
     "sb-${var.environment_code}-shared-restricted-${var.default_region1}" = var.restricted_subnet_secondary_ranges[var.default_region1]
   }
-  allow_all_ingress_ranges = null
-  allow_all_egress_ranges  = null
 }
 
 /******************************************
@@ -312,6 +310,4 @@ module "base_shared_vpc" {
   secondary_ranges = {
     "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1]
   }
-  allow_all_ingress_ranges = null
-  allow_all_egress_ranges  = null
 }

3-networks-dual-svpc/modules/base_shared_vpc/README.md

@@ -3,15 +3,14 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| allow\_all\_egress\_ranges | List of network ranges to which all egress traffic will be allowed | `any` | `null` | no |
-| allow\_all\_ingress\_ranges | List of network ranges from which all ingress traffic will be allowed | `any` | `null` | no |
 | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes |
 | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes |
 | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes |
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
+| enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |

3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf

@@ -15,108 +15,87 @@
  */
 
 /******************************************
-  Mandatory firewall rules
+  Mandatory and optional firewall rules
  *****************************************/
-
-resource "google_compute_firewall" "deny_all_egress" {
-  name      = "fw-${var.environment_code}-shared-base-65530-e-d-all-all-all"
-  network   = module.main.network_name
-  project   = var.project_id
-  direction = "EGRESS"
-  priority  = 65530
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  deny {
-    protocol = "all"
-  }
-
-  destination_ranges = ["0.0.0.0/0"]
-}
-
-
-resource "google_compute_firewall" "allow_private_api_egress" {
-  name      = "fw-${var.environment_code}-shared-base-65430-e-a-allow-google-apis-all-tcp-443"
-  network   = module.main.network_name
-  project   = var.project_id
-  direction = "EGRESS"
-  priority  = 65430
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  allow {
-    protocol = "tcp"
-    ports    = ["443"]
-  }
-
-  destination_ranges = [local.private_googleapis_cidr]
-
-  target_tags = ["allow-google-apis"]
-}
-
-
-resource "google_compute_firewall" "allow_all_egress" {
-  count     = var.allow_all_egress_ranges != null ? 1 : 0
-  name      = "fw-${var.environment_code}-shared-base-1000-e-a-all-all-all"
-  network   = module.main.network_name
-  project   = var.project_id
-  direction = "EGRESS"
-  priority  = 1000
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  allow {
-    protocol = "all"
-  }
-
-  destination_ranges = var.allow_all_egress_ranges
-}
-
-resource "google_compute_firewall" "allow_all_ingress" {
-  count     = var.allow_all_ingress_ranges != null ? 1 : 0
-  name      = "fw-${var.environment_code}-shared-base-1000-i-a-all"
-  network   = module.main.network_name
-  project   = var.project_id
-  direction = "INGRESS"
-  priority  = 1000
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  allow {
-    protocol = "all"
-  }
-
-  source_ranges = var.allow_all_ingress_ranges
+module "firewall_rules" {
+  source      = "terraform-google-modules/network/google//modules/network-firewall-policy"
+  version     = "~> 8.0"
+  project_id  = var.project_id
+  policy_name = "fp-${var.environment_code}-dual-svpc-base-firewalls"
+  description = "Firewall rules for base dual shared vpc: ${module.main.network_name}."
+  target_vpcs = ["projects/${var.project_id}/global/networks/${module.main.network_name}"]
+
+  rules = concat(
+    [
+      {
+        priority       = "65530"
+        direction      = "EGRESS"
+        action         = "deny"
+        rule_name      = "fw-${var.environment_code}-shared-base-65530-e-d-all-all-all"
+        description    = "Lower priority rule to deny all egress traffic."
+        enable_logging = var.firewall_enable_logging
+        match = {
+          dest_ip_ranges = ["0.0.0.0/0"]
+          layer4_configs = [
+            {
+              ip_protocol = "all"
+            },
+          ]
+        }
+      },
+      {
+        priority       = "1000"
+        direction      = "EGRESS"
+        action         = "allow"
+        rule_name      = "fw-${var.environment_code}-shared-base-1000-e-a-allow-google-apis-all-tcp-443"
+        description    = "Lower priority rule to allow private google apis on TCP port 443."
+        enable_logging = var.firewall_enable_logging
+        match = {
+          dest_ip_ranges = [local.private_googleapis_cidr]
+          layer4_configs = [
+            {
+              ip_protocol = "tcp"
+              ports       = ["443"]
+            },
+          ]
+        }
+      }
+    ],
+    !var.enable_all_vpc_internal_traffic ? [] : [
+      {
+        priority       = "10000"
+        direction      = "EGRESS"
+        action         = "allow"
+        rule_name      = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all"
+        description    = "Allow all egress to the provided IP range."
+        enable_logging = var.firewall_enable_logging
+        match = {
+          dest_ip_ranges = module.main.subnets_ips
+          layer4_configs = [
+            {
+              ip_protocol = "all"
+            },
+          ]
+        }
+      }
+    ],
+    !var.enable_all_vpc_internal_traffic ? [] : [
+      {
+        priority       = "10001"
+        direction      = "INGRESS"
+        action         = "allow"
+        rule_name      = "fw-${var.environment_code}-shared-base-10001-i-a-all"
+        description    = "Allow all ingress to the provided IP range."
+        enable_logging = var.firewall_enable_logging
+        match = {
+          src_ip_ranges = module.main.subnets_ips
+          layer4_configs = [
+            {
+              ip_protocol = "all"
+            },
+          ]
+        }
+      }
+    ]
+  )
 }

3-networks-dual-svpc/modules/base_shared_vpc/variables.tf

@@ -137,12 +137,8 @@ variable "windows_activation_enabled" {
   default     = false
 }
 
-variable "allow_all_egress_ranges" {
-  description = "List of network ranges to which all egress traffic will be allowed"
-  default     = null
-}
-
-variable "allow_all_ingress_ranges" {
-  description = "List of network ranges from which all ingress traffic will be allowed"
-  default     = null
+variable "enable_all_vpc_internal_traffic" {
+  type        = bool
+  description = "Enable firewall policy rule to allow internal traffic (ingress and egress)."
+  default     = false
 }

3-networks-dual-svpc/modules/restricted_shared_vpc/README.md

@@ -4,8 +4,6 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
-| allow\_all\_egress\_ranges | List of network ranges to which all egress traffic will be allowed | `any` | `null` | no |
-| allow\_all\_ingress\_ranges | List of network ranges from which all ingress traffic will be allowed | `any` | `null` | no |
 | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes |
 | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
 | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
@@ -14,6 +12,7 @@
 | dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
+| enable\_all\_vpc\_internal\_traffic | Enable firewall policy rule to allow internal traffic (ingress and egress). | `bool` | `false` | no |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |