feat: add web_server_network_access_control (#102)

imrannayer · web-flow · commit 60648169ee59 · 2023-11-30T14:50:21.000-05:00
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -28,48 +28,11 @@ steps:
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
 
-# ----- SUITE airflow-connection-local
-
-- id: converge airflow-connection-local
-  waitFor:
-    - create all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge airflow-connection-local']
-- id: verify airflow-connection-local
-  waitFor:
-    - converge airflow-connection-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify airflow-connection-local']
-# - id: destroy airflow-connection-local
-#   waitFor:
-#     - verify airflow-connection-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy airflow-connection-local']
-
-
-# ----- SUITE airflow-pool-local
-
-- id: converge airflow-pool-local
-  waitFor:
-    - create all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge airflow-pool-local']
-- id: verify airflow-pool-local
-  waitFor:
-    - converge airflow-pool-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify airflow-pool-local']
-# - id: destroy airflow-pool-local
-#   waitFor:
-#     - verify airflow-pool-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy airflow-pool-local']
-
-  # ----- SUITE simple-composer-env-v2-local
+  # ----- SUITE simple-composer-env-v2
 
 - id: init-simple-composer-env-v2
   waitFor:
-    - verify airflow-pool-local
+    - create all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage init --verbose']
 - id: apply-simple-composer-env-v2
@@ -88,6 +51,7 @@ steps:
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage destroy --verbose']
 
+
 # ----- SUITE composer-v2-sharedvpc-prereq-local
 
 - id: init-composer-v2-sharedvpc-prereq
@@ -115,7 +79,7 @@ steps:
 
 - id: init-simple-composer-env-v1
   waitFor:
-    - destroy-composer-v2-sharedvpc-prereq
+    - destroy-simple-composer-env-v2
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage init --verbose']
 - id: apply-simple-composer-env-v1
@@ -133,6 +97,42 @@ steps:
     - verify-simple-composer-env-v1
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage destroy --verbose']
+# ----- SUITE airflow-connection-local
+
+- id: converge airflow-connection-local
+  waitFor:
+    - destroy-simple-composer-env-v1
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge airflow-connection-local']
+- id: verify airflow-connection-local
+  waitFor:
+    - converge airflow-connection-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify airflow-connection-local']
+# - id: destroy airflow-connection-local
+#   waitFor:
+#     - verify airflow-connection-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy airflow-connection-local']
+
+
+# ----- SUITE airflow-pool-local
+
+- id: converge airflow-pool-local
+  waitFor:
+    - destroy-simple-composer-env-v1
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge airflow-pool-local']
+- id: verify airflow-pool-local
+  waitFor:
+    - converge airflow-pool-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify airflow-pool-local']
+# - id: destroy airflow-pool-local
+#   waitFor:
+#     - verify airflow-pool-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy airflow-pool-local']
 tags:
 - 'ci'
 - 'integration'
diff --git a/examples/simple_composer_env_v2/main.tf b/examples/simple_composer_env_v2/main.tf
@@ -94,4 +94,14 @@ module "simple-composer-environment" {
   depends_on = [
     google_storage_bucket_iam_member.object_admin,
   ]
+  web_server_network_access_control = [
+    {
+      allowed_ip_range = "192.0.2.0/24"
+      description      = "office net 1"
+    },
+    {
+      allowed_ip_range = "192.0.4.0/24"
+      description      = "office net 2"
+    },
+  ]
 }
diff --git a/modules/create_environment_v2/README.md b/modules/create_environment_v2/README.md
@@ -92,6 +92,7 @@ module "simple-composer-environment" {
 | triggerer | Configuration for resources used by Airflow triggerer | <pre>object({<br>    cpu       = string<br>    memory_gb = number<br>    count     = number<br>  })</pre> | `null` | no |
 | use\_private\_environment | Create a private environment. | `bool` | `false` | no |
 | web\_server | Configuration for resources used by Airflow web server. | <pre>object({<br>    cpu        = string<br>    memory_gb  = number<br>    storage_gb = number<br>  })</pre> | <pre>{<br>  "cpu": 2,<br>  "memory_gb": 7.5,<br>  "storage_gb": 5<br>}</pre> | no |
+| web\_server\_network\_access\_control | The network-level access control policy for the Airflow web server. If unspecified, no network-level access restrictions are applied | <pre>list(object({<br>    allowed_ip_range = string<br>    description      = string<br>  }))</pre> | `null` | no |
 | worker | Configuration for resources used by Airflow workers. | <pre>object({<br>    cpu        = string<br>    memory_gb  = number<br>    storage_gb = number<br>    min_count  = number<br>    max_count  = number<br>  })</pre> | <pre>{<br>  "cpu": 2,<br>  "max_count": 6,<br>  "memory_gb": 7.5,<br>  "min_count": 2,<br>  "storage_gb": 5<br>}</pre> | no |
 
 ## Outputs
diff --git a/modules/create_environment_v2/main.tf b/modules/create_environment_v2/main.tf
@@ -186,6 +186,19 @@ resource "google_composer_environment" "composer_env" {
       }
     }
 
+    dynamic "web_server_network_access_control" {
+      for_each = var.web_server_network_access_control == null ? [] : ["web_server_network_access_control"]
+      content {
+        dynamic "allowed_ip_range" {
+          for_each = { for x in var.web_server_network_access_control : x.allowed_ip_range => x }
+          content {
+            value       = allowed_ip_range.value["allowed_ip_range"]
+            description = allowed_ip_range.value["description"]
+          }
+        }
+      }
+    }
+
   }
 
   depends_on = [google_project_iam_member.composer_agent_service_account]
diff --git a/modules/create_environment_v2/variables.tf b/modules/create_environment_v2/variables.tf
@@ -273,3 +273,12 @@ variable "cloud_data_lineage_integration" {
   type        = bool
   default     = false
 }
+
+variable "web_server_network_access_control" {
+  type = list(object({
+    allowed_ip_range = string
+    description      = string
+  }))
+  default     = null
+  description = "The network-level access control policy for the Airflow web server. If unspecified, no network-level access restrictions are applied"
+}

Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,19 @@ resource "google_composer_environment" "composer_env" {`
`186`	`186`	`}`
`187`	`187`	`}`
`188`	`188`
	`189`	`+ dynamic "web_server_network_access_control" {`
	`190`	`+ for_each = var.web_server_network_access_control == null ? [] : ["web_server_network_access_control"]`
	`191`	`+ content {`
	`192`	`+ dynamic "allowed_ip_range" {`
	`193`	`+ for_each = { for x in var.web_server_network_access_control : x.allowed_ip_range => x }`
	`194`	`+ content {`
	`195`	`+ value = allowed_ip_range.value["allowed_ip_range"]`
	`196`	`+ description = allowed_ip_range.value["description"]`
	`197`	`+ }`
	`198`	`+ }`
	`199`	`+ }`
	`200`	`+ }`
	`201`	`+`
`189`	`202`	`}`
`190`	`203`
`191`	`204`	`depends_on = [google_project_iam_member.composer_agent_service_account]`