update firewall submodule README

ludoo · ludoo · commit 13cd1858871d · 2019-10-11T07:53:04.000+02:00
diff --git a/modules/fabric-net-firewall/README.md b/modules/fabric-net-firewall/README.md
@@ -1,18 +1,38 @@
-# Google Cloud Simple VPC Firewall Creation
+# Google Cloud VPC Firewall
 
-This module allows creation of a minimal VPC firewall, supporting basic configurable rules for IP range-based intra-VPC and administrator ingress, and tag-based SSH, HTTP, and HTTPS ingress.
+This module allows creation of a minimal VPC firewall, supporting basic configurable rules for IP range-based intra-VPC and administrator ingress,  tag-based SSH/HTTP/HTTPS ingress, and custom rule definitions.
 
-The HTTP and HTTPS rules use the same network tags network tags that are assigned to instances when flaggging the "Allow HTTP[S] traffic" checkbox in the Cloud Console. The SSH rule uses a generic `ssh` tag.
+The HTTP and HTTPS rules use the same network tags that are assigned to instances when the "Allow HTTP[S] traffic" checkbox is flagged in the Cloud Console. The SSH rule uses a generic `ssh` tag.
 
 All IP source ranges are configurable through variables, and are set by default to `0.0.0.0/0` for tag-based rules. Allowed protocols and/or ports for the intra-VPC rule are also configurable through a variable.
 
+Custom rules are set through a map where key is the rule name, and values must match this custom type:
+
+```hcl
+map(object({
+  description          = string
+  direction            = string       # (INGRESS|EGRESS)
+  action               = string       # (allow|deny)
+  ranges               = list(string) # list of IP CIDR ranges
+  sources              = list(string) # tags or SAs (ignored for EGRESS)
+  targets              = list(string) # tags or SAs
+  use_service_accounts = bool         # defaults to false
+  rules = list(object({
+    protocol = string
+    ports    = list(string)
+  }))
+  extra_attributes = map(string)      # map, optional keys disabled or priority
+}))
+```
+
 The resources created/managed by this module are:
 
 - one optional ingress rule from internal CIDR ranges, only allowing ICMP by default
 - one optional ingress rule from admin CIDR ranges, allowing all protocols on all ports
 - one optional ingress rule for SSH on network tag `ssh`
 - one optional ingress rule for HTTP on network tag `http-server`
 - one optional ingress rule for HTTPS on network tag `https-server`
+- one or more optional custom rules
 
 
 ## Usage
@@ -26,6 +46,24 @@ module "net-firewall" {
   network                 = "my-vpc"
   internal_ranges_enabled = true
   internal_ranges         = ["10.0.0.0/0"]
+  custom_rules = {
+    ingress-sample = {
+      description          = "Dummy sample ingress rule, tag-based."
+      direction            = "INGRESS"
+      action               = "allow"
+      ranges               = ["192.168.0.0"]
+      sources              = ["spam-tag"]
+      targets              = ["foo-tag", "egg-tag"]
+      use_service_accounts = false
+      rules = [
+        {
+          protocol = "tcp"
+          ports    = []
+        }
+      ]
+      extra_attributes = {}
+    }
+  }
 }
 ```
 
