feat: Add dedicated custom firewall rules module (#200)

Author: umairidris

README.md

@@ -97,6 +97,7 @@ Then perform the following commands on the root folder:
 | auto\_create\_subnetworks | When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. | `bool` | `false` | no |
 | delete\_default\_internet\_gateway\_routes | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | description | An optional description of this resource. The resource must be recreated to modify this field. | `string` | `""` | no |
+| firewall\_rules | List of firewall rules | `any` | `[]` | no |
 | mtu | The network MTU. Must be a value between 1460 and 1500 inclusive. If set to 0 (meaning MTU is unset), the network will default to 1460 automatically. | `number` | `0` | no |
 | network\_name | The name of the network being created | `any` | n/a | yes |
 | project\_id | The ID of the project where this VPC will be created | `any` | n/a | yes |

examples/secondary_ranges/main.tf

@@ -84,4 +84,28 @@ module "vpc-secondary-ranges" {
       },
     ]
   }
+
+  firewall_rules = [
+    {
+      name      = "allow-ssh-ingress"
+      direction = "INGRESS"
+      ranges    = ["0.0.0.0/0"]
+      allow = [{
+        protocol = "tcp"
+        ports    = ["22"]
+      }]
+      log_config = {
+        metadata = "INCLUDE_ALL_METADATA"
+      }
+    },
+    {
+      name      = "deny-udp-egress"
+      direction = "INGRESS"
+      ranges    = ["0.0.0.0/0"]
+      deny = [{
+        protocol = "udp"
+        ports    = null
+      }]
+    },
+  ]
 }

main.tf

@@ -50,3 +50,32 @@ module "routes" {
   routes            = var.routes
   module_depends_on = [module.subnets.subnets]
 }
+
+/******************************************
+	Firewall rules
+ *****************************************/
+locals {
+  rules = [
+    for f in var.firewall_rules : {
+      name                    = f.name
+      direction               = f.direction
+      priority                = lookup(f, "priority", null)
+      description             = lookup(f, "description", null)
+      ranges                  = lookup(f, "ranges", null)
+      source_tags             = lookup(f, "source_tags", null)
+      source_service_accounts = lookup(f, "source_service_accounts", null)
+      target_tags             = lookup(f, "target_tags", null)
+      target_service_accounts = lookup(f, "target_service_accounts", null)
+      allow                   = lookup(f, "allow", [])
+      deny                    = lookup(f, "deny", [])
+      log_config              = lookup(f, "log_config", null)
+    }
+  ]
+}
+
+module "firewall_rules" {
+  source       = "./modules/firewall-rules"
+  project_id   = var.project_id
+  network_name = module.vpc.network_name
+  rules        = local.rules
+}

modules/firewall-rules/.gitignore

@@ -0,0 +1 @@
+terraform.tfvars

modules/firewall-rules/README.md

@@ -0,0 +1,56 @@
+# Google Cloud VPC Firewall Rules
+
+This module allows creation of custom VPC firewall rules.
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "firewall_rules" {
+  source       = "terraform-google-modules/network/google//modules/firewall-rules"
+  project_id   = var.project_id
+  network_name = module.vpc.network_name
+
+  rules = [{
+    name = "allow-ssh-ingress"
+    priority = null
+    description = null
+    direction = "INGRESS"
+    ranges = ["0.0.0.0/0"]
+    source = {
+      tags = null
+      service_accounts = null
+    }
+    target = {
+      tags = null
+      service_accounts = null
+    }
+    allow = [{
+      protocol = "tcp"
+      ports = ["22"]
+     }]
+    deny = []
+    log_config = {
+      metadata = "INCLUDE_ALL_METADATA"
+    }
+  }]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| network\_name | Name of the network this set of firewall rules applies to. | `any` | n/a | yes |
+| project\_id | Project id of the project that holds the network. | `any` | n/a | yes |
+| rules | List of custom rule definitions (refer to variables file for syntax). | <pre>list(object({<br>    name                    = string<br>    description             = string<br>    direction               = string<br>    priority                = number<br>    ranges                  = list(string)<br>    source_tags             = list(string)<br>    source_service_accounts = list(string)<br>    target_tags             = list(string)<br>    target_service_accounts = list(string)<br>    allow = list(object({<br>      protocol = string<br>      ports    = list(string)<br>    }))<br>    deny = list(object({<br>      protocol = string<br>      ports    = list(string)<br>    }))<br>    log_config = object({<br>      metadata = string<br>    })<br>  }))</pre> | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| firewall\_rules | The created firewall rule resources |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/firewall-rules/main.tf

@@ -0,0 +1,54 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_firewall" "rules" {
+  for_each                = { for r in var.rules : "${r.name}" => r }
+  name                    = each.value.name
+  description             = each.value.description
+  direction               = each.value.direction
+  network                 = var.network_name
+  project                 = var.project_id
+  source_ranges           = each.value.direction == "INGRESS" ? each.value.ranges : null
+  destination_ranges      = each.value.direction == "EGRESS" ? each.value.ranges : null
+  source_tags             = each.value.source_tags
+  source_service_accounts = each.value.source_service_accounts
+  target_tags             = each.value.target_tags
+  target_service_accounts = each.value.target_service_accounts
+  priority                = each.value.priority
+
+  dynamic "log_config" {
+    for_each = lookup(each.value, "log_config") == null ? [] : [each.value.log_config]
+    content {
+      metadata = log_config.value.metadata
+    }
+  }
+
+  dynamic "allow" {
+    for_each = lookup(each.value, "allow", [])
+    content {
+      protocol = allow.value.protocol
+      ports    = lookup(allow.value, "ports", null)
+    }
+  }
+
+  dynamic "deny" {
+    for_each = lookup(each.value, "deny", [])
+    content {
+      protocol = deny.value.protocol
+      ports    = lookup(deny.value, "ports", null)
+    }
+  }
+}

modules/firewall-rules/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "firewall_rules" {
+  value       = google_compute_firewall.rules
+  description = "The created firewall rule resources"
+}

modules/firewall-rules/variables.tf

@@ -0,0 +1,50 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "Project id of the project that holds the network."
+}
+
+variable "network_name" {
+  description = "Name of the network this set of firewall rules applies to."
+}
+
+variable "rules" {
+  description = "List of custom rule definitions (refer to variables file for syntax)."
+  default     = []
+  type = list(object({
+    name                    = string
+    description             = string
+    direction               = string
+    priority                = number
+    ranges                  = list(string)
+    source_tags             = list(string)
+    source_service_accounts = list(string)
+    target_tags             = list(string)
+    target_service_accounts = list(string)
+    allow = list(object({
+      protocol = string
+      ports    = list(string)
+    }))
+    deny = list(object({
+      protocol = string
+      ports    = list(string)
+    }))
+    log_config = object({
+      metadata = string
+    })
+  }))
+}

modules/firewall-rules/versions.tf

@@ -0,0 +1,22 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">=0.12.6, <0.14"
+  required_providers {
+    google = "<4.0,>= 2.12"
+  }
+}

test/integration/secondary_ranges/controls/gcloud.rb

@@ -98,4 +98,43 @@
       expect(data).not_to include("secondaryIpRanges")
     end
   end
+
+  describe command("gcloud compute firewall-rules describe allow-ssh-ingress --project=#{project_id} --format=json") do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should eq '' }
+
+    let(:data) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout)
+      else
+        {}
+      end
+    end
+
+    it "should have the correct allow rules" do
+      expect(data["allowed"][0]).to include(
+        "IPProtocol" => "tcp",
+        "ports"    => ["22"]
+      )
+    end
+  end
+
+  describe command("gcloud compute firewall-rules describe deny-udp-egress --project=#{project_id} --format=json") do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should eq '' }
+
+    let(:data) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout)
+      else
+        {}
+      end
+    end
+
+    it "should have the correct allow rules" do
+      expect(data["denied"][0]).to include(
+        "IPProtocol" => "udp",
+      )
+    end
+  end
 end