Merge pull request #40 from terraform-google-modules/fabric-firewall

Initial import of net-firewall submodule from internal version.

Author: aaron-lane

.kitchen.yml

@@ -93,3 +93,20 @@ suites:
           backend: local
           controls:
             - gcloud
+  - name: "submodule_firewall"
+    driver:
+      name: "terraform"
+      command_timeout: 1800
+      root_module_directory: test/fixtures/submodule_firewall/
+    verifier:
+      name: terraform
+      color: true
+      systems:
+        - name: inspec-gcp
+          backend: gcp
+          controls:
+            - gcp
+        - name: local
+          backend: local
+          controls:
+            - gcloud

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning][semver-site].
 
 ## [Unreleased]
 
+### Added
+
+- New firewall submodule [#40]
+
 ## [0.6.0] - 2019-02-21
 
 ### Added

examples/submodule_firewall/README.md

@@ -0,0 +1,24 @@
+# Simple Project With Firewall
+
+This example configures a single simple VPC inside of a project, and adds a basic firewall.
+
+This VPC has two subnets, with no secondary ranges.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| network\_name | The name of the VPC network being created | string | n/a | yes |
+| project\_id | The project ID to host the network in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| admin\_ranges | Firewall attributes for admin ranges. |
+| internal\_ranges | Firewall attributes for internal ranges. |
+| network\_name | The name of the VPC being created |
+
+[^]: (autogen_docs_end)

examples/submodule_firewall/main.tf

@@ -0,0 +1,64 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+locals {
+  subnet_01 = "${var.network_name}-subnet-01"
+  subnet_02 = "${var.network_name}-subnet-02"
+}
+
+module "test-vpc-module" {
+  source       = "../../"
+  project_id   = "${var.project_id}"
+  network_name = "${var.network_name}"
+
+  subnets = [
+    {
+      subnet_name   = "${local.subnet_01}"
+      subnet_ip     = "10.10.10.0/24"
+      subnet_region = "us-west1"
+    },
+    {
+      subnet_name           = "${local.subnet_02}"
+      subnet_ip             = "10.10.20.0/24"
+      subnet_region         = "us-west1"
+      subnet_private_access = "true"
+      subnet_flow_logs      = "true"
+    },
+  ]
+
+  secondary_ranges = {
+    "${local.subnet_01}" = []
+    "${local.subnet_02}" = []
+  }
+}
+
+module "test-firewall-submodule" {
+  source                  = "../../modules/fabric-net-firewall"
+  project_id              = "${var.project_id}"
+  network                 = "${module.test-vpc-module.network_name}"
+  internal_ranges_enabled = true
+  internal_ranges         = ["${module.test-vpc-module.subnets_ips}"]
+
+  internal_allow = [{
+    protocol = "icmp"
+  },
+    {
+      protocol = "tcp"
+    },
+    {
+      protocol = "udp"
+    },
+  ]
+}

examples/submodule_firewall/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "network_name" {
+  value       = "${module.test-vpc-module.network_name}"
+  description = "The name of the VPC being created"
+}
+
+output "internal_ranges" {
+  description = "Firewall attributes for internal ranges."
+  value       = "${module.test-firewall-submodule.internal_ranges}"
+}
+
+output "admin_ranges" {
+  description = "Firewall attributes for admin ranges."
+  value       = "${module.test-firewall-submodule.admin_ranges}"
+}

examples/submodule_firewall/variables.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the network in"
+}
+
+variable "network_name" {
+  description = "The name of the VPC network being created"
+}

modules/fabric-net-firewall/README.md

@@ -0,0 +1,56 @@
+# Google Cloud Simple VPC Firewall Creation
+
+This module allows creation of a minimal VPC firewall, supporting basic configurable rules for IP range-based intra-VPC and administrator ingress, and tag-based SSH, HTTP, and HTTPS ingress.
+
+The HTTP and HTTPS rules use the same network tags network tags that are assigned to instances when flaggging the "Allow HTTP[S] traffic" checkbox in the Cloud Console. The SSH rule uses a generic `ssh` tag.
+
+All IP source ranges are configurable through variables, and are set by default to `0.0.0.0/0` for tag-based rules. Allowed protocols and/or ports for the intra-VPC rule are also configurable through a variable.
+
+The resources created/managed by this module are:
+
+- one optional ingress rule from internal CIDR ranges, only allowing ICMP by default
+- one optional ingress rule from admin CIDR ranges, allowing all protocols on all ports
+- one optional ingress rule for SSH on network tag `ssh`
+- one optional ingress rule for HTTP on network tag `http-server`
+- one optional ingress rule for HTTPS on network tag `https-server`
+
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "net-firewall" {
+  source                  = "terraform-google-modules/terraform-google-network/google//modules/fabric-net-firewall"
+  project_id              = "my-project"
+  network                 = "my-vpc"
+  internal_ranges_enabled = true
+  internal_ranges         = ["10.0.0.0/0"]
+}
+```
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| admin\_ranges | IP CIDR ranges that have complete access to all subnets. | list | `<list>` | no |
+| admin\_ranges\_enabled | Enable admin ranges-based rules. | string | `"false"` | no |
+| http\_source\_ranges | List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
+| https\_source\_ranges | List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
+| internal\_allow | Allow rules for internal ranges. | list | `<list>` | no |
+| internal\_ranges | IP CIDR ranges for intra-VPC rules. | list | `<list>` | no |
+| internal\_ranges\_enabled | Create rules for intra-VPC ranges. | string | `"false"` | no |
+| network | Name of the network this set of firewall rules applies to. | string | n/a | yes |
+| project\_id | Project id of the project that holds the network. | string | n/a | yes |
+| ssh\_source\_ranges | List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| admin\_ranges | Admin ranges data. |
+| internal\_ranges | Internal ranges. |
+
+[^]: (autogen_docs_end)

modules/fabric-net-firewall/main.tf

@@ -0,0 +1,99 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+###############################################################################
+#                            rules based on IP ranges
+###############################################################################
+
+resource "google_compute_firewall" "allow-internal" {
+  count         = "${var.internal_ranges_enabled && length(var.internal_allow) > 0 ? 1 : 0}"
+  name          = "${var.network}-ingress-internal"
+  description   = "Allow ingress traffic from internal IP ranges"
+  network       = "${var.network}"
+  project       = "${var.project_id}"
+  source_ranges = ["${var.internal_ranges}"]
+  allow         = ["${var.internal_allow}"]
+}
+
+resource "google_compute_firewall" "allow-admins" {
+  count         = "${var.admin_ranges_enabled > 0 ? 1 : 0}"
+  name          = "${var.network}-ingress-admins"
+  description   = "Access from the admin subnet to all subnets"
+  network       = "${var.network}"
+  project       = "${var.project_id}"
+  source_ranges = ["${var.admin_ranges}"]
+
+  allow {
+    protocol = "icmp"
+  }
+
+  allow {
+    protocol = "tcp"
+  }
+
+  allow {
+    protocol = "udp"
+  }
+}
+
+###############################################################################
+#                              rules based on tags
+###############################################################################
+
+resource "google_compute_firewall" "allow-tag-ssh" {
+  count         = "${length(var.ssh_source_ranges) > 0 ? 1 : 0}"
+  name          = "${var.network}-ingress-tag-ssh"
+  description   = "Allow SSH to machines with the 'ssh' tag"
+  network       = "${var.network}"
+  project       = "${var.project_id}"
+  source_ranges = ["${var.ssh_source_ranges}"]
+  target_tags   = ["ssh"]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+}
+
+resource "google_compute_firewall" "allow-tag-http" {
+  count         = "${length(var.http_source_ranges) > 0 ? 1 : 0}"
+  name          = "${var.network}-ingress-tag-http"
+  description   = "Allow HTTP to machines with the 'http-server' tag"
+  network       = "${var.network}"
+  project       = "${var.project_id}"
+  source_ranges = ["${var.http_source_ranges}"]
+  target_tags   = ["http-server"]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["80"]
+  }
+}
+
+resource "google_compute_firewall" "allow-tag-https" {
+  count         = "${length(var.https_source_ranges) > 0 ? 1 : 0}"
+  name          = "${var.network}-ingress-tag-https"
+  description   = "Allow HTTPS to machines with the 'https' tag"
+  network       = "${var.network}"
+  project       = "${var.project_id}"
+  source_ranges = ["${var.https_source_ranges}"]
+  target_tags   = ["https-server"]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["443"]
+  }
+}

modules/fabric-net-firewall/outputs.tf

@@ -0,0 +1,33 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "internal_ranges" {
+  description = "Internal ranges."
+
+  value = {
+    enabled = "${var.internal_ranges_enabled}"
+    ranges  = "${var.internal_ranges_enabled ? join(",", var.internal_ranges) : ""}"
+  }
+}
+
+output "admin_ranges" {
+  description = "Admin ranges data."
+
+  value = {
+    enabled = "${var.admin_ranges_enabled}"
+    ranges  = "${var.admin_ranges_enabled ? join(",", var.admin_ranges) : ""}"
+  }
+}