feat: add destination_ranges and source_ranges in firewall rules (#464)

imrannayer · web-flow · commit 83a7e85ec008 · 2023-06-26T20:28:46.000-05:00
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -196,6 +196,21 @@ steps:
     - verify regional-firewall-policy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkFirewallPolicy --stage teardown --verbose']
+- id: converge firewall-rule
+  waitFor:
+    - create all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage apply --verbose']
+- id: verify firewall-rule
+  waitFor:
+    - converge firewall-rule
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage verify --verbose']
+- id: destroy firewall-rule
+  waitFor:
+    - verify firewall-rule
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/bidirectional-firewall-rules --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'
diff --git a/examples/bidirectional-firewall-rules/README.md b/examples/bidirectional-firewall-rules/README.md
@@ -0,0 +1,30 @@
+# Simple Project With Firewall
+
+This example configures a single simple VPC inside of a project, and adds a ingress/egress firewall rules.
+
+This VPC has two subnets, with no secondary ranges.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| network\_name | The name of the VPC network being created | `string` | `"test-fw-rules"` | no |
+| project\_id | The project ID to host the network in | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| network\_name | The name of the VPC being created |
+| network\_self\_link | The URI of the VPC being created |
+| project\_id | VPC project id |
+| route\_names | The routes associated with this VPC |
+| subnets\_flow\_logs | Whether the subnets will have VPC flow logs enabled |
+| subnets\_ips | The IP and cidrs of the subnets being created |
+| subnets\_names | The names of the subnets being created |
+| subnets\_private\_access | Whether the subnets will have access to Google API's without a public IP |
+| subnets\_regions | The region where subnets will be created |
+| subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/bidirectional-firewall-rules/main.tf b/examples/bidirectional-firewall-rules/main.tf
@@ -0,0 +1,213 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  subnet_01 = "${var.network_name}-subnet-01"
+  subnet_02 = "${var.network_name}-subnet-02"
+
+  custom_rules = [
+    // Example of custom tcp/udp rule
+    {
+      name        = "fwtest-deny-ingress-6534-6566"
+      description = "Deny all INGRESS to port 6534-6566"
+      direction   = "INGRESS"
+      ranges      = ["0.0.0.0/0"]
+      deny = [{
+        protocol = "tcp"
+        ports    = ["6534-6566"]
+        },
+        {
+          protocol = "udp"
+          ports    = ["6534-6566"]
+      }]
+
+    },
+
+    {
+      name        = "fwtest-deny-egress-6534-6566"
+      description = "Deny all EGRESS to 47.189.12.139/32 port 6534-6566"
+      direction   = "EGRESS"
+      ranges      = ["47.189.12.139/32"]
+      deny = [{
+        protocol = "tcp"
+        ports    = ["6534-6566"]
+        },
+        {
+          protocol = "udp"
+          ports    = ["6534-6566"]
+      }]
+
+    },
+
+    // Example how to allow connection from instances with `backend` tag, to instances with `databases` tag
+    {
+      name        = "fwtest-allow-backend-to-databases"
+      description = "Allow backend nodes connection to databases instances"
+      direction   = "INGRESS"
+      target_tags = ["databases"]
+      source_tags = ["backed"]
+      allow = [{
+        protocol = "tcp"
+        ports    = ["3306", "5432", "1521", "1433"]
+      }]
+
+    },
+
+    // Example how to allow connection from an instance with a given service account
+    {
+      name                    = "fwtest-allow-all-admin-sa"
+      description             = "Allow all traffic from admin sa instances"
+      direction               = "INGRESS"
+      source_service_accounts = ["admin@my-shiny-org.iam.gserviceaccount.com"]
+      allow = [{
+        protocol = "tcp"
+        ports    = null # all ports
+        },
+        {
+          protocol = "udp"
+          ports    = null # all ports
+        }
+      ]
+    },
+
+  ]
+
+
+  custom_rules_ingress = [
+    // Example of custom tcp/udp rule
+    {
+      name          = "fwtest-deny-ingress-6500-6566"
+      description   = "Deny all INGRESS to port 6500-6566"
+      source_ranges = ["0.0.0.0/0"]
+      deny = [{
+        protocol = "tcp"
+        ports    = ["6500-6566"]
+        },
+        {
+          protocol = "udp"
+          ports    = ["6500-6566"]
+      }]
+
+    },
+    {
+      name        = "fwtest-allow-backend-to-db"
+      description = "Allow backend nodes connection to databases instances"
+      target_tags = ["db"]     # target_tags
+      source_tags = ["backed"] # source_tags
+      allow = [{
+        protocol = "tcp"
+        ports    = ["3306", "5432", "1521", "1433"]
+      }]
+
+    },
+    {
+      name                    = "fwtest-allow-admin-svc-acct"
+      description             = "Allow all traffic from admin sa instances"
+      source_service_accounts = ["admin@my-shiny-org.iam.gserviceaccount.com"]
+      allow = [{
+        protocol = "tcp"
+        ports    = null # all ports
+        },
+        {
+          protocol = "udp"
+          ports    = null # all ports
+        }
+      ]
+    },
+    {
+      name               = "fwtest-allow-ssh-ing"
+      description        = "Allow all traffic from 10.2.0.0/24 to 10.3.0.0/24"
+      ranges             = null
+      destination_ranges = ["10.2.0.0/24"]
+      source_ranges      = ["10.3.0.0/24"]
+      allow = [{
+        protocol = "tcp"
+        ports    = ["22"]
+      }]
+    },
+
+  ]
+
+
+  custom_rules_egress = [
+    {
+      name               = "fwtest-deny-egress-6400-6466"
+      description        = "Deny all EGRESS to 47.190.12.139/32 port 6400-6466"
+      destination_ranges = ["47.190.12.139/32"]
+      deny = [{
+        protocol = "tcp"
+        ports    = ["6400-6466"]
+        },
+        {
+          protocol = "udp"
+          ports    = ["6400-6466"]
+      }]
+
+    },
+
+    {
+      name               = "fwtest-deny-ssh-egr"
+      description        = "Deny all traffic to 10.10.0.0/24 to 10.11.0.0/24"
+      destination_ranges = ["10.10.0.0/24"]
+      source_ranges      = ["10.11.0.0/24"]
+      deny = [{
+        protocol = "tcp"
+        ports    = ["22"]
+      }]
+    },
+
+
+  ]
+
+
+}
+
+module "test-vpc-module" {
+  source       = "../../"
+  project_id   = var.project_id
+  network_name = var.network_name
+
+  subnets = [
+    {
+      subnet_name   = local.subnet_01
+      subnet_ip     = "10.10.10.0/24"
+      subnet_region = "us-west1"
+    },
+    {
+      subnet_name           = local.subnet_02
+      subnet_ip             = "10.10.20.0/24"
+      subnet_region         = "us-west1"
+      subnet_private_access = "true"
+      subnet_flow_logs      = "true"
+    },
+  ]
+}
+
+
+module "test-firewall-submodule" {
+  source       = "../../modules/firewall-rules"
+  project_id   = var.project_id
+  network_name = module.test-vpc-module.network_name
+  rules        = local.custom_rules
+}
+
+module "test-firewall-submodule-ing-egr" {
+  source        = "../../modules/firewall-rules"
+  project_id    = var.project_id
+  network_name  = module.test-vpc-module.network_name
+  ingress_rules = local.custom_rules_ingress
+  egress_rules  = local.custom_rules_egress
+}
diff --git a/examples/bidirectional-firewall-rules/outputs.tf b/examples/bidirectional-firewall-rules/outputs.tf
@@ -0,0 +1,65 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "network_name" {
+  value       = module.test-vpc-module.network_name
+  description = "The name of the VPC being created"
+}
+
+output "network_self_link" {
+  value       = module.test-vpc-module.network_self_link
+  description = "The URI of the VPC being created"
+}
+
+output "project_id" {
+  value       = module.test-vpc-module.project_id
+  description = "VPC project id"
+}
+
+output "subnets_names" {
+  value       = module.test-vpc-module.subnets_names
+  description = "The names of the subnets being created"
+}
+
+output "subnets_ips" {
+  value       = module.test-vpc-module.subnets_ips
+  description = "The IP and cidrs of the subnets being created"
+}
+
+output "subnets_regions" {
+  value       = module.test-vpc-module.subnets_regions
+  description = "The region where subnets will be created"
+}
+
+output "subnets_private_access" {
+  value       = module.test-vpc-module.subnets_private_access
+  description = "Whether the subnets will have access to Google API's without a public IP"
+}
+
+output "subnets_flow_logs" {
+  value       = module.test-vpc-module.subnets_flow_logs
+  description = "Whether the subnets will have VPC flow logs enabled"
+}
+
+output "subnets_secondary_ranges" {
+  value       = module.test-vpc-module.subnets_secondary_ranges
+  description = "The secondary ranges associated with these subnets"
+}
+
+output "route_names" {
+  value       = module.test-vpc-module.route_names
+  description = "The routes associated with this VPC"
+}
diff --git a/examples/bidirectional-firewall-rules/variables.tf b/examples/bidirectional-firewall-rules/variables.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the network in"
+}
+
+variable "network_name" {
+  description = "The name of the VPC network being created"
+  default     = "test-fw-rules"
+}
diff --git a/examples/bidirectional-firewall-rules/versions.tf b/examples/bidirectional-firewall-rules/versions.tf
@@ -0,0 +1,28 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    google = {
+      version = ">= 4.0.0"
+    }
+    null = {
+      version = ">= 2.1.0"
+    }
+  }
+}
diff --git a/modules/firewall-rules/README.md b/modules/firewall-rules/README.md
diff --git a/modules/firewall-rules/main.tf b/modules/firewall-rules/main.tf
diff --git a/modules/firewall-rules/variables.tf b/modules/firewall-rules/variables.tf
