Skip to content

Latest commit

 

History

History
 
 

net-vpc-firewall

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

Google Cloud VPC Firewall

This module allows creation and management of different types of firewall rules for a single VPC network:

  • blanket ingress rules based on IP ranges that allow all traffic via the admin_ranges variable
  • simplified tag-based ingress rules for the HTTP, HTTPS and SSH protocols via the xxx_source_ranges variables; HTTP and HTTPS tags match those set by the console via the "Allow HTTP(S) traffic" instance flags
  • custom rules via the custom_rules variables

The simplified tag-based rules are enabled by default, set to the ranges of the GCP health checkers for HTTP/HTTPS, and the IAP forwarders for SSH. To disable them set the corresponding variables to empty lists.

Examples

Minimal open firewall

This is often useful for prototyping or testing infrastructure, allowing open ingress from the private range, enabling SSH to private addresses from IAP, and HTTP/HTTPS from the health checkers.

module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = true
  admin_ranges         = ["10.0.0.0/8"]
}
# tftest:modules=1:resources=4

Custom rules

This is an example of how to define custom rules, with a sample rule allowing open ingress for the NTP protocol to instances with the ntp-svc tag.

module "firewall" {
  source               = "./modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges_enabled = true
  admin_ranges         = ["10.0.0.0/8"]
  custom_rules = {
    ntp-svc = {
      description          = "NTP service."
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["0.0.0.0/0"]
      targets              = ["ntp-svc"]
      use_service_accounts = false
      rules                = [{ protocol = "udp", ports = [123] }]
      extra_attributes     = {}
    }
  }
}
# tftest:modules=1:resources=5

Variables

name description type required default
network Name of the network this set of firewall rules applies to. string
project_id Project id of the project that holds the network. string
admin_ranges IP CIDR ranges that have complete access to all subnets. list(string) []
admin_ranges_enabled Enable admin ranges-based rules. bool false
custom_rules List of custom rule definitions (refer to variables file for syntax). map(object({...})) {}
http_source_ranges List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. list(string) ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
https_source_ranges List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. list(string) ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
ssh_source_ranges List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. list(string) ["35.235.240.0/20"]

Outputs

name description sensitive
admin_ranges Admin ranges data.
custom_egress_allow_rules Custom egress rules with allow blocks.
custom_egress_deny_rules Custom egress rules with allow blocks.
custom_ingress_allow_rules Custom ingress rules with allow blocks.
custom_ingress_deny_rules Custom ingress rules with deny blocks.