Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Firewall policy rule with resource manager tag #1

Open
wants to merge 48 commits into
base: master
Choose a base branch
from
Open

feat: Firewall policy rule with resource manager tag #1

wants to merge 48 commits into from

Conversation

Samir-Cit
Copy link
Owner

@Samir-Cit Samir-Cit commented Oct 2, 2023
edited
Loading

Hello folks.

This PR is regarding the usage of resource manager tags for firewall policy rules and on VMs.

Two new resource manager tags created for the two firewall rules that were refactored, allowing IAP SSH and IAP RDP. The peering network project was used as an example, creating a new sub network on the peered network to be used by the VM.

@Samir-Cit
First version of network firewall tags.
7f61a83
@Samir-Cit
Tag for each BU and outputs.
696ff48
@Samir-Cit
Readme
8d0832b
@Samir-Cit
Lint and default value for business_unit
0c063bd
@Samir-Cit
Using tarrget secure tags
8eaedfa
@Samir-Cit
Using firewall tags on peering project.
47d45fc
@Samir-Cit
Change firewall key and value to use on VMs.
7c5d9e2
@Samir-Cit
Small changes on 4-projects for the firewalls
3091131
@Samir-Cit
Force envs to use new firewall rules
251022d
@Samir-Cit
Update VMs module to 10.0 to use resource manager tags
2f09a15
@Samir-Cit
Merge remote-tracking branch 'origin/master' into feat/firewall-tags
5a4c8a2
@Samir-Cit
Fix secure tags and remove unnecessary firewalls
f69ceb3
@Samir-Cit
Rollback envs, using only development
61023ac
@Samir-Cit
Create VM for peering using tags
77746f6
@Samir-Cit
Changes after first deployment of foundations with the tags.
27f2eac
@Samir-Cit
Add roles for app infra pipeline sa. (deployment SA)
59c1e3a
@Samir-Cit
Subnetwork IP range.
8705499
@Samir-Cit
Changing IP ranges to not overlap
9a19941
@Samir-Cit
Enable Cloud Build deploy on peering project
a425351
@Samir-Cit
Change variable subnet_region to be filled when optional IAP rules is…
1dd6da2 
… true
@Samir-Cit
Merge branch 'master' into feat/firewall-tags
0c30b7c
daniel-cit
daniel-cit reviewed Oct 5, 2023
View reviewed changes
4-projects/modules/base_env/example_peering_project.tf Outdated
project = module.peering_project.project_id
}

resource "google_compute_network_firewall_policy_rule" "allow_iap_ssh" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a module for this type of firewall rule?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a module:
https://github.com/terraform-google-modules/terraform-google-network/tree/master/modules/network-firewall-policy

But it's not working as expected so I open an issue:
terraform-google-modules/terraform-google-network#505

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR 514 will fix the issue.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Samir-Cit since network firewall policy module is fixed is it possible to call the module instead of resource?

@Samir-Cit Samir-Cit changed the title Feat/firewall tags feat: Firewall policy rule with resource manager tag Oct 6, 2023
romanini-ciandt
romanini-ciandt reviewed Oct 9, 2023
View reviewed changes
Copy link

@romanini-ciandt romanini-ciandt left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your PR looks really good :) congrats!

Question: Since we are adding new resources (tags, subnets, etc), don't we need to update any .go tests to reflect/expect these new resources?

4-projects/modules/base_env/example_peering_project.tf Outdated
// (https://github.com/terraform-google-modules/terraform-google-bootstrap/tree/master/modules/tf_cloudbuild_workspace)
// in the 4-projects shared environment of each business unit.
// the repository name is the same key used for the app_infra_pipeline_service_accounts map and the
// roles will be granted to the service account with the same key.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about improve a little this comment block? Looks like the written is not super fluid here.
Example: instead of ...permissions to deploy the resources, a Compute Engine instance..., how about ...permissions to deploy a Compute Engine instance...

Also, maybe skipping a line between one idea and another could be easier to understand, instead of multiple non-breaking lines of text.

4-projects/modules/base_env/example_peering_project.tf Outdated Show resolved Hide resolved
Samir-Cit and others added 21 commits October 9, 2023 10:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@romanini-ciandt romanini-ciandt romanini-ciandt left review comments

@renato-rudnicki renato-rudnicki renato-rudnicki left review comments

@daniel-cit daniel-cit daniel-cit left review comments

@imrannayer imrannayer imrannayer left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Samir-Cit @imrannayer @daniel-cit @renato-rudnicki @romanini-ciandt