Commit 8f92d912 authored by John Jarvis's avatar John Jarvis

Refactoring firewall rules

This moves firewall definitions out of the environment main.tf files and
into the corresponding modules.

* We previously hardcoded IPs for the Google LBs; this uses the data source
instead
* Moves the internal and vpn firewall rule to the vpc module since it is
for the entire network.
parent 1d9b1555
......@@ -19,46 +19,6 @@ provider "google" {
region = "${var.region}"
}
##################################
#
# Allow internal traffic
#
#################################
resource "google_compute_firewall" "allow-internal" {
name = "allow-internal-${var.environment}"
network = "${module.network.self_link}"
allow {
protocol = "all"
}
source_ranges = ["10.0.0.0/8"]
}
resource "google_compute_firewall" "allow-azure-vpn" {
name = "allow-vpn-${var.environment}"
network = "${module.network.self_link}"
allow {
protocol = "tcp"
ports = ["22", "80", "443"]
}
source_ranges = ["52.177.194.133/32", "52.177.192.239/32"]
}
resource "google_compute_firewall" "allow-lb-traffic" {
name = "allow-lb-traffic-${var.environment}"
network = "${module.network.self_link}"
allow {
protocol = "all"
}
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
}
/*
##################################
#
......@@ -828,19 +788,6 @@ resource "google_compute_subnetwork" "monitoring" {
private_ip_google_access = true
}
# resource "google_compute_firewall" "monitoring" {
# name = "${format("monitoring-%v", var.environment)}"
# network = "${module.network.self_link}"
#
# allow {
# protocol = "tcp"
# ports = ["${var.public_ports["monitoring"]}"]
# }
#
# source_ranges = ["0.0.0.0/0"]
# target_tags = ["${keys(var.monitoring_hosts)}"]
# }
#######################
#
# load balancer for all hosts in this section
......@@ -860,6 +807,7 @@ module "monitoring-lb" {
service_ports = ["${values(var.monitoring_hosts)}"]
url_map = "${google_compute_url_map.monitoring-lb.self_link}"
hosts = ["${keys(var.monitoring_hosts)}"]
targets = ["${keys(var.monitoring_hosts)}"]
}
#######################
......@@ -882,7 +830,7 @@ module "performance" {
project = "${var.project}"
region = "${var.region}"
service_path = "/login"
service_port = "${var.monitoring_hosts["performance.${var.environment}"]}"
service_port = "${var.monitoring_hosts["performance"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......@@ -908,7 +856,7 @@ module "prometheus" {
project = "${var.project}"
region = "${var.region}"
service_path = "/graph"
service_port = "${var.monitoring_hosts["prometheus.${var.environment}"]}"
service_port = "${var.monitoring_hosts["prometheus"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......@@ -934,7 +882,7 @@ module "prometheus-app" {
project = "${var.project}"
region = "${var.region}"
service_path = "/graph"
service_port = "${var.monitoring_hosts["prometheus-app.${var.environment}"]}"
service_port = "${var.monitoring_hosts["prometheus-app"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......@@ -960,7 +908,7 @@ module "alerts" {
source = "../../modules/google/monitoring-with-count"
tier = "inf"
persistent_disk_path = "/opt"
service_port = "${var.monitoring_hosts["alerts.${var.environment}"]}"
service_port = "${var.monitoring_hosts["alerts"]}"
oauth2_client_id = "${var.oauth2_client_id_monitoring}"
oauth2_client_secret = "${var.oauth2_client_secret_monitoring}"
health_check = "tcp"
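Review bot: Moving `allow-internal` and `allow-azure-vpn` out of this file into the vpc module (first hunk of this file, and the same hunk in the gstg main.tf further down) changes their Terraform addresses while the GCP names `allow-internal-${var.environment}` / `allow-vpn-${var.environment}` stay identical, so a plain apply destroys the root-level rules before it can create the module ones and the network has no internal allow rule for the duration of the apply. Consider a `terraform state mv` of both resources into `module.network` before applying, or stage the change so the module rule exists before the root rule is removed. The dropped `allow-lb-traffic` rule admitted every protocol from the LB ranges network-wide; after this commit LB reachability depends on the tag-scoped rules inside the modules, so any backend in this environment that none of those rules tags would lose health checks — worth confirming against the other module calls in this file, which lie outside the hunks.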
......
......@@ -5,10 +5,10 @@ variable "monitoring_hosts" {
type = "map"
default = {
"performance.gprd" = "80"
"prometheus.gprd" = "9090"
"prometheus-app.gprd" = "9090"
"alerts.gprd" = "9093"
"performance" = "80"
"prometheus" = "9090"
"prometheus-app" = "9090"
"alerts" = "9093"
}
}
......
......@@ -15,46 +15,6 @@ provider "google" {
region = "${var.region}"
}
##################################
#
# Allow internal traffic
#
#################################
resource "google_compute_firewall" "allow-internal" {
name = "allow-internal-${var.environment}"
network = "${module.network.self_link}"
allow {
protocol = "all"
}
source_ranges = ["10.0.0.0/8"]
}
resource "google_compute_firewall" "allow-azure-vpn" {
name = "allow-vpn-${var.environment}"
network = "${module.network.self_link}"
allow {
protocol = "tcp"
ports = ["22", "80", "443"]
}
source_ranges = ["52.177.194.133/32", "52.177.192.239/32"]
}
resource "google_compute_firewall" "allow-lb-traffic" {
name = "allow-lb-traffic-${var.environment}"
network = "${module.network.self_link}"
allow {
protocol = "all"
}
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
}
/*
##################################
#
......@@ -858,19 +818,6 @@ resource "google_compute_subnetwork" "monitoring" {
private_ip_google_access = true
}
# resource "google_compute_firewall" "monitoring" {
# name = "${format("monitoring-%v", var.environment)}"
# network = "${module.network.self_link}"
#
# allow {
# protocol = "tcp"
# ports = ["${var.public_ports["monitoring"]}"]
# }
#
# source_ranges = ["0.0.0.0/0"]
# target_tags = ["${keys(var.monitoring_hosts)}"]
# }
#######################
#
# load balancer for all hosts in this section
......@@ -890,6 +837,7 @@ module "monitoring-lb" {
service_ports = ["${values(var.monitoring_hosts)}"]
url_map = "${google_compute_url_map.monitoring-lb.self_link}"
hosts = ["${keys(var.monitoring_hosts)}"]
targets = ["${keys(var.monitoring_hosts)}"]
}
module "performance" {
......@@ -911,7 +859,7 @@ module "performance" {
region = "${var.region}"
service_account_email = "${var.service_account_email}"
service_path = "/login"
service_port = "${var.monitoring_hosts["performance.${var.environment}"]}"
service_port = "${var.monitoring_hosts["performance"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......@@ -938,7 +886,7 @@ module "prometheus" {
region = "${var.region}"
service_account_email = "${var.service_account_email}"
service_path = "/graph"
service_port = "${var.monitoring_hosts["prometheus.${var.environment}"]}"
service_port = "${var.monitoring_hosts["prometheus"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......@@ -965,7 +913,7 @@ module "prometheus-app" {
region = "${var.region}"
service_account_email = "${var.service_account_email}"
service_path = "/graph"
service_port = "${var.monitoring_hosts["prometheus-app.${var.environment}"]}"
service_port = "${var.monitoring_hosts["prometheus-app"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......@@ -992,7 +940,7 @@ module "alerts" {
project = "${var.project}"
region = "${var.region}"
service_account_email = "${var.service_account_email}"
service_port = "${var.monitoring_hosts["alerts.${var.environment}"]}"
service_port = "${var.monitoring_hosts["alerts"]}"
source = "../../modules/google/monitoring-with-count"
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
tier = "inf"
......
......@@ -51,10 +51,10 @@ variable "monitoring_hosts" {
type = "map"
default = {
"performance.gstg" = "80"
"prometheus.gstg" = "9090"
"prometheus-app.gstg" = "9090"
"alerts.gstg" = "9093"
"performance" = "80"
"prometheus" = "9090"
"prometheus-app" = "9090"
"alerts" = "9093"
}
}
......
......@@ -3,7 +3,7 @@ data "google_compute_lb_ip_ranges" "ranges" {}
resource "aws_route53_record" "default" {
count = "${length(var.hosts)}"
zone_id = "${var.gitlab_net_zone_id}"
name = "${var.hosts[count.index]}.gitlab.net."
name = "${var.hosts[count.index]}.${var.environment}.gitlab.net."
type = "A"
ttl = "300"
records = ["${google_compute_global_address.default.address}"]
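Review bot: Changing `name` to `${var.hosts[count.index]}.${var.environment}.gitlab.net.` forces Terraform to replace every record this module manages: the old `<host>.gitlab.net.` names are deleted and the new ones created, so anything that still resolves the old names (for example redirect URIs registered for the OAuth clients the environment main.tf passes to the monitoring modules) has to be updated in the same rollout. The hunk adds no `variable "environment"` to this module's variables.tf (only `targets` is added below), so presumably it is already declared — verify, since a missing declaration fails at plan time. A comment on the record such as `# hostnames are <host>.<environment>.gitlab.net; the environment used to be part of the map key` would explain the new shape to the next reader.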
......@@ -36,6 +36,6 @@ resource "google_compute_firewall" "default" {
ports = ["${var.service_ports}"]
}
source_ranges = ["${data.google_compute_lb_ip_ranges.ranges.network}"]
target_tags = ["${var.name}"]
source_ranges = ["${concat(data.google_compute_lb_ip_ranges.ranges.network, data.google_compute_lb_ip_ranges.ranges.http_ssl_tcp_internal)}"]
target_tags = ["${var.targets}"]
}
......@@ -48,3 +48,8 @@ variable "zone" {
type = "string"
default = ""
}
variable "targets" {
type = "list"
description = "target tags for the load balancer"
}
......@@ -34,7 +34,7 @@ resource "google_compute_firewall" "default" {
ports = ["${var.health_check_ports}"]
}
source_ranges = ["${data.google_compute_lb_ip_ranges.ranges.network}"]
source_ranges = ["${concat(data.google_compute_lb_ip_ranges.ranges.network, data.google_compute_lb_ip_ranges.ranges.http_ssl_tcp_internal)}"]
target_tags = ["${var.targets}"]
}
......
##################################
#
# Allow internal traffic
#
##################################
resource "google_compute_firewall" "allow-internal" {
name = "allow-internal-${var.environment}"
network = "${google_compute_network.main.self_link}"
allow {
protocol = "all"
}
source_ranges = ["10.0.0.0/8"]
}
##################################
#
# Allow azure vpn
#
##################################
resource "google_compute_firewall" "allow-azure-vpn" {
name = "allow-vpn-${var.environment}"
network = "${google_compute_network.main.self_link}"
allow {
protocol = "tcp"
ports = ["22", "80", "443"]
}
source_ranges = ["52.177.194.133/32", "52.177.192.239/32"]
}
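Review bot: `allow-azure-vpn` hardcodes the two peer addresses inside the module and carries no `target_tags`, so TCP 22/80/443 from those peers reaches every instance in the network and changing a peer means editing the module for all environments. Declare `variable "vpn_source_ranges" { type = "list" }` with the current two addresses as its `default`, reference it as `source_ranges = ["${var.vpn_source_ranges}"]`, and add `target_tags` if only a subset of hosts needs to accept VPN traffic. `allow-internal` admits all protocols from the whole `10.0.0.0/8`, which is wider than this VPC's own ranges; if intra-VPC traffic is the intent, either narrow it to the subnetwork CIDRs or add a comment stating why the full /8 is required. Neither rule sets a `description`, which the provider supports and which is what an auditor sees next to the rule in the console.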