gitlab-analysis vpc peering and firewall rules

parent 1d7150c7
##################################
#
# DR
#
#################################
resource "google_compute_firewall" "allow-dr-postgres" {
name = "allow-dr-postgres"
description = "Allows postgres traffic from our DR environment into gprd"
......@@ -33,3 +39,53 @@ data "google_iam_policy" "dr-sa-access" {
]
}
}
##################################
#
# gitlab-analysis
#
#################################
#resource "google_compute_network_peering" "peering-gitlab-analysis" {
# name = "peering-gitlab-analysis"
# network = "${var.network_env}"
# peer_network = "https://www.googleapis.com/compute/v1/projects/gitlab-analysis/global/networks/default"
#}
#
#resource "google_compute_firewall" "allow-postgres-gitlab-analysis" {
# name = "allow-postgres-gitlab-analysis"
# description = "allow gitlab-analysis default network to access gprd network"
# network = "${var.network_env}"
#
# source_ranges = [
# "10.138.0.0/20", # only from us-west-1 default subnet
# ]
#
# target_tags = [
# "postgres-dr-archive",
# ]
#
# allow {
# protocol = "tcp"
# ports = ["5432"]
# }
#}
#
## adding a subnet in gitlab-analysis is sufficient to bypass this rule
#resource "google_compute_firewall" "block-all-gitlab-analysis" {
# name = "block-all-gitlab-analysis"
# description = "block all traffic from gitlab-analysis"
# network = "${var.network_env}"
# priority = 65000
#
# target_tags = [
# "${var.network_env}",
# ]
#
# deny {
# protocol = "*"
# ports = ["*"]
# }
#}
##################################
#
# gitlab-analysis
#
#################################
resource "google_compute_network_peering" "peering-gitlab-analysis" {
name = "peering-gitlab-analysis"
network = "${var.network_env}"
peer_network = "https://www.googleapis.com/compute/v1/projects/gitlab-analysis/global/networks/default"
}
resource "google_compute_firewall" "allow-postgres-gitlab-analysis" {
name = "allow-postgres-gitlab-analysis"
description = "allow gitlab-analysis default network to access gprd network"
network = "${var.network_env}"
source_ranges = [
"10.138.0.0/20", # only from us-west-1 default subnet
]
target_tags = [
"postgres-dr-archive",
]
allow {
protocol = "tcp"
ports = ["5432"]
}
}
resource "google_compute_firewall" "block-all-gitlab-analysis" {
name = "block-all-gitlab-analysis"
description = "block all traffic from gitlab-analysis"
network = "${var.network_env}"
priority = 65000
target_tags = [
"${var.network_env}",
]
deny {
protocol = "*"
ports = ["*"]
}
}
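Review bot: The `block-all-gitlab-analysis` deny rule at the end of the hunk has no `source_ranges` or `source_tags`, so it is not scoped to the peered gitlab-analysis network at all; if I read the provider defaults right, an ingress rule with neither field matches every source, making this a deny-from-anywhere at priority 65000 that duplicates the implied deny rather than guarding the peering. If the intent is to fence off the peer beyond the single 5432 allow, scope it explicitly, e.g. `source_ranges = ["10.138.0.0/20"]` (or the full list of the peer's subnets), or drop the rule and document that the implied deny covers it. The caveat from the commented-out version, `# adding a subnet in gitlab-analysis is sufficient to bypass this rule`, did not survive into the live resource and is worth restoring above it, since the allow rule's `source_ranges` is likewise pinned to one subnet. I am also not certain the provider accepts `protocol = "*"` together with `ports = ["*"]` in a `deny` block — the documented catch-all is `protocol = "all"` with no `ports` — so this is worth confirming with a plan/apply before merging.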