Add optional support for fw policies via new vpc_configs variable, refactor factories variable in net stages (GoogleCloudPlatform#2801)

* net a

* extend change to other networking stages

* refactor factories config variable in net a

* net b and c

* complete net b

* fix errors, add mtu

* fix

* fix

* fix errors

Author: ludoo

fast/stages/2-networking-a-simple/README.md

@@ -68,7 +68,7 @@ module "landing-dns-policy-googleapis" {
   project_id = module.landing-project.project_id
   name       = "googleapis"
   factories_config = {
-    rules = var.factories_config.dns_policy_rules_file
+    rules = var.factories_config.dns_policy_rules
   }
   networks = {
     landing = module.landing-vpc.self_link

fast/stages/2-networking-a-simple/dns-landing.tf

@@ -67,11 +67,11 @@ module "folder" {
 
 module "firewall-policy-default" {
   source    = "../../../modules/net-firewall-policy"
-  name      = var.factories_config.firewall_policy_name
+  name      = var.factories_config.firewall.hierarchical.policy_name
   parent_id = module.folder.id
   factories_config = {
-    cidr_file_path          = "${var.factories_config.data_dir}/cidrs.yaml"
-    ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
+    cidr_file_path          = var.factories_config.firewall.cidr_file
+    ingress_rules_file_path = var.factories_config.firewall.hierarchical.ingress_rules
   }
 }
 

fast/stages/2-networking-a-simple/main.tf

@@ -17,11 +17,10 @@
 # tfdoc:file:description Network monitoring dashboards.
 
 locals {
-  dashboard_path  = "${var.factories_config.data_dir}/dashboards"
-  dashboard_files = fileset(local.dashboard_path, "*.json")
+  dashboard_files = fileset(var.factories_config.dashboards, "*.json")
   dashboards = {
     for filename in local.dashboard_files :
-    filename => "${local.dashboard_path}/${filename}"
+    filename => "${var.factories_config.dashboards}/${filename}"
   }
 }
 

fast/stages/2-networking-a-simple/monitoring.tf

@@ -16,6 +16,22 @@
 
 # tfdoc:file:description Dev spoke VPC and related resources.
 
+locals {
+  # streamline VPC configuration conditionals for modules by moving them here
+  dev_cfg = {
+    cloudnat    = var.vpc_configs.dev.cloudnat.enable == true
+    dns_logging = var.vpc_configs.dev.dns.enable_logging == true
+    dns_policy  = var.vpc_configs.dev.dns.create_inbound_policy == true
+    fw_classic  = var.vpc_configs.dev.firewall.use_classic == true
+    fw_order = (
+      var.vpc_configs.dev.firewall.policy_has_priority == true
+      ? "BEFORE_CLASSIC_FIREWALL"
+      : "AFTER_CLASSIC_FIREWALL"
+    )
+    fw_policy = var.vpc_configs.dev.firewall.create_policy == true
+  }
+}
+
 module "dev-spoke-project" {
   source          = "../../../modules/project"
   billing_account = var.billing_account.id
@@ -67,24 +83,26 @@ module "dev-spoke-project" {
 }
 
 module "dev-spoke-vpc" {
-  source     = "../../../modules/net-vpc"
-  project_id = module.dev-spoke-project.project_id
-  name       = "dev-spoke-0"
-  mtu        = 1500
-  dns_policy = {
-    logging = var.dns.enable_logging
+  source                          = "../../../modules/net-vpc"
+  project_id                      = module.dev-spoke-project.project_id
+  name                            = "dev-spoke-0"
+  mtu                             = var.vpc_configs.dev.mtu
+  delete_default_routes_on_create = true
+  dns_policy = !local.dev_cfg.dns_policy ? {} : {
+    inbound = true
+    logging = local.dev_cfg.dns_logging
   }
   factories_config = {
     context        = { regions = var.regions }
-    subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
+    subnets_folder = "${var.factories_config.subnets}/dev"
   }
-  psa_configs = var.psa_ranges.dev
+  firewall_policy_enforcement_order = local.dev_cfg.fw_order
+  psa_configs                       = var.psa_ranges.dev
   # set explicit routes for googleapis in case the default route is deleted
   create_googleapis_routes = {
     private    = true
     restricted = true
   }
-  delete_default_routes_on_create = true
   routes = {
     default = {
       dest_range    = "0.0.0.0/0"
@@ -97,20 +115,40 @@ module "dev-spoke-vpc" {
 
 module "dev-spoke-firewall" {
   source     = "../../../modules/net-vpc-firewall"
+  count      = local.dev_cfg.fw_classic ? 1 : 0
   project_id = module.dev-spoke-project.project_id
   network    = module.dev-spoke-vpc.name
   default_rules_config = {
     disabled = true
   }
   factories_config = {
-    cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
-    rules_folder  = "${var.factories_config.data_dir}/firewall-rules/dev"
+    cidr_tpl_file = var.factories_config.firewall.cidr_file
+    rules_folder  = "${var.factories_config.firewall.classic_rules}/dev"
+  }
+}
+
+module "dev-firewall-policy" {
+  source    = "../../../modules/net-firewall-policy"
+  count     = local.dev_cfg.fw_policy ? 1 : 0
+  name      = "dev-spoke-0"
+  parent_id = module.dev-spoke-project.project_id
+  region    = "global"
+  attachments = {
+    dev-spoke-0 = module.dev-spoke-vpc.id
+  }
+  # TODO: add context for security groups
+  factories_config = {
+    cidr_file_path          = var.factories_config.firewall.cidr_file
+    egress_rules_file_path  = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
+    ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
   }
 }
 
 module "dev-spoke-cloudnat" {
-  source         = "../../../modules/net-cloudnat"
-  for_each       = toset(var.enable_cloud_nat ? values(module.dev-spoke-vpc.subnet_regions) : [])
+  source = "../../../modules/net-cloudnat"
+  for_each = toset(
+    local.dev_cfg.cloudnat ? values(module.dev-spoke-vpc.subnet_regions) : []
+  )
   project_id     = module.dev-spoke-project.project_id
   region         = each.value
   name           = "dev-nat-${local.region_shortnames[each.value]}"

fast/stages/2-networking-a-simple/net-dev.tf

@@ -16,6 +16,31 @@
 
 # tfdoc:file:description Landing VPC and related resources.
 
+locals {
+  # streamline VPC configuration conditionals for modules by moving them here
+  landing_cfg = {
+    cloudnat = (
+      local.spoke_connection != "ncc" &&
+      var.vpc_configs.landing.cloudnat.enable == true
+    )
+    dns_logging = var.vpc_configs.landing.dns.enable_logging == true
+    dns_policy  = var.vpc_configs.landing.dns.create_inbound_policy == true
+    fw_classic = (
+      local.spoke_connection != "ncc" &&
+      var.vpc_configs.landing.firewall.use_classic == true
+    )
+    fw_order = (
+      var.vpc_configs.landing.firewall.policy_has_priority == true
+      ? "BEFORE_CLASSIC_FIREWALL"
+      : "AFTER_CLASSIC_FIREWALL"
+    )
+    fw_policy = (
+      local.spoke_connection != "ncc" &&
+      var.vpc_configs.landing.firewall.create_policy == true
+    )
+  }
+}
+
 module "landing-project" {
   source          = "../../../modules/project"
   billing_account = var.billing_account.id
@@ -42,19 +67,20 @@ module "landing-project" {
 }
 
 module "landing-vpc" {
-  source     = "../../../modules/net-vpc"
-  project_id = module.landing-project.project_id
-  name       = "prod-landing-0"
-  mtu        = 1500
-  dns_policy = {
+  source                          = "../../../modules/net-vpc"
+  project_id                      = module.landing-project.project_id
+  name                            = "prod-landing-0"
+  mtu                             = var.vpc_configs.landing.mtu
+  delete_default_routes_on_create = true
+  dns_policy = !local.landing_cfg.dns_policy ? {} : {
     inbound = true
-    logging = var.dns.enable_logging
+    logging = local.landing_cfg.dns_logging
   }
   factories_config = {
     context        = { regions = var.regions }
-    subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
+    subnets_folder = "${var.factories_config.subnets}/landing"
   }
-  delete_default_routes_on_create = true
+  firewall_policy_enforcement_order = local.landing_cfg.fw_order
   routes = {
     default = {
       dest_range    = "0.0.0.0/0"
@@ -66,22 +92,39 @@ module "landing-vpc" {
 }
 
 module "landing-firewall" {
-  count      = local.spoke_connection != "ncc" ? 1 : 0
   source     = "../../../modules/net-vpc-firewall"
+  count      = local.landing_cfg.fw_classic ? 1 : 0
   project_id = module.landing-project.project_id
   network    = module.landing-vpc.name
   default_rules_config = {
     disabled = true
   }
   factories_config = {
-    cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
-    rules_folder  = "${var.factories_config.data_dir}/firewall-rules/landing"
+    cidr_tpl_file = var.factories_config.firewall.cidr_file
+    rules_folder  = "${var.factories_config.firewall.classic_rules}/landing"
+  }
+}
+
+module "landing-firewall-policy" {
+  source    = "../../../modules/net-firewall-policy"
+  count     = local.landing_cfg.fw_policy ? 1 : 0
+  name      = "prod-landing-0"
+  parent_id = module.landing-project.project_id
+  region    = "global"
+  attachments = {
+    landing-0 = module.landing-vpc.id
+  }
+  # TODO: add context for security groups
+  factories_config = {
+    cidr_file_path          = var.factories_config.firewall.cidr_file
+    egress_rules_file_path  = "${var.factories_config.firewall.policy_rules}/landing/egress.yaml"
+    ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/ingress.yaml"
   }
 }
 
 module "landing-nat-primary" {
   source         = "../../../modules/net-cloudnat"
-  count          = var.enable_cloud_nat && local.spoke_connection != "ncc" ? 1 : 0
+  count          = local.landing_cfg.cloudnat ? 1 : 0
   project_id     = module.landing-project.project_id
   region         = var.regions.primary
   name           = local.region_shortnames[var.regions.primary]

fast/stages/2-networking-a-simple/net-landing.tf

@@ -16,6 +16,22 @@
 
 # tfdoc:file:description Production spoke VPC and related resources.
 
+locals {
+  # streamline VPC configuration conditionals for modules by moving them here
+  prod_cfg = {
+    cloudnat    = var.vpc_configs.prod.cloudnat.enable == true
+    dns_logging = var.vpc_configs.prod.dns.enable_logging == true
+    dns_policy  = var.vpc_configs.prod.dns.create_inbound_policy == true
+    fw_classic  = var.vpc_configs.prod.firewall.use_classic == true
+    fw_order = (
+      var.vpc_configs.prod.firewall.policy_has_priority == true
+      ? "BEFORE_CLASSIC_FIREWALL"
+      : "AFTER_CLASSIC_FIREWALL"
+    )
+    fw_policy = var.vpc_configs.prod.firewall.create_policy == true
+  }
+}
+
 module "prod-spoke-project" {
   source          = "../../../modules/project"
   billing_account = var.billing_account.id
@@ -67,19 +83,21 @@ module "prod-spoke-project" {
 }
 
 module "prod-spoke-vpc" {
-  source     = "../../../modules/net-vpc"
-  project_id = module.prod-spoke-project.project_id
-  name       = "prod-spoke-0"
-  mtu        = 1500
-  dns_policy = {
-    logging = var.dns.enable_logging
+  source                          = "../../../modules/net-vpc"
+  project_id                      = module.prod-spoke-project.project_id
+  name                            = "prod-spoke-0"
+  mtu                             = var.vpc_configs.prod.mtu
+  delete_default_routes_on_create = true
+  dns_policy = !local.prod_cfg.dns_policy ? {} : {
+    inbound = true
+    logging = local.prod_cfg.dns_logging
   }
   factories_config = {
     context        = { regions = var.regions }
-    subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
+    subnets_folder = "${var.factories_config.subnets}/prod"
   }
-  psa_configs                     = var.psa_ranges.prod
-  delete_default_routes_on_create = true
+  firewall_policy_enforcement_order = local.prod_cfg.fw_order
+  psa_configs                       = var.psa_ranges.prod
   routes = {
     default = {
       dest_range    = "0.0.0.0/0"
@@ -92,20 +110,40 @@ module "prod-spoke-vpc" {
 
 module "prod-spoke-firewall" {
   source     = "../../../modules/net-vpc-firewall"
+  count      = local.prod_cfg.fw_classic ? 1 : 0
   project_id = module.prod-spoke-project.project_id
   network    = module.prod-spoke-vpc.name
   default_rules_config = {
     disabled = true
   }
   factories_config = {
-    cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
-    rules_folder  = "${var.factories_config.data_dir}/firewall-rules/prod"
+    cidr_tpl_file = var.factories_config.firewall.cidr_file
+    rules_folder  = "${var.factories_config.firewall.classic_rules}/prod"
+  }
+}
+
+module "prod-firewall-policy" {
+  source    = "../../../modules/net-firewall-policy"
+  count     = local.prod_cfg.fw_policy ? 1 : 0
+  name      = "prod-spoke-0"
+  parent_id = module.prod-spoke-project.project_id
+  region    = "global"
+  attachments = {
+    prod-spoke-0 = module.prod-spoke-vpc.id
+  }
+  # TODO: add context for security groups
+  factories_config = {
+    cidr_file_path          = var.factories_config.firewall.cidr_file
+    egress_rules_file_path  = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
+    ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
   }
 }
 
 module "prod-spoke-cloudnat" {
-  source         = "../../../modules/net-cloudnat"
-  for_each       = toset(var.enable_cloud_nat ? values(module.prod-spoke-vpc.subnet_regions) : [])
+  source = "../../../modules/net-cloudnat"
+  for_each = toset(
+    local.prod_cfg.cloudnat ? values(module.prod-spoke-vpc.subnet_regions) : []
+  )
   project_id     = module.prod-spoke-project.project_id
   region         = each.value
   name           = "prod-nat-${local.region_shortnames[each.value]}"