
Commit fe1cfeb

ludookarpok78 authored and committed
Small fixes and improvements to FAST netsec/net (GoogleCloudPlatform#2810)

* remove obsolete stage-links script
* update networking stages fast envs
* add security policy groups FAST variable and context to net stages
* small networking/ngfw fixes
1 parent d5cb7d5 commit fe1cfeb

22 files changed: +50 / -207 lines

fast/stage-links.sh

-187
This file was deleted.
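Review bot: deleting `fast/stage-links.sh` (-187 lines) drops the helper the commit message calls obsolete; check that stage READMEs, CI scripts and any docs that still invoke `stage-links.sh` are updated in the same change, since none of the hunks shown here touch such a reference.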

fast/stages/2-networking-a-simple/.fast-stage.env

+1-1
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@ FAST_STAGE_DESCRIPTION="networking (simple)"
22
FAST_STAGE_LEVEL=2
33
FAST_STAGE_NAME=networking
44
FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
5-
FAST_STAGE_OPTIONAL="2-nsec"
5+
FAST_STAGE_OPTIONAL="2-networking-ngfw"
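Review bot: the optional dependency now names `2-networking-ngfw`, which matches the producer stage listed for `security_profile_groups` in the README row added by this commit; before merging, confirm that no other `.fast-stage.env` file or tooling still refers to the old name `2-nsec`, otherwise the optional dependency would resolve differently across stages.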

fast/stages/2-networking-a-simple/README.md

+3-2
@@ -513,9 +513,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
513513
| [outputs_location](variables.tf#L84) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
514514
| [psa_ranges](variables.tf#L90) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;list&#40;object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; export_routes &#61; optional&#40;bool, false&#41;&#10; import_routes &#61; optional&#40;bool, false&#41;&#10; peered_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; prod &#61; optional&#40;list&#40;object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; export_routes &#61; optional&#40;bool, false&#41;&#10; import_routes &#61; optional&#40;bool, false&#41;&#10; peered_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
515515
| [regions](variables.tf#L110) | Region definitions. | <code title="object&#40;&#123;&#10; primary &#61; string&#10; secondary &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; primary &#61; &#34;europe-west1&#34;&#10; secondary &#61; &#34;europe-west4&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
516+
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> | <code>2-networking-ngfw</code> |
516517
| [spoke_configs](variables.tf#L122) | Spoke connectivity configurations. | <code title="object&#40;&#123;&#10; ncc_configs &#61; optional&#40;object&#40;&#123;&#10; export_psc &#61; optional&#40;bool, true&#41;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; exclude_export_ranges &#61; list&#40;string&#41;&#10; &#125;&#41;, &#123;&#10; exclude_export_ranges &#61; &#91;&#93;&#10; &#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; exclude_export_ranges &#61; list&#40;string&#41;&#10; &#125;&#41;, &#123;&#10; exclude_export_ranges &#61; &#91;&#93;&#10; &#125;&#41;&#10; &#125;&#41;&#41;&#10; peering_configs &#61; optional&#40;object&#40;&#123;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; export &#61; optional&#40;bool, true&#41;&#10; import &#61; optional&#40;bool, true&#41;&#10; public_export &#61; optional&#40;bool&#41;&#10; public_import &#61; optional&#40;bool&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; export &#61; optional&#40;bool, true&#41;&#10; import &#61; optional&#40;bool, true&#41;&#10; public_export &#61; optional&#40;bool&#41;&#10; public_import &#61; optional&#40;bool&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#10; vpn_configs &#61; optional&#40;object&#40;&#123;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; asn &#61; optional&#40;number, 65501&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; landing &#61; optional&#40;object&#40;&#123;&#10; asn &#61; optional&#40;number, 65500&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; asn &#61; optional&#40;number, 65502&#41;&#10; custom_advertise &#61; 
optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; peering_configs &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
517-
| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | <code title="object&#40;&#123;&#10; networking &#61; optional&#40;object&#40;&#123;&#10; short_name &#61; optional&#40;string&#41;&#10; iam_delegated_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_viewer_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>1-resman</code> |
518-
| [tag_values](variables-fast.tf#L100) | Root-level tag values. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> | <code>1-resman</code> |
518+
| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | <code title="object&#40;&#123;&#10; networking &#61; optional&#40;object&#40;&#123;&#10; short_name &#61; optional&#40;string&#41;&#10; iam_delegated_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_viewer_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>1-resman</code> |
519+
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> | <code>1-resman</code> |
519520
| [vpc_configs](variables.tf#L191) | Optional VPC network configurations. | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; mtu &#61; optional&#40;number, 1500&#41;&#10; cloudnat &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; create_inbound_policy &#61; optional&#40;bool, true&#41;&#10; enable_logging &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; firewall &#61; optional&#40;object&#40;&#123;&#10; create_policy &#61; optional&#40;bool, false&#41;&#10; policy_has_priority &#61; optional&#40;bool, false&#41;&#10; use_classic &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; landing &#61; optional&#40;object&#40;&#123;&#10; mtu &#61; optional&#40;number, 1500&#41;&#10; cloudnat &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; create_inbound_policy &#61; optional&#40;bool, true&#41;&#10; enable_logging &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; firewall &#61; optional&#40;object&#40;&#123;&#10; create_policy &#61; optional&#40;bool, false&#41;&#10; policy_has_priority &#61; optional&#40;bool, false&#41;&#10; use_classic &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; mtu &#61; optional&#40;number, 1500&#41;&#10; cloudnat &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; create_inbound_policy &#61; optional&#40;bool, true&#41;&#10; enable_logging &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; firewall &#61; 
optional&#40;object&#40;&#123;&#10; create_policy &#61; optional&#40;bool, false&#41;&#10; policy_has_priority &#61; optional&#40;bool, false&#41;&#10; use_classic &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
520521
| [vpn_onprem_primary_config](variables.tf#L244) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object&#40;&#123;&#10; peer_external_gateways &#61; map&#40;object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;&#10; router_config &#61; object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; asn &#61; number&#10; name &#61; optional&#40;string&#41;&#10; keepalive &#61; optional&#40;number&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; tunnels &#61; map&#40;object&#40;&#123;&#10; bgp_peer &#61; object&#40;&#123;&#10; address &#61; string&#10; asn &#61; number&#10; route_priority &#61; optional&#40;number, 1000&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; all_vpc_subnets &#61; bool&#10; all_peer_vpc_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; bgp_session_range &#61; string&#10; ike_version &#61; optional&#40;number, 2&#41;&#10; peer_external_gateway_interface &#61; optional&#40;number&#41;&#10; peer_gateway &#61; optional&#40;string, &#34;default&#34;&#41;&#10; router &#61; optional&#40;string&#41;&#10; shared_secret &#61; optional&#40;string&#41;&#10; vpn_gateway_interface &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
521522
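Review bot: the new `security_profile_groups` row documents the type (`map(string)`) and the producer stage but not how the firewall rule files refer to the map keys; since the description says the ids are used for policy rule substitutions, a sentence on the key naming expected by the YAML rules (in the variable description, or in the firewall section of this README) would make the generated table usable on its own. The relocated anchors for `stage_config` (#L94) and `tag_values` (#L108) are consistent with the eight lines inserted at L86 of `variables-fast.tf` in this commit.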

fast/stages/2-networking-a-simple/net-dev.tf

+1-1
@@ -136,12 +136,12 @@ module "dev-firewall-policy" {
136136
attachments = {
137137
dev-spoke-0 = module.dev-spoke-vpc.id
138138
}
139-
# TODO: add context for security groups
140139
factories_config = {
141140
cidr_file_path = var.factories_config.firewall.cidr_file
142141
egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
143142
ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
144143
}
144+
security_profile_group_ids = var.security_profile_groups
145145
}
146146

147147
module "dev-spoke-cloudnat" {
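Review bot: the TODO is resolved by passing `var.security_profile_groups` straight through as `security_profile_group_ids`; because the variable declared in this commit defaults to `{}`, a rule in `dev/ingress.yaml` or `dev/egress.yaml` that names a security profile group will be evaluated against an empty map whenever the optional `2-networking-ngfw` stage has not been applied first. Check that the module surfaces a missing key as a clear plan-time error rather than emitting a rule without its target, and state the apply-order requirement in the stage README.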

fast/stages/2-networking-a-simple/net-landing.tf

+1-1
@@ -114,12 +114,12 @@ module "landing-firewall-policy" {
114114
attachments = {
115115
landing-0 = module.landing-vpc.id
116116
}
117-
# TODO: add context for security groups
118117
factories_config = {
119118
cidr_file_path = var.factories_config.firewall.cidr_file
120119
egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/egress.yaml"
121120
ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/ingress.yaml"
122121
}
122+
security_profile_group_ids = var.security_profile_groups
123123
}
124124

125125
module "landing-nat-primary" {
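Review bot: same wiring as in `net-dev.tf`; since the identical map is applied unchanged to the landing, dev and prod policies, this variable offers no per-environment selection of groups. That is fine if intended, but the variable description should say so ("applied to all firewall policies of this stage") so that nobody expects environment-specific keys to be filtered.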

fast/stages/2-networking-a-simple/net-prod.tf

+1-1
@@ -131,12 +131,12 @@ module "prod-firewall-policy" {
131131
attachments = {
132132
prod-spoke-0 = module.prod-spoke-vpc.id
133133
}
134-
# TODO: add context for security groups
135134
factories_config = {
136135
cidr_file_path = var.factories_config.firewall.cidr_file
137136
egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
138137
ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
139138
}
139+
security_profile_group_ids = var.security_profile_groups
140140
}
141141

142142
module "prod-spoke-cloudnat" {
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
../../../../modules/net-firewall-policy/schemas/firewall-policy-rules.schema.json
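Review bot: the added file's only content is the relative path `../../../../modules/net-firewall-policy/schemas/firewall-policy-rules.schema.json`, so it must be committed as a symbolic link rather than a regular file containing that text; a regular file would make any JSON-schema validation of the rule files referenced from `factories_config` fail to parse. Also verify the depth: four `../` segments reach the repository root only if the link sits one directory below the stage directory (for example a `schemas/` subdirectory); placed directly in `fast/stages/2-networking-a-simple/` the path would be off by one level.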

fast/stages/2-networking-a-simple/variables-fast.tf

+8
@@ -83,6 +83,14 @@ variable "prefix" {
8383
}
8484
}
8585

86+
variable "security_profile_groups" {
87+
# tfdoc:variable:source 2-networking-ngfw
88+
description = "Security profile group ids used for policy rule substitutions."
89+
type = map(string)
90+
nullable = false
91+
default = {}
92+
}
93+
8694
variable "stage_config" {
8795
# tfdoc:variable:source 1-resman
8896
description = "FAST stage configuration."
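Review bot: `nullable = false` together with `default = {}` is the right shape for an optional FAST input, and the `tfdoc:variable:source` comment matches the producer column in the README; consider adding a `validation` block that rejects empty string values, because an empty id substituted into a policy rule is a harder failure to diagnose than a plan-time error. The description could also name the key convention the rule factory expects, since that is what a user filling this map needs to know.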

fast/stages/2-networking-b-nva/.fast-stage.env

+1-1
@@ -2,4 +2,4 @@ FAST_STAGE_DESCRIPTION="networking (nva)"
22
FAST_STAGE_LEVEL=2
33
FAST_STAGE_NAME=networking
44
FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
5-
FAST_STAGE_OPTIONAL="2-nsec"
5+
FAST_STAGE_OPTIONAL="2-networking-ngfw"
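Review bot: same rename as in `2-networking-a-simple`; of the `.fast-stage.env` changes shown here only the simple and nva variants are updated, so if any other networking stage variant carries its own `.fast-stage.env` with `2-nsec` it would be left inconsistent. A grep for `2-nsec` across `fast/` before merging would settle it.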
