Remove firewall policy management from resource management modules

README.md

@@ -30,7 +30,7 @@ The current list of modules supports most of the core foundational and networkin
 Currently available modules:
 
 - **foundational** - [billing budget](./modules/billing-budget), [Cloud Identity group](./modules/cloud-identity-group/), [folder](./modules/folder), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [organization](./modules/organization), [project](./modules/project), [projects-data-source](./modules/projects-data-source)
-- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [Internal Application LB](./modules/net-lb-app-int), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC firewall policy](./modules/net-vpc-firewall-policy), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
+- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [Firewall policy](./modules/net-firewall-policy), [Internal Application LB](./modules/net-lb-app-int), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
 - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool)
 - **data** - [AlloyDB instance](./modules/alloydb-instance), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan/), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
 - **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)

blueprints/data-solutions/shielded-folder/README.md

@@ -209,5 +209,5 @@ module "test" {
     billing_account_id = "123456-123456-123456"
   }
 }
-# tftest modules=6 resources=38 inventory=simple.yaml
+# tftest modules=7 resources=38
 ```

blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml

@@ -0,0 +1,37 @@
+# skip boilerplate check
+
+allow-admins:
+  description: Access from the admin subnet to all subnets
+  priority: 1000
+  match:
+    source_ranges:
+      - rfc1918
+
+allow-healthchecks:
+  description: Enable HTTP and HTTPS healthchecks
+  priority: 1001
+  match:
+    source_ranges:
+      - healthchecks
+  layer4_configs:
+  - protocol: tcp
+    ports: ["80", "443"]
+
+allow-ssh-from-iap:
+  description: Enable SSH from IAP
+  priority: 1002
+  match:
+    source_ranges:
+      - 35.235.240.0/20
+  layer4_configs:
+  - protocol: tcp
+    ports: ["22"]
+
+allow-icmp:
+  description: Enable ICMP
+  priority: 1003
+  match:
+    source_ranges:
+      - 0.0.0.0/0
+  layer4_configs:
+  - protocol: icmp

blueprints/data-solutions/shielded-folder/main.tf

@@ -78,11 +78,6 @@ module "folder" {
   id                     = var.folder_config.folder_create != null ? null : var.folder_config.folder_id
   group_iam              = local.group_iam
   org_policies_data_path = var.data_dir != null ? "${var.data_dir}/org-policies" : null
-  firewall_policy_factory = var.data_dir != null ? {
-    cidr_file   = "${var.data_dir}/firewall-policies/cidrs.yaml"
-    policy_name = "${var.prefix}-fw-policy"
-    rules_file  = "${var.data_dir}/firewall-policies/hierarchical-policy-rules.yaml"
-  } : null
   logging_sinks = var.enable_features.log_sink ? {
     for name, attrs in var.log_sinks : name => {
       bq_partitioned_table = attrs.type == "bigquery"
@@ -93,14 +88,24 @@ module "folder" {
   } : null
 }
 
+module "firewall-policy" {
+  source    = "../../../modules/net-firewall-policy"
+  name      = "default"
+  parent_id = module.folder.id
+  rules_factory_config = var.data_dir == null ? {} : {
+    cidr_file_path          = "${var.data_dir}/firewall-policies/cidrs.yaml"
+    ingress_rules_file_path = "${var.data_dir}/firewall-policies/hierarchical-ingress-rules.yaml"
+  }
+}
+
 module "folder-workload" {
   source = "../../../modules/folder"
   parent = module.folder.id
   name   = "${var.prefix}-workload"
 }
 
+#TODO VPCSC: Access levels
 
-#TODO VPCSC: Access levels 
 data "google_projects" "folder-projects" {
   filter = "parent.id:${split("/", module.folder.id)[1]}"
 

fast/stages/2-networking-a-peering/README.md

@@ -172,7 +172,7 @@ Static routes are defined in `vpc-*.tf` files, in the `routes` section of each `
 **VPC firewall rules** ([`net-vpc-firewall`](../../../modules/net-vpc-firewall)) are defined per-vpc on each `vpc-*.tf` file and leverage a resource factory to massively create rules.
 To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/landing](./data/firewall-rules/landing) and can be easily customised.
 
-**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf`, and managed through a policy factory implemented by the `folder` module, which applies the defined hierarchical to the `Networking` folder, which contains all the core networking infrastructure. Policies are defined in the `rules_file` file - to define a new one simply use the instructions found on "[Firewall policy factory](../../../modules/organization#firewall-policy-factory)". Sample hierarchical firewall policies are shipped in [data/hierarchical-policy-rules.yaml](./data/hierarchical-policy-rules.yaml) and can be easily customised.
+**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf` and managed through a policy factory implemented by the `net-firewall-policy` module, which is then applied to the `Networking` folder containing all the core networking infrastructure. Policies are defined in the `rules_file` file, to define a new one simply use the [firewall policy module documentation](../../../modules/net-firewall-policy/README.md#factory)". Sample hierarchical firewall rules are shipped in [data/hierarchical-ingress-rules.yaml](./data/hierarchical-ingress-rules.yaml) and can be easily customised.
 
 ### DNS architecture
 
@@ -378,7 +378,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> |  |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> |  |
 | [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
-| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |
+| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> |  |
 | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. |  | <code>google_monitoring_alert_policy</code> |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. |  | <code>google_monitoring_dashboard</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  | <code>google_storage_bucket_object</code> · <code>local_file</code> |

fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml

@@ -0,0 +1,37 @@
+# skip boilerplate check
+
+allow-admins:
+  description: Access from the admin subnet to all subnets
+  priority: 1000
+  match:
+    source_ranges:
+      - rfc1918
+
+allow-healthchecks:
+  description: Enable HTTP and HTTPS healthchecks
+  priority: 1001
+  match:
+    source_ranges:
+      - healthchecks
+  layer4_configs:
+  - protocol: tcp
+    ports: ["80", "443"]
+
+allow-ssh-from-iap:
+  description: Enable SSH from IAP
+  priority: 1002
+  match:
+    source_ranges:
+      - 35.235.240.0/20
+  layer4_configs:
+  - protocol: tcp
+    ports: ["22"]
+
+allow-icmp:
+  description: Enable ICMP
+  priority: 1003
+  match:
+    source_ranges:
+      - 0.0.0.0/0
+  layer4_configs:
+  - protocol: icmp

fast/stages/2-networking-a-peering/main.tf

@@ -45,13 +45,18 @@ module "folder" {
   name          = "Networking"
   folder_create = var.folder_ids.networking == null
   id            = var.folder_ids.networking
-  firewall_policy_factory = {
-    cidr_file   = "${var.factories_config.data_dir}/cidrs.yaml"
-    policy_name = var.factories_config.firewall_policy_name
-    rules_file  = "${var.factories_config.data_dir}/hierarchical-policy-rules.yaml"
+  firewall_policy_associations = {
+    default = module.firewall-policy-default.id
   }
-  firewall_policy_association = {
-    factory-policy = "factory"
+}
+
+module "firewall-policy-default" {
+  source    = "../../../modules/net-firewall-policy"
+  name      = "net-default"
+  parent_id = module.folder.id
+  rules_factory_config = {
+    cidr_file_path          = "${var.factories_config.data_dir}/cidrs.yaml"
+    ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
   }
 }
 

fast/stages/2-networking-b-vpn/README.md

@@ -186,7 +186,7 @@ BGP sessions for landing-spoke are configured through variable `vpn_spoke_config
 **VPC firewall rules** ([`net-vpc-firewall`](../../../modules/net-vpc-firewall)) are defined per-vpc on each `vpc-*.tf` file and leverage a resource factory to massively create rules.
 To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/landing](./data/firewall-rules/landing) and can be easily customised.
 
-**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf`, and managed through a policy factory implemented by the `folder` module, which applies the defined hierarchical to the `Networking` folder, which contains all the core networking infrastructure. Policies are defined in the `rules_file` file - to define a new one simply use the instructions found on "[Firewall policy factory](../../../modules/organization#firewall-policy-factory)". Sample hierarchical firewall policies are shipped in [data/hierarchical-policy-rules.yaml](./data/hierarchical-policy-rules.yaml) and can be easily customised.
+**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf` and managed through a policy factory implemented by the `net-firewall-policy` module, which is then applied to the `Networking` folder containing all the core networking infrastructure. Policies are defined in the `rules_file` file, to define a new one simply use the [firewall policy module documentation](../../../modules/net-firewall-policy/README.md#factory)". Sample hierarchical firewall rules are shipped in [data/hierarchical-ingress-rules.yaml](./data/hierarchical-ingress-rules.yaml) and can be easily customised.
 
 ### DNS architecture
 
@@ -393,7 +393,6 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 
 <!-- TFDOC OPTS files:1 show_extra:1 -->
 <!-- BEGIN TFDOC -->
-
 ## Files
 
 | name | description | modules | resources |
@@ -402,7 +401,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> |  |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> |  |
 | [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
-| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |
+| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> |  |
 | [monitoring-vpn.tf](./monitoring-vpn.tf) | VPN monitoring alerts. |  | <code>google_monitoring_alert_policy</code> |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. |  | <code>google_monitoring_dashboard</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  | <code>google_storage_bucket_object</code> · <code>local_file</code> |
@@ -447,5 +446,4 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [shared_vpc_self_links](outputs.tf#L78) | Shared VPC host projects. |  |  |
 | [tfvars](outputs.tf#L83) | Terraform variables file for the following stages. | ✓ |  |
 | [vpn_gateway_endpoints](outputs.tf#L89) | External IP Addresses for the GCP VPN gateways. |  |  |
-
 <!-- END TFDOC -->

fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml

@@ -0,0 +1,37 @@
+# skip boilerplate check
+
+allow-admins:
+  description: Access from the admin subnet to all subnets
+  priority: 1000
+  match:
+    source_ranges:
+      - rfc1918
+
+allow-healthchecks:
+  description: Enable HTTP and HTTPS healthchecks
+  priority: 1001
+  match:
+    source_ranges:
+      - healthchecks
+  layer4_configs:
+  - protocol: tcp
+    ports: ["80", "443"]
+
+allow-ssh-from-iap:
+  description: Enable SSH from IAP
+  priority: 1002
+  match:
+    source_ranges:
+      - 35.235.240.0/20
+  layer4_configs:
+  - protocol: tcp
+    ports: ["22"]
+
+allow-icmp:
+  description: Enable ICMP
+  priority: 1003
+  match:
+    source_ranges:
+      - 0.0.0.0/0
+  layer4_configs:
+  - protocol: icmp