feat: Remove redundant optional firewall rules (#647)

* Remove optional firewall rules * Returns firewall rules related to hub and spoke * Moves code to firewall.tf
terraform-google-modules · Mar 8, 2022 · 6e17729 · 6e17729
1 parent 66d4c5b
commit 6e17729
Show file tree

Hide file tree

Showing 18 changed files with 6 additions and 296 deletions.
diff --git a/3-networks/envs/development/README.md b/3-networks/envs/development/README.md
@@ -31,7 +31,6 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
-| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
 | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |

diff --git a/3-networks/envs/development/main.tf b/3-networks/envs/development/main.tf
@@ -109,11 +109,10 @@ module "restricted_shared_vpc" {
   default_region1                  = var.default_region1
   default_region2                  = var.default_region2
   domain                           = var.domain
-  windows_activation_enabled       = var.windows_activation_enabled
   dns_enable_inbound_forwarding    = var.dns_enable_inbound_forwarding
   dns_enable_logging               = var.dns_enable_logging
   firewall_enable_logging          = var.firewall_enable_logging
-  optional_fw_rules_enabled        = var.optional_fw_rules_enabled
+  windows_activation_enabled       = var.windows_activation_enabled
   nat_enabled                      = var.nat_enabled
   nat_bgp_asn                      = var.nat_bgp_asn
   nat_num_addresses_region1        = var.nat_num_addresses_region1
@@ -161,11 +160,10 @@ module "base_shared_vpc" {
   default_region2               = var.default_region2
   domain                        = var.domain
   bgp_asn_subnet                = local.bgp_asn_number
-  windows_activation_enabled    = var.windows_activation_enabled
   dns_enable_inbound_forwarding = var.dns_enable_inbound_forwarding
   dns_enable_logging            = var.dns_enable_logging
   firewall_enable_logging       = var.firewall_enable_logging
-  optional_fw_rules_enabled     = var.optional_fw_rules_enabled
+  windows_activation_enabled    = var.windows_activation_enabled
   nat_enabled                   = var.nat_enabled
   nat_bgp_asn                   = var.nat_bgp_asn
   nat_num_addresses_region1     = var.nat_num_addresses_region1

diff --git a/3-networks/envs/development/variables.tf b/3-networks/envs/development/variables.tf
@@ -104,12 +104,6 @@ variable "nat_num_addresses" {
   default     = 2
 }
 
-variable "optional_fw_rules_enabled" {
-  type        = bool
-  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
-  default     = false
-}
-
 variable "parent_folder" {
   description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
   type        = string

diff --git a/3-networks/envs/non-production/README.md b/3-networks/envs/non-production/README.md
@@ -31,7 +31,6 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
-| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
 | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |

diff --git a/3-networks/envs/non-production/main.tf b/3-networks/envs/non-production/main.tf
@@ -109,11 +109,10 @@ module "restricted_shared_vpc" {
   default_region1                  = var.default_region1
   default_region2                  = var.default_region2
   domain                           = var.domain
-  windows_activation_enabled       = var.windows_activation_enabled
   dns_enable_inbound_forwarding    = var.dns_enable_inbound_forwarding
   dns_enable_logging               = var.dns_enable_logging
   firewall_enable_logging          = var.firewall_enable_logging
-  optional_fw_rules_enabled        = var.optional_fw_rules_enabled
+  windows_activation_enabled       = var.windows_activation_enabled
   nat_enabled                      = var.nat_enabled
   nat_bgp_asn                      = var.nat_bgp_asn
   nat_num_addresses_region1        = var.nat_num_addresses_region1
@@ -165,7 +164,6 @@ module "base_shared_vpc" {
   dns_enable_inbound_forwarding = var.dns_enable_inbound_forwarding
   dns_enable_logging            = var.dns_enable_logging
   firewall_enable_logging       = var.firewall_enable_logging
-  optional_fw_rules_enabled     = var.optional_fw_rules_enabled
   nat_enabled                   = var.nat_enabled
   nat_bgp_asn                   = var.nat_bgp_asn
   nat_num_addresses_region1     = var.nat_num_addresses_region1

diff --git a/3-networks/envs/non-production/variables.tf b/3-networks/envs/non-production/variables.tf
@@ -104,12 +104,6 @@ variable "nat_num_addresses" {
   default     = 2
 }
 
-variable "optional_fw_rules_enabled" {
-  type        = bool
-  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
-  default     = false
-}
-
 variable "parent_folder" {
   description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
   type        = string

diff --git a/3-networks/envs/production/README.md b/3-networks/envs/production/README.md
@@ -31,7 +31,6 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
-| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
 | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |

diff --git a/3-networks/envs/production/main.tf b/3-networks/envs/production/main.tf
@@ -109,11 +109,10 @@ module "restricted_shared_vpc" {
   default_region1                  = var.default_region1
   default_region2                  = var.default_region2
   domain                           = var.domain
-  windows_activation_enabled       = var.windows_activation_enabled
   dns_enable_inbound_forwarding    = var.dns_enable_inbound_forwarding
   dns_enable_logging               = var.dns_enable_logging
   firewall_enable_logging          = var.firewall_enable_logging
-  optional_fw_rules_enabled        = var.optional_fw_rules_enabled
+  windows_activation_enabled       = var.windows_activation_enabled
   nat_enabled                      = var.nat_enabled
   nat_bgp_asn                      = var.nat_bgp_asn
   nat_num_addresses_region1        = var.nat_num_addresses_region1
@@ -165,7 +164,6 @@ module "base_shared_vpc" {
   dns_enable_inbound_forwarding = var.dns_enable_inbound_forwarding
   dns_enable_logging            = var.dns_enable_logging
   firewall_enable_logging       = var.firewall_enable_logging
-  optional_fw_rules_enabled     = var.optional_fw_rules_enabled
   nat_enabled                   = var.nat_enabled
   nat_bgp_asn                   = var.nat_bgp_asn
   nat_num_addresses_region1     = var.nat_num_addresses_region1

diff --git a/3-networks/envs/production/variables.tf b/3-networks/envs/production/variables.tf
@@ -104,12 +104,6 @@ variable "nat_num_addresses" {
   default     = 2
 }
 
-variable "optional_fw_rules_enabled" {
-  type        = bool
-  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
-  default     = false
-}
-
 variable "parent_folder" {
   description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
   type        = string

diff --git a/3-networks/envs/shared/README.md b/3-networks/envs/shared/README.md
@@ -20,7 +20,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google.
 | base\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Base Hub. | `bool` | `false` | no |
 | base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no |
 | base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no |
-| base\_hub\_optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges in Base Hub VPC. | `bool` | `false` | no |
 | base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no |
 | bgp\_asn\_dns | BGP Autonomous System Number (ASN). | `number` | `64667` | no |
 | default\_region1 | First subnet region for DNS Hub network. | `string` | n/a | yes |
@@ -42,7 +41,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google.
 | restricted\_hub\_nat\_enabled | Toggle creation of NAT cloud router in Restricted Hub. | `bool` | `false` | no |
 | restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no |
 | restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. | `number` | `2` | no |
-| restricted\_hub\_optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges in Restricted Hub VPC. | `bool` | `false` | no |
 | restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no |
 | subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(string)` | n/a | yes |

diff --git a/3-networks/envs/shared/net-hubs.tf b/3-networks/envs/shared/net-hubs.tf
@@ -67,15 +67,14 @@ module "base_shared_vpc" {
   default_region1               = var.default_region1
   default_region2               = var.default_region2
   domain                        = var.domain
-  windows_activation_enabled    = var.base_hub_windows_activation_enabled
   dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding
   dns_enable_logging            = var.base_hub_dns_enable_logging
   firewall_enable_logging       = var.base_hub_firewall_enable_logging
-  optional_fw_rules_enabled     = var.base_hub_optional_fw_rules_enabled
   nat_enabled                   = var.base_hub_nat_enabled
   nat_bgp_asn                   = var.base_hub_nat_bgp_asn
   nat_num_addresses_region1     = var.base_hub_nat_num_addresses_region1
   nat_num_addresses_region2     = var.base_hub_nat_num_addresses_region2
+  windows_activation_enabled    = var.base_hub_windows_activation_enabled
   folder_prefix                 = var.folder_prefix
   mode                          = "hub"
 
@@ -121,16 +120,15 @@ module "restricted_shared_vpc" {
   default_region1                  = var.default_region1
   default_region2                  = var.default_region2
   domain                           = var.domain
-  windows_activation_enabled       = var.restricted_hub_windows_activation_enabled
   dns_enable_inbound_forwarding    = var.restricted_hub_dns_enable_inbound_forwarding
   dns_enable_logging               = var.restricted_hub_dns_enable_logging
   firewall_enable_logging          = var.restricted_hub_firewall_enable_logging
-  optional_fw_rules_enabled        = var.restricted_hub_optional_fw_rules_enabled
   nat_enabled                      = var.restricted_hub_nat_enabled
   nat_bgp_asn                      = var.restricted_hub_nat_bgp_asn
   nat_num_addresses_region1        = var.restricted_hub_nat_num_addresses_region1
   nat_num_addresses_region2        = var.restricted_hub_nat_num_addresses_region2
   folder_prefix                    = var.folder_prefix
+  windows_activation_enabled       = var.restricted_hub_windows_activation_enabled
   mode                             = "hub"
 
   subnets = [

diff --git a/3-networks/envs/shared/variables.tf b/3-networks/envs/shared/variables.tf
@@ -139,18 +139,6 @@ variable "restricted_hub_firewall_enable_logging" {
   default     = true
 }
 
-variable "base_hub_optional_fw_rules_enabled" {
-  type        = bool
-  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges in Base Hub VPC."
-  default     = false
-}
-
-variable "restricted_hub_optional_fw_rules_enabled" {
-  type        = bool
-  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges in Restricted Hub VPC."
-  default     = false
-}
-
 variable "base_hub_nat_enabled" {
   type        = bool
   description = "Toggle creation of NAT cloud router in Base Hub."

diff --git a/3-networks/modules/base_shared_vpc/README.md b/3-networks/modules/base_shared_vpc/README.md
@@ -20,7 +20,6 @@
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
-| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |

diff --git a/3-networks/modules/base_shared_vpc/firewall.tf b/3-networks/modules/base_shared_vpc/firewall.tf
@@ -70,122 +70,6 @@ resource "google_compute_firewall" "allow_private_api_egress" {
   target_tags = ["allow-google-apis"]
 }
 
-/******************************************
-  Optional firewall rules
- *****************************************/
-
-// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads.
-resource "google_compute_firewall" "allow_iap_ssh" {
-  count   = var.optional_fw_rules_enabled ? 1 : 0
-  name    = "fw-${var.environment_code}-shared-base-1000-i-a-all-allow-iap-ssh-tcp-22"
-  network = module.main.network_name
-  project = var.project_id
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  // Cloud IAP's TCP forwarding netblock
-  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
-  allow {
-    protocol = "tcp"
-    ports    = ["22"]
-  }
-
-  target_tags = ["allow-iap-ssh"]
-}
-
-// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads.
-resource "google_compute_firewall" "allow_iap_rdp" {
-  count   = var.optional_fw_rules_enabled ? 1 : 0
-  name    = "fw-${var.environment_code}-shared-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
-  network = module.main.network_name
-  project = var.project_id
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  // Cloud IAP's TCP forwarding netblock
-  source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
-  allow {
-    protocol = "tcp"
-    ports    = ["3389"]
-  }
-
-  target_tags = ["allow-iap-rdp"]
-}
-
-// Allow access to kms.windows.googlecloud.com for Windows license activation
-resource "google_compute_firewall" "allow_windows_activation" {
-  count     = var.windows_activation_enabled ? 1 : 0
-  name      = "fw-${var.environment_code}-shared-base-0-e-a-allow-win-activation-all-tcp-1688"
-  network   = module.main.network_name
-  project   = var.project_id
-  direction = "EGRESS"
-  priority  = 0
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  allow {
-    protocol = "tcp"
-    ports    = ["1688"]
-  }
-
-  destination_ranges = ["35.190.247.13/32"]
-
-  target_tags = ["allow-win-activation"]
-}
-
-// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
-resource "google_compute_firewall" "allow_lb" {
-  count   = var.optional_fw_rules_enabled ? 1 : 0
-  name    = "fw-${var.environment_code}-shared-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
-  network = module.main.network_name
-  project = var.project_id
-
-  dynamic "log_config" {
-    for_each = var.firewall_enable_logging == true ? [{
-      metadata = "INCLUDE_ALL_METADATA"
-    }] : []
-
-    content {
-      metadata = log_config.value.metadata
-    }
-  }
-
-  source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
-
-  // Allow common app ports by default.
-  allow {
-    protocol = "tcp"
-    ports    = ["80", "8080", "443"]
-  }
-
-  target_tags = ["allow-lb"]
-}
 
 resource "google_compute_firewall" "allow_all_egress" {
   count     = var.allow_all_egress_ranges != null ? 1 : 0

diff --git a/3-networks/modules/base_shared_vpc/variables.tf b/3-networks/modules/base_shared_vpc/variables.tf
@@ -127,12 +127,6 @@ variable "nat_num_addresses" {
   default     = 2
 }
 
-variable "optional_fw_rules_enabled" {
-  type        = bool
-  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
-  default     = false
-}
-
 variable "parent_folder" {
   description = "Optional - if using a folder for testing."
   type        = string