feat: add support for hierarchical firewall policies (#343)

terraform-google-modules · Mar 31, 2021 · e7bb1bc · e7bb1bc
1 parent f6b0387
commit e7bb1bc
Show file tree

Hide file tree

Showing 10 changed files with 292 additions and 1 deletion.
diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf
@@ -178,6 +178,34 @@ resource "google_folder_iam_member" "folder_cb_sa_browser" {
   member = "serviceAccount:${data.google_project.cloudbuild.number}@cloudbuild.gserviceaccount.com"
 }
 
+resource "google_organization_iam_member" "org_tf_compute_security_policy_admin" {
+  count  = var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/compute.orgSecurityPolicyAdmin"
+  member = "serviceAccount:${module.seed_bootstrap.terraform_sa_email}"
+}
+
+resource "google_folder_iam_member" "folder_tf_compute_security_policy_admin" {
+  count  = var.parent_folder != "" ? 1 : 0
+  folder = var.parent_folder
+  role   = "roles/compute.orgSecurityPolicyAdmin"
+  member = "serviceAccount:${module.seed_bootstrap.terraform_sa_email}"
+}
+
+resource "google_organization_iam_member" "org_tf_compute_security_resource_admin" {
+  count  = var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/compute.orgSecurityResourceAdmin"
+  member = "serviceAccount:${module.seed_bootstrap.terraform_sa_email}"
+}
+
+resource "google_folder_iam_member" "folder_tf_compute_security_resource_admin" {
+  count  = var.parent_folder != "" ? 1 : 0
+  folder = var.parent_folder
+  role   = "roles/compute.orgSecurityResourceAdmin"
+  member = "serviceAccount:${module.seed_bootstrap.terraform_sa_email}"
+}
+
 ## Un-comment the jenkins_bootstrap module and its outputs if you want to use Jenkins instead of Cloud Build
 # module "jenkins_bootstrap" {
 #  source                                  = "./modules/jenkins-agent"

diff --git a/3-networks/envs/shared/README.md b/3-networks/envs/shared/README.md
@@ -30,6 +30,7 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google.
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
+| firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |

diff --git a/3-networks/envs/shared/dns-hub.tf b/3-networks/envs/shared/dns-hub.tf
@@ -18,6 +18,26 @@ locals {
   dns_hub_project_id = data.google_projects.dns_hub.projects[0].project_id
 }
 
+data "google_active_folder" "bootstrap" {
+  display_name = "${var.folder_prefix}-bootstrap"
+  parent       = local.parent_id
+}
+
+data "google_active_folder" "development" {
+  display_name = "${var.folder_prefix}-development"
+  parent       = local.parent_id
+}
+
+data "google_active_folder" "production" {
+  display_name = "${var.folder_prefix}-production"
+  parent       = local.parent_id
+}
+
+data "google_active_folder" "non-production" {
+  display_name = "${var.folder_prefix}-non-production"
+  parent       = local.parent_id
+}
+
 /******************************************
   DNS Hub Project
 *****************************************/

diff --git a/3-networks/envs/shared/hierarchical_firewall.tf b/3-networks/envs/shared/hierarchical_firewall.tf
@@ -0,0 +1,102 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "hierarchical_firewall_policy" {
+  source = "../../modules/hierarchical_firewall_policy/"
+  parent = data.google_active_folder.common.name
+  name   = "common-firewall-rules"
+  associations = [
+    data.google_active_folder.common.name,
+    data.google_active_folder.bootstrap.name,
+    data.google_active_folder.development.name,
+    data.google_active_folder.production.name,
+    data.google_active_folder.non-production.name,
+  ]
+  rules = {
+    delegate-rfc1918-ingress = {
+      description = "Delegate RFC1918 ingress"
+      direction   = "INGRESS"
+      action      = "goto_next"
+      priority    = 500
+      ranges = [
+        "192.168.0.0/16",
+        "10.0.0.0/8",
+        "172.16.0.0/12"
+      ]
+      ports                   = { "all" = [] }
+      target_service_accounts = null
+      target_resources        = null
+      logging                 = false
+    }
+    delegate-rfc1918-egress = {
+      description = "Delegate RFC1918 egress"
+      direction   = "EGRESS"
+      action      = "goto_next"
+      priority    = 510
+      ranges = [
+        "192.168.0.0/16",
+        "10.0.0.0/8",
+        "172.16.0.0/12"
+      ]
+      ports                   = { "all" = [] }
+      target_service_accounts = null
+      target_resources        = null
+      logging                 = false
+    }
+    allow-iap-ssh-rdp = {
+      description             = "Always allow SSH and RDP from IAP"
+      direction               = "INGRESS"
+      action                  = "allow"
+      priority                = 5000
+      ranges                  = ["35.235.240.0/20"]
+      ports                   = { "all" = [] }
+      target_service_accounts = null
+      target_resources        = null
+      logging                 = var.firewall_policies_enable_logging
+    }
+    allow-windows-activation = {
+      description = "Always outgoing Windows KMS traffic (required to validate Windows licenses)"
+      direction   = "EGRESS"
+      action      = "allow"
+      priority    = 5100
+      ranges      = ["35.190.247.13/32"]
+      ports = {
+        tcp = ["1688"]
+      }
+      target_service_accounts = null
+      target_resources        = null
+      logging                 = var.firewall_policies_enable_logging
+    }
+    allow-google-hbs-and-hcs = {
+      description = "Always allow connections from Google load balancer and health check ranges"
+      direction   = "INGRESS"
+      action      = "allow"
+      priority    = 5200
+      ranges = [
+        "35.191.0.0/16",
+        "130.211.0.0/22",
+        "209.85.152.0/22",
+        "209.85.204.0/22"
+      ]
+      ports = {
+        tcp = ["80", "443"]
+      }
+      target_service_accounts = null
+      target_resources        = null
+      logging                 = var.firewall_policies_enable_logging
+    }
+  }
+}
diff --git a/3-networks/envs/shared/variables.tf b/3-networks/envs/shared/variables.tf
@@ -199,6 +199,12 @@ variable "restricted_hub_nat_num_addresses_region2" {
   default     = 2
 }
 
+variable "firewall_policies_enable_logging" {
+  type        = bool
+  description = "Toggle hierarchical firewall logging."
+  default     = true
+}
+
 variable "enable_partner_interconnect" {
   description = "Enable Partner Interconnect in the environment."
   type        = bool

diff --git a/3-networks/modules/base_shared_vpc/firewall.tf b/3-networks/modules/base_shared_vpc/firewall.tf
@@ -70,7 +70,6 @@ resource "google_compute_firewall" "allow_private_api_egress" {
   target_tags = ["allow-google-apis"]
 }
 
-
 /******************************************
   Optional firewall rules
  *****************************************/

diff --git a/3-networks/modules/hierarchical_firewall_policy/main.tf b/3-networks/modules/hierarchical_firewall_policy/main.tf
@@ -0,0 +1,68 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  policy_id = google_compute_organization_security_policy.policy.id
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  upper   = false
+  special = false
+}
+
+resource "google_compute_organization_security_policy" "policy" {
+  provider     = google-beta
+  display_name = "${var.name}-${random_string.suffix.result}"
+  parent       = var.parent
+}
+
+resource "google_compute_organization_security_policy_rule" "rule" {
+  provider = google-beta
+  for_each = var.rules
+
+  policy_id               = google_compute_organization_security_policy.policy.id
+  action                  = each.value.action
+  direction               = each.value.direction
+  priority                = each.value.priority
+  target_resources        = each.value.target_resources
+  target_service_accounts = each.value.target_service_accounts
+  enable_logging          = each.value.logging
+  # preview                 = each.value.preview
+  match {
+    # description = each.value.description
+    config {
+      src_ip_ranges  = each.value.direction == "INGRESS" ? each.value.ranges : null
+      dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
+      dynamic "layer4_config" {
+        for_each = each.value.ports
+        iterator = port
+        content {
+          ip_protocol = port.key
+          ports       = port.value
+        }
+      }
+    }
+  }
+}
+
+resource "google_compute_organization_security_policy_association" "association" {
+  provider      = google-beta
+  for_each      = toset(var.associations)
+  name          = "${local.policy_id}-${each.value}"
+  policy_id     = local.policy_id
+  attachment_id = each.value
+}
diff --git a/3-networks/modules/hierarchical_firewall_policy/outputs.tf b/3-networks/modules/hierarchical_firewall_policy/outputs.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "id" {
+  value = google_compute_organization_security_policy.policy.id
+}
diff --git a/3-networks/modules/hierarchical_firewall_policy/variables.tf b/3-networks/modules/hierarchical_firewall_policy/variables.tf
@@ -0,0 +1,46 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "name" {
+  description = "Hierarchical policy name"
+  type        = string
+}
+
+variable "parent" {
+  description = "Where the firwall policy will be created (can be organizations/{organization_id} or folders/{folder_id})"
+  type        = string
+}
+
+variable "rules" {
+  description = "Firewall rules to add to the policy"
+  type = map(object({
+    description             = string
+    direction               = string
+    action                  = string
+    priority                = number
+    ranges                  = list(string)
+    ports                   = map(list(string))
+    target_service_accounts = list(string)
+    target_resources        = list(string)
+    logging                 = bool
+  }))
+  default = {}
+}
+
+variable "associations" {
+  description = "Resources to associate the policy to"
+  type        = list(string)
+}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -29,6 +29,8 @@ locals {
     "roles/accesscontextmanager.policyAdmin",
     "roles/securitycenter.admin",
     "roles/compute.xpnAdmin",
+    "roles/compute.orgSecurityPolicyAdmin",
+    "roles/compute.orgSecurityResourceAdmin",
   ]
 }