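# Egress rule letting workloads in the Dataproc VPC reach the Identity Engine
# metastore (CloudSQL) on TCP/3306.  It is created only when the Dataproc
# network is enabled, because it attaches to google_compute_network.vpc_network[0].
resource "google_compute_firewall" "allow_metastore_egress" {
  count = var.enable_dataproc_network ? 1 : 0

  project = google_compute_network.vpc_network[0].project
  name    = "allow-${var.installation_name}-metastore-egress"
  network = google_compute_network.vpc_network[0].name

  direction   = "EGRESS"
  description = "Allow EGRESS to Identity Engine Metastore CloudSQL instance"

  # Numeric priority, consistent with the rules in module.dataproc-firewall-rules.
  # The provider coerces a quoted "1000" to the same value, so this is a
  # consistency fix rather than a behavioural change.
  priority = 1000

  # Only TCP/3306 is opened towards the metastore range.
  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }

  # NOTE(review): no target_tags / target_service_accounts are set, so the rule
  # applies to every instance in this VPC rather than only Dataproc nodes —
  # confirm that scope is intended.  Firewall logging (log_config) is not
  # enabled on this rule.
  destination_ranges = [
    var.metastore_cidr_ip_address,
  ]
}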
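# Egress rule letting workloads in the Dataproc VPC reach the LiveRamp ID-API
# on TCP/443.  Created only when the Dataproc network is enabled, because it
# attaches to google_compute_network.vpc_network[0].
resource "google_compute_firewall" "allow_idapi_egress" {
  count = var.enable_dataproc_network ? 1 : 0

  project = google_compute_network.vpc_network[0].project
  name    = "allow-${var.installation_name}-idapi-egress"
  network = google_compute_network.vpc_network[0].name

  direction   = "EGRESS"
  description = "Allow EGRESS to LiveRamp ID-API instance"

  # Numeric priority, consistent with the rules in module.dataproc-firewall-rules.
  # The provider coerces a quoted "1000" to the same value, so this is a
  # consistency fix rather than a behavioural change.
  priority = 1000

  # Only HTTPS is opened towards the ID-API ranges.
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  # var.idapi_cidr_ip_addresses is already a list (unlike the single metastore
  # address above), so it is passed through as-is.
  # NOTE(review): no target_tags / target_service_accounts are set, so the rule
  # applies to every instance in this VPC — confirm that scope is intended.
  # Firewall logging (log_config) is not enabled on this rule.
  destination_ranges = var.idapi_cidr_ip_addresses
}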
# Intra-subnet rules for the Dataproc cluster: one INGRESS rule whose source
# range is the Dataproc subnet and one EGRESS rule whose destination range is
# the Dataproc subnet, each allowing all TCP/UDP ports plus ICMP.  Both are
# built from a single template so they cannot drift apart.  Created only when
# the Dataproc network is enabled.
module "dataproc-firewall-rules" {
  count = var.enable_dataproc_network ? 1 : 0

  # firewall-rules submodule of the Google network module, pinned to an exact
  # version so upgrades are deliberate.
  source  = "terraform-google-modules/network/google//modules/firewall-rules"
  version = "6.0.1"

  # NOTE(review): project_id comes from var.data_plane_project whereas the
  # standalone rules in this file use google_compute_network.vpc_network[0].project —
  # confirm these resolve to the same project.
  project_id   = var.data_plane_project
  network_name = google_compute_network.vpc_network[0].name

  rules = [
    for spec in [
      { direction = "INGRESS", suffix = "allow-ingress-from-subnet" },
      { direction = "EGRESS", suffix = "allow-egress-to-subnet" },
    ] : {
      name        = "${var.installation_name}-dataproc-${spec.suffix}"
      # NOTE(review): the description mentions Google APIs, but the only range
      # on these rules is the Dataproc subnet itself — confirm that API traffic
      # is covered elsewhere.
      description = "Allow Dataproc clusters to communicate over private IP to google APIs and other nodes"
      direction   = spec.direction
      priority    = 1000
      ranges      = [var.dataproc_subnet_ip4_cidr]

      # No tag or service-account scoping: the rule applies to every instance in
      # the network (see the standalone rules in this file for the same caveat).
      source_tags             = null
      source_service_accounts = null
      target_tags             = null
      target_service_accounts = null

      allow = [
        { protocol = "tcp", ports = ["0-65535"] },
        { protocol = "udp", ports = ["0-65535"] },
        { protocol = "icmp", ports = [] },
      ]
      deny = []

      # NOTE(review): log_config = null leaves firewall logging off for these
      # rules; enable it if flow visibility is needed for detection.
      log_config = null
    }
  ]
}