firewall.tf
# Defines the firewall rules
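# Allow open access to client(s) on port 80.
# This is the only rule in this file whose source is the whole IPv4 Internet
# (0.0.0.0/0), so it is the file's external exposure surface. Because of
# that, firewall logging is enabled on it so that inbound connections to the
# client VMs are visible in Cloud Logging for detection and later forensics.
# The rule is scoped by target service account, not by network tag: only
# instances running as var.client_sa receive it.
resource "google_compute_firewall" "client_http" {
  project     = var.project_id
  name        = format("%s-allow-client-http-ingress", var.nonce)
  network     = data.google_compute_subnetwork.client.network
  description = format("Allow HTTP ingress to client (%s)", var.nonce)
  direction   = "INGRESS"

  # Intentionally open to any IPv4 source; see the header comment.
  source_ranges = [
    "0.0.0.0/0",
  ]

  target_service_accounts = [
    var.client_sa,
  ]

  allow {
    protocol = "tcp"
    ports = [
      80,
    ]
  }

  # Log connections matched by this Internet-facing rule. INCLUDE_ALL_METADATA
  # records the instance and VPC details alongside each log entry.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}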
# Only allow ingress to BIG-IP VMs from the client network.
# The source filter is the client subnet's CIDR (read from the subnetwork
# data source) rather than a service account, and the rule is attached to
# the DMZ network. It applies only to instances running as var.bigip_sa.
resource "google_compute_firewall" "bigip_ingress" {
  name        = "${var.nonce}-allow-client-bigip-ingress"
  description = "Allow HTTP from client CIDR to BIG-IP (${var.nonce})"
  project     = var.project_id
  network     = data.google_compute_subnetwork.dmz.network
  direction   = "INGRESS"

  # Only addresses inside the client subnet's range may connect.
  source_ranges           = [data.google_compute_subnetwork.client.ip_cidr_range]
  target_service_accounts = [var.bigip_sa]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}
# Only allow ingress to service instances from BIG-IP VMs.
# Both ends are identified by service account rather than by address: the
# source must run as var.bigip_sa and the target as var.service_sa. Every
# protocol and port is permitted between them ("all"), so the service tier
# fully trusts the BIG-IP tier.
resource "google_compute_firewall" "bigip_service" {
  name        = "${var.nonce}-allow-bigip-service-ingress"
  description = "Allow all from BIG-IP to service (${var.nonce})"
  project     = var.project_id
  network     = data.google_compute_subnetwork.service.network
  direction   = "INGRESS"

  source_service_accounts = [var.bigip_sa]
  target_service_accounts = [var.service_sa]

  # No port restriction: any protocol from the BIG-IP tier is accepted.
  allow {
    protocol = "all"
  }
}