Add firewall to VM + required changes

- Add firewall holes to VM setup - Add extra variables - Export the proxy subnet range from the network module - Adjust tests in network and vm modules - Add pre-commit docs check for VM module
ivy-net · Oct 10, 2024 · 2871574 · 2871574
1 parent 5b0d08a
commit 2871574
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 18 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -27,3 +27,6 @@ repos:
       - id: terraform-docs-go
         name: tfdocs - network module
         args: ["network"]
+      - id: terraform-docs-go
+        name: tfdocs - vm module
+        args: ["vm"]
diff --git a/network/README.md b/network/README.md
@@ -46,6 +46,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_network-id"></a> [network-id](#output\_network-id) | ID of the network |
-| <a name="output_subnet-backend"></a> [subnet-backend](#output\_subnet-backend) | ID of the backend subnet |
-| <a name="output_subnet-proxy"></a> [subnet-proxy](#output\_subnet-proxy) | ID of the backend subnet |
+| <a name="output_subnet-cidr-proxy"></a> [subnet-cidr-proxy](#output\_subnet-cidr-proxy) | CIDR of the proxy subnet |
+| <a name="output_subnet-id-backend"></a> [subnet-id-backend](#output\_subnet-id-backend) | ID of the backend subnet |
+| <a name="output_subnet-id-proxy"></a> [subnet-id-proxy](#output\_subnet-id-proxy) | ID of the proxy subnet |
 <!-- END_TF_DOCS -->
diff --git a/network/outputs.tf b/network/outputs.tf
@@ -3,12 +3,17 @@ output "network-id" {
   value       = google_compute_network.this.id
 }
 
-output "subnet-backend" {
+output "subnet-cidr-proxy" {
+  description = "CIDR of the proxy subnet"
+  value       = google_compute_subnetwork.backend.ip_cidr_range
+}
+
+output "subnet-id-backend" {
   description = "ID of the backend subnet"
   value       = google_compute_subnetwork.backend.id
 }
 
-output "subnet-proxy" {
-  description = "ID of the backend subnet"
+output "subnet-id-proxy" {
+  description = "ID of the proxy subnet"
   value       = google_compute_subnetwork.backend.id
 }
diff --git a/vm/README.md b/vm/README.md
@@ -15,7 +15,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.6.0 |
 
 ## Modules
 
@@ -25,15 +25,21 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_compute_instance.backend](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
-| [google_compute_instance_group.backend](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group) | resource |
+| [google_compute_firewall.backend_services](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.healh_check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.ssh](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_instance.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
+| [google_compute_instance_group.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group) | resource |
+| [google_compute_image.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_dns_zone"></a> [dns\_zone](#input\_dns\_zone) | Zone for DNS and SSL | `string` | `"test.ivynet.dev."` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name of the VM (and instance group) | `string` | n/a | yes |
 | <a name="input_network-id"></a> [network-id](#input\_network-id) | The ID of the network to add VM to | `string` | n/a | yes |
+| <a name="input_network-proxy-cidr"></a> [network-proxy-cidr](#input\_network-proxy-cidr) | The CIDR range of the proxy (load balancer) | `string` | n/a | yes |
 | <a name="input_network-subnet-id"></a> [network-subnet-id](#input\_network-subnet-id) | The ID of the subnet toadd VM to | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | Name of the GCP project | `string` | `"ivynet-tests"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Name of the region | `string` | `"us-central1"` | no |

diff --git a/vm/firewall.tf b/vm/firewall.tf
@@ -0,0 +1,44 @@
+resource "google_compute_firewall" "ssh" {
+  name = "${var.name}-allow-ssh"
+  allow {
+    ports    = ["22"]
+    protocol = "tcp"
+  }
+  direction     = "INGRESS"
+  network       = var.network-id
+  priority      = 1000
+  project       = var.project
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["ssh"]
+}
+
+resource "google_compute_firewall" "healh_check" {
+  name = "${var.name}-allow-health-check"
+  allow {
+    protocol = "tcp"
+  }
+  direction     = "INGRESS"
+  network       = var.network-id
+  priority      = 100
+  project       = var.project
+  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
+  target_tags   = ["ivynet-backend"]
+}
+
+resource "google_compute_firewall" "backend_services" {
+  name = "${var.name}-allow-backend-services"
+  allow {
+    ports    = ["8080"]
+    protocol = "tcp"
+  }
+  allow {
+    ports    = ["50050"]
+    protocol = "tcp"
+  }
+  direction     = "INGRESS"
+  network       = var.network-id
+  priority      = 200
+  project       = var.project
+  source_ranges = [var.network-proxy-cidr]
+  target_tags   = ["ivynet-backend"]
+}
diff --git a/vm/tests/main.tftest.hcl b/vm/tests/main.tftest.hcl
@@ -20,17 +20,19 @@ run "setup" {
 run "plan_ok" {
   command = plan
   variables {
-    name              = "test44"
-    network-id        = run.setup.net
-    network-subnet-id = run.setup.back
+    name               = "test44"
+    network-id         = run.setup.net
+    network-subnet-id  = run.setup.back-id
+    network-proxy-cidr = run.setup.proxy-cidr
   }
 }
 
 run "apply" {
   command = apply
   variables {
-    name              = "test44"
-    network-id        = run.setup.net
-    network-subnet-id = run.setup.back
+    name               = "test44"
+    network-id         = run.setup.net
+    network-subnet-id  = run.setup.back-id
+    network-proxy-cidr = run.setup.proxy-cidr
   }
 }
diff --git a/vm/tests/setup/main.tf b/vm/tests/setup/main.tf
@@ -7,10 +7,10 @@ output "net" {
   value = module.network.network-id
 }
 
-output "back" {
-  value = module.network.subnet-backend
+output "back-id" {
+  value = module.network.subnet-id-backend
 }
 
-output "proxy" {
-  value = module.network.subnet-proxy
+output "proxy-cidr" {
+  value = module.network.subnet-cidr-proxy
 }
diff --git a/vm/variables.tf b/vm/variables.tf
@@ -13,6 +13,10 @@ variable "network-id" {
   description = "The ID of the network to add VM to"
   type        = string
 }
+variable "network-proxy-cidr" {
+  description = "The CIDR range of the proxy (load balancer)"
+  type        = string
+}
 
 variable "network-subnet-id" {
   description = "The ID of the subnet toadd VM to"