feat: Firewall policy rule with resource manager tag (#1005)

Co-authored-by: Daniel Andrade <dandrade@ciandt.com>

4-projects/business_unit_1/development/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
 | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
@@ -16,14 +17,16 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
 | base\_subnets\_self\_links | The self-links of subnets from base environment. |
-| bucket | The created storage bucket |
+| bucket | The created storage bucket. |
 | env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |
 | keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
+| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |

4-projects/business_unit_1/development/main.tf

@@ -17,11 +17,14 @@
 module "env" {
   source = "../../modules/base_env"
 
-  env                       = "development"
-  business_code             = "bu1"
-  business_unit             = "business_unit_1"
-  remote_state_bucket       = var.remote_state_bucket
-  location_kms              = var.location_kms
-  location_gcs              = var.location_gcs
-  peering_module_depends_on = var.peering_module_depends_on
+  env                          = "development"
+  business_code                = "bu1"
+  business_unit                = "business_unit_1"
+  remote_state_bucket          = var.remote_state_bucket
+  location_kms                 = var.location_kms
+  location_gcs                 = var.location_gcs
+  peering_iap_fw_rules_enabled = true
+  subnet_region                = var.instance_region
+  subnet_ip_range              = "10.3.64.0/21"
+  peering_module_depends_on    = var.peering_module_depends_on
 }

4-projects/business_unit_1/development/outputs.tf

@@ -95,6 +95,16 @@ output "keys" {
 }
 
 output "bucket" {
-  description = "The created storage bucket"
+  description = "The created storage bucket."
   value       = module.env.bucket
 }
+
+output "peering_subnetwork_self_link" {
+  description = "The subnetwork self link of the peering network."
+  value       = module.env.peering_subnetwork_self_link
+}
+
+output "iap_firewall_tags" {
+  description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+  value       = module.env.iap_firewall_tags
+}

4-projects/business_unit_1/development/variables.tf

@@ -36,3 +36,9 @@ variable "peering_module_depends_on" {
   type        = list(any)
   default     = []
 }
+
+variable "instance_region" {
+  description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)."
+  type        = string
+  default     = "us-central1"
+}

4-projects/business_unit_1/non-production/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
 | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
@@ -16,14 +17,16 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
 | base\_subnets\_self\_links | The self-links of subnets from base environment. |
-| bucket | The created storage bucket |
+| bucket | The created storage bucket. |
 | env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |
 | keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
+| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |

4-projects/business_unit_1/non-production/main.tf

@@ -17,11 +17,14 @@
 module "env" {
   source = "../../modules/base_env"
 
-  env                       = "non-production"
-  business_code             = "bu1"
-  business_unit             = "business_unit_1"
-  remote_state_bucket       = var.remote_state_bucket
-  location_kms              = var.location_kms
-  location_gcs              = var.location_gcs
-  peering_module_depends_on = var.peering_module_depends_on
+  env                          = "non-production"
+  business_code                = "bu1"
+  business_unit                = "business_unit_1"
+  remote_state_bucket          = var.remote_state_bucket
+  location_kms                 = var.location_kms
+  location_gcs                 = var.location_gcs
+  peering_iap_fw_rules_enabled = true
+  subnet_region                = var.instance_region
+  subnet_ip_range              = "10.3.128.0/21"
+  peering_module_depends_on    = var.peering_module_depends_on
 }

4-projects/business_unit_1/non-production/outputs.tf

@@ -95,6 +95,16 @@ output "keys" {
 }
 
 output "bucket" {
-  description = "The created storage bucket"
+  description = "The created storage bucket."
   value       = module.env.bucket
 }
+
+output "peering_subnetwork_self_link" {
+  description = "The subnetwork self link of the peering network."
+  value       = module.env.peering_subnetwork_self_link
+}
+
+output "iap_firewall_tags" {
+  description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+  value       = module.env.iap_firewall_tags
+}

4-projects/business_unit_1/non-production/variables.tf

@@ -36,3 +36,9 @@ variable "peering_module_depends_on" {
   type        = list(any)
   default     = []
 }
+
+variable "instance_region" {
+  description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)."
+  type        = string
+  default     = "us-central1"
+}

4-projects/business_unit_1/production/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
 | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
@@ -16,14 +17,16 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
 | base\_subnets\_self\_links | The self-links of subnets from base environment. |
-| bucket | The created storage bucket |
+| bucket | The created storage bucket. |
 | env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |
 | keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
+| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |

4-projects/business_unit_1/production/main.tf

@@ -17,11 +17,14 @@
 module "env" {
   source = "../../modules/base_env"
 
-  env                       = "production"
-  business_code             = "bu1"
-  business_unit             = "business_unit_1"
-  remote_state_bucket       = var.remote_state_bucket
-  location_kms              = var.location_kms
-  location_gcs              = var.location_gcs
-  peering_module_depends_on = var.peering_module_depends_on
+  env                          = "production"
+  business_code                = "bu1"
+  business_unit                = "business_unit_1"
+  remote_state_bucket          = var.remote_state_bucket
+  location_kms                 = var.location_kms
+  location_gcs                 = var.location_gcs
+  peering_iap_fw_rules_enabled = true
+  subnet_region                = var.instance_region
+  subnet_ip_range              = "10.3.192.0/21"
+  peering_module_depends_on    = var.peering_module_depends_on
 }

4-projects/business_unit_1/production/outputs.tf

@@ -95,6 +95,16 @@ output "keys" {
 }
 
 output "bucket" {
-  description = "The created storage bucket"
+  description = "The created storage bucket."
   value       = module.env.bucket
 }
+
+output "peering_subnetwork_self_link" {
+  description = "The subnetwork self link of the peering network."
+  value       = module.env.peering_subnetwork_self_link
+}
+
+output "iap_firewall_tags" {
+  description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+  value       = module.env.iap_firewall_tags
+}

4-projects/business_unit_1/production/variables.tf

@@ -36,3 +36,9 @@ variable "peering_module_depends_on" {
   type        = list(any)
   default     = []
 }
+
+variable "instance_region" {
+  description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)."
+  type        = string
+  default     = "us-central1"
+}

4-projects/business_unit_2/development/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
 | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
@@ -16,14 +17,16 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
 | base\_subnets\_self\_links | The self-links of subnets from base environment. |
-| bucket | The created storage bucket |
+| bucket | The created storage bucket. |
 | env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |
 | keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
+| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |

4-projects/business_unit_2/development/main.tf

@@ -17,11 +17,14 @@
 module "env" {
   source = "../../modules/base_env"
 
-  env                       = "development"
-  business_code             = "bu2"
-  business_unit             = "business_unit_2"
-  remote_state_bucket       = var.remote_state_bucket
-  location_kms              = var.location_kms
-  location_gcs              = var.location_gcs
-  peering_module_depends_on = var.peering_module_depends_on
+  env                          = "development"
+  business_code                = "bu2"
+  business_unit                = "business_unit_2"
+  remote_state_bucket          = var.remote_state_bucket
+  location_kms                 = var.location_kms
+  location_gcs                 = var.location_gcs
+  peering_iap_fw_rules_enabled = true
+  subnet_region                = var.instance_region
+  subnet_ip_range              = "10.4.64.0/21"
+  peering_module_depends_on    = var.peering_module_depends_on
 }

4-projects/business_unit_2/development/outputs.tf

@@ -95,6 +95,16 @@ output "keys" {
 }
 
 output "bucket" {
-  description = "The created storage bucket"
+  description = "The created storage bucket."
   value       = module.env.bucket
 }
+
+output "peering_subnetwork_self_link" {
+  description = "The subnetwork self link of the peering network."
+  value       = module.env.peering_subnetwork_self_link
+}
+
+output "iap_firewall_tags" {
+  description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+  value       = module.env.iap_firewall_tags
+}

4-projects/business_unit_2/development/variables.tf

@@ -36,3 +36,9 @@ variable "peering_module_depends_on" {
   type        = list(any)
   default     = []
 }
+
+variable "instance_region" {
+  description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)."
+  type        = string
+  default     = "us-central1"
+}

4-projects/business_unit_2/non-production/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
 | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
@@ -16,14 +17,16 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
 | base\_subnets\_self\_links | The self-links of subnets from base environment. |
-| bucket | The created storage bucket |
+| bucket | The created storage bucket. |
 | env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |
 | keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
+| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
 | restricted\_shared\_vpc\_project\_number | Project sample restricted project. |

4-projects/business_unit_2/non-production/main.tf

@@ -17,11 +17,14 @@
 module "env" {
   source = "../../modules/base_env"
 
-  env                       = "non-production"
-  business_code             = "bu2"
-  business_unit             = "business_unit_2"
-  remote_state_bucket       = var.remote_state_bucket
-  location_kms              = var.location_kms
-  location_gcs              = var.location_gcs
-  peering_module_depends_on = var.peering_module_depends_on
+  env                          = "non-production"
+  business_code                = "bu2"
+  business_unit                = "business_unit_2"
+  remote_state_bucket          = var.remote_state_bucket
+  location_kms                 = var.location_kms
+  location_gcs                 = var.location_gcs
+  peering_iap_fw_rules_enabled = true
+  subnet_region                = var.instance_region
+  subnet_ip_range              = "10.4.128.0/21"
+  peering_module_depends_on    = var.peering_module_depends_on
 }

4-projects/business_unit_2/non-production/outputs.tf

@@ -95,6 +95,16 @@ output "keys" {
 }
 
 output "bucket" {
-  description = "The created storage bucket"
+  description = "The created storage bucket."
   value       = module.env.bucket
 }
+
+output "peering_subnetwork_self_link" {
+  description = "The subnetwork self link of the peering network."
+  value       = module.env.peering_subnetwork_self_link
+}
+
+output "iap_firewall_tags" {
+  description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+  value       = module.env.iap_firewall_tags
+}

4-projects/business_unit_2/non-production/variables.tf

@@ -36,3 +36,9 @@ variable "peering_module_depends_on" {
   type        = list(any)
   default     = []
 }
+
+variable "instance_region" {
+  description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)."
+  type        = string
+  default     = "us-central1"
+}