feat: allow config sync to access source repository for synchronizati…

…on (#479) fix: minor changes to comply with pr review Co-authored-by: Laurent Grangeau <[email protected]>
GoogleCloudPlatform · Aug 30, 2024 · 62de1b8 · 62de1b8
1 parent c79a980
commit 62de1b8
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -128,10 +128,11 @@ Users and teams managing tenant apps should not have permissions to change clust
 1. Initialize the following Terraform variables:
 
    ```hcl
-   project_id          = # Google Cloud project ID where to provision resources with the blueprint.
-   acm_repository_path = # Path on the host running Terraform to store environment configuration
-   acm_repository_url  = # URL of the repository to store environment configuration
-   acm_secret_type     = # Secret type to authenticate with the Config Sync Git repository
+   project_id                  = # Google Cloud project ID where to provision resources with the blueprint.
+   acm_repository_path         = # Path on the host running Terraform to store environment configuration
+   acm_repository_url          = # URL of the repository to store environment configuration
+   acm_secret_type             = # Secret type to authenticate with the Config Sync Git repository
+   acm_source_repository_fqdns = # FQDNs of source repository for Config Sync to allow in the Network Firewall Policy
    ```
 
    For more information about setting `acm_secret_type`, see

diff --git a/config/lint/.checkov.baseline b/config/lint/.checkov.baseline
@@ -200,6 +200,17 @@
                 }
             ]
         },
+        {
+            "file": "/terraform/network.tf",
+            "findings": [
+                {
+                    "resource": "fedlearn-fw-policies",
+                    "check_ids": [
+                        "CKV_TF_1"
+                    ]
+                }
+            ]
+        },
         {
             "file": "/terraform/cross-device/iam.tf",
             "findings": [

diff --git a/terraform/network.tf b/terraform/network.tf
@@ -29,20 +29,6 @@ module "fedlearn-vpc" {
   routing_mode = "GLOBAL"
 
   firewall_rules = [
-    {
-      description             = "Default deny egress from node pools"
-      direction               = "EGRESS"
-      name                    = "node-pools-deny-egress"
-      priority                = 65535
-      ranges                  = ["0.0.0.0/0"]
-      target_service_accounts = local.list_nodepool_sa_emails
-
-      deny = [
-        {
-          protocol = "all"
-        }
-      ]
-    },
     {
       description             = "Allow egress from node pools to cluster nodes, pods and services"
       direction               = "EGRESS"
@@ -133,6 +119,46 @@ module "fedlearn-vpc" {
   ]
 }
 
+module "fedlearn-fw-policies" {
+  source  = "terraform-google-modules/network/google//modules/network-firewall-policy"
+  version = "9.0.0"
+
+  project_id  = data.google_project.project.project_id
+  policy_name = "network-firewall-policies-federated-learning"
+  target_vpcs = [module.fedlearn-vpc.network_id]
+
+  rules = [
+    {
+      priority                = 1000
+      direction               = "EGRESS"
+      action                  = "allow"
+      rule_name               = "node-pools-allow-egress-configsync-source-repository"
+      description             = "Allow egress from node pools to Config Sync source repository"
+      target_service_accounts = local.list_nodepool_sa_emails
+      match = {
+        dest_fqdns = var.acm_source_repository_fqdns # Allow FQDN for Config Sync source repository
+        layer4_configs = [
+          {
+            ip_protocol = "tcp"
+            ports       = ["22", "443"] # Allow both SSH and HTTPS access
+          }
+        ]
+      }
+    },
+    {
+      priority                = 65535
+      direction               = "EGRESS"
+      action                  = "deny"
+      rule_name               = "node-pools-deny-egress"
+      description             = "Default deny egress from node pools" # Required to add the deny rule in the network firewall policies as they are evaluated after the classical ones
+      target_service_accounts = local.list_nodepool_sa_emails
+      match = {
+        dest_ip_ranges = ["0.0.0.0/0"]
+      }
+    }
+  ]
+}
+
 resource "google_compute_address" "nat_ip" {
   name   = "nat-manual-ip"
   region = module.fedlearn-vpc.subnets[local.fedlearn_subnet_key].region

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -141,6 +141,11 @@ variable "acm_secret_type" {
   type        = string
 }
 
+variable "acm_source_repository_fqdns" {
+  description = "FQDNs of source repository for Config Sync to allow in the Network Firewall Policy"
+  type        = list(string)
+}
+
 # We can't validate if this directory exists because the fileexists function
 # doesn't support directories (yet?)
 # Ref: https://github.com/hashicorp/terraform/issues/33394