add shadow_firewall_rules_log_config and shadow_firewall_rules_priority validation

splichy · splichy · commit 1b5ebbad23d5 · 2022-12-14T22:56:08.000+01:00
diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl
@@ -155,8 +155,11 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   allow { protocol = "esp" }
   allow { protocol = "ah" }
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
+    content {
+      metadata = log_config.value.metadata
+    }
   }
 }
 
@@ -178,8 +181,11 @@ resource "google_compute_firewall" "shadow_allow_master" {
     ports    = ["10250", "443"]
   }
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
+    content {
+      metadata = log_config.value.metadata
+    }
   }
 }
 
@@ -210,8 +216,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
     ports    = ["1-65535"]
   }
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
+    content {
+      metadata = log_config.value.metadata
+    }
   }
 }
 
@@ -222,7 +231,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
   project     = local.network_project_id
   network     = var.network
-  priority    = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
+  priority    = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999
   direction   = "INGRESS"
 
   source_ranges = local.pod_all_ip_ranges
@@ -234,8 +243,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
     ports    = ["10255"]
   }
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
+    content {
+      metadata = log_config.value.metadata
+    }
   }
 }
 
@@ -246,7 +258,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
   project     = local.network_project_id
   network     = var.network
-  priority    = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
+  priority    = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000
   direction   = "INGRESS"
 
   source_ranges = ["0.0.0.0/0"]
@@ -257,7 +269,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
     ports    = ["10255"]
   }
 
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
+  dynamic "log_config" {
+    for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
+    content {
+      metadata = log_config.value.metadata
+    }
   }
 }
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -475,9 +475,23 @@ variable "add_shadow_firewall_rules" {
 }
 
 variable "shadow_firewall_rules_priority" {
-  type = number
+  type        = number
   description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
-  default = 999
+  default     = 999
+  validation {
+    condition     = var.shadow_firewall_rules_priority < 1000
+    error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)."
+  }
+}
+
+variable "shadow_firewall_rules_log_config" {
+  type = object({
+      metadata = string
+    })
+  description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging."
+  default = {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
 }
 
 {% if beta_cluster %}

Original file line number	Diff line number	Diff line change
`@@ -155,8 +155,11 @@ resource "google_compute_firewall" "shadow_allow_pods" {`
`155`	`155`	`allow { protocol = "esp" }`
`156`	`156`	`allow { protocol = "ah" }`
`157`	`157`
`158`		`- log_config {`
`159`		`- metadata = "INCLUDE_ALL_METADATA"`
	`158`	`+ dynamic "log_config" {`
	`159`	`+ for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]`
	`160`	`+ content {`
	`161`	`+ metadata = log_config.value.metadata`
	`162`	`+ }`
`160`	`163`	`}`
`161`	`164`	`}`
`162`	`165`
`@@ -178,8 +181,11 @@ resource "google_compute_firewall" "shadow_allow_master" {`
`178`	`181`	`ports = ["10250", "443"]`
`179`	`182`	`}`
`180`	`183`
`181`		`- log_config {`
`182`		`- metadata = "INCLUDE_ALL_METADATA"`
	`184`	`+ dynamic "log_config" {`
	`185`	`+ for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]`
	`186`	`+ content {`
	`187`	`+ metadata = log_config.value.metadata`
	`188`	`+ }`
`183`	`189`	`}`
`184`	`190`	`}`
`185`	`191`
`@@ -210,8 +216,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" {`
`210`	`216`	`ports = ["1-65535"]`
`211`	`217`	`}`
`212`	`218`
`213`		`- log_config {`
`214`		`- metadata = "INCLUDE_ALL_METADATA"`
	`219`	`+ dynamic "log_config" {`
	`220`	`+ for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]`
	`221`	`+ content {`
	`222`	`+ metadata = log_config.value.metadata`
	`223`	`+ }`
`215`	`224`	`}`
`216`	`225`	`}`
`217`	`226`
`@@ -222,7 +231,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {`
`222`	`231`	`description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."`
`223`	`232`	`project = local.network_project_id`
`224`	`233`	`network = var.network`
`225`		`- priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999`
	`234`	`+ priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999`
`226`	`235`	`direction = "INGRESS"`
`227`	`236`
`228`	`237`	`source_ranges = local.pod_all_ip_ranges`
`@@ -234,8 +243,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {`
`234`	`243`	`ports = ["10255"]`
`235`	`244`	`}`
`236`	`245`
`237`		`- log_config {`
`238`		`- metadata = "INCLUDE_ALL_METADATA"`
	`246`	`+ dynamic "log_config" {`
	`247`	`+ for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]`
	`248`	`+ content {`
	`249`	`+ metadata = log_config.value.metadata`
	`250`	`+ }`
`239`	`251`	`}`
`240`	`252`	`}`
`241`	`253`
`@@ -246,7 +258,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {`
`246`	`258`	`description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."`
`247`	`259`	`project = local.network_project_id`
`248`	`260`	`network = var.network`
`249`		`- priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000`
	`261`	`+ priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000`
`250`	`262`	`direction = "INGRESS"`
`251`	`263`
`252`	`264`	`source_ranges = ["0.0.0.0/0"]`
`@@ -257,7 +269,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {`
`257`	`269`	`ports = ["10255"]`
`258`	`270`	`}`
`259`	`271`
`260`		`- log_config {`
`261`		`- metadata = "INCLUDE_ALL_METADATA"`
	`272`	`+ dynamic "log_config" {`
	`273`	`+ for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]`
	`274`	`+ content {`
	`275`	`+ metadata = log_config.value.metadata`
	`276`	`+ }`
`262`	`277`	`}`
`263`	`278`	`}`