ivantorrellas
diff --git a/‎.kitchen.yml‎
Lines changed: 6 additions & 0 deletions b/‎.kitchen.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎autogen/main/cluster.tf.tmpl‎
Lines changed: 1 addition & 1 deletion b/‎autogen/main/cluster.tf.tmpl‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎autogen/main/firewall.tf.tmpl‎
Lines changed: 4 additions & 0 deletions b/‎autogen/main/firewall.tf.tmpl‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎autogen/safer-cluster/main.tf.tmpl‎
Lines changed: 4 additions & 0 deletions b/‎autogen/safer-cluster/main.tf.tmpl‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎autogen/safer-cluster/variables.tf.tmpl‎
Lines changed: 18 additions & 0 deletions b/‎autogen/safer-cluster/variables.tf.tmpl‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎examples/safer_cluster/main.tf‎
Lines changed: 2 additions & 0 deletions b/‎examples/safer_cluster/main.tf‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/beta-private-cluster-update-variant/firewall.tf‎
Lines changed: 0 additions & 6 deletions b/‎modules/beta-private-cluster-update-variant/firewall.tf‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎modules/beta-private-cluster/firewall.tf‎
Lines changed: 0 additions & 6 deletions b/‎modules/beta-private-cluster/firewall.tf‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎modules/private-cluster-update-variant/firewall.tf‎
Lines changed: 0 additions & 6 deletions b/‎modules/private-cluster-update-variant/firewall.tf‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎modules/private-cluster/firewall.tf‎
Lines changed: 0 additions & 6 deletions b/‎modules/private-cluster/firewall.tf‎
Lines changed: 0 additions & 6 deletions
@@ -51,6 +51,12 @@ suites:
  systems:
  - name: safer_cluster
  backend: local
+ controls:
+ - gcloud
+ - name: inspec-gcp
+ backend: gcp
+ controls:
+ - network
  - name: "simple_regional"
  driver:
  root_module_directory: test/fixtures/simple_regional
 
@@ -509,7 +509,7 @@ resource "google_container_node_pool" "pools" {
  {% endif %}
 
  shielded_instance_config {
- enable_secure_boot =  lookup(each.value, "enable_secure_boot", false)
+ enable_secure_boot  = lookup(each.value, "enable_secure_boot", false)
  enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
  }
  }
 
@@ -48,9 +48,11 @@ resource "google_compute_firewall" "intra_egress" {
  allow { protocol = "esp" }
  allow { protocol = "ah" }
 
+ {% if not private_cluster %}
  depends_on = [
  google_container_cluster.primary,
  ]
+ {% endif %}
 }
 
 
@@ -77,8 +79,10 @@ resource "google_compute_firewall" "master_webhooks" {
  ports = var.firewall_inbound_ports
  }
 
+ {% if not private_cluster %}
  depends_on = [
  google_container_cluster.primary,
  ]
+ {% endif %}
 
 }
@@ -49,6 +49,10 @@ module "gke" {
  ip_range_pods = var.ip_range_pods
  ip_range_services = var.ip_range_services
 
+ add_cluster_firewall_rules = var.add_cluster_firewall_rules
+ firewall_priority = var.firewall_priority
+ firewall_inbound_ports = var.firewall_inbound_ports
+
  horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
  http_load_balancing = var.http_load_balancing
 
 
@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
  default = true
 }
+
+variable "add_cluster_firewall_rules" {
+ type = bool
+ description = "Create additional firewall rules"
+ default = false
+}
+
+variable "firewall_priority" {
+ type = number
+ description = "Priority rule for firewall rules"
+ default = 1000
+}
+
+variable "firewall_inbound_ports" {
+ type = list(string)
+ description = "List of TCP ports for admission/webhook controllers"
+ default = ["8443", "9443", "15017"]
+}
@@ -49,6 +49,8 @@ module "gke" {
  ip_range_services = local.svc_range_name
  compute_engine_service_account = var.compute_engine_service_account
  master_ipv4_cidr_block = "172.16.0.0/28"
+ add_cluster_firewall_rules = true
+ firewall_inbound_ports = ["9443", "15017"]
 
  master_authorized_networks = [
  {
 
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
  allow { protocol = "esp" }
  allow { protocol = "ah" }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
  ports = var.firewall_inbound_ports
  }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 
 }
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
  allow { protocol = "esp" }
  allow { protocol = "ah" }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
  ports = var.firewall_inbound_ports
  }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 
 }
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
  allow { protocol = "esp" }
  allow { protocol = "ah" }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
  ports = var.firewall_inbound_ports
  }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 
 }
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
  allow { protocol = "esp" }
  allow { protocol = "ah" }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
  ports = var.firewall_inbound_ports
  }
 
- depends_on = [
- google_container_cluster.primary,
- ]
 
 }
Original file line number	Diff line number	Diff line change
`@@ -509,7 +509,7 @@ resource "google_container_node_pool" "pools" {`
`509`	`509`	`{% endif %}`
`510`	`510`
`511`	`511`	`shielded_instance_config {`
`512`		`- enable_secure_boot = lookup(each.value, "enable_secure_boot", false)`
	`512`	`+ enable_secure_boot = lookup(each.value, "enable_secure_boot", false)`
`513`	`513`	`enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)`
`514`	`514`	`}`
`515`	`515`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,9 +48,11 @@ resource "google_compute_firewall" "intra_egress" {`
`48`	`48`	`allow { protocol = "esp" }`
`49`	`49`	`allow { protocol = "ah" }`
`50`	`50`
	`51`	`+ {% if not private_cluster %}`
`51`	`52`	`depends_on = [`
`52`	`53`	`google_container_cluster.primary,`
`53`	`54`	`]`
	`55`	`+ {% endif %}`
`54`	`56`	`}`
`55`	`57`
`56`	`58`
`@@ -77,8 +79,10 @@ resource "google_compute_firewall" "master_webhooks" {`
`77`	`79`	`ports = var.firewall_inbound_ports`
`78`	`80`	`}`
`79`	`81`
	`82`	`+ {% if not private_cluster %}`
`80`	`83`	`depends_on = [`
`81`	`84`	`google_container_cluster.primary,`
`82`	`85`	`]`
	`86`	`+ {% endif %}`
`83`	`87`
`84`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,8 @@ module "gke" {`
`49`	`49`	`ip_range_services = local.svc_range_name`
`50`	`50`	`compute_engine_service_account = var.compute_engine_service_account`
`51`	`51`	`master_ipv4_cidr_block = "172.16.0.0/28"`
	`52`	`+ add_cluster_firewall_rules = true`
	`53`	`+ firewall_inbound_ports = ["9443", "15017"]`
`52`	`54`
`53`	`55`	`master_authorized_networks = [`
`54`	`56`	`{`
Original file line number	Diff line number	Diff line change
`@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {`
`48`	`48`	`allow { protocol = "esp" }`
`49`	`49`	`allow { protocol = "ah" }`
`50`	`50`
`51`		`- depends_on = [`
`52`		`- google_container_cluster.primary,`
`53`		`- ]`
`54`	`51`	`}`
`55`	`52`
`56`	`53`
`@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {`
`77`	`74`	`ports = var.firewall_inbound_ports`
`78`	`75`	`}`
`79`	`76`
`80`		`- depends_on = [`
`81`		`- google_container_cluster.primary,`
`82`		`- ]`
`83`	`77`
`84`	`78`	`}`