# Optional SSH ingress to the runner instances. The rule only exists when
# var.runners_allow_ssh_access is true; `direction` is not set, so the
# provider default (INGRESS) applies.
resource "google_compute_firewall" "ssh" {
  count = var.runners_allow_ssh_access ? 1 : 0

  name        = "${var.prefix}-gitlab-runner-allow-ssh"
  description = "Allow SSH to Runner instances"
  network     = data.google_compute_network.this.name

  # Port 22 is exposed exactly as widely as the operator-supplied CIDR list:
  # an entry such as 0.0.0.0/0 in var.runners_ssh_allowed_cidr_blocks would
  # open SSH on the runner to the whole internet, so keep that list narrow.
  source_ranges = var.runners_ssh_allowed_cidr_blocks

  # Limits the rule to instances carrying the runner firewall tag.
  target_tags = [local.firewall_tag]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
# Docker Machine control traffic (TCP 2376) from runner-tagged instances to
# machine-tagged instances, gated by var.create_docker_machines_firewall.
# NOTE(review): the rule name is the literal "docker-machines" with no
# var.prefix, so only one such rule can exist per project; the comment on
# the docker_machines resource below describes the resulting collision
# between deployments.
resource "google_compute_firewall" "docker_machine" {
  count = var.create_docker_machines_firewall ? 1 : 0

  name        = "docker-machines"
  description = "Allow docker-machine traffic within on port 2376"
  network     = data.google_compute_network.this.name

  # Tag-to-tag rule: traffic is accepted only from instances that carry the
  # runner tag or one of var.docker_machine_tags ...
  source_tags = concat([local.firewall_tag], var.docker_machine_tags)

  # ... and only towards instances tagged "docker-machine", the runner tag,
  # or one of var.runners_tags.
  target_tags = concat(["docker-machine", local.firewall_tag], var.runners_tags)

  allow {
    protocol = "tcp"
    ports    = ["2376"]
  }
}
# Gitlab-Runner requires a firewall rule with name docker-machines to be created.
# However, when you have multiple deployments of the runner within different VPCs, issues arise
# because one firewall rule replaces the other since they have the same name. Creating another
# specialized firewall rule here to ignore changes made to the docker-machine rule.
# See https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/issues/47 and
# https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/issues/55
# Prefixed counterpart of the "docker-machines" rule so that each deployment
# owns a uniquely named TCP 2376 rule. Unlike the docker_machine resource
# this one has no `count` and is always created.
# NOTE(review): the comment above speaks of ignoring changes to the
# docker-machine rule, but no lifecycle/ignore_changes block is present on
# either resource in this file — presumably the intent is just the unique
# name; confirm.
# NOTE(review): the target tag here is "docker-machines" (plural) whereas the
# docker_machine and docker_machine_ssh rules target "docker-machine";
# confirm which tag the created machines actually carry, otherwise one of
# the rules never matches.
resource "google_compute_firewall" "docker_machines" {
  name        = "${var.prefix}-docker-machines"
  description = "Allow docker-machine traffic within on port 2376"
  network     = data.google_compute_network.this.name

  # Accept only from runner-tagged instances or var.docker_machine_tags ...
  source_tags = concat([local.firewall_tag], var.docker_machine_tags)

  # ... towards instances tagged "docker-machines", the runner tag, or
  # one of var.runners_tags.
  target_tags = concat(["docker-machines", local.firewall_tag], var.runners_tags)

  allow {
    protocol = "tcp"
    ports    = ["2376"]
  }
}
# SSH (TCP 22) from runner-tagged instances to the docker-machine instances,
# which docker-machine uses for provisioning. Scoped tag-to-tag, so no CIDR
# ranges are involved; always created (no `count`).
resource "google_compute_firewall" "docker_machine_ssh" {
  name        = "${var.prefix}-gitlab-runner-docker-machine-allow-ssh"
  description = "Allow ssh to docker-machine from runner "
  network     = data.google_compute_network.this.name

  # Sources: the runner tag plus var.docker_machine_tags.
  source_tags = concat([local.firewall_tag], var.docker_machine_tags)

  # Targets: instances tagged "docker-machine", the runner tag, or
  # var.runners_tags.
  target_tags = concat(["docker-machine", local.firewall_tag], var.runners_tags)

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
# Outbound access for runner-tagged instances.
# NOTE(review): this is a broad rule — the allow block names no ports, so
# every TCP port is permitted, and no destination_ranges is set, so GCP
# applies its egress default of all destinations (0.0.0.0/0). If the runners
# only need to reach GitLab, registries and package mirrors, narrowing the
# destination ranges (or at least the ports) would limit what a compromised
# job can reach; confirm that the unrestricted egress is intended.
resource "google_compute_firewall" "internet" {
  name        = "${var.prefix}-gitlab-runner-allow-internet"
  description = "Allow connection to internet"
  network     = data.google_compute_network.this.name
  direction   = "EGRESS"

  # Only instances carrying the runner firewall tag get this egress.
  target_tags = [local.firewall_tag]

  allow {
    protocol = "tcp"
  }
}