Merge pull request #2 from ava-labs/firewall-allow-creating-unique-na…

…mes-via-autogen

fix(firewal-rules): add possibility to configure unique fw names with…

README.md

@@ -139,6 +139,7 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_firewall\_rule\_name\_unique\_suffix | Create additional firewall rule unique suffix | `bool` | `false` | no |
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |

autogen/main/firewall.tf.tmpl

@@ -24,9 +24,25 @@
   Required for clusters when VPCs enforce
   a default-deny egress rule
  *****************************************/
+locals {
+  rule_name_base = (
+    var.add_firewall_rule_name_unique_suffix ?
+    "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
+    substr(var.name, 0, min(36, length(var.name)))
+  )
+}
+
+resource "random_string" "google_compute_firewall_suffix" {
+  count   = var.add_firewall_rule_name_unique_suffix ? 1 : 0
+  upper   = false
+  lower   = true
+  special = false
+  length  = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
   count       = var.add_cluster_firewall_rules ? 1 : 0
-  name        = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+  name        = "gke-${local.rule_name_base}-intra-cluster-egress"
   description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
   project     = local.network_project_id
   network     = var.network
@@ -102,7 +118,7 @@ resource "google_compute_firewall" "tpu_egress" {
  *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
   count       = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
-  name        = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+  name        = "gke-${local.rule_name_base}-webhooks"
   description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
   project     = local.network_project_id
   network     = var.network
@@ -134,7 +150,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+  name        = "gke-shadow-${local.rule_name_base}-all"
   description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
   project     = local.network_project_id
   network     = var.network
@@ -163,7 +179,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+  name        = "gke-shadow-${local.rule_name_base}-master"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
   project     = local.network_project_id
   network     = var.network
@@ -189,7 +205,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+  name        = "gke-shadow-${local.rule_name_base}-vms"
   description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
   project     = local.network_project_id
   network     = var.network
@@ -224,7 +240,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+  name        = "gke-shadow-${local.rule_name_base}-inkubelet"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
   project     = local.network_project_id
   network     = var.network
@@ -251,7 +267,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+  name        = "gke-shadow-${local.rule_name_base}-exkubelet"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
   project     = local.network_project_id
   network     = var.network

autogen/main/variables.tf.tmpl

@@ -556,6 +556,12 @@ variable "add_master_webhook_firewall_rules" {
   default     = false
 }
 
+variable "add_firewall_rule_name_unique_suffix" {
+  type        = bool
+  description = "Create additional firewall rule unique suffix"
+  default     = false
+}
+
 variable "firewall_priority" {
   type        = number
   description = "Priority rule for firewall rules"

firewall.tf

@@ -24,9 +24,25 @@
   Required for clusters when VPCs enforce
   a default-deny egress rule
  *****************************************/
+locals {
+  rule_name_base = (
+    var.add_firewall_rule_name_unique_suffix ?
+    "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
+    substr(var.name, 0, min(36, length(var.name)))
+  )
+}
+
+resource "random_string" "google_compute_firewall_suffix" {
+  count   = var.add_firewall_rule_name_unique_suffix ? 1 : 0
+  upper   = false
+  lower   = true
+  special = false
+  length  = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
   count       = var.add_cluster_firewall_rules ? 1 : 0
-  name        = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+  name        = "gke-${local.rule_name_base}-intra-cluster-egress"
   description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
   project     = local.network_project_id
   network     = var.network
@@ -98,7 +114,7 @@ resource "google_compute_firewall" "tpu_egress" {
  *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
   count       = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
-  name        = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+  name        = "gke-${local.rule_name_base}-webhooks"
   description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
   project     = local.network_project_id
   network     = var.network
@@ -128,7 +144,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+  name        = "gke-shadow-${local.rule_name_base}-all"
   description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
   project     = local.network_project_id
   network     = var.network
@@ -157,7 +173,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+  name        = "gke-shadow-${local.rule_name_base}-master"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
   project     = local.network_project_id
   network     = var.network
@@ -183,7 +199,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+  name        = "gke-shadow-${local.rule_name_base}-vms"
   description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
   project     = local.network_project_id
   network     = var.network
@@ -218,7 +234,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+  name        = "gke-shadow-${local.rule_name_base}-inkubelet"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
   project     = local.network_project_id
   network     = var.network
@@ -245,7 +261,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+  name        = "gke-shadow-${local.rule_name_base}-exkubelet"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
   project     = local.network_project_id
   network     = var.network

modules/beta-autopilot-private-cluster/README.md

@@ -73,6 +73,7 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_firewall\_rule\_name\_unique\_suffix | Create additional firewall rule unique suffix | `bool` | `false` | no |
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |

modules/beta-autopilot-private-cluster/firewall.tf

@@ -24,9 +24,25 @@
   Required for clusters when VPCs enforce
   a default-deny egress rule
  *****************************************/
+locals {
+  rule_name_base = (
+    var.add_firewall_rule_name_unique_suffix ?
+    "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
+    substr(var.name, 0, min(36, length(var.name)))
+  )
+}
+
+resource "random_string" "google_compute_firewall_suffix" {
+  count   = var.add_firewall_rule_name_unique_suffix ? 1 : 0
+  upper   = false
+  lower   = true
+  special = false
+  length  = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
   count       = var.add_cluster_firewall_rules ? 1 : 0
-  name        = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+  name        = "gke-${local.rule_name_base}-intra-cluster-egress"
   description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
   project     = local.network_project_id
   network     = var.network
@@ -92,7 +108,7 @@ resource "google_compute_firewall" "tpu_egress" {
  *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
   count       = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
-  name        = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+  name        = "gke-${local.rule_name_base}-webhooks"
   description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
   project     = local.network_project_id
   network     = var.network
@@ -119,7 +135,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+  name        = "gke-shadow-${local.rule_name_base}-all"
   description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
   project     = local.network_project_id
   network     = var.network
@@ -148,7 +164,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+  name        = "gke-shadow-${local.rule_name_base}-master"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
   project     = local.network_project_id
   network     = var.network
@@ -174,7 +190,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+  name        = "gke-shadow-${local.rule_name_base}-vms"
   description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
   project     = local.network_project_id
   network     = var.network
@@ -209,7 +225,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+  name        = "gke-shadow-${local.rule_name_base}-inkubelet"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
   project     = local.network_project_id
   network     = var.network
@@ -236,7 +252,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
-  name        = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+  name        = "gke-shadow-${local.rule_name_base}-exkubelet"
   description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
   project     = local.network_project_id
   network     = var.network

modules/beta-autopilot-private-cluster/variables.tf

@@ -343,6 +343,12 @@ variable "add_master_webhook_firewall_rules" {
   default     = false
 }
 
+variable "add_firewall_rule_name_unique_suffix" {
+  type        = bool
+  description = "Create additional firewall rule unique suffix"
+  default     = false
+}
+
 variable "firewall_priority" {
   type        = number
   description = "Priority rule for firewall rules"

modules/beta-autopilot-public-cluster/README.md

@@ -67,6 +67,7 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_firewall\_rule\_name\_unique\_suffix | Create additional firewall rule unique suffix | `bool` | `false` | no |
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |