
Firewall

In this exercise you will create firewall rules to allow SSH and HTTP access to the Compute Engine instance created in your custom VPC.

Exercises

  1. Create resource block with type google_compute_firewall named allow-http
    • name = "${var.name}-fw-allow-http"
    • network = google_compute_network.default.name
    • target_tags = ["http"]
    • source_ranges = ["0.0.0.0/0"]
    • Remember to set the project as well
    • In the allow block, set protocol to tcp and port to the usual HTTP port 80
  2. Create another google_compute_firewall resource named allow-ssh
    • name = "${var.name}-fw-allow-ssh"
    • network = google_compute_network.default.name
    • target_tags = ["ssh"]
    • source_ranges = ["0.0.0.0/0"]
    • Remember to set the project as well
    • In the allow block, set protocol to tcp and port to the usual SSH port 22

Extra

  1. Move the project configuration to the provider's configuration
    • This way, you don't have to specify it explicitly in each of the resources now that all resources are in the same project
  2. Create a reusable module called my-firewall in a subdirectory called modules/
    • Put the two firewall resources there, and define the needed inputs in variables.tf
      • Hint: At least the name is used. What other parameters need to be referenced?
    • Using a module is similar to using a resource, but you write a module block with a name instead
      • Hint: module "firewall" {}
    • You will also need to specify a source in the compute_engine.tf file to reference your module
      • Hint: source = "./modules/my-firewall"
    • Remember to run terraform init again after adding a new module, so Terraform can install it
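A worked version of the extra exercise, added here as an example and not the workshop's own answer: the module's variables.tf and main.tf, the module block in the root configuration, and the state moves that keep the existing rules from being recreated. The ssh_source_ranges variable is my addition so the SSH rule can be narrowed to an admin range; the exercise itself uses 0.0.0.0/0, which is kept as the default. The project is assumed to be set on the provider block (extra exercise 1), so the module inherits it.

```hcl
# modules/my-firewall/variables.tf
variable "name" { type = string }    # prefix for the rule names
variable "network" { type = string } # VPC network the rules attach to
variable "ssh_source_ranges" {
  description = "CIDRs allowed to reach port 22; narrow this to your admin range"
  type        = list(string)
  default     = ["0.0.0.0/0"] # matches the exercise; override outside the lab
}

# modules/my-firewall/main.tf (project is inherited from the provider block)
resource "google_compute_firewall" "allow-http" {
  name          = "${var.name}-fw-allow-http"
  network       = var.network
  target_tags   = ["http"] # only instances tagged "http" receive this rule
  source_ranges = ["0.0.0.0/0"]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}

resource "google_compute_firewall" "allow-ssh" {
  name          = "${var.name}-fw-allow-ssh"
  network       = var.network
  target_tags   = ["ssh"]
  source_ranges = var.ssh_source_ranges

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# compute_engine.tf (root module): call the module and pass its inputs
module "firewall" {
  source  = "./modules/my-firewall"
  name    = var.name
  network = google_compute_network.default.name
  # ssh_source_ranges = ["203.0.113.0/24"] # constructed example admin CIDR
}

# After `terraform init`, move the rules already in the state into the module
# so `terraform plan` shows no destroy/create for them:
#   terraform state mv google_compute_firewall.allow-http module.firewall.google_compute_firewall.allow-http
#   terraform state mv google_compute_firewall.allow-ssh  module.firewall.google_compute_firewall.allow-ssh
```

Run terraform plan after the state moves; a clean plan confirms the module addresses match what is recorded in the state.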

Check your configuration

Once again check your configuration first:

terraform plan

Apply your configuration

And to apply, the usual:

terraform apply

Note

If you did the extra exercise above after the initial terraform apply, you will have the resource in the state already.

You can then use terraform state mv to move the resource within the state, so it is not recreated!

The instance is now accessible from everywhere, since we added 0.0.0.0/0 as the source_ranges. How do we access it? Unless an output is added, we don't know the IP address. Or do we?

It is in the Terraform state:

terraform state show google_compute_instance.default

Get the IP address there, from the network_interface access_config block, and try it out with your browser. You should see the default page of Apache2.

Answer

terraform/iam.tf

# Allows HTTP (TCP/80) from any source to instances tagged "http"
resource "google_compute_firewall" "allow-http" {
  name    = "${var.name}-fw-allow-http"
  network = google_compute_network.default.name
  project = var.project

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
  target_tags   = ["http"]
  source_ranges = ["0.0.0.0/0"]
}

# Allows SSH (TCP/22) from any source to instances tagged "ssh"
resource "google_compute_firewall" "allow-ssh" {
  name    = "${var.name}-fw-allow-ssh"
  network = google_compute_network.default.name
  project = var.project

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  target_tags   = ["ssh"]
  source_ranges = ["0.0.0.0/0"]
}

Next

Next, we create a Load Balancer in front of the Compute Engine instance.