refs board#3052: create network-policy (#48)
FabrizioCafolla authored Dec 19, 2024
1 parent 51fd389 commit cade243
Showing 5 changed files with 65 additions and 7 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,12 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.20.0] - 2024-12-19

[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-cloud-native-drupal-resources/compare/0.19.0...0.20.0)

- Add feature to enable network policy between `isolated` and `restricted` at namespace level.

## [0.19.0] - 2024-12-3

[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-cloud-native-drupal-resources/compare/0.18.0...0.19.0)
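Review bot: the wording of the new entry `- Add feature to enable network policy between \`isolated\` and \`restricted\` at namespace level.` reads as if a policy is placed between two things, whereas the change lets each project pick one of two per-namespace ingress policies through the new `network_policy` field. Suggest: `- Add \`network_policy\` option (\`isolated\` or \`restricted\`) that creates a per-namespace Kubernetes NetworkPolicy for a Drupal project.`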
14 changes: 8 additions & 6 deletions README.md
Expand Up @@ -132,7 +132,7 @@ the random suffix `bucket_append_random_suffix` for the bucket name.
| <a name="input_create_clousql_dumps_bucket"></a> [create\_clousql\_dumps\_bucket](#input\_create\_clousql\_dumps\_bucket) | If true, the module will create a Google Storage bucket that can be used as a destination for CloudSQL dumps. The bucket will also be tagged with the global tags. | `bool` | `false` | no |
| <a name="input_create_databases_and_users"></a> [create\_databases\_and\_users](#input\_create\_databases\_and\_users) | If true, the module will create a user and a database for each project. | `bool` | `true` | no |
| <a name="input_default_k8s_labels"></a> [default\_k8s\_labels](#input\_default\_k8s\_labels) | A map of labels to be applied to all the kubernetes resources created by this module. If a resource specify a map of labels, the default labels will merged with those specified in the resource. | `map(string)` | <pre>{<br/> "managed-by": "terraform"<br/>}</pre> | no |
| <a name="input_drupal_projects_list"></a> [drupal\_projects\_list](#input\_drupal\_projects\_list) | The list of Drupal projects, add a project name and this will create all infrastructure resources needed to run your project (bucket, database, user with relative credentials). Database resources are created in the CloudSQL instance you specified. Please not that you can assign only a database to a single user, the same user cannot be assigned to multiple databases. The default values are thought for a production environment, they will need to be adjusted accordingly for a stage environment. | <pre>list(object({<br/> project_name = string<br/> gitlab_project_id = number<br/> release_branch_name = optional(string, "main")<br/> kubernetes_namespace = optional(string, null)<br/> kubernetes_namespace_labels = optional(map(string), {})<br/> helm_release_name = optional(string, null)<br/> database_name = optional(string, null)<br/> database_user_name = optional(string, null)<br/> database_host = optional(string, null)<br/> database_port = optional(number, 3306)<br/> bucket_name = optional(string, null)<br/> bucket_host = optional(string, "storage.googleapis.com")<br/> bucket_append_random_suffix = optional(bool, true)<br/> bucket_location = optional(string, null)<br/> bucket_storage_class = optional(string, "STANDARD")<br/> bucket_enable_versioning = optional(bool, true)<br/> bucket_enable_disaster_recovery = optional(bool, true)<br/> bucket_force_destroy = optional(bool, false)<br/> bucket_legacy_public_files_path = optional(string, "/public")<br/> bucket_set_all_users_as_viewer = optional(bool, false)<br/> bucket_labels = optional(map(string), {})<br/> bucket_tag_list = optional(list(string), [])<br/> bucket_obj_adm = optional(list(string), [])<br/> bucket_obj_vwr = optional(list(string), [])<br/> bucket_soft_delete_retention_seconds = optional(number, 0)<br/> }))</pre> | n/a | yes |
| <a name="input_drupal_projects_list"></a> [drupal\_projects\_list](#input\_drupal\_projects\_list) | The list of Drupal projects, add a project name and this will create all infrastructure resources needed to run your project (bucket, database, user with relative credentials). Database resources are created in the CloudSQL instance you specified. Please not that you can assign only a database to a single user, the same user cannot be assigned to multiple databases. The default values are thought for a production environment, they will need to be adjusted accordingly for a stage environment. | <pre>list(object({<br/> project_name = string<br/> gitlab_project_id = number<br/> release_branch_name = optional(string, "main")<br/> kubernetes_namespace = optional(string, null)<br/> kubernetes_namespace_labels = optional(map(string), {})<br/> helm_release_name = optional(string, null)<br/> database_name = optional(string, null)<br/> database_user_name = optional(string, null)<br/> database_host = optional(string, null)<br/> database_port = optional(number, 3306)<br/> bucket_name = optional(string, null)<br/> bucket_host = optional(string, "storage.googleapis.com")<br/> bucket_append_random_suffix = optional(bool, true)<br/> bucket_location = optional(string, null)<br/> bucket_storage_class = optional(string, "STANDARD")<br/> bucket_enable_versioning = optional(bool, true)<br/> bucket_enable_disaster_recovery = optional(bool, true)<br/> bucket_force_destroy = optional(bool, false)<br/> bucket_legacy_public_files_path = optional(string, "/public")<br/> bucket_set_all_users_as_viewer = optional(bool, false)<br/> bucket_labels = optional(map(string), {})<br/> bucket_tag_list = optional(list(string), [])<br/> bucket_obj_adm = optional(list(string), [])<br/> bucket_obj_vwr = optional(list(string), [])<br/> bucket_soft_delete_retention_seconds = optional(number, 0)<br/> network_policy = optional(string, "")<br/> }))</pre> | n/a | yes |
| <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | A list of tags to be applied to all the drupal buckets, in the form <TAG\_KEY\_SHORTNAME>/<TAG\_VALUE\_SHORTNAME>. If a resource specify a list of tags, the global tags will be overridden and replaced by those specified in the resource. Please note that actually only the buckets are tagged by this module. | `list(string)` | `[]` | no |
| <a name="input_logging_bucket_name"></a> [logging\_bucket\_name](#input\_logging\_bucket\_name) | The name of the logging bucket. If empty, no logging bucket will be added and bucket logs will be disabled. | `string` | `""` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project in which the resource belongs. | `string` | n/a | yes |
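Review bot: the only trace of the new option in this table is the `network_policy = optional(string, "")` line inside the `drupal_projects_list` type; the description column never says which values are accepted or what they cause. Add a sentence to the variable description such as: `Set network_policy to "isolated" or "restricted" to have the module create a NetworkPolicy in the project namespace; leave it empty to create none.` The `Please not that` typo in the same description could be fixed to `Please note that` while the row is being touched.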
Expand All @@ -145,15 +145,16 @@ the random suffix `bucket_append_random_suffix` for the bucket name.
| <a name="output_cloudsql_dumps_bucket_name"></a> [cloudsql\_dumps\_bucket\_name](#output\_cloudsql\_dumps\_bucket\_name) | CloudSQL dumps bucket name. |
| <a name="output_details_of_used_tag_keys"></a> [details\_of\_used\_tag\_keys](#output\_details\_of\_used\_tag\_keys) | Details of the tag keys passed to this module. |
| <a name="output_details_of_used_tag_values"></a> [details\_of\_used\_tag\_values](#output\_details\_of\_used\_tag\_values) | Details of the tag values passed to this module. |
| <a name="output_drupal_apps_all_bucket_credentials"></a> [drupal\_apps\_all\_bucket\_credentials](#output\_drupal\_apps\_all\_bucket\_credentials) | Bucket credentials for each Drupal project |
| <a name="output_drupal_apps_all_bucket_secrets"></a> [drupal\_apps\_all\_bucket\_secrets](#output\_drupal\_apps\_all\_bucket\_secrets) | Bucket kubernetes secrets for each Drupal project |
| <a name="output_drupal_apps_all_bucket_credentials"></a> [drupal\_apps\_all\_bucket\_credentials](#output\_drupal\_apps\_all\_bucket\_credentials) | Bucket credentials for each Drupal project, indexed same as all\_data |
| <a name="output_drupal_apps_all_bucket_secrets"></a> [drupal\_apps\_all\_bucket\_secrets](#output\_drupal\_apps\_all\_bucket\_secrets) | Bucket kubernetes secrets for each Drupal project, indexed same as all\_data |
| <a name="output_drupal_apps_all_data"></a> [drupal\_apps\_all\_data](#output\_drupal\_apps\_all\_data) | All data for each Drupal project. |
| <a name="output_drupal_apps_all_database_credentials"></a> [drupal\_apps\_all\_database\_credentials](#output\_drupal\_apps\_all\_database\_credentials) | Database credentials for each Drupal project |
| <a name="output_drupal_apps_all_database_secrets"></a> [drupal\_apps\_all\_database\_secrets](#output\_drupal\_apps\_all\_database\_secrets) | Database kubernetes secrets for each Drupal project |
| <a name="output_drupal_apps_all_namespaces"></a> [drupal\_apps\_all\_namespaces](#output\_drupal\_apps\_all\_namespaces) | Namespace for each Drupal project |
| <a name="output_drupal_apps_all_database_credentials"></a> [drupal\_apps\_all\_database\_credentials](#output\_drupal\_apps\_all\_database\_credentials) | Database credentials for each Drupal project, indexed same as all\_data |
| <a name="output_drupal_apps_all_database_secrets"></a> [drupal\_apps\_all\_database\_secrets](#output\_drupal\_apps\_all\_database\_secrets) | Database kubernetes secrets for each Drupal project, indexed same as all\_data |
| <a name="output_drupal_apps_all_namespaces"></a> [drupal\_apps\_all\_namespaces](#output\_drupal\_apps\_all\_namespaces) | Map of all Kubernetes namespaces used by Drupal apps, indexed same as all\_data |
| <a name="output_drupal_apps_bucket_credentials"></a> [drupal\_apps\_bucket\_credentials](#output\_drupal\_apps\_bucket\_credentials) | Drupal apps bucket credentials for each Drupal project. |
| <a name="output_drupal_apps_database_credentials"></a> [drupal\_apps\_database\_credentials](#output\_drupal\_apps\_database\_credentials) | Drupal apps database credentials for each Drupal project. |
| <a name="output_drupal_buckets_names_list"></a> [drupal\_buckets\_names\_list](#output\_drupal\_buckets\_names\_list) | The list with the names of the Drupal buckets managed by this module. |
| <a name="output_namespaces_network_policy"></a> [namespaces\_network\_policy](#output\_namespaces\_network\_policy) | Namespaces with network policy enabled. |
## Resources

| Name | Type |
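Review bot: the description of the new `namespaces_network_policy` output, `Namespaces with network policy enabled.`, does not match the value defined in outputs.tf in this same commit, which also returns a `none` map of namespaces that have no policy at all. Suggest `Map of namespaces grouped by network policy (isolated, restricted, none).` so the README matches what the output actually contains.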
Expand All @@ -162,6 +163,7 @@ the random suffix `bucket_append_random_suffix` for the bucket name.
| [google_storage_bucket_iam_member.cloudsql_dumps_bucket_writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_tags_location_tag_binding.binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/tags_location_tag_binding) | resource |
| [kubernetes_namespace.namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy_v1) | resource |
| [kubernetes_secret.bucket_secret_name](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.database_secret_name](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [random_id.cloudsql_dumps_bucket_name_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/id) | resource |
36 changes: 36 additions & 0 deletions main.tf
Expand Up @@ -51,6 +51,8 @@ locals {
p.kubernetes_namespace_labels,
var.default_k8s_labels
)
project_name = p.project_name
network_policy = p.network_policy
}
]
}
Expand Down Expand Up @@ -92,3 +94,37 @@ resource "kubernetes_namespace" "namespace" {
labels = each.value.labels
}
}

locals {
unique_namespaces = toset([for p in local.namespace_list : p.namespace if p.network_policy != ""])
}

resource "kubernetes_network_policy_v1" "this" {
for_each = {
for p in local.namespace_list : p.namespace => p.network_policy if contains(local.unique_namespaces, p.namespace)
}

metadata {
name = "network-policy-${each.value}"
namespace = kubernetes_namespace.namespace[each.key].metadata[0].name
}

spec {
pod_selector {}

policy_types = ["Ingress"]

ingress {
dynamic "from" {
for_each = each.value == "isolated" ? { "isolated" : true } : {}
content {
pod_selector {}
}
}
dynamic "from" {
for_each = each.value == "restricted" ? { "restricted" : true } : {}
content {}
}
}
}
}
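Review bot: the `restricted` branch (`dynamic "from"` with `content {}`) does not express deny-all ingress. A NetworkPolicyPeer with no `podSelector`, `namespaceSelector` or `ipBlock` is rejected by API-server validation ("must specify a peer"), and if the provider instead drops the empty block, the remaining `ingress {}` rule with neither `from` nor `ports` matches every source and allows all ingress, the opposite of "restricted". Deny-all ingress is `policy_types = ["Ingress"]` with no `ingress` block at all, so the `ingress` block itself should be a `dynamic "ingress"` emitted only when `each.value == "isolated"`. Separately, `for p in local.namespace_list : p.namespace => p.network_policy` fails at plan time with "Two different items produced the same key" as soon as two projects share a `kubernetes_namespace`, which the schema permits; iterate over `local.unique_namespaces` and pick the policy per namespace (deciding what happens when projects in one namespace disagree), or use the `...` grouping form and reduce. Egress is left unrestricted, which is fine if intended but should be stated in the README.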
9 changes: 9 additions & 0 deletions outputs.tf
Expand Up @@ -137,3 +137,12 @@ output "cloudsql_dumps_bucket_name" {
description = "CloudSQL dumps bucket name."
value = local.cloudsql_dumps_bucket_name
}

output "namespaces_network_policy" {
description = "Namespaces with network policy enabled."
value = {
"isolated" : { for obj in local.namespace_list : obj.namespace => obj.project_name if obj.network_policy == "isolated" },
"restricted" : { for obj in local.namespace_list : obj.namespace => obj.project_name if obj.network_policy == "restricted" },
"none" : { for obj in local.namespace_list : obj.namespace => obj.project_name if obj.network_policy == "" }
}
}
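Review bot: the `"none"` key contradicts the description `Namespaces with network policy enabled.`; either change the description to say the output groups all namespaces by policy or drop the `none` map. The three comprehensions keyed on `obj.namespace => obj.project_name` also collide with "Two different items produced the same key" when two projects share a namespace, the same duplicate-key failure as the `for_each` in main.tf; group with `obj.namespace => obj.project_name...` or deduplicate before building the maps.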
7 changes: 6 additions & 1 deletion variables.tf
Expand Up @@ -74,6 +74,7 @@ variable "drupal_projects_list" {
bucket_obj_adm = optional(list(string), [])
bucket_obj_vwr = optional(list(string), [])
bucket_soft_delete_retention_seconds = optional(number, 0)
network_policy = optional(string, "")
}))

validation {
Expand All @@ -91,9 +92,13 @@ variable "drupal_projects_list" {
(p.database_host != null && p.database_name == null && p.database_user_name == null && length(p.project_name) <= 16) ||
(p.database_host != null && p.database_name != null && p.database_user_name != null && length(p.project_name) <= 23) ||
(p.database_host == null && length(p.project_name) <= 23)
) &&
(
(p.network_policy != "" && contains(["isolated", "restricted"], p.network_policy)) ||
(p.network_policy == "")
)
])
error_message = "The project name is invalid. Must be 6 to 16 characters long, with only lowercase letters, numbers, hyphens and underscores if the database must be created by the module or 6 to 23 characters long if we pass database_host database_user_name and database_name to the module."
error_message = "The project name is invalid. Must be 6 to 16 characters long, with only lowercase letters, numbers, hyphens and underscores if the database must be created by the module or 6 to 23 characters long if we pass database_host database_user_name and database_name to the module. If a network policy is specified, it must be 'isolated' or 'restricted'."
}

validation {
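Review bot: the new clause `(p.network_policy != "" && contains(["isolated", "restricted"], p.network_policy)) || (p.network_policy == "")` is equivalent to `contains(["", "isolated", "restricted"], p.network_policy)`, and because it is ANDed into the project-name condition, a typo such as `isolatd` is reported with an `error_message` that opens with "The project name is invalid", which will send users looking at the wrong field. Move the check into its own `validation` block with a dedicated message, e.g. `network_policy must be empty, "isolated" or "restricted".`, and revert the project-name message to its original text.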