GCP: add support to firewall

Author: zbioe

deploys/consul/default.nix

@@ -37,11 +37,17 @@ let
       datacenter = elemAt name_match 0;
       replica = elemAt name_match 1;
     };
+  filterHostsBy = datacenter:
+    map (nodeName: nodes.${nodeName}.config.deployment.targetHost)
+    (filter (a: (strings.hasPrefix datacenter a)) (attrNames nodes));
+  primary_hosts = filterHostsBy primary_datacenter;
+  hosts = filterHostsBy datacenter;
+  isPrimary = primary_datacenter == datacenter;
 in {
   imports = [ ./gateway.nix ./templates.nix ];
   networking.hostName = name;
-  networking.extraHosts = concatMapStrings (hostName: ''
-    ${config.deployment.targetHost} ${hostName}
+  networking.extraHosts = concatMapStrings (name: ''
+    ${nodes.${name}.config.deployment.targetHost} ${name}
   '') (attrNames nodes);
 
   # use xlbs to build envoyPackage
@@ -86,14 +92,7 @@ in {
     enable = true;
     extraConfigFiles = [ "/etc/consul.d/encryption.hcl" ];
     leaveOnStop = true;
-    extraConfig = let
-      filterHostsBy = datacenter:
-        map (nodeName: nodes.${nodeName}.config.deployment.targetHost)
-        (filter (a: (strings.hasPrefix datacenter a)) (attrNames nodes));
-      primary_hosts = filterHostsBy primary_datacenter;
-      hosts = filterHostsBy datacenter;
-      isPrimary = primary_datacenter == datacenter;
-    in {
+    extraConfig = {
       inherit domain datacenter primary_datacenter;
       ui_config = { enabled = true; };
       server = true;

env/gcp/config.nix

@@ -30,6 +30,19 @@
       };
     };
 
+    firewall = {
+      test-allow-all-to-consul = {
+        description = "allow all consul ips to tagged consul machines";
+        source_tags = [ "consul" "test" ];
+        target_tags = [ "consul" "test" ];
+        network = "test";
+        allow = [{
+          protocol = "tcp";
+          ports = [ "0-65535" ];
+        }];
+      };
+    };
+
     replicas = {
       c1r1 = {
         tags = [ "consul" "server" "nixos" "test" ];

provision/gcp/default.nix

@@ -57,6 +57,26 @@ in {
         };
       });
 
+      firewallModule = submodule ({ config, name, ... }: {
+        options = {
+          project = mk' str gcp.project "project";
+          location = mk' str gcp.region "location";
+          source_tags = mk' (listOf str) [ name ] "tags";
+          target_tags = mk' (listOf str) [ name ] "tags";
+          description = mk' str "description ${name}" "rule description";
+          network = mk' str "default" "network interface used";
+          allow = mk' (listOf rulesModule) [ ] "allowed rules";
+          deny = mk' (listOf rulesModule) [ ] "denied rules";
+        };
+      });
+
+      rulesModule = submodule {
+        options = {
+          protocol = mk' str "all" "protocol";
+          ports = mk' (listOf str) [ ] "ports allowed";
+        };
+      };
+
       replicasModule = submodule ({ config, name, ... }: {
         options = {
           project = mk' str gcp.project "project";
@@ -100,6 +120,13 @@ in {
           description = "image options";
         };
 
+        # rules submodule
+        firewall = mkOption {
+          type = (attrsOf firewallModule);
+          default = { };
+          description = "rules options";
+        };
+
         # replica submodule
         replicas = mkOption {
           type = (attrsOf replicasModule);
@@ -117,7 +144,7 @@ in {
     networks = gcp.networks;
     images = gcp.images;
     replicas = gcp.replicas;
-
+    firewall = gcp.firewall;
   in {
     terraform.required_providers =
       mkIf gcp.enable { google.source = "hashicorp/google"; };
@@ -199,6 +226,13 @@ in {
         };
       });
 
+      google_compute_firewall = attrsMap firewall (name: {
+        ${name} = with firewall.${name}; {
+          inherit name project description network source_tags target_tags allow
+            deny;
+        };
+      });
+
     };
     output = attrsMap replicas (name:
       let