add: VPC Firewall ingress rule for Anyscale Machine Pools (#33)
Anyscale Machine Pools requires a specific set of ports to be
open from the AMP Node into (ingress) the head node running in the
cloud. This update includes an optional parameter `ingress_from_machine_pool_cidr_ranges`
which, when provided, will create a new Firewall Rule allowing the appropriate ports
for Anyscale Machine Pools.

Changes to be committed:
	modified:   README.md
	modified:   examples/anyscale-v2-kitchensink/README.md
	modified:   examples/anyscale-v2-kitchensink/main.tf
	modified:   main.tf
	modified:   modules/google-anyscale-vpc-firewall/README.md
	modified:   modules/google-anyscale-vpc-firewall/examples/main.tf
	modified:   modules/google-anyscale-vpc-firewall/main.tf
	modified:   modules/google-anyscale-vpc-firewall/variables.tf
	modified:   test/test_cloud_register_manual.py
	modified:   variables.tf
brent-anyscale authored Sep 30, 2024
1 parent d1e839b commit 1f28ddb
Showing 10 changed files with 144 additions and 60 deletions.
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -94,8 +94,8 @@ None

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 5.38.0 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
| <a name="provider_google"></a> [google](#provider\_google) | 6.4.0 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |

## Modules

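Review bot: the `google` provider bump from 5.38.0 to 6.4.0 in this hunk is a major-version change that the commit message does not mention; it is unrelated to the machine-pool rule and may carry provider 6.x breaking changes, so call it out in the message (or land it as its own commit) so the bump stays traceable. The `random` 3.6.2 to 3.6.3 bump is fine to carry along.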
Expand Down Expand Up @@ -190,7 +190,7 @@ None
| <a name="input_enable_anyscale_iam"></a> [enable\_anyscale\_iam](#input\_enable\_anyscale\_iam) | (Optional) Determines if the Anyscale IAM resources are created.<br/><br/>ex:<pre>enable_anyscale_iam = true</pre> | `bool` | `true` | no |
| <a name="input_enable_anyscale_loggingsink"></a> [enable\_anyscale\_loggingsink](#input\_enable\_anyscale\_loggingsink) | (Optional) Determines if the Anyscale Logging Sink is executed.<br/><br/>This sub-module will disable sending syslog events to the `_Default` Log Sink.<br/><br/>ex:<pre>enable_anyscale_loggingsink = true</pre> | `bool` | `true` | no |
| <a name="input_enable_anyscale_memorystore"></a> [enable\_anyscale\_memorystore](#input\_enable\_anyscale\_memorystore) | (Optional) Determines if the Anyscale Memorystore is created.<br/><br/>ex:<pre>enable_anyscale_memorystore = true</pre> | `bool` | `false` | no |
| <a name="input_enable_anyscale_vpc_firewall"></a> [enable\_anyscale\_vpc\_firewall](#input\_enable\_anyscale\_vpc\_firewall) | (Optional) Determines if the Anyscale VPC Firewall is created.<br/><br/>ex:<pre>enable_anyscale_vpc_firewall = true</pre> | `bool` | `true` | no |
| <a name="input_enable_anyscale_vpc_firewall"></a> [enable\_anyscale\_vpc\_firewall](#input\_enable\_anyscale\_vpc\_firewall) | (Optional) Determines if the Anyscale VPC Firewall is created.<br/><br/>The Anyscale VPC Firewall is a Google Cloud VPC Firewall Policy that allows access to Anyscale resources.<br/><br/>ex:<pre>enable_anyscale_vpc_firewall = true</pre> | `bool` | `true` | no |
| <a name="input_enable_cloud_logging_monitoring"></a> [enable\_cloud\_logging\_monitoring](#input\_enable\_cloud\_logging\_monitoring) | (Optional) Determines if the Google Cloud Logging and Monitoring APIs are enabled.<br/><br/>If this is set to `true`, the following APIs will be enabled:<br/> - logging.googleapis.com<br/> - monitoring.googleapis.com<br/><br/>Additionally, the Anyscale Cluster Role will be granted access to the following roles:<br/> - logging.logWriter<br/> - monitoring.metricWriter<br/> - monitoring.viewer<br/><br/>ex:<pre>enable_cloud_logging_monitoring = true</pre> | `bool` | `false` | no |
| <a name="input_enable_google_apis"></a> [enable\_google\_apis](#input\_enable\_google\_apis) | (Optional) Determines if the required Google APIs are enabled.<br/><br/>ex:<pre>enable_google_apis = true</pre> | `bool` | `true` | no |
| <a name="input_existing_cloudstorage_bucket_name"></a> [existing\_cloudstorage\_bucket\_name](#input\_existing\_cloudstorage\_bucket\_name) | (Optional) Existing Cloud Storage Bucket Name.<br/><br/>The name of an existing Cloud Storage bucket that you'd like to use. Please make sure that it meets the minimum requirements for Anyscale including:<br/> - Bucket Policy<br/> - CORS Policy<br/> - Encryption configuration<br/><br/>If provided, this will skip creating a new Cloud Storage bucket with the Anyscale Cloud Storage module.<br/><br/>ex:<pre>existing_cloudstorage_bucket_name = "anyscale-bucket"</pre> | `string` | `null` | no |
Expand All @@ -201,6 +201,7 @@ None
| <a name="input_existing_vpc_name"></a> [existing\_vpc\_name](#input\_existing\_vpc\_name) | (Optional) An existing VPC Name.<br/><br/>If provided, this module will skip creating a new VPC with the Anyscale VPC module.<br/>An existing VPC Subnet Name (`existing_vpc_subnet_name`) is also required if this is provided.<br/><br/>ex:<pre>existing_vpc_name = "anyscale-vpc"</pre> | `string` | `null` | no |
| <a name="input_existing_vpc_subnet_name"></a> [existing\_vpc\_subnet\_name](#input\_existing\_vpc\_subnet\_name) | (Optional) Existing subnet name to create Anyscale resources in.<br/><br/>If provided, this will skip creating resources with the Anyscale VPC module.<br/>An existing VPC Name (`existing_vpc_name`) is also required if this is provided.<br/><br/>ex:<pre>existing_vpc_subnet_name = "anyscale-subnet"</pre> | `string` | `null` | no |
| <a name="input_existing_workload_identity_provider_name"></a> [existing\_workload\_identity\_provider\_name](#input\_existing\_workload\_identity\_provider\_name) | (Optional) The name of an existing workload identity provider to use.<br/><br/>If provided, will skip creating the workload identity pool and provider. The Workload Identity Provider can be in a different project.<br/><br/>You can retrieve the name of an existing Workload Identity Provider by running the following command:<pre>gcloud iam workload-identity-pools providers list --location global --workload-identity-pool anyscale-access-pool</pre>ex:<pre>existing_workload_identity_provider_name = "projects/1234567890/locations/global/workloadIdentityPools/anyscale-access-pool/providers/anyscale-access-provider"</pre> | `string` | `null` | no |
| <a name="input_ingress_from_machine_pool_cidr_ranges"></a> [ingress\_from\_machine\_pool\_cidr\_ranges](#input\_ingress\_from\_machine\_pool\_cidr\_ranges) | (Optional) CIDR Range for Anyscale Machine Pools.<br/><br/>If a CIDR range is provided, a firewall rule will be created to support [Anyscale Machine Pools](https://docs.anyscale.com/administration/cloud-deployment/machine-pools/).<br/><br/>ex:<pre>ingress_from_machine_pool_cidr_ranges = ["10.100.1.0/24","10.102.1.0/24"]</pre> | `list(string)` | `[]` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) A map of labels.<br/><br/>Labels to be added to all resources that accept labels.<br/>Resource dependent labels will be appended to this list.<br/><br/>ex:<pre>labels = {<br/> application = "Anyscale",<br/> environment = "prod"<br/>}</pre>Default is an empty map. | `map(string)` | `{}` | no |
| <a name="input_random_char_length"></a> [random\_char\_length](#input\_random\_char\_length) | (Optional) Random suffix character length<br/><br/>Determines the random suffix length that is used to generate a common name.<br/><br/>Certain Google resources have a hard limit on name lengths and this will allow<br/>the ability to control how many characters are added as a suffix.<br/>Many Google resources have a limit of 28 characters in length.<br/>Keep that in mind while setting this value.<br/>Must be >= 2 and <= 12.<br/><br/>ex:<pre>random_char_length = 4</pre> | `number` | `4` | no |
| <a name="input_shared_vpc_project_id"></a> [shared\_vpc\_project\_id](#input\_shared\_vpc\_project\_id) | (Optional) The ID of the project that hosts the shared VPC.<br/><br/>If provided, this will set the Project ID to the Shared VPC for the `google-anyscale-vpc-firewall` submodule.<br/>An existing VPC Name (`existing_vpc_name`) and VPC Subnet Name (`existing_vpc_subnet_name`) are also required if this is provided.<br/><br/>ex:<pre>shared_vpc_project_id = "anyscale-sharedvpc"</pre> | `string` | `null` | no |
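Review bot: the documented example `ingress_from_machine_pool_cidr_ranges = ["10.100.1.0/24","10.102.1.0/24"]` uses one CIDR per list element, while the submodule example in modules/google-anyscale-vpc-firewall/examples/main.tf passes a single comma-joined string; settle on one form and document it here. Since these values become the source ranges of an allow rule, a `validation` block on the variable (for example `alltrue([for c in var.ingress_from_machine_pool_cidr_ranges : can(cidrhost(c, 0))])`) would make a malformed entry fail at plan time instead of producing a rule that is not what was intended.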
2 changes: 1 addition & 1 deletion examples/anyscale-v2-kitchensink/README.md
Expand Up @@ -56,4 +56,4 @@ No resources.
| Name | Description |
|------|-------------|
| <a name="output_registration_command"></a> [registration\_command](#output\_registration\_command) | The Anyscale registration command. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- END_TF_DOCS -->
3 changes: 2 additions & 1 deletion examples/anyscale-v2-kitchensink/main.tf
Expand Up @@ -52,7 +52,8 @@ module "google_anyscale_v2_kitchensink" {
anyscale_vpc_firewall_policy_name = "anyscale-tf-ks-vpc-fw-policy"
anyscale_vpc_firewall_policy_description = "Anyscale Terraform KitchenSink VPC Firewall Policy"
anyscale_vpc_firewall_allow_access_from_cidrs = var.customer_ingress_cidr_ranges
allow_ssh_from_google_ui = false
allow_ssh_from_google_ui = true
ingress_from_machine_pool_cidr_ranges = ["10.100.1.0/24"]

# Cloud Storage (Bucket) Related
enable_anyscale_gcs = true
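Review bot: `allow_ssh_from_google_ui` flips from `false` to `true` in this hunk, which widens the example's ingress beyond what the commit message describes (it only mentions the machine-pool rule). The kitchen-sink example is what users copy, so either revert this line or state in the commit message why SSH from the Google console is now enabled in the example.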
4 changes: 3 additions & 1 deletion main.tf
Expand Up @@ -127,7 +127,7 @@ module "google_anyscale_vpc" {
# AnyScale VPC Firewall Module
# ------------------------------
locals {
execute_vpc_firewall_sub_module = local.create_new_vpc || var.enable_anyscale_vpc_firewall ? true : false
execute_vpc_firewall_sub_module = var.enable_anyscale_vpc_firewall ? true : false

firewall_policy_name = coalesce(var.anyscale_vpc_firewall_policy_name, var.existing_vpc_name, var.anyscale_vpc_name, local.common_name, "anyscale-firewall-policy")

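Review bot: dropping `local.create_new_vpc ||` from `execute_vpc_firewall_sub_module` changes behaviour: previously a VPC created by this module always received the firewall policy, whereas now `enable_anyscale_vpc_firewall = false` leaves a newly created VPC with no policy from this module. If that is intended, say so in the commit message and in the variable description; if not, keep the `create_new_vpc` term. Separately, `? true : false` on a boolean is redundant; `execute_vpc_firewall_sub_module = var.enable_anyscale_vpc_firewall` reads cleaner.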
Expand Down Expand Up @@ -193,6 +193,8 @@ module "google_anyscale_vpc_firewall_policy" {
ingress_with_self_cidr_range = local.ingress_from_self_cidr_range

ingress_from_gcp_health_checks = local.ingress_from_gcp_health_checks

ingress_from_machine_pool_cidr_ranges = var.ingress_from_machine_pool_cidr_ranges
}

# ------------------------------
4 changes: 3 additions & 1 deletion modules/google-anyscale-vpc-firewall/README.md
Expand Up @@ -32,6 +32,7 @@ No modules.
| [google_compute_network_firewall_policy_association.anyscale_firewall_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_association) | resource |
| [google_compute_network_firewall_policy_rule.ingress_allow_from_cidr_blocks](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_rule) | resource |
| [google_compute_network_firewall_policy_rule.ingress_allow_from_gcp_health_checks](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_rule) | resource |
| [google_compute_network_firewall_policy_rule.ingress_from_machinepools](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_rule) | resource |
| [google_compute_network_firewall_policy_rule.ingress_with_self](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_rule) | resource |

## Inputs
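Review bot: the new resource is named `ingress_from_machinepools` while the input is `ingress_from_machine_pool_cidr_ranges` and the predefined rule key is `machine-pools`; one spelling across resource, variable and rule key keeps state addresses and plan output easy to grep.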
Expand All @@ -45,10 +46,11 @@ No modules.
| <a name="input_firewall_policy_name"></a> [firewall\_policy\_name](#input\_firewall\_policy\_name) | (Optional) The name of the firewall policy.<br/><br/>If left `null`, the firewall name will default to the vpc name.<br/><br/>ex:<pre>firewall_policy_name = "anyscale-vpc-firewall-policy"</pre> | `string` | `null` | no |
| <a name="input_ingress_from_cidr_map"></a> [ingress\_from\_cidr\_map](#input\_ingress\_from\_cidr\_map) | (Optional) List of ingress rules to create with cidr ranges.<br/>This can use rules from `predefined_firewall_rules` or custom rules.<br/><br/>ex:<pre>ingress_from_cidr_map = [<br/> {<br/> rule = "https-443-tcp"<br/> cidr_blocks = "10.100.10.10/32"<br/> },<br/> { rule = "nfs-tcp" },<br/> {<br/> ports = "10,20,30"<br/> protocol = "tcp"<br/> description = "Service name is TEST"<br/> cidr_blocks = "10.100.10.11/32"<br/> },<br/> {<br/> ports = "82-84"<br/> protocol = "tcp"<br/> description = "Service name is TEST"<br/> cidr_blocks = "10.100.10.12/32"<br/> }<br/>]</pre>Default is an empty list. | `list(map(string))` | `[]` | no |
| <a name="input_ingress_from_gcp_health_checks"></a> [ingress\_from\_gcp\_health\_checks](#input\_ingress\_from\_gcp\_health\_checks) | (Optional) List of ingress rules to create to allow GCP health check probes.<br/><br/>This only uses rules from `predefined_firewall_rules`.<br/>More information on GCP health checks can be found here:<br/>https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges<br/><br/>ex:<pre>ingress_from_gcp_health_checks = [<br/> {<br/> rule = "health-checks"<br/> cidr_blocks = "35.191.0.0/16, 130.211.0.0/22"<br/> }<br/>]</pre> | `list(map(string))` | <pre>[<br/> {<br/> "cidr_blocks": "35.191.0.0/16,130.211.0.0/22",<br/> "rule": "health-checks"<br/> }<br/>]</pre> | no |
| <a name="input_ingress_from_machine_pool_cidr_ranges"></a> [ingress\_from\_machine\_pool\_cidr\_ranges](#input\_ingress\_from\_machine\_pool\_cidr\_ranges) | (Optional) List of CIDR ranges to allow ingress from machine pools.<br/><br/>ex:<pre>ingress_from_machine_pool_cidr_ranges = ["10.100.10.0/24", "10.100.11.0/24"]</pre> | `list(string)` | `[]` | no |
| <a name="input_ingress_with_self_cidr_range"></a> [ingress\_with\_self\_cidr\_range](#input\_ingress\_with\_self\_cidr\_range) | (Optional) List of CIDR range to default to if a specific mapping isn't provided.<br/><br/>ex:<pre>ingress_with_self_cidr_range = ["10.10.0.0/16","10.20.0.0/16"]</pre> | `list(string)` | `[]` | no |
| <a name="input_ingress_with_self_map"></a> [ingress\_with\_self\_map](#input\_ingress\_with\_self\_map) | (Optional) List of ingress rules to create where 'self' is defined.<br/><br/>Default rule is `all-all` as this firewall rule is used for all Anyscale resources.<br/><br/>ex:<pre>ingress_with_self_map = [<br/> {<br/> rule = "https-443-tcp"<br/> },<br/> {<br/> rule = "http-80-tcp"<br/> },<br/> {<br/> rule = "ssh-tcp"<br/> },<br/> {<br/> rule = "nfs-tcp"<br/> }<br/>]</pre> | `list(map(string))` | <pre>[<br/> {<br/> "rule": "all-all"<br/> }<br/>]</pre> | no |
| <a name="input_module_enabled"></a> [module\_enabled](#input\_module\_enabled) | (Optional) Determines whether to create the resources inside this module.<br/><br/>ex:<pre>module_enabled = true</pre> | `bool` | `true` | no |
| <a name="input_predefined_firewall_rules"></a> [predefined\_firewall\_rules](#input\_predefined\_firewall\_rules) | (Required) Map of predefined firewall rules. | `map(list(any))` | <pre>{<br/> "all-all": [<br/> "",<br/> "all",<br/> "All protocols",<br/> 1000<br/> ],<br/> "health-checks": [<br/> 8000,<br/> "tcp",<br/> "Health Checks",<br/> 1005<br/> ],<br/> "http-80-tcp": [<br/> 80,<br/> "tcp",<br/> "HTTP",<br/> 1001<br/> ],<br/> "https-443-tcp": [<br/> 443,<br/> "tcp",<br/> "HTTPS",<br/> 1002<br/> ],<br/> "machine-pools": [<br/> "9480,9481,9482",<br/> "tcp",<br/> "Machine Pools",<br/> 1006<br/> ],<br/> "nfs-tcp": [<br/> 2049,<br/> "tcp",<br/> "NFS/EFS",<br/> 1004<br/> ],<br/> "ssh-tcp": [<br/> 22,<br/> "tcp",<br/> "SSH",<br/> 1003<br/> ]<br/>}</pre> | no |
| <a name="input_predefined_firewall_rules"></a> [predefined\_firewall\_rules](#input\_predefined\_firewall\_rules) | (Required) Map of predefined firewall rules. | <pre>map(object({<br/> ports = string<br/> protocol = string<br/> description = string<br/> priority = number<br/> }))</pre> | <pre>{<br/> "all-all": {<br/> "description": "All protocols",<br/> "ports": "",<br/> "priority": 1000,<br/> "protocol": "all"<br/> },<br/> "health-checks": {<br/> "description": "Health Checks",<br/> "ports": "8000",<br/> "priority": 1005,<br/> "protocol": "tcp"<br/> },<br/> "http-80-tcp": {<br/> "description": "HTTP",<br/> "ports": "80",<br/> "priority": 1001,<br/> "protocol": "tcp"<br/> },<br/> "https-443-tcp": {<br/> "description": "HTTPS",<br/> "ports": "443",<br/> "priority": 1002,<br/> "protocol": "tcp"<br/> },<br/> "machine-pools": {<br/> "description": "Machine Pools",<br/> "ports": "80,443,1010,1012,2222,5555,5903,6379,6822,6823,6824,6826,7878,8000,8076,8085,8201,8265,8266,8686,8687,8912,8999,9090,9092,9100,9478,9479,9480,9481,9482",<br/> "priority": 1011,<br/> "protocol": "tcp"<br/> },<br/> "nfs-tcp": {<br/> "description": "NFS/EFS",<br/> "ports": "2049",<br/> "priority": 1004,<br/> "protocol": "tcp"<br/> },<br/> "ssh-tcp": {<br/> "description": "SSH",<br/> "ports": "22",<br/> "priority": 1003,<br/> "protocol": "tcp"<br/> }<br/>}</pre> | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | (Required) The ID or SelfLink of the VPC to apply the Firewall Policy to.<br/><br/>ex:<pre>vpc_id = "projects/anyscale/global/networks/anyscale-network"</pre> | `string` | n/a | yes |
| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | (Required) The name of the VPC to apply the Firewall Policy to.<br/><br/>ex:<pre>vpc_name = "anyscale-vpc"</pre> | `string` | n/a | yes |

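Review bot: two changes in this hunk need a mention in the commit message and the input descriptions. `predefined_firewall_rules` changes type from `map(list(any))` to `map(object({...}))`, which breaks any caller that overrides the default with the old positional-list form, so it is a breaking change for the submodule. The `machine-pools` entry also grows from `9480,9481,9482` to 31 TCP ports (`80,443,1010,...,9482`) and moves from priority 1006 to 1011, so `ingress_from_machine_pool_cidr_ranges` now opens a considerably larger surface on the head node to whatever ranges are passed; the description "List of CIDR ranges to allow ingress from machine pools" should name the port set, or link to the machine-pools doc the root README already references, so that someone reading a plan can judge what the rule admits.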
7 changes: 1 addition & 6 deletions modules/google-anyscale-vpc-firewall/examples/main.tf
Expand Up @@ -163,12 +163,7 @@ module "kitchen_sink" {
}
]

# ingress_from_machine_pools = [
# {
# rule = "machine-pools"
# cidr_blocks = "10.100.10.0/24,10.100.11.0/24"
# }
# ]
ingress_from_machine_pool_cidr_ranges = ["10.100.10.0/24,10.100.11.0/24"]
}

# --------------------------------------------------------------
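Review bot: `ingress_from_machine_pool_cidr_ranges = ["10.100.10.0/24,10.100.11.0/24"]` passes one comma-joined string as a single list element, while the README in this same submodule (and the root README) documents one CIDR per element (`["10.100.10.0/24", "10.100.11.0/24"]`). Unless the rule splits elements on commas, this example will fail to apply or produce a rule that differs from what the docs describe; change it to the per-element form.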