Split out Firewall Rules into a separate module.

This was necessary in order to support the Nomad and Consul servers
being colocated on the same cluster.

Author: josh-padnick

main.tf

@@ -54,6 +54,21 @@ module "nomad_and_consul_servers" {
   allowed_inbound_tags_dns = ["${var.nomad_client_cluster_name}"]
 }
 
+# Enable Firewall Rules to open up Nomad-specific ports
+module "nomad_firewall_rules" {
+  source = "modules/nomad-firewall-rules"
+
+  gcp_zone = "${var.gcp_zone}"
+  cluster_name = "${var.nomad_consul_server_cluster_name}"
+  cluster_tag_name = "${var.nomad_consul_server_cluster_name}"
+
+  http_port = 4646
+  rpc_port = 4647
+  serf_port = 4648
+
+  allowed_inbound_cidr_blocks_http = ["0.0.0.0/0"]
+}
+
 # Render the Startup Script that will run on each Nomad Instance on boot. This script will configure and start Nomad.
 data "template_file" "startup_script_nomad_consul_server" {
   template = "${file("${path.module}/examples/root-example/startup-script-nomad-consul-server.sh")}"

modules/nomad-cluster/main.tf

@@ -137,74 +137,18 @@ resource "google_compute_instance_template" "nomad_private" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 # CREATE FIREWALL RULES
-# - These Firewall Rules may be redundant depending on the settings of your VPC Network, but if your Network is locked
-#   down, these Rules will open up the appropriate ports.
-# - Note that public access to your Nomad cluster will only be permitted if var.assign_public_ip_addresses is true.
-# - Each Firewall Rule is only created if at least one source tag or source CIDR block for that Firewall Rule is specified.
 # ---------------------------------------------------------------------------------------------------------------------
 
-# Specify which traffic is allowed into the Nomad cluster for inbound HTTP requests
-resource "google_compute_firewall" "allow_inbound_http" {
-  count = "${length(var.allowed_inbound_cidr_blocks_http) + length(var.allowed_inbound_tags_http) > 0 ? 1 : 0}"
+module "firewall_rules" {
+  source = "../nomad-firewall-rules"
 
-  name    = "${var.cluster_name}-rule-external-http-access"
-  network = "${var.network_name}"
+  gcp_zone = "${var.gcp_zone}"
+  cluster_name = "${var.cluster_name}"
+  cluster_tag_name = "${var.cluster_tag_name}"
 
-  allow {
-    protocol = "tcp"
-    ports    = [
-      "${var.http_port}",
-    ]
-  }
-
-  source_ranges = "${var.allowed_inbound_cidr_blocks_http}"
-  source_tags = "${var.allowed_inbound_tags_http}"
-  target_tags = ["${var.cluster_tag_name}"]
-}
-
-# Specify which traffic is allowed into the Nomad cluster for inbound RPC requests
-resource "google_compute_firewall" "allow_inbound_rpc" {
-  count = "${length(var.allowed_inbound_cidr_blocks_rpc) + length(var.allowed_inbound_tags_rpc) > 0 ? 1 : 0}"
-
-  name    = "${var.cluster_name}-rule-external-rpc-access"
-  network = "${var.network_name}"
-
-  allow {
-    protocol = "tcp"
-    ports    = [
-      "${var.rpc_port}",
-    ]
-  }
-
-  source_ranges = "${var.allowed_inbound_cidr_blocks_rpc}"
-  source_tags = "${var.allowed_inbound_tags_rpc}"
-  target_tags = ["${var.cluster_tag_name}"]
-}
-
-# Specify which traffic is allowed into the Nomad cluster for inbound serf requests
-resource "google_compute_firewall" "allow_inbound_serf" {
-  count = "${length(var.allowed_inbound_cidr_blocks_serf) + length(var.allowed_inbound_tags_serf) > 0 ? 1 : 0}"
-
-  name    = "${var.cluster_name}-rule-external-serf-access"
-  network = "${var.network_name}"
-
-  allow {
-    protocol = "tcp"
-    ports    = [
-      "${var.serf_port}",
-    ]
-  }
-
-  allow {
-    protocol = "udp"
-    ports    = [
-      "${var.serf_port}",
-    ]
-  }
-
-  source_ranges = "${var.allowed_inbound_cidr_blocks_serf}"
-  source_tags = "${var.allowed_inbound_tags_serf}"
-  target_tags = ["${var.cluster_tag_name}"]
+  http_port = 4646
+  rpc_port = 4647
+  serf_port = 4648
 }
 
 # ---------------------------------------------------------------------------------------------------------------------

modules/nomad-cluster/outputs.tf

@@ -1,3 +1,7 @@
+output "cluster_name" {
+  value = "${var.cluster_name}"
+}
+
 output "cluster_tag_name" {
   value = "${var.cluster_name}"
 }
@@ -15,25 +19,25 @@ output "instance_template_url" {
 }
 
 output "firewall_rule_allow_inbound_http_url" {
-  value = "${google_compute_firewall.allow_inbound_http.self_link}"
+  value = "${module.firewall_rules.firewall_rule_allow_inbound_http_url}"
 }
 
 output "firewall_rule_allow_inbound_http_id" {
-  value = "${google_compute_firewall.allow_inbound_http.id}"
+  value = "${module.firewall_rules.firewall_rule_allow_inbound_http_id}"
 }
 
 output "firewall_rule_allow_inbound_rpc_url" {
-  value = "${google_compute_firewall.allow_inbound_rpc.self_link}"
+  value = "${module.firewall_rules.firewall_rule_allow_inbound_rpc_url}"
 }
 
 output "firewall_rule_allow_inbound_rpc_id" {
-  value = "${google_compute_firewall.allow_inbound_rpc.id}"
+  value = "${module.firewall_rules.firewall_rule_allow_inbound_rpc_id}"
 }
 
 output "firewall_rule_allow_inbound_serf_url" {
-  value = "${google_compute_firewall.allow_inbound_serf.self_link}"
+  value = "${module.firewall_rules.firewall_rule_allow_inbound_serf_url}"
 }
 
 output "firewall_rule_allow_inbound_serf_id" {
-  value = "${google_compute_firewall.allow_inbound_serf.id}"
+  value = "${module.firewall_rules.firewall_rule_allow_inbound_serf_id}"
 }

modules/nomad-firewall-rules/README.md

@@ -0,0 +1,53 @@
+# Nomad Firewall Rules Module
+
+This folder contains a [Terraform](https://www.terraform.io/) module that defines the Firewall Rules used by a 
+[Nomad](https://www.nomadproject.io/) cluster to control the traffic that is allowed to go in and out of the cluster. 
+
+Normally, you'd get these rules by default if you're using the [nomad-cluster module](
+https://github.com/hashicorp/terraform-google-nomad/tree/master/examples/nomad-cluster), but if 
+you're running Nomad on top of a different cluster, then you can use this module to add the necessary Firewall Rules 
+rules that cluster needs. For example, imagine you were using the [consul-cluster 
+module](https://github.com/hashicorp/terraform-google-consul/tree/master/modules/consul-cluster) to run a cluster of 
+servers that have both Nomad and Consul on each node:
+
+```hcl
+module "consul_servers" {
+  source = "git::git@github.com:hashicorp/terraform-google-consul.git//modules/consul-cluster?ref=v0.0.1"
+  
+  # This Image has both Nomad and Consul installed
+  source_image = "nomad-consul-xyz123"
+}
+```
+
+The `consul-cluster` module will provide the Firewall Rules for Consul, but not for Nomad. To ensure those 
+servers have the necessary ports open for using Nomad, you can use this module as follows:
+
+
+```hcl
+module "security_group_rules" {
+  source = "git::git@github.com:hashicorp/terraform-google-nomad.git//modules/nomad-firewall-rules?ref=v0.0.1"
+
+  cluster_name = "${module.consul_servers.cluster_name}"
+  cluster_tag_name = "${module.consul_servers.cluster_tag_name}"
+  
+  # ... (other params omitted) ...
+}
+```
+
+Note the following parameters:
+
+* `source`: Use this parameter to specify the URL of this module. The double slash (`//`) is intentional 
+  and required. Terraform uses it to specify subfolders within a Git repo (see [module 
+  sources](https://www.terraform.io/docs/modules/sources.html)). The `ref` parameter specifies a specific Git tag in 
+  this repo. That way, instead of using the latest version of this module from the `master` branch, which 
+  will change every time you run Terraform, you're using a fixed version of the repo.
+
+* `cluster_name`: Use this parameter to specify the name of the cluster for which these Firewall Rules will apply; this
+  allows us to name these resources in an intuitive way.
+
+* `cluster_tag_name`: Use this parameter to indicate the cluster to which these Firewall Rules should apply.
+  
+You can find the other parameters in [variables.tf](variables.tf).
+
+Check out the [nomad-consul-colocated-cluster example](
+https://github.com/hashicorp/terraform-google-nomad/tree/master/examples/root-example) for working sample code.

modules/nomad-firewall-rules/main.tf

@@ -0,0 +1,81 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# THESE TEMPLATES REQUIRE TERRAFORM VERSION 0.10.3 AND ABOVE
+# This way we can take advantage of Terraform GCP functionality as a separate provider via
+# https://github.com/terraform-providers/terraform-provider-google
+# ---------------------------------------------------------------------------------------------------------------------
+
+terraform {
+  required_version = ">= 0.10.3"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE FIREWALL RULES
+# - These Firewall Rules may be redundant depending on the settings of your VPC Network, but if your Network is locked
+#   down, these Rules will open up the appropriate ports.
+# - Note that public access to your Nomad cluster will only be permitted if var.assign_public_ip_addresses is true.
+# - Each Firewall Rule is only created if at least one source tag or source CIDR block for that Firewall Rule is specified.
+# ---------------------------------------------------------------------------------------------------------------------
+
+# Specify which traffic is allowed into the Nomad cluster for inbound HTTP requests
+resource "google_compute_firewall" "allow_inbound_http" {
+  count = "${length(var.allowed_inbound_cidr_blocks_http) + length(var.allowed_inbound_tags_http) > 0 ? 1 : 0}"
+
+  name    = "${var.cluster_name}-rule-external-http-access"
+  network = "${var.network_name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [
+      "${var.http_port}",
+    ]
+  }
+
+  source_ranges = "${var.allowed_inbound_cidr_blocks_http}"
+  source_tags = "${var.allowed_inbound_tags_http}"
+  target_tags = ["${var.cluster_tag_name}"]
+}
+
+# Specify which traffic is allowed into the Nomad cluster for inbound RPC requests
+resource "google_compute_firewall" "allow_inbound_rpc" {
+  count = "${length(var.allowed_inbound_cidr_blocks_rpc) + length(var.allowed_inbound_tags_rpc) > 0 ? 1 : 0}"
+
+  name    = "${var.cluster_name}-rule-external-rpc-access"
+  network = "${var.network_name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [
+      "${var.rpc_port}",
+    ]
+  }
+
+  source_ranges = "${var.allowed_inbound_cidr_blocks_rpc}"
+  source_tags = "${var.allowed_inbound_tags_rpc}"
+  target_tags = ["${var.cluster_tag_name}"]
+}
+
+# Specify which traffic is allowed into the Nomad cluster for inbound serf requests
+resource "google_compute_firewall" "allow_inbound_serf" {
+  count = "${length(var.allowed_inbound_cidr_blocks_serf) + length(var.allowed_inbound_tags_serf) > 0 ? 1 : 0}"
+
+  name    = "${var.cluster_name}-rule-external-serf-access"
+  network = "${var.network_name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [
+      "${var.serf_port}",
+    ]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = [
+      "${var.serf_port}",
+    ]
+  }
+
+  source_ranges = "${var.allowed_inbound_cidr_blocks_serf}"
+  source_tags = "${var.allowed_inbound_tags_serf}"
+  target_tags = ["${var.cluster_tag_name}"]
+}

modules/nomad-firewall-rules/outputs.tf

@@ -0,0 +1,23 @@
+output "firewall_rule_allow_inbound_http_url" {
+  value = "${google_compute_firewall.allow_inbound_http.self_link}"
+}
+
+output "firewall_rule_allow_inbound_http_id" {
+  value = "${google_compute_firewall.allow_inbound_http.id}"
+}
+
+output "firewall_rule_allow_inbound_rpc_url" {
+  value = "${google_compute_firewall.allow_inbound_rpc.self_link}"
+}
+
+output "firewall_rule_allow_inbound_rpc_id" {
+  value = "${google_compute_firewall.allow_inbound_rpc.id}"
+}
+
+output "firewall_rule_allow_inbound_serf_url" {
+  value = "${google_compute_firewall.allow_inbound_serf.self_link}"
+}
+
+output "firewall_rule_allow_inbound_serf_id" {
+  value = "${google_compute_firewall.allow_inbound_serf.id}"
+}

modules/nomad-firewall-rules/variables.tf

@@ -0,0 +1,79 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# REQUIRED PARAMETERS
+# You must provide a value for each of these parameters.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "gcp_zone" {
+  description = "All GCP resources will be launched in this Zone."
+}
+
+variable "cluster_name" {
+  description = "The name of the Nomad cluster (e.g. nomad-stage). This variable is used to namespace all resources created by this module."
+}
+
+variable "cluster_tag_name" {
+  description = "The tag name the Compute Instances will look for to automatically discover each other and form a cluster. TIP: If running more than one Nomad cluster, each cluster should have its own unique tag name."
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# OPTIONAL PARAMETERS
+# These parameters have reasonable defaults.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "network_name" {
+  description = "The name of the VPC Network where all resources should be created."
+  default = "default"
+}
+
+# Firewall Ports
+
+variable "http_port" {
+  description = "The port used by Nomad to handle incoming HTPT (API) requests."
+  default = 4646
+}
+
+variable "rpc_port" {
+  description = "The port used by Nomad to handle incoming RPC requests."
+  default = 4647
+}
+
+variable "serf_port" {
+  description = "The port used by Nomad to handle incoming serf requests."
+  default = 4648
+}
+
+variable "allowed_inbound_cidr_blocks_http" {
+  description = "A list of CIDR-formatted IP address ranges from which the Compute Instances will allow connections to Nomad on the port specified by var.http_port."
+  type = "list"
+  default = []
+}
+
+variable "allowed_inbound_tags_http" {
+  description = "A list of tags from which the Compute Instances will allow connections to Nomad on the port specified by var.http_port."
+  type = "list"
+  default = []
+}
+
+variable "allowed_inbound_cidr_blocks_rpc" {
+  description = "A list of CIDR-formatted IP address ranges from which the Compute Instances will allow connections to Nomad on the port specified by var.rpc_port."
+  type = "list"
+  default = []
+}
+
+variable "allowed_inbound_tags_rpc" {
+  description = "A list of tags from which the Compute Instances will allow connections to Nomad on the port specified by var.rpc_port."
+  type = "list"
+  default = []
+}
+
+variable "allowed_inbound_cidr_blocks_serf" {
+  description = "A list of CIDR-formatted IP address ranges from which the Compute Instances will allow connections to Nomad on the port specified by var.serf_port."
+  type = "list"
+  default = []
+}
+
+variable "allowed_inbound_tags_serf" {
+  description = "A list of tags from which the Compute Instances will allow connections to Nomad on the port specified by var.serf_port."
+  type = "list"
+  default = []
+}