1: remove unnecessary firewall rules related to intranode traffic in …

…Composer (these files were revived by merge) and 2: remove hardcoding in dpu-subnet module
GoogleCloudPlatform · Jan 23, 2025 · e5dfb6a · e5dfb6a
1 parent ade7880
commit e5dfb6a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 86 deletions.
diff --git a/components/common-infra/terraform/vpc.tf b/components/common-infra/terraform/vpc.tf
@@ -115,78 +115,6 @@ resource "google_compute_network_firewall_policy_rule" "default-deny" {
   }
 }
 
-resource "google_compute_network_firewall_policy_rule" "allow-subnet-internal" {
-  count           = var.create_vpc_network ? 1 : 0
-  description     = "Allow internal traffic within the composer subnet"
-  action          = "allow"
-  direction       = "EGRESS"
-  enable_logging  = true
-  firewall_policy = google_compute_network_firewall_policy.policy[0].name
-  priority        = 1001
-  rule_name       = "allow-subnet-internal"
-
-  match {
-    dest_ip_ranges = [var.composer_cidr.subnet_primary]
-    layer4_configs {
-      ip_protocol = "all"
-    }
-  }
-}
-
-resource "google_compute_network_firewall_policy_rule" "allow-composer-cluster-secondary-range" {
-  count           = var.create_vpc_network ? 1 : 0
-  description     = "Allow internal traffic to reach Composer's cluster pods on the secondary subnet range"
-  action          = "allow"
-  direction       = "EGRESS"
-  enable_logging  = true
-  firewall_policy = google_compute_network_firewall_policy.policy[0].name
-  priority        = 1002
-  rule_name       = "allow-composer-cluster-secondary-range"
-
-  match {
-    dest_ip_ranges = [var.composer_cidr.cluster_secondary_range]
-    layer4_configs {
-      ip_protocol = "all"
-    }
-  }
-}
-
-resource "google_compute_network_firewall_policy_rule" "allow-composer-services-secondary-range" {
-  count           = var.create_vpc_network ? 1 : 0
-  description     = "Allow internal traffic to reach services on the secondary subnet range"
-  action          = "allow"
-  direction       = "EGRESS"
-  enable_logging  = true
-  firewall_policy = google_compute_network_firewall_policy.policy[0].name
-  priority        = 1003
-  rule_name       = "allow-composer-services-secondary-range"
-
-  match {
-    dest_ip_ranges = [var.composer_cidr.services_secondary_range]
-    layer4_configs {
-      ip_protocol = "all"
-    }
-  }
-}
-
-resource "google_compute_network_firewall_policy_rule" "allow-composer-control-plane" {
-  count           = var.create_vpc_network ? 1 : 0
-  description     = "Allow internal traffic to reach the composer control plane"
-  action          = "allow"
-  direction       = "EGRESS"
-  enable_logging  = true
-  firewall_policy = google_compute_network_firewall_policy.policy[0].name
-  priority        = 1004
-  rule_name       = "allow-composer-control-plane"
-
-  match {
-    dest_ip_ranges = [var.composer_cidr.control_plane]
-    layer4_configs {
-      ip_protocol = "all"
-    }
-  }
-}
-
 module "dns-private-zone-googleapis" {
   count      = var.create_vpc_network ? 1 : 0
   source     = "github.com/terraform-google-modules/terraform-google-cloud-dns?ref=92bd8140d059388c6c22742ffcb5f4ab2c24cee9" #commit hash of version 5.3.0

diff --git a/components/dpu-workflow/terraform/main.tf b/components/dpu-workflow/terraform/main.tf
@@ -51,19 +51,17 @@ module "composer_service_account" {
   project_roles = local.composer_sa_roles
 }
 
-module "dpu-subnet" {
-  source = "github.com/terraform-google-modules/terraform-google-network.git//modules/subnets?ref=2477e469c9734638c9ed83e69fe8822452dacbc6" #commit hash of version 9.2.0
-
-  project_id   = module.project_services.project_id
-  network_name = var.vpc_network_name
-
-  subnets = [{
-    subnet_name           = "composer-subnet"
-    subnet_ip             = var.composer_cidr.subnet_primary
-    subnet_region         = var.region
-    subnet_private_access = "true"
-    subnet_flow_logs      = "true"
-  }]
+resource "google_compute_subnetwork" "composer_connector_subnet" {
+  name                     = var.composer_connector_subnet
+  ip_cidr_range            = var.composer_cidr.subnet_primary
+  region                   = var.region
+  network                  = var.vpc_network_name
+  private_ip_google_access = true
+  log_config {
+    aggregation_interval = "INTERVAL_10_MIN"
+    flow_sampling        = 0.5
+    metadata             = "INCLUDE_ALL_METADATA"
+  }
 }
 
 resource "google_composer_environment" "composer_env" {
@@ -103,7 +101,7 @@ resource "google_composer_environment" "composer_env" {
     environment_size = var.composer_environment_size
     node_config {
       network         = var.vpc_network_id
-      subnetwork      = module.dpu-subnet.subnets["${var.region}/composer-subnet"].id
+      subnetwork      = google_compute_subnetwork.composer_connector_subnet.id
       service_account = module.composer_service_account.email
     }
   }

diff --git a/components/dpu-workflow/terraform/variables.tf b/components/dpu-workflow/terraform/variables.tf
@@ -153,3 +153,9 @@ variable "composer_cidr" {
     subnet_primary = string
   })
 }
+
+variable "composer_connector_subnet" {
+  description = "Name of the VPC subnet used for VPC connectivity to Composer 3 in a service producer project"
+  type        = string
+  default     = "composer-subnet"
+}