Terraform Essentials: Firewall Policy - gem-terraform-fw-rule-create

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

Click Activate Cloud Shell

at the top of the Google Cloud console.

When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

Your Cloud Platform project in this session is set to YOUR_PROJECT_ID

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

(Optional) You can list the active account name with this command:

gcloud auth list

Click Authorize.
Your output should now look like this:

Output:

ACTIVE: *
ACCOUNT: student-01-xxxxxxxxxxxx@qwiklabs.net

To set the active account, run:
    $ gcloud config set account `ACCOUNT`

(Optional) You can list the project ID with this command:

gcloud config list project

Output:

[core]
project = <project_ID>

Example output:

[core]
project = qwiklabs-gcp-44776a13dea667a6

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Overview

This lab guides you through creating a firewall rule in Google Cloud using Terraform. You will learn how to define a firewall rule resource, configure its properties, and apply it to your Google Cloud project. This lab assumes you have a basic understanding of Google Cloud and Terraform.

Task 1. Configure Google Cloud Project

Before you begin, configure your Google Cloud project. This includes setting the project ID, region, and zone. Also, enable the IAM API.

Set your Project ID: qwiklabs-gcp-03-1a83fda8d753
```
 gcloud config set project qwiklabs-gcp-03-1a83fda8d753
```
Note:
This command sets your active project.
Set your default region to us-central1
```
 gcloud config set compute/region us-central1
```
Note:
This command sets your active compute region.
Set your default zone to us-central1-b
```
 gcloud config set compute/zone us-central1-b
```
Note:
This command sets your active compute zone.

Task 2. Create a Cloud Storage Bucket for Terraform State

Terraform uses a state file to track the resources it manages. For collaboration and persistence, it's best to store this state file in a remote backend like Google Cloud Storage (GCS).

Create a Cloud Storage bucket. Ensure the bucket name is globally unique and prefixed with your project ID: qwiklabs-gcp-03-1a83fda8d753
```
 gcloud storage buckets create gs://qwiklabs-gcp-03-1a83fda8d753-tf-state --project=qwiklabs-gcp-03-1a83fda8d753 --location=us-central1 --uniform-bucket-level-access
```
Note:
This command creates a Cloud Storage bucket in the specified region to store the Terraform state file.
Enable versioning on the GCS bucket:
```
 gsutil versioning set on gs://qwiklabs-gcp-03-1a83fda8d753-tf-state
```
Note:
This enables versioning on the bucket.

Task 3. Defining the Firewall Rule in Terraform

Now, you will define the firewall rule using Terraform's configuration language.

Create a new directory for your Terraform configuration files.
```
 mkdir terraform-firewall && cd $_
```
Note:
This creates a new directory and changes the current directory to it.

Create a file named firewall.tf and add the following code to define a firewall rule that allows SSH traffic (port 22) to instances with the tag ssh-allowed.

 resource "google_compute_firewall" "allow_ssh" {
   name    = "allow-ssh-from-anywhere"
   network = "default"
   project = "qwiklabs-gcp-03-1a83fda8d753"

   allow {
     protocol = "tcp"
     ports    = ["22"]
   }

   source_ranges = ["0.0.0.0/0"]
   target_tags   = ["ssh-allowed"]
 }

Note:
This configuration creates a firewall rule named allow-ssh-from-anywhere that allows TCP traffic on port 22 from any source IP address (0.0.0.0/0) to instances tagged with ssh-allowed.

Create a variables.tf file to define variables used in firewall.tf and main.tf.

 variable "project_id" {
   type = string
   default = "qwiklabs-gcp-03-1a83fda8d753"
 }

 variable "bucket_name" {
   type = string
   default = "qwiklabs-gcp-03-1a83fda8d753-tf-state"
 }

 variable "region" {
   type = string
   default = "us-central1"
 }

Note:
This creates variables for the project ID, bucket name, and region.

Create an outputs.tf file to output the firewall rule name.
```
 output "firewall_name" {
   value = google_compute_firewall.allow_ssh.name
 }
```
Note:
This outputs the name of the firewall rule.

Task 4. Applying the Terraform Configuration

Now you will apply the Terraform configuration to create the firewall rule in your Google Cloud project.

Run terraform init to enable Terraform.
```
 terraform init
```
Note:
This command downloads the Terraform provider for the configuration files.
Run terraform plan to preview the changes Terraform will make.
```
 terraform plan
```
Note:
This command shows the planned changes without applying them.
Run terraform apply to apply the configuration and create the firewall rule.
```
 terraform apply
```
Note:
Type yes when prompted to confirm the changes.

Verify that the firewall rule has been created in the Google Cloud Console.

 Navigate to **VPC network > Firewall** in the Google Cloud Console and verify the existence of the `allow-ssh-from-anywhere` firewall rule.

Note:
This is a manual verification step.

Task 5. Cleaning Up Resources

To avoid incurring unnecessary costs, destroy the resources created in this lab.

Run terraform destroy to remove the firewall rule.
```
 terraform destroy
```
Note:
Type yes when prompted to confirm the destruction.

Solution of Lab

https://youtu.be/xSBKXOOjA_A

curl -LO raw.githubusercontent.com/ePlus-DEV/storage/refs/heads/main/labs/gem-terraform-fw-rule-create/lab.sh
sudo chmod +x lab.sh
./lab.sh

Script alternative

curl -LO raw.githubusercontent.com/gcpsolution99/GCP-solution/refs/heads/main/GSP/Abhi_Firewall_Policy.sh
sudo chmod +x Abhi_Firewall_Policy.sh
./Abhi_Firewall_Policy.sh