Reputation: 253
I am using Terraform templates to provision a Google Cloud Dataproc cluster. After that, I'm creating firewall rules to restrict ingress traffic to those compute engine instances.
I'm looking for a way to automatically create firewall rules along with the dataproc cluster. There does not seem to be a straightforward way as I have to mention the IPs in the firewall rules, which can be obtained only by looking at the created cluster.
Another way I was thinking is to create a VPC with security and create the dataproc cluster within that VPC.
Can anyone provide any expert advice on this?
Upvotes: 3
Views: 565
Reputation: 26478
In addition to filtering by IPs, GCP firewall rules support filtering by tags or service accounts. When creating a Dataproc cluster, you can add tags for the cluster VMs with --tags, or specify the service account used by the cluster VMs with --service-account, so they can be matched by the firewall rules to target the cluster VMs.
Note the implications between filtering by tags and filtering by service accounts in firewall rules. Simply put, the former is simpler, while the latter is more secure.
Upvotes: 2
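The approach from the answer above expressed in Terraform, as an added example that is not part of the original post: the Dataproc VMs get a network tag and a dedicated service account, and two ingress rules target them by tag and by service account respectively. The project, network name "dataproc-net", region and the 203.0.113.0/24 source range are placeholder assumptions.

```hcl
# Added example, not from the original answer. Assumed placeholders:
# network "dataproc-net" already exists, region us-central1,
# and 203.0.113.0/24 is the admin network allowed to reach SSH.

resource "google_service_account" "dataproc_vm" {
  account_id   = "dataproc-vm"
  display_name = "Identity for Dataproc cluster VMs"
}

resource "google_dataproc_cluster" "analytics" {
  name   = "analytics"
  region = "us-central1"

  cluster_config {
    gce_cluster_config {
      network                = "dataproc-net"
      tags                   = ["dataproc-node"]           # matched by target_tags below
      service_account        = google_service_account.dataproc_vm.email
      service_account_scopes = ["cloud-platform"]
    }
  }
}

# Tag-based rule: simpler, but any VM in the network carrying the tag matches.
resource "google_compute_firewall" "ssh_by_tag" {
  name          = "dataproc-ssh-by-tag"
  network       = "dataproc-net"
  direction     = "INGRESS"
  source_ranges = ["203.0.113.0/24"]
  target_tags   = ["dataproc-node"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Service-account-based rule: only VMs running as this identity match,
# and attaching it to a VM needs IAM permission on the service account.
resource "google_compute_firewall" "ssh_by_service_account" {
  name                    = "dataproc-ssh-by-sa"
  network                 = "dataproc-net"
  direction               = "INGRESS"
  source_ranges           = ["203.0.113.0/24"]
  target_service_accounts = [google_service_account.dataproc_vm.email]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

A single rule cannot use both target_tags and target_service_accounts, so keep whichever of the two rules fits your threat model. If the cluster lives in a custom VPC, a separate rule still has to permit traffic between the cluster VMs themselves, which is a Dataproc requirement this example does not cover.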