Add outbound firewall rule for metlo gcp cli(#134)

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metlo/cli",
-  "version": "0.0.10",
+  "version": "0.0.11",
   "license": "MIT",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

cli/src/gcp/cleanup.ts

@@ -84,7 +84,7 @@ export async function cleanupGCP(
     const backendName = backend.selfLink.split("/").at(-1)
     assert.ok(
         backendName == `metlo-backend-${metloUUID}`,
-        `Beckend service didn't match expected name.
+        `Load Balancer service didn't match expected name.
         Found ${backendName},expected metlo-backend-${metloUUID}`
     )
     // Delete GCP Backend Service
@@ -108,7 +108,7 @@ export async function cleanupGCP(
     const healthCheckName = check.selfLink.split("/").at(-1)
     assert.ok(
         healthCheckName == `metlo-health-check-${metloUUID}`,
-        `Beckend service didn't match expected name.
+        `Health Check service didn't match expected name.
         Found ${healthCheckName},expected metlo-health-check-${metloUUID}`
     )
     // Delete GCP Health Check
@@ -130,7 +130,7 @@ export async function cleanupGCP(
     const groupName = group.selfLink.split("/").at(-1)
     assert.ok(
         groupName == `metlo-mig-${metloUUID}`,
-        `Beckend service didn't match expected name.
+        `Instance Group didn't match expected name.
         Found ${groupName},expected metlo-mig-${metloUUID}`
     )
     // Delete GCP Instance Group Manager
@@ -154,7 +154,7 @@ export async function cleanupGCP(
     const templateName = template.selfLink.split("/").at(-1)
     assert.ok(
         templateName == `metlo-image-template-${metloUUID}`,
-        `Beckend service didn't match expected name.
+        `Instance Template didn't match expected name.
         Found ${templateName},expected metlo-image-template-${metloUUID}`
     )
     // Delete GCP Instance Template
@@ -189,27 +189,48 @@ export async function cleanupGCP(
     //   } catch (err) {
     //     throw new Error(`Couldn't delete subnet ${gcp.destination_subnetwork_url}`)
     //   }
-    spinner.start("Deleting Firewall Rule")
+    spinner.start("Deleting inbound Firewall Rule")
     const [firewalls, ,] = await conn.list_firewall_rules()
-    const firewall = firewalls.find((_firewall) => _firewall.name.includes(metloUUID))
-    const firewallName = firewall.selfLink.split("/").at(-1)
+    const firewallInbound = firewalls.find((_firewall) => _firewall.name.includes(`metlo-firewall-in-${metloUUID}`))
+    const firewallInboundName = firewallInbound.selfLink.split("/").at(-1)
     assert.ok(
-        firewallName == `metlo-firewall-${metloUUID}`,
-        `Beckend service didn't match expected name.
-        Found ${firewallName},expected metlo-firewall-${metloUUID}`
+        firewallInboundName == `metlo-firewall-in-${metloUUID}`,
+        `Inbound Firewall didn't match expected name.
+        Found ${firewallInboundName},expected metlo-firewall-in-${metloUUID}`
     )
     //   Delete GCP Firewall
     try {
         let resp_firewall = await conn.delete_firewall_rule({
-            firewallURL: firewallName,
+            firewallURL: firewallInboundName,
         })
         await wait_for_global_operation(resp_firewall[0].name, conn)
     } catch (err) {
         spinner.stop()
         console.warn(err)
-        throw new Error(`Couldn't delete Firewall rule ${firewall.name}`)
+        throw new Error(`Couldn't delete Firewall rule ${firewallInbound.name}`)
     }
-    spinner.succeed("Deleted Firewall Rule")
+    spinner.succeed("Deleted inbound Firewall Rule")
+
+    spinner.start("Deleting outbound Firewall Rule")
+    const firewallOutbound = firewalls.find((_firewall) => _firewall.name.includes(`metlo-firewall-out-${metloUUID}`))
+    const firewallOutboundName = firewallOutbound.selfLink.split("/").at(-1)
+    assert.ok(
+        firewallOutboundName == `metlo-firewall-out-${metloUUID}`,
+        `Outbound Firewall didn't match expected name.
+        Found ${firewallOutboundName},expected metlo-firewall-out-${metloUUID}`
+    )
+    //   Delete GCP Firewall
+    try {
+        let resp_firewall = await conn.delete_firewall_rule({
+            firewallURL: firewallOutboundName,
+        })
+        await wait_for_global_operation(resp_firewall[0].name, conn)
+    } catch (err) {
+        spinner.stop()
+        console.warn(err)
+        throw new Error(`Couldn't delete Firewall rule ${firewallOutbound.name}`)
+    }
+    spinner.succeed("Deleted inbound Firewall Rule")
 
     return `Deleted connection ${metloUUID}`
 }

cli/src/gcp/gcp_apis.ts

@@ -195,7 +195,7 @@ export class GCP_CONN {
     return resp
   }
 
-  public async create_firewall_rule({ firewallName, networkName, ipRange }) {
+  public async create_inbound_firewall_rule({ firewallName, networkName }) {
     const conn = new FirewallsClient({ credentials: this.keyfile })
     return conn.insert({
       project: this.project,
@@ -211,8 +211,30 @@ export class GCP_CONN {
         },
         allowed: [
           {
-            IPProtocol: "UDP",
-            ports: ["4789"]
+            IPProtocol: "all"
+          },
+        ],
+      },
+    })
+  }
+
+  public async create_outbound_firewall_rule({ firewallName, networkName }) {
+    const conn = new FirewallsClient({ credentials: this.keyfile })
+    return conn.insert({
+      project: this.project,
+      firewallResource: {
+        direction: "EGRESS",
+        network: networkName,
+        targetTags: [METLO_DATA_COLLECTOR_TAG],
+        sourceRanges: ["0.0.0.0/0"],
+        name: firewallName,
+        priority: 65534,
+        logConfig: {
+          enable: false,
+        },
+        allowed: [
+          {
+            IPProtocol: "all"
           },
         ],
       },

cli/src/gcp/setup.ts

@@ -199,18 +199,28 @@ const createFirewallRule = async (
     ip_range,
     id
 ) => {
-    const firewallName = `metlo-firewall-${id}`
-    spinner.text = "Creating Firewall rule"
-    spinner.start()
-    let resp = await conn.create_firewall_rule({
-        firewallName,
-        networkName: network_url,
-        ipRange: ip_range,
+    const firewallInboundName = `metlo-firewall-in-${id}`
+    const firewallOutboundName = `metlo-firewall-out-${id}`
+
+    spinner.start("Creating inbound firewall rule")
+    let [respInbound] = await conn.create_inbound_firewall_rule({
+        firewallName: firewallInboundName,
+        networkName: network_url
+    })
+    spinner.succeed("Created inbound firewall rule")
+
+    spinner.start("Creating outbound firewall rule")
+    let [respOutbound] = await conn.create_outbound_firewall_rule({
+        firewallName: firewallOutboundName,
+        networkName: network_url
     })
-    spinner.succeed("Created Firewall rule")
+    spinner.succeed("Created outbound firewall rule")
     spinner.stop()
     spinner.clear()
-    return { firewallRuleUrl: resp[0].latestResponse.targetLink }
+    return {
+        firewallInboundRuleUrl: respInbound.latestResponse.targetLink,
+        firewallOutboundRuleUrl: respOutbound.latestResponse.targetLink,
+    }
 }
 
 const createCloudRouter = async (
@@ -596,8 +606,9 @@ export const gcpTrafficMirrorSetup = async () => {
             const { ipRange, destinationSubnetworkUrl } = await getDestinationSubnet(conn, networkUrl, id)
             data["ipRange"] = ipRange
             data["destinationSubnetworkUrl"] = destinationSubnetworkUrl
-            const { firewallRuleUrl } = await createFirewallRule(conn, networkUrl, ipRange, id)
-            data["firewallRuleUrl"] = firewallRuleUrl
+            const { firewallInboundRuleUrl, firewallOutboundRuleUrl } = await createFirewallRule(conn, networkUrl, ipRange, id)
+            data["firewallInboundRuleUrl"] = firewallInboundRuleUrl
+            data["firewallOutboundRuleUrl"] = firewallOutboundRuleUrl
             const { routerURL } = await createCloudRouter(conn, networkUrl, destinationSubnetworkUrl, id)
             data["routerURL"] = routerURL
             const { imageTemplateUrl, instanceGroupName, instanceUrl } = await create_mig(conn, networkUrl, destinationSubnetworkUrl, resolveImageURL(zone), id)