Adopt firewall-rules module in ml-slurm example

GoogleCloudPlatform · Feb 15, 2024 · a3045c7 · a3045c7
1 parent b6cae6b
commit a3045c7
Showing 1 changed file with 42 additions and 7 deletions.
diff --git a/examples/ml-slurm.yaml b/examples/ml-slurm.yaml
@@ -41,16 +41,51 @@ vars:
 deployment_groups:
 - group: primary
   modules:
-  - id: network1
+  - id: network
     source: modules/network/pre-existing-vpc
+
+  # this example anticipates that the VPC default network has internal traffic
+  # allowed and IAP tunneling for SSH connections
+  - id: firewall_rule
+    source: modules/network/firewall-rules
+    use:
+    - network
+    settings:
+      ingress_rules:
+      - name: $(vars.deployment_name)-allow-internal-traffic
+        description: Allow internal traffic
+        destination_ranges:
+        - $(network.subnetwork_address)
+        source_ranges:
+        - $(network.subnetwork_address)
+        allow:
+        - protocol: tcp
+          ports:
+          - 0-65535
+        - protocol: udp
+          ports:
+          - 0-65535
+        - protocol: icmp
+      - name: $(vars.deployment_name)-allow-iap-ssh
+        description: Allow IAP-tunneled SSH connections
+        destination_ranges:
+        - $(network.subnetwork_address)
+        source_ranges:
+        - 35.235.240.0/20
+        allow:
+        - protocol: tcp
+          ports:
+          - 22
+
   - id: homefs
     source: modules/file-system/filestore
     use:
-    - network1
+    - network
     settings:
       local_mount: /home
       size_gb: 2560
       filestore_tier: BASIC_SSD
+
   - id: script
     source: modules/scripts/startup-script
     settings:
@@ -129,7 +164,7 @@ deployment_groups:
     source: modules/packer/custom-image
     kind: packer
     use:
-    - network1
+    - network
     - script
     settings:
       # give VM a public IP to ensure startup script can reach public internet
@@ -208,7 +243,7 @@ deployment_groups:
     use:
     - a2_node_group
     - homefs
-    - network1
+    - network
     settings:
       partition_name: a2
       is_default: true
@@ -227,7 +262,7 @@ deployment_groups:
     use:
     - g2_node_group
     - homefs
-    - network1
+    - network
     settings:
       partition_name: g2
       enable_placement: false
@@ -236,7 +271,7 @@ deployment_groups:
   - id: slurm_controller
     source: community/modules/scheduler/schedmd-slurm-gcp-v5-controller
     use:
-    - network1
+    - network
     - a2_partition
     - g2_partition
     - homefs
@@ -249,7 +284,7 @@ deployment_groups:
     source: community/modules/scheduler/schedmd-slurm-gcp-v5-login
     use:
     - examples
-    - network1
+    - network
     - slurm_controller
     settings:
       disable_login_public_ips: false