From 19305bd5ffc35e37577c05f58c19138b3d0debc5 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Fri, 8 Nov 2024 15:56:31 -0600 Subject: [PATCH] fix: added example for address group in global security policy (#138) --- .../README.md | 5 +++- .../main.tf | 29 +++++++++++++++++-- .../outputs.tf | 4 +++ .../versions.tf | 29 +++++++++++++++++++ .../nlb.tf | 3 +- .../simple_example_test.go | 22 +++++++++----- test/setup/iam.tf | 1 + test/setup/main.tf | 4 ++- 8 files changed, 85 insertions(+), 12 deletions(-) create mode 100644 examples/global-backend-security-policy-example/versions.tf diff --git a/examples/global-backend-security-policy-example/README.md b/examples/global-backend-security-policy-example/README.md index 00fd053..f081e5d 100644 --- a/examples/global-backend-security-policy-example/README.md +++ b/examples/global-backend-security-policy-example/README.md @@ -1,4 +1,4 @@ -# Simple Cloud Armor Policy with preconfigured rules, custom rules and security rules +# Simple Cloud Armor Policy with pre-configured rules, custom rules and security rules This example configures a single cloud armor policy with following types of rules: - Pre-configured rules @@ -7,6 +7,8 @@ This example configures a single cloud armor policy with following types of rule - Threat Intelligence Rules (Requires [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Remove these rules if you dont have Cloud Armor Enterprise enabled for your project) - Rule for Automatically deploying Adaptive Protection suggested rules (Requires [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Remove these rules if you dont have Cloud Armor Enterprise enabled for your project) +This example also shows how you can deploy custom rules with [address groups](https://cloud.google.com/armor/docs/address-groups-using) + ## Usage To run this example you need to execute: @@ -32,6 +34,7 @@ terraform apply | Name | Description | |------|-------------| +| address\_group\_name | n/a | | policy\_name | Security Policy name | | security\_policy | Cloud Armor security policy created | diff --git a/examples/global-backend-security-policy-example/main.tf b/examples/global-backend-security-policy-example/main.tf index 216d6b5..f2ab7d9 100644 --- a/examples/global-backend-security-policy-example/main.tf +++ b/examples/global-backend-security-policy-example/main.tf @@ -18,6 +18,20 @@ resource "random_id" "suffix" { byte_length = 4 } +resource "google_network_security_address_group" "address_group" { + provider = google-beta + name = "address-groups-${random_id.suffix.hex}" + parent = "projects/${var.project_id}" + location = "global" + type = "IPV4" + capacity = "100" + purpose = ["CLOUD_ARMOR"] + items = [ + "208.80.154.224/32", + "47.185.201.160/32", + ] +} + module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" version = "~> 3.0" @@ -267,7 +281,7 @@ module "cloud_armor" { deny_java_level3_with_exclude = { action = "deny(502)" - priority = 100 + priority = 26 description = "Deny pre-configured rule java-v33-stable at sensitivity level 3" preview = true @@ -278,7 +292,7 @@ module "cloud_armor" { "methodenforcement-v33-stable_level_1" = { action = "deny(403)" - priority = 6 + priority = 27 description = "Method enforcement Level 1" preview = true expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')" @@ -294,6 +308,17 @@ module "cloud_armor" { ] } } + + deny_address_group = { + action = "deny(502)" + priority = 28 + description = "Deny address group" + + expression = <<-EOT + evaluateAddressGroup('${google_network_security_address_group.address_group.name}', origin.ip, ['47.185.201.160']) + EOT + } + } #adaptive protection auto deploy rules diff --git a/examples/global-backend-security-policy-example/outputs.tf b/examples/global-backend-security-policy-example/outputs.tf index 75193d7..4848cf1 100644 --- a/examples/global-backend-security-policy-example/outputs.tf +++ b/examples/global-backend-security-policy-example/outputs.tf @@ -23,3 +23,7 @@ output "policy_name" { value = module.cloud_armor.policy.name description = "Security Policy name" } + +output "address_group_name" { + value = google_network_security_address_group.address_group.name +} diff --git a/examples/global-backend-security-policy-example/versions.tf b/examples/global-backend-security-policy-example/versions.tf new file mode 100644 index 0000000..855bfd2 --- /dev/null +++ b/examples/global-backend-security-policy-example/versions.tf @@ -0,0 +1,29 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.3.0" + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.74, < 7" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 4.74, < 7" + } + } +} diff --git a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/nlb.tf b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/nlb.tf index 3c727d6..09ba41a 100644 --- a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/nlb.tf +++ b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/nlb.tf @@ -41,7 +41,8 @@ resource "google_compute_region_backend_service" "backend" { load_balancing_scheme = "EXTERNAL" health_checks = [google_compute_region_health_check.default.id] backend { - group = google_compute_instance_group.ca_vm_1_ig.self_link + group = google_compute_instance_group.ca_vm_1_ig.self_link + balancing_mode = "CONNECTION" } log_config { diff --git a/test/integration/global-backend-security-policy-example/simple_example_test.go b/test/integration/global-backend-security-policy-example/simple_example_test.go index 56e20c8..2541e20 100644 --- a/test/integration/global-backend-security-policy-example/simple_example_test.go +++ b/test/integration/global-backend-security-policy-example/simple_example_test.go @@ -225,13 +225,21 @@ func TestGlobalSecurityPolicyExample(t *testing.T) { assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 24 rule has Rate limit threshold interval") } - // Rule 100 - spRule100 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 100 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule100.Array() { - assert.True(sp.Get("preview").Bool(), "priority 100 rule Preview is set to True") - assert.Equal("deny(502)", sp.Get("action").String(), "priority 100 rule has expected action") - assert.Equal("Deny pre-configured rule java-v33-stable at sensitivity level 3", sp.Get("description").String(), "priority 100 rule has expected description") - assert.Equal("evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3, 'opt_out_rule_ids': ['owasp-crs-v030301-id944240-java', 'owasp-crs-v030301-id944120-java']})\n", sp.Get("match.expr.expression").String(), "priority 100 rule has expected expression") + // Rule 26 + spRule26 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 26 --security-policy=%s --project %s", policyName, projectId)) + for _, sp := range spRule26.Array() { + assert.True(sp.Get("preview").Bool(), "priority 26 rule Preview is set to True") + assert.Equal("deny(502)", sp.Get("action").String(), "priority 28 rule has expected action") + assert.Equal("Deny pre-configured rule java-v33-stable at sensitivity level 3", sp.Get("description").String(), "priority 26 rule has expected description") + assert.Equal("evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3, 'opt_out_rule_ids': ['owasp-crs-v030301-id944240-java', 'owasp-crs-v030301-id944120-java']})\n", sp.Get("match.expr.expression").String(), "priority 26 rule has expected expression") + } + + // Rule 28 + spRule28 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 28 --security-policy=%s --project %s", policyName, projectId)) + for _, sp := range spRule28.Array() { + assert.False(sp.Get("preview").Bool(), "priority 28 rule Preview is set to False") + assert.Equal("deny(502)", sp.Get("action").String(), "priority 28 rule has expected action") + assert.Equal("Deny address group", sp.Get("description").String(), "priority 28 rule has expected description") } }) diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 03dbd5c..1557510 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -24,6 +24,7 @@ locals { "roles/servicenetworking.networksAdmin", "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountUser", + "roles/compute.networkAdmin", ] } diff --git a/test/setup/main.tf b/test/setup/main.tf index be37ffd..080d68e 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -16,13 +16,14 @@ module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-armor" random_project_id = "true" org_id = var.org_id folder_id = var.folder_id billing_account = var.billing_account + deletion_policy = "DELETE" activate_apis = [ "iam.googleapis.com", @@ -30,6 +31,7 @@ module "project" { "compute.googleapis.com", "serviceusage.googleapis.com", "recaptchaenterprise.googleapis.com", + "networksecurity.googleapis.com", ] }