added network edge security policy sub-module

README.md

@@ -785,6 +785,11 @@ The following dependencies must be available:
 A service account with the following permission must be used to provision
 the resources of this module:
 
+- compute.networkEdgeSecurityServices.create
+- compute.networkEdgeSecurityServices.update
+- compute.networkEdgeSecurityServices.get
+- compute.networkEdgeSecurityServices.delete
+- compute.networkEdgeSecurityServices.list
 - compute.securityPolicies.create
 - compute.securityPolicies.delete
 - compute.securityPolicies.get

examples/advanced-network-ddos-protection/main.tf

@@ -24,6 +24,6 @@ module "advanced_network_ddos_protection" {
 
   project_id                         = var.project_id
   regions                            = ["us-central1", "us-east1"]
-  policy_name                        = "adv-network-ddos-protection-${random_id.suffix.hex}"
-  network_edge_security_service_name = "adv-network-ddos-protection-${random_id.suffix.hex}"
+  policy_name                        = "test-adv-network-ddos-protection-${random_id.suffix.hex}"
+  network_edge_security_service_name = "test-network-edge-security-svc-${random_id.suffix.hex}"
 }

examples/network-edge-security-policy/README.md

@@ -0,0 +1,33 @@
+# Enable Cloud Armor Network Edge Security Policy
+
+This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [example](../advanced-network-ddos-protection/) to deploy advanced newtork ddos protection.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+export TF_VAR_project_id="your_project_id"
+```
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project in which the resource belongs | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| policy\_rules | Security policy rules created |
+| security\_policy | Regional Network Security policy created |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/network-edge-security-policy/main.tf

@@ -0,0 +1,84 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "suffix" {
+  byte_length = 4
+}
+
+module "network_edge_security_policy" {
+  source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
+  version = "~> 2.0"
+
+  project_id  = var.project_id
+  region      = "us-central1"
+  policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}"
+
+  policy_user_defined_fields = [
+    {
+      name   = "SIG1_AT_0"
+      base   = "UDP"
+      offset = 8
+      size   = 2
+      mask   = "0x8F00"
+    },
+    {
+      name   = "SIG2_AT_8"
+      base   = "TCP"
+      offset = 16
+      size   = 4
+      mask   = "0xFFFFFFFF"
+    },
+    {
+      name   = "IPv4-TTL"
+      base   = "IPV4"
+      offset = 8
+      size   = 1
+      mask   = "0xFF"
+    },
+
+  ]
+
+  policy_rules = [
+    {
+      priority         = 100
+      action           = "deny"
+      preview          = true
+      description      = "custom rule 100"
+      src_ip_ranges    = ["10.10.0.0/16"]
+      src_asns         = [15169]
+      src_region_codes = ["AU"]
+      ip_protocols     = ["TCP"]
+      src_ports        = [80]
+      dest_ports       = ["8080"]
+      dest_ip_ranges   = ["10.100.0.0/16"]
+      user_defined_fields = [
+        {
+          name   = "SIG1_AT_0"
+          values = ["0x8F00"]
+        },
+      ]
+    },
+    {
+      priority       = 200
+      action         = "deny"
+      preview        = false
+      priority       = 200
+      src_asns       = [15269]
+      dest_ports     = ["80"]
+      dest_ip_ranges = ["10.100.0.0/16"]
+    },
+  ]
+}

examples/network-edge-security-policy/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "security_policy" {
+  value       = module.network_edge_security_policy.security_policy
+  description = "Regional Network Security policy created"
+}
+
+output "policy_rules" {
+  value       = module.network_edge_security_policy.policy_rules
+  description = "Security policy rules created"
+}

examples/network-edge-security-policy/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project in which the resource belongs"
+  type        = string
+}

modules/advanced-network-ddos-protection/README.md

@@ -1,4 +1,4 @@
-# Cloud Armor Terraform Module
+# Enable Cloud Armor Advanced Network DDoS Protection
 This module enables [advanced network DDoS protection](https://cloud.google.com/armor/docs/armor-enterprise-overview#advanced_network_ddos_protection) in specified region(s). Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Advanced network DDoS protection feature protects workloads using [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. When enabled for a particular region, Google Cloud Armor provides always-on targeted volumetric attack detection and mitigation for external passthrough Network Load Balancer, protocol forwarding, and VMs with public IP addresses in that region. This module creates security policy of type `CLOUD_ARMOR_NETWORK` and a a network edge security service in the specified region(s).
 
 ## Compatibility
@@ -45,46 +45,3 @@ module "advanced_network_ddos_protection" {
 | network\_edge\_security\_services | Network edge security services created |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
-## Requirements
-
-These sections describe requirements for using this module.
-
-### Software
-
-The following dependencies must be available:
-
-- [Terraform][terraform] v1.3+
-- [Terraform Provider for GCP][terraform-provider-gcp] plugin v4.80+
-
-### Service Account
-
-A service account with the following permission must be used to provision
-the resources of this module:
-
-- compute.networkEdgeSecurityServices.create
-- compute.networkEdgeSecurityServices.update
-- compute.networkEdgeSecurityServices.get
-- compute.networkEdgeSecurityServices.delete
-- compute.networkEdgeSecurityServices.list
-- compute.regionSecurityPolicies.create
-- compute.regionSecurityPolicies.delete
-- compute.regionSecurityPolicies.get
-- compute.regionSecurityPolicies.list
-- compute.regionSecurityPolicies.use
-- compute.regionSecurityPolicies.update
-
-Following roles contain above mentioned permissions. You can either assing one of the following role or create custom roles with above permissions.
-
-- Compute Security Admin: `roles/compute.securityAdmin`
-- Compute Admin: `roles/compute.admin`
-
-### Enable API's
-In order to operate with the Service Account you must activate the following API on the project where the Service Account was created:
-
-- Compute Engine API - compute.googleapis.com
-
-## Contributing
-
-Refer to the [contribution guidelines](./CONTRIBUTING.md) for
-information on contributing to this module.

modules/advanced-network-ddos-protection/main.tf

@@ -14,8 +14,6 @@
  * limitations under the License.
  */
 
-### Adding custom rules to network security policies requires advanced network DDoS protection to be enabled in the region. Advanced protection can be enabled in preview mode.
-
 resource "google_compute_region_security_policy" "adv_ddos_protection" {
   provider = google-beta
   for_each = toset(var.regions)