feat: added advanced network ddos protection & network edge security …

…policy sub-modules (#113)
GoogleCloudPlatform · Apr 23, 2024 · 8e1ecb5 · 8e1ecb5
1 parent c386c74
commit 8e1ecb5
Show file tree

Hide file tree

Showing 54 changed files with 1,780 additions and 304 deletions.
diff --git a/README.md b/README.md
@@ -1,12 +1,21 @@
 # Cloud Armor Terraform Module
-This module makes it easy to setup [Cloud Armor Security Policy](https://cloud.google.com/armor/docs/cloud-armor-overview#security_policies) with Security rules. There are `five` type of rules you can create in each policy:
+This module makes it easy to setup [Cloud Armor global Security Policy](https://cloud.google.com/armor/docs/cloud-armor-overview#security_policies) with Security rules. You can attach the global Security Policy policy to backend services exposed by the following load balancer types:
+- Global external Application Load Balancer (HTTP/HTTPS)
+- Classic Application Load Balancer (HTTP/HTTPS)
+- Global external proxy Network Load Balancer (TCP/SSL)
+- Classic proxy Network Load Balancer (TCP/SSL)
+
+There are `five` type of rules you can create in each policy:
 1) [Pre-Configured Rules](#pre_configured_rules): These are based on [pre-configured waf rules](https://cloud.google.com/armor/docs/waf-rules).
 2) [Security Rules](#security_rules): Allow or Deny traffic from list of IP addresses or IP adress ranges.
 3) [Custom Rules](#custom_rules): You can create your own rules using [Common Expression Language (CEL)](https://cloud.google.com/armor/docs/rules-language-reference).
 4) [Threat Intelligence Rules](#threat_intelligence_rules): Add Rules based on [threat intelligence](https://cloud.google.com/armor/docs/threat-intelligence). [Managed protection plus](https://cloud.google.com/armor/docs/managed-protection-overview) subscription is needed to use this feature.
 5) [Automatically deploy Adaptive Protection Suggested Rules](#adaptive_protection_auto_deploy); When enable module will create a rule for automatically deploying the suggested rules that [Adaptive Protection generates](https://cloud.google.com/armor/docs/adaptive-protection-auto-deploy).
 
 
+NOTE: For `external passthrough Network Load Balancers`, `protocol forwarding` and `VMs with public IP addresses` create [network Edge Security policy](https://cloud.google.com/armor/docs/security-policy-overview#network-edge-policies) using [advanced network DDoS protection](./modules/advanced-network-ddos-protection/) and [network edge security policy](./modules/network-edge-security-policy/) sub-modules.
+
+
 ## Compatibility
 
 This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
@@ -74,55 +83,6 @@ module "security_policy" {
 
       sensitivity_level = 4
       description       = "sqli-v33-stable Sensitivity Level 4 and 2 preconfigured_waf_config_exclusions"
-
-      preconfigured_waf_config_exclusions = {
-        exclusion_1 = {
-          target_rule_set = "sqli-v33-stable"
-          target_rule_ids = ["owasp-crs-v030301-id942120-sqli", "owasp-crs-v030301-id942130-sqli"]
-          request_cookie = [
-            {
-              operator = "STARTS_WITH"
-              value    = "abc"
-            }
-          ]
-          request_header = [
-            {
-              operator = "STARTS_WITH"
-              value    = "xyz"
-            },
-            {
-              operator = "STARTS_WITH"
-              value    = "uvw"
-            }
-          ]
-        }
-
-        exclusion_2 = {
-          target_rule_set = "sqli-v33-stable"
-          target_rule_ids = ["owasp-crs-v030301-id942150-sqli", "owasp-crs-v030301-id942180-sqli"]
-          request_header = [
-            {
-              operator = "STARTS_WITH"
-              value    = "lmn"
-            },
-            {
-              operator = "ENDS_WITH"
-              value    = "opq"
-            }
-          ]
-          request_uri = [
-            {
-              operator = "CONTAINS"
-              value    = "https://hashicorp.com"
-            },
-            {
-              operator = "CONTAINS"
-              value    = "https://xyz.com"
-            },
-          ]
-        }
-
-      }
     }
 
     "xss-stable_level_2_with_exclude" = {
@@ -157,15 +117,6 @@ module "security_policy" {
       preview       = true
     }
 
-    "redirect_project_rd" = {
-      action        = "redirect"
-      priority      = 12
-      description   = "Redirect IP address from project RD"
-      src_ip_ranges = ["190.217.68.215", "45.116.227.99", ]
-      redirect_type = "EXTERNAL_302"
-      redirect_target = "https://www.example.com"
-    }
-
     "rate_ban_project_actor3" = {
       action        = "rate_based_ban"
       priority      = 14
@@ -181,29 +132,6 @@ module "security_policy" {
         enforce_on_key                       = "ALL"
       }
     }
-
-    "throttle_project_droptwenty" = {
-      action        = "throttle"
-      priority      = 15
-      description   = "Throttle IP addresses from project droptwenty"
-      src_ip_ranges = ["190.217.68.214", "45.116.227.71", ]
-
-      rate_limit_options = {
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-        enforce_on_key_configs = [
-          {
-            enforce_on_key_type = "HTTP_PATH"
-          },
-          {
-            enforce_on_key_type = "HTTP_COOKIE"
-            enforce_on_key_name = "site_id"
-          }
-        ]
-      }
-
-    }
   }
 
   # Custom Rules using CEL
@@ -228,20 +156,6 @@ module "security_policy" {
       EOT
     }
 
-    throttle_specific_ip_region = {
-      action      = "throttle"
-      priority    = 23
-      description = "Throttle specific IP address in US Region"
-      expression  = <<-EOT
-        origin.region_code == "US" && inIpRange(origin.ip, '47.185.201.159/32')
-      EOT
-      rate_limit_options = {
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-      }
-    }
-
     allow_path_token_header = {
       action      = "allow"
       priority    = 25
@@ -263,17 +177,6 @@ module "security_policy" {
       ]
 
     }
-
-    deny_java_level3_with_exclude = {
-      action      = "deny(502)"
-      priority    = 100
-      description = "Deny pre-configured rule java-v33-stable at sensitivity level 3"
-      preview     = true
-      expression  = <<-EOT
-        evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3, 'opt_out_rule_ids': ['owasp-crs-v030301-id944240-java', 'owasp-crs-v030301-id944120-java']})
-      EOT
-    }
-
   }
 
   # Threat Intelligence Rules
@@ -288,18 +191,32 @@ module "security_policy" {
       feed        = "iplist-known-malicious-ips"
       exclude_ip  = "['47.100.100.100', '47.189.12.139']"
     }
+  }
 
-    deny_tor_exit_ips = {
-      action      = "deny(502)"
-      priority    = 210
-      description = "Deny Tor exit nodes IP addresses"
-      preview     = false
-      feed        = "iplist-tor-exit-nodes"
-    }
+}
+
+resource "google_compute_backend_service" "backend_service" {
+  provider = google-beta
+
+  ## Attach Cloud Armor policy to the backend service
+  security_policy = module.cloud_armor.policy.self_link
 
+  project = var.project_id
+
+  name        = "glb-ca-web-backend-svc-a"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  backend {
+    group           = google_compute_instance_group.ca_vm_1_ig.self_link
+    max_utilization = 0.5
   }
 
+  health_checks         = [google_compute_http_health_check.default.id]
+  load_balancing_scheme = "EXTERNAL"
 }
+
 ```
 
 
@@ -785,6 +702,11 @@ The following dependencies must be available:
 A service account with the following permission must be used to provision
 the resources of this module:
 
+- compute.networkEdgeSecurityServices.create
+- compute.networkEdgeSecurityServices.update
+- compute.networkEdgeSecurityServices.get
+- compute.networkEdgeSecurityServices.delete
+- compute.networkEdgeSecurityServices.list
 - compute.securityPolicies.create
 - compute.securityPolicies.delete
 - compute.securityPolicies.get

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -35,17 +35,17 @@ steps:
   waitFor:
     - init-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage apply --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage apply --verbose']
 - id: security-policy-all-verify
   waitFor:
     - security-policy-all-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage verify --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage verify --verbose']
 - id: security-policy-all-teardown
   waitFor:
     - security-policy-all-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage teardown --verbose']
 
 - id: simple-example-apply
   waitFor:

diff --git a/examples/security-policy-edge/README.md → ...ackend-security-policy-complete/README.md b/examples/security-policy-edge/README.md → ...ackend-security-policy-complete/README.md
@@ -1,6 +1,10 @@
-# Cloud Armor Edge Security Policy with custom rule
+# Cloud Armor Policy with preconfigured rules, custom rules and security rules
 
-This example configures a single Cloud Armor Edge Security Policy with a custom rule.
+This example performs the following:
+- Network (VPC/Subnets/Firewall-rules/NAT).
+- Creates a `global cloud armor security policy`.
+- Creates a VM instance behind a `global external application load balancer`.
+- Attaches `security policy` to the backend service  by passing security policy link in `security_policy` parameter in `google_compute_backend_service` resource.
 
 ## Usage
 

diff --git a/examples/global-backend-security-policy-complete/glb.tf b/examples/global-backend-security-policy-complete/glb.tf
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# # ############## Healthcheck
+
+resource "google_compute_http_health_check" "default" {
+  provider = google-beta
+  project  = var.project_id
+
+  name               = "glb-ca-health-check"
+  check_interval_sec = 5
+  timeout_sec        = 3
+}
+
+resource "google_compute_backend_service" "backend_service" {
+  provider = google-beta
+
+  project = var.project_id
+
+  name        = "glb-ca-web-backend-svc-a"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  backend {
+    group           = google_compute_instance_group.ca_vm_1_ig.self_link
+    max_utilization = 0.5
+  }
+
+  health_checks         = [google_compute_http_health_check.default.id]
+  load_balancing_scheme = "EXTERNAL"
+
+  ## Attach Cloud Armor policy to the backend service
+  security_policy = module.cloud_armor.policy.self_link
+}
+
+resource "google_compute_url_map" "default" {
+  provider = google-beta
+
+  project     = var.project_id
+  name        = "glb-ca-https"
+  description = "global ca url map"
+
+  default_service = google_compute_backend_service.backend_service.id
+}
+
+resource "google_compute_target_http_proxy" "http_glb_proxy" {
+  name    = "glb-ca-http-proxy"
+  url_map = google_compute_url_map.default.id
+  project = var.project_id
+}
+
+resource "google_compute_global_address" "glb_external_address" {
+  name    = "glb-ca-http-global-ip"
+  project = var.project_id
+}
+
+
+resource "google_compute_global_forwarding_rule" "glb_forwarding_rule" {
+  name       = "glb-ca-http-global-fr"
+  target     = google_compute_target_http_proxy.http_glb_proxy.self_link
+  ip_address = google_compute_global_address.glb_external_address.address
+  port_range = "80"
+  project    = var.project_id
+}