added end to end examples

build/int.cloudbuild.yaml

@@ -35,17 +35,17 @@ steps:
   waitFor:
     - init-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage apply --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage apply --verbose']
 - id: security-policy-all-verify
   waitFor:
     - security-policy-all-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage verify --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage verify --verbose']
 - id: security-policy-all-teardown
   waitFor:
     - security-policy-all-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage teardown --verbose']
 
 - id: simple-example-apply
   waitFor:

examples/security-policy-edge/README.md → examples/global-backend-security-policy-complete/README.md

@@ -1,6 +1,10 @@
-# Cloud Armor Edge Security Policy with custom rule
+# Cloud Armor Policy with preconfigured rules, custom rules and security rules
 
-This example configures a single Cloud Armor Edge Security Policy with a custom rule.
+This example performs the following:
+- Network (VPC/Subnets/Firewall-rules/NAT).
+- Creates a `global cloud armor security policy`.
+- Creates a VM instance behind a `global external application load balancer`.
+- Attaches `security policy` to the backend service.
 
 ## Usage
 

examples/global-backend-security-policy-complete/glb.tf

@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# # ############## Healthcheck
+
+resource "google_compute_http_health_check" "default" {
+  provider = google-beta
+  project  = var.project_id
+
+  name               = "glb-ca-health-check"
+  check_interval_sec = 5
+  timeout_sec        = 3
+}
+
+resource "google_compute_backend_service" "backend_service" {
+  provider = google-beta
+
+  project = var.project_id
+
+  name        = "glb-ca-web-backend-svc-a"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  backend {
+    group           = google_compute_instance_group.ca_vm_1_ig.self_link
+    max_utilization = 0.5
+  }
+
+  health_checks         = [google_compute_http_health_check.default.id]
+  load_balancing_scheme = "EXTERNAL"
+
+  ## Attach Cloud Armor policy to the backend service
+  security_policy = module.cloud_armor.policy.self_link
+}
+
+resource "google_compute_url_map" "default" {
+  provider = google-beta
+
+  project     = var.project_id
+  name        = "glb-ca-https"
+  description = "global ca url map"
+
+  default_service = google_compute_backend_service.backend_service.id
+}
+
+resource "google_compute_target_http_proxy" "http_glb_proxy" {
+  name    = "glb-ca-http-proxy"
+  url_map = google_compute_url_map.default.id
+  project = var.project_id
+}
+
+resource "google_compute_global_address" "glb_external_address" {
+  name    = "glb-ca-http-global-ip"
+  project = var.project_id
+}
+
+
+resource "google_compute_global_forwarding_rule" "glb_forwarding_rule" {
+  name       = "glb-ca-http-global-fr"
+  target     = google_compute_target_http_proxy.http_glb_proxy.self_link
+  ip_address = google_compute_global_address.glb_external_address.address
+  port_range = "80"
+  project    = var.project_id
+}

examples/security-policy-all/main.tf → examples/global-backend-security-policy-complete/main.tf

@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+locals {
+  primary_region   = "us-central1"
+  secondary_region = "us-east1"
+}
+
 resource "random_id" "suffix" {
   byte_length = 4
 }
@@ -24,70 +29,19 @@ module "cloud_armor" {
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"
   description                          = "Test Cloud Armor security policy with preconfigured rules, security rules and custom rules"
-  default_rule_action                  = "allow"
+  default_rule_action                  = "deny(502)"
   type                                 = "CLOUD_ARMOR"
   layer_7_ddos_defense_enable          = true
   layer_7_ddos_defense_rule_visibility = "STANDARD"
   user_ip_request_headers              = ["True-Client-IP", ]
 
-  pre_configured_rules = {
-    "sqli_sensitivity_level_4" = {
-      action          = "deny(502)"
-      priority        = 1
-      target_rule_set = "sqli-v33-stable"
-    }
-
-    "xss-stable_level_2_with_exclude" = {
-      action                  = "throttle"
-      priority                = 2
-      description             = "XSS Sensitivity Level 2 with excluded rules"
-      preview                 = true
-      target_rule_set         = "xss-v33-stable"
-      sensitivity_level       = 2
-      exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941340-xss"]
-      rate_limit_options = {
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-      }
-    }
-
-    "php-stable_level_1_with_include" = {
-      action                  = "rate_based_ban"
-      priority                = 3
-      description             = "PHP Sensitivity Level 1 with included rules"
-      target_rule_set         = "php-v33-stable"
-      sensitivity_level       = 0
-      include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
-      exclude_target_rule_ids = []
-      rate_limit_options = {
-        ban_duration_sec                     = 600
-        enforce_on_key                       = "ALL"
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-        ban_http_request_count               = 1000
-        ban_http_request_interval_sec        = 300
-      }
-    }
-
-    "rfi_sensitivity_level_4" = {
-      action          = "redirect"
-      priority        = 4
-      description     = "Remote file inclusion 4"
-      redirect_type   = "GOOGLE_RECAPTCHA"
-      target_rule_set = "rfi-v33-stable"
-    }
-
-  }
-
   security_rules = {
-    "deny_project_honeypot" = {
-      action        = "deny(502)"
+    "allow_whitelisted_ip_ranges" = {
+      action        = "allow"
       priority      = 11
-      description   = "Deny Malicious IP address from project honeypot"
-      src_ip_ranges = ["190.217.68.211", "45.116.227.68", ]
-      preview       = true
+      description   = "Allow whitelisted IP address ranges"
+      src_ip_ranges = ["190.210.69.12", ]
+      preview       = false
     }
 
     "redirect_project_drop" = {
@@ -98,23 +52,9 @@ module "cloud_armor" {
       redirect_type = "GOOGLE_RECAPTCHA"
     }
 
-    "rate_ban_project_dropten" = {
-      action        = "rate_based_ban"
-      priority      = 13
-      description   = "Rate based ban for address from project dropten as soon as they cross rate limit threshold"
-      src_ip_ranges = ["190.217.68.213", "45.116.227.70", ]
-      rate_limit_options = {
-        ban_duration_sec                     = 120
-        enforce_on_key                       = "ALL"
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-      }
-    }
-
     "rate_ban_project_dropthirty" = {
       action        = "rate_based_ban"
-      priority      = 14
+      priority      = 13
       description   = "Rate based ban for address from project dropthirty only if they cross banned threshold"
       src_ip_ranges = ["190.217.68.213", "45.116.227.70", ]
       rate_limit_options = {
@@ -130,7 +70,7 @@ module "cloud_armor" {
 
     "throttle_project_droptwenty" = {
       action        = "throttle"
-      priority      = 15
+      priority      = 14
       description   = "Throttle IP addresses from project droptwenty"
       src_ip_ranges = ["190.217.68.214", "45.116.227.71", ]
       rate_limit_options = {
@@ -151,15 +91,6 @@ module "cloud_armor" {
         '[US,AU,BE]'.contains(origin.region_code)
       EOT
     }
-
-    deny_specific_ip = {
-      action      = "deny(502)"
-      priority    = 22
-      description = "Deny Specific IP address"
-      expression  = <<-EOT
-        inIpRange(origin.ip, '47.185.201.155/32')
-      EOT
-    }
     throttle_specific_ip = {
       action      = "throttle"
       priority    = 23

examples/global-backend-security-policy-complete/network.tf

@@ -0,0 +1,147 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  network_name        = "test-global-ca"
+  rfc1918_cidr_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", ]
+}
+
+/******************************************
+  Ranges for default firewall rules.
+ *****************************************/
+
+data "google_netblock_ip_ranges" "legacy_health_checkers" {
+  range_type = "legacy-health-checkers"
+}
+
+data "google_netblock_ip_ranges" "health_checkers" {
+  range_type = "health-checkers"
+}
+
+data "google_netblock_ip_ranges" "iap_forwarders" {
+  range_type = "iap-forwarders"
+}
+
+
+module "test_vpc" {
+  source       = "terraform-google-modules/network/google"
+  version      = "~> 9.0"
+  project_id   = var.project_id
+  network_name = local.network_name
+
+  subnets = [
+    {
+      subnet_name   = "subnet-100"
+      subnet_ip     = "10.10.100.0/24"
+      subnet_region = local.primary_region
+    },
+    {
+      subnet_name   = "subnet-200"
+      subnet_ip     = "10.10.200.0/24"
+      subnet_region = local.secondary_region
+    },
+  ]
+}
+
+module "net_firewall" {
+  source                  = "terraform-google-modules/network/google//modules/fabric-net-firewall"
+  version                 = "~> 9.0"
+  project_id              = module.test_vpc.project_id
+  network                 = module.test_vpc.network_name
+  ssh_source_ranges       = []
+  http_source_ranges      = []
+  https_source_ranges     = []
+  internal_ranges_enabled = true
+  internal_ranges         = local.rfc1918_cidr_ranges
+  internal_allow = [
+    {
+      protocol = "all"
+    },
+  ]
+  custom_rules = {
+    ca-allow-ssh-from-iap = {
+      description          = "Allow SSH access from IAP tunnel"
+      direction            = "INGRESS"
+      action               = "allow"
+      ranges               = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4
+      sources              = []
+      targets              = []
+      use_service_accounts = false
+      rules = [
+        {
+          protocol = "tcp"
+          ports    = [22]
+        },
+      ]
+      extra_attributes = {}
+    }
+    ca-allow-rdp-from-iap = {
+      description          = "Allow RDP access from IAP tunnel"
+      direction            = "INGRESS"
+      action               = "allow"
+      ranges               = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4
+      sources              = []
+      targets              = []
+      use_service_accounts = false
+      rules = [
+        {
+          protocol = "tcp"
+          ports    = [3389]
+        },
+        {
+          protocol = "udp"
+          ports    = [3389]
+        },
+      ]
+      extra_attributes = {}
+    }
+    ca-allow-lb-healthcheck = {
+      description          = "Allow Load balancer health check to all backends"
+      direction            = "INGRESS"
+      action               = "allow"
+      ranges               = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
+      sources              = []
+      targets              = []
+      use_service_accounts = false
+      rules = [
+        {
+          protocol = "tcp"
+          ports    = []
+        },
+      ]
+      extra_attributes = {}
+    }
+  }
+}
+
+module "cloud_router" {
+  source  = "terraform-google-modules/cloud-router/google"
+  version = "~> 6.0"
+
+  name    = "test-ca-${local.primary_region}-cr"
+  project = module.test_vpc.project_id
+  region  = local.primary_region
+  network = module.test_vpc.network_self_link
+  nats = [{
+    name                               = "test-ca-${local.primary_region}-nat"
+    source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+    min_ports_per_vm                   = 4096
+    log_config = {
+      "filter" = "ERRORS_ONLY"
+    }
+    },
+  ]
+}