diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 340a08c..db5a89d 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -35,17 +35,17 @@ steps: waitFor: - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage apply --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage apply --verbose'] - id: security-policy-all-verify waitFor: - security-policy-all-apply name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage verify --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage verify --verbose'] - id: security-policy-all-teardown waitFor: - security-policy-all-verify name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage teardown --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage teardown --verbose'] - id: simple-example-apply waitFor: diff --git a/examples/security-policy-edge/README.md b/examples/global-backend-security-policy-complete/README.md similarity index 65% rename from examples/security-policy-edge/README.md rename to examples/global-backend-security-policy-complete/README.md index f684f5d..0343fbb 100644 --- a/examples/security-policy-edge/README.md +++ b/examples/global-backend-security-policy-complete/README.md 
@@ -1,6 +1,10 @@ -# Cloud Armor Edge Security Policy with custom rule +# Cloud Armor Policy with preconfigured rules, custom rules and security rules -This example configures a single Cloud Armor Edge Security Policy with a custom rule. +This example performs the following: +- Network (VPC/Subnets/Firewall-rules/NAT). +- Creates a `global cloud armor security policy`. +- Creates a VM instance behind a `global external application load balancer`. +- Attaches `security policy` to the backend service. ## Usage diff --git a/examples/global-backend-security-policy-complete/glb.tf b/examples/global-backend-security-policy-complete/glb.tf new file mode 100644 index 0000000..244107d --- /dev/null +++ b/examples/global-backend-security-policy-complete/glb.tf 
@@ -0,0 +1,78 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# # ############## Healthcheck + +resource "google_compute_http_health_check" "default" { + provider = google-beta + project = var.project_id + + name = "glb-ca-health-check" + check_interval_sec = 5 + timeout_sec = 3 +} + +resource "google_compute_backend_service" "backend_service" { + provider = google-beta + + project = var.project_id + + name = "glb-ca-web-backend-svc-a" + port_name = "http" + protocol = "HTTP" + timeout_sec = 10 + + backend { + group = google_compute_instance_group.ca_vm_1_ig.self_link + max_utilization = 0.5 + } + + health_checks = [google_compute_http_health_check.default.id] + load_balancing_scheme = "EXTERNAL" + + ## Attach Cloud Armor policy to the backend service + security_policy = module.cloud_armor.policy.self_link +} + +resource "google_compute_url_map" "default" { + provider = google-beta + + project = var.project_id + name = "glb-ca-https" + description = "global ca url map" + + default_service = google_compute_backend_service.backend_service.id +} + +resource "google_compute_target_http_proxy" "http_glb_proxy" { + name = "glb-ca-http-proxy" + url_map = google_compute_url_map.default.id + project = var.project_id +} + +resource "google_compute_global_address" "glb_external_address" { + name = "glb-ca-http-global-ip" + project = var.project_id +} + + +resource "google_compute_global_forwarding_rule" 
"glb_forwarding_rule" { + name = "glb-ca-http-global-fr" + target = google_compute_target_http_proxy.http_glb_proxy.self_link + ip_address = google_compute_global_address.glb_external_address.address + port_range = "80" + project = var.project_id +} diff --git a/examples/security-policy-all/main.tf b/examples/global-backend-security-policy-complete/main.tf similarity index 59% rename from examples/security-policy-all/main.tf rename to examples/global-backend-security-policy-complete/main.tf index 4ab8eac..6e352ea 100644 --- a/examples/security-policy-all/main.tf +++ b/examples/global-backend-security-policy-complete/main.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +locals { + primary_region = "us-central1" + secondary_region = "us-east1" +} + resource "random_id" "suffix" { byte_length = 4 } 
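Review bot: `google_compute_backend_service.backend_service` attaches the Cloud Armor policy but has no `log_config`, so the policy's allow/deny decisions will not appear in the load balancer request logs (the `enforcedSecurityPolicy` field is only emitted when backend logging is on), which makes the example hard to verify; the regional backend in nlb.tf from this same commit does enable logging. Add a `log_config` block with `enable = true` and `sample_rate = 1.0` next to the `security_policy` line. `google_compute_http_health_check` is also the legacy health-check resource; `google_compute_health_check` with an `http_health_check` block is the current equivalent and mirrors the `google_compute_region_health_check` used in nlb.tf, and its `port`/`request_path` defaults (80, `/`) should be spelled out so the check is visibly tied to the `http` named port.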
@@ -24,70 +29,19 @@ module "cloud_armor" { project_id = var.project_id name = "test-casp-policy-${random_id.suffix.hex}" description = "Test Cloud Armor security policy with preconfigured rules, security rules and custom rules" - default_rule_action = "allow" + default_rule_action = "deny(502)" type = "CLOUD_ARMOR" layer_7_ddos_defense_enable = true layer_7_ddos_defense_rule_visibility = "STANDARD" user_ip_request_headers = ["True-Client-IP", ] - pre_configured_rules = { - "sqli_sensitivity_level_4" = { - action = "deny(502)" - priority = 1 - target_rule_set = "sqli-v33-stable" - } - - "xss-stable_level_2_with_exclude" = { - action = "throttle" - priority = 2 - description = "XSS Sensitivity Level 2 with excluded rules" - preview = true - target_rule_set = "xss-v33-stable" - sensitivity_level = 2 - exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941340-xss"] - rate_limit_options = { - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - } - } - - "php-stable_level_1_with_include" = { - action = "rate_based_ban" - priority = 3 - description = "PHP Sensitivity Level 1 with included rules" - target_rule_set = "php-v33-stable" - sensitivity_level = 0 - include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"] - exclude_target_rule_ids = [] - rate_limit_options = { - ban_duration_sec = 600 - enforce_on_key = "ALL" - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - ban_http_request_count = 1000 - ban_http_request_interval_sec = 300 - } - } - - "rfi_sensitivity_level_4" = { - action = "redirect" - priority = 4 - description = "Remote file inclusion 4" - redirect_type = "GOOGLE_RECAPTCHA" - target_rule_set = "rfi-v33-stable" - } - - } - security_rules = { - "deny_project_honeypot" = { - action = "deny(502)" + "allow_whitelisted_ip_ranges" = { + action = "allow" priority = 11 - 
description = "Deny Malicious IP address from project honeypot" - src_ip_ranges = ["190.217.68.211", "45.116.227.68", ] - preview = true + description = "Allow whitelisted IP address ranges" + src_ip_ranges = ["190.210.69.12", ] + preview = false } "redirect_project_drop" = { @@ -98,23 +52,9 @@ module "cloud_armor" { redirect_type = "GOOGLE_RECAPTCHA" } - "rate_ban_project_dropten" = { - action = "rate_based_ban" - priority = 13 - description = "Rate based ban for address from project dropten as soon as they cross rate limit threshold" - src_ip_ranges = ["190.217.68.213", "45.116.227.70", ] - rate_limit_options = { - ban_duration_sec = 120 - enforce_on_key = "ALL" - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - } - } - "rate_ban_project_dropthirty" = { action = "rate_based_ban" - priority = 14 + priority = 13 description = "Rate based ban for address from project dropthirty only if they cross banned threshold" src_ip_ranges = ["190.217.68.213", "45.116.227.70", ] rate_limit_options = { @@ -130,7 +70,7 @@ module "cloud_armor" { "throttle_project_droptwenty" = { action = "throttle" - priority = 15 + priority = 14 description = "Throttle IP addresses from project droptwenty" src_ip_ranges = ["190.217.68.214", "45.116.227.71", ] rate_limit_options = { @@ -151,15 +91,6 @@ module "cloud_armor" { '[US,AU,BE]'.contains(origin.region_code) EOT } - - deny_specific_ip = { - action = "deny(502)" - priority = 22 - description = "Deny Specific IP address" - expression = <<-EOT - inIpRange(origin.ip, '47.185.201.155/32') - EOT - } throttle_specific_ip = { action = "throttle" priority = 23 diff --git a/examples/global-backend-security-policy-complete/network.tf b/examples/global-backend-security-policy-complete/network.tf new file mode 100644 index 0000000..1f03c9f --- /dev/null +++ b/examples/global-backend-security-policy-complete/network.tf 
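Review bot: With `default_rule_action = "deny(502)"` the only allow rule is `allow_whitelisted_ip_ranges` with the hard-coded `src_ip_ranges = ["190.210.69.12", ]`, so anyone applying this example is denied by the policy until they edit main.tf, and the README hunk for this example does not say so; the regional example added in this commit takes the same list from `var.whitelisted_ingress_ip_ranges`. If the renamed variables.tf for this example declares that variable (its content is not in the diff), use `src_ip_ranges = var.whitelisted_ingress_ip_ranges` here as well. The module `description` still reads "with preconfigured rules, security rules and custom rules" although this hunk removes the entire `pre_configured_rules` map, so unless it is set elsewhere in the file the description (and the README title) should drop "preconfigured rules". The `module "cloud_armor"` block starts before this hunk.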
@@ -0,0 +1,147 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + network_name = "test-global-ca" + rfc1918_cidr_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", ] +} + +/****************************************** + Ranges for default firewall rules. + *****************************************/ + +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + + +module "test_vpc" { + source = "terraform-google-modules/network/google" + version = "~> 9.0" + project_id = var.project_id + network_name = local.network_name + + subnets = [ + { + subnet_name = "subnet-100" + subnet_ip = "10.10.100.0/24" + subnet_region = local.primary_region + }, + { + subnet_name = "subnet-200" + subnet_ip = "10.10.200.0/24" + subnet_region = local.secondary_region + }, + ] +} + +module "net_firewall" { + source = "terraform-google-modules/network/google//modules/fabric-net-firewall" + version = "~> 9.0" + project_id = module.test_vpc.project_id + network = module.test_vpc.network_name + ssh_source_ranges = [] + http_source_ranges = [] + https_source_ranges = [] + internal_ranges_enabled = true + internal_ranges = local.rfc1918_cidr_ranges + internal_allow = [ + { + protocol = "all" + }, + ] + 
custom_rules = { + ca-allow-ssh-from-iap = { + description = "Allow SSH access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [22] + }, + ] + extra_attributes = {} + } + ca-allow-rdp-from-iap = { + description = "Allow RDP access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [3389] + }, + { + protocol = "udp" + ports = [3389] + }, + ] + extra_attributes = {} + } + ca-allow-lb-healthcheck = { + description = "Allow Load balancer health check to all backends" + direction = "INGRESS" + action = "allow" + ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [] + }, + ] + extra_attributes = {} + } + } +} + +module "cloud_router" { + source = "terraform-google-modules/cloud-router/google" + version = "~> 6.0" + + name = "test-ca-${local.primary_region}-cr" + project = module.test_vpc.project_id + region = local.primary_region + network = module.test_vpc.network_self_link + nats = [{ + name = "test-ca-${local.primary_region}-nat" + source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" + min_ports_per_vm = 4096 + log_config = { + "filter" = "ERRORS_ONLY" + } + }, + ] +} diff --git a/examples/security-policy-all/outputs.tf b/examples/global-backend-security-policy-complete/outputs.tf similarity index 100% rename from examples/security-policy-all/outputs.tf rename to examples/global-backend-security-policy-complete/outputs.tf 
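Review bot: The `ca-allow-lb-healthcheck` rule sets `ports = []` with empty `targets`, which appears to open every TCP port from the health-checker ranges to every instance in the VPC, while the backend only serves the `http` named port; `ports = [80]` is sufficient. The `ca-allow-rdp-from-iap` rule opens 3389/tcp and 3389/udp although the only instance in this example is a Debian VM, so it is a dead allow that should be dropped or scoped with `targets` to Windows instances. The same two rules appear in the regional example's network.tf in this commit.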
diff --git a/examples/advanced-network-ddos-protection/variables.tf b/examples/global-backend-security-policy-complete/variables.tf similarity index 100% rename from examples/advanced-network-ddos-protection/variables.tf rename to examples/global-backend-security-policy-complete/variables.tf diff --git a/examples/global-backend-security-policy-complete/vm.tf b/examples/global-backend-security-policy-complete/vm.tf new file mode 100644 index 0000000..f7a9667 --- /dev/null +++ b/examples/global-backend-security-policy-complete/vm.tf 
@@ -0,0 +1,84 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +############## Available Zones #################### + +data "google_compute_zones" "available_primary" { + project = var.project_id + region = local.primary_region +} + +############## VM Images #################### + +data "google_compute_image" "debian_image" { + family = "debian-10" + project = "debian-cloud" +} + +############## Service Account for the VM #################### + +resource "google_service_account" "vm_service_account" { + project = var.project_id + account_id = "global-ca-web-svc-act" + display_name = "ca Web server service account" +} + +############## VM Instance #################### + +resource "google_compute_instance" "ca_vm_1" { + name = "global-ca-test-vm-${data.google_compute_zones.available_primary.names[0]}" + machine_type = "e2-micro" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + allow_stopping_for_update = true + + metadata_startup_script = "apt-get update -y;apt-get install -y nginx;" + + boot_disk { + initialize_params { + image = data.google_compute_image.debian_image.self_link + } + } + + network_interface { + subnetwork = module.test_vpc.subnets_names[0] + subnetwork_project = var.project_id + } + service_account { + email = google_service_account.vm_service_account.email + scopes = [ + "cloud-platform", + ] + } +} + +############## Instance Group #################### + 
+resource "google_compute_instance_group" "ca_vm_1_ig" { + name = "global-ca-ig-${data.google_compute_zones.available_primary.names[0]}" + description = "Web Instance group zone ${data.google_compute_zones.available_primary.names[0]}" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + + instances = [ + google_compute_instance.ca_vm_1.self_link, + ] + + named_port { + name = "http" + port = 80 + } +} diff --git a/examples/security-policy-managed-protection-plus/README.md b/examples/global-backend-security-policy-enterprise/README.md similarity index 83% rename from examples/security-policy-managed-protection-plus/README.md rename to examples/global-backend-security-policy-enterprise/README.md index 595fef7..9d19f0c 100644 --- a/examples/security-policy-managed-protection-plus/README.md +++ b/examples/global-backend-security-policy-enterprise/README.md @@ -1,6 +1,7 @@ -# Cloud Armor Policy with rules supported by [Cloud Armor Managed Protection Plus (CAMP+)](https://cloud.google.com/armor/docs/managed-protection-overview) +# Cloud Armor Policy with rules supported by [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) + +This example configures a single cloud armor policy with following types of rules which are only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview): -This example configures a single cloud armor policy with following types of rules: - Threat Intelligence Rules - Rule for Automatically deploying Adaptive Protection suggested rules diff --git a/examples/security-policy-managed-protection-plus/main.tf b/examples/global-backend-security-policy-enterprise/main.tf similarity index 100% rename from examples/security-policy-managed-protection-plus/main.tf rename to examples/global-backend-security-policy-enterprise/main.tf 
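Review bot: `data "google_compute_image" "debian_image"` pins `family = "debian-10"`, whose images reached end of life in 2024 and are deprecated on Compute Engine, so each CI run of this example builds an internet-facing backend on an unmaintained OS and the data source may fail once the family is retired; `family = "debian-12"` is the current supported family. The instance also has no `shielded_instance_config`; with a current image, `enable_secure_boot = true`, `enable_vtpm = true` and `enable_integrity_monitoring = true` cost nothing in an example. The `cloud-platform` scope is broad, but since no IAM roles are bound to `vm_service_account` in this diff it confers no permissions by itself; a comment saying so would save the next reader the check.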
diff --git a/examples/security-policy-edge/outputs.tf b/examples/global-backend-security-policy-enterprise/outputs.tf similarity index 100% rename from examples/security-policy-edge/outputs.tf rename to examples/global-backend-security-policy-enterprise/outputs.tf diff --git a/examples/network-edge-security-policy/variables.tf b/examples/global-backend-security-policy-enterprise/variables.tf similarity index 100% rename from examples/network-edge-security-policy/variables.tf rename to examples/global-backend-security-policy-enterprise/variables.tf diff --git a/examples/simple-example/README.md b/examples/global-backend-security-policy-example/README.md similarity index 100% rename from examples/simple-example/README.md rename to examples/global-backend-security-policy-example/README.md diff --git a/examples/simple-example/main.tf b/examples/global-backend-security-policy-example/main.tf similarity index 100% rename from examples/simple-example/main.tf rename to examples/global-backend-security-policy-example/main.tf diff --git a/examples/security-policy-managed-protection-plus/outputs.tf b/examples/global-backend-security-policy-example/outputs.tf similarity index 100% rename from examples/security-policy-managed-protection-plus/outputs.tf rename to examples/global-backend-security-policy-example/outputs.tf diff --git a/examples/security-policy-all/variables.tf b/examples/global-backend-security-policy-example/variables.tf similarity index 100% rename from examples/security-policy-all/variables.tf rename to examples/global-backend-security-policy-example/variables.tf diff --git a/examples/security-policy-recaptcha/README.md b/examples/global-backend-security-policy-recaptcha/README.md similarity index 100% rename from examples/security-policy-recaptcha/README.md rename to examples/global-backend-security-policy-recaptcha/README.md 
diff --git a/examples/security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf similarity index 100% rename from examples/security-policy-recaptcha/main.tf rename to examples/global-backend-security-policy-recaptcha/main.tf diff --git a/examples/security-policy-recaptcha/outputs.tf b/examples/global-backend-security-policy-recaptcha/outputs.tf similarity index 100% rename from examples/security-policy-recaptcha/outputs.tf rename to examples/global-backend-security-policy-recaptcha/outputs.tf diff --git a/examples/security-policy-edge/variables.tf b/examples/global-backend-security-policy-recaptcha/variables.tf similarity index 100% rename from examples/security-policy-edge/variables.tf rename to examples/global-backend-security-policy-recaptcha/variables.tf diff --git a/examples/security-policy-all/README.md b/examples/global-edge-security-policy/README.md similarity index 74% rename from examples/security-policy-all/README.md rename to examples/global-edge-security-policy/README.md index 528f3e8..e51d288 100644 --- a/examples/security-policy-all/README.md +++ b/examples/global-edge-security-policy/README.md @@ -1,9 +1,6 @@ -# Cloud Armor Policy with preconfigured rules, custom rules and security rules +# Global Cloud Armor Edge Security Policy with custom rule -This example configures a single cloud armor policy with following types of rules: -- Pre-configured rules -- Custom rules -- Security rules +This example configures a single [Global Cloud Armor Edge Security Policy](https://cloud.google.com/armor/docs/security-policy-overview#edge-policies) with a custom rule. ## Usage diff --git a/examples/security-policy-edge/main.tf b/examples/global-edge-security-policy/main.tf similarity index 100% rename from examples/security-policy-edge/main.tf rename to examples/global-edge-security-policy/main.tf 
diff --git a/examples/simple-example/outputs.tf b/examples/global-edge-security-policy/outputs.tf similarity index 100% rename from examples/simple-example/outputs.tf rename to examples/global-edge-security-policy/outputs.tf diff --git a/examples/security-policy-managed-protection-plus/variables.tf b/examples/global-edge-security-policy/variables.tf similarity index 100% rename from examples/security-policy-managed-protection-plus/variables.tf rename to examples/global-edge-security-policy/variables.tf diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md b/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md new file mode 100644 index 0000000..641c857 --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md 
@@ -0,0 +1,46 @@ +# End to end example for Cloud Armor Advanced Network DDoS Protection & Network Edge Security Policy + +This example performs the following: +- Network (VPC/Subnets/Firewall-rules/NAT). +- Enables `advanced network DDoS protection` in two regions `us-central1` and `us-east1`. +- Creates a `network edge security policy` in `us-central1`. +- Creates a VM instance behind a `network load balancer`. +- Attaches `network edge security policy` to the backend service. + +Advanced network DDoS protection and network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) + +## Usage + +To run this example you need to execute: + +```bash +YOUR_EXTERNAL_IP = "47.189.14.147/32" +export TF_VAR_project_id="your_project_id" +export TF_VAR_whitelisted_ingress_ip_ranges=[\"${YOUR_EXTERNAL_IP}\"] +``` + +```bash +terraform init +terraform plan +terraform apply +``` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| project\_id | The project in which the resource belongs | `string` | n/a | yes | +| whitelisted\_ingress\_ip\_ranges | whitelisted ingress ip ranges. Replace it with your own IP address | `list(string)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| adv\_ddos\_protection\_policies | Advanced Network DDoS protection Security policies created | +| network\_edge\_security\_services | Network edge security services created | +| policy\_rules | Security policy rules created | +| security\_policy | Regional Network Security policy created | +| test\_nlb\_url | Use this command to test access to the load balancer. Try it from the IP address provided in whitelisted\_ingress\_ip\_ranges and a different IP address | + + 
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf new file mode 100644 index 0000000..b1be03f --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf 
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ primary_region = "us-central1"
+ secondary_region = "us-east1"
+}
+
+resource "random_id" "suffix" {
+ byte_length = 4
+}
+
+module "advanced_network_ddos_protection" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ regions = [local.primary_region, local.secondary_region]
+ policy_name = "test-adv-network-ddos-protection-${random_id.suffix.hex}"
+ network_edge_security_service_name = "test-network-edge-security-svc-${random_id.suffix.hex}"
+}
+
+module "network_edge_security_policy" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ region = local.primary_region
+ policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}-${local.primary_region}"
+
+ policy_rules = [
+ {
+ priority = 100
+ action = "allow"
+ preview = false
+ description = "custom rule 100"
+ src_ip_ranges = var.whitelisted_ingress_ip_ranges
+ src_region_codes = ["US"]
+ dest_ports = [80]
+ },
+ {
+ priority = 2147483646
+ action = "deny"
+ preview = false
+ src_ip_ranges = ["*"]
+ },
+ ]
+ depends_on = [
+ module.advanced_network_ddos_protection
+ ]
+}
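Review bot: The `priority = 100` allow rule combines `src_ip_ranges = var.whitelisted_ingress_ip_ranges` with `src_region_codes = ["US"]`, and in a network edge security policy every match field given must match, so an allow-listed address that geolocates outside the US still falls through to the `2147483646` deny rule; the README only says to supply your own IP. Either document it above the rule, e.g. `# Match fields are ANDed: the allow-listed address must also geolocate to US`, or drop `src_region_codes` so the allow-list alone decides. The catch-all deny has no `description` while the allow rule does; `description = "default deny"` keeps the rules consistent and readable in the console.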
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf new file mode 100644 index 0000000..369638b --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf 
@@ -0,0 +1,163 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + network_name = "test-ca-regional-enterprise" + rfc1918_cidr_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", ] +} + +/****************************************** + Ranges for default firewall rules. + *****************************************/ + +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + + +module "test_vpc" { + source = "terraform-google-modules/network/google" + version = "~> 9.0" + project_id = var.project_id + network_name = local.network_name + + subnets = [ + { + subnet_name = "subnet-100" + subnet_ip = "10.10.100.0/24" + subnet_region = local.primary_region + }, + { + subnet_name = "subnet-200" + subnet_ip = "10.10.200.0/24" + subnet_region = local.secondary_region + }, + ] +} + +module "net_firewall" { + source = "terraform-google-modules/network/google//modules/fabric-net-firewall" + version = "~> 9.0" + project_id = module.test_vpc.project_id + network = module.test_vpc.network_name + ssh_source_ranges = [] + http_source_ranges = [] + https_source_ranges = [] + internal_ranges_enabled = true + internal_ranges = local.rfc1918_cidr_ranges + internal_allow = [ + { + protocol = "all" 
+ }, + ] + custom_rules = { + ca-allow-ssh-from-iap = { + description = "Allow SSH access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [22] + }, + ] + extra_attributes = {} + } + ca-allow-rdp-from-iap = { + description = "Allow RDP access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [3389] + }, + { + protocol = "udp" + ports = [3389] + }, + ] + extra_attributes = {} + } + ca-allow-lb-healthcheck = { + description = "Allow Load balancer health check to all backends" + direction = "INGRESS" + action = "allow" + ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [] + }, + ] + extra_attributes = {} + } + ca-all-ip-address = { + description = "Allow traffic from whitelisted CIDRs" + direction = "INGRESS" + action = "allow" + ranges = ["0.0.0.0/0"] + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = ["80", "443"] + }, + ] + extra_attributes = {} + } + } +} + +module "cloud_router" { + source = "terraform-google-modules/cloud-router/google" + version = "~> 6.0" + + name = "test-ca-${local.primary_region}-cr" + project = module.test_vpc.project_id + region = local.primary_region + network = module.test_vpc.network_self_link + nats = [{ + name = "test-ca-${local.primary_region}-nat" + source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" + min_ports_per_vm = 4096 + log_config = { + "filter" = "ERRORS_ONLY" + } + }, + ] 
+} diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf new file mode 100644 index 0000000..3c727d6 --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf 
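Review bot: The `ca-all-ip-address` rule is described as "Allow traffic from whitelisted CIDRs" but its `ranges` is `["0.0.0.0/0"]` with empty `targets`, so it opens 80/443 from the internet to every instance in `test-ca-regional-enterprise`, not only the load-balanced VM; the allow-list is enforced solely by the network edge security policy on the backend service. If relying on the policy is the intent, make the description say so, e.g. `description = "Allow HTTP/HTTPS from anywhere; source filtering is done by the network edge security policy"`, and scope the rule to the backend VM via `targets` (or `use_service_accounts = true` with the VM's service account) so other instances added to this VPC are not exposed. The `ports = []` health-check rule here has the same all-ports issue raised on the global example's network.tf.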
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+############## Health Check ####################
+resource "google_compute_region_health_check" "default" {
+ name = "ca-http-region-health-check"
+ project = var.project_id
+ region = local.primary_region
+
+ timeout_sec = 1
+ check_interval_sec = 1
+
+ http_health_check {
+ port = "80"
+ }
+ log_config {
+ enable = true
+ }
+}
+
+############ Backend service on the instance group ###################
+
+resource "google_compute_region_backend_service" "backend" {
+ provider = google-beta
+ project = var.project_id
+ name = "ca-website-backend-svc"
+ region = local.primary_region
+ load_balancing_scheme = "EXTERNAL"
+ health_checks = [google_compute_region_health_check.default.id]
+ backend {
+ group = google_compute_instance_group.ca_vm_1_ig.self_link
+ }
+
+ log_config {
+ enable = true
+ sample_rate = 0.5
+ }
+ ## Attach Cloud Armor policy to the backend service
+ security_policy = module.network_edge_security_policy.security_policy.self_link
+}
+
+############## Forwarding rule ####################
+
+resource "google_compute_forwarding_rule" "default" {
+ provider = google-beta
+ project = var.project_id
+ name = "ca-website-forwarding-rule"
+ region = local.primary_region
+ port_range = 80
+ backend_service = google_compute_region_backend_service.backend.id
+}
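Review bot: `sample_rate = 0.5` in the backend service `log_config` discards half of the traffic from the load-balancer logs, so the allowed/denied probes that outputs.tf's `test_nlb_url` asks the user to run may simply never show up; an example whose point is to demonstrate the edge policy acting on traffic should log everything, `sample_rate = 1.0`, with a comment that it is a demo setting to lower in production. The forwarding rule leaves `ip_protocol` and `load_balancing_scheme` to provider defaults and passes `port_range = 80` as a number; writing `load_balancing_scheme = "EXTERNAL"`, `ip_protocol = "TCP"` and `port_range = "80"` documents that this is the external passthrough path the network edge policy is meant for. A comment above `security_policy = …` such as `# A passthrough NLB preserves the client source IP; the VPC firewall must also admit the intended clients, the policy alone is not enough` would head off the usual "rule allows but traffic is still dropped" confusion. `timeout_sec = 1` / `check_interval_sec = 1` is the tightest health-check cadence allowed and fine for a demo, but deserves a note so it is not copied into production as-is.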
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf
new file mode 100644
index 0000000..f07b480
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf
@@ -0,0 +1,40 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "adv_ddos_protection_policies" {
+ value = module.advanced_network_ddos_protection.adv_ddos_protection_policies
+ description = "Advanced Network DDoS protection Security policies created"
+}
+
+output "network_edge_security_services" {
+ value = module.advanced_network_ddos_protection.network_edge_security_services
+ description = "Network edge security services created"
+}
+
+output "security_policy" {
+ value = module.network_edge_security_policy.security_policy
+ description = "Regional Network Security policy created"
+}
+
+output "policy_rules" {
+ value = module.network_edge_security_policy.policy_rules
+ description = "Security policy rules created"
+}
+
+output "test_nlb_url" {
+ value = "curl http://${google_compute_forwarding_rule.default.ip_address}"
+ description = "Use this command to test access to the load balancer. Try it from the IP address provided in whitelisted_ingress_ip_ranges and a different IP address"
+}
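Review bot: `test_nlb_url` holds a shell command (`curl http://…`) rather than a URL, so the name misleads and neither a script nor the integration test can consume the value without stripping the `curl ` prefix; emit the address, `value = "http://${google_compute_forwarding_rule.default.ip_address}"`, and keep the curl invocation in the description or README. The description is the only place that tells the user how to actually verify enforcement (probe from an address in `whitelisted_ingress_ip_ranges` and from one outside it), so it would be worth stating that the expected outcome is a connection that succeeds from the first and times out from the second, assuming the policy's default action is deny, which is not visible in this hunk.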
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
new file mode 100644
index 0000000..d813d82
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ tf_sa = "gcp-sinprj-terraform@sinprj.iam.gserviceaccount.com"
+}
+
+/******************************************
+ Provider credential configuration
+ *****************************************/
+provider "google" {
+ impersonate_service_account = local.tf_sa
+}
+
+provider "google-beta" {
+ impersonate_service_account = local.tf_sa
+}
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf
new file mode 100644
index 0000000..ab824e1
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf
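Review bot: `tf_sa` hard-codes `gcp-sinprj-terraform@sinprj.iam.gserviceaccount.com`, a service account living in one specific project, so `impersonate_service_account` fails with a permission error for anyone who is not a token creator on that account, and the published example leaks an internal project and service-account name; the 2020 copyright on an otherwise 2024 file suggests it was copied over from a private workspace. Either drop provider.tf and let Application Default Credentials (or the CI harness) supply identity, which is what the other example directories in this diff appear to rely on, or make it opt-in: `variable "terraform_service_account" { type = string, default = null }` and `impersonate_service_account = var.terraform_service_account` in both provider blocks. Note that none of the example's other files reference `local.tf_sa`, so removing the file is self-contained.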
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project in which the resource belongs"
+ type = string
+}
+
+variable "whitelisted_ingress_ip_ranges" {
+ description = "whitelisted ingress ip ranges. Replace it with your own IP address"
+ type = list(string)
+}
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf
new file mode 100644
index 0000000..afb9cb7
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf
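Review bot: `whitelisted_ingress_ip_ranges` is, per its description and the `test_nlb_url` output, the allow list the edge security policy matches on, yet it accepts any list of strings, including an empty list or `0.0.0.0/0`, which would turn the allow rule into a no-op or a wildcard without any warning; a `validation` block that rejects catch-all ranges and an empty list surfaces that at plan time instead of after deploy. Entries may be bare addresses as well as CIDRs (the description says "your own IP address"), so the check below deliberately does not insist on a prefix length. The description could also say explicitly that the value feeds the policy's allow rule, since right now the word "whitelisted" is the only hint.
```hcl
variable "whitelisted_ingress_ip_ranges" {
  description = "whitelisted ingress ip ranges. Replace it with your own IP address"
  type        = list(string)

  validation {
    condition     = length(var.whitelisted_ingress_ip_ranges) > 0 && !contains(var.whitelisted_ingress_ip_ranges, "0.0.0.0/0") && !contains(var.whitelisted_ingress_ip_ranges, "::/0")
    error_message = "whitelisted_ingress_ip_ranges must be a non-empty list and must not contain a catch-all range (0.0.0.0/0 or ::/0)."
  }
}
```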
@@ -0,0 +1,79 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+############## Available Zones ####################
+
+data "google_compute_zones" "available_primary" {
+ project = var.project_id
+ region = local.primary_region
+}
+
+############## VM Images ####################
+
+data "google_compute_image" "debian_image" {
+ family = "debian-10"
+ project = "debian-cloud"
+}
+
+############## Service Account for the VM ####################
+
+resource "google_service_account" "vm_service_account" {
+ project = var.project_id
+ account_id = "ca-web-svc-act"
+ display_name = "ca Web server service account"
+}
+
+############## VM Instance ####################
+
+resource "google_compute_instance" "ca_vm_1" {
+ name = "ca-test-vm-${data.google_compute_zones.available_primary.names[0]}"
+ machine_type = "e2-micro"
+ zone = data.google_compute_zones.available_primary.names[0]
+ project = var.project_id
+ allow_stopping_for_update = true
+
+ metadata_startup_script = "apt-get update -y;apt-get install -y nginx;"
+
+ boot_disk {
+ initialize_params {
+ image = data.google_compute_image.debian_image.self_link
+ }
+ }
+
+ network_interface {
+ subnetwork = module.test_vpc.subnets_names[0]
+ subnetwork_project = var.project_id
+ }
+ service_account {
+ email = google_service_account.vm_service_account.email
+ scopes = [
+ "cloud-platform",
+ ]
+ }
+}
+
+############## Instance Group ####################
+
+resource 
"google_compute_instance_group" "ca_vm_1_ig" { + name = "ca-ig-${data.google_compute_zones.available_primary.names[0]}" + description = "Web Instance group zone ${data.google_compute_zones.available_primary.names[0]}" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + + instances = [ + google_compute_instance.ca_vm_1.self_link, + ] +} diff --git a/examples/advanced-network-ddos-protection/README.md b/examples/regional-advanced-network-ddos-protection-enterprise/README.md similarity index 80% rename from examples/advanced-network-ddos-protection/README.md rename to examples/regional-advanced-network-ddos-protection-enterprise/README.md index c0efd4a..c6eda25 100644 --- a/examples/advanced-network-ddos-protection/README.md +++ b/examples/regional-advanced-network-ddos-protection-enterprise/README.md @@ -1,6 +1,6 @@ # Enable Cloud Armor Advanced Network DDoS Protection -This example enables a advanced network DDoS protection in two regions. Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) +This example enables a advanced network DDoS protection in two regions `us-central1` and `us-east1`. Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) ## Usage diff --git a/examples/advanced-network-ddos-protection/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf similarity index 97% rename from examples/advanced-network-ddos-protection/main.tf rename to examples/regional-advanced-network-ddos-protection-enterprise/main.tf index e390661..c24028c 100644 --- a/examples/advanced-network-ddos-protection/main.tf +++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/examples/advanced-network-ddos-protection/outputs.tf b/examples/regional-advanced-network-ddos-protection-enterprise/outputs.tf similarity index 97% rename from examples/advanced-network-ddos-protection/outputs.tf rename to examples/regional-advanced-network-ddos-protection-enterprise/outputs.tf index a5e0190..e134108 100644 --- a/examples/advanced-network-ddos-protection/outputs.tf +++ b/examples/regional-advanced-network-ddos-protection-enterprise/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/examples/security-policy-recaptcha/variables.tf b/examples/regional-advanced-network-ddos-protection-enterprise/variables.tf similarity index 95% rename from examples/security-policy-recaptcha/variables.tf rename to examples/regional-advanced-network-ddos-protection-enterprise/variables.tf index e11d5d8..8221296 100644 --- a/examples/security-policy-recaptcha/variables.tf +++ b/examples/regional-advanced-network-ddos-protection-enterprise/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/examples/network-edge-security-policy/README.md b/examples/regional-network-edge-security-policy-enterprise/README.md similarity index 65% rename from examples/network-edge-security-policy/README.md rename to examples/regional-network-edge-security-policy-enterprise/README.md index 04e3a02..1f8badf 100644 --- a/examples/network-edge-security-policy/README.md 
+++ b/examples/regional-network-edge-security-policy-enterprise/README.md @@ -1,6 +1,6 @@ # Enable Cloud Armor Network Edge Security Policy -This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [example](../advanced-network-ddos-protection/) sub-module to deploy advanced newtork ddos protection. +This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this sub-module](../advanced-network-ddos-protection/) to enable `advanced network ddos protection `. See [example](../regional-advanced-network-ddos-protection-enterprise/) for enabling advanced newtork ddos protection. If you need an end to end example for deploying security policy and attach it to backend service see [complete example](../regional-adv-ddos-and-edge-security-policy-complete/) ## Usage @@ -27,6 +27,7 @@ terraform apply | Name | Description | |------|-------------| +| network\_edge\_security\_policy\_no\_rules | Regional Network Security policy created | | policy\_rules | Security policy rules created | | security\_policy | Regional Network Security policy created | diff --git a/examples/network-edge-security-policy/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf similarity index 86% rename from examples/network-edge-security-policy/main.tf rename to examples/regional-network-edge-security-policy-enterprise/main.tf index ba70fb5..b148c47 100644 
--- a/examples/network-edge-security-policy/main.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -82,3 +82,12 @@ module "network_edge_security_policy" {
 },
 ]
 }
+
+module "network_edge_security_policy_no_rules" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ region = "us-central1"
+ policy_name = "nw-edge-security-policy-no-rules${random_id.suffix.hex}"
+}
diff --git a/examples/network-edge-security-policy/outputs.tf b/examples/regional-network-edge-security-policy-enterprise/outputs.tf
similarity index 79%
rename from examples/network-edge-security-policy/outputs.tf
rename to examples/regional-network-edge-security-policy-enterprise/outputs.tf
index 7e6b1b4..630da4f 100644
--- a/examples/network-edge-security-policy/outputs.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,3 +23,8 @@ output "policy_rules" {
 value = module.network_edge_security_policy.policy_rules
 description = "Security policy rules created"
 }
+
+output "network_edge_security_policy_no_rules" {
+ value = module.network_edge_security_policy_no_rules.security_policy
+ description = "Regional Network Security policy created"
+}
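Review bot: `module "network_edge_security_policy_no_rules"` creates a `CLOUD_ARMOR_NETWORK` policy with no `policy_rules`, and nothing in the hunk says why; a reader of an "enterprise" example may take it as a minimal protected configuration, when a policy without rules filters nothing until rules are added and it is attached to a backend service (the module README in this same diff describes rules as optional). A comment above the block, `# Exercises the module's optional policy_rules path; this policy has no rules and enforces nothing until rules are added and it is attached to a backend service`, makes the intent explicit and stops it being copied as a template. Separately, `"nw-edge-security-policy-no-rules${random_id.suffix.hex}"` runs the random hex straight into the name; a hyphen before `${…}` keeps the generated name readable and presumably matches how the first module's `policy_name` is built, which is outside the hunk. `random_id.suffix` is assumed to be declared above this hunk.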
diff --git a/examples/simple-example/variables.tf b/examples/regional-network-edge-security-policy-enterprise/variables.tf similarity index 95% rename from examples/simple-example/variables.tf rename to examples/regional-network-edge-security-policy-enterprise/variables.tf index e11d5d8..8221296 100644 --- a/examples/simple-example/variables.tf +++ b/examples/regional-network-edge-security-policy-enterprise/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index e82b070..c8653e8 100644 --- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md 
@@ -1,7 +1,7 @@ # Cloud Armor Terraform Module for Network Edge Security Policy -This module creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) in specified region. Network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this](../advanced-network-ddos-protection/) sub-module to deploy `advanced network ddos protection `. +This module creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) in specified region. Network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this sub-module](../advanced-network-ddos-protection/) to enable `advanced network ddos protection `. -You can attch network edge security policy to [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. Network edge security policy supports [byte offset filtering](https://cloud.google.com/armor/docs/network-edge-policies#byte-offset). This module creates security policy of type `CLOUD_ARMOR_NETWORK` optionally attach security policy rules to the policy. +You can attch network edge security policy to backend services of [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network). 
Network edge security policy supports [byte offset filtering](https://cloud.google.com/armor/docs/network-edge-policies#byte-offset). This module creates security policy of type `CLOUD_ARMOR_NETWORK` optionally attach security policy rules to the policy. ## Module Format @@ -100,7 +100,7 @@ module "network_edge_security_policy" { |------|-------------|------|---------|:--------:| | policy\_description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no | | policy\_name | Name of the advanced network ddos protection security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no | -| policy\_rules | Policy Rules |
list(object({| `null` | no | +| policy\_rules | Policy Rules |
priority = number
action = string
preview = optional(bool)
description = optional(string)
src_ip_ranges = optional(list(string))
src_asns = optional(list(string))
src_region_codes = optional(list(string))
ip_protocols = optional(list(string))
src_ports = optional(list(string))
dest_ports = optional(list(string))
dest_ip_ranges = optional(list(string))
user_defined_fields = optional(list(object({
name = optional(string)
values = optional(list(string))
})))
}))
list(object({| `null` | no | | policy\_user\_defined\_fields | Definitions of user-defined fields for CLOUD\_ARMOR\_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits |
priority = number
action = string
preview = optional(bool)
description = optional(string)
ip_protocols = optional(list(string))
src_ip_ranges = optional(list(string))
src_asns = optional(list(string))
src_region_codes = optional(list(string))
src_ports = optional(list(string))
dest_ports = optional(list(string))
dest_ip_ranges = optional(list(string))
user_defined_fields = optional(list(object({
name = optional(string)
values = optional(list(string))
})))
}))
list(object({| `null` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | | region | The region in which enablesecurity policy is created | `string` | n/a | yes | diff --git a/modules/network-edge-security-policy/main.tf b/modules/network-edge-security-policy/main.tf index d771da2..786cd33 100644 --- a/modules/network-edge-security-policy/main.tf +++ b/modules/network-edge-security-policy/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -48,7 +48,8 @@ resource "google_compute_region_security_policy_rule" "policy_rules" { description = each.value.description priority = each.value.priority network_match { - src_ip_ranges = lookup(each.value, "source_ip_ranges", null) + src_ip_ranges = lookup(each.value, "src_ip_ranges", null) + src_ports = lookup(each.value, "src_ports", null) src_asns = lookup(each.value, "src_asns", null) src_region_codes = lookup(each.value, "src_region_codes", null) ip_protocols = lookup(each.value, "ip_protocols", null) diff --git a/modules/network-edge-security-policy/outputs.tf b/modules/network-edge-security-policy/outputs.tf index 830a35d..eb6cad3 100644 --- a/modules/network-edge-security-policy/outputs.tf +++ b/modules/network-edge-security-policy/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/network-edge-security-policy/variables.tf b/modules/network-edge-security-policy/variables.tf index c89408e..03528d6 100644 --- a/modules/network-edge-security-policy/variables.tf +++ b/modules/network-edge-security-policy/variables.tf 
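Review bot: the corrected key in `src_ip_ranges = lookup(each.value, "src_ip_ranges", null)` fixes a silent failure, not a cosmetic one: `"source_ip_ranges"` never existed in `var.policy_rules`, so `lookup(…, null)` returned null and every rule was created without its source-IP constraint, matching more traffic than the caller asked for. The same masking remains for every other attribute in `network_match`; because `policy_rules` is a typed object whose fields are `optional(...)`, the keys always exist and a mistyped lookup string just yields null again, whereas `src_ip_ranges = each.value.src_ip_ranges` (likewise `src_ports`, `src_asns`, `src_region_codes`, `ip_protocols`) turns a misspelt attribute into a plan-time error. The `network_match` block and the resource continue past the hunk, and `dest_ports`, `dest_ip_ranges` and `user_defined_fields` from the variable schema are not visible here, so confirm they are wired below. An integration assertion on the created rule's source ranges for the regional policy, as the global test already does with `match.config.srcIpRanges`, would catch this class of regression.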
@@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -56,10 +56,10 @@ variable "policy_rules" { action = string preview = optional(bool) description = optional(string) + ip_protocols = optional(list(string)) src_ip_ranges = optional(list(string)) src_asns = optional(list(string)) src_region_codes = optional(list(string)) - ip_protocols = optional(list(string)) src_ports = optional(list(string)) dest_ports = optional(list(string)) dest_ip_ranges = optional(list(string)) diff --git a/modules/network-edge-security-policy/versions.tf b/modules/network-edge-security-policy/versions.tf index 316d975..97df529 100644 --- a/modules/network-edge-security-policy/versions.tf +++ b/modules/network-edge-security-policy/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/test/integration/security-policy-all/security_policy_test.go b/test/integration/global-backend-security-policy-complete/security_policy_test.go similarity index 56% rename from test/integration/security-policy-all/security_policy_test.go rename to test/integration/global-backend-security-policy-complete/security_policy_test.go index c4e0fd7..c25de85 100644 --- a/test/integration/security-policy-all/security_policy_test.go +++ b/test/integration/global-backend-security-policy-complete/security_policy_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package security_policy +package security_policy_all import ( "fmt" 
@@ -23,7 +23,7 @@ import ( "github.com/stretchr/testify/assert" ) -func TestSecurityPolicyAll(t *testing.T) { +func TestGlobalSecurityPolicyComplete(t *testing.T) { casp := tft.NewTFBlueprintTest(t) casp.DefineVerify(func(assert *assert.Assertions) { 
@@ -38,66 +38,16 @@ func TestSecurityPolicyAll(t *testing.T) { assert.Equal(policyName, pname, "has expected name") } - // Rule 1 - spRule1 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 1 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule1.Array() { - assert.Equal("deny(502)", sp.Get("action").String(), "priority 1 rule has expected action") - assert.Equal("evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4})", sp.Get("match.expr.expression").String(), "priority 1 rule has expected rule expression") - assert.Empty(sp.Get("description").String(), "priority 1 rule has expected description") - assert.False(sp.Get("preview").Bool(), "priority 1 rule Preview is set to False") - } - - // Rule 2 - spRule2 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 2 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule2.Array() { - assert.True(sp.Get("preview").Bool(), "priority 2 rule Preview is set to True") - assert.Equal("throttle", sp.Get("action").String(), "priority 2 rule has expected action") - assert.Equal("XSS Sensitivity Level 2 with excluded rules", sp.Get("description").String(), "priority 2 rule has expected description") - assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 2 rule has expected Rate limit confirm action") - assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 2 rule has expected Rate limit enforce on key") - assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 2 rule has expected Rate limit exceed action") - assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 2 rule has expected Rate limit threshold count") - assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 2 rule has expected Rate limit threshold interval") - } - - // Rule 3 - spRule3 := gcloud.Run(t, 
fmt.Sprintf("compute security-policies rules describe 3 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule3.Array() { - assert.False(sp.Get("preview").Bool(), " priority 3 rule Preview is set to False") - assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 3 rule has expected action") - assert.Equal("PHP Sensitivity Level 1 with included rules", sp.Get("description").String(), "priority 3 rule has expected description") - assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 3 rule has expected Rate limit confirm action") - assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 3 rule has expected Rate limit enforce on key") - assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 3 rule has expected Rate limit exceed action") - assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 3 rule has expected Rate limit threshold count") - assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 3 rule has expected Rate limit threshold interval") - assert.Equal("600", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 3 rule has expected Rate limit ban duration") - assert.Equal("1000", sp.Get("rateLimitOptions.banThreshold.count").String(), "priority 3 rule has expected Rate limit ban threshold count") - assert.Equal("300", sp.Get("rateLimitOptions.banThreshold.intervalSec").String(), "priority 3 rule has expected Rate limit ban threshold interval") - } - - // Rule 4 - spRule4 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 4 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule4.Array() { - assert.False(sp.Get("preview").Bool(), "priority 4 rule Preview is set to False") - assert.Equal("redirect", sp.Get("action").String(), "priority 4 rule has expected action") - assert.Equal("Remote file 
inclusion 4", sp.Get("description").String(), "priority 4 rule has expected description") - assert.Equal("evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 4})", sp.Get("match.expr.expression").String(), "priority 1 rule has expected rule expression") - assert.Equal("GOOGLE_RECAPTCHA", sp.Get("redirectOptions.type").String(), "priority 4 rule has expected redirect type") - } - // Rule 11 spRule11 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 11 --security-policy=%s --project %s", policyName, projectId)) for _, sp := range spRule11.Array() { - assert.True(sp.Get("preview").Bool(), "priority 11 rule Preview is set to True") - assert.Equal("deny(502)", sp.Get("action").String(), "priority 11 rule has expected action") - assert.Equal("Deny Malicious IP address from project honeypot", sp.Get("description").String(), "priority 11 rule has expected description") - assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 11 rule has expected redirect type") + assert.False(sp.Get("preview").Bool(), "priority 11 rule Preview is set to False") + assert.Equal("allow", sp.Get("action").String(), "priority 11 rule has expected action") + assert.Equal("Allow whitelisted IP address ranges", sp.Get("description").String(), "priority 11 rule has expected description") srcIpRanges := sp.Get("match.config.srcIpRanges").Array() - assert.Equal(2, len(srcIpRanges), "found only 2 IP address") - assert.Equal(srcIpRanges[0].String(), "190.217.68.211", "priority 11 rule found first valid cidr range") - assert.Equal(srcIpRanges[1].String(), "45.116.227.68", "priority 11 rule found second valid cidr range") + assert.Equal(1, len(srcIpRanges), "found only 2 IP address") + assert.Equal(srcIpRanges[0].String(), "190.210.69.12", "priority 11 rule found first valid cidr range") } // Rule 12 
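Review bot: the new assertion `assert.Equal(1, len(srcIpRanges), "found only 2 IP address")` keeps the old message while the expected count changed to 1, so a failure prints a misleading reason; use `"priority 11 rule has exactly 1 IP address"`. The next line has the testify argument order reversed (expected comes first), `assert.Equal("190.210.69.12", srcIpRanges[0].String(), "priority 11 rule found first valid cidr range")`, otherwise the failure output labels the literal as the actual value; the priority 13 and 14 range checks in the following hunks have the same inversion. The test now pins the global example's allow rule to a single literal address, presumably fed from `whitelisted_ingress_ip_ranges` in the test fixture, so a short comment naming that source would keep the two from drifting apart silently. The enclosing `TestGlobalSecurityPolicyComplete` starts and ends outside this hunk.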
@@ -120,14 +70,14 @@ func TestSecurityPolicyAll(t *testing.T) { for _, sp := range spRule13.Array() { assert.False(sp.Get("preview").Bool(), "priority 13 rule Preview is set to False") assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 13 rule has expected action") - assert.Equal("Rate based ban for address from project dropten as soon as they cross rate limit threshold", sp.Get("description").String(), "priority 13 rule has expected description") + assert.Equal("Rate based ban for address from project dropthirty only if they cross banned threshold", sp.Get("description").String(), "priority 13 rule has expected description") assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 13 rule has expected redirect type") srcIpRanges := sp.Get("match.config.srcIpRanges").Array() assert.Equal(2, len(srcIpRanges), "priority 13 rule found only 2 IP address") assert.Equal(srcIpRanges[0].String(), "45.116.227.70", "priority 13 rule found first valid cidr range") assert.Equal(srcIpRanges[1].String(), "190.217.68.213", "priority 13 rule found second valid cidr range") - assert.Equal("120", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 13 rule has Rate limit ban duration") + assert.Equal("300", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 13 rule has Rate limit ban duration") assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 13 rule has Rate limit confirm action") assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 13 rule has Rate limit Enforce on key") assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 13 rule has Rate limit exceed action") 
@@ -139,43 +89,21 @@ func TestSecurityPolicyAll(t *testing.T) {
 spRule14 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 14 --security-policy=%s --project %s", policyName, projectId))
 for _, sp := range spRule14.Array() {
 assert.False(sp.Get("preview").Bool(), "priority 14 rule Preview is set to False")
- assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 14 rule has expected action")
- assert.Equal("Rate based ban for address from project dropthirty only if they cross banned threshold", sp.Get("description").String(), "priority 14 rule has expected description")
+ assert.Equal("throttle", sp.Get("action").String(), "priority 14 rule has expected action")
+ assert.Equal("Throttle IP addresses from project droptwenty", sp.Get("description").String(), "priority 14 rule has expected description")
 assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 14 rule has expected redirect type")
 
 srcIpRanges := sp.Get("match.config.srcIpRanges").Array()
 assert.Equal(2, len(srcIpRanges), "priority 14 rule found only 2 IP address")
- assert.Equal(srcIpRanges[0].String(), "45.116.227.70", "priority 14 rule found first valid cidr range")
- assert.Equal(srcIpRanges[1].String(), "190.217.68.213", "priority 14 rule found second valid cidr range")
- assert.Equal("300", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 14 rule has Rate limit ban duration")
- assert.Equal("1000", sp.Get("rateLimitOptions.banThreshold.count").String(), "priority 14 rule has Rate limit threshold count")
- assert.Equal("300", sp.Get("rateLimitOptions.banThreshold.intervalSec").String(), "priority 14 rule has Rate limit threshold interval")
+ assert.Equal(srcIpRanges[0].String(), "45.116.227.71", "priority 14 rule found first valid cidr range")
+ assert.Equal(srcIpRanges[1].String(), "190.217.68.214", "priority 14 rule found second valid cidr range")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 14 rule has Rate limit confirm action")
- assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 14 rule has Rate limit Enforce on key")
+ assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 14 rule has Rate limit Enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 14 rule has Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 14 rule has Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 14 rule has Rate limit threshold interval")
 }
 
- // Rule 15
- spRule15 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 15 --security-policy=%s --project %s", policyName, projectId))
- for _, sp := range spRule15.Array() {
- assert.False(sp.Get("preview").Bool(), "priority 15 rule Preview is set to False")
- assert.Equal("throttle", sp.Get("action").String(), "priority 15 rule has expected action")
- assert.Equal("Throttle IP addresses from project droptwenty", sp.Get("description").String(), "priority 15 rule has expected description")
- assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 15 rule has expected redirect type")
-
- srcIpRanges := sp.Get("match.config.srcIpRanges").Array()
- assert.Equal(2, len(srcIpRanges), "priority 15 rule found only 2 IP address")
- assert.Equal(srcIpRanges[0].String(), "45.116.227.71", "priority 15 rule found first valid cidr range")
- assert.Equal(srcIpRanges[1].String(), "190.217.68.214", "priority 15 rule found second valid cidr range")
- assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 15 rule has Rate limit confirm action")
- assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 15 rule has Rate limit Enforce on key")
- assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 15 rule has Rate limit exceed action")
- assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 15 rule has Rate limit threshold count")
- assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 15 rule has Rate limit threshold interval")
- }
-
 // Rule 21
 spRule21 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 21 --security-policy=%s --project %s", policyName, projectId))
 for _, sp := range spRule21.Array() {
@@ -185,15 +113,6 @@ func TestSecurityPolicyAll(t *testing.T) {
 assert.Equal("'[US,AU,BE]'.contains(origin.region_code)\n", sp.Get("match.expr.expression").String(), "priority 21 rule has expected expression")
 }
 
- // Rule 22
- spRule22 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 22 --security-policy=%s --project %s", policyName, projectId))
- for _, sp := range spRule22.Array() {
- assert.False(sp.Get("preview").Bool(), "priority 22 rule Preview is set to False")
- assert.Equal("deny(502)", sp.Get("action").String(), "priority 22 rule has expected action")
- assert.Equal("Deny Specific IP address", sp.Get("description").String(), "priority 22 rule has expected description")
- assert.Equal("inIpRange(origin.ip, '47.185.201.155/32')\n", sp.Get("match.expr.expression").String(), "priority 22 rule has expected expression")
- }
-
 // Rule 23
 spRule23 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 23 --security-policy=%s --project %s", policyName, projectId))
 for _, sp := range spRule23.Array() {
diff --git a/test/integration/simple-example/simple_example_test.go b/test/integration/global-backend-security-policy-example/simple_example_test.go
similarity index 100%
rename from test/integration/simple-example/simple_example_test.go
rename to test/integration/global-backend-security-policy-example/simple_example_test.go
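Review bot: The two added `assert.Equal(srcIpRanges[0].String(), "45.116.227.71", …)` / `assert.Equal(srcIpRanges[1].String(), "190.217.68.214", …)` lines for rule 14 pass the actual value in the expected position, the reverse of every other assertion in this hunk, so a failure would print expected and actual swapped; write them as `assert.Equal("45.116.227.71", srcIpRanges[0].String(), "priority 14 rule found first valid cidr range")` and `assert.Equal("190.217.68.214", srcIpRanges[1].String(), "priority 14 rule found second valid cidr range")`. The added `assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), …)` passes whenever gcloud omits the field, so it pins the absence of a value rather than the throttle key actually in force; if the intent is "default key", the message `"priority 14 rule has Rate limit Enforce on key"` should say that, and the check will break the moment the API starts echoing the default. The loop's `"priority 14 rule has expected redirect type"` message on the `match.versionedExpr` check is a copy-paste leftover worth fixing while here. TestSecurityPolicyAll begins before this hunk and continues after it.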
diff --git a/test/integration/security-policy-edge/security_policy_edge_test.go b/test/integration/global-edge-security-policy/security_policy_edge_test.go similarity index 98% rename from test/integration/security-policy-edge/security_policy_edge_test.go rename to test/integration/global-edge-security-policy/security_policy_edge_test.go index 3fac969..7eeb42c 100644 --- a/test/integration/security-policy-edge/security_policy_edge_test.go +++ b/test/integration/global-edge-security-policy/security_policy_edge_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package security_policy +package security_policy_edge import ( "fmt" diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 25401fe..03dbd5c 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -19,6 +19,11 @@ locals { "roles/compute.orgSecurityPolicyAdmin", "roles/recaptchaenterprise.admin", "roles/compute.securityAdmin", + "roles/compute.admin", + "roles/logging.viewer", + "roles/servicenetworking.networksAdmin", + "roles/iam.serviceAccountAdmin", + "roles/iam.serviceAccountUser", ] }
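Review bot: The five roles appended to the list in test/setup/iam.tf are broad and carry no explanation: `roles/compute.admin` already includes everything `roles/compute.securityAdmin` (three lines above) grants, so one of the two is redundant, and `roles/iam.serviceAccountUser` granted at the same scope as the rest of the list lets the test identity act as every service account in that scope, not only the one the example's instance presumably needs. If these are required only so the new example can build its VM and network resources (which this hunk cannot confirm), consider binding `serviceAccountUser` on the specific service account the example uses rather than alongside the project-wide roles, and add a comment such as `# needed by the complete security-policy example (VM, NAT, service account); remove any that the example no longer uses` above the new entries so the reason survives review. The enclosing `locals` block starts before the hunk, so where this list is bound is not visible here.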
name = optional(string)
base = string
offset = optional(number)
size = optional(number)
mask = optional(string)
}))