From 63ba9c4d56dc4dd52f54292430106a60494c2041 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Fri, 19 Apr 2024 21:30:31 +0000 Subject: [PATCH 01/10] added advanced network ddos protection sub-module --- .../README.md | 33 +++++++ .../advanced-network-ddos-protection/main.tf | 29 ++++++ .../outputs.tf | 23 +++++ .../variables.tf | 20 +++++ .../README.md | 90 +++++++++++++++++++ .../advanced-network-ddos-protection/main.tf | 45 ++++++++++ .../outputs.tf | 25 ++++++ .../variables.tf | 55 ++++++++++++ .../versions.tf | 35 ++++++++ test/setup/iam.tf | 1 + 10 files changed, 356 insertions(+) create mode 100644 examples/advanced-network-ddos-protection/README.md create mode 100644 examples/advanced-network-ddos-protection/main.tf create mode 100644 examples/advanced-network-ddos-protection/outputs.tf create mode 100644 examples/advanced-network-ddos-protection/variables.tf create mode 100644 modules/advanced-network-ddos-protection/README.md create mode 100644 modules/advanced-network-ddos-protection/main.tf create mode 100644 modules/advanced-network-ddos-protection/outputs.tf create mode 100644 modules/advanced-network-ddos-protection/variables.tf create mode 100644 modules/advanced-network-ddos-protection/versions.tf diff --git a/examples/advanced-network-ddos-protection/README.md b/examples/advanced-network-ddos-protection/README.md new file mode 100644 index 0000000..5e1eafe --- /dev/null +++ b/examples/advanced-network-ddos-protection/README.md 
@@ -0,0 +1,33 @@ +# Enable Cloud Armor Advanced Network DDoS Protection + +This example enables a advanced network DDoS protection in two regions. Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) + +## Usage + +To run this example you need to execute: + +```bash +export TF_VAR_project_id="your_project_id" +``` + +```bash +terraform init +terraform plan +terraform apply +``` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| project\_id | The project in which the resource belongs | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| adv\_ddos\_protection\_policies | n/a | +| network\_edge\_security\_services | n/a | + + diff --git a/examples/advanced-network-ddos-protection/main.tf b/examples/advanced-network-ddos-protection/main.tf new file mode 100644 index 0000000..21eba09 --- /dev/null +++ b/examples/advanced-network-ddos-protection/main.tf 
@@ -0,0 +1,29 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_id" "suffix" { + byte_length = 4 +} + +module "advanced_network_ddos_protection" { + source = "GoogleCloudPlatform/cloud-armor/google//modules/network-advanced-ddos-protection" + version = "~> 2.0" + + project_id = var.project_id + regions = ["us-central1", "us-east1"] + policy_name = "adv-network-ddos-protection-${random_id.suffix.hex}" + network_edge_security_service_name = "adv-network-ddos-protection-${random_id.suffix.hex}" +} diff --git a/examples/advanced-network-ddos-protection/outputs.tf b/examples/advanced-network-ddos-protection/outputs.tf new file mode 100644 index 0000000..8a773e6 --- /dev/null +++ b/examples/advanced-network-ddos-protection/outputs.tf 
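Review bot: The example creates `resource "random_id" "suffix"` but adds no versions.tf under examples/advanced-network-ddos-protection (the diffstat lists only README.md, main.tf, outputs.tf and variables.tf), so the `random` provider, and the `google-beta` provider the module requires, carry no version constraint and `terraform init` resolves them to whatever is newest at the time. The module's own versions.tf in this patch pins google/google-beta to `>= 4.80, < 6`; the example should ship a matching `required_providers` block so the test harness and users exercise a known provider range. If the repository's other examples deliberately omit per-example version files, disregard this.
```hcl
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.80, < 6"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.80, < 6"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.0" # constructed constraint - align with the repo's other examples
    }
  }
}
```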
@@ -0,0 +1,23 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "adv_ddos_protection_policies" { + value = module.advanced_network_ddos_protection.adv_ddos_protection_policies +} + +output "network_edge_security_services" { + value = module.advanced_network_ddos_protection.network_edge_security_services +} diff --git a/examples/advanced-network-ddos-protection/variables.tf b/examples/advanced-network-ddos-protection/variables.tf new file mode 100644 index 0000000..e11d5d8 --- /dev/null +++ b/examples/advanced-network-ddos-protection/variables.tf @@ -0,0 +1,20 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project in which the resource belongs" + type = string +} 
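Review bot: Both outputs, `adv_ddos_protection_policies` and `network_edge_security_services`, are declared without a `description`, which is why the generated table in the example README in this same patch shows `n/a` for them; the module's outputs.tf documents the identical values. Add `description = "Advanced Network DDoS protection Security policies created"` and `description = "Network edge security services created"` so terraform-docs renders the outputs table correctly.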
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md new file mode 100644 index 0000000..362d742 --- /dev/null +++ b/modules/advanced-network-ddos-protection/README.md 
@@ -0,0 +1,90 @@ +# Cloud Armor Terraform Module +This module enables [advanced network DDoS protection](https://cloud.google.com/armor/docs/armor-enterprise-overview#advanced_network_ddos_protection) in specified region(s). Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Advanced network DDoS protection feature protects workloads using [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. When enabled for a particular region, Google Cloud Armor provides always-on targeted volumetric attack detection and mitigation for external passthrough Network Load Balancer, protocol forwarding, and VMs with public IP addresses in that region. This module creates security policy of type `CLOUD_ARMOR_NETWORK` and a a network edge security service in the specified region(s). + +## Compatibility + +This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue. + +## Version + +Current version is 0.X. Upgrade guides: + +## Usage +There are examples included in the [examples](https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor/tree/main/examples) folder but simple usage is as follows: + + +``` +module "advanced_network_ddos_protection" { + source = "GoogleCloudPlatform/cloud-armor/google//modules/network-advanced-ddos-protection" + version = "~> 2.0" + + project_id = var.project_id + adv_ddos_policy_regions = ["us-central1", "us-east1"] +} +``` + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| ddos\_protection\_config | Configuration for Google Cloud Armor DDOS Proctection Config. 
1) ADVANCED: additional protections for Managed Protection Plus subscribers 2) ADVANCED\_PREVIEW: flag to enable the security policy in preview mode | `string` | `"ADVANCED"` | no | +| network\_edge\_security\_service\_description | description of edge security service for advanced network ddos protection | `string` | `"edge security service for advanced network ddos protection"` | no | +| network\_edge\_security\_service\_name | Name of network edge security service resource for advanced network ddos protection | `string` | `"adv-network-ddos-protection"` | no | +| policy\_description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no | +| policy\_name | Name of the advanced network ddos protection security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no | +| project\_id | The project in which the resource belongs. | `string` | n/a | yes | +| regions | The regions in which enable advanced network DDoS protection | `list(string)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| adv\_ddos\_protection\_policies | Advanced Network DDoS protection Security policies created | +| network\_edge\_security\_services | Network edge security services created | + + + +## Requirements + +These sections describe requirements for using this module. 
+ +### Software + +The following dependencies must be available: + +- [Terraform][terraform] v1.3+ +- [Terraform Provider for GCP][terraform-provider-gcp] plugin v4.80+ + +### Service Account + +A service account with the following permission must be used to provision +the resources of this module: + +- compute.networkEdgeSecurityServices.create +- compute.networkEdgeSecurityServices.update +- compute.networkEdgeSecurityServices.get +- compute.networkEdgeSecurityServices.delete +- compute.networkEdgeSecurityServices.list +- compute.regionSecurityPolicies.create +- compute.regionSecurityPolicies.delete +- compute.regionSecurityPolicies.get +- compute.regionSecurityPolicies.list +- compute.regionSecurityPolicies.use +- compute.regionSecurityPolicies.update + +Following roles contain above mentioned permissions. You can either assing one of the following role or create custom roles with above permissions. + +- Compute Security Admin: `roles/compute.securityAdmin` +- Compute Admin: `roles/compute.admin` + +### Enable API's +In order to operate with the Service Account you must activate the following API on the project where the Service Account was created: + +- Compute Engine API - compute.googleapis.com + +## Contributing + +Refer to the [contribution guidelines](./CONTRIBUTING.md) for +information on contributing to this module. diff --git a/modules/advanced-network-ddos-protection/main.tf b/modules/advanced-network-ddos-protection/main.tf new file mode 100644 index 0000000..ec74329 --- /dev/null +++ b/modules/advanced-network-ddos-protection/main.tf 
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+### Adding custom rules to network security policies requires advanced network DDoS protection to be enabled in the region. Advanced protection can be enabled in preview mode.
+
+resource "google_compute_region_security_policy" "adv_ddos_protection" {
+ provider = google-beta
+ for_each = toset(var.regions)
+ project = var.project_id
+
+
+ name = "${var.policy_name}-${each.value}"
+ description = "${var.policy_description} region: ${each.value}"
+ type = "CLOUD_ARMOR_NETWORK"
+ region = each.value
+
+ ddos_protection_config {
+ ddos_protection = var.ddos_protection_config
+ }
+
+}
+
+resource "google_compute_network_edge_security_service" "adv_ddos_protection" {
+ provider = google-beta
+ for_each = toset(var.regions)
+ project = var.project_id
+
+ name = "${var.network_edge_security_service_name}-${each.value}"
+ region = each.value
+ description = "${var.network_edge_security_service_description} region: ${each.value}"
+ security_policy = google_compute_region_security_policy.adv_ddos_protection[each.value].self_link
+}
diff --git a/modules/advanced-network-ddos-protection/outputs.tf b/modules/advanced-network-ddos-protection/outputs.tf
new file mode 100644
index 0000000..1154c3f
--- /dev/null
+++ b/modules/advanced-network-ddos-protection/outputs.tf
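Review bot: `name = "${var.policy_name}-${each.value}"` and `name = "${var.network_edge_security_service_name}-${each.value}"` append the region to the caller-supplied names, yet the `policy_name` variable documents the 1-63 character limit as applying to `policy_name` itself, so a caller who fills that limit gets a resource name that overflows it once a long region such as `northamerica-northeast1` is suffixed, and the failure only surfaces at apply time. Since the module already requires Terraform >= 1.3, a `lifecycle { precondition { … } }` on each resource with `condition = length("${var.policy_name}-${each.value}") <= 63` (and the equivalent for the service name) reports this at plan time; the two variable descriptions should also state that `-<region>` is appended. As a style nit, the double blank line after `project = var.project_id` in the first resource is worth dropping before `terraform fmt` does.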
@@ -0,0 +1,25 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "adv_ddos_protection_policies" { + value = google_compute_region_security_policy.adv_ddos_protection + description = "Advanced Network DDoS protection Security policies created" +} + +output "network_edge_security_services" { + value = google_compute_network_edge_security_service.adv_ddos_protection + description = "Network edge security services created" +} diff --git a/modules/advanced-network-ddos-protection/variables.tf b/modules/advanced-network-ddos-protection/variables.tf new file mode 100644 index 0000000..b26162a --- /dev/null +++ b/modules/advanced-network-ddos-protection/variables.tf 
@@ -0,0 +1,55 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project in which the resource belongs." + type = string +} + +variable "regions" { + description = "The regions in which enable advanced network DDoS protection" + type = list(string) +} + +variable "ddos_protection_config" { + description = "Configuration for Google Cloud Armor DDOS Proctection Config. 1) ADVANCED: additional protections for Managed Protection Plus subscribers 2) ADVANCED_PREVIEW: flag to enable the security policy in preview mode" + type = string + default = "ADVANCED" +} + +variable "policy_name" { + description = "Name of the advanced network ddos protection security policy. Name must be 1-63 characters long and match the regular expression a-z? 
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash" + type = string + default = "adv-network-ddos-protection" +} + +variable "policy_description" { + description = "An optional description of advanced network ddos protection security policy" + type = string + default = "CA Advance DDoS protection" +} + +variable "network_edge_security_service_name" { + description = "Name of network edge security service resource for advanced network ddos protection" + type = string + default = "adv-network-ddos-protection" +} + +variable "network_edge_security_service_description" { + description = "description of edge security service for advanced network ddos protection" + type = string + default = "edge security service for advanced network ddos protection" +} diff --git a/modules/advanced-network-ddos-protection/versions.tf b/modules/advanced-network-ddos-protection/versions.tf new file mode 100644 index 0000000..2d32775 --- /dev/null +++ b/modules/advanced-network-ddos-protection/versions.tf 
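Review bot: `ddos_protection_config` enumerates exactly two accepted values in its description, `ADVANCED` and `ADVANCED_PREVIEW`, but carries no `validation` block, so a mistyped value passes `terraform plan` and is rejected only by the API at apply; add `condition = contains(["ADVANCED", "ADVANCED_PREVIEW"], var.ddos_protection_config)` inside a `validation` block with a matching `error_message`. The description should also make clear that `ADVANCED_PREVIEW` is a monitoring mode, as I read the Cloud Armor docs preview reports what would be mitigated without mitigating, so an operator does not mistake it for active protection. `regions` likewise accepts an empty list, which makes the module silently create nothing; a `length(var.regions) > 0` validation would surface that at plan time.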
@@ -0,0 +1,35 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.3.0" + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.80, < 6" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 4.80, < 6" + } + } + provider_meta "google" { + module_name = "blueprints/terraform/terraform-google-cloud-armor:advanced-network-ddos-protection/v2.1.0" + } + provider_meta "google-beta" { + module_name = "blueprints/terraform/terraform-google-cloud-armor:advanced-network-ddos-protection/v2.1.0" + } +} diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 1af3bda..25401fe 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -18,6 +18,7 @@ locals { int_required_roles = [ "roles/compute.orgSecurityPolicyAdmin", "roles/recaptchaenterprise.admin", + "roles/compute.securityAdmin", ] } From 19ae047541c27ffd18f82bfe5630d9a8c5ffcad7 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Fri, 19 Apr 2024 21:44:58 +0000 Subject: [PATCH 02/10] added advanced network ddos protection sub-module --- examples/advanced-network-ddos-protection/main.tf | 2 +- modules/advanced-network-ddos-protection/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/advanced-network-ddos-protection/main.tf b/examples/advanced-network-ddos-protection/main.tf index 21eba09..6cfde4e 100644 
--- a/examples/advanced-network-ddos-protection/main.tf +++ b/examples/advanced-network-ddos-protection/main.tf @@ -19,7 +19,7 @@ resource "random_id" "suffix" { } module "advanced_network_ddos_protection" { - source = "GoogleCloudPlatform/cloud-armor/google//modules/network-advanced-ddos-protection" + source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" version = "~> 2.0" project_id = var.project_id diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md index 362d742..9b3bd3b 100644 --- a/modules/advanced-network-ddos-protection/README.md +++ b/modules/advanced-network-ddos-protection/README.md @@ -15,7 +15,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "advanced_network_ddos_protection" { - source = "GoogleCloudPlatform/cloud-armor/google//modules/network-advanced-ddos-protection" + source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" version = "~> 2.0" project_id = var.project_id From 28532143563e380e50c6a9889cf70b72fa97d88c Mon Sep 17 00:00:00 2001 
From: Imran Nayer Date: Sat, 20 Apr 2024 00:15:44 +0000 Subject: [PATCH 03/10] added network edge security policy sub-module --- README.md | 5 + .../advanced-network-ddos-protection/main.tf | 4 +- .../network-edge-security-policy/README.md | 33 +++ examples/network-edge-security-policy/main.tf | 84 ++++++++ .../network-edge-security-policy/outputs.tf | 25 +++ .../network-edge-security-policy/variables.tf | 20 ++ .../README.md | 45 +--- .../advanced-network-ddos-protection/main.tf | 2 - .../network-edge-security-policy/README.md | 194 ++++++++++++++++++ modules/network-edge-security-policy/main.tf | 67 ++++++ .../network-edge-security-policy/outputs.tf | 25 +++ .../network-edge-security-policy/variables.tf | 73 +++++++ .../network-edge-security-policy/versions.tf | 35 ++++ 13 files changed, 564 insertions(+), 48 deletions(-) create mode 100644 examples/network-edge-security-policy/README.md create mode 100644 examples/network-edge-security-policy/main.tf create mode 100644 examples/network-edge-security-policy/outputs.tf create mode 100644 examples/network-edge-security-policy/variables.tf create mode 100644 modules/network-edge-security-policy/README.md create mode 100644 modules/network-edge-security-policy/main.tf create mode 100644 modules/network-edge-security-policy/outputs.tf create mode 100644 modules/network-edge-security-policy/variables.tf create mode 100644 modules/network-edge-security-policy/versions.tf diff --git a/README.md b/README.md index 6c19273..0f31a0a 100644 --- a/README.md +++ b/README.md 
@@ -785,6 +785,11 @@ The following dependencies must be available: A service account with the following permission must be used to provision the resources of this module: +- compute.networkEdgeSecurityServices.create +- compute.networkEdgeSecurityServices.update +- compute.networkEdgeSecurityServices.get +- compute.networkEdgeSecurityServices.delete +- compute.networkEdgeSecurityServices.list - compute.securityPolicies.create - compute.securityPolicies.delete - compute.securityPolicies.get diff --git a/examples/advanced-network-ddos-protection/main.tf b/examples/advanced-network-ddos-protection/main.tf index 6cfde4e..e390661 100644 --- a/examples/advanced-network-ddos-protection/main.tf +++ b/examples/advanced-network-ddos-protection/main.tf @@ -24,6 +24,6 @@ module "advanced_network_ddos_protection" { project_id = var.project_id regions = ["us-central1", "us-east1"] - policy_name = "adv-network-ddos-protection-${random_id.suffix.hex}" - network_edge_security_service_name = "adv-network-ddos-protection-${random_id.suffix.hex}" + policy_name = "test-adv-network-ddos-protection-${random_id.suffix.hex}" + network_edge_security_service_name = "test-network-edge-security-svc-${random_id.suffix.hex}" } diff --git a/examples/network-edge-security-policy/README.md b/examples/network-edge-security-policy/README.md new file mode 100644 index 0000000..e26b1d8 --- /dev/null +++ b/examples/network-edge-security-policy/README.md 
@@ -0,0 +1,33 @@ +# Enable Cloud Armor Network Edge Security Policy + +This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [example](../advanced-network-ddos-protection/) to deploy advanced newtork ddos protection. + +## Usage + +To run this example you need to execute: + +```bash +export TF_VAR_project_id="your_project_id" +``` + +```bash +terraform init +terraform plan +terraform apply +``` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| project\_id | The project in which the resource belongs | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| policy\_rules | Security policy rules created | +| security\_policy | Regional Network Security policy created | + + diff --git a/examples/network-edge-security-policy/main.tf b/examples/network-edge-security-policy/main.tf new file mode 100644 index 0000000..ba70fb5 --- /dev/null +++ b/examples/network-edge-security-policy/main.tf 
@@ -0,0 +1,84 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "suffix" {
+ byte_length = 4
+}
+
+module "network_edge_security_policy" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ region = "us-central1"
+ policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}"
+
+ policy_user_defined_fields = [
+ {
+ name = "SIG1_AT_0"
+ base = "UDP"
+ offset = 8
+ size = 2
+ mask = "0x8F00"
+ },
+ {
+ name = "SIG2_AT_8"
+ base = "TCP"
+ offset = 16
+ size = 4
+ mask = "0xFFFFFFFF"
+ },
+ {
+ name = "IPv4-TTL"
+ base = "IPV4"
+ offset = 8
+ size = 1
+ mask = "0xFF"
+ },
+
+ ]
+
+ policy_rules = [
+ {
+ priority = 100
+ action = "deny"
+ preview = true
+ description = "custom rule 100"
+ src_ip_ranges = ["10.10.0.0/16"]
+ src_asns = [15169]
+ src_region_codes = ["AU"]
+ ip_protocols = ["TCP"]
+ src_ports = [80]
+ dest_ports = ["8080"]
+ dest_ip_ranges = ["10.100.0.0/16"]
+ user_defined_fields = [
+ {
+ name = "SIG1_AT_0"
+ values = ["0x8F00"]
+ },
+ ]
+ },
+ {
+ priority = 200
+ action = "deny"
+ preview = false
+ priority = 200
+ src_asns = [15269]
+ dest_ports = ["80"]
+ dest_ip_ranges = ["10.100.0.0/16"]
+ },
+ ]
+}
diff --git a/examples/network-edge-security-policy/outputs.tf b/examples/network-edge-security-policy/outputs.tf
new file mode 100644
index 0000000..7e6b1b4
--- /dev/null
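Review bot: The second rule in `policy_rules` sets `priority = 200` twice, which current Terraform versions report as a duplicate object key and older ones would silently collapse; delete the repeated `priority = 200` line that follows `preview = false`. The same duplicated attribute is copied into the usage sample in modules/network-edge-security-policy/README.md in this commit, so both copies need the fix. In the first rule `src_ports = [80]` is a number while `dest_ports = ["8080"]` is a string; whether both are accepted depends on the module's variable types, which are outside this chunk, but the example should use one representation so readers copy a correct shape.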
+++ b/examples/network-edge-security-policy/outputs.tf @@ -0,0 +1,25 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "security_policy" { + value = module.network_edge_security_policy.security_policy + description = "Regional Network Security policy created" +} + +output "policy_rules" { + value = module.network_edge_security_policy.policy_rules + description = "Security policy rules created" +} diff --git a/examples/network-edge-security-policy/variables.tf b/examples/network-edge-security-policy/variables.tf new file mode 100644 index 0000000..e11d5d8 --- /dev/null +++ b/examples/network-edge-security-policy/variables.tf @@ -0,0 +1,20 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project in which the resource belongs" + type = string +} 
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md index 9b3bd3b..e4ff87a 100644 --- a/modules/advanced-network-ddos-protection/README.md +++ b/modules/advanced-network-ddos-protection/README.md @@ -1,4 +1,4 @@ -# Cloud Armor Terraform Module +# Enable Cloud Armor Advanced Network DDoS Protection This module enables [advanced network DDoS protection](https://cloud.google.com/armor/docs/armor-enterprise-overview#advanced_network_ddos_protection) in specified region(s). Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Advanced network DDoS protection feature protects workloads using [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. When enabled for a particular region, Google Cloud Armor provides always-on targeted volumetric attack detection and mitigation for external passthrough Network Load Balancer, protocol forwarding, and VMs with public IP addresses in that region. This module creates security policy of type `CLOUD_ARMOR_NETWORK` and a a network edge security service in the specified region(s). ## Compatibility 
@@ -45,46 +45,3 @@ module "advanced_network_ddos_protection" { | network\_edge\_security\_services | Network edge security services created | - -## Requirements - -These sections describe requirements for using this module. - -### Software - -The following dependencies must be available: - -- [Terraform][terraform] v1.3+ -- [Terraform Provider for GCP][terraform-provider-gcp] plugin v4.80+ - -### Service Account - -A service account with the following permission must be used to provision -the resources of this module: - -- compute.networkEdgeSecurityServices.create -- compute.networkEdgeSecurityServices.update -- compute.networkEdgeSecurityServices.get -- compute.networkEdgeSecurityServices.delete -- compute.networkEdgeSecurityServices.list -- compute.regionSecurityPolicies.create -- compute.regionSecurityPolicies.delete -- compute.regionSecurityPolicies.get -- compute.regionSecurityPolicies.list -- compute.regionSecurityPolicies.use -- compute.regionSecurityPolicies.update - -Following roles contain above mentioned permissions. You can either assing one of the following role or create custom roles with above permissions. - -- Compute Security Admin: `roles/compute.securityAdmin` -- Compute Admin: `roles/compute.admin` - -### Enable API's -In order to operate with the Service Account you must activate the following API on the project where the Service Account was created: - -- Compute Engine API - compute.googleapis.com - -## Contributing - -Refer to the [contribution guidelines](./CONTRIBUTING.md) for -information on contributing to this module. diff --git a/modules/advanced-network-ddos-protection/main.tf b/modules/advanced-network-ddos-protection/main.tf index ec74329..822baae 100644 --- a/modules/advanced-network-ddos-protection/main.tf +++ b/modules/advanced-network-ddos-protection/main.tf 
@@ -14,8 +14,6 @@ * limitations under the License. */ -### Adding custom rules to network security policies requires advanced network DDoS protection to be enabled in the region. Advanced protection can be enabled in preview mode. - resource "google_compute_region_security_policy" "adv_ddos_protection" { provider = google-beta for_each = toset(var.regions) diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md new file mode 100644 index 0000000..7cdf95f --- /dev/null +++ b/modules/network-edge-security-policy/README.md 
@@ -0,0 +1,194 @@ +# Cloud Armor Terraform Module +This module creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) in specified region. Network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this](../advanced-network-ddos-protection/) sub-module to deploy `advanced network ddos protection `. + +You can attch network edge security policy to [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. Network edge security policy supports [byte offset filtering](https://cloud.google.com/armor/docs/network-edge-policies#byte-offset). This module creates security policy of type `CLOUD_ARMOR_NETWORK` optionally attach security policy rules to the policy. 
+ +## Module Format + +``` +module "network_edge_security_policy" { + source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" + version = "~> 2.0" + + project_id = var.project_id + region = "us-central1" + policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}" + + policy_user_defined_fields = [ + {}, + {}, + ] + + policy_rules = [ + {}, + {}, + ] +} +``` + +`policy_rules` details and Sample Code for each type of rule is available [here](#Rules) + +## Usage +There are examples included in the [examples](https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor/tree/main/examples) folder but simple usage is as follows: + + +``` +module "network_edge_security_policy" { + source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" + version = "~> 2.0" + + project_id = var.project_id + region = "us-central1" + policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}" + + policy_user_defined_fields = [ + { + name = "SIG1_AT_0" + base = "UDP" + offset = 8 + size = 2 + mask = "0x8F00" + }, + { + name = "SIG2_AT_8" + base = "TCP" + offset = 16 + size = 4 + mask = "0xFFFFFFFF" + }, + ] + + policy_rules = [ + { + priority = 100 + action = "deny" + preview = true + description = "custom rule 100" + src_ip_ranges = ["10.10.0.0/16"] + src_asns = [15169] + src_region_codes = ["AU"] + ip_protocols = ["TCP"] + src_ports = [80] + dest_ports = ["8080"] + dest_ip_ranges = ["10.100.0.0/16"] + user_defined_fields = [ + { + name = "SIG1_AT_0" + values = ["0x8F00"] + }, + ] + }, + { + priority = 200 + action = "deny" + preview = false + priority = 200 + src_asns = [15269] + dest_ports = ["80"] + dest_ip_ranges = ["10.100.0.0/16"] + }, + ] + +} +``` + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| policy\_description | An optional description of advanced network ddos protection security policy | `string` | `"CA 
Advance DDoS protection"` | no | +| policy\_name | Name of the advanced network ddos protection security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no | +| policy\_rules | Policy Rules |
list(object({
priority = number
action = string
preview = optional(bool)
description = optional(string)
src_ip_ranges = optional(list(string))
src_asns = optional(list(string))
src_region_codes = optional(list(string))
ip_protocols = optional(list(string))
src_ports = optional(list(string))
dest_ports = optional(list(string))
dest_ip_ranges = optional(list(string))

user_defined_fields = optional(list(object({
name = optional(string)
values = optional(list(string))
})))
}))
| `null` | no | +| policy\_user\_defined\_fields | Definitions of user-defined fields for CLOUD\_ARMOR\_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits |
list(object({
name = optional(string)
base = string
offset = optional(number)
size = optional(number)
mask = optional(string)
}))
| `null` | no | +| project\_id | The project in which the resource belongs. | `string` | n/a | yes | +| region | The region in which enablesecurity policy is created | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| policy\_rules | Security policy rules created | +| security\_policy | Regional network Security policy created | + + + +## Rules + +`policy_rules` is a list of objects with following parameters: +- `priority`: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. +- `action`: The Action to perform when the rule is matched. The following are the valid actions: + - allow: allow access to target. + - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. +- `preview`: If set to true, the specified action is not enforced +- `description`: An optional description of this resource. Provide this property when you create the resource +- `src_ip_ranges`: list of source IPv4/IPv6 addresses or CIDR prefixes, in standard text format +- `src_asns`: list of BGP Autonomous System Number associated with the source IP address +- `src_region_codes`: list of Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address +- `ip_protocols`: list of IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp" +- `src_ports`: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023") +- `dest_ports`: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. 
"80") or range (e.g. "0-1023") +- `dest_ip_ranges`: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format +- `user_defined_fields`:User-defined fields. Each element names a defined field and lists the matching values for that field. Support following fields: + - `name`: Name of the user-defined field, as given in the definition + - `values`: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff") + +### Format: + +``` +[ + { + priority = 100 + action = "deny" + preview = true + description = "custom rule 100" + src_ip_ranges = ["10.10.0.0/16"] + src_asns = [15169] + src_region_codes = ["AU"] + ip_protocols = ["TCP"] + src_ports = [80] + dest_ports = ["8080"] + dest_ip_ranges = ["10.100.0.0/16"] + user_defined_fields = [ + {}, + ] + }, +] +``` + + +### Sample: + +``` + policy_rules = [ + { + priority = 100 + action = "deny" + preview = true + description = "custom rule 100" + src_ip_ranges = ["10.10.0.0/16"] + src_asns = [15169] + src_region_codes = ["AU"] + ip_protocols = ["TCP"] + src_ports = [80] + dest_ports = ["8080"] + dest_ip_ranges = ["10.100.0.0/16"] + user_defined_fields = [ + { + name = "SIG1_AT_0" + values = ["0x8F00"] + }, + ] + }, + { + priority = 200 + action = "deny" + preview = false + priority = 200 + src_asns = [15269] + dest_ports = ["80"] + dest_ip_ranges = ["10.100.0.0/16"] + }, + ] +``` \ No newline at end of file diff --git a/modules/network-edge-security-policy/main.tf b/modules/network-edge-security-policy/main.tf new file mode 100644 index 0000000..d771da2 --- /dev/null +++ b/modules/network-edge-security-policy/main.tf 
@@ -0,0 +1,67 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +### Adding custom rules to network dge security policies requires advanced network DDoS protection to be enabled in the region. + +resource "google_compute_region_security_policy" "security_policy" { + provider = google-beta + project = var.project_id + + + name = var.policy_name + description = var.policy_description + type = "CLOUD_ARMOR_NETWORK" + region = var.region + + dynamic "user_defined_fields" { + for_each = var.policy_user_defined_fields == null ? [] : var.policy_user_defined_fields + content { + name = lookup(user_defined_fields.value, "name", null) + base = user_defined_fields.value.base + offset = lookup(user_defined_fields.value, "offset", null) + size = lookup(user_defined_fields.value, "size", null) + mask = lookup(user_defined_fields.value, "mask", null) + } + + } +} + +resource "google_compute_region_security_policy_rule" "policy_rules" { + provider = google-beta + for_each = var.policy_rules == null ? 
{} : { for x in var.policy_rules : x.priority => x } + project = var.project_id + region = var.region + security_policy = google_compute_region_security_policy.security_policy.name + description = each.value.description + priority = each.value.priority + network_match { + src_ip_ranges = lookup(each.value, "source_ip_ranges", null) + src_asns = lookup(each.value, "src_asns", null) + src_region_codes = lookup(each.value, "src_region_codes", null) + ip_protocols = lookup(each.value, "ip_protocols", null) + dest_ports = lookup(each.value, "dest_ports", null) + dest_ip_ranges = lookup(each.value, "dest_ip_ranges", null) + dynamic "user_defined_fields" { + for_each = lookup(each.value, "user_defined_fields", null) == null ? [] : lookup(each.value, "user_defined_fields") + content { + name = lookup(user_defined_fields.value, "name", null) + values = lookup(user_defined_fields.value, "values", null) + } + } + } + action = each.value.action + preview = each.value.preview +} diff --git a/modules/network-edge-security-policy/outputs.tf b/modules/network-edge-security-policy/outputs.tf new file mode 100644 index 0000000..830a35d --- /dev/null +++ b/modules/network-edge-security-policy/outputs.tf 
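Review bot: `src_ip_ranges = lookup(each.value, "source_ip_ranges", null)` in `network_match` reads a key that the `policy_rules` object never defines (variables.tf in this same patch declares `src_ip_ranges`), so the source-range matcher is always null and a rule the caller scoped to a CIDR is created without that constraint — for a `deny` rule that means it applies more broadly than the author intended. The object's `src_ports` attribute is likewise declared and documented in the README sample but never passed into `network_match`, so it is silently dropped. The fix is `src_ip_ranges = lookup(each.value, "src_ip_ranges", null)` plus an added `src_ports = lookup(each.value, "src_ports", null)` next to the `dest_ports` line. While touching the file, the header comment has a typo: `### Adding custom rules to network edge security policies requires advanced network DDoS protection to be enabled in the region.`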
@@ -0,0 +1,25 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "security_policy" { + value = google_compute_region_security_policy.security_policy + description = "Regional network Security policy created" +} + +output "policy_rules" { + value = google_compute_region_security_policy_rule.policy_rules + description = "Security policy rules created" +} diff --git a/modules/network-edge-security-policy/variables.tf b/modules/network-edge-security-policy/variables.tf new file mode 100644 index 0000000..c89408e --- /dev/null +++ b/modules/network-edge-security-policy/variables.tf 
@@ -0,0 +1,73 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project in which the resource belongs." + type = string +} + +variable "region" { + description = "The region in which enablesecurity policy is created" + type = string +} + + +variable "policy_name" { + description = "Name of the advanced network ddos protection security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash" + type = string + default = "adv-network-ddos-protection" +} + +variable "policy_description" { + description = "An optional description of advanced network ddos protection security policy" + type = string + default = "CA Advance DDoS protection" +} + +variable "policy_user_defined_fields" { + description = "Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. 
A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits" + type = list(object({ + name = optional(string) + base = string + offset = optional(number) + size = optional(number) + mask = optional(string) + })) + default = null +} + +variable "policy_rules" { + description = "Policy Rules" + type = list(object({ + priority = number + action = string + preview = optional(bool) + description = optional(string) + src_ip_ranges = optional(list(string)) + src_asns = optional(list(string)) + src_region_codes = optional(list(string)) + ip_protocols = optional(list(string)) + src_ports = optional(list(string)) + dest_ports = optional(list(string)) + dest_ip_ranges = optional(list(string)) + + user_defined_fields = optional(list(object({ + name = optional(string) + values = optional(list(string)) + }))) + })) + default = null +} diff --git a/modules/network-edge-security-policy/versions.tf b/modules/network-edge-security-policy/versions.tf new file mode 100644 index 0000000..2d32775 --- /dev/null +++ b/modules/network-edge-security-policy/versions.tf 
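Review bot: The `policy_name` and `policy_description` variables carry descriptions and defaults copied from the advanced-network-ddos-protection module ("advanced network ddos protection security policy", `"adv-network-ddos-protection"`, `"CA Advance DDoS protection"`), but this module creates a `CLOUD_ARMOR_NETWORK` network edge security policy (see main.tf in this patch), so the generated README and the default resource name describe the wrong thing; I would reword both descriptions to "network edge security policy" and use a default such as `"network-edge-security-policy"`. The `policy_name` description also appears to have lost its regular expression ("match the regular expression a-z? which means…"), presumably during copy; the pattern text should be restored or the clause dropped. Separately, `policy_rules` has no `validation` block even though the README in this patch documents that `priority` must be between 0 and 2147483647; validating it at plan time gives a clearer error than a provider rejection at apply, and the `region` description typo `enablesecurity` should read `security`.

```hcl
variable "policy_rules" {
  description = "Policy Rules"
  # … unchanged: type = list(object({ ... })) and default = null …

  validation {
    condition     = var.policy_rules == null ? true : alltrue([for r in var.policy_rules : r.priority >= 0 && r.priority <= 2147483647])
    error_message = "Each policy_rules entry must have a priority between 0 and 2147483647."
  }
}
```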
@@ -0,0 +1,35 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.3.0" + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.80, < 6" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 4.80, < 6" + } + } + provider_meta "google" { + module_name = "blueprints/terraform/terraform-google-cloud-armor:advanced-network-ddos-protection/v2.1.0" + } + provider_meta "google-beta" { + module_name = "blueprints/terraform/terraform-google-cloud-armor:advanced-network-ddos-protection/v2.1.0" + } +} From 037e84ccd8ab035ca252103abfc3b8fcabec8fdf Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Sat, 20 Apr 2024 01:07:12 +0000 Subject: [PATCH 04/10] fixed lint issues --- modules/network-edge-security-policy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index 7cdf95f..b5975ee 100644 --- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md @@ -191,4 +191,4 @@ module "network_edge_security_policy" { dest_ip_ranges = ["10.100.0.0/16"] }, ] -``` \ No newline at end of file +``` From 4bc303acf0d4e96d87179fdd96f011a5cdaf04da Mon Sep 17 00:00:00 2001 
From: Imran Nayer Date: Sat, 20 Apr 2024 05:24:36 +0000 Subject: [PATCH 05/10] updated docs --- README.md | 11 ++++++++++- examples/advanced-network-ddos-protection/README.md | 4 ++-- examples/advanced-network-ddos-protection/outputs.tf | 6 ++++-- examples/network-edge-security-policy/README.md | 2 +- modules/network-edge-security-policy/README.md | 2 +- modules/network-edge-security-policy/versions.tf | 4 ++-- 6 files changed, 20 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 0f31a0a..aec95e4 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,11 @@ # Cloud Armor Terraform Module -This module makes it easy to setup [Cloud Armor Security Policy](https://cloud.google.com/armor/docs/cloud-armor-overview#security_policies) with Security rules. There are `five` type of rules you can create in each policy: +This module makes it easy to setup [Cloud Armor global Security Policy](https://cloud.google.com/armor/docs/cloud-armor-overview#security_policies) with Security rules. You can attach the global Security Policy policy to backend services exposed by the following load balancer types: +- Global external Application Load Balancer (HTTP/HTTPS) +- Classic Application Load Balancer (HTTP/HTTPS) +- Global external proxy Network Load Balancer (TCP/SSL) +- Classic proxy Network Load Balancer (TCP/SSL) + +There are `five` type of rules you can create in each policy: 1) [Pre-Configured Rules](#pre_configured_rules): These are based on [pre-configured waf rules](https://cloud.google.com/armor/docs/waf-rules). 2) [Security Rules](#security_rules): Allow or Deny traffic from list of IP addresses or IP adress ranges. 3) [Custom Rules](#custom_rules): You can create your own rules using [Common Expression Language (CEL)](https://cloud.google.com/armor/docs/rules-language-reference). 
@@ -7,6 +13,9 @@ This module makes it easy to setup [Cloud Armor Security Policy](https://cloud.g 5) [Automatically deploy Adaptive Protection Suggested Rules](#adaptive_protection_auto_deploy); When enable module will create a rule for automatically deploying the suggested rules that [Adaptive Protection generates](https://cloud.google.com/armor/docs/adaptive-protection-auto-deploy). +NOTE: For `external passthrough Network Load Balancers`, `protocol forwarding` and `VMs with public IP addresses` create [network Edge Security policy](https://cloud.google.com/armor/docs/security-policy-overview#network-edge-policies) using [advanced network DDoS protection](./modules/advanced-network-ddos-protection/) and [network edge security policy](./modules/network-edge-security-policy/) sub-modules. + + ## Compatibility This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue. diff --git a/examples/advanced-network-ddos-protection/README.md b/examples/advanced-network-ddos-protection/README.md index 5e1eafe..c0efd4a 100644 --- a/examples/advanced-network-ddos-protection/README.md +++ b/examples/advanced-network-ddos-protection/README.md @@ -27,7 +27,7 @@ terraform apply | Name | Description | |------|-------------| -| adv\_ddos\_protection\_policies | n/a | -| network\_edge\_security\_services | n/a | +| adv\_ddos\_protection\_policies | Advanced Network DDoS protection Security policies created | +| network\_edge\_security\_services | Network edge security services created | diff --git a/examples/advanced-network-ddos-protection/outputs.tf b/examples/advanced-network-ddos-protection/outputs.tf index 8a773e6..a5e0190 100644 --- a/examples/advanced-network-ddos-protection/outputs.tf +++ b/examples/advanced-network-ddos-protection/outputs.tf 
@@ -15,9 +15,11 @@ */ output "adv_ddos_protection_policies" { - value = module.advanced_network_ddos_protection.adv_ddos_protection_policies + value = module.advanced_network_ddos_protection.adv_ddos_protection_policies + description = "Advanced Network DDoS protection Security policies created" } output "network_edge_security_services" { - value = module.advanced_network_ddos_protection.network_edge_security_services + value = module.advanced_network_ddos_protection.network_edge_security_services + description = "Network edge security services created" } diff --git a/examples/network-edge-security-policy/README.md b/examples/network-edge-security-policy/README.md index e26b1d8..04e3a02 100644 --- a/examples/network-edge-security-policy/README.md +++ b/examples/network-edge-security-policy/README.md @@ -1,6 +1,6 @@ # Enable Cloud Armor Network Edge Security Policy -This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [example](../advanced-network-ddos-protection/) to deploy advanced newtork ddos protection. +This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [example](../advanced-network-ddos-protection/) sub-module to deploy advanced newtork ddos protection. ## Usage diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index b5975ee..fdf0b60 100644 
--- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md @@ -1,4 +1,4 @@ -# Cloud Armor Terraform Module +# Cloud Armor Terraform Module for Network Edge Security Policy This module creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) in specified region. Network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this](../advanced-network-ddos-protection/) sub-module to deploy `advanced network ddos protection `. You can attch network edge security policy to [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. Network edge security policy supports [byte offset filtering](https://cloud.google.com/armor/docs/network-edge-policies#byte-offset). This module creates security policy of type `CLOUD_ARMOR_NETWORK` optionally attach security policy rules to the policy. diff --git a/modules/network-edge-security-policy/versions.tf b/modules/network-edge-security-policy/versions.tf index 2d32775..316d975 100644 --- a/modules/network-edge-security-policy/versions.tf +++ b/modules/network-edge-security-policy/versions.tf 
@@ -27,9 +27,9 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-cloud-armor:advanced-network-ddos-protection/v2.1.0" + module_name = "blueprints/terraform/terraform-google-cloud-armor:network-edge-security-policy/v2.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-cloud-armor:advanced-network-ddos-protection/v2.1.0" + module_name = "blueprints/terraform/terraform-google-cloud-armor:network-edge-security-policy/v2.1.0" } } From 0836853906e17dd74ffba012a993110e6d90eae0 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Sat, 20 Apr 2024 05:53:13 +0000 Subject: [PATCH 06/10] updated docs --- modules/network-edge-security-policy/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index fdf0b60..e82b070 100644 --- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md @@ -7,12 +7,12 @@ You can attch network edge security policy to [external passthrough Network Load ``` module "network_edge_security_policy" { - source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" + source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" version = "~> 2.0" project_id = var.project_id region = "us-central1" - policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}" + policy_name = "test-nw-edge-security-policy" policy_user_defined_fields = [ {}, 
@@ -34,12 +34,12 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "network_edge_security_policy" { - source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" + source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" version = "~> 2.0" project_id = var.project_id region = "us-central1" - policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}" + policy_name = "test-nw-edge-security-policy" policy_user_defined_fields = [ { From b5b41e5ae13137f7cd477087d621f791e07e2bd7 Mon Sep 17 00:00:00 2001 
From: Imran Nayer Date: Mon, 22 Apr 2024 23:34:38 +0000 Subject: [PATCH 07/10] added end to end examples --- build/int.cloudbuild.yaml | 6 +- .../README.md | 8 +- .../glb.tf | 78 +++++++++ .../main.tf | 95 ++-------- .../network.tf | 147 ++++++++++++++++ .../outputs.tf | 0 .../variables.tf | 0 .../vm.tf | 84 +++++++++ .../README.md | 5 +- .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../README.md | 0 .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../README.md | 0 .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../README.md | 7 +- .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../README.md | 46 +++++ .../main.tf | 64 +++++++ .../network.tf | 163 ++++++++++++++++++ .../nlb.tf | 64 +++++++ .../outputs.tf | 40 +++++ .../provider.tf | 30 ++++ .../variables.tf | 25 +++ .../vm.tf | 79 +++++++++ .../README.md | 2 +- .../main.tf | 2 +- .../outputs.tf | 2 +- .../variables.tf | 2 +- .../README.md | 3 +- .../main.tf | 11 +- .../outputs.tf | 7 +- .../variables.tf | 2 +- .../network-edge-security-policy/README.md | 6 +- modules/network-edge-security-policy/main.tf | 5 +- .../network-edge-security-policy/outputs.tf | 2 +- .../network-edge-security-policy/variables.tf | 4 +- .../network-edge-security-policy/versions.tf | 2 +- .../security_policy_test.go | 109 ++---------- .../simple_example_test.go | 0 .../security_policy_edge_test.go | 2 +- test/setup/iam.tf | 5 + 49 files changed, 900 insertions(+), 207 deletions(-) rename examples/{security-policy-edge => global-backend-security-policy-complete}/README.md (65%) create mode 100644 examples/global-backend-security-policy-complete/glb.tf rename examples/{security-policy-all => global-backend-security-policy-complete}/main.tf (59%) create mode 100644 examples/global-backend-security-policy-complete/network.tf rename examples/{security-policy-all => global-backend-security-policy-complete}/outputs.tf (100%) rename examples/{advanced-network-ddos-protection => 
global-backend-security-policy-complete}/variables.tf (100%) create mode 100644 examples/global-backend-security-policy-complete/vm.tf rename examples/{security-policy-managed-protection-plus => global-backend-security-policy-enterprise}/README.md (83%) rename examples/{security-policy-managed-protection-plus => global-backend-security-policy-enterprise}/main.tf (100%) rename examples/{security-policy-edge => global-backend-security-policy-enterprise}/outputs.tf (100%) rename examples/{network-edge-security-policy => global-backend-security-policy-enterprise}/variables.tf (100%) rename examples/{simple-example => global-backend-security-policy-example}/README.md (100%) rename examples/{simple-example => global-backend-security-policy-example}/main.tf (100%) rename examples/{security-policy-managed-protection-plus => global-backend-security-policy-example}/outputs.tf (100%) rename examples/{security-policy-all => global-backend-security-policy-example}/variables.tf (100%) rename examples/{security-policy-recaptcha => global-backend-security-policy-recaptcha}/README.md (100%) rename examples/{security-policy-recaptcha => global-backend-security-policy-recaptcha}/main.tf (100%) rename examples/{security-policy-recaptcha => global-backend-security-policy-recaptcha}/outputs.tf (100%) rename examples/{security-policy-edge => global-backend-security-policy-recaptcha}/variables.tf (100%) rename examples/{security-policy-all => global-edge-security-policy}/README.md (74%) rename examples/{security-policy-edge => global-edge-security-policy}/main.tf (100%) rename examples/{simple-example => global-edge-security-policy}/outputs.tf (100%) rename examples/{security-policy-managed-protection-plus => global-edge-security-policy}/variables.tf (100%) create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/README.md create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf create mode 100644 
examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf create mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf rename examples/{advanced-network-ddos-protection => regional-advanced-network-ddos-protection-enterprise}/README.md (80%) rename examples/{advanced-network-ddos-protection => regional-advanced-network-ddos-protection-enterprise}/main.tf (97%) rename examples/{advanced-network-ddos-protection => regional-advanced-network-ddos-protection-enterprise}/outputs.tf (97%) rename examples/{security-policy-recaptcha => regional-advanced-network-ddos-protection-enterprise}/variables.tf (95%) rename examples/{network-edge-security-policy => regional-network-edge-security-policy-enterprise}/README.md (65%) rename examples/{network-edge-security-policy => regional-network-edge-security-policy-enterprise}/main.tf (86%) rename examples/{network-edge-security-policy => regional-network-edge-security-policy-enterprise}/outputs.tf (79%) rename examples/{simple-example => regional-network-edge-security-policy-enterprise}/variables.tf (95%) rename test/integration/{security-policy-all => global-backend-security-policy-complete}/security_policy_test.go (56%) rename test/integration/{simple-example => global-backend-security-policy-example}/simple_example_test.go (100%) rename test/integration/{security-policy-edge => global-edge-security-policy}/security_policy_edge_test.go (98%) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 340a08c..db5a89d 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -35,17 +35,17 @@ steps: waitFor: - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage apply --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage apply --verbose'] - id: security-policy-all-verify waitFor: - security-policy-all-apply name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage verify --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage verify --verbose'] - id: security-policy-all-teardown waitFor: - security-policy-all-verify name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage teardown --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage teardown --verbose'] - id: simple-example-apply waitFor: diff --git a/examples/security-policy-edge/README.md b/examples/global-backend-security-policy-complete/README.md similarity index 65% rename from examples/security-policy-edge/README.md rename to examples/global-backend-security-policy-complete/README.md index f684f5d..0343fbb 100644 --- a/examples/security-policy-edge/README.md +++ b/examples/global-backend-security-policy-complete/README.md 
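Review bot: The step ids `security-policy-all-apply`, `security-policy-all-verify` and `security-policy-all-teardown` (and the `waitFor` references chaining them) keep the old example name while the commands now run `TestGlobalSecurityPolicyComplete`, so the build log no longer says which example a step exercises. Renaming the ids to `global-security-policy-complete-apply`/`-verify`/`-teardown` and updating the two `waitFor` entries keeps them aligned with the test name. The `steps` list continues outside the hunk, so any later `waitFor` that names these ids needs the same change; I cannot see from here whether the new regional-adv-ddos example gets its own apply/verify/teardown steps.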
@@ -1,6 +1,10 @@ -# Cloud Armor Edge Security Policy with custom rule +# Cloud Armor Policy with preconfigured rules, custom rules and security rules -This example configures a single Cloud Armor Edge Security Policy with a custom rule. +This example performs the following: +- Network (VPC/Subnets/Firewall-rules/NAT). +- Creates a `global cloud armor security policy`. +- Creates a VM instance behind a `global external application load balancer`. +- Attaches `security policy` to the backend service. ## Usage diff --git a/examples/global-backend-security-policy-complete/glb.tf b/examples/global-backend-security-policy-complete/glb.tf new file mode 100644 index 0000000..244107d --- /dev/null +++ b/examples/global-backend-security-policy-complete/glb.tf 
@@ -0,0 +1,78 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# # ############## Healthcheck + +resource "google_compute_http_health_check" "default" { + provider = google-beta + project = var.project_id + + name = "glb-ca-health-check" + check_interval_sec = 5 + timeout_sec = 3 +} + +resource "google_compute_backend_service" "backend_service" { + provider = google-beta + + project = var.project_id + + name = "glb-ca-web-backend-svc-a" + port_name = "http" + protocol = "HTTP" + timeout_sec = 10 + + backend { + group = google_compute_instance_group.ca_vm_1_ig.self_link + max_utilization = 0.5 + } + + health_checks = [google_compute_http_health_check.default.id] + load_balancing_scheme = "EXTERNAL" + + ## Attach Cloud Armor policy to the backend service + security_policy = module.cloud_armor.policy.self_link +} + +resource "google_compute_url_map" "default" { + provider = google-beta + + project = var.project_id + name = "glb-ca-https" + description = "global ca url map" + + default_service = google_compute_backend_service.backend_service.id +} + +resource "google_compute_target_http_proxy" "http_glb_proxy" { + name = "glb-ca-http-proxy" + url_map = google_compute_url_map.default.id + project = var.project_id +} + +resource "google_compute_global_address" "glb_external_address" { + name = "glb-ca-http-global-ip" + project = var.project_id +} + + +resource "google_compute_global_forwarding_rule" 
"glb_forwarding_rule" { + name = "glb-ca-http-global-fr" + target = google_compute_target_http_proxy.http_glb_proxy.self_link + ip_address = google_compute_global_address.glb_external_address.address + port_range = "80" + project = var.project_id +} diff --git a/examples/security-policy-all/main.tf b/examples/global-backend-security-policy-complete/main.tf similarity index 59% rename from examples/security-policy-all/main.tf rename to examples/global-backend-security-policy-complete/main.tf index 4ab8eac..6e352ea 100644 --- a/examples/security-policy-all/main.tf +++ b/examples/global-backend-security-policy-complete/main.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +locals { + primary_region = "us-central1" + secondary_region = "us-east1" +} + resource "random_id" "suffix" { byte_length = 4 } 
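Review bot: `google_compute_backend_service.backend_service` has no `log_config`, so the Cloud Armor policy attached via `security_policy` enforces but leaves no per-request record of which rule matched; for a global external application load balancer the `enforcedSecurityPolicy` details are only emitted in the backend service request logs, so the `log_config { enable = true }` block that nlb.tf uses later in this commit is the pattern to follow here. `google_compute_http_health_check` is the legacy HTTP health check; `google_compute_health_check` with an `http_health_check { port = 80 }` block is the current resource for a backend service of this kind. The resource names (`glb-ca-health-check`, `glb-ca-web-backend-svc-a`, `glb-ca-http-global-ip`, ...) are fixed literals while main.tf suffixes its policy with `random_id.suffix.hex`; appending the same suffix avoids collisions when the example is applied twice in one project.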
@@ -24,70 +29,19 @@ module "cloud_armor" { project_id = var.project_id name = "test-casp-policy-${random_id.suffix.hex}" description = "Test Cloud Armor security policy with preconfigured rules, security rules and custom rules" - default_rule_action = "allow" + default_rule_action = "deny(502)" type = "CLOUD_ARMOR" layer_7_ddos_defense_enable = true layer_7_ddos_defense_rule_visibility = "STANDARD" user_ip_request_headers = ["True-Client-IP", ] - pre_configured_rules = { - "sqli_sensitivity_level_4" = { - action = "deny(502)" - priority = 1 - target_rule_set = "sqli-v33-stable" - } - - "xss-stable_level_2_with_exclude" = { - action = "throttle" - priority = 2 - description = "XSS Sensitivity Level 2 with excluded rules" - preview = true - target_rule_set = "xss-v33-stable" - sensitivity_level = 2 - exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941340-xss"] - rate_limit_options = { - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - } - } - - "php-stable_level_1_with_include" = { - action = "rate_based_ban" - priority = 3 - description = "PHP Sensitivity Level 1 with included rules" - target_rule_set = "php-v33-stable" - sensitivity_level = 0 - include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"] - exclude_target_rule_ids = [] - rate_limit_options = { - ban_duration_sec = 600 - enforce_on_key = "ALL" - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - ban_http_request_count = 1000 - ban_http_request_interval_sec = 300 - } - } - - "rfi_sensitivity_level_4" = { - action = "redirect" - priority = 4 - description = "Remote file inclusion 4" - redirect_type = "GOOGLE_RECAPTCHA" - target_rule_set = "rfi-v33-stable" - } - - } - security_rules = { - "deny_project_honeypot" = { - action = "deny(502)" + "allow_whitelisted_ip_ranges" = { + action = "allow" priority = 11 - 
description = "Deny Malicious IP address from project honeypot" - src_ip_ranges = ["190.217.68.211", "45.116.227.68", ] - preview = true + description = "Allow whitelisted IP address ranges" + src_ip_ranges = ["190.210.69.12", ] + preview = false } "redirect_project_drop" = { @@ -98,23 +52,9 @@ module "cloud_armor" { redirect_type = "GOOGLE_RECAPTCHA" } - "rate_ban_project_dropten" = { - action = "rate_based_ban" - priority = 13 - description = "Rate based ban for address from project dropten as soon as they cross rate limit threshold" - src_ip_ranges = ["190.217.68.213", "45.116.227.70", ] - rate_limit_options = { - ban_duration_sec = 120 - enforce_on_key = "ALL" - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - } - } - "rate_ban_project_dropthirty" = { action = "rate_based_ban" - priority = 14 + priority = 13 description = "Rate based ban for address from project dropthirty only if they cross banned threshold" src_ip_ranges = ["190.217.68.213", "45.116.227.70", ] rate_limit_options = { @@ -130,7 +70,7 @@ module "cloud_armor" { "throttle_project_droptwenty" = { action = "throttle" - priority = 15 + priority = 14 description = "Throttle IP addresses from project droptwenty" src_ip_ranges = ["190.217.68.214", "45.116.227.71", ] rate_limit_options = { @@ -151,15 +91,6 @@ module "cloud_armor" { '[US,AU,BE]'.contains(origin.region_code) EOT } - - deny_specific_ip = { - action = "deny(502)" - priority = 22 - description = "Deny Specific IP address" - expression = <<-EOT - inIpRange(origin.ip, '47.185.201.155/32') - EOT - } throttle_specific_ip = { action = "throttle" priority = 23 diff --git a/examples/global-backend-security-policy-complete/network.tf b/examples/global-backend-security-policy-complete/network.tf new file mode 100644 index 0000000..1f03c9f --- /dev/null +++ b/examples/global-backend-security-policy-complete/network.tf 
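Review bot: The hunk deletes the whole `pre_configured_rules` block (sqli, xss, php, rfi) yet the policy `description` context line still reads "with preconfigured rules, security rules and custom rules" and the renamed README in this commit carries the same title; either re-add at least one preconfigured rule or drop "preconfigured rules" from both. With `default_rule_action` now `deny(502)`, the new `allow_whitelisted_ip_ranges` rule is the only way into the backend, and its `src_ip_ranges = ["190.210.69.12", ]` is a hard-coded literal, so anyone applying the example from another address is denied; the regional example in this PR reads the same thing from `var.whitelisted_ingress_ip_ranges`, and this example should take the same variable. The `module "cloud_armor"` block continues outside the hunk, so I cannot see whether remaining rules still reference the removed priorities.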
@@ -0,0 +1,147 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + network_name = "test-global-ca" + rfc1918_cidr_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", ] +} + +/****************************************** + Ranges for default firewall rules. + *****************************************/ + +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + + +module "test_vpc" { + source = "terraform-google-modules/network/google" + version = "~> 9.0" + project_id = var.project_id + network_name = local.network_name + + subnets = [ + { + subnet_name = "subnet-100" + subnet_ip = "10.10.100.0/24" + subnet_region = local.primary_region + }, + { + subnet_name = "subnet-200" + subnet_ip = "10.10.200.0/24" + subnet_region = local.secondary_region + }, + ] +} + +module "net_firewall" { + source = "terraform-google-modules/network/google//modules/fabric-net-firewall" + version = "~> 9.0" + project_id = module.test_vpc.project_id + network = module.test_vpc.network_name + ssh_source_ranges = [] + http_source_ranges = [] + https_source_ranges = [] + internal_ranges_enabled = true + internal_ranges = local.rfc1918_cidr_ranges + internal_allow = [ + { + protocol = "all" + }, + ] + 
custom_rules = { + ca-allow-ssh-from-iap = { + description = "Allow SSH access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [22] + }, + ] + extra_attributes = {} + } + ca-allow-rdp-from-iap = { + description = "Allow RDP access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [3389] + }, + { + protocol = "udp" + ports = [3389] + }, + ] + extra_attributes = {} + } + ca-allow-lb-healthcheck = { + description = "Allow Load balancer health check to all backends" + direction = "INGRESS" + action = "allow" + ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [] + }, + ] + extra_attributes = {} + } + } +} + +module "cloud_router" { + source = "terraform-google-modules/cloud-router/google" + version = "~> 6.0" + + name = "test-ca-${local.primary_region}-cr" + project = module.test_vpc.project_id + region = local.primary_region + network = module.test_vpc.network_self_link + nats = [{ + name = "test-ca-${local.primary_region}-nat" + source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" + min_ports_per_vm = 4096 + log_config = { + "filter" = "ERRORS_ONLY" + } + }, + ] +} diff --git a/examples/security-policy-all/outputs.tf b/examples/global-backend-security-policy-complete/outputs.tf similarity index 100% rename from examples/security-policy-all/outputs.tf rename to examples/global-backend-security-policy-complete/outputs.tf 
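Review bot: `ca-allow-lb-healthcheck` uses `ports = []` on `tcp`, which opens every TCP port from the health-checker ranges to every instance in the VPC (`targets = []`), while the only backend here listens on port 80 per vm.tf's named port; `ports = [80]` is the least-privilege form. `ca-allow-rdp-from-iap` admits 3389/tcp and 3389/udp, but the example's only instance is a Debian nginx VM, so the rule can be dropped. The same two rules are copied verbatim into the regional example's network.tf later in this commit and the same remarks apply there.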
diff --git a/examples/advanced-network-ddos-protection/variables.tf b/examples/global-backend-security-policy-complete/variables.tf similarity index 100% rename from examples/advanced-network-ddos-protection/variables.tf rename to examples/global-backend-security-policy-complete/variables.tf diff --git a/examples/global-backend-security-policy-complete/vm.tf b/examples/global-backend-security-policy-complete/vm.tf new file mode 100644 index 0000000..f7a9667 --- /dev/null +++ b/examples/global-backend-security-policy-complete/vm.tf 
@@ -0,0 +1,84 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +############## Available Zones #################### + +data "google_compute_zones" "available_primary" { + project = var.project_id + region = local.primary_region +} + +############## VM Images #################### + +data "google_compute_image" "debian_image" { + family = "debian-10" + project = "debian-cloud" +} + +############## Service Account for the VM #################### + +resource "google_service_account" "vm_service_account" { + project = var.project_id + account_id = "global-ca-web-svc-act" + display_name = "ca Web server service account" +} + +############## VM Instance #################### + +resource "google_compute_instance" "ca_vm_1" { + name = "global-ca-test-vm-${data.google_compute_zones.available_primary.names[0]}" + machine_type = "e2-micro" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + allow_stopping_for_update = true + + metadata_startup_script = "apt-get update -y;apt-get install -y nginx;" + + boot_disk { + initialize_params { + image = data.google_compute_image.debian_image.self_link + } + } + + network_interface { + subnetwork = module.test_vpc.subnets_names[0] + subnetwork_project = var.project_id + } + service_account { + email = google_service_account.vm_service_account.email + scopes = [ + "cloud-platform", + ] + } +} + +############## Instance Group #################### + 
+resource "google_compute_instance_group" "ca_vm_1_ig" { + name = "global-ca-ig-${data.google_compute_zones.available_primary.names[0]}" + description = "Web Instance group zone ${data.google_compute_zones.available_primary.names[0]}" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + + instances = [ + google_compute_instance.ca_vm_1.self_link, + ] + + named_port { + name = "http" + port = 80 + } +} diff --git a/examples/security-policy-managed-protection-plus/README.md b/examples/global-backend-security-policy-enterprise/README.md similarity index 83% rename from examples/security-policy-managed-protection-plus/README.md rename to examples/global-backend-security-policy-enterprise/README.md index 595fef7..9d19f0c 100644 --- a/examples/security-policy-managed-protection-plus/README.md +++ b/examples/global-backend-security-policy-enterprise/README.md @@ -1,6 +1,7 @@ -# Cloud Armor Policy with rules supported by [Cloud Armor Managed Protection Plus (CAMP+)](https://cloud.google.com/armor/docs/managed-protection-overview) +# Cloud Armor Policy with rules supported by [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) + +This example configures a single cloud armor policy with following types of rules which are only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview): -This example configures a single cloud armor policy with following types of rules: - Threat Intelligence Rules - Rule for Automatically deploying Adaptive Protection suggested rules diff --git a/examples/security-policy-managed-protection-plus/main.tf b/examples/global-backend-security-policy-enterprise/main.tf similarity index 100% rename from examples/security-policy-managed-protection-plus/main.tf rename to examples/global-backend-security-policy-enterprise/main.tf 
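Review bot: `google_service_account.vm_service_account` uses the fixed `account_id = "global-ca-web-svc-act"`, and the instance and instance group names are likewise unsuffixed, while main.tf already derives names from `random_id.suffix.hex`; reusing that suffix (`account_id = "global-ca-web-svc-act-${random_id.suffix.hex}"`) avoids collisions when the example is applied more than once in a project. The `debian-10` image family is at or past end of life; `debian-12` is the current family for the same purpose. No IAM binding is visible for the account, so the `cloud-platform` scope grants nothing by itself; a comment such as `# Scope only caps what IAM roles allow; no roles are bound to this account` would stop a reader from assuming the VM has project-wide access.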
diff --git a/examples/security-policy-edge/outputs.tf b/examples/global-backend-security-policy-enterprise/outputs.tf similarity index 100% rename from examples/security-policy-edge/outputs.tf rename to examples/global-backend-security-policy-enterprise/outputs.tf diff --git a/examples/network-edge-security-policy/variables.tf b/examples/global-backend-security-policy-enterprise/variables.tf similarity index 100% rename from examples/network-edge-security-policy/variables.tf rename to examples/global-backend-security-policy-enterprise/variables.tf diff --git a/examples/simple-example/README.md b/examples/global-backend-security-policy-example/README.md similarity index 100% rename from examples/simple-example/README.md rename to examples/global-backend-security-policy-example/README.md diff --git a/examples/simple-example/main.tf b/examples/global-backend-security-policy-example/main.tf similarity index 100% rename from examples/simple-example/main.tf rename to examples/global-backend-security-policy-example/main.tf diff --git a/examples/security-policy-managed-protection-plus/outputs.tf b/examples/global-backend-security-policy-example/outputs.tf similarity index 100% rename from examples/security-policy-managed-protection-plus/outputs.tf rename to examples/global-backend-security-policy-example/outputs.tf diff --git a/examples/security-policy-all/variables.tf b/examples/global-backend-security-policy-example/variables.tf similarity index 100% rename from examples/security-policy-all/variables.tf rename to examples/global-backend-security-policy-example/variables.tf diff --git a/examples/security-policy-recaptcha/README.md b/examples/global-backend-security-policy-recaptcha/README.md similarity index 100% rename from examples/security-policy-recaptcha/README.md rename to examples/global-backend-security-policy-recaptcha/README.md 
diff --git a/examples/security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf similarity index 100% rename from examples/security-policy-recaptcha/main.tf rename to examples/global-backend-security-policy-recaptcha/main.tf diff --git a/examples/security-policy-recaptcha/outputs.tf b/examples/global-backend-security-policy-recaptcha/outputs.tf similarity index 100% rename from examples/security-policy-recaptcha/outputs.tf rename to examples/global-backend-security-policy-recaptcha/outputs.tf diff --git a/examples/security-policy-edge/variables.tf b/examples/global-backend-security-policy-recaptcha/variables.tf similarity index 100% rename from examples/security-policy-edge/variables.tf rename to examples/global-backend-security-policy-recaptcha/variables.tf diff --git a/examples/security-policy-all/README.md b/examples/global-edge-security-policy/README.md similarity index 74% rename from examples/security-policy-all/README.md rename to examples/global-edge-security-policy/README.md index 528f3e8..e51d288 100644 --- a/examples/security-policy-all/README.md +++ b/examples/global-edge-security-policy/README.md @@ -1,9 +1,6 @@ -# Cloud Armor Policy with preconfigured rules, custom rules and security rules +# Global Cloud Armor Edge Security Policy with custom rule -This example configures a single cloud armor policy with following types of rules: -- Pre-configured rules -- Custom rules -- Security rules +This example configures a single [Global Cloud Armor Edge Security Policy](https://cloud.google.com/armor/docs/security-policy-overview#edge-policies) with a custom rule. ## Usage diff --git a/examples/security-policy-edge/main.tf b/examples/global-edge-security-policy/main.tf similarity index 100% rename from examples/security-policy-edge/main.tf rename to examples/global-edge-security-policy/main.tf 
diff --git a/examples/simple-example/outputs.tf b/examples/global-edge-security-policy/outputs.tf similarity index 100% rename from examples/simple-example/outputs.tf rename to examples/global-edge-security-policy/outputs.tf diff --git a/examples/security-policy-managed-protection-plus/variables.tf b/examples/global-edge-security-policy/variables.tf similarity index 100% rename from examples/security-policy-managed-protection-plus/variables.tf rename to examples/global-edge-security-policy/variables.tf diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md b/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md new file mode 100644 index 0000000..641c857 --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md 
@@ -0,0 +1,46 @@
+# End to end example for Cloud Armor Advanced Network DDoS Protection & Network Edge Security Policy
+
+This example performs the following:
+- Network (VPC/Subnets/Firewall-rules/NAT).
+- Enables `advanced network DDoS protection` in two regions `us-central1` and `us-east1`.
+- Creates a `network edge security policy` in `us-central1`.
+- Creates a VM instance behind a `network load balancer`.
+- Attaches `network edge security policy` to the backend service.
+
+Advanced network DDoS protection and network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview)
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+YOUR_EXTERNAL_IP = "47.189.14.147/32"
+export TF_VAR_project_id="your_project_id"
+export TF_VAR_whitelisted_ingress_ip_ranges=[\"${YOUR_EXTERNAL_IP}\"]
+```
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project in which the resource belongs | `string` | n/a | yes |
+| whitelisted\_ingress\_ip\_ranges | whitelisted ingress ip ranges. Replace it with your own IP address | `list(string)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| adv\_ddos\_protection\_policies | Advanced Network DDoS protection Security policies created |
+| network\_edge\_security\_services | Network edge security services created |
+| policy\_rules | Security policy rules created |
+| security\_policy | Regional Network Security policy created |
+| test\_nlb\_url | Use this command to test access to the load balancer. Try it from the IP address provided in whitelisted\_ingress\_ip\_ranges and a different IP address |
+
+
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf new file mode 100644 index 0000000..b1be03f --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/main.tf 
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ primary_region = "us-central1"
+ secondary_region = "us-east1"
+}
+
+resource "random_id" "suffix" {
+ byte_length = 4
+}
+
+module "advanced_network_ddos_protection" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ regions = [local.primary_region, local.secondary_region]
+ policy_name = "test-adv-network-ddos-protection-${random_id.suffix.hex}"
+ network_edge_security_service_name = "test-network-edge-security-svc-${random_id.suffix.hex}"
+}
+
+module "network_edge_security_policy" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ region = local.primary_region
+ policy_name = "test-nw-edge-security-policy-${random_id.suffix.hex}-${local.primary_region}"
+
+ policy_rules = [
+ {
+ priority = 100
+ action = "allow"
+ preview = false
+ description = "custom rule 100"
+ src_ip_ranges = var.whitelisted_ingress_ip_ranges
+ src_region_codes = ["US"]
+ dest_ports = [80]
+ },
+ {
+ priority = 2147483646
+ action = "deny"
+ preview = false
+ src_ip_ranges = ["*"]
+ },
+ ]
+ depends_on = [
+ module.advanced_network_ddos_protection
+ ]
+}
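Review bot: The allow rule at `priority = 100` ANDs `src_ip_ranges = var.whitelisted_ingress_ip_ranges` with `src_region_codes = ["US"]`, so an address supplied through the variable is still dropped by the catch-all deny at 2147483646 whenever it geolocates outside the US; the README's input description ("Replace it with your own IP address") gives no hint of this. Either drop `src_region_codes` here or document it, e.g. `# All match fields are ANDed: the source must be both listed AND geolocated in the US` above the rule. The README's setup snippet also writes `YOUR_EXTERNAL_IP = "..."` with spaces around `=`, which bash runs as a command rather than an assignment, so `TF_VAR_whitelisted_ingress_ip_ranges` ends up as `[""]` unless the reader notices the error.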
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf new file mode 100644 index 0000000..369638b --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/network.tf 
@@ -0,0 +1,163 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + network_name = "test-ca-regional-enterprise" + rfc1918_cidr_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", ] +} + +/****************************************** + Ranges for default firewall rules. + *****************************************/ + +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + + +module "test_vpc" { + source = "terraform-google-modules/network/google" + version = "~> 9.0" + project_id = var.project_id + network_name = local.network_name + + subnets = [ + { + subnet_name = "subnet-100" + subnet_ip = "10.10.100.0/24" + subnet_region = local.primary_region + }, + { + subnet_name = "subnet-200" + subnet_ip = "10.10.200.0/24" + subnet_region = local.secondary_region + }, + ] +} + +module "net_firewall" { + source = "terraform-google-modules/network/google//modules/fabric-net-firewall" + version = "~> 9.0" + project_id = module.test_vpc.project_id + network = module.test_vpc.network_name + ssh_source_ranges = [] + http_source_ranges = [] + https_source_ranges = [] + internal_ranges_enabled = true + internal_ranges = local.rfc1918_cidr_ranges + internal_allow = [ + { + protocol = "all" 
+ }, + ] + custom_rules = { + ca-allow-ssh-from-iap = { + description = "Allow SSH access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [22] + }, + ] + extra_attributes = {} + } + ca-allow-rdp-from-iap = { + description = "Allow RDP access from IAP tunnel" + direction = "INGRESS" + action = "allow" + ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4 + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [3389] + }, + { + protocol = "udp" + ports = [3389] + }, + ] + extra_attributes = {} + } + ca-allow-lb-healthcheck = { + description = "Allow Load balancer health check to all backends" + direction = "INGRESS" + action = "allow" + ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = [] + }, + ] + extra_attributes = {} + } + ca-all-ip-address = { + description = "Allow traffic from whitelisted CIDRs" + direction = "INGRESS" + action = "allow" + ranges = ["0.0.0.0/0"] + sources = [] + targets = [] + use_service_accounts = false + rules = [ + { + protocol = "tcp" + ports = ["80", "443"] + }, + ] + extra_attributes = {} + } + } +} + +module "cloud_router" { + source = "terraform-google-modules/cloud-router/google" + version = "~> 6.0" + + name = "test-ca-${local.primary_region}-cr" + project = module.test_vpc.project_id + region = local.primary_region + network = module.test_vpc.network_self_link + nats = [{ + name = "test-ca-${local.primary_region}-nat" + source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" + min_ports_per_vm = 4096 + log_config = { + "filter" = "ERRORS_ONLY" + } + }, + ] 
+} diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf new file mode 100644 index 0000000..3c727d6 --- /dev/null +++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/nlb.tf 
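Review bot: The new `ca-all-ip-address` rule is described as "Allow traffic from whitelisted CIDRs" but sets `ranges = ["0.0.0.0/0"]` with `targets = []`, so 80/tcp and 443/tcp are open from any source to every instance in the VPC, not only to the load-balanced backend; for a passthrough network load balancer the client ranges do have to be allowed at the VPC firewall (the edge policy is what filters them), but the rule should be scoped to the backend with a target tag in `targets` and its description should say what it actually does, e.g. `description = "Allow internet clients to reach the NLB backend; filtering is done by the network edge security policy"`. Port 443 is not served by anything in this example (nlb.tf forwards only 80), so it can be dropped. The `ca-allow-lb-healthcheck` `ports = []` and the unneeded RDP rule noted on the global example's network.tf apply here as well.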
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+############## Health Check ####################
+resource "google_compute_region_health_check" "default" {
+ name = "ca-http-region-health-check"
+ project = var.project_id
+ region = local.primary_region
+
+ timeout_sec = 1
+ check_interval_sec = 1
+
+ http_health_check {
+ port = "80"
+ }
+ log_config {
+ enable = true
+ }
+}
+
+############ Backend service on the instance group ###################
+
+resource "google_compute_region_backend_service" "backend" {
+ provider = google-beta
+ project = var.project_id
+ name = "ca-website-backend-svc"
+ region = local.primary_region
+ load_balancing_scheme = "EXTERNAL"
+ health_checks = [google_compute_region_health_check.default.id]
+ backend {
+ group = google_compute_instance_group.ca_vm_1_ig.self_link
+ }
+
+ log_config {
+ enable = true
+ sample_rate = 0.5
+ }
+ ## Attach Cloud Armor policy to the backend service
+ security_policy = module.network_edge_security_policy.security_policy.self_link
+}
+
+############## Forwarding rule ####################
+
+resource "google_compute_forwarding_rule" "default" {
+ provider = google-beta
+ project = var.project_id
+ name = "ca-website-forwarding-rule"
+ region = local.primary_region
+ port_range = 80
+ backend_service = google_compute_region_backend_service.backend.id
+}
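Review bot: `port_range = 80` in the forwarding rule is written as a number while the health check above it writes `port = "80"`; both provider attributes are strings, so Terraform coerces the number, but the two resources in the same file should use one form — `port_range = "80"`. The backend service samples only half of the requests (`sample_rate = 0.5`); for an example whose purpose is to show the attached Cloud Armor policy acting on traffic, a comment such as `# 0.5 keeps log volume down; raise to 1.0 when verifying policy hits` would tell readers why not every decision will show up in the logs. The 1-second health-check `timeout_sec`/`check_interval_sec` are unusually aggressive for a freshly bootstrapped nginx VM and deserve a one-line comment if intentional.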
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf
new file mode 100644
index 0000000..f07b480
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/outputs.tf
@@ -0,0 +1,40 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "adv_ddos_protection_policies" {
+ value = module.advanced_network_ddos_protection.adv_ddos_protection_policies
+ description = "Advanced Network DDoS protection Security policies created"
+}
+
+output "network_edge_security_services" {
+ value = module.advanced_network_ddos_protection.network_edge_security_services
+ description = "Network edge security services created"
+}
+
+output "security_policy" {
+ value = module.network_edge_security_policy.security_policy
+ description = "Regional Network Security policy created"
+}
+
+output "policy_rules" {
+ value = module.network_edge_security_policy.policy_rules
+ description = "Security policy rules created"
+}
+
+output "test_nlb_url" {
+ value = "curl http://${google_compute_forwarding_rule.default.ip_address}"
+ description = "Use this command to test access to the load balancer. Try it from the IP address provided in whitelisted_ingress_ip_ranges and a different IP address"
+}
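Review bot: The `test_nlb_url` output is named as a URL but its value is a shell command (`"curl http://..."`), so anything that consumes the output as a URL gets the `curl ` prefix, and outputs that carry commands tend to be pasted straight into a shell. Output the plain address, `value = "http://${google_compute_forwarding_rule.default.ip_address}"`, and move the curl instruction into the description, which already explains how to test from an allowed and a non-allowed source address. The `security_policy` output exposes the whole module object; if only the self link is needed downstream, documenting that in the description would help readers of the README table.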
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
new file mode 100644
index 0000000..d813d82
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ tf_sa = "gcp-sinprj-terraform@sinprj.iam.gserviceaccount.com"
+}
+
+/******************************************
+ Provider credential configuration
+ *****************************************/
+provider "google" {
+ impersonate_service_account = local.tf_sa
+}
+
+provider "google-beta" {
+ impersonate_service_account = local.tf_sa
+}
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf
new file mode 100644
index 0000000..ab824e1
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/variables.tf
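Review bot: `tf_sa = "gcp-sinprj-terraform@sinprj.iam.gserviceaccount.com"` hard-codes one author's impersonation target into a published example: every other user's `terraform init`/`plan` will fail on impersonation, and the file publishes an internal project and service-account name that does not belong in the repository. The other examples in this change do not appear to ship a `provider.tf`, so the simplest fix is to drop this file; if impersonation is meant to be demonstrated, make it opt-in with a variable that defaults to `null`, e.g. `impersonate_service_account = var.impersonate_service_account` (constructed name), since a `null` value leaves the provider using ambient credentials. The `Copyright 2020` line also differs from the `2024` used by the sibling files added here, which suggests the file was copied from elsewhere.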
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project in which the resource belongs"
+ type = string
+}
+
+variable "whitelisted_ingress_ip_ranges" {
+ description = "whitelisted ingress ip ranges. Replace it with your own IP address"
+ type = list(string)
+}
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf
new file mode 100644
index 0000000..afb9cb7
--- /dev/null
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/vm.tf
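Review bot: `whitelisted_ingress_ip_ranges` is a bare `list(string)` with no `validation` block, although its values end up in an allow rule (the outputs file says traffic from these ranges is what the test exercises), so a malformed entry is only rejected by the API at apply time. Since the test asserts a bare address (`190.210.69.12`) as well, the check below accepts either a CIDR or a plain IPv4/IPv6 address and fails at plan time with a clear message. The description would also read better as `"Ingress IP ranges (CIDR or single address) allowed by the security policy. Replace with your own address"`.
```hcl
variable "whitelisted_ingress_ip_ranges" {
  description = "whitelisted ingress ip ranges. Replace it with your own IP address"
  type        = list(string)

  validation {
    condition = alltrue([
      for r in var.whitelisted_ingress_ip_ranges :
      can(cidrhost(r, 0)) || can(cidrhost("${r}/32", 0)) || can(cidrhost("${r}/128", 0))
    ])
    error_message = "Each entry must be an IPv4/IPv6 address or CIDR range, e.g. 203.0.113.10 or 203.0.113.0/24."
  }
}
```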
@@ -0,0 +1,79 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +############## Available Zones #################### + +data "google_compute_zones" "available_primary" { + project = var.project_id + region = local.primary_region +} + +############## VM Images #################### + +data "google_compute_image" "debian_image" { + family = "debian-10" + project = "debian-cloud" +} + +############## Service Account for the VM #################### + +resource "google_service_account" "vm_service_account" { + project = var.project_id + account_id = "ca-web-svc-act" + display_name = "ca Web server service account" +} + +############## VM Instance #################### + +resource "google_compute_instance" "ca_vm_1" { + name = "ca-test-vm-${data.google_compute_zones.available_primary.names[0]}" + machine_type = "e2-micro" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + allow_stopping_for_update = true + + metadata_startup_script = "apt-get update -y;apt-get install -y nginx;" + + boot_disk { + initialize_params { + image = data.google_compute_image.debian_image.self_link + } + } + + network_interface { + subnetwork = module.test_vpc.subnets_names[0] + subnetwork_project = var.project_id + } + service_account { + email = google_service_account.vm_service_account.email + scopes = [ + "cloud-platform", + ] + } +} + +############## Instance Group #################### + +resource 
"google_compute_instance_group" "ca_vm_1_ig" { + name = "ca-ig-${data.google_compute_zones.available_primary.names[0]}" + description = "Web Instance group zone ${data.google_compute_zones.available_primary.names[0]}" + zone = data.google_compute_zones.available_primary.names[0] + project = var.project_id + + instances = [ + google_compute_instance.ca_vm_1.self_link, + ] +} diff --git a/examples/advanced-network-ddos-protection/README.md b/examples/regional-advanced-network-ddos-protection-enterprise/README.md similarity index 80% rename from examples/advanced-network-ddos-protection/README.md rename to examples/regional-advanced-network-ddos-protection-enterprise/README.md index c0efd4a..c6eda25 100644 --- a/examples/advanced-network-ddos-protection/README.md +++ b/examples/regional-advanced-network-ddos-protection-enterprise/README.md @@ -1,6 +1,6 @@ # Enable Cloud Armor Advanced Network DDoS Protection -This example enables a advanced network DDoS protection in two regions. Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) +This example enables a advanced network DDoS protection in two regions `us-central1` and `us-east1`. Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) ## Usage diff --git a/examples/advanced-network-ddos-protection/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf similarity index 97% rename from examples/advanced-network-ddos-protection/main.tf rename to examples/regional-advanced-network-ddos-protection-enterprise/main.tf index e390661..c24028c 100644 --- a/examples/advanced-network-ddos-protection/main.tf +++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf 
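Review bot: The VM's `service_account` block requests `scopes = ["cloud-platform"]`, the broadest OAuth scope, for an instance whose only job (per `metadata_startup_script`) is to serve nginx. The hunk grants no IAM roles to `google_service_account.vm_service_account`, so the scope currently confers nothing, but least privilege in an example that people copy should narrow it to what the guest agent needs, e.g. `scopes = ["https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write"]`, with a comment explaining that the dedicated SA exists to avoid the default compute SA. `family = "debian-10"` also pins an old image family; a newer Debian family, or a comment saying why 10 is required, would keep the example from rotting. Creating the instance without `access_config` (no public IP) is the right call and is worth a one-line comment since the IAP firewall rules in main.tf exist for exactly that reason.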
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/examples/advanced-network-ddos-protection/outputs.tf b/examples/regional-advanced-network-ddos-protection-enterprise/outputs.tf
similarity index 97%
rename from examples/advanced-network-ddos-protection/outputs.tf
rename to examples/regional-advanced-network-ddos-protection-enterprise/outputs.tf
index a5e0190..e134108 100644
--- a/examples/advanced-network-ddos-protection/outputs.tf
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/examples/security-policy-recaptcha/variables.tf b/examples/regional-advanced-network-ddos-protection-enterprise/variables.tf
similarity index 95%
rename from examples/security-policy-recaptcha/variables.tf
rename to examples/regional-advanced-network-ddos-protection-enterprise/variables.tf
index e11d5d8..8221296 100644
--- a/examples/security-policy-recaptcha/variables.tf
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/examples/network-edge-security-policy/README.md b/examples/regional-network-edge-security-policy-enterprise/README.md
similarity index 65%
rename from examples/network-edge-security-policy/README.md
rename to examples/regional-network-edge-security-policy-enterprise/README.md
index 04e3a02..1f8badf 100644
--- a/examples/network-edge-security-policy/README.md
+++ b/examples/regional-network-edge-security-policy-enterprise/README.md @@ -1,6 +1,6 @@ # Enable Cloud Armor Network Edge Security Policy -This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [example](../advanced-network-ddos-protection/) sub-module to deploy advanced newtork ddos protection. +This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this sub-module](../advanced-network-ddos-protection/) to enable `advanced network ddos protection `. See [example](../regional-advanced-network-ddos-protection-enterprise/) for enabling advanced newtork ddos protection. If you need an end to end example for deploying security policy and attach it to backend service see [complete example](../regional-adv-ddos-and-edge-security-policy-complete/) ## Usage @@ -27,6 +27,7 @@ terraform apply | Name | Description | |------|-------------| +| network\_edge\_security\_policy\_no\_rules | Regional Network Security policy created | | policy\_rules | Security policy rules created | | security\_policy | Regional Network Security policy created | diff --git a/examples/network-edge-security-policy/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf similarity index 86% rename from examples/network-edge-security-policy/main.tf rename to examples/regional-network-edge-security-policy-enterprise/main.tf index ba70fb5..b148c47 100644 
--- a/examples/network-edge-security-policy/main.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -82,3 +82,12 @@ module "network_edge_security_policy" {
 },
 ]
 }
+
+module "network_edge_security_policy_no_rules" {
+ source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
+ version = "~> 2.0"
+
+ project_id = var.project_id
+ region = "us-central1"
+ policy_name = "nw-edge-security-policy-no-rules${random_id.suffix.hex}"
+}
diff --git a/examples/network-edge-security-policy/outputs.tf b/examples/regional-network-edge-security-policy-enterprise/outputs.tf
similarity index 79%
rename from examples/network-edge-security-policy/outputs.tf
rename to examples/regional-network-edge-security-policy-enterprise/outputs.tf
index 7e6b1b4..630da4f 100644
--- a/examples/network-edge-security-policy/outputs.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,3 +23,8 @@ output "policy_rules" {
 value = module.network_edge_security_policy.policy_rules
 description = "Security policy rules created"
 }
+
+output "network_edge_security_policy_no_rules" {
+ value = module.network_edge_security_policy_no_rules.security_policy
+ description = "Regional Network Security policy created"
+}
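Review bot: `policy_name = "nw-edge-security-policy-no-rules${random_id.suffix.hex}"` glues the random suffix onto the name with no separator, producing names like `...no-rulesa1b2c3d4` that are hard to tell apart from a typo; write `policy_name = "nw-edge-security-policy-no-rules-${random_id.suffix.hex}"`. `region = "us-central1"` is hard-coded in the new module block while the rest of the example's region choice is not visible in this hunk; if the sibling module uses a variable or local for its region, this one should share it. In the outputs.tf hunk on the same line, the new `network_edge_security_policy_no_rules` output reuses the description `"Regional Network Security policy created"` verbatim from `security_policy`, so the README table will show two identical rows — something like `"Regional Network Security policy created without any rules"` distinguishes them.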
diff --git a/examples/simple-example/variables.tf b/examples/regional-network-edge-security-policy-enterprise/variables.tf
similarity index 95%
rename from examples/simple-example/variables.tf
rename to examples/regional-network-edge-security-policy-enterprise/variables.tf
index e11d5d8..8221296 100644
--- a/examples/simple-example/variables.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md
index e82b070..c8653e8 100644
--- a/modules/network-edge-security-policy/README.md
+++ b/modules/network-edge-security-policy/README.md
@@ -1,7 +1,7 @@ # Cloud Armor Terraform Module for Network Edge Security Policy -This module creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) in specified region. Network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this](../advanced-network-ddos-protection/) sub-module to deploy `advanced network ddos protection `. +This module creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) in specified region. Network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this sub-module](../advanced-network-ddos-protection/) to enable `advanced network ddos protection `. -You can attch network edge security policy to [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network), [protocol forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding), or VMs with public IP addresses. Network edge security policy supports [byte offset filtering](https://cloud.google.com/armor/docs/network-edge-policies#byte-offset). This module creates security policy of type `CLOUD_ARMOR_NETWORK` optionally attach security policy rules to the policy. +You can attch network edge security policy to backend services of [external passthrough Network Load Balancers](https://cloud.google.com/load-balancing/docs/network). 
Network edge security policy supports [byte offset filtering](https://cloud.google.com/armor/docs/network-edge-policies#byte-offset). This module creates security policy of type `CLOUD_ARMOR_NETWORK` optionally attach security policy rules to the policy. ## Module Format @@ -100,7 +100,7 @@ module "network_edge_security_policy" { |------|-------------|------|---------|:--------:| | policy\_description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no | | policy\_name | Name of the advanced network ddos protection security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no | -| policy\_rules | Policy Rules |
list(object({
priority = number
action = string
preview = optional(bool)
description = optional(string)
src_ip_ranges = optional(list(string))
src_asns = optional(list(string))
src_region_codes = optional(list(string))
ip_protocols = optional(list(string))
src_ports = optional(list(string))
dest_ports = optional(list(string))
dest_ip_ranges = optional(list(string))

user_defined_fields = optional(list(object({
name = optional(string)
values = optional(list(string))
})))
}))
| `null` | no | +| policy\_rules | Policy Rules |
list(object({
priority = number
action = string
preview = optional(bool)
description = optional(string)
ip_protocols = optional(list(string))
src_ip_ranges = optional(list(string))
src_asns = optional(list(string))
src_region_codes = optional(list(string))
src_ports = optional(list(string))
dest_ports = optional(list(string))
dest_ip_ranges = optional(list(string))

user_defined_fields = optional(list(object({
name = optional(string)
values = optional(list(string))
})))
}))
| `null` | no | | policy\_user\_defined\_fields | Definitions of user-defined fields for CLOUD\_ARMOR\_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits |
list(object({
name = optional(string)
base = string
offset = optional(number)
size = optional(number)
mask = optional(string)
}))
| `null` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | | region | The region in which enablesecurity policy is created | `string` | n/a | yes | diff --git a/modules/network-edge-security-policy/main.tf b/modules/network-edge-security-policy/main.tf index d771da2..786cd33 100644 --- a/modules/network-edge-security-policy/main.tf +++ b/modules/network-edge-security-policy/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -48,7 +48,8 @@ resource "google_compute_region_security_policy_rule" "policy_rules" { description = each.value.description priority = each.value.priority network_match { - src_ip_ranges = lookup(each.value, "source_ip_ranges", null) + src_ip_ranges = lookup(each.value, "src_ip_ranges", null) + src_ports = lookup(each.value, "src_ports", null) src_asns = lookup(each.value, "src_asns", null) src_region_codes = lookup(each.value, "src_region_codes", null) ip_protocols = lookup(each.value, "ip_protocols", null) diff --git a/modules/network-edge-security-policy/outputs.tf b/modules/network-edge-security-policy/outputs.tf index 830a35d..eb6cad3 100644 --- a/modules/network-edge-security-policy/outputs.tf +++ b/modules/network-edge-security-policy/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/network-edge-security-policy/variables.tf b/modules/network-edge-security-policy/variables.tf index c89408e..03528d6 100644 --- a/modules/network-edge-security-policy/variables.tf +++ b/modules/network-edge-security-policy/variables.tf 
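Review bot: The corrected line `src_ip_ranges = lookup(each.value, "src_ip_ranges", null)` still uses `lookup` with a `null` default on a value whose type (`variable "policy_rules"`, an object with `src_ip_ranges = optional(list(string))`) guarantees the attribute exists — which is exactly how the old `"source_ip_ranges"` key went unnoticed: the typo never failed, it just silently produced a rule with no source match. Direct attribute access, `src_ip_ranges = each.value.src_ip_ranges` and `src_ports = each.value.src_ports` (and likewise for the `src_asns`/`src_region_codes`/`ip_protocols` lines), makes a misspelled attribute a `terraform validate` error instead of a silently weaker policy. The `google_compute_region_security_policy_rule` resource block begins and ends outside this hunk. An integration assertion that a created rule's `srcIpRanges` equals the configured value would have caught the original bug; the new complete example looks like a natural place for it.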
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -56,10 +56,10 @@ variable "policy_rules" {
 action = string
 preview = optional(bool)
 description = optional(string)
+ ip_protocols = optional(list(string))
 src_ip_ranges = optional(list(string))
 src_asns = optional(list(string))
 src_region_codes = optional(list(string))
- ip_protocols = optional(list(string))
 src_ports = optional(list(string))
 dest_ports = optional(list(string))
 dest_ip_ranges = optional(list(string))
diff --git a/modules/network-edge-security-policy/versions.tf b/modules/network-edge-security-policy/versions.tf
index 316d975..97df529 100644
--- a/modules/network-edge-security-policy/versions.tf
+++ b/modules/network-edge-security-policy/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/test/integration/security-policy-all/security_policy_test.go b/test/integration/global-backend-security-policy-complete/security_policy_test.go
similarity index 56%
rename from test/integration/security-policy-all/security_policy_test.go
rename to test/integration/global-backend-security-policy-complete/security_policy_test.go
index c4e0fd7..c25de85 100644
--- a/test/integration/security-policy-all/security_policy_test.go
+++ b/test/integration/global-backend-security-policy-complete/security_policy_test.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package security_policy
+package security_policy_all
 
 import (
 "fmt"
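Review bot: The new package name `security_policy_all` no longer matches anything around it: the file has been moved to `test/integration/global-backend-security-policy-complete/` and the test function is renamed `TestGlobalSecurityPolicyComplete` in the next hunk, so the package now carries the old directory's name. Use a name that follows the directory, e.g. `package global_backend_security_policy_complete`, or whichever convention the other renamed test packages in this series use. Go's own style would prefer a name without underscores, but matching the repository's existing convention matters more here.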
@@ -23,7 +23,7 @@ import ( "github.com/stretchr/testify/assert" ) -func TestSecurityPolicyAll(t *testing.T) { +func TestGlobalSecurityPolicyComplete(t *testing.T) { casp := tft.NewTFBlueprintTest(t) casp.DefineVerify(func(assert *assert.Assertions) { 
@@ -38,66 +38,16 @@ func TestSecurityPolicyAll(t *testing.T) { assert.Equal(policyName, pname, "has expected name") } - // Rule 1 - spRule1 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 1 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule1.Array() { - assert.Equal("deny(502)", sp.Get("action").String(), "priority 1 rule has expected action") - assert.Equal("evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4})", sp.Get("match.expr.expression").String(), "priority 1 rule has expected rule expression") - assert.Empty(sp.Get("description").String(), "priority 1 rule has expected description") - assert.False(sp.Get("preview").Bool(), "priority 1 rule Preview is set to False") - } - - // Rule 2 - spRule2 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 2 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule2.Array() { - assert.True(sp.Get("preview").Bool(), "priority 2 rule Preview is set to True") - assert.Equal("throttle", sp.Get("action").String(), "priority 2 rule has expected action") - assert.Equal("XSS Sensitivity Level 2 with excluded rules", sp.Get("description").String(), "priority 2 rule has expected description") - assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 2 rule has expected Rate limit confirm action") - assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 2 rule has expected Rate limit enforce on key") - assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 2 rule has expected Rate limit exceed action") - assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 2 rule has expected Rate limit threshold count") - assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 2 rule has expected Rate limit threshold interval") - } - - // Rule 3 - spRule3 := gcloud.Run(t, 
fmt.Sprintf("compute security-policies rules describe 3 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule3.Array() { - assert.False(sp.Get("preview").Bool(), " priority 3 rule Preview is set to False") - assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 3 rule has expected action") - assert.Equal("PHP Sensitivity Level 1 with included rules", sp.Get("description").String(), "priority 3 rule has expected description") - assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 3 rule has expected Rate limit confirm action") - assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 3 rule has expected Rate limit enforce on key") - assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 3 rule has expected Rate limit exceed action") - assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 3 rule has expected Rate limit threshold count") - assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 3 rule has expected Rate limit threshold interval") - assert.Equal("600", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 3 rule has expected Rate limit ban duration") - assert.Equal("1000", sp.Get("rateLimitOptions.banThreshold.count").String(), "priority 3 rule has expected Rate limit ban threshold count") - assert.Equal("300", sp.Get("rateLimitOptions.banThreshold.intervalSec").String(), "priority 3 rule has expected Rate limit ban threshold interval") - } - - // Rule 4 - spRule4 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 4 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule4.Array() { - assert.False(sp.Get("preview").Bool(), "priority 4 rule Preview is set to False") - assert.Equal("redirect", sp.Get("action").String(), "priority 4 rule has expected action") - assert.Equal("Remote file 
inclusion 4", sp.Get("description").String(), "priority 4 rule has expected description") - assert.Equal("evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 4})", sp.Get("match.expr.expression").String(), "priority 1 rule has expected rule expression") - assert.Equal("GOOGLE_RECAPTCHA", sp.Get("redirectOptions.type").String(), "priority 4 rule has expected redirect type") - } - // Rule 11 spRule11 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 11 --security-policy=%s --project %s", policyName, projectId)) for _, sp := range spRule11.Array() { - assert.True(sp.Get("preview").Bool(), "priority 11 rule Preview is set to True") - assert.Equal("deny(502)", sp.Get("action").String(), "priority 11 rule has expected action") - assert.Equal("Deny Malicious IP address from project honeypot", sp.Get("description").String(), "priority 11 rule has expected description") - assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 11 rule has expected redirect type") + assert.False(sp.Get("preview").Bool(), "priority 11 rule Preview is set to False") + assert.Equal("allow", sp.Get("action").String(), "priority 11 rule has expected action") + assert.Equal("Allow whitelisted IP address ranges", sp.Get("description").String(), "priority 11 rule has expected description") srcIpRanges := sp.Get("match.config.srcIpRanges").Array() - assert.Equal(2, len(srcIpRanges), "found only 2 IP address") - assert.Equal(srcIpRanges[0].String(), "190.217.68.211", "priority 11 rule found first valid cidr range") - assert.Equal(srcIpRanges[1].String(), "45.116.227.68", "priority 11 rule found second valid cidr range") + assert.Equal(1, len(srcIpRanges), "found only 2 IP address") + assert.Equal(srcIpRanges[0].String(), "190.210.69.12", "priority 11 rule found first valid cidr range") } // Rule 12 
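Review bot: The new assertion `assert.Equal(1, len(srcIpRanges), "found only 2 IP address")` checks for one range but keeps the old failure message claiming two, so a failing run reports the wrong expectation; use `"priority 11 rule found only 1 IP address"`. The next new line, `assert.Equal(srcIpRanges[0].String(), "190.210.69.12", ...)`, passes the actual value where testify expects the expected one (`Equal(expected, actual, ...)`), which inverts the "expected/actual" labels in the failure output — `assert.Equal("190.210.69.12", srcIpRanges[0].String(), "priority 11 rule found first valid cidr range")`. The hunk also drops all assertions for rules 1–4; if the renamed complete example still defines those WAF, throttle and rate-based-ban rules, that coverage is lost silently, so a comment or a follow-up noting why would help.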
@@ -120,14 +70,14 @@ func TestSecurityPolicyAll(t *testing.T) { for _, sp := range spRule13.Array() { assert.False(sp.Get("preview").Bool(), "priority 13 rule Preview is set to False") assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 13 rule has expected action") - assert.Equal("Rate based ban for address from project dropten as soon as they cross rate limit threshold", sp.Get("description").String(), "priority 13 rule has expected description") + assert.Equal("Rate based ban for address from project dropthirty only if they cross banned threshold", sp.Get("description").String(), "priority 13 rule has expected description") assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 13 rule has expected redirect type") srcIpRanges := sp.Get("match.config.srcIpRanges").Array() assert.Equal(2, len(srcIpRanges), "priority 13 rule found only 2 IP address") assert.Equal(srcIpRanges[0].String(), "45.116.227.70", "priority 13 rule found first valid cidr range") assert.Equal(srcIpRanges[1].String(), "190.217.68.213", "priority 13 rule found second valid cidr range") - assert.Equal("120", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 13 rule has Rate limit ban duration") + assert.Equal("300", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 13 rule has Rate limit ban duration") assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 13 rule has Rate limit confirm action") assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 13 rule has Rate limit Enforce on key") assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 13 rule has Rate limit exceed action") 
@@ -139,43 +89,21 @@ func TestSecurityPolicyAll(t *testing.T) { spRule14 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 14 --security-policy=%s --project %s", policyName, projectId)) for _, sp := range spRule14.Array() { assert.False(sp.Get("preview").Bool(), "priority 14 rule Preview is set to False") - assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 14 rule has expected action") - assert.Equal("Rate based ban for address from project dropthirty only if they cross banned threshold", sp.Get("description").String(), "priority 14 rule has expected description") + assert.Equal("throttle", sp.Get("action").String(), "priority 14 rule has expected action") + assert.Equal("Throttle IP addresses from project droptwenty", sp.Get("description").String(), "priority 14 rule has expected description") assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 14 rule has expected redirect type") srcIpRanges := sp.Get("match.config.srcIpRanges").Array() assert.Equal(2, len(srcIpRanges), "priority 14 rule found only 2 IP address") - assert.Equal(srcIpRanges[0].String(), "45.116.227.70", "priority 14 rule found first valid cidr range") - assert.Equal(srcIpRanges[1].String(), "190.217.68.213", "priority 14 rule found second valid cidr range") - assert.Equal("300", sp.Get("rateLimitOptions.banDurationSec").String(), "priority 14 rule has Rate limit ban duration") - assert.Equal("1000", sp.Get("rateLimitOptions.banThreshold.count").String(), "priority 14 rule has Rate limit threshold count") - assert.Equal("300", sp.Get("rateLimitOptions.banThreshold.intervalSec").String(), "priority 14 rule has Rate limit threshold interval") + assert.Equal(srcIpRanges[0].String(), "45.116.227.71", "priority 14 rule found first valid cidr range") + assert.Equal(srcIpRanges[1].String(), "190.217.68.214", "priority 14 rule found second valid cidr range") assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 14 
rule has Rate limit confirm action") - assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 14 rule has Rate limit Enforce on key") + assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 14 rule has Rate limit Enforce on key") assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 14 rule has Rate limit exceed action") assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 14 rule has Rate limit threshold count") assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 14 rule has Rate limit threshold interval") } - // Rule 15 - spRule15 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 15 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule15.Array() { - assert.False(sp.Get("preview").Bool(), "priority 15 rule Preview is set to False") - assert.Equal("throttle", sp.Get("action").String(), "priority 15 rule has expected action") - assert.Equal("Throttle IP addresses from project droptwenty", sp.Get("description").String(), "priority 15 rule has expected description") - assert.Equal("SRC_IPS_V1", sp.Get("match.versionedExpr").String(), "priority 15 rule has expected redirect type") - - srcIpRanges := sp.Get("match.config.srcIpRanges").Array() - assert.Equal(2, len(srcIpRanges), "priority 15 rule found only 2 IP address") - assert.Equal(srcIpRanges[0].String(), "45.116.227.71", "priority 15 rule found first valid cidr range") - assert.Equal(srcIpRanges[1].String(), "190.217.68.214", "priority 15 rule found second valid cidr range") - assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 15 rule has Rate limit confirm action") - assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 15 rule has Rate limit Enforce on key") - assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 
15 rule has Rate limit exceed action") - assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 15 rule has Rate limit threshold count") - assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 15 rule has Rate limit threshold interval") - } - // Rule 21 spRule21 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 21 --security-policy=%s --project %s", policyName, projectId)) for _, sp := range spRule21.Array() { @@ -185,15 +113,6 @@ func TestSecurityPolicyAll(t *testing.T) { assert.Equal("'[US,AU,BE]'.contains(origin.region_code)\n", sp.Get("match.expr.expression").String(), "priority 21 rule has expected expression") } - // Rule 22 - spRule22 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 22 --security-policy=%s --project %s", policyName, projectId)) - for _, sp := range spRule22.Array() { - assert.False(sp.Get("preview").Bool(), "priority 22 rule Preview is set to False") - assert.Equal("deny(502)", sp.Get("action").String(), "priority 22 rule has expected action") - assert.Equal("Deny Specific IP address", sp.Get("description").String(), "priority 22 rule has expected description") - assert.Equal("inIpRange(origin.ip, '47.185.201.155/32')\n", sp.Get("match.expr.expression").String(), "priority 22 rule has expected expression") - } - // Rule 23 spRule23 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 23 --security-policy=%s --project %s", policyName, projectId)) for _, sp := range spRule23.Array() { diff --git a/test/integration/simple-example/simple_example_test.go b/test/integration/global-backend-security-policy-example/simple_example_test.go similarity index 100% rename from test/integration/simple-example/simple_example_test.go rename to test/integration/global-backend-security-policy-example/simple_example_test.go 
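Review bot: The new throttle assertions for rule 14 only check that `rateLimitOptions.enforceOnKey` is the empty string, which says nothing about what the throttle is actually keyed on; if the rule is configured with `enforce_on_key_configs` (as the README's throttle example carrying the same description is), the test should also read `rateLimitOptions.enforceOnKeyConfigs` and assert its entries, otherwise a rule that silently lost its key configs still passes. Separately, `assert.Equal(srcIpRanges[0].String(), "45.116.227.71", …)` and the line below it pass the observed value as testify's expected argument, the reverse of the literal-first asserts in the same loop, so failure output for those two lines reads backwards. The values in the sketch below are taken from the README example and need confirming against the fixture; TestSecurityPolicyAll begins before this hunk.
```go
		// … unchanged: rule 14 action/description/srcIpRanges/rateLimitThreshold assertions …
		enforceOnKeyConfigs := sp.Get("rateLimitOptions.enforceOnKeyConfigs").Array()
		assert.Equal(2, len(enforceOnKeyConfigs), "priority 14 rule has expected number of enforce on key configs") // count assumed from README example; confirm
		assert.Equal("HTTP_PATH", enforceOnKeyConfigs[0].Get("enforceOnKeyType").String(), "priority 14 rule first enforce on key type")
		assert.Equal("HTTP_COOKIE", enforceOnKeyConfigs[1].Get("enforceOnKeyType").String(), "priority 14 rule second enforce on key type")
		assert.Equal("site_id", enforceOnKeyConfigs[1].Get("enforceOnKeyName").String(), "priority 14 rule cookie enforce on key name")
```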
diff --git a/test/integration/security-policy-edge/security_policy_edge_test.go b/test/integration/global-edge-security-policy/security_policy_edge_test.go
similarity index 98%
rename from test/integration/security-policy-edge/security_policy_edge_test.go
rename to test/integration/global-edge-security-policy/security_policy_edge_test.go
index 3fac969..7eeb42c 100644
--- a/test/integration/security-policy-edge/security_policy_edge_test.go
+++ b/test/integration/global-edge-security-policy/security_policy_edge_test.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package security_policy
+package security_policy_edge
 import (
 "fmt"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 25401fe..03dbd5c 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -19,6 +19,11 @@ locals {
 "roles/compute.orgSecurityPolicyAdmin",
 "roles/recaptchaenterprise.admin",
 "roles/compute.securityAdmin",
+ "roles/compute.admin",
+ "roles/logging.viewer",
+ "roles/servicenetworking.networksAdmin",
+ "roles/iam.serviceAccountAdmin",
+ "roles/iam.serviceAccountUser",
 ]
 }
From 5be4d6f9b24d921ef977708fce35693c815de56a Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 23 Apr 2024 15:10:30 +0000
Subject: [PATCH 08/10] removed provider.tf file
---
 .../provider.tf | 30 -------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf b/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
deleted file mode 100644
index d813d82..0000000
--- a/examples/regional-adv-ddos-and-edge-security-policy-complete/provider.tf
+++ /dev/null
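Review bot: `roles/compute.admin` is added to the test service account's role list in `test/setup/iam.tf` while `roles/compute.securityAdmin` remains on the line above it; compute.admin already contains those permissions, so the narrower role becomes redundant and the account now has full control over every Compute resource in the test project rather than only what the example load balancer and VM resources need. `roles/iam.serviceAccountUser` granted at project scope likewise lets this account act as every service account in the project, not just the ones the examples create. If the examples only need instance, network and load-balancer management, `roles/compute.instanceAdmin.v1`, `roles/compute.networkAdmin` and `roles/compute.loadBalancerAdmin` cover that with a smaller blast radius; at minimum a comment on the added lines such as `# broad roles added for the <example name> integration test; scope down once the required permissions are known` would record why they are here. The `locals` block is shown in full within this hunk.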
@@ -1,30 +0,0 @@
-/**
- * Copyright 2020 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- tf_sa = "gcp-sinprj-terraform@sinprj.iam.gserviceaccount.com"
-}
-
-/******************************************
- Provider credential configuration
- *****************************************/
-provider "google" {
- impersonate_service_account = local.tf_sa
-}
-
-provider "google-beta" {
- impersonate_service_account = local.tf_sa
-}
From ad67b12cc619c798797a3f5625605b966b424c19 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 23 Apr 2024 15:31:27 +0000
Subject: [PATCH 09/10] updated README
---
 examples/global-backend-security-policy-complete/README.md | 2 +-
 .../README.md | 2 +-
 .../README.md | 2 +-
 .../regional-network-edge-security-policy-enterprise/README.md | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/global-backend-security-policy-complete/README.md b/examples/global-backend-security-policy-complete/README.md
index 0343fbb..e9f3c62 100644
--- a/examples/global-backend-security-policy-complete/README.md
+++ b/examples/global-backend-security-policy-complete/README.md
@@ -4,7 +4,7 @@ This example performs the following:
 - Network (VPC/Subnets/Firewall-rules/NAT).
 - Creates a `global cloud armor security policy`.
 - Creates a VM instance behind a `global external application load balancer`.
-- Attaches `security policy` to the backend service.
+- Attaches `security policy` to the backend service by passing security policy link in `security_policy` parameter in `google_compute_backend_service` resource.
 ## Usage
diff --git a/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md b/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md
index 641c857..fffb8fd 100644
--- a/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md
+++ b/examples/regional-adv-ddos-and-edge-security-policy-complete/README.md
@@ -5,7 +5,7 @@ This example performs the following:
 - Enables `advanced network DDoS protection` in two regions `us-central1` and `us-east1`.
 - Creates a `network edge security policy` in `us-central1`.
 - Creates a VM instance behind a `network load balancer`.
-- Attaches `network edge security policy` to the backend service.
+- Attaches `network edge security policy` to the backend service by passing security policy link in `security_policy` parameter in `google_compute_region_backend_service` resource.
 Advanced network DDoS protection and network edge security policy is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview)
diff --git a/examples/regional-advanced-network-ddos-protection-enterprise/README.md b/examples/regional-advanced-network-ddos-protection-enterprise/README.md
index c6eda25..5bc5b7a 100644
--- a/examples/regional-advanced-network-ddos-protection-enterprise/README.md
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/README.md
@@ -1,6 +1,6 @@
 # Enable Cloud Armor Advanced Network DDoS Protection
-This example enables a advanced network DDoS protection in two regions `us-central1` and `us-east1`. Advanced network DDoS protection is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview)
+This example enables a [advanced network DDoS protection](https://cloud.google.com/armor/docs/armor-enterprise-overview#advanced_network_ddos_protection) in two regions `us-central1` and `us-east1`. `Advanced network DDoS protection` is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview)
 ## Usage
diff --git a/examples/regional-network-edge-security-policy-enterprise/README.md b/examples/regional-network-edge-security-policy-enterprise/README.md
index 1f8badf..8ed2062 100644
--- a/examples/regional-network-edge-security-policy-enterprise/README.md
+++ b/examples/regional-network-edge-security-policy-enterprise/README.md
@@ -1,6 +1,6 @@
 # Enable Cloud Armor Network Edge Security Policy
-This example creates network edge security policy with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this sub-module](../advanced-network-ddos-protection/) to enable `advanced network ddos protection `. See [example](../regional-advanced-network-ddos-protection-enterprise/) for enabling advanced newtork ddos protection. If you need an end to end example for deploying security policy and attach it to backend service see [complete example](../regional-adv-ddos-and-edge-security-policy-complete/)
+This example creates [network edge security policy](https://cloud.google.com/armor/docs/network-edge-policies) with policy rules. Feature is only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview) with [Advanced network DDoS protection](https://cloud.google.com/armor/docs/advanced-network-ddos#activate-advanced-ddos-protection) enabled. You can use [this sub-module](../advanced-network-ddos-protection/) to enable `advanced network ddos protection `. See [example](../regional-advanced-network-ddos-protection-enterprise/) for enabling advanced newtork ddos protection. If you need an end to end example for deploying security policy and attach it to backend service see [complete example](../regional-adv-ddos-and-edge-security-policy-complete/)
 ## Usage
From 8a17666717fcffd07c66ba125ef05bf75be49c18 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 23 Apr 2024 15:48:35 +0000
Subject: [PATCH 10/10] updated README
---
 README.md | 134 +++---------------
 .../network-edge-security-policy/README.md | 22 +++
 2 files changed, 43 insertions(+), 113 deletions(-)
diff --git a/README.md b/README.md index aec95e4..a9b64ce 100644 --- a/README.md +++ b/README.md @@ -83,55 +83,6 @@ module "security_policy" { sensitivity_level = 4 description = "sqli-v33-stable Sensitivity Level 4 and 2 preconfigured_waf_config_exclusions" - - preconfigured_waf_config_exclusions = { - exclusion_1 = { - target_rule_set = "sqli-v33-stable" - target_rule_ids = ["owasp-crs-v030301-id942120-sqli", "owasp-crs-v030301-id942130-sqli"] - request_cookie = [ - { - operator = "STARTS_WITH" - value = "abc" - } - ] - request_header = [ - { - operator = "STARTS_WITH" - value = "xyz" - }, - { - operator = "STARTS_WITH" - value = "uvw" - } - ] - } - - exclusion_2 = { - target_rule_set = "sqli-v33-stable" - target_rule_ids = ["owasp-crs-v030301-id942150-sqli", "owasp-crs-v030301-id942180-sqli"] - request_header = [ - { - operator = "STARTS_WITH" - value = "lmn" - }, - { - operator = "ENDS_WITH" - value = "opq" - } - ] - request_uri = [ - { - operator = "CONTAINS" - value = "https://hashicorp.com" - }, - { - operator = "CONTAINS" - value = "https://xyz.com" - }, - ] - } - - } } "xss-stable_level_2_with_exclude" = { @@ -166,15 +117,6 @@ module "security_policy" { preview = true } - "redirect_project_rd" = { - action = "redirect" - priority = 12 - description = "Redirect IP address from project RD" - src_ip_ranges = ["190.217.68.215", "45.116.227.99", ] - redirect_type = "EXTERNAL_302" - redirect_target = "https://www.example.com" - } - "rate_ban_project_actor3" = { action = "rate_based_ban" priority = 14 
@@ -190,29 +132,6 @@ module "security_policy" { enforce_on_key = "ALL" } } - - "throttle_project_droptwenty" = { - action = "throttle" - priority = 15 - description = "Throttle IP addresses from project droptwenty" - src_ip_ranges = ["190.217.68.214", "45.116.227.71", ] - - rate_limit_options = { - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - enforce_on_key_configs = [ - { - enforce_on_key_type = "HTTP_PATH" - }, - { - enforce_on_key_type = "HTTP_COOKIE" - enforce_on_key_name = "site_id" - } - ] - } - - } } # Custom Rules using CEL @@ -237,20 +156,6 @@ module "security_policy" { EOT } - throttle_specific_ip_region = { - action = "throttle" - priority = 23 - description = "Throttle specific IP address in US Region" - expression = <<-EOT - origin.region_code == "US" && inIpRange(origin.ip, '47.185.201.159/32') - EOT - rate_limit_options = { - exceed_action = "deny(502)" - rate_limit_http_request_count = 10 - rate_limit_http_request_interval_sec = 60 - } - } - allow_path_token_header = { action = "allow" priority = 25 @@ -272,17 +177,6 @@ module "security_policy" { ] } - - deny_java_level3_with_exclude = { - action = "deny(502)" - priority = 100 - description = "Deny pre-configured rule java-v33-stable at sensitivity level 3" - preview = true - expression = <<-EOT - evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3, 'opt_out_rule_ids': ['owasp-crs-v030301-id944240-java', 'owasp-crs-v030301-id944120-java']}) - EOT - } - } # Threat Intelligence Rules 
@@ -297,18 +191,32 @@ module "security_policy" { feed = "iplist-known-malicious-ips" exclude_ip = "['47.100.100.100', '47.189.12.139']" } + } - deny_tor_exit_ips = { - action = "deny(502)" - priority = 210 - description = "Deny Tor exit nodes IP addresses" - preview = false - feed = "iplist-tor-exit-nodes" - } +} + +resource "google_compute_backend_service" "backend_service" { + provider = google-beta + + ## Attach Cloud Armor policy to the backend service + security_policy = module.cloud_armor.policy.self_link + project = var.project_id + + name = "glb-ca-web-backend-svc-a" + port_name = "http" + protocol = "HTTP" + timeout_sec = 10 + + backend { + group = google_compute_instance_group.ca_vm_1_ig.self_link + max_utilization = 0.5 } + health_checks = [google_compute_http_health_check.default.id] + load_balancing_scheme = "EXTERNAL" } + ``` diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index c8653e8..27c03f9 100644 --- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md @@ -88,8 +88,30 @@ module "network_edge_security_policy" { dest_ip_ranges = ["10.100.0.0/16"] }, ] +} +## Backnd service to attach the security policy +resource "google_compute_region_backend_service" "backend" { + provider = google-beta + + ## Attach Cloud Armor policy to the backend service + security_policy = module.network_edge_security_policy.security_policy.self_link + + project = var.project_id + name = "ca-website-backend-svc" + region = local.primary_region + load_balancing_scheme = "EXTERNAL" + health_checks = [google_compute_region_health_check.default.id] + backend { + group = google_compute_instance_group.ca_vm_1_ig.self_link + } + + log_config { + enable = true + sample_rate = 0.5 + } } + ```