GoogleCloudPlatform · imrannayer · Apr 23, 2024 · Apr 19, 2024 · Apr 19, 2024 · Apr 20, 2024
@@ -1,12 +1,21 @@
 # Cloud Armor Terraform Module
-This module makes it easy to setup [Cloud Armor Security Policy](https://cloud.google.com/armor/docs/cloud-armor-overview#security_policies) with Security rules. There are `five` type of rules you can create in each policy:
+This module makes it easy to setup [Cloud Armor global Security Policy](https://cloud.google.com/armor/docs/cloud-armor-overview#security_policies) with Security rules. You can attach the global Security Policy policy to backend services exposed by the following load balancer types:
+- Global external Application Load Balancer (HTTP/HTTPS)
+- Classic Application Load Balancer (HTTP/HTTPS)
+- Global external proxy Network Load Balancer (TCP/SSL)
+- Classic proxy Network Load Balancer (TCP/SSL)
+
+There are `five` type of rules you can create in each policy:
 1) [Pre-Configured Rules](#pre_configured_rules): These are based on [pre-configured waf rules](https://cloud.google.com/armor/docs/waf-rules).
 2) [Security Rules](#security_rules): Allow or Deny traffic from list of IP addresses or IP adress ranges.
 3) [Custom Rules](#custom_rules): You can create your own rules using [Common Expression Language (CEL)](https://cloud.google.com/armor/docs/rules-language-reference).
 4) [Threat Intelligence Rules](#threat_intelligence_rules): Add Rules based on [threat intelligence](https://cloud.google.com/armor/docs/threat-intelligence). [Managed protection plus](https://cloud.google.com/armor/docs/managed-protection-overview) subscription is needed to use this feature.
 5) [Automatically deploy Adaptive Protection Suggested Rules](#adaptive_protection_auto_deploy); When enable module will create a rule for automatically deploying the suggested rules that [Adaptive Protection generates](https://cloud.google.com/armor/docs/adaptive-protection-auto-deploy).
 
 
+NOTE: For `external passthrough Network Load Balancers`, `protocol forwarding` and `VMs with public IP addresses` create [network Edge Security policy](https://cloud.google.com/armor/docs/security-policy-overview#network-edge-policies) using [advanced network DDoS protection](./modules/advanced-network-ddos-protection/) and [network edge security policy](./modules/network-edge-security-policy/) sub-modules.
+
+
 ## Compatibility
 
 This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
@@ -785,6 +794,11 @@ The following dependencies must be available:
 A service account with the following permission must be used to provision
 the resources of this module:
 
+- compute.networkEdgeSecurityServices.create
+- compute.networkEdgeSecurityServices.update
+- compute.networkEdgeSecurityServices.get
+- compute.networkEdgeSecurityServices.delete
+- compute.networkEdgeSecurityServices.list
 - compute.securityPolicies.create
 - compute.securityPolicies.delete
 - compute.securityPolicies.get

@@ -35,17 +35,17 @@ steps:
   waitFor:
     - init-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage apply --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage apply --verbose']
 - id: security-policy-all-verify
   waitFor:
     - security-policy-all-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage verify --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage verify --verbose']
 - id: security-policy-all-teardown
   waitFor:
     - security-policy-all-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyAll --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage teardown --verbose']
 
 - id: simple-example-apply
   waitFor:

@@ -1,6 +1,10 @@
-# Cloud Armor Edge Security Policy with custom rule
+# Cloud Armor Policy with preconfigured rules, custom rules and security rules
 
-This example configures a single Cloud Armor Edge Security Policy with a custom rule.
+This example performs the following:
+- Network (VPC/Subnets/Firewall-rules/NAT).
+- Creates a `global cloud armor security policy`.
+- Creates a VM instance behind a `global external application load balancer`.
+- Attaches `security policy` to the backend service.
 
 ## Usage
 

@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# # ############## Healthcheck
+
+resource "google_compute_http_health_check" "default" {
+  provider = google-beta
+  project  = var.project_id
+
+  name               = "glb-ca-health-check"
+  check_interval_sec = 5
+  timeout_sec        = 3
+}
+
+resource "google_compute_backend_service" "backend_service" {
+  provider = google-beta
+
+  project = var.project_id
+
+  name        = "glb-ca-web-backend-svc-a"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  backend {
+    group           = google_compute_instance_group.ca_vm_1_ig.self_link
+    max_utilization = 0.5
+  }
+
+  health_checks         = [google_compute_http_health_check.default.id]
+  load_balancing_scheme = "EXTERNAL"
+
+  ## Attach Cloud Armor policy to the backend service
+  security_policy = module.cloud_armor.policy.self_link
+}
+
+resource "google_compute_url_map" "default" {
+  provider = google-beta
+
+  project     = var.project_id
+  name        = "glb-ca-https"
+  description = "global ca url map"
+
+  default_service = google_compute_backend_service.backend_service.id
+}
+
+resource "google_compute_target_http_proxy" "http_glb_proxy" {
+  name    = "glb-ca-http-proxy"
+  url_map = google_compute_url_map.default.id
+  project = var.project_id
+}
+
+resource "google_compute_global_address" "glb_external_address" {
+  name    = "glb-ca-http-global-ip"
+  project = var.project_id
+}
+
+
+resource "google_compute_global_forwarding_rule" "glb_forwarding_rule" {
+  name       = "glb-ca-http-global-fr"
+  target     = google_compute_target_http_proxy.http_glb_proxy.self_link
+  ip_address = google_compute_global_address.glb_external_address.address
+  port_range = "80"
+  project    = var.project_id
+}
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+locals {
+  primary_region   = "us-central1"
+  secondary_region = "us-east1"
+}
+
 resource "random_id" "suffix" {
   byte_length = 4
 }
@@ -24,70 +29,19 @@ module "cloud_armor" {
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"
   description                          = "Test Cloud Armor security policy with preconfigured rules, security rules and custom rules"
-  default_rule_action                  = "allow"
+  default_rule_action                  = "deny(502)"
   type                                 = "CLOUD_ARMOR"
   layer_7_ddos_defense_enable          = true
   layer_7_ddos_defense_rule_visibility = "STANDARD"
   user_ip_request_headers              = ["True-Client-IP", ]
 
-  pre_configured_rules = {
-    "sqli_sensitivity_level_4" = {
-      action          = "deny(502)"
-      priority        = 1
-      target_rule_set = "sqli-v33-stable"
-    }
-
-    "xss-stable_level_2_with_exclude" = {
-      action                  = "throttle"
-      priority                = 2
-      description             = "XSS Sensitivity Level 2 with excluded rules"
-      preview                 = true
-      target_rule_set         = "xss-v33-stable"
-      sensitivity_level       = 2
-      exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941340-xss"]
-      rate_limit_options = {
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-      }
-    }
-
-    "php-stable_level_1_with_include" = {
-      action                  = "rate_based_ban"
-      priority                = 3
-      description             = "PHP Sensitivity Level 1 with included rules"
-      target_rule_set         = "php-v33-stable"
-      sensitivity_level       = 0
-      include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
-      exclude_target_rule_ids = []
-      rate_limit_options = {
-        ban_duration_sec                     = 600
-        enforce_on_key                       = "ALL"
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-        ban_http_request_count               = 1000
-        ban_http_request_interval_sec        = 300
-      }
-    }
-
-    "rfi_sensitivity_level_4" = {
-      action          = "redirect"
-      priority        = 4
-      description     = "Remote file inclusion 4"
-      redirect_type   = "GOOGLE_RECAPTCHA"
-      target_rule_set = "rfi-v33-stable"
-    }
-
-  }
-
   security_rules = {
-    "deny_project_honeypot" = {
-      action        = "deny(502)"
+    "allow_whitelisted_ip_ranges" = {
+      action        = "allow"
       priority      = 11
-      description   = "Deny Malicious IP address from project honeypot"
-      src_ip_ranges = ["190.217.68.211", "45.116.227.68", ]
-      preview       = true
+      description   = "Allow whitelisted IP address ranges"
+      src_ip_ranges = ["190.210.69.12", ]
+      preview       = false
     }
 
     "redirect_project_drop" = {
@@ -98,23 +52,9 @@ module "cloud_armor" {
       redirect_type = "GOOGLE_RECAPTCHA"
     }
 
-    "rate_ban_project_dropten" = {
-      action        = "rate_based_ban"
-      priority      = 13
-      description   = "Rate based ban for address from project dropten as soon as they cross rate limit threshold"
-      src_ip_ranges = ["190.217.68.213", "45.116.227.70", ]
-      rate_limit_options = {
-        ban_duration_sec                     = 120
-        enforce_on_key                       = "ALL"
-        exceed_action                        = "deny(502)"
-        rate_limit_http_request_count        = 10
-        rate_limit_http_request_interval_sec = 60
-      }
-    }
-
     "rate_ban_project_dropthirty" = {
       action        = "rate_based_ban"
-      priority      = 14
+      priority      = 13
       description   = "Rate based ban for address from project dropthirty only if they cross banned threshold"
       src_ip_ranges = ["190.217.68.213", "45.116.227.70", ]
       rate_limit_options = {
@@ -130,7 +70,7 @@ module "cloud_armor" {
 
     "throttle_project_droptwenty" = {
       action        = "throttle"
-      priority      = 15
+      priority      = 14
       description   = "Throttle IP addresses from project droptwenty"
       src_ip_ranges = ["190.217.68.214", "45.116.227.71", ]
       rate_limit_options = {
@@ -151,15 +91,6 @@ module "cloud_armor" {
         '[US,AU,BE]'.contains(origin.region_code)
       EOT
     }
-
-    deny_specific_ip = {
-      action      = "deny(502)"
-      priority    = 22
-      description = "Deny Specific IP address"
-      expression  = <<-EOT
-        inIpRange(origin.ip, '47.185.201.155/32')
-      EOT
-    }
     throttle_specific_ip = {
       action      = "throttle"
       priority    = 23