
Commit

Address sruffilli@ comments
Luca Prete committed Aug 29, 2024
1 parent 08510d0 commit 24c7068
Showing 9 changed files with 860 additions and 10 deletions.
12 changes: 6 additions & 6 deletions fast/stages/2-security/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -285,12 +285,12 @@ tls_inspection = {
| [organization](variables-fast.tf#L46) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>0-bootstrap</code> |
| [prefix](variables-fast.tf#L56) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> || | <code>0-bootstrap</code> |
| [service_accounts](variables-fast.tf#L66) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; nsec &#61; string&#10; nsec-r &#61; string&#10; project-factory &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>1-resman</code> |
| [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_configs &#61; map&#40;any&#41;&#10; ca_pool_config &#61; map&#40;any&#41;&#10; location &#61; string&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_configs &#61; map&#40;any&#41;&#10; ca_pool_config &#61; map&#40;any&#41;&#10; location &#61; string&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [essential_contacts](variables.tf#L46) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
| [kms_keys](variables.tf#L52) | KMS keys to create, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; rotation_period &#61; optional&#40;string, &#34;7776000s&#34;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; locations &#61; optional&#40;list&#40;string&#41;, &#91;&#10; &#34;europe&#34;, &#34;europe-west1&#34;, &#34;europe-west3&#34;, &#34;global&#34;&#10; &#93;&#41;&#10; purpose &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10; skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10; version_template &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; string&#10; protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [ngfw_tls_configs](variables.tf#L91) | The CAS and trust configurations key names to be used for NGFW Enterprise. | <code title="object&#40;&#123;&#10; keys &#61; optional&#40;object&#40;&#123;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; cas &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-dev-cas-0&#34;&#93;&#41;&#10; trust_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-dev-tc-0&#34;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; cas &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-prod-cas-0&#34;&#93;&#41;&#10; trust_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-prod-tc-0&#34;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; tls_inspection &#61; optional&#40;object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; min_tls_version &#61; optional&#40;string, &#34;TLS_1_0&#34;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [outputs_location](variables.tf#L117) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
| [trust_configs](variables.tf#L123) | The trust configs grouped by environment. | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; location &#61; string&#10; allowlisted_certificates &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_stores &#61; optional&#40;map&#40;object&#40;&#123;&#10; intermediate_cas &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_anchors &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#41;&#10; prod &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; location &#61; string&#10; allowlisted_certificates &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_stores &#61; optional&#40;map&#40;object&#40;&#123;&#10; intermediate_cas &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_anchors &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_configs &#61; map&#40;any&#41;&#10; ca_pool_config &#61; object&#40;&#123;&#10; ca_pool_id &#61; optional&#40;string, null&#41;&#10; name &#61; optional&#40;string, null&#41;&#10; tier &#61; optional&#40;string, &#34;DEVOPS&#34;&#41;&#10; &#125;&#41;&#10; location &#61; string&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_configs &#61; map&#40;any&#41;&#10; ca_pool_config &#61; object&#40;&#123;&#10; ca_pool_id &#61; optional&#40;string, null&#41;&#10; name &#61; optional&#40;string, null&#41;&#10; tier &#61; optional&#40;string, &#34;DEVOPS&#34;&#41;&#10; &#125;&#41;&#10; location &#61; string&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [essential_contacts](variables.tf#L54) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
| [kms_keys](variables.tf#L60) | KMS keys to create, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; rotation_period &#61; optional&#40;string, &#34;7776000s&#34;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; locations &#61; optional&#40;list&#40;string&#41;, &#91;&#10; &#34;europe&#34;, &#34;europe-west1&#34;, &#34;europe-west3&#34;, &#34;global&#34;&#10; &#93;&#41;&#10; purpose &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10; skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10; version_template &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; string&#10; protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [ngfw_tls_configs](variables.tf#L99) | The CAS and trust configurations key names to be used for NGFW Enterprise. | <code title="object&#40;&#123;&#10; keys &#61; optional&#40;object&#40;&#123;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; cas &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-dev-cas-0&#34;&#93;&#41;&#10; trust_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-dev-tc-0&#34;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; cas &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-prod-cas-0&#34;&#93;&#41;&#10; trust_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-prod-tc-0&#34;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; tls_inspection &#61; optional&#40;object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; min_tls_version &#61; optional&#40;string, &#34;TLS_1_0&#34;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [outputs_location](variables.tf#L125) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
| [trust_configs](variables.tf#L131) | The trust configs grouped by environment. | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; location &#61; string&#10; allowlisted_certificates &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_stores &#61; optional&#40;map&#40;object&#40;&#123;&#10; intermediate_cas &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_anchors &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#41;&#10; prod &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; location &#61; string&#10; allowlisted_certificates &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_stores &#61; optional&#40;map&#40;object&#40;&#123;&#10; intermediate_cas &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; trust_anchors &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |

## Outputs

Binary file modified fast/stages/2-security/diagram.png
847 changes: 846 additions & 1 deletion fast/stages/2-security/diagram.svg
2 changes: 2 additions & 0 deletions fast/stages/2-security/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@
* limitations under the License.
*/

# Refer to modules/certificate-authority-service variables.tf
# for further info on the variable structure.
variable "cas_configs" {
description = "The CAS CAs to add to each environment."
type = object({
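Review bot: The new comment points readers to `modules/certificate-authority-service variables.tf`, but the variable's `description` still reads only "The CAS CAs to add to each environment.", and the README table is generated from `description`, so the cross-reference never reaches README readers. Consider folding it into the description string, e.g. `description = "The CAS CAs to add to each environment. See modules/certificate-authority-service/variables.tf for the structure."`, and write the path with a slash so it is unambiguous.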
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,5 @@ egress-inspect-internet:
- "0.0.0.0/0"
action: "apply_security_profile_group"
security_profile_group: "dev"
# Uncomment the line below to enable TLS inspection for this egress rule
# tls_inspect: true
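Review bot: The `# tls_inspect: true` hint is attached to a rule whose destination is `0.0.0.0/0` with `action: "apply_security_profile_group"`, so uncommenting it means every egress flow matched by this rule is decrypted. The comment should also name the stage-level switch, `ngfw_tls_configs.tls_inspection.enabled`, which the README table in this same commit shows defaulting to `false`, so whoever uncomments the line knows there is a second setting to flip. Something like `# Also requires ngfw_tls_configs.tls_inspection.enabled = true in the stage tfvars` keeps the sample self-explanatory.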
Original file line number Diff line number Diff line change
@@ -1,10 +1,9 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments

# yaml-language-server: $schema=../../../schemas/firewall-policy-rules.schema.json

# sample NGFW Enterprise ingress rules
# Sample NGFW Enterprise ingress rules to uncomment and customize as needed

# ingress-allow-inspect-cross:
# description: "Allow and inspect cross-env traffic from prod."
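Review bot: The rewrite drops the line `# start of document (---) avoids errors if the file only contains comments` while keeping the bare `---` it explained. Since every rule in this file is commented out, that rationale is exactly what a future maintainer needs before tidying the separator away and breaking the file. Suggest keeping one short line next to the separator, e.g. `# --- keeps this a valid YAML document while all rules are commented out`.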
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,5 @@ egress-inspect-internet:
- "0.0.0.0/0"
action: "apply_security_profile_group"
security_profile_group: "prod"
# Uncomment the line below to enable TLS inspection for this egress rule
# tls_inspect: true
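Review bot: Same point as on the dev egress file: the `# tls_inspect: true` hint on the `0.0.0.0/0` rule for `security_profile_group: "prod"` should mention the stage-level `ngfw_tls_configs.tls_inspection.enabled` switch (default `false` per the README table). For prod in particular, where the rule covers all outbound traffic, a pointer to `exclude_public_ca_set` in the same variable would tell readers how to narrow what gets decrypted rather than leaving only an on/off line.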
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
# skip boilerplate check
---
# Following are some NGFW Enterprise ingress rules examples
# yaml-language-server: $schema=../../../schemas/firewall-policy-rules.schema.json

# Sample NGFW Enterprise ingress rules to uncomment and customize as needed

# ingress-allow-inspect-cross:
# description: "Allow and inspect cross-env traffic."
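Review bot: Good to see the prod file gain the same `# yaml-language-server: $schema=../../../schemas/firewall-policy-rules.schema.json` line as dev, but the relative path is copied verbatim and only resolves if the prod file sits at the same directory depth as the dev one; a wrong path silently disables editor validation rather than failing, so please confirm it resolves from this file's location. The header comment is now word-for-word identical across dev and prod, which is fine; the remaining difference is the sample description (`"Allow and inspect cross-env traffic."` here vs `"... from prod."` in dev), worth a quick check that it is intentional.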
Binary file modified fast/stages/diagrams.excalidraw.gz
Binary file not shown.

0 comments on commit 24c7068
