

[FAST] TLS inspection support for NGFW Enterprise (#2484)
LucaPrete authored Aug 30, 2024
1 parent 8ca3bc3 commit 3ca0525
Showing 37 changed files with 3,184 additions and 193 deletions.
6 changes: 4 additions & 2 deletions fast/stage-links.sh
Expand Up @@ -109,13 +109,15 @@ case $STAGE_NAME in
PROVIDER="providers/3-network-security-providers.tf"
TFVARS="tfvars/0-bootstrap.auto.tfvars.json
tfvars/1-resman.auto.tfvars.json
tfvars/2-networking.auto.tfvars.json"
tfvars/2-networking.auto.tfvars.json
tfvars/2-security.auto.tfvars.json"
else
unset GLOBALS
PROVIDER="tenants/$TENANT/providers/3-network-security-providers.tf"
TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json
tenants/$TENANT/tfvars/1-resman.auto.tfvars.json
tenants/$TENANT/tfvars/2-networking.auto.tfvars.json"
tenants/$TENANT/tfvars/2-networking.auto.tfvars.json
tenants/$TENANT/tfvars/2-security.auto.tfvars.json"
fi
;;
*)
Expand Up @@ -40,3 +40,8 @@ includedPermissions:
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.update
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.create
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.update
- networksecurity.tlsInspectionPolicies.use
Expand Up @@ -29,3 +29,6 @@ includedPermissions:
- networksecurity.securityProfiles.get
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.use
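Review bot: `networksecurity.tlsInspectionPolicies.use` on the last added line grants a write-side capability (referencing a TLS inspection policy from firewall policy rules) to what appears to be the read-only member of the admin/viewer pair; the file name is not shown on this page, so the pairing is inferred from the `ngfw_enterprise_admin`/`ngfw_enterprise_viewer` custom roles referenced in organization.tf. It mirrors the existing `securityProfiles.use` entry, so it is probably deliberate, but the role definition does not say why a viewer role needs it. A comment next to the `.use` entries would stop a later cleanup from stripping it as overreach, e.g. `# .use is intentionally included in the viewer role because <reason>`.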
2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/organization.tf
Expand Up @@ -181,14 +181,14 @@ module "organization" {
"roles/accesscontextmanager.policyAdmin",
"roles/cloudasset.viewer",
"roles/compute.orgFirewallPolicyAdmin",
"roles/compute.orgFirewallPolicyUser",
"roles/compute.xpnAdmin",
"roles/orgpolicy.policyAdmin",
"roles/orgpolicy.policyViewer",
"roles/resourcemanager.organizationViewer"
]))
, join(",", formatlist("'%s'", [
module.organization.custom_role_id["network_firewall_policies_admin"],
module.organization.custom_role_id["network_firewall_policies_viewer"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
module.organization.custom_role_id["ngfw_enterprise_viewer"],
module.organization.custom_role_id["service_project_network_admin"],
2 changes: 1 addition & 1 deletion fast/stages/1-resman/branch-networking.tf
Expand Up @@ -41,7 +41,7 @@ locals {
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.branch-nsec-sa[0].iam_email, null)
]
(var.custom_roles["network_firewall_policies_viewer"]) = [
"roles/compute.orgFirewallPolicyUser" = [
try(module.branch-nsec-r-sa[0].iam_email, null)
]
}
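--- a/fast/stages/1-resman/branch-security.tf
+++ b/fast/stages/1-resman/branch-security.tf
@@ -50,6 +50,24 @@ module "branch-security-folder" {
 ]
 }
 iam = local._security_folder_iam
+iam_bindings = {
+tenant_iam_admin_conditional = {
+members = [
+module.branch-security-sa.iam_email,
+]
+role = "roles/resourcemanager.folderIamAdmin"
+condition = {
+expression = format(
+"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+join(",", formatlist("'%s'", [
+"roles/privateca.certificateManager"
+]))
+)
+title = "security_sa_delegated_grants"
+description = "Certificate Authority Service delegated grants."
+}
+}
+}
 tag_bindings = {
 context = try(
 local.tag_values["${var.tag_names.context}/security"].id, null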
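Review bot: The binding key `tenant_iam_admin_conditional` is misleading: this binding lives on the main branch security folder and its only member is `module.branch-security-sa`, not a tenant principal. A key matching the condition title reads better, e.g. `sa_delegated_grants = {`; the key is local to the map, but if the folder module keys its IAM resources by it, renaming on an already-applied stage will replace the binding, so check that first. Separately, the `hasOnly` condition constrains which roles the security SA may grant, not to whom, so a one-line comment above `iam_bindings = {` such as `# lets the security SA grant roles/privateca.certificateManager on the whole security folder to any principal` would make the delegated blast radius explicit to the next reader.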
2 changes: 1 addition & 1 deletion fast/stages/1-resman/iam.tf
Expand Up @@ -48,7 +48,7 @@ locals {
member = module.branch-nsec-sa[0].iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
sa_net_nsec_r_fw_policy_admin = {
sa_net_nsec_r_fw_policy_user = {
member = module.branch-nsec-sa[0].iam_email
role = "roles/compute.orgFirewallPolicyUser"
}
126 changes: 116 additions & 10 deletions fast/stages/2-security/README.md


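--- a/fast/stages/2-security/core-dev.tf
+++ b/fast/stages/2-security/core-dev.tf
@@ -1,5 +1,5 @@
 /**
-* Copyright 2023 Google LLC
+* Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,6 +15,18 @@
 */
 
 locals {
+# Extract NGFW locations from dev CAS
+ngfw_dev_locations = toset([
+for k, v in var.cas_configs.dev
+: v.location
+if contains(var.ngfw_tls_configs.keys.dev.cas, k)
+])
+ngfw_dev_sa_agent_cas_iam_bindings_additive = {
+nsec_dev_agent_sa_binding = {
+member = module.dev-sec-project.service_agents["networksecurity"].iam_email
+role = "roles/privateca.certificateManager"
+}
+}
 dev_kms_restricted_admins = [
 for sa in distinct(compact([
 var.service_accounts.data-platform-dev,
@@ -54,3 +66,75 @@ module "dev-sec-kms" {
 }
 keys = local.kms_locations_keys[each.key]
 }
+
+module "dev-cas" {
+for_each = var.cas_configs.dev
+source = "../../../modules/certificate-authority-service"
+project_id = module.dev-sec-project.project_id
+ca_configs = each.value.ca_configs
+ca_pool_config = each.value.ca_pool_config
+iam = each.value.iam
+iam_bindings = each.value.iam_bindings
+iam_bindings_additive = (
+contains(var.ngfw_tls_configs.keys.dev.cas, each.key)
+? merge(local.ngfw_dev_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive)
+: each.value.iam_bindings_additive
+)
+iam_by_principals = each.value.iam_by_principals
+location = each.value.location
+}
+
+resource "google_certificate_manager_trust_config" "dev_trust_configs" {
+for_each = var.trust_configs.dev
+name = each.key
+project = module.dev-sec-project.project_id
+description = each.value.description
+location = each.value.location
+
+dynamic "allowlisted_certificates" {
+for_each = each.value.allowlisted_certificates
+content {
+pem_certificate = file(allowlisted_certificates.value)
+}
+}
+
+dynamic "trust_stores" {
+for_each = each.value.trust_stores
+content {
+dynamic "intermediate_cas" {
+for_each = trust_stores.value.intermediate_cas
+content {
+pem_certificate = file(intermediate_cas.value)
+}
+}
+dynamic "trust_anchors" {
+for_each = trust_stores.value.trust_anchors
+content {
+pem_certificate = file(trust_anchors.value)
+}
+}
+}
+}
+}
+
+resource "google_network_security_tls_inspection_policy" "ngfw_dev_tls_ips" {
+for_each = (
+var.ngfw_tls_configs.tls_inspection.enabled
+? local.ngfw_dev_locations : toset([])
+)
+name = "${var.prefix}-dev-tls-ip-0"
+project = module.dev-sec-project.project_id
+location = each.key
+ca_pool = try([
+for k, v in module.dev-cas
+: v.ca_pool_id
+if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.dev.cas, k)
+][0], null)
+exclude_public_ca_set = var.ngfw_tls_configs.tls_inspection.exclude_public_ca_set
+min_tls_version = var.ngfw_tls_configs.tls_inspection.min_tls_version
+trust_config = try([
+for k, v in google_certificate_manager_trust_config.dev_trust_configs
+: v.id
+if v.location == each.key
+][0], null)
+}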
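Review bot: The `[0]` in the `ca_pool` lookup of `ngfw_dev_tls_ips` (`try([for k, v in module.dev-cas : v.ca_pool_id if ...][0], null)`) silently selects the lexicographically first pool when two entries of `var.cas_configs.dev` listed in `ngfw_tls_configs.keys.dev.cas` share a location, so a misconfiguration would bind the inspection policy to an unintended issuing CA with no plan-time signal. The `null` fallback looks unreachable, since `local.ngfw_dev_locations` is derived from the same filter, but `ca_pool` is a required argument, so if it ever were reached the failure would only surface at apply. A `precondition` requiring exactly one matching pool per location makes both cases explicit; the same lookup exists in `ngfw_prod_tls_ips` in core-prod.tf. `v.ca_pool.location` is a module output not visible here, so I have assumed it mirrors `each.value.location`.
```hcl
resource "google_network_security_tls_inspection_policy" "ngfw_dev_tls_ips" {
  # … unchanged: for_each, name, project, location, ca_pool, exclude_public_ca_set, min_tls_version, trust_config …
  lifecycle {
    precondition {
      condition = length([
        for k, v in module.dev-cas : k
        if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.dev.cas, k)
      ]) == 1
      error_message = "Expected exactly one CA pool from ngfw_tls_configs.keys.dev.cas in this location."
    }
  }
}
```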
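--- a/fast/stages/2-security/core-prod.tf
+++ b/fast/stages/2-security/core-prod.tf
@@ -1,5 +1,5 @@
 /**
-* Copyright 2023 Google LLC
+* Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,6 +15,18 @@
 */
 
 locals {
+# Extract NGFW locations from prod CAS
+ngfw_prod_locations = toset([
+for k, v in var.cas_configs.prod
+: v.location
+if contains(var.ngfw_tls_configs.keys.prod.cas, k)
+])
+ngfw_prod_sa_agent_cas_iam_bindings_additive = {
+nsec_prod_agent_sa_binding = {
+member = module.prod-sec-project.service_agents["networksecurity"].iam_email
+role = "roles/privateca.certificateManager"
+}
+}
 prod_kms_restricted_admins = [
 for sa in distinct(compact([
 var.service_accounts.data-platform-prod,
@@ -53,3 +65,76 @@ module "prod-sec-kms" {
 }
 keys = local.kms_locations_keys[each.key]
 }
+
+module "prod-cas" {
+for_each = var.cas_configs.prod
+source = "../../../modules/certificate-authority-service"
+project_id = module.prod-sec-project.project_id
+ca_configs = each.value.ca_configs
+ca_pool_config = each.value.ca_pool_config
+iam = each.value.iam
+iam_bindings = each.value.iam_bindings
+iam_bindings_additive = (
+contains(var.ngfw_tls_configs.keys.prod.cas, each.key)
+? merge(local.ngfw_prod_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive)
+: each.value.iam_bindings_additive
+)
+iam_by_principals = each.value.iam_by_principals
+location = each.value.location
+}
+
+resource "google_certificate_manager_trust_config" "prod_trust_configs" {
+for_each = var.trust_configs.prod
+name = each.key
+project = module.prod-sec-project.project_id
+description = each.value.description
+location = each.value.location
+
+dynamic "allowlisted_certificates" {
+for_each = each.value.allowlisted_certificates
+content {
+pem_certificate = file(allowlisted_certificates.value)
+}
+}
+
+dynamic "trust_stores" {
+for_each = each.value.trust_stores
+content {
+dynamic "intermediate_cas" {
+for_each = trust_stores.value.intermediate_cas
+content {
+pem_certificate = file(intermediate_cas.value)
+}
+}
+dynamic "trust_anchors" {
+for_each = trust_stores.value.trust_anchors
+content {
+pem_certificate = file(trust_anchors.value)
+}
+}
+}
+}
+}
+
+resource "google_network_security_tls_inspection_policy" "ngfw_prod_tls_ips" {
+for_each = (
+var.ngfw_tls_configs.tls_inspection.enabled
+? local.ngfw_prod_locations : toset([])
+)
+name = "${var.prefix}-prod-tls-ip-0"
+project = module.prod-sec-project.project_id
+location = each.key
+ca_pool = try([
+for k, v in module.prod-cas
+: v.ca_pool_id
+if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.prod.cas, k)
+][0], null)
+exclude_public_ca_set = var.ngfw_tls_configs.tls_inspection.exclude_public_ca_set
+min_tls_version = var.ngfw_tls_configs.tls_inspection.min_tls_version
+trust_config = try([
+for k, v in google_certificate_manager_trust_config.prod_trust_configs
+: v.id
+if v.location == each.key
+][0], null)
+}
+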
Binary file modified fast/stages/2-security/diagram.png
7 changes: 5 additions & 2 deletions fast/stages/2-security/main.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -33,7 +33,6 @@ locals {
)
}
}

# list of locations with keys
kms_locations = distinct(flatten([
for k, v in var.kms_keys : v.locations
Expand All @@ -48,7 +47,11 @@ locals {
}
}
project_services = [
"certificatemanager.googleapis.com",
"cloudkms.googleapis.com",
"networkmanagement.googleapis.com",
"networksecurity.googleapis.com",
"privateca.googleapis.com",
"secretmanager.googleapis.com",
"stackdriver.googleapis.com"
]
