Address sruffilli@ comments
Luca Prete committed Aug 29, 2024
1 parent 08510d0 commit 5e2df48
Showing 10 changed files with 1,002 additions and 19 deletions.
12 changes: 6 additions & 6 deletions fast/stages/2-security/README.md


Binary file modified fast/stages/2-security/diagram.png
847 changes: 846 additions & 1 deletion fast/stages/2-security/diagram.svg
151 changes: 142 additions & 9 deletions fast/stages/2-security/variables.tf
Expand Up @@ -14,26 +14,159 @@
* limitations under the License.
*/

# Refer
variable "cas_configs" {
description = "The CAS CAs to add to each environment."
type = object({
dev = optional(map(object({
ca_configs = map(any)
ca_pool_config = map(any)
ca_configs = map(object({
deletion_protection = optional(string, true)
type = optional(string, "SELF_SIGNED")
is_ca = optional(bool, true)
lifetime = optional(string, null)
pem_ca_certificate = optional(string, null)
ignore_active_certificates_on_deletion = optional(bool, false)
skip_grace_period = optional(bool, true)
labels = optional(map(string), null)
gcs_bucket = optional(string, null)
key_spec = optional(object({
algorithm = optional(string, "RSA_PKCS1_2048_SHA256")
kms_key_id = optional(string, null)
}), {})
key_usage = optional(object({
cert_sign = optional(bool, true)
client_auth = optional(bool, false)
code_signing = optional(bool, false)
content_commitment = optional(bool, false)
crl_sign = optional(bool, true)
data_encipherment = optional(bool, false)
decipher_only = optional(bool, false)
digital_signature = optional(bool, false)
email_protection = optional(bool, false)
encipher_only = optional(bool, false)
key_agreement = optional(bool, false)
key_encipherment = optional(bool, true)
ocsp_signing = optional(bool, false)
server_auth = optional(bool, true)
time_stamping = optional(bool, false)
}), {})
subject = optional(object({
common_name = string
organization = string
country_code = optional(string)
locality = optional(string)
organizational_unit = optional(string)
postal_code = optional(string)
province = optional(string)
street_address = optional(string)
}), {
common_name = "test.example.com"
organization = "Test Example"
})
subject_alt_name = optional(object({
dns_names = optional(list(string), null)
email_addresses = optional(list(string), null)
ip_addresses = optional(list(string), null)
uris = optional(list(string), null)
}), null)
subordinate_config = optional(object({
root_ca_id = optional(string)
pem_issuer_certificates = optional(list(string))
}), null)
}))
ca_pool_config = object({
ca_pool_id = optional(string, null)
name = optional(string, null)
tier = optional(string, "DEVOPS")
})
location = string
iam = optional(map(list(string)), {})
iam_bindings = optional(map(any), {})
iam_bindings_additive = optional(map(any), {})
iam_by_principals = optional(map(list(string)), {})
})), {})
prod = optional(map(object({
ca_configs = map(any)
ca_pool_config = map(any)
location = string
iam = optional(map(list(string)), {})
iam_bindings = optional(map(any), {})
iam_bindings_additive = optional(map(any), {})
iam_by_principals = optional(map(list(string)), {})
ca_configs = map(object({
deletion_protection = optional(string, true)
type = optional(string, "SELF_SIGNED")
is_ca = optional(bool, true)
lifetime = optional(string, null)
pem_ca_certificate = optional(string, null)
ignore_active_certificates_on_deletion = optional(bool, false)
skip_grace_period = optional(bool, true)
labels = optional(map(string), null)
gcs_bucket = optional(string, null)
key_spec = optional(object({
algorithm = optional(string, "RSA_PKCS1_2048_SHA256")
kms_key_id = optional(string, null)
}), {})
key_usage = optional(object({
cert_sign = optional(bool, true)
client_auth = optional(bool, false)
code_signing = optional(bool, false)
content_commitment = optional(bool, false)
crl_sign = optional(bool, true)
data_encipherment = optional(bool, false)
decipher_only = optional(bool, false)
digital_signature = optional(bool, false)
email_protection = optional(bool, false)
encipher_only = optional(bool, false)
key_agreement = optional(bool, false)
key_encipherment = optional(bool, true)
ocsp_signing = optional(bool, false)
server_auth = optional(bool, true)
time_stamping = optional(bool, false)
}), {})
subject = optional(object({
common_name = string
organization = string
country_code = optional(string)
locality = optional(string)
organizational_unit = optional(string)
postal_code = optional(string)
province = optional(string)
street_address = optional(string)
}), {
common_name = "test.example.com"
organization = "Test Example"
})
subject_alt_name = optional(object({
dns_names = optional(list(string), null)
email_addresses = optional(list(string), null)
ip_addresses = optional(list(string), null)
uris = optional(list(string), null)
}), null)
subordinate_config = optional(object({
root_ca_id = optional(string)
pem_issuer_certificates = optional(list(string))
}), null)
}))
ca_pool_config = object({
ca_pool_id = optional(string, null)
name = optional(string, null)
tier = optional(string, "DEVOPS")
})
location = string
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
members = list(string)
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
iam_bindings_additive = optional(map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
iam_by_principals = optional(map(list(string)), {})
})), {})
})
nullable = false
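Review bot: `deletion_protection = optional(string, true)` in both the dev and the prod `ca_configs` object declares a string attribute with a boolean default; Terraform will coerce `true` to `"true"` so the plan does not fail, but it should read `deletion_protection = optional(bool, true)` to match the resource argument it presumably feeds and the `bool` typing used by the neighbouring flags. The dev and prod objects are also no longer symmetrical: prod types `iam_bindings` and `iam_bindings_additive` as objects with `members`/`member`, `role` and `condition`, while dev still leaves them as `map(any)`, so a malformed binding that is rejected for prod passes validation for dev. The bare `# Refer` comment above the variable reads as a truncated sentence and should be completed or dropped. The defaults `skip_grace_period = true` and the placeholder subject `test.example.com` / `Test Example` deserve a mention in the variable `description`, since a caller who omits `subject` gets a CA issued with that placeholder name. The variable block continues past the end of the hunk, and the page does not mark which of these lines are old and new, so the dev/prod asymmetry is inferred from print order.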
2 changes: 2 additions & 0 deletions fast/stages/3-network-security/README.md
Expand Up @@ -37,6 +37,8 @@ The following diagram is a high level reference of the resources created and man
- We use global network firewall policies, as legacy VPC firewall rules are not compatible with NGFW Enterprise. These policies coexist with the legacy VPC firewall rules that we create in the netwroking stage.
- For your convenience, firewall policy rules leverage factories, so that you can define firewall policy rules using yaml files. The path of these files is configurable. Look in the [Customization](#customizations) section for more details.
- NGFW Enterprise endpoints are org-level resources that need to reference a quota project for billing purposes. By default, we create a dedicated `xxx-net-ngfw-0` quota project. Anyway, you can choose to leverage an existing project. Look in the [Customization](#customizations) section for more details.
- Firewall endpoint associations in this stage can reference TLS inspection policies created in the [2-security stage](../2-security/README.md). More info in the customization section of this document.
- While TLS inspection policies are created in the [2-security stage](../2-security/README.md), FAST still allows the service accounts of this stage and the `gcp-network-admins` group to create and manage them anywhere in the organization.

## How to run this stage

Expand Up @@ -20,4 +20,5 @@ egress-inspect-internet:
- "0.0.0.0/0"
action: "apply_security_profile_group"
security_profile_group: "dev"
# Uncomment the line below to enable TLS inspection for this egress rule
# tls_inspect: true
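Review bot: The new comment `# Uncomment the line below to enable TLS inspection for this egress rule` does not say that `tls_inspect: true` only inspects traffic when the firewall endpoint association references a TLS inspection policy, which the README change in this same commit describes as being created in the 2-security stage; a reader who only uncomments the line may assume inspection is happening when it is not. Suggest extending it to `# Uncomment the line below to enable TLS inspection for this egress rule (requires a TLS inspection policy on the firewall endpoint association, see README)`. The same applies to the identical two lines added to the prod egress rules file further down. The file path of this section is not shown on the page.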
@@ -1,10 +1,9 @@
# skip boilerplate check
---
# start of document (---) avoids errors if the file only contains comments

# yaml-language-server: $schema=../../../schemas/firewall-policy-rules.schema.json

# sample NGFW Enterprise ingress rules
# Sample NGFW Enterprise ingress rules to uncomment and customize as needed

# ingress-allow-inspect-cross:
# description: "Allow and inspect cross-env traffic from prod."
Expand Up @@ -16,4 +16,5 @@ egress-inspect-internet:
- "0.0.0.0/0"
action: "apply_security_profile_group"
security_profile_group: "prod"
# Uncomment the line below to enable TLS inspection for this egress rule
# tls_inspect: true
@@ -1,6 +1,8 @@
# skip boilerplate check
---
# Following are some NGFW Enterprise ingress rules examples
# yaml-language-server: $schema=../../../schemas/firewall-policy-rules.schema.json

# Sample NGFW Enterprise ingress rules to uncomment and customize as needed

# ingress-allow-inspect-cross:
# description: "Allow and inspect cross-env traffic."
Binary file modified fast/stages/diagrams.excalidraw.gz
