

Updates per offline discussion
Luca Prete committed Jul 15, 2024
1 parent aecbceb commit 76939cb
Showing 17 changed files with 402 additions and 143 deletions.
15 changes: 0 additions & 15 deletions fast/stages/2-networking-a-simple/main.tf
Expand Up @@ -51,19 +51,4 @@ module "folder" {
? {}
: { (var.essential_contacts) = ["ALL"] }
)
firewall_policy = {
name = "default"
policy = module.firewall-policy-default.id
}
}

module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
name = var.factories_config.firewall_policy_name
parent_id = module.folder.id
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
}
}

66 changes: 0 additions & 66 deletions fast/stages/2-networking-a-simple/net-dev.tf
Expand Up @@ -33,11 +33,6 @@ module "dev-spoke-project" {
"stackdriver.googleapis.com",
"vpcaccess.googleapis.com"
],
(
var.ngfw_enterprise_config.enabled
? ["networksecurity.googleapis.com"]
: []
),
(
var.fast_features.gcve
? ["vmwareengine.googleapis.com"]
Expand Down Expand Up @@ -107,67 +102,6 @@ module "dev-spoke-vpc" {
}
}

resource "google_network_security_security_profile" "dev_sec_profile" {
count = var.ngfw_enterprise_config.enabled ? 1 : 0
name = "${var.prefix}-dev-sp-0"
type = "THREAT_PREVENTION"
parent = "organizations/${var.organization.id}"
location = "global"
}

resource "google_network_security_security_profile_group" "dev_sec_profile_group" {
count = var.ngfw_enterprise_config.enabled ? 1 : 0
name = "${var.prefix}-dev-spg-0"
parent = "organizations/${var.organization.id}"
location = "global"
description = "Dev security profile group."
threat_prevention_profile = try(google_network_security_security_profile.dev_sec_profile[0].id)
}

resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_association" {
for_each = (
var.ngfw_enterprise_config.enabled
? toset(local.ngfw_endpoint_locations)
: toset([])
)
name = "${var.prefix}-dev-endpoint-association-${each.key}"
parent = module.dev-spoke-project.project_id
location = each.value.zone
firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id
network = module.dev-spoke-vpc.self_link
}

module "dev-firewall-policy" {
source = "../../../modules/net-firewall-policy"
name = "${var.prefix}-dev-fw-policy"
parent_id = module.dev-spoke-project.project_id
security_profile_group_ids = {
dev = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.dev_sec_profile_group[0].id, "")}"
}
attachments = {
dev-spoke = module.dev-spoke-vpc.self_link
}
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/egress.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/ingress.yaml"
}
}

module "dev-spoke-firewall" {
count = var.ngfw_enterprise_config.enabled ? 0 : 1
source = "../../../modules/net-vpc-firewall"
project_id = module.dev-spoke-project.project_id
network = module.dev-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
rules_folder = "${var.factories_config.data_dir}/firewall-rules/dev"
}
}

module "dev-spoke-cloudnat" {
source = "../../../modules/net-cloudnat"
for_each = toset(var.enable_cloud_nat ? values(module.dev-spoke-vpc.subnet_regions) : [])
13 changes: 0 additions & 13 deletions fast/stages/2-networking-a-simple/net-landing.tf
Expand Up @@ -74,19 +74,6 @@ module "landing-vpc" {
}
}

module "landing-firewall" {
source = "../../../modules/net-vpc-firewall"
project_id = module.landing-project.project_id
network = module.landing-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing"
}
}

module "landing-nat-primary" {
source = "../../../modules/net-cloudnat"
count = var.enable_cloud_nat ? 1 : 0
13 changes: 0 additions & 13 deletions fast/stages/2-networking-a-simple/net-prod.tf
Expand Up @@ -95,19 +95,6 @@ module "prod-spoke-vpc" {
}
}

module "prod-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
project_id = module.prod-spoke-project.project_id
network = module.prod-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
rules_folder = "${var.factories_config.data_dir}/firewall-rules/prod"
}
}

module "prod-spoke-cloudnat" {
source = "../../../modules/net-cloudnat"
for_each = toset(var.enable_cloud_nat ? values(module.prod-spoke-vpc.subnet_regions) : [])
11 changes: 0 additions & 11 deletions fast/stages/2-networking-a-simple/variables.tf
Expand Up @@ -87,17 +87,6 @@ variable "factories_config" {
}
}

variable "ngfw_enterprise_config" {
description = "NGFW Enterprise configuration."
type = object({
enabled = optional(bool, false)
endpoint_primary_region_zones = optional(set(string), ["a", "b", "c"])
endpoint_secondary_region_zones = optional(set(string), ["a", "b", "c"])
})
nullable = false
default = {}
}

variable "outputs_location" {
description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable."
type = string
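--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/README.md
@@ -0,0 +1,8 @@
+# Network Security
+
+This stage sets up the network firewall, including hierarchical firewall policies, network firewall policies and -optionally- NGFW Enterprise.
+
+...
+<!-- TFDOC OPTS files:1 show_extra:1 -->
+<!-- BEGIN TFDOC -->
+<!-- END TFDOC -->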
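--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/cidrs.yaml
@@ -0,0 +1,18 @@
+# skip boilerplate check
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
+healthchecks:
+- 35.191.0.0/16
+- 130.211.0.0/22
+- 209.85.152.0/22
+- 209.85.204.0/22
+
+rfc1918:
+- 10.0.0.0/8
+- 172.16.0.0/12
+- 192.168.0.0/16
+
+onprem_probes:
+- 10.255.255.254/32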
@@ -0,0 +1,18 @@
# skip boilerplate check

egress-allow-rfc1918:
description: "Allow all hosts to RFC-1918"
priority: 2147483642
match:
destination_ranges:
- rfc1918
action: "allow"

egress-inspect-internet:
description: "Inspect egress traffic from all dev hosts to Internet"
priority: 2147483643
match:
destination_ranges:
- "0.0.0.0/0"
action: "apply_security_profile_group"
security_profile_group: "dev"
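Review bot: The relative priorities in this file mean `egress-allow-rfc1918` (2147483642) is evaluated before `egress-inspect-internet` (2147483643), so egress to RFC 1918 destinations is allowed without passing through the security profile group and only the remaining 0.0.0.0/0 traffic is inspected. That is a defensible default for east-west traffic, but nothing in the file says it is deliberate, and a reader tuning priorities later could silently invert it. Suggest stating it in the rule text, e.g. `description: "Allow all hosts to RFC-1918 (evaluated before egress-inspect-internet, not inspected)"`. The prod egress rules file added later in this commit carries the identical pair of rules and the same note applies there.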
@@ -0,0 +1,21 @@
# skip boilerplate check

# Following are some NGFW Enterprise ingress rules examples

# ingress-allow-inspect-cross:
# description: "Allow and inspect cross-env traffic from prod."
# priority: 1
# match:
# source_ranges:
# - prod (to be defined)
# action: "apply_security_profile_group"
# security_profile_group: "dev"

# ingress-allow-inspect-intra:
# description: "Allow and inspect same-env (intra-vpc) traffic."
# priority: 2
# match:
# source_ranges:
# - dev (to be defined)
# action: "apply_security_profile_group"
# security_profile_group: "dev"
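Review bot: The commented examples use named ranges via `- prod (to be defined)` and `- dev (to be defined)`, but the data/cidrs.yaml added in this commit only defines `healthchecks`, `rfc1918` and `onprem_probes`, so uncommenting an example as written would hand the factory the literal string `prod (to be defined)` rather than a range. With everything commented out the file contributes no ingress rules at all, which is also not stated. A short header comment would prevent a failed apply for the next user, e.g. `# 'dev' and 'prod' must first be added as named ranges in data/cidrs.yaml; until then this file defines no ingress rules`. The prod ingress file in this commit has the same placeholders and needs the same comment.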
@@ -0,0 +1,18 @@
# skip boilerplate check

egress-allow-rfc1918:
description: "Allow all hosts to RFC-1918"
priority: 2147483642
match:
destination_ranges:
- rfc1918
action: "allow"

egress-inspect-internet:
description: "Inspect egress traffic from all prod hosts to Internet"
priority: 2147483643
match:
destination_ranges:
- "0.0.0.0/0"
action: "apply_security_profile_group"
security_profile_group: "prod"
@@ -0,0 +1,21 @@
# skip boilerplate check

# Following are some NGFW Enterprise ingress rules examples

# ingress-allow-inspect-cross:
# description: "Allow and inspect cross-env traffic."
# priority: 1
# match:
# source_ranges:
# - dev (to be defined)
# action: "apply_security_profile_group"
# security_profile_group: "prod"

# ingress-allow-inspect-intra:
# description: "Allow and inspect intra-VPC traffic."
# priority: 2
# match:
# source_ranges:
# - prod (to be defined)
# action: "apply_security_profile_group"
# security_profile_group: "prod"
Expand Up @@ -17,34 +17,24 @@
# tfdoc:file:description Next-Generation Firewall Enterprise configuration.

locals {
# Renders to
# {
# euw1a = {
# region = europe-west1
# zone = europe-west1-a
# },
# ...
# }
ngfw_endpoint_locations = merge(
{
for zone in var.ngfw_enterprise_config.endpoint_primary_region_zones
: "${local.region_shortnames[var.regions.primary]}${zone}"
=> { region = var.regions.primary, zone = "${var.regions.primary}-${zone}" }
},
{
for zone in var.ngfw_enterprise_config.endpoint_secondary_region_zones
: "${local.region_shortnames[var.regions.secondary]}${zone}"
=> { region = var.regions.secondary, zone = "${var.regions.secondary}-${zone}" }
}
)
enabled_vpcs = {
dev-spoke-0 = try(var.vpc_self_links.dev-spoke0, null) != null
prod-spoke-0 = try(var.vpc_self_links.prod-spoke0, null) != null
}
}

module "landing-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
name = "prod-net-landing-0"
parent = var.folder_ids.networking-prod
prefix = var.prefix
project_create = false
services = ["networksecurity.googleapis.com"]
}

resource "google_network_security_firewall_endpoint" "firewall_endpoint" {
for_each = (
var.ngfw_enterprise_config.enabled
? toset(local.ngfw_endpoint_locations)
: toset([])
)
for_each = toset(var.ngfw_enterprise_config.endpoint_zones)
name = "${var.prefix}-ngfw-endpoint-${each.key}"
parent = "organizations/${var.organization.id}"
location = each.value.zone
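Review bot: `location = each.value.zone` on the last line of the hunk no longer fits the new `for_each = toset(var.ngfw_enterprise_config.endpoint_zones)`: iterating a set makes `each.value` the element itself, so unless `endpoint_zones` is a collection of objects carrying a `zone` attribute (its variable definition is not part of this commit; the removed 2-networking version held plain zone suffix strings), the `.zone` lookup fails at plan time and the line should read `location = each.value`. The same `toset(...)`/`each.value.zone` pairing is repeated in the `dev_fw_ep_association` resource of fast/stages/3-ngfw-enterprise/net-dev.tf in this commit. The `firewall_endpoint` resource body continues past the end of the hunk.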
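--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/net-dev.tf
@@ -0,0 +1,72 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+# tfdoc:file:description Security components for dev spoke VPC.
+
+module "dev-spoke-project" {
+count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+source = "../../../modules/project"
+billing_account = var.billing_account.id
+name = "dev-net-spoke-0"
+parent = var.folder_ids.networking-dev
+prefix = var.prefix
+project_create = false
+services = ["networksecurity.googleapis.com"]
+}
+
+resource "google_network_security_security_profile" "dev_sec_profile" {
+count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+name = "${var.prefix}-dev-sp-0"
+type = "THREAT_PREVENTION"
+parent = "organizations/${var.organization.id}"
+location = "global"
+}
+
+resource "google_network_security_security_profile_group" "dev_sec_profile_group" {
+count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+name = "${var.prefix}-dev-spg-0"
+parent = "organizations/${var.organization.id}"
+location = "global"
+description = "Dev security profile group."
+threat_prevention_profile = try(google_network_security_security_profile.dev_sec_profile[0].id, null)
+}
+
+resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_association" {
+for_each = toset(var.ngfw_enterprise_config.endpoint_zones)
+name = "${var.prefix}-dev-epa-${each.key}"
+parent = try(module.dev-spoke-project[0].project_id, null)
+location = each.value.zone
+firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id
+network = try(var.vpc_self_links.dev-spoke-0, null)
+}
+
+module "dev-spoke-firewall-policy" {
+count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0
+source = "../../../modules/net-firewall-policy"
+name = "${var.prefix}-dev-fw-policy"
+parent_id = try(module.dev-spoke-project[0].project_id, null)
+security_profile_group_ids = {
+dev = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.dev_sec_profile_group[0].id, "")}"
+}
+attachments = {
+dev-spoke = try(var.vpc_self_links.dev-spoke-0, null)
+}
+factories_config = {
+cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/egress.yaml"
+ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/ingress.yaml"
+}
+}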
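Review bot: `google_network_security_firewall_endpoint_association.dev_fw_ep_association` iterates `endpoint_zones` unconditionally while every other dev resource in this file is gated on `local.enabled_vpcs.dev-spoke-0`, so with the dev spoke absent it still plans one association per zone whose `parent` and `network` both fall back to null through `try(..., null)`, which the provider will reject rather than skip. Gate the collection the same way as its neighbours, `for_each = local.enabled_vpcs.dev-spoke-0 ? toset(var.ngfw_enterprise_config.endpoint_zones) : toset([])`, after which the `try(..., null)` wrappers on `parent` and `network` can become direct references. A smaller consistency point: `threat_prevention_profile` falls back to `null` while `security_profile_group_ids.dev` falls back to `""`, producing `//networksecurity.googleapis.com/` as a group id in the disabled case; picking one fallback convention for the file would avoid that half-formed value ever reaching a plan.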

