Luca Prete
committed
Jul 15, 2024
1 parent
aecbceb
commit 76939cb
Showing
17 changed files
with
402 additions
and
143 deletions.
@@ -0,0 +1,8 @@ | ||
# Network Security | ||
|
||
This stage sets up the network firewall, including hierarchical firewall policies, network firewall policies and -optionally- NGFW Enterprise. | ||
|
||
... | ||
<!-- TFDOC OPTS files:1 show_extra:1 --> | ||
<!-- BEGIN TFDOC --> | ||
<!-- END TFDOC --> |
@@ -0,0 +1,18 @@ | ||
# skip boilerplate check | ||
--- | ||
# Terraform will be unable to decode this file if it does not contain valid YAML | ||
# You can retain `---` (start of the document) to indicate an empty document. | ||
|
||
healthchecks: | ||
- 35.191.0.0/16 | ||
- 130.211.0.0/22 | ||
- 209.85.152.0/22 | ||
- 209.85.204.0/22 | ||
|
||
rfc1918: | ||
- 10.0.0.0/8 | ||
- 172.16.0.0/12 | ||
- 192.168.0.0/16 | ||
|
||
onprem_probes: | ||
- 10.255.255.254/32 |
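Review bot: The `healthchecks` and `onprem_probes` entries are allow-list inputs for firewall rules but carry no provenance, and none of the egress or ingress rules added in this commit reference them yet (only `rfc1918` is used), so a reader cannot tell why these exact ranges are trusted. A source comment above each group keeps the list auditable, e.g. `# Google Cloud health-check probe source ranges: 35.191.0.0/16 and 130.211.0.0/22 are the current ranges, the two 209.85.* blocks are, as far as I recall, the legacy target-pool ranges; verify against the GCP load-balancing docs when updating`. For `onprem_probes` the purpose of the single /32 is not visible anywhere in this commit, so at minimum note who owns that host and what it probes.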
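--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/egress.yaml
@@ -0,0 +1,18 @@
+# skip boilerplate check
+
+egress-allow-rfc1918:
+  description: "Allow all hosts to RFC-1918"
+  priority: 2147483642
+  match:
+    destination_ranges:
+      - rfc1918
+  action: "allow"
+
+egress-inspect-internet:
+  description: "Inspect egress traffic from all dev hosts to Internet"
+  priority: 2147483643
+  match:
+    destination_ranges:
+      - "0.0.0.0/0"
+  action: "apply_security_profile_group"
+  security_profile_group: "dev"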
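Review bot: `egress-allow-rfc1918` (priority 2147483642) is evaluated before `egress-inspect-internet` (2147483643), so every flow to a private destination is accepted with `action: "allow"` and never reaches the security profile group; only internet-bound egress is inspected by NGFW Enterprise, and neither rule enables logging. The same pair of rules is added in prod/egress.yaml with the same ordering. If the east-west exemption is intended, state it in the file, e.g. `# Intra-RFC1918 (east-west) egress is allowed without inspection; only internet-bound traffic goes through the security profile group`, so the bypass is a documented decision rather than something discovered during an incident. Consider also turning on per-rule logging for both rules if the factory schema exposes it (the net-firewall-policy module has an `enable_logging` rule attribute, as far as I recall), since with logging off there is no per-rule record of which flows were allowed uninspected.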
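--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/dev/ingress.yaml
@@ -0,0 +1,21 @@
+# skip boilerplate check
+
+# Following are some NGFW Enterprise ingress rules examples
+
+# ingress-allow-inspect-cross:
+# description: "Allow and inspect cross-env traffic from prod."
+# priority: 1
+# match:
+# source_ranges:
+# - prod (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "dev"
+
+# ingress-allow-inspect-intra:
+# description: "Allow and inspect same-env (intra-vpc) traffic."
+# priority: 2
+# match:
+# source_ranges:
+# - dev (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "dev"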
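Review bot: Both example rules use `source_ranges` placeholders (`prod (to be defined)`, `dev (to be defined)`) that cidrs.yaml does not define, so uncommenting them as written would either fail named-range resolution in the factory or be read as a literal string; prod/ingress.yaml carries the mirror-image placeholders. A header comment would save the next reader the detour, e.g. `# To enable: add the named env ranges to cidrs.yaml first, then uncomment and drop the "(to be defined)" suffix`. With every rule commented out the policy attaches with no ingress rules at all, which is presumably intended for the initial stage and is worth stating in the same comment.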
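--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/egress.yaml
@@ -0,0 +1,18 @@
+# skip boilerplate check
+
+egress-allow-rfc1918:
+  description: "Allow all hosts to RFC-1918"
+  priority: 2147483642
+  match:
+    destination_ranges:
+      - rfc1918
+  action: "allow"
+
+egress-inspect-internet:
+  description: "Inspect egress traffic from all prod hosts to Internet"
+  priority: 2147483643
+  match:
+    destination_ranges:
+      - "0.0.0.0/0"
+  action: "apply_security_profile_group"
+  security_profile_group: "prod"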
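--- /dev/null
+++ b/fast/stages/3-ngfw-enterprise/data/firewall-policy-rules/prod/ingress.yaml
@@ -0,0 +1,21 @@
+# skip boilerplate check
+
+# Following are some NGFW Enterprise ingress rules examples
+
+# ingress-allow-inspect-cross:
+# description: "Allow and inspect cross-env traffic."
+# priority: 1
+# match:
+# source_ranges:
+# - dev (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "prod"
+
+# ingress-allow-inspect-intra:
+# description: "Allow and inspect intra-VPC traffic."
+# priority: 2
+# match:
+# source_ranges:
+# - prod (to be defined)
+# action: "apply_security_profile_group"
+# security_profile_group: "prod"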
@@ -0,0 +1,72 @@ | ||
/** | ||
* Copyright 2024 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
# tfdoc:file:description Security components for dev spoke VPC. | ||
|
||
module "dev-spoke-project" { | ||
count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0 | ||
source = "../../../modules/project" | ||
billing_account = var.billing_account.id | ||
name = "dev-net-spoke-0" | ||
parent = var.folder_ids.networking-dev | ||
prefix = var.prefix | ||
project_create = false | ||
services = ["networksecurity.googleapis.com"] | ||
} | ||
|
||
resource "google_network_security_security_profile" "dev_sec_profile" { | ||
count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0 | ||
name = "${var.prefix}-dev-sp-0" | ||
type = "THREAT_PREVENTION" | ||
parent = "organizations/${var.organization.id}" | ||
location = "global" | ||
} | ||
|
||
resource "google_network_security_security_profile_group" "dev_sec_profile_group" { | ||
count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0 | ||
name = "${var.prefix}-dev-spg-0" | ||
parent = "organizations/${var.organization.id}" | ||
location = "global" | ||
description = "Dev security profile group." | ||
threat_prevention_profile = try(google_network_security_security_profile.dev_sec_profile[0].id, null) | ||
} | ||
|
||
resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_association" { | ||
for_each = toset(var.ngfw_enterprise_config.endpoint_zones) | ||
name = "${var.prefix}-dev-epa-${each.key}" | ||
parent = try(module.dev-spoke-project[0].project_id, null) | ||
location = each.value.zone | ||
firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id | ||
network = try(var.vpc_self_links.dev-spoke-0, null) | ||
} | ||
|
||
module "dev-spoke-firewall-policy" { | ||
count = local.enabled_vpcs.dev-spoke-0 ? 1 : 0 | ||
source = "../../../modules/net-firewall-policy" | ||
name = "${var.prefix}-dev-fw-policy" | ||
parent_id = try(module.dev-spoke-project[0].project_id, null) | ||
security_profile_group_ids = { | ||
dev = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.dev_sec_profile_group[0].id, "")}" | ||
} | ||
attachments = { | ||
dev-spoke = try(var.vpc_self_links.dev-spoke-0, null) | ||
} | ||
factories_config = { | ||
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml" | ||
egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/egress.yaml" | ||
ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policy-rules/dev/ingress.yaml" | ||
} | ||
} |
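Review bot: `dev_fw_ep_association` iterates `toset(var.ngfw_enterprise_config.endpoint_zones)` and uses `each.key` as a plain zone string both in `name` and as the index into `google_network_security_firewall_endpoint.firewall_endpoint`, yet reads `location = each.value.zone` as if each element were an object; if `endpoint_zones` is a list of zone strings, as those two uses suggest, this fails with an unsupported-attribute error and should read `location = each.value`. The association is also the only block in this file not gated on `local.enabled_vpcs.dev-spoke-0`, so with the dev spoke disabled it would still be planned with `parent` and `network` resolving to `null`; `for_each = local.enabled_vpcs.dev-spoke-0 ? toset(var.ngfw_enterprise_config.endpoint_zones) : toset([])` keeps it consistent with the `count` guards on the other resources. The firewall endpoint resource and the variable types are defined outside this hunk, so the element type is inferred from usage here, not visible.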