Skip to content

Commit

Permalink
Refactoring
Browse files Browse the repository at this point in the history
  • Loading branch information
Luca Prete committed Aug 28, 2024
1 parent 37be522 commit a8b9f83
Show file tree
Hide file tree
Showing 29 changed files with 677 additions and 314 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,8 @@ includedPermissions:
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.update
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.create
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.update
- networksecurity.tlsInspectionPolicies.use
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,6 @@ includedPermissions:
- networksecurity.securityProfiles.get
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.use
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@

# yaml-language-server: $schema=../../schemas/custom-role.schema.json

name: networkFirewallPoliciesViewer
name: privateCaUser
includedPermissions:
- networksecurity.firewallEndpointAssociations.get
- networksecurity.firewallEndpointAssociations.list
- privateca.caPools.get
- privateca.caPools.use
3 changes: 2 additions & 1 deletion fast/stages/0-bootstrap/organization.tf
Original file line number Diff line number Diff line change
Expand Up @@ -181,16 +181,17 @@ module "organization" {
"roles/accesscontextmanager.policyAdmin",
"roles/cloudasset.viewer",
"roles/compute.orgFirewallPolicyAdmin",
"roles/compute.orgFirewallPolicyUser",
"roles/compute.xpnAdmin",
"roles/orgpolicy.policyAdmin",
"roles/orgpolicy.policyViewer",
"roles/resourcemanager.organizationViewer"
]))
, join(",", formatlist("'%s'", [
module.organization.custom_role_id["network_firewall_policies_admin"],
module.organization.custom_role_id["network_firewall_policies_viewer"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
module.organization.custom_role_id["ngfw_enterprise_viewer"],
module.organization.custom_role_id["private_ca_user"],
module.organization.custom_role_id["service_project_network_admin"],
module.organization.custom_role_id["tenant_network_admin"]
]))
Expand Down
14 changes: 7 additions & 7 deletions fast/stages/1-resman/README.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion fast/stages/1-resman/branch-networking.tf
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ locals {
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.branch-nsec-sa[0].iam_email, null)
]
(var.custom_roles["network_firewall_policies_viewer"]) = [
"roles/compute.orgFirewallPolicyUser" = [
try(module.branch-nsec-r-sa[0].iam_email, null)
]
}
Expand Down
3 changes: 2 additions & 1 deletion fast/stages/1-resman/branch-security.tf
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,8 @@ module "branch-security-folder" {
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", [
"roles/privateca.certificateManager"
"roles/privateca.certificateManager",
var.custom_roles.private_ca_user
]))
)
title = "security_sa_delegated_grants"
Expand Down
2 changes: 1 addition & 1 deletion fast/stages/1-resman/iam.tf
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ locals {
member = module.branch-nsec-sa[0].iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
sa_net_nsec_r_fw_policy_admin = {
sa_net_nsec_r_fw_policy_user = {
member = module.branch-nsec-sa[0].iam_email
role = "roles/compute.orgFirewallPolicyUser"
}
Expand Down
1 change: 1 addition & 0 deletions fast/stages/1-resman/variables-fast.tf
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ variable "custom_roles" {
ngfw_enterprise_admin = string
ngfw_enterprise_viewer = string
organization_admin_viewer = string
private_ca_user = string
service_project_network_admin = string
storage_viewer = string
})
Expand Down
52 changes: 24 additions & 28 deletions fast/stages/2-security/README.md

Large diffs are not rendered by default.

89 changes: 57 additions & 32 deletions fast/stages/2-security/core-dev.tf
Original file line number Diff line number Diff line change
Expand Up @@ -15,24 +15,28 @@
*/

locals {
_ngfw_dev_cas_iam_bindings_additive = {
nsec_dev_sa_binding = {
# Extract NGFW locations from dev CAS
ngfw_dev_locations = toset([
for k, v in var.cas_configs.dev
: v.location
if contains(var.ngfw_tls_configs.keys.dev.cas, k)
])
ngfw_dev_sa_agent_cas_iam_bindings_additive = {
nsec_dev_agent_sa_binding = {
member = module.dev-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
_ngfw_cas_config_dev = {
for k, v in var.ngfw_tls_configs.dev.cas_configs
: k => merge(
v,
_ngfw_dev_cas_iam_bindings_additive
) if
ngfw_dev_sa_cas_iam_bindings_additive = {
nsec_dev_sa_binding = {
member = "serviceAccount:${var.service_accounts.nsec}"
role = var.custom_roles.private_ca_user
}
nsec_dev_sa_r_binding = {
member = "serviceAccount:${var.service_accounts.nsec-r}"
role = var.custom_roles.private_ca_user
}
}
cas_config_dev = merge(
var.cas_configs.dev,
try(var.ngfw_tls_configs.dev.cas_config, null) != null
? local._ngfw_cas_config_dev : null
)
dev_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-dev,
Expand All @@ -41,11 +45,6 @@ locals {
var.service_accounts.project-factory-prod
])) : "serviceAccount:${sa}"
]
trust_config_dev = merge(
var.trust_configs.dev,
try(var.ngfw_tls_configs.dev.trust_config, null) != null
? local._ngfw_trust_config_dev : null
)
}

module "dev-sec-project" {
Expand All @@ -57,12 +56,12 @@ module "dev-sec-project" {
iam = {
"roles/cloudkms.viewer" = local.dev_kms_restricted_admins
}
iam_bindings_additive = {
iam_bindings_additive = merge({
for member in local.dev_kms_restricted_admins :
"kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
member = member
})
}
}, local.ngfw_dev_sa_cas_iam_bindings_additive)
labels = { environment = "dev", team = "security" }
services = local.project_services
}
Expand All @@ -78,21 +77,25 @@ module "dev-sec-kms" {
keys = local.kms_locations_keys[each.key]
}

module "dev-sec-cas" {
for_each = local.cas_config_dev
source = "../../../modules/certificate-authority-service"
project_id = module.dev-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = each.value.iam_bindings_additive
iam_by_principals = each.value.iam_by_principals
location = each.value.location
module "dev-cas" {
for_each = var.cas_configs.dev
source = "../../../modules/certificate-authority-service"
project_id = module.dev-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = (
contains(var.ngfw_tls_configs.keys.dev.cas, each.key)
? merge(local.ngfw_dev_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive)
: each.value.iam_bindings_additive
)
iam_by_principals = each.value.iam_by_principals
location = each.value.location
}

resource "google_certificate_manager_trust_config" "dev_trust_configs" {
for_each = local.trust_config_dev
for_each = var.trust_configs.dev
name = each.key
project = module.dev-sec-project.project_id
description = each.value.description
Expand Down Expand Up @@ -123,3 +126,25 @@ resource "google_certificate_manager_trust_config" "dev_trust_configs" {
}
}
}

resource "google_network_security_tls_inspection_policy" "ngfw_dev_tls_ips" {
for_each = (
var.ngfw_tls_configs.tls_inspection.enabled
? local.ngfw_dev_locations : toset([])
)
name = "${var.prefix}-dev-tls-ip-0"
project = module.dev-sec-project.project_id
location = each.key
ca_pool = try([
for k, v in module.dev-cas
: v.ca_pool_id
if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.dev.cas, k)
][0], null)
exclude_public_ca_set = var.ngfw_tls_configs.tls_inspection.exclude_public_ca_set
min_tls_version = var.ngfw_tls_configs.tls_inspection.min_tls_version
trust_config = try([
for k, v in google_certificate_manager_trust_config.dev_trust_configs
: v.id
if v.location == each.key
][0], null)
}
114 changes: 60 additions & 54 deletions fast/stages/2-security/core-prod.tf
Original file line number Diff line number Diff line change
Expand Up @@ -15,56 +15,35 @@
*/

locals {
_ngfw_cas_config_prod = {
prod-ca-0 = {
ca_configs = {
prod-root-ngfw-ca-0 = {
deletion_protection = false #delete
subject = {
common_name = try(var.ngfw_tls_configs.prod.cas_config.common_name, null)
organization = try(var.ngfw_tls_configs.prod.cas_config.organization, null)
}
}
}
ca_pool_config = {
authz_nsec_sa = true
name = "prod-ngfw-ca-pool-3" #fix
}
iam = {}
iam_bindings = {}
iam_bindings_additive = {
nsec_prod_sa_binding = {
member = module.prod-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
iam_by_principals = {}
location = var.ngfw_tls_configs.prod.location
# Extract NGFW locations from prod CAS
ngfw_prod_locations = toset([
for k, v in var.cas_configs.prod
: v.location
if contains(var.ngfw_tls_configs.keys.prod.cas, k)
])
ngfw_prod_sa_agent_cas_iam_bindings_additive = {
nsec_prod_agent_sa_binding = {
member = module.prod-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
_ngfw_trust_config_prod = {
prod-trust-0 = merge(
{ location = var.ngfw_tls_configs.prod.location },
var.ngfw_tls_configs.prod.trust_config
)
ngfw_prod_sa_cas_iam_bindings_additive = {
nsec_prod_sa_binding = {
member = "serviceAccount:${var.service_accounts.nsec}"
role = var.custom_roles.private_ca_user
}
nsec_prod_sa_r_binding = {
member = "serviceAccount:${var.service_accounts.nsec-r}"
role = var.custom_roles.private_ca_user
}
}
cas_config_prod = merge(
var.cas_configs.prod,
try(var.ngfw_tls_configs.prod.cas_config, null) != null
? local._ngfw_cas_config_prod : null
)
prod_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-prod,
var.service_accounts.project-factory,
var.service_accounts.project-factory-prod
])) : "serviceAccount:${sa}"
]
trust_config_prod = merge(
var.trust_configs.prod,
try(var.ngfw_tls_configs.prod.trust_config, null) != null
? local._ngfw_trust_config_prod : null
)
}

module "prod-sec-project" {
Expand All @@ -76,12 +55,12 @@ module "prod-sec-project" {
iam = {
"roles/cloudkms.viewer" = local.prod_kms_restricted_admins
}
iam_bindings_additive = {
iam_bindings_additive = merge({
for member in local.prod_kms_restricted_admins :
"kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
member = member
})
}
}, local.ngfw_prod_sa_cas_iam_bindings_additive)
labels = { environment = "prod", team = "security" }
services = local.project_services
}
Expand All @@ -97,21 +76,25 @@ module "prod-sec-kms" {
keys = local.kms_locations_keys[each.key]
}

module "prod-sec-cas" {
for_each = local.cas_config_prod
source = "../../../modules/certificate-authority-service"
project_id = module.prod-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = each.value.iam_bindings_additive
iam_by_principals = each.value.iam_by_principals
location = each.value.location
module "prod-cas" {
for_each = var.cas_configs.prod
source = "../../../modules/certificate-authority-service"
project_id = module.prod-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = (
contains(var.ngfw_tls_configs.keys.prod.cas, each.key)
? merge(local.ngfw_prod_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive)
: each.value.iam_bindings_additive
)
iam_by_principals = each.value.iam_by_principals
location = each.value.location
}

resource "google_certificate_manager_trust_config" "prod_trust_configs" {
for_each = local.trust_config_prod
for_each = var.trust_configs.prod
name = each.key
project = module.prod-sec-project.project_id
description = each.value.description
Expand Down Expand Up @@ -142,3 +125,26 @@ resource "google_certificate_manager_trust_config" "prod_trust_configs" {
}
}
}

resource "google_network_security_tls_inspection_policy" "ngfw_prod_tls_ips" {
for_each = (
var.ngfw_tls_configs.tls_inspection.enabled
? local.ngfw_prod_locations : toset([])
)
name = "${var.prefix}-prod-tls-ip-0"
project = module.prod-sec-project.project_id
location = each.key
ca_pool = try([
for k, v in module.prod-cas
: v.ca_pool_id
if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.prod.cas, k)
][0], null)
exclude_public_ca_set = var.ngfw_tls_configs.tls_inspection.exclude_public_ca_set
min_tls_version = var.ngfw_tls_configs.tls_inspection.min_tls_version
trust_config = try([
for k, v in google_certificate_manager_trust_config.prod_trust_configs
: v.id
if v.location == each.key
][0], null)
}

Loading

0 comments on commit a8b9f83

Please sign in to comment.