diff --git a/examples/cloud-armor/README.md b/examples/cloud-armor/README.md
index 07ebca8a..e37e82bd 100644
--- a/examples/cloud-armor/README.md
+++ b/examples/cloud-armor/README.md
@@ -3,7 +3,7 @@
 This is an example of setting up a project to take advantage of one of the [Cloud Armor features](https://cloud.google.com/armor/) that allows whitelisting of traffic to a compute instance based on ip address. It will set up a single compute instance running nginx that is accessible via a load balanced pool that is managed by cloud armor security policies.
 To run the example:
-* Set up a Google Cloud Platform account with the [compute engine api enabled](https://cloud.google.com/endpoints/docs/openapi/enable-api)
+* Set up a Google Cloud Platform account with the [compute engine api enabled](https://console.cloud.google.com/apis/library/compute.googleapis.com)
 * [Configure the Google Cloud Provider credentials](https://www.terraform.io/docs/providers/google/index.html#credentials)
 * Update the `variables.tf` OR provide overrides in the command line
 * Run with a command similar to:
@@ -16,4 +16,4 @@ terraform apply \
 After running `terraform apply` the external ip address of the load balancer will be output to the console. Either enter the ip address into the browser directly or add it to the hosts file on your machine so that it can be accessed at 'mysite.com'.
-Navigating to the address either way should result in a 403 rejection. Change the ip address in the whitelist rule in `main.tf` to a local ip address or range and re-run `terraform apply` to be able to hit the nginx welcome page on the instance. Note: it can take a little while before the changes apply.
+Navigating to the address either way should result in a 403 rejection. Change the ip address in the whitelist variable in `variables.tf` to your computer's local ip address and re-run `terraform apply` to be able to hit the nginx welcome page on the instance. After the policy has been updated it will need to be propagated to the load balancers which can take up to a few minutes to apply.
diff --git a/examples/cloud-armor/main.tf b/examples/cloud-armor/main.tf
index 209d55da..28f47253 100644
--- a/examples/cloud-armor/main.tf
+++ b/examples/cloud-armor/main.tf
@@ -36,7 +36,7 @@ resource "google_compute_instance" "cluster1" {
 }
 resource "google_compute_firewall" "cluster1" {
- name = "cloud-armor-firewall"
+ name = "armor-firewall"
 network = "default"
 allow {
@@ -125,7 +125,7 @@ resource "google_compute_security_policy" "security-policy-1" {
 versioned_expr = "SRC_IPS_V1"
 config {
- src_ip_ranges = ["192.0.2.0/24"]
+ src_ip_ranges = "${var.ip_white_list}"
 }
 }
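Review bot: At the `src_ip_ranges = "${var.ip_white_list}"` line in the `@@ -125,7` hunk nothing tells a reader of main.tf that the variable's shipped default is `192.0.2.0/24`, an RFC 5737 documentation range (TEST-NET-1) that no real client occupies, which is why the README in this same commit expects a 403 until the value is overridden. A comment above that line keeps the intent next to the rule: `# Sources admitted by this allow rule come from var.ip_white_list; its default (192.0.2.0/24, RFC 5737 TEST-NET-1) matches no real client, so every request is rejected until the variable is overridden.` The enclosing `google_compute_security_policy` resource starts and ends outside the hunk, so the rule's priority and the policy's default action are not visible here and I have not checked them.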
@@ -135,20 +135,18 @@ resource "google_compute_security_policy" "security-policy-1" {
 # Front end of the load balancer
 resource "google_compute_global_forwarding_rule" "default" {
- name = "default-rule"
+ name = "armor-rule"
 target = "${google_compute_target_http_proxy.default.self_link}"
 port_range = "80"
 }
 resource "google_compute_target_http_proxy" "default" {
- name = "test-proxy"
- description = "a description"
+ name = "armor-proxy"
 url_map = "${google_compute_url_map.default.self_link}"
 }
 resource "google_compute_url_map" "default" {
- name = "url-map"
- description = "a description"
+ name = "armor-url-map"
 default_service = "${google_compute_backend_service.website.self_link}"
 host_rule {
diff --git a/examples/cloud-armor/variables.tf b/examples/cloud-armor/variables.tf
index b98a15c8..d3967d59 100644
--- a/examples/cloud-armor/variables.tf
+++ b/examples/cloud-armor/variables.tf
@@ -14,3 +14,8 @@ variable "credentials_file_path" {
 description = "Path to the JSON file used to describe your account credentials"
 default = "~/.gcloud/Terraform.json"
 }
+
+variable "ip_white_list" {
+ description = "A list of ip addresses that can be white listed through security policies"
+ default = ["192.0.2.0/24"]
+}
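Review bot: The new `ip_white_list` variable in the variables.tf hunk carries no `type`, so its list shape is only inferred from the default; adding `type = "list"` beside `default` states the contract for users who override it on the command line, as the README in this commit tells them to. The description could also say what an entry is and why the default admits nobody, e.g. `description = "IP addresses or CIDR ranges allowed through the Cloud Armor security policy; the default is the RFC 5737 documentation range, so no real client is admitted until it is overridden"`. The README hunk's advice to enter "your computer's local ip address" is worth reconciling with this description: the address the policy sees is presumably the source address as it arrives at the load balancer, normally the public egress address rather than a LAN address, so a private address in the list would not match.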