# Example for using Cloud Armor https://cloud.google.com/armor/ # resource "random_id" "instance_id" { byte_length = 4 } # Configure the Google Cloud provider provider "google" { credentials = "${file(var.credentials_file_path)}" project = "${var.project_name}" region = "${var.region}" zone = "${var.region_zone}" } # Set up a backend to be proxied to: # A single instance in a pool running nginx with port 80 open will allow end to end network testing resource "google_compute_instance" "cluster1" { name = "armor-gce-${random_id.instance_id.hex}" machine_type = "f1-micro" boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config = { # Ephemeral IP } } metadata_startup_script = "sudo apt-get update; sudo apt-get install -yq nginx; sudo service nginx restart" } resource "google_compute_firewall" "cluster1" { name = "armor-firewall" network = "default" allow { protocol = "tcp" ports = ["80", "43"] } } resource "google_compute_instance_group" "webservers" { name = "instance-group-all" description = "An instance group for the single GCE instance" instances = [ "${google_compute_instance.cluster1.self_link}", ] named_port { name = "http" port = "80" } } resource "google_compute_target_pool" "example" { name = "armor-pool" instances = [ "${google_compute_instance.cluster1.self_link}", ] health_checks = [ "${google_compute_http_health_check.health.name}", ] } resource "google_compute_http_health_check" "health" { name = "armor-healthcheck" request_path = "/" check_interval_sec = 1 timeout_sec = 1 } resource "google_compute_backend_service" "website" { name = "armor-backend" description = "Our company website" port_name = "http" protocol = "HTTP" timeout_sec = 10 enable_cdn = false backend { group = "${google_compute_instance_group.webservers.self_link}" } security_policy = "${google_compute_security_policy.security-policy-1.self_link}" health_checks = ["${google_compute_http_health_check.health.self_link}"] } # Cloud Armor Security policies resource "google_compute_security_policy" "security-policy-1" { name = "armor-security-policy" description = "example security policy" # Reject all traffic that hasn't been whitelisted. rule { action = "deny(403)" priority = "2147483647" match { versioned_expr = "SRC_IPS_V1" config { src_ip_ranges = ["*"] } } description = "Default rule, higher priority overrides it" } # Whitelist traffic from certain ip address rule { action = "allow" priority = "1000" match { versioned_expr = "SRC_IPS_V1" config { src_ip_ranges = "${var.ip_white_list}" } } description = "allow traffic from 192.0.2.0/24" } } # Front end of the load balancer resource "google_compute_global_forwarding_rule" "default" { name = "armor-rule" target = "${google_compute_target_http_proxy.default.self_link}" port_range = "80" } resource "google_compute_target_http_proxy" "default" { name = "armor-proxy" url_map = "${google_compute_url_map.default.self_link}" } resource "google_compute_url_map" "default" { name = "armor-url-map" default_service = "${google_compute_backend_service.website.self_link}" host_rule { hosts = ["mysite.com"] path_matcher = "allpaths" } path_matcher { name = "allpaths" default_service = "${google_compute_backend_service.website.self_link}" path_rule { paths = ["/*"] service = "${google_compute_backend_service.website.self_link}" } } } output "ip" { value = "${google_compute_global_forwarding_rule.default.ip_address}" }