@hiiretail/gcp-infra-cli 0.92.5 → 0.93.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/generators/common-resources/cloud-armor/generator.json +4 -0
- package/generators/common-resources/cloud-armor/index.js +45 -0
- package/generators/common-resources/cloud-armor/templates/policies.yaml +49 -0
- package/generators/common-resources/cloud-armor/templates/terragrunt.hcl +30 -0
- package/package.json +1 -1
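--- a/package/generators/common-resources/cloud-armor/index.js
+++ b/package/generators/common-resources/cloud-armor/index.js
@@ -0,0 +1,45 @@
+const path = require('path');
+const chalk = require('chalk');
+const BaseGenerator = require('../../../src/BaseGenerator');
+const getTribeAndClanName = require('../../init/clan-infra/tribe-clan-repo');
+
+module.exports = class extends BaseGenerator {
+prompting() {
+const prompts = [
+{
+type: 'input',
+name: 'name',
+default: getTribeAndClanName().clan,
+message: 'Enter your policy name or leave blank for default',
+},
+];
+return this.prompt(prompts).then((props) => {
+this.answers = props;
+});
+}
+
+writing() {
+const {
+name,
+} = this.answers;
+
+const run = (env) => {
+this.copyDir(
+path.join(''),
+path.join('infra', env, 'cloud-armor', name),
+);
+};
+run('staging');
+run('prod');
+}
+
+end() {
+const {
+name,
+} = this.answers;
+this.log(`
+${chalk.green(`Your cloud armor policy ${chalk.cyan(name)} has been created. To finalize your configuration, please continue
+with manual editing of the generated files.`)}
+`);
+}
+};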
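Review bot: The `name` answer collected in prompting() is used unvalidated in writing() as a path segment, `path.join('infra', env, 'cloud-armor', name)`, and the generated terragrunt.hcl appears to take the policy name from that directory (`basename(get_terragrunt_dir())`), so a value containing `/` or `..` would scaffold outside `infra/<env>/cloud-armor` and a value outside GCP's resource-name grammar only fails at apply time. Add a validator to the prompt, e.g. `validate: (v) => (v.length <= 63 && /^[a-z]([-a-z0-9]*[a-z0-9])?$/.test(v)) || 'Use 1-63 lowercase letters, digits and hyphens; start with a letter and do not end with a hyphen',`. The source argument `path.join('')` resolves to `.`; if the template root is intended, `'.'` states that more plainly. The `.then` in prompting() could also be `async prompting() { this.answers = await this.prompt(prompts); }`, matching the async style of modern Yeoman generators.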
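--- a/package/generators/common-resources/cloud-armor/templates/policies.yaml
+++ b/package/generators/common-resources/cloud-armor/templates/policies.yaml
@@ -0,0 +1,49 @@
+## This yaml file will configure your cloud armor policies
+## For more information on how to configure the expressions
+## Visit https://cloud.google.com/armor/docs/rules-language-reference
+description: Cloud armor policy
+default-action: allow ## if no requests match any rules this value will be honored ( allow | deny )
+rules:
+deny-no-auth-header:
+action: deny
+priority: 10
+description: Block requests without auth header
+preview: true ## dry run true | false
+## Expression will block any request not containing the authorization header
+expression: >-
+!has(request.headers["authorization"])
+
+## Example rules
+# ban-requests:
+# action: rate_based_ban
+# priority: 500
+# description: ban requests if more then 10 with the same authorization token
+# preview: true
+# expression: >-
+# inIpRange(origin.ip, "0.0.0.0/0") && has(request.headers["authorization"])
+# rate_limit_options:
+# exceed_action: deny(502)
+## Ban if we get more than 10 requests in 10 minutes for 40 minutes
+# ban_http_request_count: 10
+# ban_http_request_interval_sec: 600
+# ban_duration_sec: 2700
+## Throttle if we get more than 5 requests every 60 seconds
+# rate_limit_http_request_count: 5
+# rate_limit_http_request_interval_sec: 60
+## Enforce on auth header only
+# enforce_on_key_configs:
+# - enforce_on_key_type: HTTP_HEADER
+# enforce_on_key_name: authorization
+# throttle-requests:
+# action: throttle
+# priority: 1000
+# description: throttle requests from SE (100/minute)
+# preview: true
+# expression: >-
+# inIpRange(origin.ip, "0.0.0.0/0") && origin.region_code == "SE"
+# rate_limit_options:
+# exceed_action: deny(429)
+## Throttle if we get 100 requests per minute from sweden and the same IP
+# rate_limit_http_request_count: 100
+# rate_limit_http_request_interval_sec: 60
+# enforce_on_key: ALL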
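Review bot: The only enabled rule, deny-no-auth-header, is scaffolded with `preview: true`, so combined with `default-action: allow` the generated policy logs matches but blocks nothing until someone edits the file, and the comment `## dry run true | false` does not make that consequence visible. Suggest `preview: true ## dry run: matches are only logged; nothing is blocked until this is set to false` and a sentence in the header comment stating that the scaffolded policy is permissive by default. The example-rule description `more then 10` should read `more than 10`. The rule comment says the expression "will block" requests, which is only true once preview is off — wording it as "matches any request without an authorization header" avoids that ambiguity.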
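--- a/package/generators/common-resources/cloud-armor/templates/terragrunt.hcl
+++ b/package/generators/common-resources/cloud-armor/templates/terragrunt.hcl
@@ -0,0 +1,30 @@
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+source = "git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor//?ref=v2.0.1"
+}
+
+include {
+path = find_in_parent_folders("terragrunt_root.hcl")
+}
+
+locals {
+project_vars = read_terragrunt_config(find_in_parent_folders("project.hcl"))
+common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+policies = yamldecode(file("${get_terragrunt_dir()}/policies.yaml"))
+name = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+{
+project_id = local.project_vars.locals.project_id
+name = local.name
+description = local.policies["description"]
+default_rule_action = local.policies["default-action"]
+type = "CLOUD_ARMOR"
+layer_7_ddos_defense_enable = false
+json_parsing = "STANDARD"
+log_level = "VERBOSE"
+custom_rules = local.policies["rules"]
+}
+)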
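Review bot: The module source is pinned to the git tag `v2.0.1`, and tags are movable, so every generated stack fetches whatever that tag points at on the day it runs rather than the reviewed module code; pinning to the commit SHA behind the tag is the stable form, e.g. `source = "git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor//?ref=<commit-sha-of-v2.0.1>" # v2.0.1`. `merge(` wraps a single object literal and is therefore a no-op; `inputs = { ... }` reads more plainly unless further maps are meant to be merged in later. `custom_rules` passes the YAML `rules` map through unchanged, so the key names used in policies.yaml have to match the module's `custom_rules` variable schema — a comment on that line pointing readers at the module's variable definition would save a round trip when a rule fails to plan. `common_vars` is read in locals but not referenced in inputs.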