This module makes it easy to set up Cloud IDS, private services access, and a packet mirroring policy that feeds the IDS endpoint.
The packet mirroring policy requires at least one of the three options below (an empty policy mirrors nothing, so the IDS endpoint would receive no traffic):
- Tags: up to 5 network tags can be specified.
- Subnets: up to 5 subnets can be specified.
- Instances: up to 50 instances can be specified.
```hcl
module "cloud_ids" {
  source           = "GoogleCloudPlatform/terraform-google-cloud-ids"
  project_id       = "<PROJECT_ID>"
  vpc_network_name = "<VPC_NETWORK_NAME>"
  network_region   = "<NETWORK_REGION>"
  network_zone     = "<NETWORK_ZONE>"

  # Mirrored sources: at least one of instance_list, subnet_list, tag_list is required.
  instance_list = [
    "projects/<PROJECT_ID>/zones/<ZONE-1>/instances/<INSTANCE-1>",
    "projects/<PROJECT_ID>/zones/<ZONE-2>/instances/<INSTANCE-2>",
  ]
  subnet_list = [
    "projects/<PROJECT_ID>/regions/<REGION-1>/subnetworks/<SUBNETWORK-1>",
    "projects/<PROJECT_ID>/regions/<REGION-2>/subnetworks/<SUBNETWORK-2>",
  ]
  tag_list = ["<TAG-1>", "<TAG-2>", "<TAG-3>", "<TAG-4>"]

  # Private services access range reserved for the Cloud IDS endpoint.
  ids_private_ip_range_name    = "ids-private-address"
  ids_private_ip_address       = "10.10.10.0"
  ids_private_ip_prefix_length = 24
  ids_private_ip_description   = "Cloud IDS reserved IP Range"

  ids_name = "cloud-ids"
  severity = "INFORMATIONAL"

  packet_mirroring_policy_name        = "cloud-ids-packet-mirroring"
  packet_mirroring_policy_description = "Packet mirroring policy for Cloud IDS"
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
cidr_ranges_filter | IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported. | list(string) | [] | no |
direction_filter | Direction of traffic to mirror. Possible values are INGRESS, EGRESS, and BOTH. | string | "BOTH" | no |
ids_name | Cloud IDS instance name | string | "cloud-ids" | no |
ids_private_ip_address | Cloud IDS private IP address | string | null | no |
ids_private_ip_description | Cloud IDS private IP address description | string | "Cloud IDS reserved IP Range" | no |
ids_private_ip_prefix_length | Cloud IDS private IP address prefix length | string | 24 | no |
ids_private_ip_range_name | Cloud IDS private IP address range name | string | "ids-private-address" | no |
instance_list | Instance list to monitor with Cloud IDS | list(string) | null | no |
ip_protocols_filter | IP protocols filter for the packet mirroring policy. Can include 'tcp', 'udp', 'icmp', and 'esp'. | list(string) | [] | no |
network_region | Network region for IDS | string | n/a | yes |
network_zone | Network zone for IDS | string | n/a | yes |
packet_mirroring_policy_description | Packet mirroring policy description | string | "Packet mirroring policy for Cloud IDS" | no |
packet_mirroring_policy_name | Packet mirroring policy name | string | "cloud-ids-packet-mirroring" | no |
project_id | Project ID to deploy resources | string | n/a | yes |
severity | The minimum alert severity level that is reported by the endpoint | string | "INFORMATIONAL" | no |
subnet_list | Subnet list to monitor with Cloud IDS | list(string) | null | no |
tag_list | Tag list to monitor with Cloud IDS | list(string) | null | no |
threat_exceptions | List of threat IDs to exclude from generating alerts. Limit: 99 IDs. | list(string) | null | no |
vpc_network_name | VPC network name for IDS | string | n/a | yes |
Name | Description |
---|---|
ids_endpoint_id | IDS Endpoint id |
ids_endpoint_severity | IDS Endpoint severity |
These sections describe requirements for using this module.
The following dependencies must be available:
- [Terraform][terraform] v1.3
- [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53
A service account with the following roles must be used to provision the resources of this module:
- Cloud IDS Admin: `roles/ids.admin`
- Compute Packet Mirroring User: `roles/compute.packetMirroringUser`
- Logs Viewer: `roles/logging.viewer`
The [Project Factory module][project-factory-module] and the [IAM module][iam-module] may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Cloud IDS API: `ids.googleapis.com`
- Cloud Logging API: `logging.googleapis.com`
- Compute Engine API: `compute.googleapis.com`
- Service Networking API: `servicenetworking.googleapis.com`
The [Project Factory module][project-factory-module] can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.