Extract web application firewall module
markhobson committed Nov 28, 2024
1 parent a54bdbd commit 909b0a5
Showing 5 changed files with 146 additions and 130 deletions.
131 changes: 1 addition & 130 deletions cloud/schemes/load-balancer/main.tf
Expand Up @@ -23,7 +23,7 @@ resource "google_compute_region_network_endpoint_group" "schemes" {
resource "google_compute_backend_service" "schemes" {
name = "schemes"
load_balancing_scheme = "EXTERNAL_MANAGED"
security_policy = google_compute_security_policy.schemes.id
security_policy = var.security_policy_id

backend {
group = google_compute_region_network_endpoint_group.schemes.id
Expand Down Expand Up @@ -84,132 +84,3 @@ resource "google_compute_global_forwarding_rule" "schemes_http" {
port_range = "80"
load_balancing_scheme = "EXTERNAL_MANAGED"
}

# Cloud Armor

resource "google_compute_security_policy" "schemes" {
name = "schemes"

rule {
description = "Block malicious IPs"
action = "deny(403)"
priority = 0
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["45.159.248.69"]
}
}
}

rule {
description = "SQL injection"
action = "deny(403)"
priority = 1000
match {
expr {
expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Cross-site scripting"
action = "deny(403)"
priority = 1001
match {
expr {
expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Local file inclusion"
action = "deny(403)"
priority = 1002
match {
expr {
expression = "evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Remote file inclusion"
action = "deny(403)"
priority = 1003
match {
expr {
expression = "evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Remote code execution"
action = "deny(403)"
priority = 1004
match {
expr {
expression = "evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Method enforcement"
action = "deny(403)"
priority = 1005
match {
expr {
expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Scanner detection"
action = "deny(403)"
priority = 1006
match {
expr {
expression = "evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Protocol attack"
action = "deny(403)"
priority = 1007
match {
expr {
expression = "evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "Session fixation attack"
action = "deny(403)"
priority = 1008
match {
expr {
expression = "evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})"
}
}
}

rule {
description = "default rule"
action = "allow"
priority = 2147483647
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["*"]
}
}
}
}
5 changes: 5 additions & 0 deletions cloud/schemes/load-balancer/variables.tf
Expand Up @@ -12,3 +12,8 @@ variable "cloud_run_service_name" {
description = "Cloud Run service name to load balance"
type = string
}

variable "security_policy_id" {
description = "Security policy ID"
type = string
}
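Review bot: `security_policy_id` is declared as a bare `string`, so the load-balancer module will accept an empty value and, as far as this module can tell, create the backend service with no Cloud Armor policy attached — the one control that fails open if wiring goes wrong. Reject that at plan time with a validation block, and say in the description what the value is expected to be (a `google_compute_security_policy` ID from the web-application-firewall module). The variable block itself is complete in this hunk.
```terraform
variable "security_policy_id" {
  description = "ID of the Cloud Armor security policy to attach to the backend service"
  type        = string

  validation {
    condition     = length(var.security_policy_id) > 0
    error_message = "security_policy_id must reference an existing Cloud Armor security policy."
  }
}
```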
10 changes: 10 additions & 0 deletions cloud/schemes/main.tf
Expand Up @@ -108,11 +108,21 @@ module "cloud_run" {
]
}

module "web_application_firewall" {
source = "./web-application-firewall"
}

module "load_balancer" {
source = "./load-balancer"
region = local.location
domain = local.config[local.env].domain
cloud_run_service_name = module.cloud_run.name
security_policy_id = module.web_application_firewall.security_policy_id
}

moved {
from = module.load_balancer.google_compute_security_policy.schemes
to = module.web_application_firewall.google_compute_security_policy.schemes
}

module "github_action_deploy" {
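Review bot: The `moved` block is doing security-relevant work here — it keeps the existing `google_compute_security_policy.schemes` in state instead of destroying and recreating it, which would otherwise leave the backend service without a Cloud Armor policy between the two operations — but nothing says so, and it is the kind of block someone tidies away early. A one-line comment on it would prevent that, e.g. `# Keeps the existing policy in state; remove only once every environment has applied this refactor.` The `load_balancer` module depends on `web_application_firewall` only through the `security_policy_id` output, which is enough for Terraform ordering, so no explicit `depends_on` is needed.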
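--- /dev/null
+++ b/cloud/schemes/web-application-firewall/main.tf
@@ -0,0 +1,126 @@
+resource "google_compute_security_policy" "schemes" {
+name = "schemes"
+
+rule {
+description = "Block malicious IPs"
+action = "deny(403)"
+priority = 0
+match {
+versioned_expr = "SRC_IPS_V1"
+config {
+src_ip_ranges = ["45.159.248.69"]
+}
+}
+}
+
+rule {
+description = "SQL injection"
+action = "deny(403)"
+priority = 1000
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Cross-site scripting"
+action = "deny(403)"
+priority = 1001
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Local file inclusion"
+action = "deny(403)"
+priority = 1002
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Remote file inclusion"
+action = "deny(403)"
+priority = 1003
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Remote code execution"
+action = "deny(403)"
+priority = 1004
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Method enforcement"
+action = "deny(403)"
+priority = 1005
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Scanner detection"
+action = "deny(403)"
+priority = 1006
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Protocol attack"
+action = "deny(403)"
+priority = 1007
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "Session fixation attack"
+action = "deny(403)"
+priority = 1008
+match {
+expr {
+expression = "evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})"
+}
+}
+}
+
+rule {
+description = "default rule"
+action = "allow"
+priority = 2147483647
+match {
+versioned_expr = "SRC_IPS_V1"
+config {
+src_ip_ranges = ["*"]
+}
+}
+}
+}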
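Review bot: The `Block malicious IPs` rule at priority 0 hard-codes a single address, `45.159.248.69`, with no record of why it is blocked or when it can be lifted, so a later reviewer cannot tell whether the entry is still warranted. Lift the list into a `list(string)` module variable with a description (`src_ip_ranges = var.blocked_ip_ranges`) so the blocklist can be maintained without editing the ruleset, and add a comment on the rule naming the source of the block. Every preconfigured WAF rule uses `{'sensitivity': 1}`, the lowest sensitivity level, meaning only the highest-confidence signatures in each v33 ruleset are evaluated; a comment stating that this was chosen to limit false positives (if that is the reason) would help whoever tunes it later. None of the rules sets `preview = true`, so any future sensitivity increase goes straight to an enforcing `deny(403)`; staging such changes in preview first is worth noting in the file.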
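--- /dev/null
+++ b/cloud/schemes/web-application-firewall/outputs.tf
@@ -0,0 +1,4 @@
+output "security_policy_id" {
+description = "Security policy ID"
+value = google_compute_security_policy.schemes.id
+}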

0 comments on commit 909b0a5

Please sign in to comment.