diff --git a/cloud/schemes/load-balancer/main.tf b/cloud/schemes/load-balancer/main.tf
index da2dfa7..7e813f4 100644
--- a/cloud/schemes/load-balancer/main.tf
+++ b/cloud/schemes/load-balancer/main.tf
@@ -23,7 +23,7 @@ resource "google_compute_region_network_endpoint_group" "schemes" {
 resource "google_compute_backend_service" "schemes" {
 name = "schemes"
 load_balancing_scheme = "EXTERNAL_MANAGED"
- security_policy = google_compute_security_policy.schemes.id
+ security_policy = var.security_policy_id
 backend {
 group = google_compute_region_network_endpoint_group.schemes.id
@@ -84,132 +84,3 @@ resource "google_compute_global_forwarding_rule" "schemes_http" {
 port_range = "80"
 load_balancing_scheme = "EXTERNAL_MANAGED"
 }
-
-# Cloud Armor
-
-resource "google_compute_security_policy" "schemes" {
- name = "schemes"
-
- rule {
- description = "Block malicious IPs"
- action = "deny(403)"
- priority = 0
- match {
- versioned_expr = "SRC_IPS_V1"
- config {
- src_ip_ranges = ["45.159.248.69"]
- }
- }
- }
-
- rule {
- description = "SQL injection"
- action = "deny(403)"
- priority = 1000
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Cross-site scripting"
- action = "deny(403)"
- priority = 1001
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Local file inclusion"
- action = "deny(403)"
- priority = 1002
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Remote file inclusion"
- action = "deny(403)"
- priority = 1003
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Remote code execution"
- action = "deny(403)"
- priority = 1004
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Method enforcement"
- action = "deny(403)"
- priority = 1005
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Scanner detection"
- action = "deny(403)"
- priority = 1006
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Protocol attack"
- action = "deny(403)"
- priority = 1007
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "Session fixation attack"
- action = "deny(403)"
- priority = 1008
- match {
- expr {
- expression = "evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})"
- }
- }
- }
-
- rule {
- description = "default rule"
- action = "allow"
- priority = 2147483647
- match {
- versioned_expr = "SRC_IPS_V1"
- config {
- src_ip_ranges = ["*"]
- }
- }
- }
-}
diff --git a/cloud/schemes/load-balancer/variables.tf b/cloud/schemes/load-balancer/variables.tf
index 3afc0c2..9c96989 100644
--- a/cloud/schemes/load-balancer/variables.tf
+++ b/cloud/schemes/load-balancer/variables.tf
@@ -12,3 +12,8 @@ variable "cloud_run_service_name" {
 description = "Cloud Run service name to load balance"
 type = string
 }
+
+variable "security_policy_id" {
+ description = "Security policy ID"
+ type = string
+}
diff --git a/cloud/schemes/main.tf b/cloud/schemes/main.tf
index 6a891b9..37bfbc4 100644
--- a/cloud/schemes/main.tf
+++ b/cloud/schemes/main.tf
@@ -108,11 +108,21 @@ module "cloud_run" {
 ]
 }
+
+module "web_application_firewall" {
+ source = "./web-application-firewall"
+}
+
 module "load_balancer" {
 source = "./load-balancer"
 region = local.location
 domain = local.config[local.env].domain
 cloud_run_service_name = module.cloud_run.name
+ security_policy_id = module.web_application_firewall.security_policy_id
+}
+
+moved {
+ from = module.load_balancer.google_compute_security_policy.schemes
+ to = module.web_application_firewall.google_compute_security_policy.schemes
 }
 module "github_action_deploy" {
diff --git a/cloud/schemes/web-application-firewall/main.tf b/cloud/schemes/web-application-firewall/main.tf
new file mode 100644
index 0000000..361adc0
--- /dev/null
+++ b/cloud/schemes/web-application-firewall/main.tf
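Review bot: `security_policy_id` is declared as a bare `string`, and it is now the only thing that attaches Cloud Armor to the external load balancer, so a caller that passes `null` (module variables are nullable unless `nullable = false` is set) would apply cleanly with the backend service's `security_policy` left unset; an empty string would presumably fail only at apply time, if at all. Marking the variable non-nullable and validating that it is non-empty moves that failure to plan time, and the description should say what the ID must point to rather than just "Security policy ID".
```hcl
variable "security_policy_id" {
  description = "ID of the Cloud Armor security policy to attach to the backend service"
  type        = string
  nullable    = false
  validation {
    condition     = length(var.security_policy_id) > 0
    error_message = "security_policy_id must reference an existing Cloud Armor security policy."
  }
}
```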
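Review bot: The `moved` block carries no comment explaining that it exists to rename the existing `google_compute_security_policy.schemes` in state rather than destroy and recreate the policy, nor when it can be deleted; since `local.config[local.env]` suggests this root is applied once per environment, it has to stay until every environment's state has been applied with it. A one-line comment such as `# keeps the existing Cloud Armor policy in state across the module split; remove once every env has applied this change` would record that for whoever cleans up later.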
@@ -0,0 +1,126 @@
+resource "google_compute_security_policy" "schemes" {
+ name = "schemes"
+
+ rule {
+ description = "Block malicious IPs"
+ action = "deny(403)"
+ priority = 0
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["45.159.248.69"]
+ }
+ }
+ }
+
+ rule {
+ description = "SQL injection"
+ action = "deny(403)"
+ priority = 1000
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Cross-site scripting"
+ action = "deny(403)"
+ priority = 1001
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Local file inclusion"
+ action = "deny(403)"
+ priority = 1002
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Remote file inclusion"
+ action = "deny(403)"
+ priority = 1003
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Remote code execution"
+ action = "deny(403)"
+ priority = 1004
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Method enforcement"
+ action = "deny(403)"
+ priority = 1005
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Scanner detection"
+ action = "deny(403)"
+ priority = 1006
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Protocol attack"
+ action = "deny(403)"
+ priority = 1007
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "Session fixation attack"
+ action = "deny(403)"
+ priority = 1008
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})"
+ }
+ }
+ }
+
+ rule {
+ description = "default rule"
+ action = "allow"
+ priority = 2147483647
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["*"]
+ }
+ }
+ }
+}
diff --git a/cloud/schemes/web-application-firewall/outputs.tf b/cloud/schemes/web-application-firewall/outputs.tf
new file mode 100644
index 0000000..7c661c0
--- /dev/null
+++ b/cloud/schemes/web-application-firewall/outputs.tf
@@ -0,0 +1,4 @@
+output "security_policy_id" {
+ description = "Security policy ID"
+ value = google_compute_security_policy.schemes.id
+}
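Review bot: The "Block malicious IPs" rule at priority 0 hard-codes a single address, `45.159.248.69`, inside the module, so extending or reviewing the blocklist means editing the module rather than its inputs; expose it as `variable "blocked_src_ip_ranges" { type = list(string) default = ["45.159.248.69"] }` and set `src_ip_ranges = var.blocked_src_ip_ranges`. Every `evaluatePreconfiguredWaf` rule runs at `'sensitivity': 1`, the lowest paranoia level, which is a defensible starting point but deserves a comment such as `# sensitivity 1 = fewest false positives, least coverage; raise only after reviewing Cloud Armor logs` so the next maintainer does not read it as the strict setting. Nothing in the policy limits request rate, so well-formed requests from a single source pass every signature rule no matter how many arrive; a throttle rule evaluated before the signature rules (sketched below, thresholds to be tuned from real traffic) or enabling `adaptive_protection_config` on the policy would cover that case.
```hcl
# … unchanged: name and the priority 0 IP blocklist rule …

rule {
  description = "Per-source rate limit"
  action      = "throttle"
  priority    = 900
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["*"]
    }
  }
  rate_limit_options {
    conform_action = "allow"
    exceed_action  = "deny(429)"
    enforce_on_key = "IP"
    rate_limit_threshold {
      count        = 100 # placeholder; set from observed per-client request rates
      interval_sec = 60
    }
  }
}

# … unchanged: evaluatePreconfiguredWaf rules 1000-1008 and the default allow rule …
```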