Merge pull request #138 from cblkwell/add-iap-security-policy
Adding security policy variable for IAP backend
bschaatsbergen authored Dec 7, 2023

Verified

This commit was signed with the committer’s verified signature.
targos Michaël Zasso
2 parents 6514948 + 1d5abd5 commit 0bc790d
Showing 5 changed files with 57 additions and 1 deletion.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -228,6 +228,7 @@ You can check the status of the certificate in the Google Cloud Console.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_block_project_ssh_keys_enabled"></a> [block\_project\_ssh\_keys\_enabled](#input\_block\_project\_ssh\_keys\_enabled) | Blocks the use of project-wide publich SSH keys | `bool` | `false` | no |
| <a name="input_default_backend_security_policy"></a> [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no |
| <a name="input_disk_kms_key_self_link"></a> [disk\_kms\_key\_self\_link](#input\_disk\_kms\_key\_self\_link) | The self link of the encryption key that is stored in Google Cloud KMS | `string` | `null` | no |
| <a name="input_domain"></a> [domain](#input\_domain) | Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://` | `string` | n/a | yes |
| <a name="input_enable_oslogin"></a> [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no |
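Review bot: The `default_backend_security_policy` row is being added to the inputs table here even though the variable already exists in variables.tf (it appears as unchanged context in that file's hunk), so the README had drifted from the module's inputs before this change. Consider regenerating this table from the variable definitions (terraform-docs style) rather than editing it by hand, so the new `iap_backend_security_policy` row and future inputs stay in sync. While touching this table, the context row above still reads "project-wide publich SSH keys"; that is a pre-existing typo worth fixing in the same pass.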
@@ -237,6 +238,7 @@ You can check the status of the certificate in the Google Cloud Console.
| <a name="input_google_logging_use_fluentbit"></a> [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no |
| <a name="input_google_monitoring_enabled"></a> [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no |
| <a name="input_iap"></a> [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI | <pre>object({<br> oauth2_client_id = string<br> oauth2_client_secret = string<br> })</pre> | `null` | no |
| <a name="input_iap_backend_security_policy"></a> [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no |
| <a name="input_image"></a> [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no |
| <a name="input_machine_image"></a> [machine\_image](#input\_machine\_image) | The machine image to create VMs with, if not specified, latest cos\_cloud/cos\_stable is used | `string` | `null` | no |
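Review bot: The description "Name of the security policy to apply to the IAP backend service" should say when it takes effect: the IAP backend service only exists when `iap` is configured (its default is `null` two rows above), so a value here is silently ignored otherwise. It is also worth a sentence warning that this policy must not simply reuse the one given to `default_backend_security_policy`: the default backend's policy is meant to admit only GitHub webhook sources (see the cloud-armor example), and attaching that same policy to the IAP backend would lock every human user out of the UI. Something like "Name of the security policy to apply to the IAP backend service. Only used when `iap` is set; use a separate policy from the default backend, which should only allow GitHub webhook traffic" would be clearer.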
2 changes: 1 addition & 1 deletion examples/cloud-armor/README.md
@@ -1,6 +1,6 @@
# Example usage

This example deploys Cloud Armor to ensure requests to the default backend are coming from GitHub Webhooks.
This example deploys Cloud Armor to ensure requests to the default backend are coming from GitHub Webhooks, and adds another policy to restrict access to the IAP backend to an example CIDR.

Since IAP is enabled, two backend services will be created:

47 changes: 47 additions & 0 deletions examples/cloud-armor/main.tf
@@ -59,6 +59,7 @@ module "atlantis" {
project = local.project_id

default_backend_security_policy = google_compute_security_policy.atlantis.name
iap_backend_security_policy = google_compute_security_policy.atlantis_iap.name

iap = {
oauth2_client_id = google_iap_client.atlantis.client_id
@@ -124,6 +125,52 @@ resource "google_compute_security_policy" "atlantis" {
}
}

# This policy allows you to restrict access to the UI from anywhere but say
# your VPN exits, etc.
resource "google_compute_security_policy" "atlantis_iap" {
name = "atlantis-iap-security-policy"
description = "Policy blocking all traffic except from example range"
project = local.project_id

rule {
# Allow from sample range, eg 192.168.0.0/16
action = "allow"
priority = "2"
description = "Allow from sample CIDR"
match {
expr {
expression = "(inIpRange(origin.ip, '192.168.0.0/16'))"
}
}
}

rule {
# Deny all by default
action = "deny(403)"
priority = "2147483647"
description = "Default rule: deny all"

match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["*"]
}
}
}

rule {
# Log4j vulnerability
action = "deny(403)"
priority = "1"
description = "CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)"
match {
expr {
expression = "evaluatePreconfiguredExpr('cve-canary')"
}
}
}
}

resource "google_iap_client" "atlantis" {
display_name = "iap-client"
brand = local.google_iap_brand_name
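Review bot: The allow rule matches `inIpRange(origin.ip, '192.168.0.0/16')`, but `origin.ip` at an external load balancer is the client's public address, and 192.168.0.0/16 is an RFC 1918 range that can never appear there. As written, the allow rule never fires and only the `priority = "2147483647"` deny applies, so anyone who copies this example without editing gets a 403 on the UI with no hint why. Suggest moving the range into a clearly named local or variable (for example a hypothetical `local.iap_allowed_cidrs`) with a comment such as "replace with your VPN/office public egress ranges", and having the description say so rather than "example range". Two smaller points in the same hunk: the rules are not listed in priority order (the `priority = "1"` Log4j rule comes after the catch-all deny), which makes the effective evaluation order harder to read, and `priority` is given as quoted strings (`"2"`, `"1"`) where a numeric value is the idiomatic form.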
1 change: 1 addition & 0 deletions main.tf
@@ -332,6 +332,7 @@ resource "google_compute_backend_service" "iap" {
connection_draining_timeout_sec = 5
load_balancing_scheme = "EXTERNAL_MANAGED"
health_checks = [google_compute_health_check.default.id]
security_policy = var.iap_backend_security_policy

log_config {
enable = true
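Review bot: `security_policy = var.iap_backend_security_policy` attaches the policy through the backend service's `security_policy` argument, which is the backend-type Cloud Armor attachment (edge policies use the separate `edge_security_policy` argument), so the variable documentation should say the policy must be a backend security policy. The variable description calls the value a "name" while the example passes `google_compute_security_policy.atlantis_iap.name`; stating in the description which form is expected (name versus self link) avoids users guessing, and it keeps this input consistent with the `default_backend_security_policy` input it mirrors.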
6 changes: 6 additions & 0 deletions variables.tf
@@ -175,3 +175,9 @@ variable "default_backend_security_policy" {
description = "Name of the security policy to apply to the default backend service"
default = null
}

variable "iap_backend_security_policy" {
type = string
description = "Name of the security policy to apply to the IAP backend service"
default = null
}

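Review bot: The new `iap_backend_security_policy` variable mirrors `default_backend_security_policy` above it, but its description does not say that it only has an effect when `iap` is configured; the IAP backend service is only created in that case, so a user who sets this without `iap` gets no policy and no error. Suggest extending the description to "Name of the security policy to apply to the IAP backend service. Only used when `iap` is set." so the generated README row carries the same caveat.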
0 comments on commit 0bc790d