feat: added security profile rule support in network firewall policy (#602)

Author: imrannayer

Makefile

@@ -15,7 +15,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

build/int.cloudbuild.yaml

@@ -246,4 +246,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'

examples/global-network-firewall-policy/main.tf

@@ -23,7 +23,7 @@ data "google_project" "project" {
 }
 
 resource "random_string" "random_suffix" {
-  length  = 6
+  length  = 4
   special = false
   lower   = true
   upper   = false
@@ -39,6 +39,10 @@ resource "google_compute_network" "network_backup" {
   name    = "${local.prefix}-network-backup"
 }
 
+################################
+#          Tags                #
+################################
+
 resource "google_tags_tag_key" "tag_key" {
 
   description = "For keyname resources."
@@ -56,6 +60,10 @@ resource "google_tags_tag_value" "tag_value" {
   short_name  = "yes"
 }
 
+################################
+#          Address group       #
+################################
+
 resource "google_network_security_address_group" "networksecurity_address_group" {
   provider = google-beta
 
@@ -68,25 +76,32 @@ resource "google_network_security_address_group" "networksecurity_address_group"
   capacity    = 100
 }
 
+################################
+#          Service Account     #
+################################
+
 resource "google_service_account" "service_account" {
   project      = var.project_id
   account_id   = "${local.prefix}-fw-test-svc-acct"
   display_name = "${local.prefix} firewall policy test service account"
 }
 
 ################################
-#          VPC Spoke           #
+#          VPC                 #
 ################################
+
 module "vpc" {
   source  = "terraform-google-modules/network/google//modules/vpc"
   version = "~> 10.0"
 
   project_id   = var.project_id
   network_name = "global-sec-policy-test-vpc"
-
-  # shared_vpc_host = false
 }
 
+################################
+#          Mirroring           #
+################################
+
 resource "google_network_security_mirroring_deployment_group" "mirroring_deployment_group" {
   project                       = var.project_id
   mirroring_deployment_group_id = "${local.prefix}-mirroring-dg"
@@ -104,13 +119,11 @@ resource "google_network_security_mirroring_endpoint_group" "mirroring_endpoint_
   mirroring_deployment_group  = google_network_security_mirroring_deployment_group.mirroring_deployment_group.id
 }
 
-
 resource "google_network_security_security_profile" "security_profile" {
-  provider    = google-beta
-  name        = "${local.prefix}-security-profile"
-  parent      = "organizations/${var.org_id}"
-  description = "Security profile description"
-  type        = "CUSTOM_MIRRORING"
+  provider = google-beta
+  name     = "${local.prefix}-mirror-sp-${random_string.random_suffix.result}"
+  parent   = "organizations/${var.org_id}"
+  type     = "CUSTOM_MIRRORING"
 
   custom_mirroring_profile {
     mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.mirroring_endpoint_group.id
@@ -119,13 +132,33 @@ resource "google_network_security_security_profile" "security_profile" {
 
 resource "google_network_security_security_profile_group" "security_profile_group" {
   provider                 = google-beta
-  name                     = "${local.prefix}-sec-profile-group"
+  name                     = "${local.prefix}-mirror-spg-${random_string.random_suffix.result}"
   parent                   = "organizations/${var.org_id}"
-  description              = "Security profile group"
   custom_mirroring_profile = google_network_security_security_profile.security_profile.id
 }
 
+################################
+#          Threat              #
+################################
+
+resource "google_network_security_security_profile" "security_profile_1" {
+  provider = google-beta
+  name     = "${local.prefix}-threat-sp-${random_string.random_suffix.result}"
+  type     = "THREAT_PREVENTION"
+  parent   = "organizations/${var.org_id}"
+  location = "global"
+}
+
+resource "google_network_security_security_profile_group" "security_profile_group_1" {
+  provider                  = google-beta
+  name                      = "${local.prefix}-threat-spg-${random_string.random_suffix.result}"
+  parent                    = "organizations/${var.org_id}"
+  threat_prevention_profile = google_network_security_security_profile.security_profile_1.id
+}
 
+################################
+#      Firewall Policy         #
+################################
 
 module "firewal_policy" {
   source  = "terraform-google-modules/network/google//modules/network-firewall-policy"
@@ -259,16 +292,14 @@ module "firewal_policy" {
       }
     },
     {
-      is_mirroring            = true
-      priority                = "200"
-      direction               = "EGRESS"
-      action                  = "mirror"
-      rule_name               = "egress-200"
-      disabled                = false
-      description             = "test egress mirroring rule 200"
-      target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"]
+      is_mirroring = true
+      priority     = "200"
+      direction    = "EGRESS"
+      action       = "mirror"
+      rule_name    = "egress-200"
+      disabled     = false
+      description  = "test egress mirroring rule 200"
       match = {
-        src_ip_ranges  = ["0.0.0.0/0"]
         dest_ip_ranges = ["0.0.0.0/0"]
         layer4_configs = [
           {
@@ -279,6 +310,23 @@ module "firewal_policy" {
       }
       security_profile_group_id = google_network_security_security_profile_group.security_profile_group.id
     },
+    {
+      priority    = "300"
+      direction   = "EGRESS"
+      action      = "apply_security_profile_group"
+      rule_name   = "egress-300"
+      disabled    = false
+      description = "test egress threat prevention rule 300"
+      match = {
+        dest_ip_ranges = ["0.0.0.0/0"]
+        layer4_configs = [
+          {
+            ip_protocol = "tcp"
+          }
+        ]
+      }
+      security_profile_group_id = google_network_security_security_profile_group.security_profile_group_1.id
+    },
 
   ]
 
@@ -289,8 +337,9 @@ module "firewal_policy" {
 }
 
 module "firewal_policy_no_rule" {
-  source      = "terraform-google-modules/network/google//modules/network-firewall-policy"
-  version     = "~> 11.0"
+  source  = "terraform-google-modules/network/google//modules/network-firewall-policy"
+  version = "~> 11.0"
+
   project_id  = var.project_id
   policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}"
   description = "${local.prefix} test firewall policy without any rules"

examples/network_connectivity_center/main.tf

@@ -122,7 +122,7 @@ module "vpn_spoke_local_vpc" {
 
 module "remote_to_local_vpn" {
   source  = "terraform-google-modules/vpn/google//modules/vpn_ha"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   project_id       = var.project_id
   region           = var.vpn_region
@@ -160,7 +160,7 @@ module "remote_to_local_vpn" {
 
 module "local_to_remote_vpn" {
   source  = "terraform-google-modules/vpn/google//modules/vpn_ha"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   project_id       = var.project_id
   region           = var.vpn_region

modules/network-firewall-policy/main.tf

@@ -50,6 +50,8 @@ resource "google_compute_network_firewall_policy_rule" "rules" {
   firewall_policy         = google_compute_network_firewall_policy.fw_policy[0].name
   rule_name               = each.value.rule_name
   target_service_accounts = each.value.target_service_accounts
+  tls_inspect             = each.value.action == "apply_security_profile_group" ? lookup(each.value, "tls_inspect", null) : null
+  security_profile_group  = each.value.action == "apply_security_profile_group" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null
 
   ## targetSecureTag may not be set at the same time as targetServiceAccounts
   dynamic "target_secure_tags" {
@@ -107,8 +109,8 @@ resource "google_compute_network_firewall_policy_packet_mirroring_rule" "rules"
   disabled               = each.value.disabled
   firewall_policy        = google_compute_network_firewall_policy.fw_policy[0].name
   rule_name              = each.value.rule_name
-  tls_inspect            = lookup(each.value, "tls_inspect", null)
-  security_profile_group = "//networksecurity.googleapis.com/${each.value.security_profile_group_id}"
+  tls_inspect            = each.value.action == "mirror" ? lookup(each.value, "tls_inspect", null) : null
+  security_profile_group = each.value.action == "mirror" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null
 
   dynamic "target_secure_tags" {
     for_each = each.value.target_secure_tags == null ? [] : toset(each.value.target_secure_tags)
@@ -167,6 +169,8 @@ resource "google_compute_region_network_firewall_policy_rule" "rules" {
   firewall_policy         = google_compute_region_network_firewall_policy.fw_policy[0].name
   rule_name               = each.value.rule_name
   target_service_accounts = each.value.target_service_accounts
+  tls_inspect             = each.value.action == "apply_security_profile_group" ? lookup(each.value, "tls_inspect", null) : null
+  security_profile_group  = each.value.action == "apply_security_profile_group" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null
 
   ## targetSecureTag may not be set at the same time as targetServiceAccounts
   dynamic "target_secure_tags" {

modules/vpc-serverless-connector-beta/metadata.yaml

@@ -28,7 +28,7 @@ spec:
     version: 10.0.0
     actuationTool:
       flavor: Terraform
-      version: ">= 0.13.0"
+      version: ">= 1.3"
     description: {}
   content:
     examples:

modules/vpc-serverless-connector-beta/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.3"
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"

test/integration/global-network-firewall-policy/global_firewall_policy_test.go

@@ -146,6 +146,15 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) {
 			assert.Equal("tcp", sp104.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
 			layer4ConfigsPorts200 := sp104.Get("match.layer4Configs").Array()[0].Get("ports").Array()
 			assert.Equal(1, len(layer4ConfigsPorts200), "Rule3 should have the correct layer4Configs.ports count")
+
+			rule300 := gcloud.Runf(t, "compute network-firewall-policies rules describe 300 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId)
+			sp300 := rule300.Array()[0]
+			assert.Equal("apply_security_profile_group", sp300.Get("action").String(), "Rule300 action should be allow")
+			assert.Equal("egress-300", sp300.Get("ruleName").String(), "Rule300 ruleName should be egress-300")
+			assert.Equal("test egress threat prevention rule 300", sp300.Get("description").String(), "Rule300 has expected description")
+			assert.Equal("EGRESS", sp300.Get("direction").String(), "Rule300 direction should be EGRESS")
+			assert.Equal("0.0.0.0/0", sp300.Get("match.destIpRanges").Array()[0].String(), "has expected destIpRanges")
+			assert.Equal("tcp", sp300.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol")
 	})
 	fwp.Test()
 }

test/setup/main.tf

@@ -22,18 +22,21 @@ resource "random_string" "random_suffix" {
 }
 
 resource "google_folder" "folder1" {
-  display_name = "ci-network1-${random_string.random_suffix.result}"
-  parent       = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}"
+  display_name        = "ci-network1-${random_string.random_suffix.result}"
+  parent              = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}"
+  deletion_protection = false
 }
 
 resource "google_folder" "folder2" {
-  display_name = "ci-network2-${random_string.random_suffix.result}"
-  parent       = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}"
+  display_name        = "ci-network2-${random_string.random_suffix.result}"
+  parent              = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}"
+  deletion_protection = false
 }
 
 resource "google_folder" "folder3" {
-  display_name = "ci-network3-${random_string.random_suffix.result}"
-  parent       = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}"
+  display_name        = "ci-network3-${random_string.random_suffix.result}"
+  parent              = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}"
+  deletion_protection = false
 }
 
 module "project" {