diff --git a/Makefile b/Makefile index c49665d66..127b39141 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 9b42735f1..c07702dcc 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -246,4 +246,4 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index 2471e2001..c71429811 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -21,4 +21,4 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23' diff --git a/examples/global-network-firewall-policy/main.tf b/examples/global-network-firewall-policy/main.tf index 0dc57e9ef..5eb6a7cc2 100644 --- a/examples/global-network-firewall-policy/main.tf +++ b/examples/global-network-firewall-policy/main.tf @@ -23,7 +23,7 @@ data "google_project" "project" { } resource "random_string" "random_suffix" { - length = 6 + length = 4 special = false lower = true upper = false @@ -39,6 +39,10 @@ resource "google_compute_network" "network_backup" { name = "${local.prefix}-network-backup" } +################################ +# Tags # +################################ + resource "google_tags_tag_key" "tag_key" { description = "For keyname resources." 
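Review bot: Cutting `random_string.random_suffix` from `length = 6` to `length = 4` in the `@@ -23,7 +23,7 @@` hunk shrinks the name-uniqueness margin at the same time as this PR starts using the suffix in org-scoped names (the security profile and profile group names later in the diff), so a collision with a leftover resource from an earlier or concurrent CI run now fails the apply rather than being vanishingly unlikely. From the visible arguments the alphabet is lower-case letters plus digits unless `numeric` is disabled outside the hunk, i.e. at most 36^4 values versus 36^6 before. If the shortening is needed to stay under a name-length limit, say so, e.g. `length = 4 # kept short: suffix is embedded in org-level security profile names`; otherwise keep 6. The `random_string` block's remaining arguments are outside the hunk.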
@@ -56,6 +60,10 @@ resource "google_tags_tag_value" "tag_value" { short_name = "yes" } +################################ +# Address group # +################################ + resource "google_network_security_address_group" "networksecurity_address_group" { provider = google-beta @@ -68,6 +76,10 @@ resource "google_network_security_address_group" "networksecurity_address_group" capacity = 100 } +################################ +# Service Account # +################################ + resource "google_service_account" "service_account" { project = var.project_id account_id = "${local.prefix}-fw-test-svc-acct" @@ -75,18 +87,21 @@ resource "google_service_account" "service_account" { } ################################ -# VPC Spoke # +# VPC # ################################ + module "vpc" { source = "terraform-google-modules/network/google//modules/vpc" version = "~> 10.0" project_id = var.project_id network_name = "global-sec-policy-test-vpc" - - # shared_vpc_host = false } +################################ +# Mirroring # +################################ + resource "google_network_security_mirroring_deployment_group" "mirroring_deployment_group" { project = var.project_id mirroring_deployment_group_id = "${local.prefix}-mirroring-dg" 
@@ -104,13 +119,11 @@ resource "google_network_security_mirroring_endpoint_group" "mirroring_endpoint_ mirroring_deployment_group = google_network_security_mirroring_deployment_group.mirroring_deployment_group.id } - resource "google_network_security_security_profile" "security_profile" { - provider = google-beta - name = "${local.prefix}-security-profile" - parent = "organizations/${var.org_id}" - description = "Security profile description" - type = "CUSTOM_MIRRORING" + provider = google-beta + name = "${local.prefix}-mirror-sp-${random_string.random_suffix.result}" + parent = "organizations/${var.org_id}" + type = "CUSTOM_MIRRORING" custom_mirroring_profile { mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.mirroring_endpoint_group.id 
@@ -119,13 +132,33 @@ resource "google_network_security_security_profile" "security_profile" { resource "google_network_security_security_profile_group" "security_profile_group" { provider = google-beta - name = "${local.prefix}-sec-profile-group" + name = "${local.prefix}-mirror-spg-${random_string.random_suffix.result}" parent = "organizations/${var.org_id}" - description = "Security profile group" custom_mirroring_profile = google_network_security_security_profile.security_profile.id } +################################ +# Threat # +################################ + +resource "google_network_security_security_profile" "security_profile_1" { + provider = google-beta + name = "${local.prefix}-threat-sp-${random_string.random_suffix.result}" + type = "THREAT_PREVENTION" + parent = "organizations/${var.org_id}" + location = "global" +} + +resource "google_network_security_security_profile_group" "security_profile_group_1" { + provider = google-beta + name = "${local.prefix}-threat-spg-${random_string.random_suffix.result}" + parent = "organizations/${var.org_id}" + threat_prevention_profile = google_network_security_security_profile.security_profile_1.id +} +################################ +# Firewall Policy # +################################ module "firewal_policy" { source = "terraform-google-modules/network/google//modules/network-firewall-policy" @@ -259,16 +292,14 @@ module "firewal_policy" { } }, { - is_mirroring = true - priority = "200" - direction = "EGRESS" - action = "mirror" - rule_name = "egress-200" - disabled = false - description = "test egress mirroring rule 200" - target_service_accounts = ["fw-test-svc-acct@${var.project_id}.iam.gserviceaccount.com"] + is_mirroring = true + priority = "200" + direction = "EGRESS" + action = "mirror" + rule_name = "egress-200" + disabled = false + description = "test egress mirroring rule 200" match = { - src_ip_ranges = ["0.0.0.0/0"] dest_ip_ranges = ["0.0.0.0/0"] layer4_configs = [ { 
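Review bot: The new `# Firewall Policy #` banner in the `@@ -119,13 +132,33 @@` hunk is glued directly to the closing `}` of `security_profile_group_1`, unlike every other banner this PR adds (`Tags`, `Address group`, `Service Account`, `Mirroring`, `Threat`), which are preceded by a blank line; insert one so `terraform fmt`-style spacing stays consistent. Also, `security_profile_1` sets `location = "global"` while the `CUSTOM_MIRRORING` profile in the previous hunk does not; if the argument is only meaningful for `THREAT_PREVENTION`, a one-line comment such as `location = "global" # required for THREAT_PREVENTION profiles` would save the next reader from wondering whether the mirroring profile is missing it. Dropping the `description` arguments is fine but worth a word in the PR description, since it changes the examples' documented intent.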
@@ -279,6 +310,23 @@ module "firewal_policy" { } security_profile_group_id = google_network_security_security_profile_group.security_profile_group.id }, + { + priority = "300" + direction = "EGRESS" + action = "apply_security_profile_group" + rule_name = "egress-300" + disabled = false + description = "test egress threat prevention rule 300" + match = { + dest_ip_ranges = ["0.0.0.0/0"] + layer4_configs = [ + { + ip_protocol = "tcp" + } + ] + } + security_profile_group_id = google_network_security_security_profile_group.security_profile_group_1.id + }, ] @@ -289,8 +337,9 @@ module "firewal_policy" { } module "firewal_policy_no_rule" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 11.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 11.0" + project_id = var.project_id policy_name = "${local.prefix}-firewall-policy-no-rules-${random_string.random_suffix.result}" description = "${local.prefix} test firewall policy without any rules" diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf index f6345c8f1..3df0ce6d8 100644 --- a/examples/network_connectivity_center/main.tf +++ b/examples/network_connectivity_center/main.tf @@ -122,7 +122,7 @@ module "vpn_spoke_local_vpc" { module "remote_to_local_vpn" { source = "terraform-google-modules/vpn/google//modules/vpn_ha" - version = "~> 4.0" + version = "~> 5.0" project_id = var.project_id region = var.vpn_region @@ -160,7 +160,7 @@ module "remote_to_local_vpn" { module "local_to_remote_vpn" { source = "terraform-google-modules/vpn/google//modules/vpn_ha" - version = "~> 4.0" + version = "~> 5.0" project_id = var.project_id region = var.vpn_region diff --git a/modules/network-firewall-policy/main.tf b/modules/network-firewall-policy/main.tf index 5b3229bd4..d79e629f6 100644 --- a/modules/network-firewall-policy/main.tf +++ b/modules/network-firewall-policy/main.tf 
@@ -50,6 +50,8 @@ resource "google_compute_network_firewall_policy_rule" "rules" { firewall_policy = google_compute_network_firewall_policy.fw_policy[0].name rule_name = each.value.rule_name target_service_accounts = each.value.target_service_accounts + tls_inspect = each.value.action == "apply_security_profile_group" ? lookup(each.value, "tls_inspect", null) : null + security_profile_group = each.value.action == "apply_security_profile_group" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null ## targetSecureTag may not be set at the same time as targetServiceAccounts dynamic "target_secure_tags" { @@ -107,8 +109,8 @@ resource "google_compute_network_firewall_policy_packet_mirroring_rule" "rules" disabled = each.value.disabled firewall_policy = google_compute_network_firewall_policy.fw_policy[0].name rule_name = each.value.rule_name - tls_inspect = lookup(each.value, "tls_inspect", null) - security_profile_group = "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" + tls_inspect = each.value.action == "mirror" ? lookup(each.value, "tls_inspect", null) : null + security_profile_group = each.value.action == "mirror" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null dynamic "target_secure_tags" { for_each = each.value.target_secure_tags == null ? [] : toset(each.value.target_secure_tags) 
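Review bot: In the `@@ -50,6 +50,8 @@` hunk the new `security_profile_group` expression interpolates `each.value.security_profile_group_id` whenever `action == "apply_security_profile_group"`, so a rule that sets that action but omits the id fails at plan time with Terraform's generic "cannot include a null value in a string template" error instead of a message naming the rule; the same pattern is in the second hunk of this file (`action == "mirror"`) and in the regional resource at `@@ -167,6 +169,8 @@`. A `precondition` on each of the three resources makes the contract explicit (and keeps a profile-less "apply_security_profile_group" rule from ever reaching the API), provided the module's `required_version` permits custom conditions; the lifecycle block below is new, so merge it into any existing `lifecycle` block in the resource. The enclosing `resource "google_compute_network_firewall_policy_rule" "rules"` starts and ends outside the hunk.
```hcl
  security_profile_group = each.value.action == "apply_security_profile_group" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null

  # Fail early with a readable message instead of a null-interpolation error.
  lifecycle {
    precondition {
      condition     = each.value.action != "apply_security_profile_group" || try(each.value.security_profile_group_id, null) != null
      error_message = "security_profile_group_id must be set on every rule whose action is apply_security_profile_group."
    }
  }
  # … unchanged: target_secure_tags, match and remaining arguments …
```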
@@ -167,6 +169,8 @@ resource "google_compute_region_network_firewall_policy_rule" "rules" { firewall_policy = google_compute_region_network_firewall_policy.fw_policy[0].name rule_name = each.value.rule_name target_service_accounts = each.value.target_service_accounts + tls_inspect = each.value.action == "apply_security_profile_group" ? lookup(each.value, "tls_inspect", null) : null + security_profile_group = each.value.action == "apply_security_profile_group" ? "//networksecurity.googleapis.com/${each.value.security_profile_group_id}" : null ## targetSecureTag may not be set at the same time as targetServiceAccounts dynamic "target_secure_tags" { diff --git a/modules/vpc-serverless-connector-beta/metadata.yaml b/modules/vpc-serverless-connector-beta/metadata.yaml index 9a91598ec..094bac160 100644 --- a/modules/vpc-serverless-connector-beta/metadata.yaml +++ b/modules/vpc-serverless-connector-beta/metadata.yaml @@ -28,7 +28,7 @@ spec: version: 10.0.0 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: diff --git a/modules/vpc-serverless-connector-beta/versions.tf b/modules/vpc-serverless-connector-beta/versions.tf index 88da6049f..f66f7aa34 100644 --- a/modules/vpc-serverless-connector-beta/versions.tf +++ b/modules/vpc-serverless-connector-beta/versions.tf @@ -15,7 +15,7 @@ */ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3" required_providers { google-beta = { source = "hashicorp/google-beta" diff --git a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go index 6d075ccf0..24787e65f 100644 --- a/test/integration/global-network-firewall-policy/global_firewall_policy_test.go +++ b/test/integration/global-network-firewall-policy/global_firewall_policy_test.go 
@@ -146,6 +146,15 @@ func TestGlobalNetworkFirewallPolicy(t *testing.T) { assert.Equal("tcp", sp104.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol") layer4ConfigsPorts200 := sp104.Get("match.layer4Configs").Array()[0].Get("ports").Array() assert.Equal(1, len(layer4ConfigsPorts200), "Rule3 should have the correct layer4Configs.ports count") + + rule300 := gcloud.Runf(t, "compute network-firewall-policies rules describe 300 --global-firewall-policy --firewall-policy %s --project %s", policyName, projectId) + sp300 := rule300.Array()[0] + assert.Equal("apply_security_profile_group", sp300.Get("action").String(), "Rule300 action should be allow") + assert.Equal("egress-300", sp300.Get("ruleName").String(), "Rule300 ruleName should be egress-300") + assert.Equal("test egress threat prevention rule 300", sp300.Get("description").String(), "Rule300 has expected description") + assert.Equal("EGRESS", sp300.Get("direction").String(), "Rule300 direction should be EGRESS") + assert.Equal("0.0.0.0/0", sp300.Get("match.destIpRanges").Array()[0].String(), "has expected destIpRanges") + assert.Equal("tcp", sp300.Get("match.layer4Configs").Array()[0].Get("ipProtocol").String(), "has expected layer4Configs.ipProtocol") }) fwp.Test() } diff --git a/test/setup/main.tf b/test/setup/main.tf index ce15e77b1..3b5b07b8c 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
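Review bot: The failure message on the first `sp300` assertion contradicts its expected value: it checks for `"apply_security_profile_group"` but says `"Rule300 action should be allow"`, so a regression would print a misleading message; change it to `assert.Equal("apply_security_profile_group", sp300.Get("action").String(), "Rule300 action should be apply_security_profile_group")`. None of the new assertions verify that a security profile group was actually attached to rule 300, which is the behaviour the module change in `modules/network-firewall-policy/main.tf` introduces; adding a check on the describe output's security-profile-group field (presumably `securityProfileGroup`, confirm against the gcloud output) — at minimum that it is non-empty, ideally that it ends with the `security_profile_group_1` name — would catch the rule silently becoming a plain egress rule. `TestGlobalNetworkFirewallPolicy` starts outside the hunk.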
@@ -22,18 +22,21 @@ resource "random_string" "random_suffix" { } resource "google_folder" "folder1" { - display_name = "ci-network1-${random_string.random_suffix.result}" - parent = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}" + display_name = "ci-network1-${random_string.random_suffix.result}" + parent = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}" + deletion_protection = false } resource "google_folder" "folder2" { - display_name = "ci-network2-${random_string.random_suffix.result}" - parent = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}" + display_name = "ci-network2-${random_string.random_suffix.result}" + parent = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}" + deletion_protection = false } resource "google_folder" "folder3" { - display_name = "ci-network3-${random_string.random_suffix.result}" - parent = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}" + display_name = "ci-network3-${random_string.random_suffix.result}" + parent = var.folder_id != null ? "folders/${var.folder_id}" : "organizations/${var.org_id}" + deletion_protection = false } module "project" {