Google Git
Sign in
third-party-mirror / terraform-provider-google / refs/heads/main / . / v6.2.0 / examples / cloud-armor / main.tf
blob: 762fde2ea2127c6bf69ec4664370c093fdd56cf1 [file] [log] [blame] [edit]
# Example for using Cloud Armor https://cloud.google.com/armor/
#
resource "random_id" "instance_id" {
byte_length = 4
}
# Configure the Google Cloud provider
provider "google" {
credentials = file(var.credentials_file_path)
project = var.project_name
region = var.region
zone = var.region_zone
}
# Set up a backend to be proxied to:
# A single instance in a pool running nginx with port 80 open will allow end to end network testing
resource "google_compute_instance" "cluster1" {
name = "armor-gce-${random_id.instance_id.hex}"
machine_type = "f1-micro"
boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
}
}
network_interface {
network = "default"
access_config {
# Ephemeral IP
}
}
metadata_startup_script = "sudo apt-get update; sudo apt-get install -yq nginx; sudo service nginx restart"
}
resource "google_compute_firewall" "cluster1" {
name = "armor-firewall"
network = "default"
allow {
protocol = "tcp"
ports = ["80", "43"]
}
}
resource "google_compute_instance_group" "webservers" {
name = "instance-group-all"
description = "An instance group for the single GCE instance"
instances = [
google_compute_instance.cluster1.self_link,
]
named_port {
name = "http"
port = "80"
}
}
resource "google_compute_target_pool" "example" {
name = "armor-pool"
instances = [
google_compute_instance.cluster1.self_link,
]
health_checks = [
google_compute_http_health_check.health.name,
]
}
resource "google_compute_http_health_check" "health" {
name = "armor-healthcheck"
request_path = "/"
check_interval_sec = 1
timeout_sec = 1
}
resource "google_compute_backend_service" "website" {
name = "armor-backend"
description = "Our company website"
port_name = "http"
protocol = "HTTP"
timeout_sec = 10
enable_cdn = false
backend {
group = google_compute_instance_group.webservers.self_link
}
security_policy = google_compute_security_policy.security-policy-1.self_link
health_checks = [google_compute_http_health_check.health.self_link]
}
# Cloud Armor Security policies
resource "google_compute_security_policy" "security-policy-1" {
name = "armor-security-policy"
description = "example security policy"
# Reject all traffic that hasn't been whitelisted.
rule {
action = "deny(403)"
priority = "2147483647"
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["*"]
}
}
description = "Default rule, higher priority overrides it"
}
# Whitelist traffic from certain ip address
rule {
action = "allow"
priority = "1000"
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = var.ip_white_list
}
}
description = "allow traffic from 192.0.2.0/24"
}
}
# Front end of the load balancer
resource "google_compute_global_forwarding_rule" "default" {
name = "armor-rule"
target = google_compute_target_http_proxy.default.self_link
port_range = "80"
}
resource "google_compute_target_http_proxy" "default" {
name = "armor-proxy"
url_map = google_compute_url_map.default.self_link
}
resource "google_compute_url_map" "default" {
name = "armor-url-map"
default_service = google_compute_backend_service.website.self_link
host_rule {
hosts = ["mysite.com"]
path_matcher = "allpaths"
}
path_matcher {
name = "allpaths"
default_service = google_compute_backend_service.website.self_link
path_rule {
paths = ["/*"]
service = google_compute_backend_service.website.self_link
}
}
}
output "ip" {
value = google_compute_global_forwarding_rule.default.ip_address
}