From 99f9bfe7eb4f358d4efbd1f8660ddbe14b90e932 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki <77694243+renato-rudnicki@users.noreply.github.com> Date: Fri, 16 Jun 2023 17:36:45 -0300 Subject: [PATCH] feat: Adding Secure Web Proxy to examples (#43) Co-authored-by: Amanda Karina Lopes de Oliveira Co-authored-by: Samir-Cit Co-authored-by: Samir Ribeiro <42391123+Samir-Cit@users.noreply.github.com> Co-authored-by: Grant Sorbo --- build/int.cloudbuild.yaml | 38 ++- .../README.md | 158 ++++++++++++ .../functions/bq-to-cf/main.go | 14 +- .../main.tf | 113 ++++++++- .../versions.tf | 2 +- .../README.md | 169 +++++++++++++ .../function/go.mod | 5 + .../function/main.go | 65 +++++ .../internal_server.tf | 107 ++++++++ .../main.tf | 236 ++++++++++++++++++ .../outputs.tf | 94 +++++++ .../providers.tf | 25 ++ .../variables.tf | 70 ++++++ .../versions.tf | 29 +++ .../web_server/internal_server_setup.sh | 52 ++++ .../functions/cf-to-sql/main.go | 3 + .../secure_cloud_function_with_sql/main.tf | 122 ++++++++- helpers/generate_swp_certificate.sh | 38 +++ modules/secure-cloud-function-core/README.md | 1 + modules/secure-cloud-function-core/main.tf | 9 +- .../secure-cloud-function-core/variables.tf | 6 +- modules/secure-cloud-function/README.md | 1 + modules/secure-cloud-function/main.tf | 3 +- modules/secure-cloud-function/variables.tf | 5 + test/install_build_dependencies.sh | 18 ++ .../cloud_function2_bigquery_trigger_test.go | 89 ++++++- .../cloud_function_internal_server_test.go | 117 +++++++++ .../secure_cloud_function_with_sql_test.go | 13 +- test/setup/iam.tf | 5 +- test/setup/main.tf | 12 +- test/setup/outputs.tf | 8 +- 31 files changed, 1577 insertions(+), 50 deletions(-) create mode 100644 examples/secure_cloud_function_bigquery_trigger/README.md create mode 100644 examples/secure_cloud_function_internal_server/README.md create mode 100644 examples/secure_cloud_function_internal_server/function/go.mod create mode 100644 examples/secure_cloud_function_internal_server/function/main.go create mode 100644 examples/secure_cloud_function_internal_server/internal_server.tf create mode 100644 examples/secure_cloud_function_internal_server/main.tf create mode 100644 examples/secure_cloud_function_internal_server/outputs.tf create mode 100644 examples/secure_cloud_function_internal_server/providers.tf create mode 100644 examples/secure_cloud_function_internal_server/variables.tf create mode 100644 examples/secure_cloud_function_internal_server/versions.tf create mode 100755 examples/secure_cloud_function_internal_server/web_server/internal_server_setup.sh create mode 100755 helpers/generate_swp_certificate.sh create mode 100755 test/install_build_dependencies.sh create mode 100644 test/integration/secure_cloud_function_internal_server/cloud_function_internal_server_test.go diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 166afb83..f1ac7932 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -27,7 +27,6 @@ steps: args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - prepare @@ -47,17 +46,15 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestGCF2GCSSource --stage teardown --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - cloud-func-gcs-source-verify - id: secure-cloud-func-sql-apply name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestGCF2CloudSQL --stage apply --verbose'] + args: ['/bin/bash', '-c', './test/install_build_dependencies.sh && cft test run TestGCF2CloudSQL --stage apply --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - cloud-func-init @@ -66,7 +63,6 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestGCF2CloudSQL --stage verify --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - secure-cloud-func-sql-apply @@ -75,11 +71,35 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestGCF2CloudSQL --stage teardown --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - secure-cloud-func-sql-verify +- id: secure-cloud-func-internal-server-apply + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', './test/install_build_dependencies.sh && cft test run TestCFInternalServer --stage apply --verbose'] + env: + - 'TF_VAR_org_id=$_ORG_ID' + - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + waitFor: + - cloud-func-init +- id: secure-cloud-func-internal-server-verify + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestCFInternalServer --stage verify --verbose'] + env: + - 'TF_VAR_org_id=$_ORG_ID' + - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + waitFor: + - secure-cloud-func-internal-server-apply +- id: secure-cloud-func-internal-server-teardown + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestCFInternalServer --stage teardown --verbose'] + env: + - 'TF_VAR_org_id=$_ORG_ID' + - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + waitFor: + - secure-cloud-func-internal-server-verify + - id: cloud-func-pubsub-trigger-apply name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestGCF2PubSubTrigger --stage apply --verbose'] @@ -95,17 +115,15 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestGCF2PubSubTrigger --stage teardown --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - cloud-func-pubsub-trigger-verify - id: secure-cloud-func-bigquery-apply name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestGCF2BigqueryTrigger --stage apply --verbose'] + args: ['/bin/bash', '-c', './test/install_build_dependencies.sh && cft test run TestGCF2BigqueryTrigger --stage apply --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - cloud-func-init @@ -114,7 +132,6 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestGCF2BigqueryTrigger --stage verify --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - secure-cloud-func-bigquery-apply @@ -123,7 +140,6 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestGCF2BigqueryTrigger --stage teardown --verbose'] env: - 'TF_VAR_org_id=$_ORG_ID' - - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' waitFor: - secure-cloud-func-bigquery-verify diff --git a/examples/secure_cloud_function_bigquery_trigger/README.md b/examples/secure_cloud_function_bigquery_trigger/README.md new file mode 100644 index 00000000..143d6bbf --- /dev/null +++ b/examples/secure_cloud_function_bigquery_trigger/README.md @@ -0,0 +1,158 @@ +# Secure Cloud Function Triggered by BigQuery + +This examples shows how trigger Secure Cloud Function (2nd Gen) by BigQuery. + +The resources and services that this example will create or enable are: + +* The **secure-serverless-harness** module will: + * Create a Security Project with the following APIS enabled: + * Cloud KMS API: `cloudkms.googleapis.com` + * Create a Cloud Function project with the following APIS enabled: + * Google VPC Access API: `vpcaccess.googleapis.com` + * Compute API: `compute.googleapis.com` + * Container Registry API: `container.googleapis.com` + * Cloud Function API: `run.googleapis.com` + * Create a Shared VPC Project with: + * A Shared Network + * A firewall rule to deny all egress traffic + * A firewall rule to allow Internal APIs traffic + * A configured Private Connect + * And the following APIs enabled: + * Google VPC Access API: `vpcaccess.googleapis.com` + * Compute API: `compute.googleapis.com` + +* The **secure-serverless-network** module will: + * Create the following Firewall rules on the **Shared VPC Project**. + * Serverless to VPC Connector + * VPC Connector to Serverless + * VPC Connector Health Checks + * Create a a sub network to VPC Connector usage purpose. + * Create a Serverless Connector on the **Shared VPC Project** or **Serverless Project**. Refer to the following comparison to choose where to create Serverless Connector: + * Advantages of creating connectors in the [Shared VPC Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#host-project) + * Advantages of creating connectors in the [Serverless Project](https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#service-projects) + * Grant the necessary roles for the Cloud Function to be able to use the VPC Connector on the Shared VPC if creating the VPC Connector in the host project: + * Grant Network User role to the [Google API Service Agent](https://cloud.google.com/compute/docs/access/service-accounts#google_apis_service_agent) service account. + * Grant VPC Access User to the [Google Cloud Functions Service Agent](https://cloud.google.com/functions/docs/concepts/iam#access_control_for_service_accounts) when deploying VPC Access. + +* The **secure-web-proxy** module will: + * Create a sub network for Regional Managed Proxy purpose + * Create the following Firewall rule on the **Shared VPC Project**: + * Cloud Build to Secure Web Proxy + * Create a VPC peering for the Shared VPC Network with: + * A Compute Global Address + * A Service Networking Connection + * Upload a example generated self-signed certificate to Certificate Manager + * Create a Gateway Security Policy with: + * A Gateway Security Policy Rule + * A Security URL Lists resource + * Create the Secure Web Proxy/Gateway (SWP/SWG) instance + +* The **secure-cloud-serverless-security** module will: + * Create KMS Keyring and Key for [customer managed encryption keys](https://cloud.google.com/run/docs/securing/using-cmek) in the **KMS Project** to be used by Cloud Function (2nd Gen) + * Enable the following Organization Policies related to Cloud Function (2nd Gen) in the **Serverless Project**: + * Allowed ingress settings - Allow HTTP traffic from private VPC sources and through GCLB. + * Allowed VPC Connector egress settings - Force the use of VPC Access Connector for all egress traffic from the function. + * Grant the following roles if groups emails are provided: + * **Serverless Administrator** group on the Service Project: + * Cloud Run Admin: `roles/run.admin` + * Cloud Functions Admin: `roles/cloudfunctions.admin` + * Network Viewer: `roles/compute.networkViewer` + * Network User: `roles/compute.networkUser` + * **Servervless Security Administrator** group on the Security project: + * Cloud Functions Viewer: `roles/cloudfunctions.viewer` + * Cloud Frun Viewer: `roles/run.viewer` + * Cloud KMS Viewer: `roles/cloudkms.viewer` + * Artifact Registry Reader: `roles/artifactregistry.reader` + * **Cloud Function (2nd Gen) developer** group on the Security project: + * Cloud Functions Developer: `roles/cloudfunctions.developer` + * Artifact Registry Writer: `roles/artifactregistry.writer` + * Cloud KMS CryptoKey Encrypter: `roles/cloudkms.cryptoKeyEncrypter` + * **Cloud Function (2nd Gen) user** group on the Service project: + * Cloud Functions Invoker: `roles/cloudfunctions.invoker` + +* The **secure-cloud-function-core** module will: + * Create a Cloud Function (2nd Gen) + * Create the Cloud Function source bucket in the same location as the Cloud Function + * Configure the EventArc Google Channel to use Customer Encryption Key in the Cloud Function location + * **Warning:** If there is another CMEK configured for the same region, it will be overwritten + * Create a private worker pool for Cloud Build configured to not use External IP + * Grant Cloud Functions Invoker to the [EventArc Trigger Service Account](https://cloud.google.com/functions/docs/calling/eventarc#trigger-identity) + * Enable [Container Registry Automatic Scanning](https://cloud.google.com/artifact-registry/docs/analysis) + +* In addition to all the secure-cloud-function resources created, this example will also create:: + * BigQuery Dataset + * BigQuery Table + * Storage Bucket to store Cloud Function source Code + * KMS Keys to be used by: + * Pub/Sub Topic + * BigQuery Dataset and Table + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. This variable must be provided if `create_access_context_manager_access_policy` is set to `false` | `number` | `null` | no | +| access\_level\_members | The list of members who will be in the access level. | `list(string)` | n/a | yes | +| billing\_account | The ID of the billing account to associate this project with. | `string` | n/a | yes | +| create\_access\_context\_manager\_access\_policy | Defines if Access Context Manager will be created by Terraform. If set to `false`, you must provide `access_context_manager_policy_id`. More information about Access Context Manager creation in [this documentation](https://cloud.google.com/access-context-manager/docs/create-access-level). | `bool` | n/a | yes | +| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | +| folder\_id | The ID of a folder to host the infrastructure created in this example. | `string` | `""` | no | +| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | +| org\_id | The organization ID. | `string` | n/a | yes | +| terraform\_service\_account | The e-mail of the service account who will impersionate when creating infrastructure. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| bigquery\_kms\_key | KMS Key used in the Bigquery dataset. | +| cloud\_function\_name | The service account email created to be used by Cloud Function. | +| cloudfunction\_bucket | The Cloud Function source bucket. | +| cloudfunction\_bucket\_name | Name of the Cloud Function source bucket. | +| cloudfunction\_url | The URL on which the deployed service is available. | +| connector\_id | VPC serverless connector ID. | +| network\_project\_id | The network project id. | +| restricted\_access\_level\_name | Access level name. | +| restricted\_service\_perimeter\_name | Service Perimeter name. | +| security\_project\_id | The security project id. | +| security\_project\_number | The security project number. | +| serverless\_project\_id | The serverless project id. | +| serverless\_project\_number | The serverless project number. | +| service\_account\_email | The service account email created to be used by Cloud Function. | +| service\_vpc\_name | The Network self-link created in harness. | +| service\_vpc\_self\_link | The Network self-link created in harness. | +| service\_vpc\_subnet\_name | The sub-network name created in harness. | +| table\_id | Bigquery table name. | + + + +## Requirements + +### Software + +The following dependencies must be available: + +* [Terraform](https://www.terraform.io/downloads.html) >= 1.3 +* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) < 5.0 +* [Google Cloud SDK CLI](https://cloud.google.com/sdk/docs/install) > 428.0.0 + +### APIs +#TODO: Fill with APIs needed on SA project + +### Service Account + +A service account with the following roles must be used to provision +the resources of this module: + +* Shared VPC Project +* Organization Level + * Access Context Manager Admin: `roles/accesscontextmanager.policyAdmin` + * Organization Policy Admin: `roles/orgpolicy.policyAdmin` +* Folder Level: + * Folder Admin: `roles/resourcemanager.folderAdmin` + * Project Creator: `roles/resourcemanager.projectCreator` + * Project Deleter: `roles/resourcemanager.projectDeleter` + * Compute Shared VPC Admin: `roles/compute.xpnAdmin` +* Billing: + * Billing User: `roles/billing.user` diff --git a/examples/secure_cloud_function_bigquery_trigger/functions/bq-to-cf/main.go b/examples/secure_cloud_function_bigquery_trigger/functions/bq-to-cf/main.go index 9fb2d805..33875f99 100644 --- a/examples/secure_cloud_function_bigquery_trigger/functions/bq-to-cf/main.go +++ b/examples/secure_cloud_function_bigquery_trigger/functions/bq-to-cf/main.go @@ -61,14 +61,14 @@ func helloPubSub(ctx context.Context, e event.Event) error { log.Printf("Error listing compute regions: %s.", err.Error()) fmt.Errorf(err.Error()) } - log.Println("Regions: %v!\n", regions) + log.Printf("Regions: %v!\n", regions) buckets, err := listBuckets() if err != nil { log.Printf("Error listing project buckets: %s.", err.Error()) fmt.Errorf(err.Error()) } - log.Println("Buckets: %v!\n", buckets) + log.Printf("Buckets: %v!\n", buckets) return nil } @@ -79,7 +79,7 @@ func helloPubSub(ctx context.Context, e event.Event) error { func listBuckets() ([]string, error) { projectID := os.Getenv("PROJECT_ID") ctx := context.Background() - log.Println("Creating Client for Storage.") + log.Printf("Creating Client for Storage.") client, err := storage.NewClient(ctx) if err != nil { return nil, fmt.Errorf("storage.NewClient: %v", err) @@ -90,7 +90,7 @@ func listBuckets() ([]string, error) { defer cancel() var buckets []string - log.Println("Getting buckets in project.") + log.Printf("Getting buckets in project.") it := client.Buckets(ctx, projectID) for { battrs, err := it.Next() @@ -108,13 +108,13 @@ func listBuckets() ([]string, error) { func listComputeRegions() ([]string, error) { ctx := context.Background() - log.Println("Creating Default Client for Compute client.") + log.Printf("Creating Default Client for Compute client.") c, err := google.DefaultClient(ctx) if err != nil { log.Fatal(err) } - log.Println("Creating service for Compute client.") + log.Printf("Creating service for Compute client.") computeService, err := compute.New(c) if err != nil { log.Fatal(err) @@ -123,7 +123,7 @@ func listComputeRegions() ([]string, error) { // Project ID for this request. project := os.Getenv("PROJECT_ID") var regions []string - log.Println("Getting compute regions.") + log.Printf("Getting compute regions.") req := computeService.Regions.List(project) if err := req.Pages(ctx, func(page *compute.RegionList) error { for _, region := range page.Items { diff --git a/examples/secure_cloud_function_bigquery_trigger/main.tf b/examples/secure_cloud_function_bigquery_trigger/main.tf index 0ae9de28..78a75359 100644 --- a/examples/secure_cloud_function_bigquery_trigger/main.tf +++ b/examples/secure_cloud_function_bigquery_trigger/main.tf @@ -21,7 +21,9 @@ locals { repository_name = "rep-secure-cloud-function" table_name = "tbl_test" kms_bigquery = "key-secure-bigquery" + subnet_ip = "10.0.0.0/28" } + resource "random_id" "random_folder_suffix" { byte_length = 2 } @@ -40,11 +42,11 @@ module "secure_harness" { region = local.region location = local.location vpc_name = "vpc-secure-cloud-function" - subnet_ip = "10.0.0.0/28" + subnet_ip = local.subnet_ip private_service_connect_ip = "10.3.0.5" create_access_context_manager_access_policy = var.create_access_context_manager_access_policy access_context_manager_policy_id = var.access_context_manager_policy_id - access_level_members = var.access_level_members + access_level_members = distinct(concat(var.access_level_members, ["serviceAccount:${var.terraform_service_account}"])) key_name = "key-secure-artifact-registry" keyring_name = "krg-secure-artifact-registry" prevent_destroy = false @@ -59,6 +61,20 @@ module "secure_harness" { "prj-secure-cloud-function" = ["roles/eventarc.eventReceiver", "roles/viewer", "roles/compute.networkViewer", "roles/run.invoker"] } + network_project_extra_apis = ["networksecurity.googleapis.com"] + + serverless_project_extra_apis = { + "prj-secure-cloud-function" = ["networksecurity.googleapis.com"] + } +} + +resource "google_project_service" "network_project_apis" { + for_each = toset(["networkservices.googleapis.com", "certificatemanager.googleapis.com"]) + project = module.secure_harness.network_project_id[0] + service = each.value + disable_on_destroy = false + + depends_on = [module.secure_harness] } data "archive_file" "cf_bigquery_source" { @@ -144,6 +160,85 @@ module "bigquery" { ] } +resource "null_resource" "generate_certificate" { + triggers = { + project_id = module.secure_harness.network_project_id[0] + region = local.region + } + + provisioner "local-exec" { + when = create + command = < +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. This variable must be provided if `create_access_context_manager_access_policy` is set to `false` | `number` | `null` | no | +| access\_level\_members | The list of members who will be in the access level. | `list(string)` | n/a | yes | +| billing\_account | The ID of the billing account to associate this project with. | `string` | n/a | yes | +| create\_access\_context\_manager\_access\_policy | Defines if Access Context Manager will be created by Terraform. If set to `false`, you must provide `access_context_manager_policy_id`. More information about Access Context Manager creation in [this documentation](https://cloud.google.com/access-context-manager/docs/create-access-level). | `bool` | n/a | yes | +| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | +| folder\_id | The ID of a folder to host the infrastructure created in this example. | `string` | `""` | no | +| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | +| org\_id | The organization ID. | `string` | n/a | yes | +| terraform\_service\_account | The e-mail of the service account who will impersionate when creating infrastructure. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| cloud\_function\_name | The service account email created to be used by Cloud Function. | +| cloudfunction\_bucket | The Cloud Function source bucket. | +| cloudfunction\_bucket\_name | Name of the Cloud Function source bucket. | +| cloudfunction\_url | The URL on which the deployed service is available. | +| connector\_id | VPC serverless connector ID. | +| network\_project\_id | The network project id. | +| restricted\_access\_level\_name | Access level name. | +| restricted\_service\_perimeter\_name | Service Perimeter name. | +| security\_project\_id | The security project id. | +| security\_project\_number | The security project number. | +| serverless\_project\_id | The serverless project id. | +| serverless\_project\_number | The serverless project number. | +| service\_account\_email | The service account email created to be used by Cloud Function. | +| service\_vpc\_name | The Network self-link created in harness. | +| service\_vpc\_self\_link | The Network self-link created in harness. | +| service\_vpc\_subnet\_name | The sub-network name created in harness. | + + +## Requirements + +### Software + +The following dependencies must be available: + +* [Terraform](https://www.terraform.io/downloads.html) >= 1.3 +* [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) < 5.0 + +### APIs + +The Secure Cloud Function Internal Server Example will enable the following APIs to the Serverless Project: + +* Google VPC Access API: `vpcaccess.googleapis.com` +* Compute API: `compute.googleapis.com` +* Container Registry API: `container.googleapis.com` +* Artifact Registry API: `artifactregistry.googleapis.com` +* Cloud Function API: `cloudfunctions.googleapis.com` +* Cloud Run API: `run.googleapis.com` +* Service Networking API: `servicenetworking.googleapis.com` +* Cloud KMS API: `cloudkms.googleapis.com` +* Container Scanning API: `containerscanning.googleapis.com` +* Eventarc API: `eventarc.googleapis.com` +* Eventarc Publishing API: `eventarcpublishing.googleapis.com` +* Cloud Build API: `cloudbuild.googleapis.com` + +The Secure Cloud Function with Internal Server Example will enable the following APIs to the VPC Project: + +* Google VPC Access API: `vpcaccess.googleapis.com` +* Compute API: `compute.googleapis.com` +* Service Networking API: `servicenetworking.googleapis.com` +* DNS API: `dns.googleapis.com` + +The Secure Cloud Function with Internal Server Example will enable the following APIs to the Security Project: + +* Cloud KMS API: `cloudkms.googleapis.com` +* Artifact Registry API: `artifactregistry.googleapis.com` + +### Service Account + +A service account with the following roles must be used to provision the resources of this module: + +* Organization Level + * Access Context Manager Admin: `roles/accesscontextmanager.policyAdmin` + * Organization Policy Admin: `roles/orgpolicy.policyAdmin` +* Folder Level: + * Folder Admin: `roles/resourcemanager.folderAdmin` + * Project Creator: `roles/resourcemanager.projectCreator` + * Project Deleter: `roles/resourcemanager.projectDeleter` + * Compute Shared VPC Admin: `roles/compute.xpnAdmin` +* Billing: + * Billing User: `roles/billing.user` diff --git a/examples/secure_cloud_function_internal_server/function/go.mod b/examples/secure_cloud_function_internal_server/function/go.mod new file mode 100644 index 00000000..2d275316 --- /dev/null +++ b/examples/secure_cloud_function_internal_server/function/go.mod @@ -0,0 +1,5 @@ +module example.com/module/helloworld + +require ( + github.com/GoogleCloudPlatform/functions-framework-go v1.6.1 +) diff --git a/examples/secure_cloud_function_internal_server/function/main.go b/examples/secure_cloud_function_internal_server/function/main.go new file mode 100644 index 00000000..5284e73a --- /dev/null +++ b/examples/secure_cloud_function_internal_server/function/main.go @@ -0,0 +1,65 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helloworld + +import ( + "fmt" + "io/ioutil" + "log" + "net/http" + "os" + + "github.com/GoogleCloudPlatform/functions-framework-go/functions" +) + +func init() { + functions.HTTP("helloHTTP", helloHTTP) +} + +func helloHTTP(w http.ResponseWriter, r *http.Request) { + ipAddress := os.Getenv("TARGET_IP") + if ipAddress == "" { + log.Println("TARGET_IP environment variable not set") + http.Error(w, "TARGET_IP not set", http.StatusInternalServerError) + return + } + + url := fmt.Sprintf("http://%s:8000/index.html", ipAddress) + + // Send GET request to the server + response, err := http.Get(url) + if err != nil { + log.Printf("Failed to send GET request: %s\n", err) + http.Error(w, "Failed to send GET request", http.StatusInternalServerError) + return + } + defer response.Body.Close() + + // Read the response body + content, err := ioutil.ReadAll(response.Body) + if err != nil { + log.Printf("Failed to read response body: %s\n", err) + http.Error(w, "Failed to read response body", http.StatusInternalServerError) + return + } + + // Log the content + log.Printf("Message returned from internal server: %s\n", string(content)) + + // Write the content to the response + w.Header().Set("Content-Type", "text/plain") + w.WriteHeader(http.StatusOK) + fmt.Fprint(w, string(content)) +} diff --git a/examples/secure_cloud_function_internal_server/internal_server.tf b/examples/secure_cloud_function_internal_server/internal_server.tf new file mode 100644 index 00000000..e9429c2b --- /dev/null +++ b/examples/secure_cloud_function_internal_server/internal_server.tf @@ -0,0 +1,107 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "google_project_service_identity" "compute_identity_sa" { + provider = google-beta + + project = module.secure_harness.serverless_project_ids[0] + service = "compute.googleapis.com" +} + +module "compute_service_account" { + source = "terraform-google-modules/service-accounts/google" + version = "~> 3.0" + project_id = module.secure_harness.serverless_project_ids[0] + names = ["sa-compute-instance"] +} + +resource "google_project_iam_member" "service_account_roles" { + project = module.secure_harness.serverless_project_ids[0] + member = "serviceAccount:${module.compute_service_account.email}" + role = "roles/compute.instanceAdmin.v1" + + depends_on = [module.compute_service_account] +} + +data "google_project" "serverless_project_id" { + project_id = module.secure_harness.serverless_project_ids[0] +} + +resource "google_service_account_iam_member" "service_account_user" { + service_account_id = module.compute_service_account.service_account.id + role = "roles/iam.serviceAccountUser" + member = "serviceAccount:service-${data.google_project.serverless_project_id.number}@compute-system.iam.gserviceaccount.com" + + depends_on = [google_project_iam_member.service_account_roles] +} + +resource "google_compute_instance" "internal_server" { + name = local.webserver_instance + project = module.secure_harness.serverless_project_ids[0] + zone = local.zone + machine_type = "e2-small" + can_ip_forward = true + + boot_disk { + initialize_params { + image = "debian-cloud/debian-11" + } + } + tags = ["https-server"] + metadata_startup_script = file("${abspath(path.module)}/web_server/internal_server_setup.sh") + + network_interface { + subnetwork = module.secure_harness.service_subnet[0] + network_ip = local.network_ip + subnetwork_project = module.secure_harness.network_project_id[0] + } + + service_account { + email = module.compute_service_account.email + scopes = ["cloud-platform"] + } + + depends_on = [ + google_service_account_iam_member.service_account_user, + module.secure_harness + ] +} + +module "internal_server_firewall_rule" { + source = "terraform-google-modules/network/google//modules/firewall-rules" + version = "~> 7.0" + project_id = module.secure_harness.network_project_id[0] + network_name = module.secure_harness.service_vpc[0].network.name + + rules = [{ + name = "fw-e-shared-restricted-internal-server" + description = "Allow Cloud Function to connect in Internal Server using the private IP" + direction = "EGRESS" + priority = 100 + + log_config = { + metadata = "INCLUDE_ALL_METADATA" + } + deny = [] + allow = [{ + protocol = "tcp" + ports = ["8000"] + }] + + ranges = ["10.0.0.0/28"] + target_tags = ["allow-google-apis", "vpc-connector"] + }] +} diff --git a/examples/secure_cloud_function_internal_server/main.tf b/examples/secure_cloud_function_internal_server/main.tf new file mode 100644 index 00000000..95c415e1 --- /dev/null +++ b/examples/secure_cloud_function_internal_server/main.tf @@ -0,0 +1,236 @@ +# /** +# * Copyright 2023 Google LLC +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ + +locals { + location = "us-west1" + region = "us-west1" + zone = "us-west1-b" + repository_name = "rep-secure-cloud-function" + network_ip = "10.0.0.3" + webserver_instance = "webserver" + subnet_ip = "10.0.0.0/28" +} +resource "random_id" "random_folder_suffix" { + byte_length = 2 +} + +module "secure_harness" { + source = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness" + version = "~> 0.8" + + billing_account = var.billing_account + security_project_name = "prj-security" + network_project_name = "prj-restricted-shared" + serverless_project_names = ["prj-secure-cloud-function"] + org_id = var.org_id + parent_folder_id = var.folder_id + serverless_folder_suffix = random_id.random_folder_suffix.hex + region = local.region + location = local.location + vpc_name = "vpc-secure-cloud-function" + subnet_ip = local.subnet_ip + private_service_connect_ip = "10.3.0.5" + create_access_context_manager_access_policy = var.create_access_context_manager_access_policy + access_context_manager_policy_id = var.access_context_manager_policy_id + access_level_members = distinct(concat(var.access_level_members, ["serviceAccount:${var.terraform_service_account}"])) + key_name = "key-secure-artifact-registry" + keyring_name = "krg-secure-artifact-registry" + prevent_destroy = false + artifact_registry_repository_name = local.repository_name + egress_policies = var.egress_policies + ingress_policies = var.ingress_policies + serverless_type = "CLOUD_FUNCTION" + use_shared_vpc = true + time_to_wait_vpc_sc_propagation = "660s" + + service_account_project_roles = { + "prj-secure-cloud-function" = [ + "roles/eventarc.eventReceiver", + "roles/viewer", + "roles/compute.networkViewer", + "roles/run.invoker" + ] + } + + network_project_extra_apis = [ + "networksecurity.googleapis.com" + ] + + serverless_project_extra_apis = { + "prj-secure-cloud-function" = [ + "networksecurity.googleapis.com" + ] + } +} + +resource "google_project_service" "network_project_apis" { + for_each = toset(["networkservices.googleapis.com", "certificatemanager.googleapis.com"]) + project = module.secure_harness.network_project_id[0] + service = each.value + disable_on_destroy = false + + depends_on = [module.secure_harness] +} + +data "archive_file" "cf-internal-server-source" { + type = "zip" + source_dir = "${path.module}/function" + output_path = "function/cloudfunction-${random_id.random_folder_suffix.hex}.zip" +} + +resource "google_storage_bucket_object" "function-source" { + source = data.archive_file.cf-internal-server-source.output_path + content_type = "application/zip" + + # Append to the MD5 checksum of the files's content + # to force the zip to be updated as soon as a change occurs + name = "src-${data.archive_file.cf-internal-server-source.output_md5}.zip" + bucket = module.secure_harness.cloudfunction_source_bucket[module.secure_harness.serverless_project_ids[0]].name + + depends_on = [ + data.archive_file.cf-internal-server-source + ] +} + +resource "null_resource" "generate_certificate" { + triggers = { + project_id = module.secure_harness.network_project_id[0] + region = local.region + } + + provisioner "local-exec" { + when = create + command = <object({
project_id = optional(string)
repo_name = string
branch_name = string
dir = optional(string)
tag_name = optional(string)
commit_sha = optional(string)
invert_regex = optional(bool, false)
}) | `null` | no | diff --git a/modules/secure-cloud-function-core/main.tf b/modules/secure-cloud-function-core/main.tf index 695ba38f..43151b4b 100644 --- a/modules/secure-cloud-function-core/main.tf +++ b/modules/secure-cloud-function-core/main.tf @@ -84,6 +84,10 @@ resource "google_cloudbuild_worker_pool" "pool" { machine_type = "e2-standard-8" no_external_ip = true } + network_config { + peered_network = var.network_id + } + } module "cloud_function" { @@ -102,13 +106,12 @@ module "cloud_function" { storage_source = var.storage_source service_config = var.service_config docker_repository = google_artifact_registry_repository.cloudfunction_repo.id - - ## THIS SHOULD BE UNCOMMENTED WHEN SECURE WEB PROXY IS READY, TO ALLOW THE PRIVATE POOL USAGE. - # worker_pool = google_cloudbuild_worker_pool.pool.id + worker_pool = google_cloudbuild_worker_pool.pool.id depends_on = [ module.cloudfunction_bucket, google_eventarc_google_channel_config.primary, + google_cloudbuild_worker_pool.pool, google_project_service.container_scanning_api, module.pubsub ] diff --git a/modules/secure-cloud-function-core/variables.tf b/modules/secure-cloud-function-core/variables.tf index 983b075e..382bc321 100644 --- a/modules/secure-cloud-function-core/variables.tf +++ b/modules/secure-cloud-function-core/variables.tf @@ -14,12 +14,16 @@ * limitations under the License. */ - variable "project_id" { description = "The project ID to deploy to." type = string } +variable "network_id" { + description = "VPC network ID which is going to be used to connect the WorkerPool." + type = string +} + variable "project_number" { description = "The project number to deploy to." type = number diff --git a/modules/secure-cloud-function/README.md b/modules/secure-cloud-function/README.md index 02a2c4cf..66fa0154 100644 --- a/modules/secure-cloud-function/README.md +++ b/modules/secure-cloud-function/README.md @@ -117,6 +117,7 @@ module "secure_cloud_run" { | location | The location where resources are going to be deployed. | `string` | n/a | yes | | max\_scale\_instances | Sets the maximum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). | `number` | `2` | no | | min\_scale\_instances | Sets the minimum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this [documentation](https://cloud.google.com/run/docs/about-instance-autoscaling). | `number` | `1` | no | +| network\_id | VPC network ID which is going to be used to connect the WorkerPool. | `string` | n/a | yes | | organization\_id | The organization ID to apply the policy to. | `string` | `""` | no | | policy\_for | Policy Root: set one of the following values to determine where the policy is applied. Possible values: ["project", "folder", "organization"]. | `string` | `"project"` | no | | prevent\_destroy | Set the `prevent_destroy` lifecycle attribute on the Cloud KMS key. | `bool` | `true` | no | diff --git a/modules/secure-cloud-function/main.tf b/modules/secure-cloud-function/main.tf index 4a0ef6b4..504bd0a7 100644 --- a/modules/secure-cloud-function/main.tf +++ b/modules/secure-cloud-function/main.tf @@ -17,7 +17,7 @@ module "cloud_serverless_network" { source = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-net" - version = "~> 0.7" + version = "~> 0.8" connector_name = var.connector_name subnet_name = var.subnet_name @@ -130,6 +130,7 @@ module "cloud_function_core" { encryption_key = module.cloud_function_security.key_self_link bucket_lifecycle_rules = var.bucket_lifecycle_rules bucket_cors = var.bucket_cors + network_id = var.network_id service_config = { max_instance_count = var.max_scale_instances diff --git a/modules/secure-cloud-function/variables.tf b/modules/secure-cloud-function/variables.tf index f945e8ac..f3a55163 100644 --- a/modules/secure-cloud-function/variables.tf +++ b/modules/secure-cloud-function/variables.tf @@ -35,6 +35,11 @@ variable "vpc_project_id" { type = string } +variable "network_id" { + description = "VPC network ID which is going to be used to connect the WorkerPool." + type = string +} + variable "key_name" { description = "The name of KMS Key to be created and used in Cloud Run." type = string diff --git a/test/install_build_dependencies.sh b/test/install_build_dependencies.sh new file mode 100755 index 00000000..7c01cb88 --- /dev/null +++ b/test/install_build_dependencies.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# OpenSSL is needed to generate a self-signed certificate +apk add --no-cache openssl diff --git a/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go b/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go index 83d124f4..924762ba 100644 --- a/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go +++ b/test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go @@ -57,9 +57,20 @@ func GetOrgACMPolicyID(t testing.TB, orgID string) string { func TestGCF2BigqueryTrigger(t *testing.T) { orgID := utils.ValFromEnv(t, "TF_VAR_org_id") policyID := GetOrgACMPolicyID(t, orgID) + createACM := false + vars := map[string]interface{}{ - "access_context_manager_policy_id": policyID, + "create_access_context_manager_access_policy": createACM, + "access_context_manager_policy_id": policyID, + } + + if policyID == "" { + createACM = true + vars = map[string]interface{}{ + "create_access_context_manager_access_policy": createACM, + } } + restrictedServices := []string{ "accessapproval.googleapis.com", "adsdatahub.googleapis.com", @@ -222,6 +233,13 @@ func TestGCF2BigqueryTrigger(t *testing.T) { assert.Equal(subnetName, subnet.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnetName)) assert.Equal(subNetRange, subnet.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subNetRange)) + // Sub-network Proxy test + subnetProxyName := fmt.Sprintf("sb-swp-%s", location) + subnetProxyRange := "10.129.0.0/23" + subnetProxy := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnetProxyName, location, networkProjectID) + assert.Equal(subnetProxyName, subnetProxy.Get("name").String(), fmt.Sprintf("Subnet %s should exist", subnetProxyName)) + assert.Equal(subnetProxyRange, subnetProxy.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnetProxyRange)) + // Firewall - Deny all egress test denyAllEgressName := "fw-e-shared-restricted-65535-e-d-all-all-all" denyAllEgressRule := gcloud.Runf(t, "compute firewall-rules describe %s --project %s", denyAllEgressName, networkProjectID) @@ -246,6 +264,21 @@ func TestGCF2BigqueryTrigger(t *testing.T) { assert.Equal(1, len(allowApiEgressRule.Get("allowed.0.ports").Array()), fmt.Sprintf("firewall rule %s should allow only one port", allowApiEgressName)) assert.Equal("443", allowApiEgressRule.Get("allowed.0.ports.0").String(), fmt.Sprintf("firewall rule %s should allow port 443", allowApiEgressName)) + // Firewall - Allow egress to Secure Web Proxy + allowSwpEgressName := "fw-allow-tcp-443-egress-to-secure-web-proxy" + swpRanges := []string{subnetProxyRange, subNetRange} + allowSwpEgressRule := gcloud.Runf(t, "compute firewall-rules describe %s --project %s", allowSwpEgressName, networkProjectID) + assert.Equal(allowSwpEgressName, allowSwpEgressRule.Get("name").String(), fmt.Sprintf("firewall rule %s should exist", allowSwpEgressName)) + assert.Equal("EGRESS", allowSwpEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", allowSwpEgressName)) + assert.True(allowSwpEgressRule.Get("logConfig.enable").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", allowSwpEgressName)) + assert.Equal(1, len(allowSwpEgressRule.Get("allowed").Array()), fmt.Sprintf("firewall rule %s should have only one allowed", allowSwpEgressName)) + assert.Equal(2, len(allowSwpEgressRule.Get("allowed.0").Map()), fmt.Sprintf("firewall rule %s should have only one protocol and ports", allowSwpEgressName)) + assert.Equal("tcp", allowSwpEgressRule.Get("allowed.0.IPProtocol").String(), fmt.Sprintf("firewall rule %s should allow tcp protocol", allowSwpEgressName)) + assert.Equal(1, len(allowSwpEgressRule.Get("allowed.0.ports").Array()), fmt.Sprintf("firewall rule %s should allow only one port", allowSwpEgressName)) + assert.Equal("443", allowSwpEgressRule.Get("allowed.0.ports.0").String(), fmt.Sprintf("firewall rule %s should allow port 443", allowSwpEgressName)) + firewallDestinationRanges := utils.GetResultStrSlice(allowSwpEgressRule.Get("destinationRanges").Array()) + assert.Subset(swpRanges, firewallDestinationRanges, fmt.Sprintf("firewall rule %s destination ranges should be %v", allowSwpEgressName, swpRanges)) + // VPC test connectorName := "con-secure-cloud-function" expectedSubnet := fmt.Sprintf("sb-restricted-%s", location) @@ -335,6 +368,60 @@ func TestGCF2BigqueryTrigger(t *testing.T) { assert.Equal(location, opDataset.Get("location").String(), fmt.Sprintf("Should have same location: %s", location)) assert.Equal(bqKmsKey, opDataset.Get("encryptionConfiguration.kmsKeyName").String(), fmt.Sprintf("Should have the KMS Key: %s", bqKmsKey)) + // Global Address test + // Networking Connection Peering test + opNetworkPeering := gcloud.Runf(t, "compute networks peerings list --network=%s --project=%s", networkName, networkProjectID).Array() + assert.Equal(1, len(opNetworkPeering), "Should have only one Network Peering.") + + // Gateway Security Policy test + opSwpPolicy := gcloud.Runf(t, "network-security gateway-security-policies list --location=%s --project=%s", location, networkProjectID).Array() + assert.Equal(1, len(opSwpPolicy), "Should have only one Gateway Security Policy") + + // URL lists test + swpUrlListValues := []string{ + "*google.com/go*", + "*github.com/GoogleCloudPlatform*", + "*github.com/cloudevents*", + "*golang.org/x*", + "*google.golang.org/*", + "*github.com/golang/*", + "*github.com/google/*", + "*github.com/googleapis/*", + "*github.com/json-iterator/go", + "*github.com/modern-go/concurrent", + "*github.com/modern-go/reflect2", + "*go.opencensus.io", + "*go.uber.org/atomic", + "*go.uber.org/multierr", + "*go.uber.org/zap", + } + opSwpUrlList := gcloud.Runf(t, "network-security url-lists list --location=%s --project=%s", location, networkProjectID).Array() + assert.Equal(1, len(opSwpUrlList), "Should have only one URL Lists") + urlLists := utils.GetResultStrSlice(opSwpUrlList[0].Get("values").Array()) + assert.Subset(swpUrlListValues, urlLists, fmt.Sprintf("Should have same URL Lists value: %v", swpUrlListValues)) + + // Gateway Security Policy Rule test + swpSessionMatcher := fmt.Sprintf("inUrlList(host(), 'projects/%s/locations/%s/urlLists/swp-url-lists')", networkProjectID, location) + opSwpPolicyRule := gcloud.Runf(t, "network-security gateway-security-policies rules list --gateway-security-policy swp-security-policy --location=%s --project=%s", location, networkProjectID).Array() + assert.Equal(1, len(opSwpPolicyRule), "Should have only one Gateway Security Policy Rule") + assert.Equal(swpSessionMatcher, opSwpPolicyRule[0].Get("sessionMatcher").String(), fmt.Sprintf("Should have same session matcher: %s", swpSessionMatcher)) + + // Secure Web Proxy test + swpName := fmt.Sprintf("projects/%s/locations/%s/gateways/secure-web-proxy", networkProjectID, location) + swpCertificate := fmt.Sprintf("projects/%s/locations/%s/certificates/swp-certificate", networkProjectID, location) + swpSecurityPolicy := fmt.Sprintf("projects/%s/locations/%s/gatewaySecurityPolicies/swp-security-policy", networkProjectID, location) + swpNetwork := fmt.Sprintf("projects/%s/global/networks/vpc-secure-cloud-function", networkProjectID) + swpSubnetwork := fmt.Sprintf("projects/%s/regions/%s/subnetworks/sb-restricted-%s", networkProjectID, location, location) + opSwpGateway := gcloud.Runf(t, "network-services gateways describe secure-web-proxy --location=%s --project=%s", location, networkProjectID) + assert.Equal(swpName, opSwpGateway.Get("name").String(), fmt.Sprintf("SWP name should be %s", swpName)) + assert.Equal("SECURE_WEB_GATEWAY", opSwpGateway.Get("type").String(), "SWP type should be SECURE_WEB_GATEWAY") + assert.Equal("10.0.0.10", opSwpGateway.Get("addresses").Array()[0].String(), "SWP first address should be 10.0.0.10") + assert.Equal("443", opSwpGateway.Get("ports").Array()[0].String(), "SWP ports should be 443") + assert.Equal(swpCertificate, opSwpGateway.Get("certificateUrls").Array()[0].String(), fmt.Sprintf("SWP certificate should be %s", swpCertificate)) + assert.Equal(swpSecurityPolicy, opSwpGateway.Get("gatewaySecurityPolicy").String(), fmt.Sprintf("SWP gateway security policy should be %s", swpSecurityPolicy)) + assert.Equal(swpNetwork, opSwpGateway.Get("network").String(), fmt.Sprintf("SWP network should be %s", swpNetwork)) + assert.Equal(swpSubnetwork, opSwpGateway.Get("subnetwork").String(), fmt.Sprintf("SWP subnetwork should be %s", swpSubnetwork)) + assert.Equal("samplescope", opSwpGateway.Get("scope").String(), "SWP scope should be samplescope") }) bqt.Test() } diff --git a/test/integration/secure_cloud_function_internal_server/cloud_function_internal_server_test.go b/test/integration/secure_cloud_function_internal_server/cloud_function_internal_server_test.go new file mode 100644 index 00000000..3f7fc472 --- /dev/null +++ b/test/integration/secure_cloud_function_internal_server/cloud_function_internal_server_test.go @@ -0,0 +1,117 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cloud_function_internal_server + +import ( + "fmt" + "strings" + "testing" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" + "github.com/stretchr/testify/assert" + "github.com/tidwall/gjson" +) + +type Protocols struct { + Protocol string + Ports []string +} + +func GetLastSplitElement(value string, sep string) string { + splitted := strings.Split(value, sep) + return splitted[len(splitted)-1] +} + +func GetResultFieldStrSlice(rs []gjson.Result, field string) []string { + s := make([]string, 0) + for _, r := range rs { + s = append(s, r.Get(field).String()) + } + return s +} + +// GetOrgACMPolicyID gets the Organization Access Context Manager Policy ID +func GetOrgACMPolicyID(t testing.TB, orgID string) string { + filter := fmt.Sprintf("parent:organizations/%s", orgID) + id := gcloud.Runf(t, "access-context-manager policies list --organization %s --filter %s --quiet", orgID, filter).Array() + if len(id) == 0 { + return "" + } + return GetLastSplitElement(id[0].Get("name").String(), "/") +} + +func TestCFInternalServer(t *testing.T) { + orgID := utils.ValFromEnv(t, "TF_VAR_org_id") + policyID := GetOrgACMPolicyID(t, orgID) + createACM := false + + vars := map[string]interface{}{ + "create_access_context_manager_access_policy": createACM, + "access_context_manager_policy_id": policyID, + } + + if policyID == "" { + createACM = true + vars = map[string]interface{}{ + "create_access_context_manager_access_policy": createACM, + } + } + + cft := tft.NewTFBlueprintTest(t, tft.WithVars(vars)) + + cft.DefineVerify(func(assert *assert.Assertions) { + + location := "us-west1" + networkProjectID := cft.GetStringOutput("network_project_id") + projectID := cft.GetStringOutput("serverless_project_id") + functionName := cft.GetStringOutput("cloud_function_name") + connectorID := cft.GetStringOutput("connector_id") + saEmail := cft.GetStringOutput("service_account_email") + + cf := gcloud.Runf(t, "functions describe %s --project %s --gen2 --region %s", functionName, projectID, location) + cfTrigger := cf.Get("eventTrigger.trigger") + assert.Equal("ACTIVE", cf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.") + assert.Equal(connectorID, cf.Get("serviceConfig.vpcConnector").String(), fmt.Sprintf("VPC Connector should be %s. Connector was not set.", connectorID)) + assert.Equal("ALL_TRAFFIC", cf.Get("serviceConfig.vpcConnectorEgressSettings").String(), "Egress setting should be ALL_TRAFFIC.") + assert.Equal("ALLOW_INTERNAL_AND_GCLB", cf.Get("serviceConfig.ingressSettings").String(), "Ingress setting should be ALLOW_INTERNAL_AND_GCLB.") + assert.Equal(saEmail, cf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", saEmail)) + assert.Equal("google.cloud.storage.object.v1.finalized", cf.Get("eventTrigger.eventType").String(), "Cloud Function EventType should be google.cloud.storage.object.v1.finalized.") + assert.NotNil(t, cfTrigger, "Trigger should exist.") + + gcloudArgsBucket := gcloud.WithCommonArgs([]string{"--project", projectID, "--json"}) + bucketName := cft.GetStringOutput("cloudfunction_bucket_name") + opBucket := gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s", bucketName), gcloudArgsBucket).Array() + assert.Equal(bucketName, opBucket[0].Get("metadata.name").String(), fmt.Sprintf("The bucket name should be %s.", bucketName)) + assert.True(opBucket[0].Exists(), "Bucket %s should exist.", bucketName) + + instanceName := "webserver" + instanceZone := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/zones/us-west1-b", projectID) + opInstance := gcloud.Runf(t, "compute instances describe %s --zone=us-west1-b --project=%s", instanceName, projectID) + assert.Equal(instanceName, opInstance.Get("name").String(), fmt.Sprintf("Instance name should be %s", instanceName)) + assert.Equal(instanceZone, opInstance.Get("zone").String(), fmt.Sprintf("Instance should be in zone %s", instanceZone)) + + denyAllEgressName := "fw-e-shared-restricted-internal-server" + denyAllEgressRule := gcloud.Runf(t, "compute firewall-rules describe %s --project %s", denyAllEgressName, networkProjectID) + assert.Equal(denyAllEgressName, denyAllEgressRule.Get("name").String(), fmt.Sprintf("firewall rule %s should exist", denyAllEgressName)) + assert.Equal("EGRESS", denyAllEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", denyAllEgressName)) + assert.True(denyAllEgressRule.Get("logConfig.enable").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", denyAllEgressName)) + assert.Equal("10.0.0.0/28", denyAllEgressRule.Get("destinationRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be 10.0.0.0/28", denyAllEgressName)) + assert.Equal("8000", denyAllEgressRule.Get("allowed.0.ports.0").String(), fmt.Sprintf("firewall rule %s should allow port 8000", denyAllEgressName)) + + }) + cft.Test() +} diff --git a/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go b/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go index fddd3fc0..8d3e6788 100644 --- a/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go +++ b/test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go @@ -43,9 +43,20 @@ func GetLastSplitElement(value string, sep string) string { func TestGCF2CloudSQL(t *testing.T) { orgID := utils.ValFromEnv(t, "TF_VAR_org_id") policyID := GetOrgACMPolicyID(t, orgID) + createACM := false + vars := map[string]interface{}{ - "access_context_manager_policy_id": policyID, + "create_access_context_manager_access_policy": createACM, + "access_context_manager_policy_id": policyID, + } + + if policyID == "" { + createACM = true + vars = map[string]interface{}{ + "create_access_context_manager_access_policy": createACM, + } } + cf2SQL := tft.NewTFBlueprintTest(t, tft.WithVars(vars)) cf2SQL.DefineVerify(func(assert *assert.Assertions) { diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 750424de..492faba3 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -17,7 +17,8 @@ locals { int_required_roles = [ "roles/owner", - "roles/iam.serviceAccountUser" + "roles/iam.serviceAccountUser", + "roles/certificatemanager.editor" ] folder_required_roles = [ @@ -51,7 +52,7 @@ resource "google_project_iam_member" "int_test" { resource "google_folder_iam_member" "folder_test" { count = length(local.folder_required_roles) - folder = "folders/${var.folder_id}" + folder = google_folder.ci-iam-folder.id role = local.folder_required_roles[count.index] member = "serviceAccount:${google_service_account.int_test.email}" } diff --git a/test/setup/main.tf b/test/setup/main.tf index 060d0145..c7de235c 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -14,6 +14,15 @@ * limitations under the License. */ +resource "random_id" "folder-rand" { + byte_length = 2 +} + +resource "google_folder" "ci-iam-folder" { + display_name = "ci-cloud-functions-${random_id.folder-rand.hex}" + parent = "folders/${var.folder_id}" +} + module "project" { source = "terraform-google-modules/project-factory/google" version = "~> 14.0" @@ -21,7 +30,7 @@ module "project" { name = "ci-cloud-functions" random_project_id = "true" org_id = var.org_id - folder_id = var.folder_id + folder_id = google_folder.ci-iam-folder.id billing_account = var.billing_account default_service_account = "keep" @@ -41,6 +50,7 @@ module "project" { "cloudbilling.googleapis.com", "cloudkms.googleapis.com", "bigquery.googleapis.com", + "certificatemanager.googleapis.com", "sql-component.googleapis.com", "sqladmin.googleapis.com", "servicenetworking.googleapis.com" diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index ca4966b4..4d7bf9e7 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -14,6 +14,10 @@ * limitations under the License. */ +output "folder_id" { + value = google_folder.ci-iam-folder.folder_id +} + output "project_id" { value = module.project.project_id } @@ -30,7 +34,3 @@ output "terraform_service_account" { output "access_level_members" { value = ["serviceAccount:${google_service_account.int_test.email}"] } - -output "create_access_context_manager_access_policy" { - value = false -}