This module creates an auto-scaling instance group and a TCP load balancer in Google Cloud (GCP) for a Banyan Access Tier. A network load balancer forwards traffic to the instance group which, when added to the proper tags and banyan zero trust policies, allows for connections to internal services or to the network via service tunnel.
This module will create an access tier definition in the Banyan API, and an access_tier scoped API key. It will populate the launch configuration of all instances in the auto-scaling group with a short script to download the latest version of the Banyan NetAgent (or a pinned version if set), install it as a service, and launch the netagent with the API key and access tier configuration name for your Banyan organization.
In order to ease the installation and configuration of the access tier, the new netagent only needs an access tier scoped API key, Banyan API URL, and the name of an access tier configuration in order to successfully connect. In this new module the access tier is defined in the Banyan API with the banyan_accesstier resource from the banyan terraform provider. The API key is created specifically for the access tier and added to the launch configuration
terraform {
required_providers {
banyan = {
source = "banyansecurity/banyan"
version = "1.0.0"
}
}
}
provider "banyan" {
api_key = "ADMIN-SCOPE-API-KEY"
}
provider "google" {
project = "my-gcloud-project"
region = "us-west1"
}
module "gcp_accesstier" {
source = "banyansecurity/banyan-accesstier2/google"
name = "example"
project = "example-project"
region = "us-west1"
network = "us-west1"
subnetwork = "us-west1-external"
tags = ["allow-accesstier"]
tunnel_cidrs = ["10.10.0.0/24"]
}
This example will configure the Banyan terraform provider and the Google Cloud provider. It will then create an access tier
with a wildcard DNS record pointing to the address of the access tier. The access tier is configured with the tunnel CIDR of 10.10.0.0/16.
This corresponds to CIDR of the private network(s) (the entire VPC or individual subnets in Google Cloud). A service tunnel is configured
to use this access tier, with a policy which allows any user with a High trust level access to the service tunnel.
This policy could be narrowed down further using the access.l4_access attribute of the banyan_policy_tunnel resource.
This is an effective replacement of a VPN tunnel, which leverages the device trust, continuous authorization and SAML capabilities of Banyan.
terraform {
required_providers {
banyan = {
source = "banyansecurity/banyan"
version = "1.0.0"
}
}
}
provider "banyan" {
api_key = "ADMIN-SCOPE-API-KEY"
}
provider "google" {
project = "my-gcloud-project"
region = "us-west1"
}
module "gcp_accesstier" {
source = "banyansecurity/banyan-accesstier2/google"
name = "example"
project = "example-project"
region = "us-west1"
network = "us-west1"
subnetwork = "us-west1-external"
tags = ["allow-accesstier"]
tunnel_cidrs = ["10.10.0.0/16"]
}
resource "banyan_service_tunnel" "example" {
name = "example-anyone-high"
description = "tunnel allowing anyone with a high trust level"
access_tier = module.gcp_accesstier.name
policy = banyan_policy_infra.anyone-high.id
}
resource "banyan_policy_tunnel" "anyone-high" {
name = "allow-anyone-high-trust"
description = "${module.gcp_accesstier.name} allow"
access {
roles = ["ANY"]
trust_level = "High"
}
}
resource "google_dns_record_set" "frontend" {
name = "*.${module.gcp_accesstier.name}.mycompany.com"
type = "A"
ttl = 300
managed_zone = google_dns_managed_zone.prod.name
rrdatas = module.gcp_accesstier.address
}Set netagent_version to the desired version number. This will ensure all instances are pinned to the same version number. If netagent_version is not specified, each instance will automatically install the latest version.
-
The default value for
management_cidrleaves SSH closed to instances in the access tier. -
The current recommended setup for to use a banyan SSH service to SSH to a host inside the private network, which in turn has SSH access to the instances in the auto-scaling group. This way no SSH service is exposed to the internet.
| Name | Version |
|---|---|
| banyan | >=1.0.0 |
| Name | Version |
|---|---|
| banyan | >=1.0.0 |
| n/a |
No modules.
| Name | Type |
|---|---|
| banyan_accesstier.accesstier | resource |
| banyan_api_key.accesstier | resource |
| google_compute_address.external | resource |
| google_compute_firewall.accesstier_ports | resource |
| google_compute_firewall.accesstier_ports_tunnel | resource |
| google_compute_firewall.accesstier_ssh | resource |
| google_compute_firewall.healthcheck | resource |
| google_compute_forwarding_rule.accesstier | resource |
| google_compute_health_check.accesstier_health_check | resource |
| google_compute_instance_template.accesstier_template | resource |
| google_compute_region_autoscaler.accesstier | resource |
| google_compute_region_backend_service.accesstier | resource |
| google_compute_region_health_check.backend_service_loadbalancer_health_check | resource |
| google_compute_region_instance_group_manager.accesstier_rigm | resource |
| google_compute_image.accesstier_image | data source |
| google_compute_network.accesstier_network | data source |
| google_compute_subnetwork.accesstier_subnet | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Name to use when registering this Access Tier with the Banyan command center | string |
n/a | yes |
| network | Name of the network the Access Tier will belong to | string |
n/a | yes |
| project | GCloud project name where AccessTier is deployed | string |
n/a | yes |
| region | Region in which to create the Access Tier | string |
n/a | yes |
| subnetwork | Name of the subnetwork the Access Tier will belong to | string |
n/a | yes |
| banyan_host | URL to the Banyan API server | string |
"https://net.banyanops.com/" |
no |
| cluster | Name of an existing Shield cluster to register this Access Tier with. This value is set automatically if omitted from the configuration | string |
null |
no |
| console_log_level | Controls verbosity of logs to console. Must be one of "ERR", "WARN", "INFO", "DEBUG" | string |
null |
no |
| custom_user_data | Custom commands to append to the launch configuration initialization script. | list(string) |
[] |
no |
| datadog_api_key | API key for DataDog | string |
null |
no |
| disable_snat | Disable Source Network Address Translation (SNAT) | bool |
false |
no |
| enable_hsts | If enabled, Banyan will send the HTTP Strict-Transport-Security response header | bool |
null |
no |
| event_key_rate_limiting | Enable rate limiting of Access Event generated based on a derived “key” value. Each key has a separate rate limiter, and events with the same key value are subjected to the rate limiter for that key | bool |
null |
no |
| events_rate_limiting | Enable rate limiting of Access Event generation based on a credit-based rate control mechanism | bool |
null |
no |
| file_log | Whether to log to file or not | bool |
null |
no |
| file_log_level | Controls verbosity of logs to file. Must be one of "ERR", "WARN", "INFO", "DEBUG" | string |
null |
no |
| forward_trust_cookie | Forward the Banyan trust cookie to upstream servers. This may be enabled if upstream servers wish to make use of information in the Banyan trust cookie | bool |
null |
no |
| groups_by_userinfo | Derive groups information from userinfo endpoint | bool |
false |
no |
| log_num | For file logs: Number of files to use for log rotation | number |
null |
no |
| log_size | For file logs: Size of each file for log rotation | number |
null |
no |
| machine_type | Google compute instance types | string |
"e2-standard-4" |
no |
| management_cidrs | CIDR blocks to allow SSH connections from. Default is the VPC CIDR range | list(string) |
[] |
no |
| minimum_num_of_instances | The minimum number of instances that should be running | number |
2 |
no |
| netagent-version | Specific version of netagent | string |
null |
no |
| netagent_version | Override to use a specific version of netagent (e.g. 1.49.1). Omit for the latest version available |
string |
null |
no |
| redirect_http_to_https | If true, requests to the Access Tier on port 80 will be redirected to port 443 | bool |
false |
no |
| service_source_ip_ranges | List of ip ranges which will be allowed access through the firewall to the Access Tier | list(string) |
[ |
no |
| service_source_tags | List of network tags which will be allows access through the firewall to the Access Tier | list(string) |
[] |
no |
| src_nat_cidr_range | CIDR range which source Network Address Translation (SNAT) will be disabled for | string |
null |
no |
| statsd_address | Address to send statsd messages: “hostname:port” for UDP, “unix:///path/to/socket” for UDS | string |
null |
no |
| tags | Additional tags to assign to this Access Tier | list(string) |
[] |
no |
| tunnel_cidrs | Backend CIDR Ranges that correspond to the IP addresses in your private network(s) | list(string) |
null |
no |
| tunnel_port | UDP port for end users to this access tier to utilize when using service tunnel | number |
null |
no |
| tunnel_private_domains | Any internal domains that can only be resolved on your internal network’s private DNS | list(string) |
null |
no |
| Name | Description |
|---|---|
| address | ip address of the google compute forwarding rule |
| api_key_id | ID of the API key associated with the Access Tier |
| name | Name to use when registering this Access Tier with the console |