Merge pull request #138 from cblkwell/add-iap-security-policy

Adding security policy variable for IAP backend
runatlantis · Dec 7, 2023 · 0bc790d · 0bc790d
2 parents 6514948 + 1d5abd5
commit 0bc790d
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -228,6 +228,7 @@ You can check the status of the certificate in the Google Cloud Console.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_block_project_ssh_keys_enabled"></a> [block\_project\_ssh\_keys\_enabled](#input\_block\_project\_ssh\_keys\_enabled) | Blocks the use of project-wide publich SSH keys | `bool` | `false` | no |
+| <a name="input_default_backend_security_policy"></a> [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no |
 | <a name="input_disk_kms_key_self_link"></a> [disk\_kms\_key\_self\_link](#input\_disk\_kms\_key\_self\_link) | The self link of the encryption key that is stored in Google Cloud KMS | `string` | `null` | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://` | `string` | n/a | yes |
 | <a name="input_enable_oslogin"></a> [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no |
@@ -237,6 +238,7 @@ You can check the status of the certificate in the Google Cloud Console.
 | <a name="input_google_logging_use_fluentbit"></a> [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no |
 | <a name="input_google_monitoring_enabled"></a> [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no |
 | <a name="input_iap"></a> [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI | <pre>object({<br>    oauth2_client_id     = string<br>    oauth2_client_secret = string<br>  })</pre> | `null` | no |
+| <a name="input_iap_backend_security_policy"></a> [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no |
 | <a name="input_image"></a> [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no |
 | <a name="input_machine_image"></a> [machine\_image](#input\_machine\_image) | The machine image to create VMs with, if not specified, latest cos\_cloud/cos\_stable is used | `string` | `null` | no |

diff --git a/examples/cloud-armor/README.md b/examples/cloud-armor/README.md
@@ -1,6 +1,6 @@
 # Example usage
 
-This example deploys Cloud Armor to ensure requests to the default backend are coming from GitHub Webhooks.
+This example deploys Cloud Armor to ensure requests to the default backend are coming from GitHub Webhooks, and adds another policy to restrict access to the IAP backend to an example CIDR.
 
 Since IAP is enabled, two backend services will be created:
 

diff --git a/examples/cloud-armor/main.tf b/examples/cloud-armor/main.tf
@@ -59,6 +59,7 @@ module "atlantis" {
   project = local.project_id
 
   default_backend_security_policy = google_compute_security_policy.atlantis.name
+  iap_backend_security_policy     = google_compute_security_policy.atlantis_iap.name
 
   iap = {
     oauth2_client_id     = google_iap_client.atlantis.client_id
@@ -124,6 +125,52 @@ resource "google_compute_security_policy" "atlantis" {
   }
 }
 
+# This policy allows you to restrict access to the UI from anywhere but say
+# your VPN exits, etc.
+resource "google_compute_security_policy" "atlantis_iap" {
+  name        = "atlantis-iap-security-policy"
+  description = "Policy blocking all traffic except from example range"
+  project     = local.project_id
+
+  rule {
+    # Allow from sample range, eg 192.168.0.0/16
+    action      = "allow"
+    priority    = "2"
+    description = "Allow from sample CIDR"
+    match {
+      expr {
+        expression = "(inIpRange(origin.ip, '192.168.0.0/16'))"
+      }
+    }
+  }
+
+  rule {
+    # Deny all by default
+    action      = "deny(403)"
+    priority    = "2147483647"
+    description = "Default rule: deny all"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+  }
+
+  rule {
+    # Log4j vulnerability
+    action      = "deny(403)"
+    priority    = "1"
+    description = "CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)"
+    match {
+      expr {
+        expression = "evaluatePreconfiguredExpr('cve-canary')"
+      }
+    }
+  }
+}
+
 resource "google_iap_client" "atlantis" {
   display_name = "iap-client"
   brand        = local.google_iap_brand_name

diff --git a/main.tf b/main.tf
@@ -332,6 +332,7 @@ resource "google_compute_backend_service" "iap" {
   connection_draining_timeout_sec = 5
   load_balancing_scheme           = "EXTERNAL_MANAGED"
   health_checks                   = [google_compute_health_check.default.id]
+  security_policy                 = var.iap_backend_security_policy
 
   log_config {
     enable      = true

diff --git a/variables.tf b/variables.tf
@@ -175,3 +175,9 @@ variable "default_backend_security_policy" {
   description = "Name of the security policy to apply to the default backend service"
   default     = null
 }
+
+variable "iap_backend_security_policy" {
+  type        = string
+  description = "Name of the security policy to apply to the IAP backend service"
+  default     = null
+}