Skip to content
This repository has been archived by the owner on Sep 18, 2019. It is now read-only.

spotify/gcp-firewall-enforcer

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 1 tag
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
gcp_firewall_enforcer
 
 
sample_configs
 
 
.gitignore
 
 
CONTRIBUTORS
 
 
LICENSE
 
 
MANIFEST.in
 
 
NOTICE
 
 
README.md
 
 
requirements.txt
 
 
setup.py
 
 
GCP Firewall Enforcer Installation Prerequisites Development Usage Code of Conduct

README.md

GCP Firewall Enforcer

A toolbox to enforce firewall rules across multiple GCP projects.

The package is comprised of the following:

  • gcp_firewall_enforcer: which is the main tool used to enforce firewall rules
  • gcp_rule_parser: a helper to retrieve the current rules set from GCP projects

gcp-firewall-enforcer is currently in alpha status. We are actively improving it and Spotify's production environment is our current test suite.

Installation

Run pip install git+https://github.com/spotify/gcp-firewall-enforcer.git.

Prerequisites

Supported Python versions: 2.7+

Development

To contribute and develop, clone the project inside a virtualenv and install all the dependencies with pip install -r requirements.txt.

Usage

First you need to generate a json key via the GCP console for every project.

Save the file somewhere the scripts can read it, for example:

$ mkdir -p /etc/gcloud/keys
$ mv your-gcp-keyfile.json /etc/gcloud/keys/

Next you need to build a master config file. The master config is first used by gcp_rule_parser to retrieve the project's firewall rules and build a local database, and then by gcp_firewall_enforcer to push/enforce the local firewall databases.

The config file structure is the following:

[
 {
     "project_name" : "GCP Project Name",
     "project" : "gcp-project-name-12345",
     "firewall_db" : "/absolute/path/to/gcp-project-name-firewall-db.json",
     "keyfile" : "/absolute/path/to/gcp-project-name-keyfile-12345.json"
 },
 {
     "project_name" : "GCP Project Name #2",
     "project" : "second-gcp-project-name-54321",
     "firewall_db" : "/absolute/path/to/second-gcp-project-name-firewall-db.json",
     "keyfile" : "/absolute/path/to/second-gcp-project-name-keyfile-54321.json"
 }
]

The meaning of the fields in the json blob are the following:

  • project_name: the descriptive name we used for the project
  • project: internal GCP name (the one you see in the URL, for example gcp-project-name-12345)
  • firewall_db: the absolute path to the json that contains all the firewall rules, this is where gcp_rule_parser write the rules and gcp_firewall_enforcer reads them
  • keyfile: the absolute path to the json file that contains the GCP service key

Once you've properly compiled the master config file, you can use gcp_rule_parser to pull the rules, for example:

$ gcp_rule_parser config.json

This will create a json files containing all the firewall rules in the location specified by firewall_db.

Finally you can start enforcing the rules through gcp_firewall_enforcer. The script will delete all rules that are not in the database.

$ gcp_firewall_enforcer config.json

The script is intended to be run as a cron job.

Code of Conduct

This project adheres to the Open Code of Conduct. By participating, you are expected to honor this code.

About

A toolbox to enforce firewall rules across multiple GCP projects.

Topics

security security-audit firewall google-cloud google-cloud-platform

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity

Stars

76 stars

Watchers

27 watching

Forks

14 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages