├── .github ├── conventional-commit-lint.yaml ├── release-please.yml ├── renovate.json ├── trusted-contribution.yml └── workflows │ ├── lint.yaml │ └── stale.yml ├── CHANGELOG.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── build ├── int.cloudbuild.yaml └── lint.cloudbuild.yaml ├── docs ├── architecture-diagram │ └── architecture.png └── core-concepts │ └── core-concepts.md ├── examples ├── basic_configuration │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── mirror_resource_filtering │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── multiple_vpc_support │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf └── packet_mirroring_traffic_filtering │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── files └── startup_script.sh ├── kitchen.yml ├── main.tf ├── outputs.tf ├── packer ├── .gitignore ├── README.md ├── files │ ├── add_fields.zeek │ ├── append_local.zeek │ ├── json-streaming-logs.zeek │ └── zeek.conf ├── image.json └── scripts │ ├── fluentd.sh │ └── zeek.sh ├── test ├── .gitignore ├── fixtures │ ├── basic_configuration │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── mirror_resource_filtering │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── multiple_vpc_support │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ └── packet_mirroring_traffic_filtering │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf ├── integration │ ├── basic_configuration │ │ ├── controls │ │ │ └── gcp.rb │ │ └── inspec.yml │ ├── mirror_resource_filtering │ │ ├── controls │ │ │ └── gcp.rb │ │ └── inspec.yml │ ├── multiple_vpc_support │ │ ├── controls │ │ │ └── gcp.rb │ │ └── inspec.yml │ └── packet_mirroring_traffic_filtering │ │ ├── controls │ │ └── gcp.rb │ │ └── inspec.yml └── setup │ ├── .gitignore 
│ ├── iam.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── variables.tf └── versions.tf /.github/conventional-commit-lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | enabled: true 19 | always_check_pr_title: true 20 | -------------------------------------------------------------------------------- /.github/release-please.yml: -------------------------------------------------------------------------------- 1 | releaseType: terraform-module 2 | handleGHRelease: true 3 | primaryBranch: main 4 | bumpMinorPreMajor: true 5 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate"] 4 | } 5 | -------------------------------------------------------------------------------- /.github/trusted-contribution.yml: -------------------------------------------------------------------------------- 
1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | annotations: 19 | - type: comment 20 | text: "/gcbrun" 21 | trustedContributors: 22 | - release-please[bot] 23 | - renovate[bot] 24 | - renovate-bot 25 | - forking-renovate[bot] 26 | - dependabot[bot] 27 | -------------------------------------------------------------------------------- /.github/workflows/lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # NOTE: This file is automatically generated from values at: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 17 | 18 | name: 'lint' 19 | 20 | on: 21 | workflow_dispatch: 22 | pull_request: 23 | branches: 24 | - main 25 | 26 | concurrency: 27 | group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}' 28 | cancel-in-progress: true 29 | 30 | jobs: 31 | lint: 32 | name: 'lint' 33 | runs-on: 'ubuntu-latest' 34 | steps: 35 | - uses: 'actions/checkout@v4' 36 | - id: variables 37 | run: | 38 | MAKEFILE=$(find . -name Makefile -print -quit) 39 | if [ -z "$MAKEFILE" ]; then 40 | echo dev-tools=gcr.io/cloud-foundation-cicd/cft/developer-tools:1 >> "$GITHUB_OUTPUT" 41 | else 42 | VERSION=$(grep "DOCKER_TAG_VERSION_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 43 | IMAGE=$(grep "DOCKER_IMAGE_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 44 | REGISTRY=$(grep "REGISTRY_URL := " $MAKEFILE | cut -d\ -f3) 45 | echo dev-tools=${REGISTRY}/${IMAGE}:${VERSION} >> "$GITHUB_OUTPUT" 46 | fi 47 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} module-swapper 48 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} /usr/local/bin/test_lint.sh 49 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | name: "Close stale issues" 19 | on: 20 | schedule: 21 | - cron: "0 23 * * *" 22 | 23 | jobs: 24 | stale: 25 | if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules' 26 | runs-on: ubuntu-latest 27 | steps: 28 | - uses: actions/stale@v9 29 | with: 30 | repo-token: ${{ secrets.GITHUB_TOKEN }} 31 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 32 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 33 | exempt-issue-labels: 'triaged' 34 | exempt-pr-labels: 'dependencies,autorelease: pending' 35 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | The format is based on 6 | [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 7 | and this project adheres to 8 | [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 9 | This changelog is generated automatically based on [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). 
10 | 11 | ## [0.1.0](https://github.com/terraform-google-modules/terraform-google-network-forensics/releases/tag/v0.1.0) - 2021-07-30 12 | 13 | ### Features 14 | 15 | - Initial release 16 | 17 | [0.1.0]: https://github.com/terraform-google-modules/terraform-google-network-forensics/releases/tag/v0.1.0 18 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # NOTE: This file is automatically generated from values at: 2 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 3 | 4 | * @GoogleCloudPlatform/blueprint-solutions 5 | 6 | # NOTE: GitHub CODEOWNERS locations: 7 | # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection 8 | 9 | CODEOWNERS @GoogleCloudPlatform/blueprint-solutions 10 | .github/CODEOWNERS @GoogleCloudPlatform/blueprint-solutions 11 | docs/CODEOWNERS @GoogleCloudPlatform/blueprint-solutions 12 | 13 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | This document provides guidelines for contributing to the module. 4 | 5 | ## Dependencies 6 | 7 | The following dependencies must be installed on the development system: 8 | 9 | - [Docker Engine][docker-engine] 10 | - [Google Cloud SDK][google-cloud-sdk] 11 | - [make] 12 | 13 | ## Generating Documentation for Inputs and Outputs 14 | 15 | The Inputs and Outputs tables in the READMEs of the root module, 16 | submodules, and example modules are automatically generated based on 17 | the `variables` and `outputs` of the respective modules. These tables 18 | must be refreshed if the module interfaces are changed. 
19 | 20 | ### Execution 21 | 22 | Run `make generate_docs` to generate new Inputs and Outputs tables. 23 | 24 | ## Integration Testing 25 | 26 | Integration tests are used to verify the behaviour of the root module, 27 | submodules, and example modules. Additions, changes, and fixes should 28 | be accompanied by tests. 29 | 30 | The integration tests are run using [Kitchen][kitchen], 31 | [Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These 32 | tools are packaged within a Docker image for convenience. 33 | 34 | The general strategy for these tests is to verify the behaviour of the 35 | [example modules](./examples/), thus ensuring that the root module, 36 | submodules, and example modules are all functionally correct. 37 | 38 | ### Test Environment 39 | The easiest way to test the module is in an isolated test project. The setup for such a project is defined in the [test/setup](./test/setup/) directory. 40 | 41 | To use this setup, you need a service account with Project Creator access on a folder. Export the Service Account credentials to your environment like so: 42 | 43 | ``` 44 | export SERVICE_ACCOUNT_JSON=$(< credentials.json) 45 | ``` 46 | 47 | You will also need to set a few environment variables: 48 | ``` 49 | export TF_VAR_org_id="your_org_id" 50 | export TF_VAR_folder_id="your_folder_id" 51 | export TF_VAR_billing_account="your_billing_account_id" 52 | ``` 53 | 54 | With these settings in place, you can prepare a test project using Docker: 55 | ``` 56 | make docker_test_prepare 57 | ``` 58 | 59 | ### Noninteractive Execution 60 | 61 | Run `make docker_test_integration` to test all of the example modules 62 | noninteractively, using the prepared test project. 63 | 64 | ### Interactive Execution 65 | 66 | 1. Run `make docker_run` to start the testing Docker container in 67 | interactive mode. 68 | 69 | 1. Run `kitchen_do create <EXAMPLE_NAME>` to initialize the working 70 | directory for an example module. 71 | 72 | 1. 
Run `kitchen_do converge <EXAMPLE_NAME>` to apply the example module. 73 | 74 | 1. Run `kitchen_do verify <EXAMPLE_NAME>` to test the example module. 75 | 76 | 1. Run `kitchen_do destroy <EXAMPLE_NAME>` to destroy the example module 77 | state. 78 | 79 | ## Linting and Formatting 80 | 81 | Many of the files in the repository can be linted or formatted to 82 | maintain a standard of quality. 83 | 84 | ### Execution 85 | 86 | Run `make docker_test_lint`. 87 | 88 | [docker-engine]: https://www.docker.com/products/docker-engine 89 | [flake8]: http://flake8.pycqa.org/en/latest/ 90 | [gofmt]: https://golang.org/cmd/gofmt/ 91 | [google-cloud-sdk]: https://cloud.google.com/sdk/install 92 | [hadolint]: https://github.com/hadolint/hadolint 93 | [inspec]: https://inspec.io/ 94 | [kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform 95 | [kitchen]: https://kitchen.ci/ 96 | [make]: https://en.wikipedia.org/wiki/Make_(software) 97 | [shellcheck]: https://www.shellcheck.net/ 98 | [terraform-docs]: https://github.com/segmentio/terraform-docs 99 | [terraform]: https://terraform.io/ -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | SHELL := /usr/bin/env bash 16 | 17 | DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.13 18 | DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools 19 | REGISTRY_URL := gcr.io/cloud-foundation-cicd 20 | 21 | # Enter docker container for local development 22 | .PHONY: docker_run 23 | docker_run: 24 | docker run --rm -it \ 25 | -e SERVICE_ACCOUNT_JSON \ 26 | -v "$(CURDIR)":/workspace \ 27 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 28 | /bin/bash 29 | 30 | # Execute prepare tests within the docker container 31 | .PHONY: docker_test_prepare 32 | docker_test_prepare: 33 | docker run --rm -it \ 34 | -e SERVICE_ACCOUNT_JSON \ 35 | -e TF_VAR_org_id \ 36 | -e TF_VAR_folder_id \ 37 | -e TF_VAR_billing_account \ 38 | -v "$(CURDIR)":/workspace \ 39 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 40 | /usr/local/bin/execute_with_credentials.sh prepare_environment 41 | 42 | # Clean up test environment within the docker container 43 | .PHONY: docker_test_cleanup 44 | docker_test_cleanup: 45 | docker run --rm -it \ 46 | -e SERVICE_ACCOUNT_JSON \ 47 | -e TF_VAR_org_id \ 48 | -e TF_VAR_folder_id \ 49 | -e TF_VAR_billing_account \ 50 | -v "$(CURDIR)":/workspace \ 51 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 52 | /usr/local/bin/execute_with_credentials.sh cleanup_environment 53 | 54 | # Execute integration tests within the docker container 55 | .PHONY: docker_test_integration 56 | docker_test_integration: 57 | docker run --rm -it \ 58 | -e SERVICE_ACCOUNT_JSON \ 59 | -v "$(CURDIR)":/workspace \ 60 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 61 | /usr/local/bin/test_integration.sh 62 | 63 | # Execute lint tests within the docker container 64 | .PHONY: docker_test_lint 65 | docker_test_lint: 66 | docker run --rm -it \ 67 | -v "$(CURDIR)":/workspace \ 68 | 
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 69 | /usr/local/bin/test_lint.sh 70 | 71 | # Generate documentation 72 | .PHONY: docker_generate_docs 73 | docker_generate_docs: 74 | docker run --rm -it \ 75 | -v "$(CURDIR)":/workspace \ 76 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 77 | /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' 78 | 79 | # Generate files from autogen 80 | .PHONY: docker_generate_modules 81 | docker_generate_modules: 82 | docker run --rm -it \ 83 | -v "$(CURDIR)":/workspace \ 84 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 85 | /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_modules' 86 | 87 | # Alias for backwards compatibility 88 | .PHONY: generate_docs 89 | generate_docs: docker_generate_docs 90 | 91 | .PHONY: generate_modules 92 | generate_modules: docker_generate_modules 93 | 94 | .PHONY: build 95 | build: docker_generate_modules docker_generate_docs -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Google Zeek Automation Module 2 | 3 | ![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.13.5-blue.svg) 4 | 5 | This module simplifies the deployment of Zeek so GCP customers can feed raw packets from VPC Packet Mirroring and produce rich security telemetry for threat detection and investigation in our Chronicle Security Platform. 6 | 7 | 8 | ## Compatibility 9 | 10 | This module is meant for use with Terraform `v0.13.5` or above. 11 | 12 | 13 | ## Examples 14 | 15 | Examples of how to use these modules can be found in the [examples](examples) folder. 16 | - [Basic Configuration](examples/basic_configuration): Demonstrates how to use the google zeek automation module with a basic configuration. 
17 | - [Mirror Resource Filtering](examples/mirror_resource_filtering): Demonstrates how to specify mirror vpc network sources for a packet mirroring policy. 18 | - [Packet Mirroring Traffic Filtering](examples/packet_mirroring_traffic_filtering): Demonstrates how to use traffic filtering parameters for a packet-mirroring policy. 19 | 20 | 21 | ## Architecture 22 | 23 | ![Architecture](docs/architecture-diagram/architecture.png "Architecture") 24 | 25 | 26 | ## Features 27 | 28 | - Creates regional managed instance groups that use the network peering between the mirror and collector VPCs to collect logs from mirror vpc sources. 29 | - Enables regional packet mirroring policies for mirroring mirror vpc sources such as: 30 | - mirror-vpc subnets 31 | - mirror-vpc tags 32 | - mirror-vpc instances 33 | 34 | with optional parameters like: ip_protocols, direction, & cidr_ranges. 35 | - Enables packaging of logs in order to send them to the Chronicle Platform. 36 | 37 | 38 | ## Pre-requisites 39 | 40 | 1. [Packer Image](#packer-image) should exist before running the terraform script. 41 | 2. Terraform is [installed](#software-dependencies) on the machine where Terraform is executed. 42 | 3. The Service Account you execute the module with has the right [permissions](#iam). 43 | 4. The Compute Engine APIs are [active](#enable-apis) on the project you will launch the infrastructure on. 44 | 5. User must create a GCS Bucket. 45 | 6. If the Mirror VPC is in a different project, then the user must manually set up network peering from the Mirror VPC to the Collector VPC in order to mirror traffic from that project's VPC. 46 | 7. If the Mirror VPC is in a different project, then the user must add an egress firewall rule in the Mirror VPC for redirecting incoming traffic to the Collector VPC. 
47 | 48 | 49 | ### Packer Image 50 | 51 | There are two ways for using packer image: 52 | - [Use pre-configured image](#use-pre-configured-image) 53 | - [Create your own custom image](#create-your-own-custom-image) 54 | 55 | #### Use Pre-Configured Image 56 | - One can use our pre-configured packer image which is published on GCP and publicly available to all. Treat it as third-party software: the image runs inside your VPC and sees every mirrored packet, so pin the exact image name (not an image family) and review or rebuild it from the [packer](packer/README.md) sources before relying on it in production. 57 | - The terraform script already references this image through the [`golden_image`](#inputs) variable, whose default is `projects/zeekautomation/global/images/zeek-fluentd-golden-image-v1`. 58 | 59 | #### Create Your Own Custom Image 60 | - One can make their own custom image by following [this](packer/README.md) documentation. 61 | - Once the custom image is created, change the [`golden_image`](#inputs) variable value with your custom image name to use it in terraform script. 62 | 63 | 64 | ### IAM 65 | Service account or [user credentials][user-credentials] with the following roles must be used to provision the resources of this module: 66 | 67 | - Service Account User - `roles/iam.serviceAccountUser` 68 | - Service Account Token Creator - `roles/iam.serviceAccountTokenCreator` 69 | - Compute Admin - `roles/compute.admin` 70 | - Compute Network Admin - `roles/compute.networkAdmin` 71 | - Compute Packet Mirroring User - `roles/compute.packetMirroringUser` 72 | - Compute Packet Mirroring Admin - `roles/compute.packetMirroringAdmin` 73 | - Logs Writer - `roles/logging.logWriter` 74 | - Monitoring Metric Writer - `roles/monitoring.metricWriter` 75 | - Storage Admin - `roles/storage.admin` 76 | 77 | These roles are broad: `roles/compute.admin` and `roles/storage.admin` grant full control over all VMs and buckets in the project, and `roles/iam.serviceAccountTokenCreator` lets the holder mint tokens for (i.e. act as) the service accounts it is granted on. Grant them to a dedicated provisioning identity, on the collector project only, and revoke them once provisioning is complete. **In addition to above roles, for Mirror VPCs residing in different projects than Collector VPC, the Service account email used for provisioning Collector VPC resources must be added as IAM Member to respective Mirror VPC project with the following role:** 78 | 79 | - Compute Packet Mirroring Admin - `roles/compute.packetMirroringAdmin` 80 | 81 | ### Enable APIs 82 | In order to operate with the Service 
Account you must activate the following APIs on the project where the Service Account was created: 83 | 84 | - Compute Engine API - `compute.googleapis.com` 85 | - Service Usage API - `serviceusage.googleapis.com` 86 | - Identity and Access Management (IAM) API - `iam.googleapis.com` 87 | - Cloud Resource Manager API - `cloudresourcemanager.googleapis.com` 88 | - Cloud Logging API - `logging.googleapis.com` 89 | - Cloud Monitoring API - `monitoring.googleapis.com` 90 | - Cloud Storage API - `storage.googleapis.com` 91 | 92 | 93 | ## Usage 94 | 95 | ```tf 96 | module "google_zeek_automation" { 97 | source = "/google_zeek_automation" 98 | gcp_project = "collector_project-123" 99 | service_account_email = "service-account@collector-project-123.iam.gserviceaccount.com" 100 | 101 | collector_vpc_name = "collector-vpc" 102 | subnets = [ 103 | { 104 | mirror_vpc_network = "projects/mirror-project-123/global/networks/test-mirror" 105 | collector_vpc_subnet_cidr = "10.11.0.0/24" 106 | collector_vpc_subnet_region = "us-west1" 107 | }, 108 | ] 109 | 110 | mirror_vpc_subnets = { 111 | "mirror-project-123--mirror_vpc_name--us-west1" = ["projects/mirror-project-123/regions/us-west1/subnetworks/subnet-01"] 112 | } 113 | 114 | } 115 | ``` 116 | **Note: For packet mirroring policy, it requires a mirror source to be specified before running the script. 
So, out of 3 variables: `mirror_vpc_instances` | `mirror_vpc_tags`| `mirror_vpc_subnets`, at least one of them should be specified while running the terraform script.** 117 | 118 | Then perform the following commands on the root folder: 119 | - `terraform init` to get the plugins 120 | - `terraform plan` to see the infrastructure plan 121 | - `terraform apply` to apply the infrastructure build 122 | - `terraform destroy` to destroy the built infrastructure 123 | 124 | 125 | 126 | ## Software Dependencies 127 | 128 | ### Terraform and Plugins 129 | - [Terraform][terraform-download] v0.13.5 130 | - [Terraform Provider for GCP][terraform-provider-google] v3.55 131 | 132 | 133 | ## Inputs 134 | 135 | | Name | Description | Type | Default | Required | 136 | |------|-------------|------|---------|:--------:| 137 | | gcp\_project | GCP Project ID where collector vpc will be provisioned. | `string` | n/a | yes | 138 | | golden\_image | This is name of zeek-fluentd packer image | `string` | `"projects/zeekautomation/global/images/zeek-fluentd-golden-image-v1"` | no | 139 | | collector\_vpc\_name | This is name of collector vpc. | `string` | n/a | yes | 140 | | mirror\_vpc\_instances | Mirror VPC Instances list to be mirrored.

**(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)** | `map(list(string))` | `{}` | no | 141 | | mirror\_vpc\_subnets | Mirror VPC Subnets list to be mirrored. | `map(list(string))` | `{}` | no | 142 | | mirror\_vpc\_tags | Mirror VPC Tags list to be mirrored. | `map(list(string))` | `{}` | no | 143 | | service\_account\_email | User's Service Account Email. | `string` | n/a | yes | 144 | | subnets | The list of subnets being created |
list(object({
mirror_vpc_network = string
collector_vpc_subnet_cidr = string
collector_vpc_subnet_region = string
}))
| n/a | yes | 145 | 146 | 147 | ## Outputs 148 | 149 | | Name | Description | 150 | |------|-------------| 151 | | autoscaler\_ids | Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}} | 152 | | collector\_vpc\_network\_id | The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}. | 153 | | collector\_vpc\_subnets\_ids | Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}} | 154 | | forwarding\_rule\_ids | Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}} | 155 | | health\_check\_id | Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}} | 156 | | intance\_group\_ids | Managed Instance Group identifier for the resource with format {{disk.name}} | 157 | | intance\_groups | The full URL of the instance group created by the manager. | 158 | | intance\_template\_ids | Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}} | 159 | | loadbalancer\_ids | Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}} | 160 | | packet\_mirroring\_policy\_ids | Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}} | 161 | 162 | #### Specifying credentials 163 | 164 | The Google Zeek Automation uses external scripts to perform a few tasks that are not implemented 165 | by Terraform providers. Because of this the Google Zeek Automation needs a copy of service account 166 | credentials to pass to these scripts. Credentials can be provided via two mechanisms: 167 | 168 | 1. Explicitly passed to the Google Zeek Automation with the `credentials` variable. 
This approach 169 | typically uses the same credentials for the `google` provider and the Google Zeek Automation: 170 | ```terraform 171 | provider "google" { 172 | credentials = file(var.credentials) 173 | } 174 | 175 | module "google_zeek_automation" { 176 | source = "/google_zeek_automation" 177 | 178 | # other variables follow ... 179 | } 180 | ``` A service account key file is a long-lived secret: keep it out of version control, restrict its file permissions to the user running Terraform, and remember that a value passed to a provider argument can be written into saved plan files. Prefer option 2 on any machine or CI runner that can obtain credentials without a downloaded key. (The legacy `"${file(var.credentials)}"` interpolation form is not needed on the Terraform versions this module supports.) 181 | 2. Implicitly provided by the [Application Default Credentials][application-default-credentials] 182 | flow, which typically uses the `GOOGLE_APPLICATION_CREDENTIALS` environment variable: 183 | ```terraform 184 | # `GOOGLE_APPLICATION_CREDENTIALS` must be set in the environment before Terraform is run. 185 | provider "google" { 186 | # Terraform will check the `GOOGLE_APPLICATION_CREDENTIALS` variable, so no `credentials` 187 | # value is needed here. 188 | } 189 | 190 | module "google_zeek_automation" { 191 | source = "/google_zeek_automation" 192 | 193 | # Google Zeek Automation will also check the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. 194 | # other variables follow ... 195 | } 196 | ``` 197 | 198 | ## Learn 199 | 200 | ### Core concepts 201 | 202 | - [VPC Network](docs/core-concepts/core-concepts.md#vpc-network) 203 | - [Network Subnets](docs/core-concepts/core-concepts.md#network-subnets) 204 | - [Network Firewall](docs/core-concepts/core-concepts.md#network-firewall) 205 | - [VPC Network Peering](docs/core-concepts/core-concepts.md#vpc-network-peering) 206 | - [Instance Template](docs/core-concepts/core-concepts.md#instance-template) 207 | - [Managed Instance Group](docs/core-concepts/core-concepts.md#managed-instance-group) 208 | - [Internal Load Balancer](docs/core-concepts/core-concepts.md#internal-load-balancer) 209 | - [Packet Mirroring](docs/core-concepts/core-concepts.md#packet-mirroring) 210 | 211 | 212 | ### Repo organisation 213 | 214 | This repo has the following folder structure: 215 | 216 | - [examples](./examples): This folder contains examples of how to use the module. 
217 | 218 | - [files](./files): This folder contains startup script file. 219 | 220 | - [packer](./packer): To generate your own packer image. 221 | 222 | - [test](./test): Automated tests for the module. 223 | 224 | 225 | ## Contributions 226 | 227 | Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite. 228 | 229 | Please see [contributing guidelines](CONTRIBUTING.md) for information on contributing to this module. 230 | 231 | 232 | ## Troubleshooting 233 | 234 | - If you get error: `Error: Error waiting for Adding Network Peering: An IP range in the peer network (X.X.X.X/X) overlaps with an IP range in the local network (X.X.X.X/X) allocated by resource (projects//regions//subnetworks/).` 235 | 236 | **Reason:** A subnet CIDR range in one peered VPC network cannot overlap with a static route in another peered network. This rule covers both subnet routes and static routes.
237 | Refer: https://cloud.google.com/vpc/docs/vpc-peering#restrictions 238 | 239 | **Solution**: 240 | Move the mirror VPCs whose CIDR ranges overlap with the existing deployment into a separate module configuration (a separate Terraform root with its own state). Applying it launches a second collector VPC that is peered only with that set of mirror VPCs, so the overlapping ranges never meet inside one peering group. Also make sure the `collector_vpc_subnet_cidr` values you choose for each collector VPC do not overlap with any range in the mirror VPCs it is peered with. 241 | 242 | 243 | 244 | [terraform-download]: https://www.terraform.io/downloads.html 245 | [terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google 246 | [application-default-credentials]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application 247 | [user-credentials]: https://cloud.google.com/sdk/gcloud/reference/auth/login -------------------------------------------------------------------------------- /build/int.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | timeout: 3600s 16 | steps: 17 | - id: prepare 18 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 19 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment'] 20 | env: 21 | - 'TF_VAR_org_id=$_ORG_ID' 22 | - 'TF_VAR_folder_id=$_FOLDER_ID' 23 | - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' 24 | - id: create 25 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 26 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create'] 27 | - id: converge 28 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 29 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge'] 30 | - id: verify 31 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 32 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify'] 33 | - id: destroy 34 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 35 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy'] 36 | tags: 37 | - 'ci' 38 | - 'integration' 39 | substitutions: 40 | _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' 41 | _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0' 42 | -------------------------------------------------------------------------------- /build/lint.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 17 | id: 'lint' 18 | args: ['/usr/local/bin/test_lint.sh'] 19 | tags: 20 | - 'ci' 21 | - 'lint' 22 | substitutions: 23 | _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' 24 | _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0' 25 | -------------------------------------------------------------------------------- /docs/architecture-diagram/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/terraform-google-network-forensics/b8a5993508013b48b6b0338cda4c74a4fb870a60/docs/architecture-diagram/architecture.png -------------------------------------------------------------------------------- /docs/core-concepts/core-concepts.md: -------------------------------------------------------------------------------- 1 | # VPC Network 2 | 3 | A [Virtual Private Cloud (VPC) network](https://cloud.google.com/vpc/docs/vpc) or "network" is a private, isolated 4 | section of your cloud infrastructure. Networks are a virtual version of a physically segregated network that control 5 | connections between your resources and services both on Google Cloud and outside of it. 6 | 7 | Networks are global, and a single network can be used for all of your GCP resources across all regions. Subnetworks, 8 | ranges of IP addresses within a single region, can be used to usefully partition your private network IP space. 
9 | 10 | 11 | # Network Subnets 12 | 13 | Each VPC network consists of one or more useful IP range partitions called subnets. Each subnet is associated with a region. 14 | VPC networks do not have any IP address ranges associated with them. IP ranges are [defined for the subnets](https://cloud.google.com/vpc/docs/vpc#manually_created_subnet_ip_ranges). 15 | 16 | A network must have at least one subnet before you can use it. Auto mode VPC networks create subnets in each region automatically. 17 | Custom mode VPC networks start with no subnets, giving you full control over subnet creation. You can create more than one subnet per region. 18 | For information about the differences between auto mode and custom mode VPC networks, see [types of VPC networks](https://cloud.google.com/vpc/docs/vpc#subnet-ranges). 19 | 20 | 21 | # Network Firewall 22 | 23 | The Network Firewall module is used to configure a standard set of [firewall rules](https://cloud.google.com/vpc/docs/firewalls) 24 | for your network. 25 | 26 | Firewall rules on Google Cloud Platform (GCP) are created at the network level but act on each instance; if traffic is 27 | restricted between instances by the rule, they will be unable to communicate even if they're in the same network or 28 | subnetwork. 29 | 30 | The default firewall rules on GCP block inbound traffic and allow outbound traffic. Firewall rules are stateful; if a 31 | connection is allowed between a source and a target or a target and a destination, all subsequent traffic in either 32 | direction will be allowed as long as the connection is active. 33 | 34 | 35 | # VPC Network Peering 36 | 37 | The Network Peering module creates [VPC network peering connections](https://cloud.google.com/vpc/docs/vpc-peering) 38 | between networks. 39 | 40 | VPC Network Peering enables you to connect VPC networks so that workloads in different VPC networks can communicate internally. 
41 | Traffic stays within Google's network and doesn't traverse the public internet. 42 | 43 | 44 | # Instance Template 45 | 46 | An [instance template](https://cloud.google.com/compute/docs/instance-templates) is a resource that you can use to 47 | create virtual machine (VM) instances and managed instance groups (MIGs). 48 | 49 | Instance templates define the machine type, boot disk image or container image, labels, and other instance properties. 50 | You can then use an instance template to create a MIG or to create individual VMs. Instance templates are a convenient 51 | way to save a VM instance's configuration so you can use it later to create VMs or groups of VMs. 52 | 53 | 54 | # Managed Instance Group 55 | 56 | An [instance group](https://cloud.google.com/compute/docs/instance-groups) is a collection of virtual machine (VM) instances that you can manage as a single entity. 57 | 58 | Compute Engine offers two kinds of VM instance groups, managed and unmanaged: 59 | - [Managed instance groups (MIGs)](https://cloud.google.com/compute/docs/instance-groups#managed_instance_groups) let you operate apps on multiple identical VMs. You can make your workloads scalable and highly available by taking advantage of automated MIG services, including: autoscaling, autohealing, regional (multiple zone) deployment, and automatic updating. 60 | - [Unmanaged instance groups](https://cloud.google.com/compute/docs/instance-groups#unmanaged_instance_groups) let you load balance across a fleet of VMs that you manage yourself. 61 | 62 | 63 | # Internal Load Balancer 64 | 65 | [Cloud Load Balancing](https://cloud.google.com/load-balancing/docs/load-balancing-overview) is a fully distributed, software-defined, managed service for all your traffic. 66 | It is not an instance or device based solution, so you won’t be locked into physical load balancing infrastructure or face the HA, scale and 67 | management challenges inherent in instance based LBs. 
The Cloud Load Balancing product this module uses as the packet-mirroring collector destination is: 68 | 69 | [Internal TCP/UDP Load Balancing](https://cloud.google.com/load-balancing/docs/internal) is a regional load balancer that enables you to run and 70 | scale your services behind an internal load balancing IP address that is accessible only to your internal virtual machine (VM) instances. Internal 71 | TCP/UDP Load Balancing distributes traffic among VM instances in the same region in a Virtual Private Cloud (VPC) network by using an internal IP 72 | address. An Internal TCP/UDP Load Balancing service has a frontend (the forwarding rule) and a backend (the backend service). 73 | 74 | 75 | # Packet Mirroring 76 | 77 | [Packet Mirroring](https://cloud.google.com/vpc/docs/packet-mirroring) clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. 78 | Packet Mirroring captures all traffic and packet data, including payloads and headers. The capture can be configured for both egress and 79 | ingress traffic, only ingress traffic, or only egress traffic. Because payloads are captured, the mirrored traffic and the Zeek logs derived from it can contain credentials, session tokens and other sensitive application data in clear text. Restrict access to the collector project, the collector VMs and any bucket or log sink that receives the output, and use the `ip_protocols`, `direction` and `cidr_ranges` filters to mirror only what you actually need to analyse. 80 | 81 | The mirroring happens on the virtual machine (VM) instances, not on the network. Consequently, Packet Mirroring consumes additional 82 | bandwidth on the VMs. 83 | 84 | Packet Mirroring is useful when you need to monitor and analyze your security status. It exports all traffic, not only the traffic between 85 | sampling periods. For example, you can use security software that analyzes mirrored traffic to detect all threats or anomalies. Additionally, 86 | you can inspect the full traffic flow to detect application performance issues. -------------------------------------------------------------------------------- /examples/basic_configuration/README.md: -------------------------------------------------------------------------------- 1 | # Basic Configurations 2 | This example demonstrates how to use the google zeek automation module with a basic configuration. 
3 | 4 | ## Usage 5 | 6 | ```tf 7 | module "google_zeek_automation" { 8 | source = "/google_zeek_automation" 9 | gcp_project = var.gcp_project_id 10 | service_account_email = var.service_account_email 11 | 12 | collector_vpc_name = var.collector_vpc_name 13 | subnets = var.subnets 14 | mirror_vpc_subnets = var.mirror_vpc_subnets 15 | } 16 | ``` 17 | The variables above can be set either through [Environment Variables](https://www.terraform.io/docs/cli/config/environment-variables.html#tf_var_name) (`TF_VAR_<name>`) or in a `terraform.tfvars` file. Below is an example of how to set them in a `terraform.tfvars` file. Do not commit a `terraform.tfvars` that contains credentials or other secrets. 18 | 19 | ```tf 20 | gcp_project_id = "{{collector_project_id}}" 21 | 22 | service_account_email = "{{User's Service Account Email.}}" 23 | 24 | collector_vpc_name = "{{collector-vpc}}" 25 | 26 | subnets = [ 27 | { 28 | mirror_vpc_network = "{{mirror_vpc_network}}" 29 | collector_vpc_subnet_cidr = "{{subnet_cidr}}" 30 | collector_vpc_subnet_region = "{{region}}" 31 | }, 32 | 33 | # Note: Repeat the block above once for each mirror VPC and region pair. 34 | ] 35 | 36 | mirror_vpc_subnets = { 37 | "{{mirror_project_id--mirror_vpc_name--region}}" = ["{{subnet_id}}"] 38 | } 39 | 40 | ``` 41 | 42 | 43 | ## Inputs 44 | 45 | | Name | Description | Type | Default | Required | 46 | |------|-------------|------|---------|:--------:| 47 | | bucket | Name of the bucket to store the .tfstate file remotely. Terraform state can contain sensitive values; restrict access to this bucket and enable object versioning. | `string` | n/a | yes | 48 | | gcp_project_id | GCP Project ID where collector vpc will be provisioned. | `string` | n/a | yes | 49 | | service_account_email | User's Service Account Email. | `string` | n/a | yes | 50 | | collector_vpc_name | This is name of collector vpc. | `string` | n/a | yes | 51 | | subnets | The list of subnets being created |
list(object({
mirror_vpc_network = string
collector_vpc_subnet_cidr = string
collector_vpc_subnet_region = string
}))
| n/a | yes | 52 | | cidr\_ranges | IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported. | `list(string)` | `[]` | no | 53 | | credentials | Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no | 54 | | direction | Direction of traffic to mirror. Default value: "BOTH" Possible values: ["INGRESS", "EGRESS", "BOTH"] | `string` | `"BOTH"` | no | 55 | | ip\_protocols | Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"] | `list(string)` | `[]` | no | 56 | | mirror\_vpc\_instances | Mirror VPC Instances list to be mirrored.

**(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)** | `map(list(string))` | `{}` | no | 57 | | mirror\_vpc\_subnets | Mirror VPC Subnets list to be mirrored. | `map(list(string))` | `{}` | no | 58 | | mirror\_vpc\_tags | Mirror VPC Tags list to be mirrored. | `map(list(string))` | `{}` | no | 59 | 60 | ## Outputs 61 | 62 | | Name | Description | 63 | |------|-------------| 64 | | autoscaler\_ids | Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}} | 65 | | collector\_vpc\_network\_id | The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}. | 66 | | collector\_vpc\_subnets\_ids | Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}} | 67 | | forwarding\_rule\_ids | Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}} | 68 | | health\_check\_id | Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}} | 69 | | intance\_group\_ids | Managed Instance Group identifier for the resource with format {{disk.name}} | 70 | | intance\_groups | The full URL of the instance group created by the manager. 
| 71 | | intance\_template\_ids | Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}} | 72 | | loadbalancer\_ids | Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}} | 73 | | packet\_mirroring\_policy\_ids | Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}} | 74 | 75 | 76 | To provision this example, run the following from within this directory: 77 | - `terraform init` to get the plugins 78 | - `terraform plan` to see the infrastructure plan 79 | - `terraform apply` to apply the infrastructure build 80 | - `terraform destroy` to destroy the built infrastructure -------------------------------------------------------------------------------- /examples/basic_configuration/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # PROVIDER CONFIGURATION 19 | # -------------------------------------------------------------- # 20 | 21 | provider "google" { 22 | credentials = var.credentials 23 | } 24 | 25 | # -------------------------------------------------------------- # 26 | # MODULE CONFIGURATIONS 27 | # -------------------------------------------------------------- # 28 | 29 | module "google_zeek_automation" { 30 | source = "/google_zeek_automation" 31 | gcp_project = var.gcp_project_id 32 | service_account_email = var.service_account_email 33 | 34 | collector_vpc_name = var.collector_vpc_name 35 | subnets = var.subnets 36 | mirror_vpc_subnets = var.mirror_vpc_subnets 37 | } -------------------------------------------------------------------------------- /examples/basic_configuration/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 
19 | value = module.google_zeek_automation.collector_vpc_network_id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = module.google_zeek_automation.collector_vpc_subnets_ids 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = module.google_zeek_automation.intance_template_ids 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = module.google_zeek_automation.health_check_id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = module.google_zeek_automation.intance_group_ids 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = module.google_zeek_automation.intance_groups 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = module.google_zeek_automation.autoscaler_ids 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = module.google_zeek_automation.loadbalancer_ids 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = module.google_zeek_automation.forwarding_rule_ids 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = module.google_zeek_automation.packet_mirroring_policy_ids 65 | } -------------------------------------------------------------------------------- /examples/basic_configuration/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
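*/

# -------------------------------------------------------------- #
# BACKEND CONFIGURATION VARIABLES
# -------------------------------------------------------------- #

# Consumed by provider "google" in main.tf. The file at this path is a
# service-account private key, so it belongs outside the repository and
# outside any committed tfvars; the empty default makes the provider use
# Application Default Credentials instead.
variable "credentials" {
  description = "Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials."
  type        = string
  default     = ""
}

# Terraform backend blocks cannot read variables, so the empty
# `backend "gcs" {}` in versions.tf does not pick this value up by itself;
# the bucket has to reach `terraform init` through -backend-config.
# NOTE(review): nothing in this example reads var.bucket — confirm how the
# test harness wires it in.
variable "bucket" {
  description = "Name of the bucket to store .tfstate file remotely."
  type        = string
}

# -------------------------------------------------------------- #
# MODULE VARIABLES
# -------------------------------------------------------------- #

variable "gcp_project_id" {
  description = "GCP Project ID where collector vpc will be provisioned."
  type        = string
}

variable "service_account_email" {
  description = "User's Service Account Email."
  type        = string
}

variable "collector_vpc_name" {
  description = "This is name of collector vpc."
  type        = string
}

# One entry per (mirror VPC, region) pair, presumably one collector subnet
# each — see the module. The CIDR is checked up front so a typo fails at plan
# time instead of somewhere inside the module; cidrnetmask() rejects anything
# that is not an IPv4 prefix.
variable "subnets" {
  description = "The list of subnets being created."
  type = list(object({
    mirror_vpc_network          = string
    collector_vpc_subnet_cidr   = string
    collector_vpc_subnet_region = string
  }))

  validation {
    condition     = length([for s in var.subnets : s if !can(cidrnetmask(s.collector_vpc_subnet_cidr))]) == 0
    error_message = "Every collector_vpc_subnet_cidr must be an IPv4 CIDR range in a.b.c.d/n form."
  }
}

# The three mirror_vpc_* maps are keyed "project--vpc--region" (as in the
# README examples) and list the resources of that VPC to mirror. Empty maps
# are passed through to the module as-is.
variable "mirror_vpc_subnets" {
  description = "Mirror VPC Subnets list to be mirrored."
  type        = map(list(string))
  default     = {}
}

variable "mirror_vpc_tags" {
  description = "Mirror VPC Tags list to be mirrored."
  type        = map(list(string))
  default     = {}
}

# Instances can only be mirrored from the collector's own project (see the
# description); the key format is the same as for the other two maps.
variable "mirror_vpc_instances" {
  description = "Mirror VPC Instances list to be mirrored. (Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)"
  type        = map(list(string))
  default     = {}
}

# The documented allowed values are now enforced; the empty default is
# passed through to the module unchanged.
variable "ip_protocols" {
  description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]"
  type        = list(string)
  default     = []

  validation {
    condition     = length([for p in var.ip_protocols : p if !contains(["tcp", "udp", "icmp"], p)]) == 0
    error_message = "Each ip_protocols entry must be one of tcp, udp or icmp."
  }
}

variable "direction" {
  description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]"
  type        = string
  default     = "BOTH"

  validation {
    condition     = contains(["INGRESS", "EGRESS", "BOTH"], var.direction)
    error_message = "The direction value must be one of INGRESS, EGRESS or BOTH."
  }
}

# cidrnetmask() only accepts IPv4 prefixes, which matches the "Only IPv4 is
# supported" contract in the description.
variable "cidr_ranges" {
  description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported."
  type        = list(string)
  default     = []

  validation {
    condition     = length([for c in var.cidr_ranges : c if !can(cidrnetmask(c))]) == 0
    error_message = "Each cidr_ranges entry must be an IPv4 CIDR range in a.b.c.d/n form."
  }
}

-------------------------------------------------------------------------------- /examples/basic_configuration/versions.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.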
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13.5" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.55" 23 | } 24 | } 25 | backend "gcs" {} 26 | } -------------------------------------------------------------------------------- /examples/mirror_resource_filtering/README.md: -------------------------------------------------------------------------------- 1 | # Mirror Resource Filtering 2 | This example demonstrates how to restrict a packet mirroring policy to specific mirror VPC resources (subnets, instances or tags). 3 | 4 | ## Usage 5 | 6 | ```tf 7 | module "google_zeek_automation" { 8 | source = "/google_zeek_automation" 9 | gcp_project = var.gcp_project_id 10 | service_account_email = var.service_account_email 11 | 12 | collector_vpc_name = var.collector_vpc_name 13 | subnets = var.subnets 14 | mirror_vpc_subnets = var.mirror_vpc_subnets 15 | mirror_vpc_instances = var.mirror_vpc_instances 16 | mirror_vpc_tags = var.mirror_vpc_tags 17 | } 18 | ``` 19 | The variables above can be set either through [Environment Variables](https://www.terraform.io/docs/cli/config/environment-variables.html#tf_var_name) or in a `terraform.tfvars` file. Below is an example of setting them in `terraform.tfvars`. 20 | 21 | ```tf 22 | gcp_project_id = "{{collector_project_id}}" 23 | 24 | service_account_email = "{{User's Service Account Email.}}" 25 | 26 | collector_vpc_name = "{{collector-vpc}}" 27 | 28 | subnets = [ 29 | { 30 | mirror_vpc_network = "{{mirror_vpc_network}}" 31 | collector_vpc_subnet_cidr = "{{subnet_cidr}}" 32 | collector_vpc_subnet_region = "{{region}}" 33 | }, 34 | 35 | # Note: Repeat the block above once for each mirror VPC and region. 
36 | ] 37 | 38 | 39 | # Mirror Resource Filtering 40 | 41 | mirror_vpc_subnets = { 42 | "{{mirror_project_id--mirror_vpc_name--region}}" = ["{{subnet_id}}"] 43 | } 44 | 45 | mirror_vpc_instances = { 46 | "{{collector_project_id--mirror_vpc_name--region}}" = ["{{instance_id}}"] 47 | 48 | # Note: Allowed only if mirror and collector vpc are in same project. 49 | } 50 | 51 | mirror_vpc_tags = { 52 | "{{mirror_project_id--mirror_vpc_name--region}}" = ["{{tag-1}}", "{{tag-2}}"] 53 | } 54 | 55 | ``` 56 | 57 | ## Inputs 58 | 59 | | Name | Description | Type | Default | Required | 60 | |------|-------------|------|---------|:--------:| 61 | | bucket | Name of the bucket to store .tfstate file remotely. | `string` | n/a | yes | 62 | | gcp_project_id | GCP Project ID where collector vpc will be provisioned. | `string` | n/a | yes | 63 | | service_account_email | User's Service Account Email. | `string` | n/a | yes | 64 | | collector_vpc_name | This is name of collector vpc. | `string` | n/a | yes | 65 | | subnets | The list of subnets being created |
`list(object({ mirror_vpc_network = string, collector_vpc_subnet_cidr = string, collector_vpc_subnet_region = string }))`
| n/a | yes | 66 | | cidr\_ranges | IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported. | `list(string)` | `[]` | no | 67 | | credentials | Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no | 68 | | direction | Direction of traffic to mirror. Default value: "BOTH" Possible values: ["INGRESS", "EGRESS", "BOTH"] | `string` | `"BOTH"` | no | 69 | | ip\_protocols | Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"] | `list(string)` | `[]` | no | 70 | | mirror\_vpc\_instances | Mirror VPC Instances list to be mirrored.

**(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)** | `map(list(string))` | `{}` | no | 71 | | mirror\_vpc\_subnets | Mirror VPC Subnets list to be mirrored. | `map(list(string))` | `{}` | no | 72 | | mirror\_vpc\_tags | Mirror VPC Tags list to be mirrored. | `map(list(string))` | `{}` | no | 73 | 74 | ## Outputs 75 | 76 | | Name | Description | 77 | |------|-------------| 78 | | autoscaler\_ids | Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}} | 79 | | collector\_vpc\_network\_id | The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}. | 80 | | collector\_vpc\_subnets\_ids | Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}} | 81 | | forwarding\_rule\_ids | Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}} | 82 | | health\_check\_id | Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}} | 83 | | intance\_group\_ids | Managed Instance Group identifier for the resource with format {{disk.name}} | 84 | | intance\_groups | The full URL of the instance group created by the manager. 
| 85 | | intance\_template\_ids | Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}} | 86 | | loadbalancer\_ids | Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}} | 87 | | packet\_mirroring\_policy\_ids | Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}} | 88 | 89 | 90 | To provision this example, run the following from within this directory: 91 | - `terraform init` to get the plugins 92 | - `terraform plan` to see the infrastructure plan 93 | - `terraform apply` to apply the infrastructure build 94 | - `terraform destroy` to destroy the built infrastructure -------------------------------------------------------------------------------- /examples/mirror_resource_filtering/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

# -------------------------------------------------------------- #
# PROVIDER CONFIGURATION
# -------------------------------------------------------------- #

# var.credentials is a path to a service-account key file (see variables.tf);
# with the empty default the provider falls back to Application Default
# Credentials, so no key file has to live next to this example.
provider "google" {
  credentials = var.credentials
}

# -------------------------------------------------------------- #
# MODULE CONFIGURATIONS
# -------------------------------------------------------------- #

# NOTE(review): the source is an absolute path, so this example only resolves
# where the module is mounted at "/google_zeek_automation" (presumably the
# test harness); a path relative to this directory would make the example
# self-contained — confirm against test/fixtures before changing it.
# var.gcp_project_id feeds the module's `gcp_project` input; the three
# mirror_vpc_* maps select which resources of each mirror VPC are mirrored.
module "google_zeek_automation" {
  source                = "/google_zeek_automation"
  gcp_project           = var.gcp_project_id
  service_account_email = var.service_account_email

  collector_vpc_name   = var.collector_vpc_name
  subnets              = var.subnets
  mirror_vpc_subnets   = var.mirror_vpc_subnets
  mirror_vpc_instances = var.mirror_vpc_instances
  mirror_vpc_tags      = var.mirror_vpc_tags
}
-------------------------------------------------------------------------------- /examples/mirror_resource_filtering/outputs.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Every output below re-exports one module output unchanged. The "intance_"
# spelling is the module's own output name: renaming only here would break
# any consumer of `terraform output` and diverge from the README tables, so
# the typo is deliberately left in place until the module is renamed.
output "collector_vpc_network_id" {
  description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}."
  value       = module.google_zeek_automation.collector_vpc_network_id
}

output "collector_vpc_subnets_ids" {
  description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}"
  value       = module.google_zeek_automation.collector_vpc_subnets_ids
}

output "intance_template_ids" {
  description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}"
  value       = module.google_zeek_automation.intance_template_ids
}

output "health_check_id" {
  description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}"
  value       = module.google_zeek_automation.health_check_id
}

# NOTE(review): "{{disk.name}}" in this description does not look like an
# instance-group identifier format (it reads like a copy-and-paste slip from a
# disk output); confirm the real format against the module's output and fix
# the wording there so this file and the README tables follow.
output "intance_group_ids" {
  description = "Managed Instance Group identifier for the resource with format {{disk.name}}"
  value       = module.google_zeek_automation.intance_group_ids
}

output "intance_groups" {
  description = "The full URL of the instance group created by the manager."
  value       = module.google_zeek_automation.intance_groups
}

output "autoscaler_ids" {
  description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}"
  value       = module.google_zeek_automation.autoscaler_ids
}

output "loadbalancer_ids" {
  description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}"
  value       = module.google_zeek_automation.loadbalancer_ids
}

output "forwarding_rule_ids" {
  description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}"
  value       = module.google_zeek_automation.forwarding_rule_ids
}

output "packet_mirroring_policy_ids" {
  description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}"
  value       = module.google_zeek_automation.packet_mirroring_policy_ids
}
-------------------------------------------------------------------------------- /examples/mirror_resource_filtering/variables.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
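*/

# -------------------------------------------------------------- #
# BACKEND CONFIGURATION VARIABLES
# -------------------------------------------------------------- #

# Consumed by provider "google" in main.tf. The file at this path is a
# service-account private key, so it belongs outside the repository and
# outside any committed tfvars; the empty default makes the provider use
# Application Default Credentials instead.
variable "credentials" {
  description = "Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials."
  type        = string
  default     = ""
}

# Terraform backend blocks cannot read variables, so the empty
# `backend "gcs" {}` in versions.tf does not pick this value up by itself;
# the bucket has to reach `terraform init` through -backend-config.
# NOTE(review): nothing in this example reads var.bucket — confirm how the
# test harness wires it in.
variable "bucket" {
  description = "Name of the bucket to store .tfstate file remotely."
  type        = string
}

# -------------------------------------------------------------- #
# MODULE VARIABLES
# -------------------------------------------------------------- #

variable "gcp_project_id" {
  description = "GCP Project ID where collector vpc will be provisioned."
  type        = string
}

variable "service_account_email" {
  description = "User's Service Account Email."
  type        = string
}

variable "collector_vpc_name" {
  description = "This is name of collector vpc."
  type        = string
}

# One entry per (mirror VPC, region) pair, presumably one collector subnet
# each — see the module. The CIDR is checked up front so a typo fails at plan
# time instead of somewhere inside the module; cidrnetmask() rejects anything
# that is not an IPv4 prefix.
variable "subnets" {
  description = "The list of subnets being created."
  type = list(object({
    mirror_vpc_network          = string
    collector_vpc_subnet_cidr   = string
    collector_vpc_subnet_region = string
  }))

  validation {
    condition     = length([for s in var.subnets : s if !can(cidrnetmask(s.collector_vpc_subnet_cidr))]) == 0
    error_message = "Every collector_vpc_subnet_cidr must be an IPv4 CIDR range in a.b.c.d/n form."
  }
}

# The three mirror_vpc_* maps are keyed "project--vpc--region" (as in the
# README examples) and list the resources of that VPC to mirror. Empty maps
# are passed through to the module as-is.
variable "mirror_vpc_subnets" {
  description = "Mirror VPC Subnets list to be mirrored."
  type        = map(list(string))
  default     = {}
}

variable "mirror_vpc_tags" {
  description = "Mirror VPC Tags list to be mirrored."
  type        = map(list(string))
  default     = {}
}

# Instances can only be mirrored from the collector's own project (see the
# description); the key format is the same as for the other two maps.
variable "mirror_vpc_instances" {
  description = "Mirror VPC Instances list to be mirrored. (Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)"
  type        = map(list(string))
  default     = {}
}

# The documented allowed values are now enforced; the empty default is
# passed through to the module unchanged.
variable "ip_protocols" {
  description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]"
  type        = list(string)
  default     = []

  validation {
    condition     = length([for p in var.ip_protocols : p if !contains(["tcp", "udp", "icmp"], p)]) == 0
    error_message = "Each ip_protocols entry must be one of tcp, udp or icmp."
  }
}

variable "direction" {
  description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]"
  type        = string
  default     = "BOTH"

  validation {
    condition     = contains(["INGRESS", "EGRESS", "BOTH"], var.direction)
    error_message = "The direction value must be one of INGRESS, EGRESS or BOTH."
  }
}

# cidrnetmask() only accepts IPv4 prefixes, which matches the "Only IPv4 is
# supported" contract in the description.
variable "cidr_ranges" {
  description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported."
  type        = list(string)
  default     = []

  validation {
    condition     = length([for c in var.cidr_ranges : c if !can(cidrnetmask(c))]) == 0
    error_message = "Each cidr_ranges entry must be an IPv4 CIDR range in a.b.c.d/n form."
  }
}

-------------------------------------------------------------------------------- /examples/mirror_resource_filtering/versions.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.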
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13.5" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.55" 23 | } 24 | } 25 | backend "gcs" {} 26 | } -------------------------------------------------------------------------------- /examples/multiple_vpc_support/README.md: -------------------------------------------------------------------------------- 1 | # Multiple VPC Support 2 | This example demonstrates how to configure packet mirroring for multiple mirror VPCs. 3 | 4 | ## Usage 5 | 6 | ```tf 7 | module "google_zeek_automation" { 8 | source = "/google_zeek_automation" 9 | gcp_project = var.gcp_project_id 10 | service_account_email = var.service_account_email 11 | 12 | collector_vpc_name = var.collector_vpc_name 13 | subnets = var.subnets 14 | mirror_vpc_subnets = var.mirror_vpc_subnets 15 | mirror_vpc_instances = var.mirror_vpc_instances 16 | mirror_vpc_tags = var.mirror_vpc_tags 17 | 18 | # Optional Parameters 19 | ip_protocols = var.ip_protocols 20 | direction = var.direction 21 | cidr_ranges = var.cidr_ranges 22 | } 23 | ``` 24 | Above variables can be set either by specifying it through [Environment Variables](https://www.terraform.io/docs/cli/config/environment-variables.html#tf_var_name) or setting it in `terraform.tfvars` file. Below is an example of how to set the variables in `terraform.tfvars` file. 
25 | 26 | ```tf 27 | gcp_project_id = "{{collector_project_id}}" 28 | 29 | service_account_email = "{{User's Service Account Email.}}" 30 | 31 | collector_vpc_name = "{{collector-vpc}}" 32 | 33 | subnets = [ 34 | { 35 | mirror_vpc_network = "{{mirror_vpc_network_1}}" 36 | collector_vpc_subnet_cidr = "{{subnet_cidr_1}}" 37 | collector_vpc_subnet_region = "{{region_1}}" 38 | }, 39 | { 40 | mirror_vpc_network = "{{mirror_vpc_network_2}}" 41 | collector_vpc_subnet_cidr = "{{subnet_cidr_2}}" 42 | collector_vpc_subnet_region = "{{region_1}}" 43 | }, 44 | { 45 | mirror_vpc_network = "{{mirror_vpc_network_3}}" 46 | collector_vpc_subnet_cidr = "{{subnet_cidr_3}}" 47 | collector_vpc_subnet_region = "{{region_2}}" 48 | }, 49 | . 50 | . 51 | ., 52 | { 53 | mirror_vpc_network = "{{mirror_vpc_network_N}}" 54 | collector_vpc_subnet_cidr = "{{subnet_cidr_N}}" 55 | collector_vpc_subnet_region = "{{region_N}}" 56 | }, 57 | 58 | # Note: For each mirror VPC and regions, user needs to repeat above block accordingly. 59 | ] 60 | 61 | mirror_vpc_subnets = { 62 | "{{mirror_project_id_1--mirror_vpc_name_1--region_1}}" = ["{{subnet_id-1}},{{subnet_id-2}}"], 63 | "{{mirror_project_id_2--mirror_vpc_name_2--region_1}}" = ["{{subnet_id-3}},{{subnet_id-4}}"], 64 | "{{mirror_project_id_3--mirror_vpc_name_3--region_2}}" = ["{{subnet_id-5}},{{subnet_id-6}}"], 65 | . 66 | . 67 | ., 68 | "{{mirror_project_id_N--mirror_vpc_name_N--region_N}}" = ["{{subnet_id-N}},{{subnet_id-M}}"] 69 | } 70 | 71 | mirror_vpc_instances = { 72 | "{{collector_project_id--mirror_vpc_name_1--region_1}}" = ["{{instance_id-1}},{{instance_id-2}}"], 73 | "{{collector_project_id--mirror_vpc_name_2--region_1}}" = ["{{instance_id-3}},{{instance_id-4}}"], 74 | "{{collector_project_id--mirror_vpc_name_3--region_2}}" = ["{{instance_id-5}},{{instance_id-6}}"], 75 | . 76 | . 
77 | ., 78 | "{{collector_project_id--mirror_vpc_name_N--region_N}}" = ["{{instance_id-N}},{{instance_id-M}}"] 79 | 80 | 81 | # Note: Allowed only if mirror and collector vpc are in same project. 82 | } 83 | 84 | mirror_vpc_tags = { 85 | "{{mirror_project_id_1--mirror_vpc_name_1--region_1}}" = ["{{tag-1}}", "{{tag-2}}"], 86 | "{{mirror_project_id_2--mirror_vpc_name_2--region_1}}" = ["{{tag-3}}", "{{tag-4}}"], 87 | "{{mirror_project_id_3--mirror_vpc_name_3--region_2}}" = ["{{tag-5}}", "{{tag-6}}"], 88 | . 89 | . 90 | ., 91 | "{{mirror_project_id_N--mirror_vpc_name_N--region_N}}" = ["{{tag-N}}", "{{tag-M}}"] 92 | } 93 | 94 | # Packet Mirroring Traffic Filtering 95 | 96 | ip_protocols = ["{{protocol}}"] # Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"] 97 | 98 | direction = "{{direction_of_traffic}}" # Direction of traffic to mirror. Possible values: "INGRESS", "EGRESS", "BOTH" 99 | 100 | cidr_ranges = ["{{cidr}}"] # "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header." 101 | 102 | ``` 103 | 104 | ## Inputs 105 | 106 | | Name | Description | Type | Default | Required | 107 | |------|-------------|------|---------|:--------:| 108 | | bucket | Name of the bucket to store .tfstate file remotely. | `string` | n/a | yes | 109 | | gcp_project_id | GCP Project ID where collector vpc will be provisioned. | `string` | n/a | yes | 110 | | service_account_email | User's Service Account Email. | `string` | n/a | yes | 111 | | collector_vpc_name | This is name of collector vpc. | `string` | n/a | yes | 112 | | subnets | The list of subnets being created |
`list(object({ mirror_vpc_network = string, collector_vpc_subnet_cidr = string, collector_vpc_subnet_region = string }))`
| n/a | yes | 113 | | cidr\_ranges | IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported. | `list(string)` | `[]` | no | 114 | | credentials | Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no | 115 | | direction | Direction of traffic to mirror. Default value: "BOTH" Possible values: ["INGRESS", "EGRESS", "BOTH"] | `string` | `"BOTH"` | no | 116 | | ip\_protocols | Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"] | `list(string)` | `[]` | no | 117 | | mirror\_vpc\_instances | Mirror VPC Instances list to be mirrored.

**(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)** | `map(list(string))` | `{}` | no | 118 | | mirror\_vpc\_subnets | Mirror VPC Subnets list to be mirrored. | `map(list(string))` | `{}` | no | 119 | | mirror\_vpc\_tags | Mirror VPC Tags list to be mirrored. | `map(list(string))` | `{}` | no | 120 | 121 | ## Outputs 122 | 123 | | Name | Description | 124 | |------|-------------| 125 | | autoscaler\_ids | Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}} | 126 | | collector\_vpc\_network\_id | The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}. | 127 | | collector\_vpc\_subnets\_ids | Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}} | 128 | | forwarding\_rule\_ids | Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}} | 129 | | health\_check\_id | Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}} | 130 | | intance\_group\_ids | Managed Instance Group identifier for the resource with format {{disk.name}} | 131 | | intance\_groups | The full URL of the instance group created by the manager. 
| 132 | | intance\_template\_ids | Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}} | 133 | | loadbalancer\_ids | Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}} | 134 | | packet\_mirroring\_policy\_ids | Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}} | 135 | 136 | 137 | To provision this example, run the following from within this directory: 138 | - `terraform init` to get the plugins 139 | - `terraform plan` to see the infrastructure plan 140 | - `terraform apply` to apply the infrastructure build 141 | - `terraform destroy` to destroy the built infrastructure -------------------------------------------------------------------------------- /examples/multiple_vpc_support/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

# -------------------------------------------------------------- #
# PROVIDER CONFIGURATION
# -------------------------------------------------------------- #

# var.credentials is a path to a service-account key file (see variables.tf);
# with the empty default the provider falls back to Application Default
# Credentials, so no key file has to live next to this example.
provider "google" {
  credentials = var.credentials
}

# -------------------------------------------------------------- #
# MODULE CONFIGURATIONS
# -------------------------------------------------------------- #

# NOTE(review): the source is an absolute path, so this example only resolves
# where the module is mounted at "/google_zeek_automation" (presumably the
# test harness); a path relative to this directory would make the example
# self-contained — confirm against test/fixtures before changing it.
# var.gcp_project_id feeds the module's `gcp_project` input; the three
# mirror_vpc_* maps select which resources of each mirror VPC are mirrored,
# and the three optional filters narrow the mirrored traffic itself.
module "google_zeek_automation" {
  source                = "/google_zeek_automation"
  gcp_project           = var.gcp_project_id
  service_account_email = var.service_account_email

  collector_vpc_name   = var.collector_vpc_name
  subnets              = var.subnets
  mirror_vpc_subnets   = var.mirror_vpc_subnets
  mirror_vpc_instances = var.mirror_vpc_instances
  mirror_vpc_tags      = var.mirror_vpc_tags

  # Optional Parameters (each has a default in variables.tf)
  ip_protocols = var.ip_protocols
  direction    = var.direction
  cidr_ranges  = var.cidr_ranges
}
-------------------------------------------------------------------------------- /examples/multiple_vpc_support/outputs.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Every output below re-exports one module output unchanged. The "intance_"
# spelling is the module's own output name: renaming only here would break
# any consumer of `terraform output` and diverge from the README tables, so
# the typo is deliberately left in place until the module is renamed.
output "collector_vpc_network_id" {
  description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}."
  value       = module.google_zeek_automation.collector_vpc_network_id
}

output "collector_vpc_subnets_ids" {
  description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}"
  value       = module.google_zeek_automation.collector_vpc_subnets_ids
}

output "intance_template_ids" {
  description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}"
  value       = module.google_zeek_automation.intance_template_ids
}

output "health_check_id" {
  description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}"
  value       = module.google_zeek_automation.health_check_id
}

# NOTE(review): "{{disk.name}}" in this description does not look like an
# instance-group identifier format (it reads like a copy-and-paste slip from a
# disk output); confirm the real format against the module's output and fix
# the wording there so this file and the README tables follow.
output "intance_group_ids" {
  description = "Managed Instance Group identifier for the resource with format {{disk.name}}"
  value       = module.google_zeek_automation.intance_group_ids
}

output "intance_groups" {
  description = "The full URL of the instance group created by the manager."
  value       = module.google_zeek_automation.intance_groups
}

output "autoscaler_ids" {
  description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}"
  value       = module.google_zeek_automation.autoscaler_ids
}

output "loadbalancer_ids" {
  description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}"
  value       = module.google_zeek_automation.loadbalancer_ids
}

output "forwarding_rule_ids" {
  description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}"
  value       = module.google_zeek_automation.forwarding_rule_ids
}

output "packet_mirroring_policy_ids" {
  description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}"
  value       = module.google_zeek_automation.packet_mirroring_policy_ids
}
-------------------------------------------------------------------------------- /examples/multiple_vpc_support/variables.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # BACKEND CONFIGURATION VARIABLES 19 | # -------------------------------------------------------------- # 20 | 21 | variable "credentials" { 22 | description = "Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials." 23 | type = string 24 | default = "" 25 | } 26 | 27 | variable "bucket" { 28 | description = "Name of the bucket to store .tfstate file remotely." 29 | type = string 30 | } 31 | 32 | # -------------------------------------------------------------- # 33 | # MODULE VARIABLES 34 | # -------------------------------------------------------------- # 35 | 36 | variable "gcp_project_id" { 37 | description = "GCP Project ID where collector vpc will be provisioned." 38 | type = string 39 | } 40 | 41 | variable "service_account_email" { 42 | description = "User's Service Account Email." 43 | type = string 44 | } 45 | 46 | variable "collector_vpc_name" { 47 | description = "This is name of collector vpc." 48 | type = string 49 | } 50 | 51 | variable "subnets" { 52 | description = "The list of subnets being created." 53 | type = list(object({ 54 | mirror_vpc_network = string 55 | collector_vpc_subnet_cidr = string 56 | collector_vpc_subnet_region = string 57 | })) 58 | } 59 | 60 | variable "mirror_vpc_subnets" { 61 | description = "Mirror VPC Subnets list to be mirrored." 62 | type = map(list(string)) 63 | default = {} 64 | } 65 | 66 | variable "mirror_vpc_tags" { 67 | description = "Mirror VPC Tags list to be mirrored." 68 | type = map(list(string)) 69 | default = {} 70 | } 71 | 72 | variable "mirror_vpc_instances" { 73 | description = "Mirror VPC Instances list to be mirrored. 
(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)" 74 | type = map(list(string)) 75 | default = {} 76 | } 77 | 78 | variable "ip_protocols" { 79 | description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]" 80 | type = list(string) 81 | default = [] 82 | } 83 | 84 | variable "direction" { 85 | description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]" 86 | type = string 87 | default = "BOTH" 88 | } 89 | 90 | variable "cidr_ranges" { 91 | description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported." 92 | type = list(string) 93 | default = [] 94 | } 95 | -------------------------------------------------------------------------------- /examples/multiple_vpc_support/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13.5" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.55" 23 | } 24 | } 25 | backend "gcs" {} 26 | } -------------------------------------------------------------------------------- /examples/packet_mirroring_traffic_filtering/README.md: -------------------------------------------------------------------------------- 1 | # Packet Mirroring Traffic Filtering 2 | This example demonstrates how to use traffic filtering parameters for packet-mirroring policy. 3 | 4 | ## Usage 5 | 6 | ```tf 7 | module "google_zeek_automation" { 8 | source = "/google_zeek_automation" 9 | gcp_project = var.gcp_project_id 10 | service_account_email = var.service_account_email 11 | 12 | collector_vpc_name = var.collector_vpc_name 13 | subnets = var.subnets 14 | mirror_vpc_subnets = var.mirror_vpc_subnets 15 | 16 | # Optional Parameters 17 | ip_protocols = var.ip_protocols 18 | direction = var.direction 19 | cidr_ranges = var.cidr_ranges 20 | } 21 | ``` 22 | Above variables can be set either by specifying it through [Environment Variables](https://www.terraform.io/docs/cli/config/environment-variables.html#tf_var_name) or setting it in `terraform.tfvars` file. Below is an example of how to set the variables in `terraform.tfvars` file. 23 | 24 | ```tf 25 | gcp_project_id = "{{collector_project_id}}" 26 | 27 | service_account_email = "{{User's Service Account Email.}}" 28 | 29 | collector_vpc_name = "{{collector-vpc}}" 30 | 31 | subnets = [ 32 | { 33 | mirror_vpc_network = "{{mirror_vpc_network}}" 34 | collector_vpc_subnet_cidr = "{{subnet_cidr}}" 35 | collector_vpc_subnet_region = "{{region}}" 36 | }, 37 | 38 | # Note: For each mirror VPC and regions, user needs to repeat above block accordingly. 
39 | ] 40 | 41 | mirror_vpc_subnets = { 42 | "{{mirror_project_id--mirror_vpc_name--region}}" = ["{{subnet_id}}"] 43 | } 44 | 45 | 46 | # Packet Mirroring Traffic Filtering 47 | 48 | ip_protocols = ["{{protocol}}"] # Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"] 49 | 50 | direction = "{{direction_of_traffic}}" # Direction of traffic to mirror. Possible values: "INGRESS", "EGRESS", "BOTH" 51 | 52 | cidr_ranges = ["{{cidr}}"] # "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header." 53 | 54 | ``` 55 | 56 | ## Inputs 57 | 58 | | Name | Description | Type | Default | Required | 59 | |------|-------------|------|---------|:--------:| 60 | | bucket | Name of the bucket to store .tfstate file remotely. | `string` | n/a | yes | 61 | | gcp_project_id | GCP Project ID where collector vpc will be provisioned. | `string` | n/a | yes | 62 | | service_account_email | User's Service Account Email. | `string` | n/a | yes | 63 | | collector_vpc_name | This is name of collector vpc. | `string` | n/a | yes | 64 | | subnets | The list of subnets being created |
list(object({
mirror_vpc_network = string
collector_vpc_subnet_cidr = string
collector_vpc_subnet_region = string
}))
| n/a | yes | 65 | | cidr\_ranges | IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported. | `list(string)` | `[]` | no | 66 | | credentials | Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no | 67 | | direction | Direction of traffic to mirror. Default value: "BOTH" Possible values: ["INGRESS", "EGRESS", "BOTH"] | `string` | `"BOTH"` | no | 68 | | ip\_protocols | Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"] | `list(string)` | `[]` | no | 69 | | mirror\_vpc\_instances | Mirror VPC Instances list to be mirrored.

**(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)** | `map(list(string))` | `{}` | no | 70 | | mirror\_vpc\_subnets | Mirror VPC Subnets list to be mirrored. | `map(list(string))` | `{}` | no | 71 | | mirror\_vpc\_tags | Mirror VPC Tags list to be mirrored. | `map(list(string))` | `{}` | no | 72 | 73 | ## Outputs 74 | 75 | | Name | Description | 76 | |------|-------------| 77 | | autoscaler\_ids | Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}} | 78 | | collector\_vpc\_network\_id | The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}. | 79 | | collector\_vpc\_subnets\_ids | Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}} | 80 | | forwarding\_rule\_ids | Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}} | 81 | | health\_check\_id | Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}} | 82 | | intance\_group\_ids | Managed Instance Group identifier for the resource with format {{disk.name}} | 83 | | intance\_groups | The full URL of the instance group created by the manager. 
| 84 | | intance\_template\_ids | Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}} | 85 | | loadbalancer\_ids | Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}} | 86 | | packet\_mirroring\_policy\_ids | Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}} | 87 | 88 | 89 | To provision this example, run the following from within this directory: 90 | - `terraform init` to get the plugins 91 | - `terraform plan` to see the infrastructure plan 92 | - `terraform apply` to apply the infrastructure build 93 | - `terraform destroy` to destroy the built infrastructure -------------------------------------------------------------------------------- /examples/packet_mirroring_traffic_filtering/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # PROVIDER CONFIGURATION 19 | # -------------------------------------------------------------- # 20 | 21 | provider "google" { 22 | credentials = var.credentials 23 | } 24 | 25 | # -------------------------------------------------------------- # 26 | # MODULE CONFIGURATIONS 27 | # -------------------------------------------------------------- # 28 | 29 | module "google_zeek_automation" { 30 | source = "/google_zeek_automation" 31 | gcp_project = var.gcp_project_id 32 | service_account_email = var.service_account_email 33 | 34 | collector_vpc_name = var.collector_vpc_name 35 | subnets = var.subnets 36 | mirror_vpc_subnets = var.mirror_vpc_subnets 37 | 38 | # Optional Parameters 39 | ip_protocols = var.ip_protocols 40 | direction = var.direction 41 | cidr_ranges = var.cidr_ranges 42 | } -------------------------------------------------------------------------------- /examples/packet_mirroring_traffic_filtering/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 
19 | value = module.google_zeek_automation.collector_vpc_network_id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = module.google_zeek_automation.collector_vpc_subnets_ids 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = module.google_zeek_automation.intance_template_ids 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = module.google_zeek_automation.health_check_id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = module.google_zeek_automation.intance_group_ids 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = module.google_zeek_automation.intance_groups 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = module.google_zeek_automation.autoscaler_ids 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = module.google_zeek_automation.loadbalancer_ids 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = module.google_zeek_automation.forwarding_rule_ids 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = module.google_zeek_automation.packet_mirroring_policy_ids 65 | } -------------------------------------------------------------------------------- /examples/packet_mirroring_traffic_filtering/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # BACKEND CONFIGURATION VARIABLES 19 | # -------------------------------------------------------------- # 20 | 21 | variable "credentials" { 22 | description = "Path to a service account credentials file with rights to run the Google Zeek Automation. If this file is absent Terraform will fall back to Application Default Credentials." 23 | type = string 24 | default = "" 25 | } 26 | 27 | variable "bucket" { 28 | description = "Name of the bucket to store .tfstate file remotely." 29 | type = string 30 | } 31 | 32 | # -------------------------------------------------------------- # 33 | # MODULE VARIABLES 34 | # -------------------------------------------------------------- # 35 | 36 | variable "gcp_project_id" { 37 | description = "GCP Project ID where collector vpc will be provisioned." 38 | type = string 39 | } 40 | 41 | variable "service_account_email" { 42 | description = "User's Service Account Email." 43 | type = string 44 | } 45 | 46 | variable "collector_vpc_name" { 47 | description = "This is name of collector vpc." 48 | type = string 49 | } 50 | 51 | variable "subnets" { 52 | description = "The list of subnets being created." 53 | type = list(object({ 54 | mirror_vpc_network = string 55 | collector_vpc_subnet_cidr = string 56 | collector_vpc_subnet_region = string 57 | })) 58 | } 59 | 60 | variable "mirror_vpc_subnets" { 61 | description = "Mirror VPC Subnets list to be mirrored." 62 | type = map(list(string)) 63 | default = {} 64 | } 65 | 66 | variable "mirror_vpc_tags" { 67 | description = "Mirror VPC Tags list to be mirrored." 68 | type = map(list(string)) 69 | default = {} 70 | } 71 | 72 | variable "mirror_vpc_instances" { 73 | description = "Mirror VPC Instances list to be mirrored. 
(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)" 74 | type = map(list(string)) 75 | default = {} 76 | } 77 | 78 | variable "ip_protocols" { 79 | description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]" 80 | type = list(string) 81 | default = [] 82 | } 83 | 84 | variable "direction" { 85 | description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]" 86 | type = string 87 | default = "BOTH" 88 | } 89 | 90 | variable "cidr_ranges" { 91 | description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported." 92 | type = list(string) 93 | default = [] 94 | } 95 | -------------------------------------------------------------------------------- /examples/packet_mirroring_traffic_filtering/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13.5" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.55" 23 | } 24 | } 25 | backend "gcs" {} 26 | } -------------------------------------------------------------------------------- /files/startup_script.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
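# Rendered by Terraform templatefile() from the instance template in main.tf:
# the template variables vpc_name, project_id, collector_cidr and ip_cidrs are
# substituted before the script reaches the VM, and a doubled dollar sign is
# the template escape for a literal shell parameter expansion.
#
# This script runs on every boot of a collector VM. Zeek and the logging agent
# are (re)deployed each time; the one-off edits to the Zeek site configuration
# and to the Apache configuration are each guarded by a sentinel file so that a
# reboot does not append the same configuration lines a second time.

# Remove the image-build account left behind by Packer so no extra login
# account with a well-known name exists on the collector. Harmless when the
# account is already gone (this script does not use set -e).
sudo userdel -r packer

# Mirrored traffic arrives on the VM's NIC; use the first non-loopback
# interface. head -n1 keeps the value single-line on a VM with several NICs,
# where a multi-line value broke the sed expression on node.cfg below.
INTERFACE_NAME="$(ip -br link | grep -v LOOPBACK | awk '{ print $1 }' | head -n1)"
export INTERFACE_NAME

zeek_site="/usr/local/zeek/share/zeek/site"
zeek_etc="/usr/local/zeek/etc"
# Sentinel created by this script once the Zeek site configuration is written.
zeek_configured="/etc/zeek_config_completed"

if [ ! -f "$zeek_configured" ]; then
  # Tag every log record with the mirrored VPC and project (see add_fields.zeek).
  sed -i 's/"vpc"/"${vpc_name}"/' "$zeek_site/add_fields.zeek"
  sed -i 's/"project"/"${project_id}"/' "$zeek_site/add_fields.zeek"

  # Exclude the collector's own subnet from capture so health-check, logging
  # and peering traffic to the collector is not analysed as mirrored traffic.
  # Previously this append ran on every boot and accumulated duplicate redefs.
  echo -e '\n# Ignore collector subnets\nredef PacketFilter::default_capture_filter="(ip or not ip) and not (net ${collector_cidr})";\n' >> "$zeek_site/local.zeek"

  # Bind the Zeek worker to the mirrored interface and expire logs after 3 days.
  sed -i "0,/interface=.*/s//interface=$INTERFACE_NAME/" "$zeek_etc/node.cfg"
  sed -i '0,/LogExpireInterval = .*/s//LogExpireInterval = 3day/' "$zeek_etc/zeekctl.cfg"

  # Networks Zeek should treat as local; the content is rendered by Terraform.
  echo "" >> "$zeek_etc/networks.cfg"
  echo -e '${ip_cidrs}' >> "$zeek_etc/networks.cfg"

  touch "$zeek_configured"
fi

export PATH=/usr/local/zeek/bin:$PATH
zeekctl install
zeekctl deploy

# Restart the Cloud Logging agent after Zeek has been deployed.
systemctl restart google-fluentd

# Apache serves a trivial page so the ILB HTTP health check on port 80 (and the
# other listen ports below) sees a healthy backend. Configured once only.
if [ -f /etc/startup_script_completed ]; then
  exit 0
fi
a2ensite default-ssl
a2enmod ssl

file_ports="/etc/apache2/ports.conf"
file_http_site="/etc/apache2/sites-available/000-default.conf"

http_listen_prts="Listen 80\nListen 8008\nListen 8080\nListen 8088"
http_vh_prts="*:80 *:8008 *:8080 *:8088"

# Instance name from the metadata server (link-local address, never routed
# off-host). -s/-f keep a transient metadata error from landing in the page.
vm_hostname="$(curl -sf -H "Metadata-Flavor:Google" \
  http://169.254.169.254/computeMetadata/v1/instance/name)"

echo "Page served from: $vm_hostname" | \
  tee /var/www/html/index.html

# Rewrite the Listen directives in place. The doubled dollar sign is the
# Terraform template escape; the rendered script sees a plain shell expansion.
prt_conf="$(cat "$file_ports")"
prt_conf_2="$(echo "$prt_conf" | sed "s|Listen 80|$${http_listen_prts}|")"

echo "$prt_conf_2" | tee "$file_ports"

http_site_conf="$(cat "$file_http_site")"
http_site_conf_2="$(echo "$http_site_conf" | sed "s|*:80|$${http_vh_prts}|")"

echo "$http_site_conf_2" | tee "$file_http_site"

systemctl restart apache2

touch /etc/startup_script_completed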
-------------------------------------------------------------------------------- /kitchen.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | --- 16 | driver: 17 | name: "terraform" 18 | command_timeout: 1800 19 | verify_version: false 20 | 21 | provisioner: 22 | name: "terraform" 23 | 24 | platforms: 25 | - name: terraform 26 | 27 | suites: 28 | - name: "basic_configuration" 29 | driver: 30 | name: "terraform" 31 | command_timeout: 1800 32 | root_module_directory: test/fixtures/basic_configuration/ 33 | verifier: 34 | name: terraform 35 | color: true 36 | systems: 37 | - name: inspec-gcp 38 | backend: gcp 39 | controls: 40 | - gcp 41 | 42 | - name: "mirror_resource_filtering" 43 | driver: 44 | name: "terraform" 45 | command_timeout: 1800 46 | root_module_directory: test/fixtures/mirror_resource_filtering/ 47 | verifier: 48 | name: terraform 49 | color: true 50 | systems: 51 | - name: inspec-gcp 52 | backend: gcp 53 | controls: 54 | - gcp 55 | 56 | - name: "packet_mirroring_traffic_filtering" 57 | driver: 58 | name: "terraform" 59 | command_timeout: 1800 60 | root_module_directory: test/fixtures/packet_mirroring_traffic_filtering/ 61 | verifier: 62 | name: terraform 63 | color: true 64 | systems: 65 | - name: inspec-gcp 66 | backend: gcp 67 | controls: 68 | - gcp 69 | 70 | - name: "multiple_vpc_support" 71 | 
driver: 72 | name: "terraform" 73 | command_timeout: 1800 74 | root_module_directory: test/fixtures/multiple_vpc_support/ 75 | verifier: 76 | name: terraform 77 | color: true 78 | systems: 79 | - name: inspec-gcp 80 | backend: gcp 81 | controls: 82 | - gcp 83 | 84 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | 18 | locals { 19 | gcp_project_id = var.gcp_project 20 | mirror_vpc_network_id = distinct([for subnet in var.subnets : subnet.mirror_vpc_network]) 21 | 22 | packet_mirroring_mirror_subnet_sources = var.mirror_vpc_subnets 23 | packet_mirroring_mirror_tag_sources = var.mirror_vpc_tags 24 | packet_mirroring_mirror_instance_sources = var.mirror_vpc_instances 25 | 26 | collector_vpc_name = var.collector_vpc_name 27 | collector_vpc_subnets = { 28 | for subnet in var.subnets : "${element(split("/", subnet.mirror_vpc_network), 1)}--${element(split("/", subnet.mirror_vpc_network), 4)}--${subnet.collector_vpc_subnet_region}" => subnet 29 | } 30 | 31 | collector_vpc_subnets_cidrs = { 32 | for subnet in var.subnets : "${element(split("/", subnet.mirror_vpc_network), 1)}--${element(split("/", subnet.mirror_vpc_network), 4)}--${subnet.collector_vpc_subnet_region}" => subnet.collector_vpc_subnet_cidr 33 | } 34 | 35 | subnet_key_count = [ 36 | for key in var.subnets : "${element(split("/", key.mirror_vpc_network), 1)}--${element(split("/", key.mirror_vpc_network), 4)}--${key.collector_vpc_subnet_region}" 37 | ] 38 | 39 | same_project_mirror_networks = [for network in local.mirror_vpc_network_id : network if element(split("/", network), 1) == local.gcp_project_id] 40 | } 41 | 42 | # -------------------------------------------------------------- # 43 | # VPC NETWORK 44 | # -------------------------------------------------------------- # 45 | 46 | resource "google_compute_network" "main" { 47 | name = local.collector_vpc_name 48 | project = local.gcp_project_id 49 | routing_mode = var.vpc_routing_mode 50 | description = var.vpc_description 51 | auto_create_subnetworks = var.auto_create_subnetworks 52 | delete_default_routes_on_create = var.delete_default_internet_gateway_routes 53 | mtu = var.mtu 54 | } 55 | 56 | 57 | resource "google_compute_subnetwork" "main" { 58 | for_each = local.collector_vpc_subnets 59 | name = format("%s-%s-%02d", local.collector_vpc_name, 
"subnet", index(var.subnets, each.value) + 1)
  project                  = local.gcp_project_id
  ip_cidr_range            = each.value.collector_vpc_subnet_cidr
  region                   = each.value.collector_vpc_subnet_region
  private_ip_google_access = var.private_ip_google_access
  network                  = google_compute_network.main.self_link
  depends_on               = [google_compute_network.main]
}

# -------------------------------------------------------------- #
# FIREWALL-RULES
# -------------------------------------------------------------- #

# Google's health-check probes reach the collectors from the two published
# probe ranges below, so only those sources need TCP/80 (the Apache page the
# startup script serves); nothing broader is opened for the health check.
resource "google_compute_firewall" "allow-health-check" {
  name      = "${local.collector_vpc_name}-rule-allow-health-check"
  project   = local.gcp_project_id
  network   = google_compute_network.main.name
  direction = "INGRESS"
  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
  depends_on    = [google_compute_subnetwork.main]
}

# Mirrored packets delivered to the collector VMs are evaluated by this VPC's
# ingress firewall, so without an allow rule the mirrored traffic is dropped
# before Zeek sees it. As written the rule admits any protocol from any source,
# which also admits ordinary (non-mirrored) traffic to the collectors. The
# instance template attaches no external IP, so exposure is limited to this
# VPC and its peerings, but a narrower rule (source_ranges limited to the
# mirrored subnet CIDRs, or target_tags matching only the collector template)
# is preferable whenever the mirrored ranges are known in advance.
resource "google_compute_firewall" "allow_ingress" {
  name      = "${local.collector_vpc_name}-rule-allow-ingress"
  project   = local.gcp_project_id
  network   = google_compute_network.main.name
  direction = "INGRESS"
  allow {
    protocol = "all"
  }
  source_ranges = ["0.0.0.0/0"]
  depends_on    = [google_compute_subnetwork.main]
}

# One egress rule per same-project mirror VPC (cross-project networks are
# filtered out in local.same_project_mirror_networks). destination_ranges is
# limited to the collector subnet CIDRs attached to that mirror network, so the
# rule only widens egress towards the collectors; it only has an effect when
# the mirror VPC carries deny-egress rules, since GCP's implied rule already
# allows all egress.
resource "google_compute_firewall" "allow_egress" {
  for_each  = toset(local.same_project_mirror_networks)
  name      = "${element(split("/", each.value), 4)}-rule-allow-egress"
  project   = local.gcp_project_id
  network   = element(split("/", each.value), 4)
  direction = "EGRESS"
  allow {
    protocol = "all"
  }
  destination_ranges = [for subnet in var.subnets : subnet.collector_vpc_subnet_cidr if subnet.mirror_vpc_network == each.value]
  depends_on         = [google_compute_subnetwork.main]
}

# -------------------------------------------------------------- #
# VPC-PEERING
# 
-------------------------------------------------------------- # 113 | 114 | resource "google_compute_network_peering" "mirror_vpc_network_peering" { 115 | for_each = toset(local.same_project_mirror_networks) 116 | name = format("%s-%s-%02d", "mirror-to-", local.collector_vpc_name, index(local.same_project_mirror_networks, each.key) + 1) 117 | network = each.value 118 | peer_network = google_compute_network.main.id 119 | export_custom_routes = var.export_local_custom_routes 120 | import_custom_routes = var.export_peer_custom_routes 121 | depends_on = [google_compute_subnetwork.main, google_compute_firewall.allow_egress] 122 | } 123 | 124 | resource "google_compute_network_peering" "collector_vpc_network_peering" { 125 | for_each = toset(local.mirror_vpc_network_id) 126 | name = format("%s-%s-%02d", local.collector_vpc_name, "to-mirror", index(local.mirror_vpc_network_id, each.key) + 1) 127 | network = google_compute_network.main.id 128 | peer_network = each.value 129 | export_custom_routes = var.export_peer_custom_routes 130 | import_custom_routes = var.export_local_custom_routes 131 | 132 | depends_on = [google_compute_subnetwork.main, google_compute_firewall.allow_egress, google_compute_network_peering.mirror_vpc_network_peering] 133 | } 134 | 135 | # -------------------------------------------------------------- # 136 | # INSTANCE-TEMPLATE 137 | # -------------------------------------------------------------- # 138 | 139 | resource "google_compute_instance_template" "main" { 140 | for_each = local.collector_vpc_subnets 141 | name = format("%s-%02d", local.collector_vpc_name, index(var.subnets, each.value) + 1) 142 | project = local.gcp_project_id 143 | description = var.template_description 144 | metadata_startup_script = templatefile( 145 | "${path.module}/files/startup_script.sh", 146 | { 147 | vpc_id = each.value.mirror_vpc_network 148 | project_id = element(split("/", each.value.mirror_vpc_network), 1) 149 | vpc_name = element(split("/", 
each.value.mirror_vpc_network), 4)
      # Appended to Zeek's networks.cfg by the startup script; 0.0.0.0/0
      # presumably makes Zeek treat every address as "local" — confirm against
      # the Zeek site policy before relying on local/remote distinctions.
      ip_cidrs       = format("0.0.0.0/0\tAll-Traffic\n"),
      # The collector subnet CIDR that the startup script excludes from capture.
      collector_cidr = lookup(local.collector_vpc_subnets_cidrs, each.key)
  })

  machine_type   = var.machine_type
  # Collectors only inspect mirrored packets; they must never route them on.
  can_ip_forward = false

  disk {
    # Image produced by the packer/ build in this repository (presumably); pin
    # var.golden_image to a specific image rather than a family so the
    # collector fleet is reproducible and image changes are deliberate.
    source_image = var.golden_image
    auto_delete  = true
    boot         = true
  }

  # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
  # The cloud-platform scope is broad: the collector's effective access is
  # exactly the IAM roles held by var.service_account_email, so keep that
  # account limited to the log/metric writer roles the agents need.
  service_account {
    email  = var.service_account_email
    scopes = ["cloud-platform", "logging-write", "monitoring"]
  }

  # No access_config block: collectors get internal addresses only and are
  # reachable solely through the collector VPC and its peerings.
  network_interface {
    network    = google_compute_network.main.self_link
    subnetwork = google_compute_subnetwork.main[each.key].id
  }

  depends_on = [google_compute_subnetwork.main, google_compute_network_peering.collector_vpc_network_peering]
}

# -------------------------------------------------------------- #
# HEALTH-CHECK
# -------------------------------------------------------------- #

# HTTP probe on port 80, matching the allow-health-check firewall rule and the
# Apache listener that files/startup_script.sh configures on the collectors.
resource "google_compute_health_check" "main" {
  name                = "${local.collector_vpc_name}-http-health-check"
  project             = local.gcp_project_id
  description         = "Health check via http"
  timeout_sec         = 5
  check_interval_sec  = 10
  healthy_threshold   = 2
  unhealthy_threshold = 3

  http_health_check {
    port = 80
  }
  depends_on = [google_compute_instance_template.main]
}

# -------------------------------------------------------------- #
# MANAGED-INSTANCE-GROUP
# -------------------------------------------------------------- #

resource "google_compute_region_instance_group_manager" "main" {
  for_each = google_compute_instance_template.main
  name     = format("%s-%02d", local.collector_vpc_name, index(local.subnet_key_count, each.key) + 1)
  # each.key is "<project>--<vpc>--<region>" (see local.collector_vpc_subnets).
  region   = format("%s", element(split("--", each.key), 2))

project = local.gcp_project_id 205 | base_instance_name = "mig-instance" 206 | 207 | version { 208 | instance_template = each.value.id 209 | } 210 | 211 | auto_healing_policies { 212 | health_check = google_compute_health_check.main.id 213 | initial_delay_sec = 90 214 | } 215 | 216 | depends_on = [google_compute_instance_template.main, google_compute_health_check.main] 217 | } 218 | 219 | # -------------------------------------------------------------- # 220 | # AUTO-SCALER 221 | # -------------------------------------------------------------- # 222 | 223 | resource "google_compute_region_autoscaler" "main" { 224 | for_each = google_compute_region_instance_group_manager.main 225 | name = format("%s-%02d", local.collector_vpc_name, index(local.subnet_key_count, each.key) + 1) 226 | project = local.gcp_project_id 227 | region = format("%s", element(split("/", each.value.id), 3)) 228 | target = each.value.id 229 | 230 | autoscaling_policy { 231 | max_replicas = 5 232 | min_replicas = 1 233 | cooldown_period = 240 234 | 235 | cpu_utilization { 236 | target = 0.75 237 | } 238 | } 239 | 240 | depends_on = [google_compute_region_instance_group_manager.main] 241 | } 242 | 243 | # -------------------------------------------------------------- # 244 | # INTERNAL-LOAD-BALANCER 245 | # -------------------------------------------------------------- # 246 | 247 | resource "google_compute_region_backend_service" "main" { 248 | for_each = google_compute_region_instance_group_manager.main 249 | name = format("%s-%02d", local.collector_vpc_name, index(local.subnet_key_count, each.key) + 1) 250 | project = local.gcp_project_id 251 | region = format("%s", element(split("/", each.value.instance_group), 8)) 252 | health_checks = [google_compute_health_check.main.id] 253 | load_balancing_scheme = "INTERNAL" 254 | 255 | backend { 256 | group = each.value.instance_group 257 | } 258 | 259 | depends_on = [google_compute_region_instance_group_manager.main, 
google_compute_region_autoscaler.main] 260 | } 261 | 262 | # -------------------------------------------------------------- # 263 | # FORWARDING-RULE 264 | # -------------------------------------------------------------- # 265 | 266 | resource "google_compute_forwarding_rule" "main" { 267 | for_each = google_compute_region_backend_service.main 268 | name = format("%s-%02d", local.collector_vpc_name, index(local.subnet_key_count, each.key) + 1) 269 | project = local.gcp_project_id 270 | region = format("%s", element(split("/", each.value.id), 3)) 271 | load_balancing_scheme = "INTERNAL" 272 | backend_service = each.value.id 273 | all_ports = true 274 | allow_global_access = false 275 | is_mirroring_collector = true 276 | network = google_compute_network.main.self_link 277 | subnetwork = google_compute_subnetwork.main[each.key].id 278 | depends_on = [google_compute_region_backend_service.main] 279 | } 280 | 281 | # -------------------------------------------------------------- # 282 | # PACKET-MIRRORING 283 | # -------------------------------------------------------------- # 284 | 285 | resource "google_compute_packet_mirroring" "main" { 286 | for_each = local.collector_vpc_subnets 287 | name = format("%s-%02d", local.collector_vpc_name, index(local.subnet_key_count, each.key) + 1) 288 | project = local.gcp_project_id 289 | region = each.value.collector_vpc_subnet_region 290 | 291 | network { 292 | url = each.value.mirror_vpc_network 293 | } 294 | 295 | collector_ilb { 296 | url = google_compute_forwarding_rule.main[each.key].id 297 | } 298 | 299 | mirrored_resources { 300 | dynamic "subnetworks" { 301 | for_each = lookup(local.packet_mirroring_mirror_subnet_sources, each.key, []) 302 | content { 303 | url = subnetworks.value 304 | } 305 | } 306 | 307 | tags = lookup(local.packet_mirroring_mirror_tag_sources, each.key, []) 308 | 309 | dynamic "instances" { 310 | for_each = lookup(local.packet_mirroring_mirror_instance_sources, each.key, []) 311 | content { 312 | url 
= instances.value 313 | } 314 | } 315 | } 316 | 317 | filter { 318 | ip_protocols = var.ip_protocols 319 | direction = var.direction 320 | cidr_ranges = var.cidr_ranges 321 | } 322 | 323 | depends_on = [google_compute_forwarding_rule.main] 324 | } -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 
19 | value = google_compute_network.main.id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = [for subnet in google_compute_subnetwork.main : subnet.id] 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = [for it in google_compute_instance_template.main : it.id] 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = google_compute_health_check.main.id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = [for ig in google_compute_region_instance_group_manager.main : ig.id] 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = [for ig in google_compute_region_instance_group_manager.main : ig.instance_group] 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = [for scaler in google_compute_region_autoscaler.main : scaler.id] 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = [for ilb in google_compute_region_backend_service.main : ilb.id] 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = [for rule in google_compute_forwarding_rule.main : rule.id] 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = [for policy in google_compute_packet_mirroring.main : policy.id] 65 | } -------------------------------------------------------------------------------- /packer/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .env 3 | .flaskenv 4 | *.pyc 5 | *.pyo 6 | env/ 7 | dist/ 8 | build/ 9 | *.egg 10 | *.egg-info/ 11 | _mailinglist 12 | .tox/ 13 | .cache/ 14 | .pytest_cache/ 15 | .idea/ 16 | .vscode/ 17 | docs/_build/ 18 | __pycache__/ 19 | local.env 20 | ~$*.docx 21 | 22 | # Coverage and Test output 23 | coverage.txt 24 | test.txt 25 | report.xml 26 | fn_chronicle_integration/tests/mock_data/mock_log_file.log 27 | 28 | # Coverage reports 29 | htmlcov/ 30 | .coverage 31 | .coverage.* 32 | *,cover 33 | -------------------------------------------------------------------------------- /packer/README.md: 
-------------------------------------------------------------------------------- 1 | # Zeek-Fluentd Golden Image 2 | 3 | ## Pre-requisites: 4 | - [GCP service account with appropriate roles](#gcp-service-account-with-appropriate-roles) 5 | - [VPC network subnet specification for instance creation](#vpc-network-subnet-specification) 6 | - [Packer](https://learn.hashicorp.com/tutorials/packer/getting-started-install) 7 | 8 | 9 | ## GCP service account with appropriate roles 10 | 11 | - Authenticating with Google Cloud services requires a JSON Service Account Key. 12 | - To create a custom service account for Packer and assign to it `Compute Instance Admin (v1)` & `Service Account User` roles, follow the below instructions: 13 | - Log in to the Google Cloud Console and select a project. 14 | - Click Select a project, choose your project, and click Open. 15 | - Click Create Service Account. 16 | - Enter a service account name (friendly display name), an optional description, select the `Compute Engine Instance Admin (v1)` and `Service Account User` roles, and then click Save. 17 | - Generate a JSON Key and save it in a secure location. 18 | 19 | 20 | ## Steps for executing Packer Script 21 | 22 | #### **Input Parameters:** 23 | - **gce_credentials:** (mandatory) - The JSON file containing GCP account credentials. Environment variable name - **GCE_CREDENTIALS**. 24 | - **gce_project_id:** (mandatory) - The ID of the GCP project that will be used to launch instances and store images. Environment variable name - **GCE_PROJECT_ID**. 25 | - **gce_zone:** (mandatory) - The zone to launch the instance used to create the image. Example: "us-central1-a". Environment variable name - **GCE_ZONE**. 26 | - **gce_subnet_id** (mandatory) - The Google Compute subnetwork id or URL to use for the launched instance. Only required if the network has been created with custom subnetting. 
27 | > **Note:** If the value is not a URL, it will be interpolated to `projects/((network_project_id))/regions/((region))/subnetworks/((subnetwork))` 28 | 29 | Environment variable name - **GCE_SUBNET_ID**. 30 | - **gce_source_image_family:** (optional) - The source image family to use as a base image for the golden image. Example: "debian-10" 31 | - **ssh_username:** (optional) - The username to SSH the instance. Required if using SSH. 32 | - **custom_image_name:** (optional) - The unique name of the resulting image. Defaults to packer-{{timestamp}} 33 | - **custom_image_family:** (optional) - The name of the image family to which the resulting image belongs. 34 | 35 | **NOTE:** 36 | - All the mandatory parameters in the above list should be passed either with the environment variable or in the command line with the packer build command. Check - [How to Set Environment Variable](#how-to-set-environment-variable). 37 | - If the environment variable is provided and the parameter is passed using the command line, the value provided in the command line is preferred. 38 | - The name of the environment variable is provided in the above list. 39 | - All the optional parameters in the above list could be passed in the command line with the packer build command. 40 | 41 | --- 42 | #### **How to Set Environment Variable** 43 | - Windows: 44 | - Open command prompt. 45 | - Set the Environment Variable: 46 | ``` 47 | set GCE_CREDENTIALS=/file/path/to/credentials.json 48 | ``` 49 | - Verifying the set Environment Variable: 50 | ``` 51 | echo %GCE_CREDENTIALS% 52 | ``` 53 | - Linux/Unix or Mac: 54 | - Open Terminal. 
55 | - Set the Environment Variable: 56 | ``` 57 | export GCE_CREDENTIALS=/file/path/to/credentials.json 58 | ``` 59 | - Verifying the set Environment Variable: 60 | ``` 61 | echo $GCE_CREDENTIALS 62 | ``` 63 | 64 | ## **Running the Packer Script** 65 | - If all the mandatory parameters are passed using the environment variable and it's not required to pass the optional parameters, run the packer script: 66 | ``` 67 | packer build image.json 68 | ``` 69 | - If it's required that the mandatory parameters or any of the optional parameters should be passed in the command line with the packer build command, run the packer script in the following way: 70 | ``` 71 | packer build -var 'gce_credentials=/file/path/to/credentials.json' -var 'gce_project_id=project_id_1234' -var 'gce_zone=us-central1-a' -var 'custom_image_name=image_name' image.json 72 | ``` 73 | 74 | ## VPC Network Subnet Specification 75 | 76 | ### Case A: If default VPC does not exists 77 | - If default VPC does not exists and you want to specify your own subnetted vpc network then in environment variable `GCE_SUBNET_ID` set the value of your subnet URL or subnet ID. 78 | - For example: 79 | - For subnet URL, set environment variable `GCE_SUBNET_ID` value to `"https://www.googleapis.com/compute/v1/projects/YOUR_PROJECT_ID/regions/REGION/subnetworks/SUBNETWORK"`. 80 | - For subnet ID, set environment variable `GCE_SUBNET_ID` value to `"SUBNETWORK"`. 81 | > **Note**: The region of the subnetwork must match the `region or zone` in which the VM is launched. 82 | --- 83 | ### Case B: If default VPC exists 84 | 85 | - If the default vpc exists then in environment variable `GCE_SUBNET_ID` set the value `"default"`. 86 | 87 | 88 | 89 | ## Troubleshooting 90 | 91 | - If you get error like: `command not found` then run below commands to install and update required packages. 
92 | ``` 93 | sudo apt-get install software-properties-common git -y 94 | sudo apt-get update -y 95 | ``` -------------------------------------------------------------------------------- /packer/files/add_fields.zeek: -------------------------------------------------------------------------------- 1 | ## This file is added into /usr/local/zeek/share/zeek/site path. 2 | ## Used to add new attributes "vpc_name" and "project_id" in all required logs 3 | 4 | redef record Conn::Info += { 5 | vpc_name: string &default="vpc" &log; 6 | project_id: string &default="project" &log; 7 | }; 8 | 9 | redef record HTTP::Info += { 10 | vpc_name: string &default="vpc" &log; 11 | project_id: string &default="project" &log; 12 | }; 13 | 14 | redef record SSL::Info += { 15 | vpc_name: string &default="vpc" &log; 16 | project_id: string &default="project" &log; 17 | }; 18 | 19 | redef record SSH::Info += { 20 | vpc_name: string &default="vpc" &log; 21 | project_id: string &default="project" &log; 22 | }; 23 | 24 | redef record DNS::Info += { 25 | vpc_name: string &default="vpc" &log; 26 | project_id: string &default="project" &log; 27 | }; 28 | 29 | redef record DHCP::Info += { 30 | vpc_name: string &default="vpc" &log; 31 | project_id: string &default="project" &log; 32 | }; -------------------------------------------------------------------------------- /packer/files/append_local.zeek: -------------------------------------------------------------------------------- 1 | ## This will be required to configure custom Zeek 2 | 3 | # Produce JSON Streaming logs 4 | @load json-streaming-logs 5 | 6 | # add custom fields 7 | @load add_fields 8 | 9 | # Ignore checksums due top hardware offloading. 
10 | redef ignore_checksums = T; -------------------------------------------------------------------------------- /packer/files/json-streaming-logs.zeek: -------------------------------------------------------------------------------- 1 | module JSONStreaming; 2 | 3 | export { 4 | ## If you would like to disable your default logs and only log the 5 | ## "JSON streaming" format of logs set this to `T`. By default this setting 6 | ## will continue logging your logs in whatever format you specified 7 | ## and also log them with the "json_streaming_" prefix and all of the 8 | ## associated settings. 9 | const JSONStreaming::disable_default_logs = T &redef; 10 | 11 | ## The number of extra files that Bro will leave laying around so that 12 | ## any process watching the inode can finish. The files will be named 13 | ## with the following scheme: `json_streaming_..log`. So, the 14 | ## first conn log would be named: `json_streaming_conn.1.log`. 15 | const JSONStreaming::extra_files = 4 &redef; 16 | 17 | ## A rotation interval specifically for the JSON streaming logs. This is 18 | ## set separately since these logs are ephemeral and meant to be 19 | ## immediately carried off to some other storage and search system. 20 | const JSONStreaming::rotation_interval = 15mins &redef; 21 | } 22 | 23 | type JsonStreamingExtension: record { 24 | ## The log stream that this log was written to. 25 | path: string &log; 26 | ## Timestamp when the log was written. This is a 27 | ## timestamp as given by most other software. Any 28 | ## other log-specific fields will still be written. 29 | write_ts: time &log; 30 | }; 31 | 32 | function add_json_streaming_log_extension(path: string): JsonStreamingExtension 33 | { 34 | return JsonStreamingExtension($path = sub(path, /^json_streaming_/, ""), 35 | $write_ts = network_time()); 36 | } 37 | 38 | # We get the log suffix just to be safe. 39 | global log_suffix = getenv("ZEEK_LOG_SUFFIX") == "" ? 
"log" : getenv("ZEEK_LOG_SUFFIX"); 40 | 41 | function rotate_logs(info: Log::RotationInfo): bool 42 | { 43 | local i = extra_files-1; 44 | while ( i > 0 ) 45 | { 46 | if ( file_size(info$path + "." + cat(i) + "." + log_suffix) >= 0 ) 47 | { 48 | rename(info$path + "." + cat(i) + "." + log_suffix, 49 | info$path + "." + cat(i+1) + "." + log_suffix); 50 | } 51 | --i; 52 | } 53 | rename(info$fname, info$path + ".1.log"); 54 | return T; 55 | } 56 | 57 | event zeek_init() &priority=-1000 58 | { 59 | for ( stream in Log::active_streams ) 60 | { 61 | for ( filter_name in Log::get_filter_names(stream) ) 62 | { 63 | # This is here because we're modifying the list of filters right now... 64 | if ( /-json-streaming$/ in filter_name ) 65 | next; 66 | 67 | local filt = Log::get_filter(stream, filter_name); 68 | 69 | if ( filter_name == "default" && JSONStreaming::disable_default_logs ) 70 | filt$name = "default"; 71 | else 72 | filt$name = filter_name + "-json-streaming"; 73 | 74 | if ( filt?$path ) 75 | filt$path = "json_streaming_" + filt$path; 76 | else if ( filt?$path_func ) 77 | filt$path = "json_streaming_" + filt$path_func(stream, "", []); 78 | 79 | filt$writer = Log::WRITER_ASCII; 80 | filt$postprocessor = rotate_logs; 81 | filt$interv = rotation_interval; 82 | 83 | filt$ext_func = add_json_streaming_log_extension; 84 | filt$ext_prefix = "_"; 85 | 86 | # This works around a bug in the base logging script 87 | # that sets the default value to an incompatible type 88 | if ( |filt$config| == 0 ) 89 | filt$config = table_string_of_string(); 90 | 91 | filt$config["use_json"] = "T"; 92 | filt$config["json_timestamps"] = "JSON::TS_ISO8601"; 93 | # Ensure compressed logs are disabled. 
94 | filt$config["gzip_level"] = "0"; 95 | 96 | local result = Log::add_filter(stream, filt); 97 | } 98 | } 99 | } -------------------------------------------------------------------------------- /packer/files/zeek.conf: -------------------------------------------------------------------------------- 1 | ## place this file under /etc/google-fluentd/config.d 2 | 3 | @type tail 4 | format json 5 | path /usr/local/zeek/logs/current/json_streaming_conn.log 6 | pos_file /var/lib/google-fluentd/pos/zeek_json_streaming_conn.pos 7 | read_from_head true 8 | tag zeek_json_streaming_conn 9 | 10 | 11 | 12 | @type tail 13 | format json 14 | path /usr/local/zeek/logs/current/json_streaming_http.log 15 | pos_file /var/lib/google-fluentd/pos/zeek_json_streaming_http.pos 16 | read_from_head true 17 | tag zeek_json_streaming_http 18 | 19 | 20 | 21 | @type tail 22 | format json 23 | path /usr/local/zeek/logs/current/json_streaming_ssl.log 24 | pos_file /var/lib/google-fluentd/pos/zeek_json_streaming_ssl.pos 25 | read_from_head true 26 | tag zeek_json_streaming_ssl 27 | 28 | 29 | 30 | @type tail 31 | format json 32 | path /usr/local/zeek/logs/current/json_streaming_ssh.log 33 | pos_file /var/lib/google-fluentd/pos/zeek_json_streaming_ssh.pos 34 | read_from_head true 35 | tag zeek_json_streaming_ssh 36 | 37 | 38 | 39 | @type tail 40 | format json 41 | path /usr/local/zeek/logs/current/json_streaming_dns.log 42 | pos_file /var/lib/google-fluentd/pos/zeek_json_streaming_dns.pos 43 | read_from_head true 44 | tag zeek_json_streaming_dns 45 | 46 | 47 | 48 | @type tail 49 | format json 50 | path /usr/local/zeek/logs/current/json_streaming_dhcp.log 51 | pos_file /var/lib/google-fluentd/pos/zeek_json_streaming_dhcp.pos 52 | read_from_head true 53 | tag zeek_json_streaming_dhcp 54 | -------------------------------------------------------------------------------- /packer/image.json: -------------------------------------------------------------------------------- 1 | { 2 | "variables": { 3 | 
"gce_credentials": "{{env `GCE_CREDENTIALS`}}", 4 | "gce_project_id": "{{env `GCE_PROJECT_ID`}}", 5 | "gce_zone": "{{env `GCE_ZONE`}}", 6 | "gce_subnet_id": "{{env `GCE_SUBNET_ID`}}", 7 | "gce_source_image_family": "debian-10", 8 | "ssh_username": "packer", 9 | "custom_image_name": "zeek-fluentd-golden-image-v1", 10 | "custom_image_family": "zeek-fluentd-family" 11 | }, 12 | 13 | "builders": [ 14 | { 15 | "type": "googlecompute", 16 | "account_file": "{{ user `gce_credentials`}}", 17 | "project_id": "{{ user `gce_project_id`}}", 18 | "zone": "{{user `gce_zone`}}", 19 | "subnetwork": "{{user `gce_subnet_id`}}", 20 | "source_image_family": "{{user `gce_source_image_family`}}", 21 | "ssh_username": "{{user `ssh_username`}}", 22 | "image_name": "{{user `custom_image_name`}}", 23 | "image_description": "packer-{{user `custom_image_name`}}", 24 | "image_family": "{{user `custom_image_family`}}" 25 | } 26 | ], 27 | 28 | "provisioners": [ 29 | { 30 | "type": "shell", 31 | "inline": ["mkdir /tmp/files"] 32 | }, 33 | { 34 | "type": "file", 35 | "source": "files/", 36 | "destination": "/tmp/files/" 37 | }, 38 | { 39 | "type": "shell", 40 | "execute_command": "echo {{user `ssh_username`}} | sudo -S env {{ .Vars }} {{ .Path }}", 41 | "scripts": ["scripts/zeek.sh", "scripts/fluentd.sh"] 42 | } 43 | ] 44 | } 45 | -------------------------------------------------------------------------------- /packer/scripts/fluentd.sh: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | 16 | # This script adds the cloud agent's package repository to our VM and installs the Fluentd (Cloud Logging agent). 17 | # After the installation, it starts the Fluentd service. 18 | # Further, it adds the Zeek configuration file to its respective Fluentd directory and restarts the Fluentd service. 19 | 20 | 21 | #! /bin/bash 22 | 23 | curl -sSO https://dl.google.com/cloudagents/add-logging-agent-repo.sh 24 | bash add-logging-agent-repo.sh 25 | 26 | apt-get update # necessary to update 27 | apt-get install -y google-fluentd google-fluentd-catch-all-config-structured 28 | 29 | service google-fluentd start 30 | 31 | cp -f /tmp/files/zeek.conf /etc/google-fluentd/config.d/ 32 | 33 | service google-fluentd force-reload 34 | service google-fluentd restart 35 | 36 | echo "---------------------------------------- Fluentd Configurations Completed!" -------------------------------------------------------------------------------- /packer/scripts/zeek.sh: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | 16 | # This script updates the packages and installs new packages that are required for the Zeek installation. 17 | # After the packages are installed, the Zeek repository is cloned and installed. 18 | # After the installation, it copies custom Zeek scripts to their respective directory and appends the content to the "local.zeek" file for loading custom Zeek scripts. 19 | # Further, it adds Zeek path to environment variables and starts the ZeekControl (a tool for operating Zeek installations) to manage Zeek. 20 | 21 | 22 | #! /bin/bash 23 | 24 | crontab -r 25 | 26 | apt-get update 27 | apt-get -y install git cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev python-ipaddress swig zlib1g-dev python3-pip dos2unix apache2 28 | 29 | git clone --recursive https://github.com/zeek/zeek /usr/local/zeek 30 | 31 | /usr/local/zeek/configure --builddir=/usr/local/zeek/build && make -C /usr/local/zeek/build && make -C /usr/local/zeek/build install 32 | 33 | find /tmp/files/ -type f -print0 | xargs -0 dos2unix # for converting dos file format to unix file format 34 | 35 | cp -f /tmp/files/json-streaming-logs.zeek /usr/local/zeek/share/zeek/site/ 36 | cp -f /tmp/files/add_fields.zeek /usr/local/zeek/share/zeek/site/ 37 | 38 | cat /tmp/files/append_local.zeek >> /usr/local/zeek/share/zeek/site/local.zeek # appending content 39 | 40 | echo "---------------------------------------- Zeek Configurations Completed!" 
-------------------------------------------------------------------------------- /test/.gitignore: -------------------------------------------------------------------------------- 1 | source.sh 2 | -------------------------------------------------------------------------------- /test/fixtures/basic_configuration/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "basic_configuration" { 18 | source = "../../../examples/basic_configuration" 19 | bucket = var.bucket 20 | credentials = var.credentials 21 | gcp_project_id = var.gcp_project_id 22 | service_account_email = var.service_account_email 23 | 24 | collector_vpc_name = var.collector_vpc_name 25 | subnets = var.subnets 26 | mirror_vpc_subnets = var.mirror_vpc_subnets 27 | } -------------------------------------------------------------------------------- /test/fixtures/basic_configuration/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 19 | value = module.basic_configuration.collector_vpc_network_id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = module.basic_configuration.collector_vpc_subnets_ids 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = module.basic_configuration.intance_template_ids 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = module.basic_configuration.health_check_id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = module.basic_configuration.intance_group_ids 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = module.basic_configuration.intance_groups 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = module.basic_configuration.autoscaler_ids 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = module.basic_configuration.loadbalancer_ids 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = module.basic_configuration.forwarding_rule_ids 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = module.basic_configuration.packet_mirroring_policy_ids 65 | } -------------------------------------------------------------------------------- /test/fixtures/basic_configuration/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# -------------------------------------------------------------- #
# BACKEND CONFIGURATION VARIABLES
# -------------------------------------------------------------- #

# Values in this section are forwarded unchanged to examples/basic_configuration
# by this fixture's main.tf.
variable "bucket" {
  description = "Name of the bucket to store .tfstate file remotely."
  type        = string
}

# NOTE(review): this is a credential input, not a resource name. The empty
# default means the fixture itself never supplies a key file; what the example
# does with "" (presumably ambient/ADC credentials) is decided there — confirm.
variable "credentials" {
  description = "GCP credentials file"
  type        = string
  default     = ""
}

# -------------------------------------------------------------- #
# MODULE VARIABLES
# -------------------------------------------------------------- #

variable "gcp_project_id" {
  description = "GCP Project ID where collector vpc will be provisioned."
  type        = string
}

# Identity the example attaches to the resources it creates (presumably the
# collector instances); which resources receive it is not visible in this fixture.
variable "service_account_email" {
  description = "User's Service Account Email."
  type        = string
}

variable "collector_vpc_name" {
  description = "This is name of collector vpc."
  type        = string
}

# One object per collector subnet: the mirror VPC it serves, plus the CIDR and
# region of the collector subnet itself.
variable "subnets" {
  description = "The list of subnets being created"
  type = list(object({
    mirror_vpc_network          = string
    collector_vpc_subnet_cidr   = string
    collector_vpc_subnet_region = string
  }))
}

# The three mirror-source selectors below share the shape map(list(string));
# the meaning of the map key (presumably the mirror VPC network) is set by the
# example module, not here.
variable "mirror_vpc_subnets" {
  description = "Mirror VPC Subnets list to be mirrored."
  type        = map(list(string))
  default     = {}
}

variable "mirror_vpc_tags" {
  description = "Mirror VPC Tags list to be mirrored."
  type        = map(list(string))
  default     = {}
}

variable "mirror_vpc_instances" {
  description = "Mirror VPC Instances list to be mirrored. (Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)"
  type        = map(list(string))
  default     = {}
}

# Traffic-filter inputs. All three default to "no value"; whether an empty
# list means "mirror everything" or "mirror nothing" is decided by the example
# module and is not visible here.
variable "ip_protocols" {
  description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]"
  type        = list(string)
  default     = []
}

variable "direction" {
  description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]"
  type        = string
  default     = "BOTH"
}

variable "cidr_ranges" {
  description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported."
  type        = list(string)
  default     = []
}
--------------------------------------------------------------------------------
/test/fixtures/basic_configuration/versions.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # TERRAFORM VERSION 19 | # -------------------------------------------------------------- # 20 | 21 | terraform { 22 | required_version = ">= 0.13.5" # see https://releases.hashicorp.com/terraform/ 23 | required_providers { 24 | google = { 25 | source = "hashicorp/google" 26 | version = ">= 3.55" 27 | } 28 | } 29 | } -------------------------------------------------------------------------------- /test/fixtures/mirror_resource_filtering/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "mirror_resource_filtering" { 18 | source = "../../../examples/mirror_resource_filtering" 19 | bucket = var.bucket 20 | credentials = var.credentials 21 | gcp_project_id = var.gcp_project_id 22 | service_account_email = var.service_account_email 23 | 24 | collector_vpc_name = var.collector_vpc_name 25 | subnets = var.subnets 26 | mirror_vpc_subnets = var.mirror_vpc_subnets 27 | mirror_vpc_instances = var.mirror_vpc_instances 28 | mirror_vpc_tags = var.mirror_vpc_tags 29 | } -------------------------------------------------------------------------------- /test/fixtures/mirror_resource_filtering/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 
19 | value = module.mirror_resource_filtering.collector_vpc_network_id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = module.mirror_resource_filtering.collector_vpc_subnets_ids 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = module.mirror_resource_filtering.intance_template_ids 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = module.mirror_resource_filtering.health_check_id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = module.mirror_resource_filtering.intance_group_ids 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = module.mirror_resource_filtering.intance_groups 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = module.mirror_resource_filtering.autoscaler_ids 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = module.mirror_resource_filtering.loadbalancer_ids 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = module.mirror_resource_filtering.forwarding_rule_ids 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = module.mirror_resource_filtering.packet_mirroring_policy_ids 65 | } -------------------------------------------------------------------------------- /test/fixtures/mirror_resource_filtering/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # BACKEND CONFIGURATION VARIABLES 19 | # -------------------------------------------------------------- # 20 | 21 | variable "bucket" { 22 | description = "Name of the bucket to store .tfstate file remotely." 23 | type = string 24 | } 25 | 26 | variable "credentials" { 27 | description = "GCP credentials file" 28 | type = string 29 | default = "" 30 | } 31 | 32 | # -------------------------------------------------------------- # 33 | # MODULE VARIABLES 34 | # -------------------------------------------------------------- # 35 | 36 | variable "gcp_project_id" { 37 | description = "GCP Project ID where collector vpc will be provisioned." 38 | type = string 39 | } 40 | 41 | variable "service_account_email" { 42 | description = "User's Service Account Email." 43 | type = string 44 | } 45 | 46 | variable "collector_vpc_name" { 47 | description = "This is name of collector vpc." 48 | type = string 49 | } 50 | 51 | variable "subnets" { 52 | description = "The list of subnets being created" 53 | type = list(object({ 54 | mirror_vpc_network = string 55 | collector_vpc_subnet_cidr = string 56 | collector_vpc_subnet_region = string 57 | })) 58 | } 59 | 60 | variable "mirror_vpc_subnets" { 61 | description = "Mirror VPC Subnets list to be mirrored." 62 | type = map(list(string)) 63 | default = {} 64 | } 65 | 66 | variable "mirror_vpc_tags" { 67 | description = "Mirror VPC Tags list to be mirrored." 68 | type = map(list(string)) 69 | default = {} 70 | } 71 | 72 | variable "mirror_vpc_instances" { 73 | description = "Mirror VPC Instances list to be mirrored. (Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)" 74 | type = map(list(string)) 75 | default = {} 76 | } 77 | 78 | variable "ip_protocols" { 79 | description = "Protocols that apply as a filter on mirrored traffic. 
Possible values: [\"tcp\", \"udp\", \"icmp\"]" 80 | type = list(string) 81 | default = [] 82 | } 83 | 84 | variable "direction" { 85 | description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]" 86 | type = string 87 | default = "BOTH" 88 | } 89 | 90 | variable "cidr_ranges" { 91 | description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported." 92 | type = list(string) 93 | default = [] 94 | } -------------------------------------------------------------------------------- /test/fixtures/mirror_resource_filtering/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # TERRAFORM VERSION 19 | # -------------------------------------------------------------- # 20 | 21 | terraform { 22 | required_version = ">= 0.13.5" # see https://releases.hashicorp.com/terraform/ 23 | required_providers { 24 | google = { 25 | source = "hashicorp/google" 26 | version = ">= 3.55" 27 | } 28 | } 29 | } -------------------------------------------------------------------------------- /test/fixtures/multiple_vpc_support/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "multiple_vpc_support" { 18 | source = "../../../examples/multiple_vpc_support" 19 | bucket = var.bucket 20 | credentials = var.credentials 21 | gcp_project_id = var.gcp_project_id 22 | service_account_email = var.service_account_email 23 | 24 | collector_vpc_name = var.collector_vpc_name 25 | subnets = var.subnets 26 | mirror_vpc_subnets = var.mirror_vpc_subnets 27 | mirror_vpc_instances = var.mirror_vpc_instances 28 | mirror_vpc_tags = var.mirror_vpc_tags 29 | 30 | # Optional Parameters 31 | ip_protocols = var.ip_protocols 32 | direction = var.direction 33 | cidr_ranges = var.cidr_ranges 34 | } -------------------------------------------------------------------------------- /test/fixtures/multiple_vpc_support/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 
19 | value = module.packet_mirroring_traffic_filtering.collector_vpc_network_id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = module.packet_mirroring_traffic_filtering.collector_vpc_subnets_ids 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = module.packet_mirroring_traffic_filtering.intance_template_ids 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = module.packet_mirroring_traffic_filtering.health_check_id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = module.packet_mirroring_traffic_filtering.intance_group_ids 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = module.packet_mirroring_traffic_filtering.intance_groups 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = module.packet_mirroring_traffic_filtering.autoscaler_ids 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = module.packet_mirroring_traffic_filtering.loadbalancer_ids 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = module.packet_mirroring_traffic_filtering.forwarding_rule_ids 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = module.packet_mirroring_traffic_filtering.packet_mirroring_policy_ids 65 | } -------------------------------------------------------------------------------- /test/fixtures/multiple_vpc_support/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # BACKEND CONFIGURATION VARIABLES 19 | # -------------------------------------------------------------- # 20 | 21 | variable "bucket" { 22 | description = "Name of the bucket to store .tfstate file remotely." 23 | type = string 24 | } 25 | 26 | variable "credentials" { 27 | description = "GCP credentials file" 28 | type = string 29 | default = "" 30 | } 31 | 32 | # -------------------------------------------------------------- # 33 | # MODULE VARIABLES 34 | # -------------------------------------------------------------- # 35 | 36 | variable "gcp_project_id" { 37 | description = "GCP Project ID where collector vpc will be provisioned." 38 | type = string 39 | } 40 | 41 | variable "service_account_email" { 42 | description = "User's Service Account Email." 43 | type = string 44 | } 45 | 46 | variable "collector_vpc_name" { 47 | description = "This is name of collector vpc." 48 | type = string 49 | } 50 | 51 | variable "subnets" { 52 | description = "The list of subnets being created" 53 | type = list(object({ 54 | mirror_vpc_network = string 55 | collector_vpc_subnet_cidr = string 56 | collector_vpc_subnet_region = string 57 | })) 58 | } 59 | 60 | variable "mirror_vpc_subnets" { 61 | description = "Mirror VPC Subnets list to be mirrored." 62 | type = map(list(string)) 63 | default = {} 64 | } 65 | 66 | variable "mirror_vpc_tags" { 67 | description = "Mirror VPC Tags list to be mirrored." 68 | type = map(list(string)) 69 | default = {} 70 | } 71 | 72 | variable "mirror_vpc_instances" { 73 | description = "Mirror VPC Instances list to be mirrored. (Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)" 74 | type = map(list(string)) 75 | default = {} 76 | } 77 | 78 | variable "ip_protocols" { 79 | description = "Protocols that apply as a filter on mirrored traffic. 
Possible values: [\"tcp\", \"udp\", \"icmp\"]" 80 | type = list(string) 81 | default = [] 82 | } 83 | 84 | variable "direction" { 85 | description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]" 86 | type = string 87 | default = "BOTH" 88 | } 89 | 90 | variable "cidr_ranges" { 91 | description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported." 92 | type = list(string) 93 | default = [] 94 | } -------------------------------------------------------------------------------- /test/fixtures/multiple_vpc_support/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # TERRAFORM VERSION 19 | # -------------------------------------------------------------- # 20 | 21 | terraform { 22 | required_version = ">= 0.13.5" # see https://releases.hashicorp.com/terraform/ 23 | required_providers { 24 | google = { 25 | source = "hashicorp/google" 26 | version = ">= 3.55" 27 | } 28 | } 29 | } -------------------------------------------------------------------------------- /test/fixtures/packet_mirroring_traffic_filtering/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "packet_mirroring_traffic_filtering" { 18 | source = "../../../examples/packet_mirroring_traffic_filtering" 19 | bucket = var.bucket 20 | credentials = var.credentials 21 | gcp_project_id = var.gcp_project_id 22 | service_account_email = var.service_account_email 23 | 24 | collector_vpc_name = var.collector_vpc_name 25 | subnets = var.subnets 26 | mirror_vpc_subnets = var.mirror_vpc_subnets 27 | 28 | # Optional Parameters 29 | ip_protocols = var.ip_protocols 30 | direction = var.direction 31 | cidr_ranges = var.cidr_ranges 32 | } -------------------------------------------------------------------------------- /test/fixtures/packet_mirroring_traffic_filtering/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "collector_vpc_network_id" { 18 | description = "The identifier of the VPC network with format projects/{{project}}/global/networks/{{name}}." 
19 | value = module.packet_mirroring_traffic_filtering.collector_vpc_network_id 20 | } 21 | 22 | output "collector_vpc_subnets_ids" { 23 | description = "Sub Network identifier for the resource with format projects/{{project}}/regions/{{region}}/subnetworks/{{name}}" 24 | value = module.packet_mirroring_traffic_filtering.collector_vpc_subnets_ids 25 | } 26 | 27 | output "intance_template_ids" { 28 | description = "Instance Templates identifier for the resource with format projects/{{project}}/global/instanceTemplates/{{name}}" 29 | value = module.packet_mirroring_traffic_filtering.intance_template_ids 30 | } 31 | 32 | output "health_check_id" { 33 | description = "Health Check identifier for the resource with format projects/{{project}}/global/healthChecks/{{name}}" 34 | value = module.packet_mirroring_traffic_filtering.health_check_id 35 | } 36 | 37 | output "intance_group_ids" { 38 | description = "Managed Instance Group identifier for the resource with format {{disk.name}}" 39 | value = module.packet_mirroring_traffic_filtering.intance_group_ids 40 | } 41 | 42 | output "intance_groups" { 43 | description = "The full URL of the instance group created by the manager." 
44 | value = module.packet_mirroring_traffic_filtering.intance_groups 45 | } 46 | 47 | output "autoscaler_ids" { 48 | description = "Autoscaler identifier for the resource with format projects/{{project}}/regions/{{region}}/autoscalers/{{name}}" 49 | value = module.packet_mirroring_traffic_filtering.autoscaler_ids 50 | } 51 | 52 | output "loadbalancer_ids" { 53 | description = "Internal Load Balancer identifier for the resource with format projects/{{project}}/regions/{{region}}/backendServices/{{name}}" 54 | value = module.packet_mirroring_traffic_filtering.loadbalancer_ids 55 | } 56 | 57 | output "forwarding_rule_ids" { 58 | description = "Forwarding Rule identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}" 59 | value = module.packet_mirroring_traffic_filtering.forwarding_rule_ids 60 | } 61 | 62 | output "packet_mirroring_policy_ids" { 63 | description = "Packet Mirroring Policy identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}" 64 | value = module.packet_mirroring_traffic_filtering.packet_mirroring_policy_ids 65 | } -------------------------------------------------------------------------------- /test/fixtures/packet_mirroring_traffic_filtering/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # BACKEND CONFIGURATION VARIABLES 19 | # -------------------------------------------------------------- # 20 | 21 | variable "bucket" { 22 | description = "Name of the bucket to store .tfstate file remotely." 23 | type = string 24 | } 25 | 26 | variable "credentials" { 27 | description = "GCP credentials file" 28 | type = string 29 | default = "" 30 | } 31 | 32 | # -------------------------------------------------------------- # 33 | # MODULE VARIABLES 34 | # -------------------------------------------------------------- # 35 | 36 | variable "gcp_project_id" { 37 | description = "GCP Project ID where collector vpc will be provisioned." 38 | type = string 39 | } 40 | 41 | variable "service_account_email" { 42 | description = "User's Service Account Email." 43 | type = string 44 | } 45 | 46 | variable "collector_vpc_name" { 47 | description = "This is name of collector vpc." 48 | type = string 49 | } 50 | 51 | variable "subnets" { 52 | description = "The list of subnets being created" 53 | type = list(object({ 54 | mirror_vpc_network = string 55 | collector_vpc_subnet_cidr = string 56 | collector_vpc_subnet_region = string 57 | })) 58 | } 59 | 60 | variable "mirror_vpc_subnets" { 61 | description = "Mirror VPC Subnets list to be mirrored." 62 | type = map(list(string)) 63 | default = {} 64 | } 65 | 66 | variable "mirror_vpc_tags" { 67 | description = "Mirror VPC Tags list to be mirrored." 68 | type = map(list(string)) 69 | default = {} 70 | } 71 | 72 | variable "mirror_vpc_instances" { 73 | description = "Mirror VPC Instances list to be mirrored. 
(Note: Mirror VPC should reside in the same project as collector VPC because cross project referencing of instances is not allowed by GCP)" 74 | type = map(list(string)) 75 | default = {} 76 | } 77 | 78 | variable "ip_protocols" { 79 | description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]" 80 | type = list(string) 81 | default = [] 82 | } 83 | 84 | variable "direction" { 85 | description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]" 86 | type = string 87 | default = "BOTH" 88 | } 89 | 90 | variable "cidr_ranges" { 91 | description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported." 92 | type = list(string) 93 | default = [] 94 | } -------------------------------------------------------------------------------- /test/fixtures/packet_mirroring_traffic_filtering/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # TERRAFORM VERSION 19 | # -------------------------------------------------------------- # 20 | 21 | terraform { 22 | required_version = ">= 0.13.5" # see https://releases.hashicorp.com/terraform/ 23 | required_providers { 24 | google = { 25 | source = "hashicorp/google" 26 | version = ">= 3.55" 27 | } 28 | } 29 | } -------------------------------------------------------------------------------- /test/integration/basic_configuration/controls/gcp.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | project_id = attribute('project_id') 16 | network_name = attribute('network_name') 17 | region = attribute('region') 18 | 19 | control "gcp" do 20 | title "Google Cloud configuration" 21 | describe google_compute_network( 22 | project: project_id, 23 | name: network_name 24 | ) do 25 | it { should exist } 26 | end 27 | 28 | describe google_compute_subnetwork( 29 | project: project_id, 30 | name: "#{network_name}-subnet-01", 31 | region: "#{region}" 32 | ) do 33 | it { should exist } 34 | end 35 | 36 | describe google_compute_firewalls(project: project_id) do 37 | its('firewall_names') { should include "#{network_name}-rule-allow-ingress" } 38 | its('firewall_names') { should include "#{network_name}-rule-allow-health-check" } 39 | end 40 | 41 | describe google_compute_forwarding_rule( 42 | project: project_id, 43 | region: region, 44 | name: "#{network_name}-01" 45 | ) do 46 | its('load_balancing_scheme') { should match "INTERNAL" } 47 | end 48 | 49 | describe google_compute_health_check( 50 | project: project_id, 51 | region: region, 52 | name: "#{network_name}-http-health-check" 53 | ) do 54 | it { should exist } 55 | end 56 | 57 | describe google_compute_instance_template( 58 | project: project_id, 59 | region: region, 60 | name: "#{network_name}-01" 61 | ) do 62 | it { should exist } 63 | end 64 | 65 | describe google_compute_region_instance_group_manager( 66 | project: project_id, 67 | region: region, 68 | name: "#{network_name}-01" 69 | ) do 70 | it { should exist } 71 | end 72 | end -------------------------------------------------------------------------------- /test/integration/basic_configuration/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | --- 16 | name: basic_configuration 17 | title: Google Cloud configuration 18 | version: 0.1.0 19 | depends: 20 | - name: inspec-gcp 21 | git: https://github.com/inspec/inspec-gcp.git 22 | attributes: 23 | - name: project_id 24 | required: true 25 | type: string 26 | - name: network_name 27 | required: true 28 | type: string 29 | - name: region 30 | required: true 31 | type: string 32 | supports: 33 | - platform: gcp -------------------------------------------------------------------------------- /test/integration/mirror_resource_filtering/controls/gcp.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | project_id = attribute('project_id') 16 | network_name = attribute('network_name') 17 | region = attribute('region') 18 | 19 | control "gcp" do 20 | title "Google Cloud configuration" 21 | describe google_compute_network( 22 | project: project_id, 23 | name: network_name 24 | ) do 25 | it { should exist } 26 | end 27 | 28 | describe google_compute_subnetwork( 29 | project: project_id, 30 | name: "#{network_name}-subnet-01", 31 | region: "#{region}" 32 | ) do 33 | it { should exist } 34 | end 35 | 36 | describe google_compute_firewalls(project: project_id) do 37 | its('firewall_names') { should include "#{network_name}-rule-allow-ingress" } 38 | its('firewall_names') { should include "#{network_name}-rule-allow-health-check" } 39 | end 40 | 41 | describe google_compute_forwarding_rule( 42 | project: project_id, 43 | region: region, 44 | name: "#{network_name}-01" 45 | ) do 46 | its('load_balancing_scheme') { should match "INTERNAL" } 47 | end 48 | 49 | describe google_compute_health_check( 50 | project: project_id, 51 | region: region, 52 | name: "#{network_name}-http-health-check" 53 | ) do 54 | it { should exist } 55 | end 56 | 57 | describe google_compute_instance_template( 58 | project: project_id, 59 | region: region, 60 | name: "#{network_name}-01" 61 | ) do 62 | it { should exist } 63 | end 64 | 65 | describe google_compute_region_instance_group_manager( 66 | project: project_id, 67 | region: region, 68 | name: "#{network_name}-01" 69 | ) do 70 | it { should exist } 71 | end 72 | end -------------------------------------------------------------------------------- /test/integration/mirror_resource_filtering/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | --- 16 | name: mirror_resource_filtering 17 | title: Google Cloud configuration 18 | version: 0.1.0 19 | depends: 20 | - name: inspec-gcp 21 | git: https://github.com/inspec/inspec-gcp.git 22 | attributes: 23 | - name: project_id 24 | required: true 25 | type: string 26 | - name: network_name 27 | required: true 28 | type: string 29 | - name: region 30 | required: true 31 | type: string 32 | supports: 33 | - platform: gcp -------------------------------------------------------------------------------- /test/integration/multiple_vpc_support/controls/gcp.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | project_id = attribute('project_id') 16 | network_name = attribute('network_name') 17 | region = attribute('region') 18 | 19 | control "gcp" do 20 | title "Google Cloud configuration" 21 | describe google_compute_network( 22 | project: project_id, 23 | name: network_name 24 | ) do 25 | it { should exist } 26 | end 27 | 28 | describe google_compute_subnetwork( 29 | project: project_id, 30 | name: "#{network_name}-subnet-01", 31 | region: "#{region}" 32 | ) do 33 | it { should exist } 34 | end 35 | 36 | describe google_compute_firewalls(project: project_id) do 37 | its('firewall_names') { should include "#{network_name}-rule-allow-ingress" } 38 | its('firewall_names') { should include "#{network_name}-rule-allow-health-check" } 39 | end 40 | 41 | describe google_compute_forwarding_rule( 42 | project: project_id, 43 | region: region, 44 | name: "#{network_name}-01" 45 | ) do 46 | its('load_balancing_scheme') { should match "INTERNAL" } 47 | end 48 | 49 | describe google_compute_health_check( 50 | project: project_id, 51 | region: region, 52 | name: "#{network_name}-http-health-check" 53 | ) do 54 | it { should exist } 55 | end 56 | 57 | describe google_compute_instance_template( 58 | project: project_id, 59 | region: region, 60 | name: "#{network_name}-01" 61 | ) do 62 | it { should exist } 63 | end 64 | 65 | describe google_compute_region_instance_group_manager( 66 | project: project_id, 67 | region: region, 68 | name: "#{network_name}-01" 69 | ) do 70 | it { should exist } 71 | end 72 | end -------------------------------------------------------------------------------- /test/integration/multiple_vpc_support/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | --- 16 | name: packet_mirroring_traffic_filtering 17 | title: Google Cloud configuration 18 | version: 0.1.0 19 | depends: 20 | - name: inspec-gcp 21 | git: https://github.com/inspec/inspec-gcp.git 22 | attributes: 23 | - name: project_id 24 | required: true 25 | type: string 26 | - name: network_name 27 | required: true 28 | type: string 29 | - name: region 30 | required: true 31 | type: string 32 | supports: 33 | - platform: gcp -------------------------------------------------------------------------------- /test/integration/packet_mirroring_traffic_filtering/controls/gcp.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | project_id = attribute('project_id') 16 | network_name = attribute('network_name') 17 | region = attribute('region') 18 | 19 | control "gcp" do 20 | title "Google Cloud configuration" 21 | describe google_compute_network( 22 | project: project_id, 23 | name: network_name 24 | ) do 25 | it { should exist } 26 | end 27 | 28 | describe google_compute_subnetwork( 29 | project: project_id, 30 | name: "#{network_name}-subnet-01", 31 | region: "#{region}" 32 | ) do 33 | it { should exist } 34 | end 35 | 36 | describe google_compute_firewalls(project: project_id) do 37 | its('firewall_names') { should include "#{network_name}-rule-allow-ingress" } 38 | its('firewall_names') { should include "#{network_name}-rule-allow-health-check" } 39 | end 40 | 41 | describe google_compute_forwarding_rule( 42 | project: project_id, 43 | region: region, 44 | name: "#{network_name}-01" 45 | ) do 46 | its('load_balancing_scheme') { should match "INTERNAL" } 47 | end 48 | 49 | describe google_compute_health_check( 50 | project: project_id, 51 | region: region, 52 | name: "#{network_name}-http-health-check" 53 | ) do 54 | it { should exist } 55 | end 56 | 57 | describe google_compute_instance_template( 58 | project: project_id, 59 | region: region, 60 | name: "#{network_name}-01" 61 | ) do 62 | it { should exist } 63 | end 64 | 65 | describe google_compute_region_instance_group_manager( 66 | project: project_id, 67 | region: region, 68 | name: "#{network_name}-01" 69 | ) do 70 | it { should exist } 71 | end 72 | end -------------------------------------------------------------------------------- /test/integration/packet_mirroring_traffic_filtering/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | --- 16 | name: packet_mirroring_traffic_filtering 17 | title: Google Cloud configuration 18 | version: 0.1.0 19 | depends: 20 | - name: inspec-gcp 21 | git: https://github.com/inspec/inspec-gcp.git 22 | attributes: 23 | - name: project_id 24 | required: true 25 | type: string 26 | - name: network_name 27 | required: true 28 | type: string 29 | - name: region 30 | required: true 31 | type: string 32 | supports: 33 | - platform: gcp -------------------------------------------------------------------------------- /test/setup/.gitignore: -------------------------------------------------------------------------------- 1 | terraform.tfvars 2 | source.sh 3 | -------------------------------------------------------------------------------- /test/setup/iam.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | locals { 18 | vm_required_roles = [ 19 | "roles/owner", 20 | "roles/compute.admin", 21 | "roles/compute.networkAdmin", 22 | "roles/iam.serviceAccountUser", 23 | "roles/storage.admin", 24 | "roles/compute.packetMirroringUser", 25 | "roles/compute.packetMirroringAdmin", 26 | "roles/logging.logWriter", 27 | "roles/monitoring.metricWriter", 28 | "roles/iam.serviceAccountTokenCreator", 29 | ] 30 | } 31 | 32 | resource "google_service_account" "ci_vm_account" { 33 | project = module.project_ci_vm.project_id 34 | account_id = "ci-vm-account" 35 | display_name = "ci-vm-account" 36 | } 37 | 38 | resource "google_project_iam_member" "ci_vm_account" { 39 | count = length(local.vm_required_roles) 40 | 41 | project = module.project_ci_vm.project_id 42 | role = local.vm_required_roles[count.index] 43 | member = "serviceAccount:${google_service_account.ci_vm_account.email}" 44 | } 45 | 46 | resource "google_service_account_key" "ci_vm_account" { 47 | service_account_id = google_service_account.ci_vm_account.id 48 | } -------------------------------------------------------------------------------- /test/setup/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | provider "google" { 18 | version = "~> 3.0" 19 | } 20 | 21 | provider "google-beta" { 22 | version = "~> 3.0" 23 | } 24 | 25 | provider "null" { 26 | version = "~> 2.1" 27 | } 28 | 29 | provider "random" { 30 | version = "~> 2.2" 31 | } 32 | 33 | module "project_ci_vm" { 34 | source = "terraform-google-modules/project-factory/google" 35 | version = "~> 9.0" 36 | 37 | name = "ci-vm-module" 38 | random_project_id = true 39 | org_id = var.org_id 40 | folder_id = var.folder_id 41 | billing_account = var.billing_account 42 | skip_gcloud_download = true 43 | 44 | activate_apis = [ 45 | "cloudresourcemanager.googleapis.com", 46 | "storage.googleapis.com", 47 | "serviceusage.googleapis.com", 48 | "compute.googleapis.com", 49 | "monitoring.googleapis.com", 50 | "iam.googleapis.com", 51 | "logging.googleapis.com", 52 | "cloudbilling.googleapis.com", 53 | ] 54 | } -------------------------------------------------------------------------------- /test/setup/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "project_id" { 18 | value = module.project_ci_vm.project_id 19 | } 20 | 21 | output "sa_key" { 22 | value = google_service_account_key.ci_vm_account.private_key 23 | sensitive = true 24 | } 25 | 26 | output "service_account" { 27 | value = { 28 | email = google_service_account.ci_vm_account.email 29 | scopes = ["cloud-platform"] 30 | } 31 | } -------------------------------------------------------------------------------- /test/setup/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | variable "org_id" { 17 | description = "The numeric organization id" 18 | } 19 | 20 | variable "folder_id" { 21 | description = "The folder to deploy in" 22 | } 23 | 24 | variable "billing_account" { 25 | description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" 26 | } -------------------------------------------------------------------------------- /test/setup/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">=0.12.6" 19 | } -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | # -------------------------------------------------------------- # 18 | # PROJECT variables 19 | # -------------------------------------------------------------- # 20 | 21 | variable "gcp_project" { 22 | description = "GCP Project Id" 23 | type = string 24 | } 25 | 26 | # -------------------------------------------------------------- # 27 | # VPC module variables 28 | # -------------------------------------------------------------- # 29 | 30 | variable "collector_vpc_name" { 31 | description = "Portion of name to be generated for the VPC network." 
32 | type = string 33 | } 34 | 35 | variable "vpc_description" { 36 | description = "The description of the VPC Network." 37 | type = string 38 | default = "This is collector VPC network." 39 | } 40 | 41 | variable "vpc_routing_mode" { 42 | description = "Routing mode of the VPC. A 'GLOBAL' routing mode can have adverse impacts on load balancers. Prefer 'REGIONAL'." 43 | type = string 44 | default = "REGIONAL" 45 | } 46 | 47 | variable "auto_create_subnetworks" { 48 | description = "When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources." 49 | type = bool 50 | default = false 51 | } 52 | 53 | variable "delete_default_internet_gateway_routes" { 54 | description = "If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted" 55 | type = bool 56 | default = false 57 | } 58 | 59 | variable "mtu" { 60 | description = "The network MTU. Must be a value between 1460 and 1500 inclusive. If set to 0 (meaning MTU is unset), the network will default to 1460 automatically." 61 | type = number 62 | default = 0 63 | } 64 | 65 | variable "private_ip_google_access" { 66 | description = "When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access." 
67 | type = bool 68 | default = true 69 | } 70 | 71 | variable "subnets" { 72 | type = list(object({ 73 | mirror_vpc_network = string 74 | collector_vpc_subnet_cidr = string 75 | collector_vpc_subnet_region = string 76 | })) 77 | description = "The list of subnets being created" 78 | } 79 | # -------------------------------------------------------------- # 80 | # VPC-PEERING module variables 81 | # -------------------------------------------------------------- # 82 | 83 | variable "export_peer_custom_routes" { 84 | description = "Export custom routes to local network from peer network." 85 | type = bool 86 | default = false 87 | } 88 | 89 | variable "export_local_custom_routes" { 90 | description = "Export custom routes to peer network from local network." 91 | type = bool 92 | default = false 93 | } 94 | 95 | # -------------------------------------------------------------- # 96 | # INSTANCE-TEMPLATE module variables 97 | # -------------------------------------------------------------- # 98 | 99 | variable "template_description" { 100 | description = "This is instance template description." 101 | type = string 102 | default = "This instance template is used to create zeek-fluentd instances." 103 | } 104 | 105 | variable "golden_image" { 106 | description = "This is name of zeek-fluentd packer image" 107 | type = string 108 | default = "projects/zeekautomation/global/images/zeek-fluentd-golden-image-v1" 109 | } 110 | 111 | variable "machine_type" { 112 | description = "This is instance template machine type." 113 | type = string 114 | default = "e2-medium" 115 | } 116 | 117 | variable "service_account_email" { 118 | description = "User's Service Account Email." 
119 | type = string 120 | } 121 | 122 | # -------------------------------------------------------------- # 123 | # PACKET-MIRRORING module variables 124 | # -------------------------------------------------------------- # 125 | 126 | variable "mirror_vpc_subnets" { 127 | description = "Mirror VPC Subnets list to be mirrored." 128 | type = map(list(string)) 129 | default = {} 130 | } 131 | 132 | variable "mirror_vpc_tags" { 133 | description = "Mirror VPC Tags list to be mirrored." 134 | type = map(list(string)) 135 | default = {} 136 | } 137 | 138 | variable "mirror_vpc_instances" { 139 | description = "Mirror VPC Instances list to be mirrored." 140 | type = map(list(string)) 141 | default = {} 142 | } 143 | 144 | variable "ip_protocols" { 145 | description = "Protocols that apply as a filter on mirrored traffic. Possible values: [\"tcp\", \"udp\", \"icmp\"]" 146 | type = list(string) 147 | default = [] 148 | } 149 | 150 | variable "direction" { 151 | description = "Direction of traffic to mirror. Default value: \"BOTH\" Possible values: [\"INGRESS\", \"EGRESS\", \"BOTH\"]" 152 | type = string 153 | default = "BOTH" 154 | } 155 | 156 | variable "cidr_ranges" { 157 | description = "IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported." 158 | type = list(string) 159 | default = [] 160 | } 161 | 162 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13.5" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.55" 23 | } 24 | } 25 | } --------------------------------------------------------------------------------