logging for default ingress rules in FAST (#2030)

* Add default ingress deny rule with logging to FAST net stages.

Fixes #2024

* Allow firewall factory to omit rules key

* Fix tests

* Fix fast tests

* fix fast tests
This commit is contained in:
Julio Castillo 2024-01-30 17:53:01 +01:00 committed by GitHub
parent 7b58114d65
commit da95434308
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
22 changed files with 161 additions and 17 deletions


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false
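Review bot: The new rule carries a description of what it does but not why it exists or what its unset fields default to, and the same file is added 16 times (the other ingress-default-deny files up to L212, plus the trusted-/untrusted- variants), so a reader has to reconstruct the intent from the factory. The rule omits `rules` and `source_ranges`, so it only matches everything because the factory's fallback (`rules = try(rule.rules, [{ protocol = "all", ports = null }])` in the Terraform hunk) and whatever source default the factory applies fill them in; a comment such as `# no rules/sources: the factory defaults make this match all protocols from all sources` would make that explicit. `include_metadata: false` is a deliberate trade-off between log volume and the instance/VPC detail that helps triage a denied connection; recording it as `# metadata excluded to limit log volume; enable when investigating denied traffic` would stop a later maintainer from treating it as an oversight. Priority 65535 is presumably chosen so this logged rule sits alongside the implied deny, which itself produces no logs; a one-line comment stating that would complete the picture.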


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
trusted-ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
untrusted-ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
trusted-ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
untrusted-ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -0,0 +1,9 @@
# skip boilerplate check
ingress:
ingress-default-deny:
description: "Deny and log any unmatched ingress traffic."
deny: true
priority: 65535
enable_logging:
include_metadata: false


@ -1,5 +1,5 @@
/** /**
* Copyright 2022 Google LLC * Copyright 2024 Google LLC
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,7 +27,7 @@ locals {
for name, rule in ruleset : { for name, rule in ruleset : {
name = name name = name
deny = try(rule.deny, false) deny = try(rule.deny, false)
rules = try(rule.rules, [{ protocol = "all" }]) rules = try(rule.rules, [{ protocol = "all", ports = null }])
description = try(rule.description, null) description = try(rule.description, null)
destination_ranges = try(rule.destination_ranges, null) destination_ranges = try(rule.destination_ranges, null)
direction = upper(direction) direction = upper(direction)
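Review bot: The new `rules` fallback is not restricted to deny rules — `deny = try(rule.deny, false)` on the line above defaults to allow — so a rule file that omits `rules` now yields an allow rule matching every protocol, and nothing in the hunk records that this is intended. Consider either a comment such as `# omitted rules => match all protocols; an allow rule without rules is allow-all` or narrowing the fallback, e.g. `rules = try(rule.rules, try(rule.deny, false) ? [{ protocol = "all", ports = null }] : [])`, so the permissive default only applies where the commit actually needs it. The added `ports = null` presumably exists to keep the fallback's object type consistent with user-supplied entries that set `ports`; a short `# ports = null keeps the object type consistent with explicit rule entries` comment would preserve that reasoning. The enclosing `locals` block starts and ends outside this hunk.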


@ -1,4 +1,4 @@
# Copyright 2023 Google LLC # Copyright 2024 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -13,5 +13,5 @@
# limitations under the License. # limitations under the License.
counts: counts:
modules: 28 modules: 29
resources: 148 resources: 151


@ -1,4 +1,4 @@
# Copyright 2023 Google LLC # Copyright 2024 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -13,5 +13,5 @@
# limitations under the License. # limitations under the License.
counts: counts:
modules: 30 modules: 31
resources: 185 resources: 188


@ -1,4 +1,4 @@
# Copyright 2023 Google LLC # Copyright 2024 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -13,5 +13,5 @@
# limitations under the License. # limitations under the License.
counts: counts:
modules: 42 modules: 43
resources: 195 resources: 199


@ -1,4 +1,4 @@
# Copyright 2023 Google LLC # Copyright 2024 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -13,5 +13,5 @@
# limitations under the License. # limitations under the License.
counts: counts:
modules: 21 modules: 22
resources: 170 resources: 172


@ -1,4 +1,4 @@
# Copyright 2023 Google LLC # Copyright 2024 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -13,5 +13,5 @@
# limitations under the License. # limitations under the License.
counts: counts:
modules: 36 modules: 37
resources: 206 resources: 210