osinfra-io · brettcurtis · Aug 30, 2024 · Aug 25, 2024 · Aug 25, 2024 · Aug 25, 2024
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -11,7 +11,7 @@ repos:
       - id: check-symlinks
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.92.3
     hooks:
       - id: terraform_fmt
 
@@ -29,7 +29,7 @@ repos:
       - id: terraform_docs
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.228
+    rev: 3.2.238
     hooks:
       - id: checkov
         verbose: true

diff --git a/README.md b/README.md
@@ -73,7 +73,8 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.40.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.0.1 |
+| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | 6.0.1 |
 
 ### Modules
 
@@ -83,6 +84,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google-beta_google_compute_security_policy.pre_configured_waf](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_security_policy) | resource |
 | [google_compute_global_address.istio_gateway_mci](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource |
 | [google_compute_managed_ssl_certificate.istio_gateway_mci](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_managed_ssl_certificate) | resource |
 | [google_compute_ssl_policy.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy) | resource |

diff --git a/locals.tf b/locals.tf
@@ -1,7 +1,136 @@
 # Local Values
 # https://www.terraform.io/docs/language/values/locals.html
 
-
 locals {
   istio_gateway_domains = keys(var.istio_gateway_dns)
+
+  preconfigured_waf_rules = [
+    # Google Cloud Armor provides preconfigured WAF rules, each consisting of multiple signatures sourced from:
+    # https://github.com/coreruleset/coreruleset/releases/tag/v3.3.3
+
+    # Each signature has a sensitivity level that corresponds to a ModSecurity paranoia level. You can select a
+    # sensitivity between 0 and 4, though sensitivity level 0 means that no rules are enabled by default.
+    # A lower sensitivity level indicates higher confidence signatures, which are less likely to generate a false positive.
+    # A higher sensitivity level increases security, but also increases the risk of generating a false positive.
+
+    {
+      name        = "sqli-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: SQL injection"
+      preview     = false
+      priority    = 10000
+      sensitivity = 1
+    },
+    {
+      name        = "xss-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Cross-site scripting"
+      preview     = false
+      priority    = 10010
+      sensitivity = 1
+    },
+    {
+      name        = "lfi-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Local file inclusion"
+      preview     = false
+      priority    = 10020
+      sensitivity = 1
+    },
+    {
+      name        = "rfi-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Remote file inclusion"
+      preview     = false
+      priority    = 10030
+      sensitivity = 1
+    },
+    {
+      name        = "rce-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Remote code execution"
+      preview     = false
+      priority    = 10040
+      sensitivity = 1
+    },
+    {
+      name        = "methodenforcement-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Method enforcement"
+      preview     = false
+      priority    = 10050
+      sensitivity = 1
+    },
+    {
+      name        = "scannerdetection-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Scanner detection"
+      preview     = false
+      priority    = 10060
+      sensitivity = 1
+    },
+    {
+      name        = "protocolattack-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Protocol attack"
+      preview     = false
+      priority    = 10070
+      sensitivity = 1
+    },
+    {
+      name        = "php-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: PHP injection attack"
+      preview     = false
+      priority    = 10080
+      sensitivity = 1
+    },
+    {
+      name        = "sessionfixation-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Session fixation"
+      preview     = false
+      priority    = 10090
+      sensitivity = 1
+    },
+    {
+      name        = "java-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: Java attack"
+      preview     = false
+      priority    = 10100
+      sensitivity = 1
+    },
+    {
+      name        = "nodejs-v33-stable"
+      action      = "deny(403)"
+      description = "OWASP: NodeJS attack"
+      preview     = false
+      priority    = 10110
+      sensitivity = 1
+    },
+
+    # Additional rules that detect and optionally block the following
+    # vulnerabilities:
+
+    # CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
+    # 942550-sqli JSON-formatted content vulnerability
+
+    {
+      name        = "cve-canary"
+      action      = "deny(403)"
+      description = "Log4j vulnerability"
+      preview     = false
+      priority    = 10120
+      sensitivity = 1
+    },
+    {
+      name        = "json-sqli-canary"
+      action      = "deny(403)"
+      description = "JSON-based SQL injection bypass vulnerability"
+      preview     = false
+      priority    = 10130
+      sensitivity = 1
+    }
+  ]
 }
diff --git a/main.tf b/main.tf
@@ -26,6 +26,110 @@ resource "google_compute_managed_ssl_certificate" "istio_gateway_mci" {
   project = var.project
 }
 
+# Google Compute Security Policy Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_security_policy
+
+resource "google_compute_security_policy" "pre_configured_waf" {
+  provider = google-beta # Required for the adaptive_protection_config auto_deploy_config block
+
+  # Ensure Cloud Armor prevents message lookup in Log4j2
+  # checkov:skip=CKV_GCP_73: False positive
+
+  count = var.gke_fleet_host_project_id == "" ? 1 : 0
+
+  adaptive_protection_config {
+    auto_deploy_config {
+
+      # Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.
+
+      confidence_threshold = "0.5"
+
+      # Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration.
+
+      expiration_sec = 7200
+
+      # Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold
+
+      impacted_baseline_threshold = "0.01"
+
+      # During an alerted attack, Adaptive Protection identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.
+
+      load_threshold = "0.8"
+    }
+
+    layer_7_ddos_defense_config {
+      enable = true
+    }
+  }
+
+  advanced_options_config {
+    log_level = "VERBOSE"
+  }
+
+  name    = "preconfigured-waf-policy"
+  project = var.project
+
+  rule {
+    action   = "throttle"
+    preview  = false
+    priority = "30000"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+
+    rate_limit_options {
+      enforce_on_key = "ALL"
+      conform_action = "allow"
+      exceed_action  = "deny(429)"
+
+      rate_limit_threshold {
+        count        = "500"
+        interval_sec = "60"
+      }
+    }
+
+    description = "Rate limit all user IPs"
+  }
+
+  rule {
+    action      = "allow"
+    description = "Default allow rule"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+
+    priority = "2147483647" # Use the maximum allowed priority value to ensure this is the default rule
+  }
+
+  dynamic "rule" {
+    for_each = local.preconfigured_waf_rules
+
+    content {
+      action      = rule.value.action
+      description = rule.value.description
+
+      match {
+        expr {
+          expression = "evaluatePreconfiguredWaf('${rule.value.name}', {'sensitivity': ${rule.value.sensitivity}})"
+        }
+      }
+
+      priority = rule.value.priority
+      preview  = rule.value.preview
+    }
+  }
+}
+
 # Google Compute SSL Policy Resource
 # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy
 

diff --git a/regional/README.md b/regional/README.md
@@ -11,9 +11,9 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.40.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.14.1 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.31.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.0.1 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.15.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.32.0 |
 
 ## Modules
 
@@ -34,7 +34,6 @@ No modules.
 | [kubernetes_manifest.istio_gateway_managed_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_manifest.istio_gateway_mci](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_manifest.istio_gateway_mcs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
-| [kubernetes_manifest.istio_service_exports](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace_v1.istio_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [kubernetes_namespace_v1.istio_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 
@@ -48,9 +47,6 @@ No modules.
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment must be one of `sandbox`, `non-production`, `production` | `string` | `"sandbox"` | no |
 | <a name="input_gateway_autoscale_min"></a> [gateway\_autoscale\_min](#input\_gateway\_autoscale\_min) | The minimum number of gateway replicas to run | `number` | `1` | no |
 | <a name="input_istio_chart_repository"></a> [istio\_chart\_repository](#input\_istio\_chart\_repository) | The repository to pull the Istio Helm chart from | `string` | `"https://istio-release.storage.googleapis.com/charts"` | no |
-| <a name="input_istio_config_cluster"></a> [istio\_config\_cluster](#input\_istio\_config\_cluster) | Boolean to configure a remote cluster as the config cluster for an external istiod | `bool` | `false` | no |
-| <a name="input_istio_control_plane_clusters"></a> [istio\_control\_plane\_clusters](#input\_istio\_control\_plane\_clusters) | The GKE clusters that will be used as Istio control planes | `string` | `null` | no |
-| <a name="input_istio_external_istiod"></a> [istio\_external\_istiod](#input\_istio\_external\_istiod) | Boolean to configure a remote cluster data plane controlled by an external istiod | `bool` | `false` | no |
 | <a name="input_istio_gateway_cpu_limit"></a> [istio\_gateway\_cpu\_limit](#input\_istio\_gateway\_cpu\_limit) | The CPU limit for the Istio gateway | `string` | `"2000m"` | no |
 | <a name="input_istio_gateway_cpu_request"></a> [istio\_gateway\_cpu\_request](#input\_istio\_gateway\_cpu\_request) | The CPU request for the Istio gateway | `string` | `"100m"` | no |
 | <a name="input_istio_gateway_dns"></a> [istio\_gateway\_dns](#input\_istio\_gateway\_dns) | Map of attributes for the Istio gateway domain names, it is also used to create the managed certificate resource | <pre>map(object({<br>    managed_zone = string<br>    project      = string<br>  }))</pre> | `{}` | no |
@@ -67,8 +63,6 @@ No modules.
 | <a name="input_istio_proxy_cpu_request"></a> [istio\_proxy\_cpu\_request](#input\_istio\_proxy\_cpu\_request) | The CPU request for the Istio proxy | `string` | `"100m"` | no |
 | <a name="input_istio_proxy_memory_limit"></a> [istio\_proxy\_memory\_limit](#input\_istio\_proxy\_memory\_limit) | The memory limit for the Istio proxy | `string` | `"1024Mi"` | no |
 | <a name="input_istio_proxy_memory_request"></a> [istio\_proxy\_memory\_request](#input\_istio\_proxy\_memory\_request) | The memory request for the Istio proxy | `string` | `"128Mi"` | no |
-| <a name="input_istio_remote_injection_path"></a> [istio\_remote\_injection\_path](#input\_istio\_remote\_injection\_path) | The sidecar injector mutating webhook configuration path value for the clientConfig.service field | `string` | `"/inject"` | no |
-| <a name="input_istio_remote_injection_url"></a> [istio\_remote\_injection\_url](#input\_istio\_remote\_injection\_url) | The sidecar injector mutating webhook configuration clientConfig.url value | `string` | `""` | no |
 | <a name="input_istio_version"></a> [istio\_version](#input\_istio\_version) | The version of istio to install | `string` | `"1.23.0"` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | A map of key/value pairs to assign to the resources being created | `map(string)` | `{}` | no |
 | <a name="input_multi_cluster_service_clusters"></a> [multi\_cluster\_service\_clusters](#input\_multi\_cluster\_service\_clusters) | List of clusters to be included in the MultiClusterService | <pre>list(object({<br>    link = string<br>  }))</pre> | `[]` | no |

diff --git a/regional/helm/gateway.yml b/regional/helm/gateway.yml
@@ -16,7 +16,6 @@ podAnnotations:
     ]
 
   ad.datadoghq.com/istio-proxy.logs: '[{"source":"envoy"}]'
-  # proxy.istio.io/config: '{"tracing":{"datadog"}}'
 
 podDisruptionBudget:
   maxUnavailable: 1

diff --git a/regional/helm/istiod.yml b/regional/helm/istiod.yml
@@ -1,15 +1,11 @@
 global:
-  proxy:
-    tracer: datadog
-
   meshID: default
   network: standard-shared
 
 meshConfig:
   accessLogFile: /dev/stdout
   defaultConfig:
     proxyMetadata:
-      DD_REMOTE_CONFIGURATION_ENABLED: "false"
       ISTIO_META_DNS_CAPTURE: "true"
       ISTIO_META_DNS_AUTO_ALLOCATE: "true"
 
@@ -49,3 +45,5 @@ pilot:
       labelSelector:
         matchLabels:
           app: istiod
+
+  traceSampling: 100.0
diff --git a/regional/locals.tf b/regional/locals.tf
@@ -10,6 +10,10 @@ locals {
     }
   EOF
 
+  istio_gateway_proxy_config = <<EOF
+    {\"tracing\":{\"datadog\":{\"address\":\"$(HOST_IP):8126\"}}\,\"proxyMetadata\":{\"DD_ENV\":\"${var.environment}\"\,\"DD_SERVICE\":\"istio-gateway\"\,\"DD_VERSION\":\"${var.istio_version}\"\,\"ISTIO_META_DNS_AUTO_ALLOCATE\":\"true\"\,\"ISTIO_META_DNS_CAPTURE\":\"true\"\,\"meshId\":\"default\"}
+  EOF
+
   istio_gateway_domains = keys(var.istio_gateway_dns)
   name                  = var.node_location == null ? var.region : "${var.region}-${var.node_location}"
   multi_cluster_name    = "${var.cluster_prefix}-${var.region}-${var.environment}"