feat: DEVOPS-1640 Use Google Cloud Armor to protect the faucet (#2080)

Zilliqa · Dec 26, 2024 · 2eb8fec · 2eb8fec
1 parent 81e989c
commit 2eb8fec
Show file tree

Hide file tree

Showing 8 changed files with 1,962 additions and 21 deletions.
diff --git a/infra/tf/apps.tf b/infra/tf/apps.tf
@@ -7,7 +7,7 @@ resource "google_compute_firewall" "allow_apps_external_http" {
   network = local.network_name
 
   direction     = "INGRESS"
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = local.google_load_balancer_ip_ranges
 
   target_tags = [format("%s-%s", var.chain_name, "apps")]
 
@@ -17,21 +17,6 @@ resource "google_compute_firewall" "allow_apps_external_http" {
   }
 }
 
-resource "google_compute_firewall" "allow_apps_external_https" {
-  name    = "${var.chain_name}-apps-allow-external-https"
-  network = local.network_name
-
-  direction     = "INGRESS"
-  source_ranges = ["0.0.0.0/0"]
-
-  target_tags = [format("%s-%s", var.chain_name, "apps")]
-
-  allow {
-    protocol = "tcp"
-    ports    = ["443"]
-  }
-}
-
 module "apps" {
   source = "./modules/node"
 
@@ -124,6 +109,9 @@ resource "google_compute_backend_service" "spout" {
       capacity_scaler = 1.0
     }
   }
+
+  ## Attach Cloud Armor policy to the backend service
+  security_policy = module.spout_security_policies.policy.self_link
 }
 
 resource "google_compute_url_map" "apps" {
@@ -213,3 +201,35 @@ resource "google_compute_global_forwarding_rule" "faucet_https" {
   target                = google_compute_target_https_proxy.apps.id
   ip_address            = data.google_compute_global_address.faucet.address
 }
+
+module "spout_security_policies" {
+  source = "./modules/google-cloud-armor"
+
+  project_id          = var.project_id
+  name                = "${var.chain_name}-apps-spout"
+  description         = "Cloud Armor security policy for the ${var.chain_name} faucet"
+  default_rule_action = "deny(403)"
+  type                = "CLOUD_ARMOR"
+
+  security_rules = {
+    allow_whitelisted_ip_ranges = {
+      action        = "allow"
+      priority      = 999
+      description   = "Allow whitelisted IP address ranges"
+      src_ip_ranges = ["*"]
+    }
+    throttle = {
+      action        = "throttle"
+      priority      = 990
+      description   = "Limit requests per IP"
+      src_ip_ranges = ["0.0.0.0/0"]
+
+      rate_limit_options = {
+        enforce_on_key                       = "IP"
+        exceed_action                        = "deny(429)"
+        rate_limit_http_request_count        = var.apps.faucet_max_hourly_requests
+        rate_limit_http_request_interval_sec = 3600
+      }
+    }
+  }
+}
diff --git a/infra/tf/modules/google-cloud-armor/.gitignore b/infra/tf/modules/google-cloud-armor/.gitignore
@@ -0,0 +1,48 @@
+# OSX leaves these everywhere on SMB shares
+._*
+
+# OSX trash
+.DS_Store
+
+# Python
+*.pyc
+
+# Emacs save files
+*~
+\#*\#
+.\#*
+
+# Vim-related files
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+
+### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Kitchen files
+**/inspec.lock
+**/.kitchen
+**/.kitchen.local.yml
+**/Gemfile.lock
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+test/fixtures/shared/terraform.tfvars
+
+credentials.json
diff --git a/infra/tf/modules/google-cloud-armor/README.md b/infra/tf/modules/google-cloud-armor/README.md