This repository provides an API to create and manage Firewall rules in a GCP host project using API for an application.
THis project is deployed on 2 environements:
- Production: https://api.cloudservices.tech.adeo.cloud
- Stagging: https://gcp-firewall-api-2q3jhrmuuq-ew.a.run.app
Rules are based on Google compute API rest/v1/firewalls So, create a Google Rule, for example:
{
"network": "global/networks/lh-network",
"allowed": [
{
"IPProtocol": "tcp",
"ports": ["443"]
}
]
}And POST it to /project/<LH>/service_project/<LZV2>/application/<APP>/firewall_rule/<NAME>.
<LH>Landing Hub project ID which host your Landing Zone v2<LZV2>your Landing Zone v2 project ID<APP>an arbitrary application name<NAME>your wanted firewall rule name
The final firewall rule name will be <LZV2>-<APP>-<NAME>. It will be the same for the target tag.
It will return the given schema
GET /project/<LH>/service_project/<LZV2>/application/<APP>/
It will return the given schema
GET /project/<LH>/service_project/<LZV2>/application/<APP>/firewall_rule/<NAME>
It will return the given schema
DELETE /project/<LH>/service_project/<LZV2>/application/<APP>/firewall_rule/<NAME>
It will return the given schema
{
"application": "<APP>",
"data": [
{
"custom_name": "<NAME>",
"item": "*GoogleRule"
}
],
"project": "<LH>",
"service_project": "<LZV2>"
}Deployements are made by GitLabCI with service accounts.
Deployer service account have roles:
roles/run.adminto deploy a new Cloud Run revisionroles/storage.adminto store built Docker imageroles/iam.serviceAccountUserhttps://cloud.google.com/run/docs/reference/iam/roles#additional-configuration
Runtime service account, on each environement, have roles:
roles/viewerto view Compute resourcesroles/compute.securityAdminto create network resources (of course to create firewall rules)
All theses credentials are stored in Vault on path secret/gcp-firewall-api/*