This repository provides an API to create and manage firewall rules in a GCP host project on behalf of an application.
This project is deployed on 2 environments:
- Production: https://api.cloudservices.tech.adeo.cloud
- Staging: https://gcp-firewall-api-2q3jhrmuuq-ew.a.run.app
Rules are based on the Google Compute API `rest/v1/firewalls` resource. So, start by writing a Google rule, for example:

```json
{
  "network": "global/networks/lh-network",
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": ["443"]
    }
  ]
}
```
Then POST it to `/project/<LH>/service_project/<LZV2>/application/<APP>/firewall_rule/<NAME>`, where:

- `<LH>`: Landing Hub project ID which hosts your Landing Zone v2
- `<LZV2>`: your Landing Zone v2 project ID
- `<APP>`: an arbitrary application name
- `<NAME>`: your wanted firewall rule name

The final firewall rule name will be `<LZV2>-<APP>-<NAME>`. The target tag will be the same.
It will return the schema given below.

The other endpoints return the same schema:

- GET `/project/<LH>/service_project/<LZV2>/application/<APP>/`
- GET `/project/<LH>/service_project/<LZV2>/application/<APP>/firewall_rule/<NAME>`
- DELETE `/project/<LH>/service_project/<LZV2>/application/<APP>/firewall_rule/<NAME>`

Returned schema:

```json
{
  "application": "<APP>",
  "data": [
    {
      "custom_name": "<NAME>",
      "item": "*GoogleRule"
    }
  ],
  "project": "<LH>",
  "service_project": "<LZV2>"
}
```
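As an added example (not part of this project's code), the following Python helper assembles the POST described above without sending it: it composes the `<LZV2>-<APP>-<NAME>` rule name and checks it against the GCE resource-name grammar, refuses path segments that could change which resource the URL addresses, sanity-checks the Google rule body, and flags conditions that deserve a look before the rule is created (a `0.0.0.0/0` source range, all protocols, all ports). The base URL is the staging one from this README; the project and application values are constructed placeholders, and the request body is assumed to be exactly the Compute `firewalls` resource the README points to.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Staging base URL from the README; used by the usage call at the bottom.
STAGING = "https://gcp-firewall-api-2q3jhrmuuq-ew.a.run.app"

# Google Compute Engine resource-name grammar: 1-63 chars, lowercase letters,
# digits and hyphens, starting with a letter and not ending with a hyphen.
GCE_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
# Stricter grammar for each URL path segment, so '/', '..' or '?' coming from
# untrusted input can never redirect the request to another resource.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
IP_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "sctp", "ipip", "all"}


def final_rule_name(lzv2: str, app: str, name: str) -> str:
    """Name the API composes, <LZV2>-<APP>-<NAME>, also used as the target tag."""
    composed = f"{lzv2}-{app}-{name}"
    if not GCE_NAME_RE.match(composed):
        raise ValueError(f"{composed!r} is not a valid GCE firewall rule name")
    return composed


def rule_path(lh: str, lzv2: str, app: str, name: str) -> str:
    """Path of the firewall_rule resource, with every segment validated first."""
    for seg in (lh, lzv2, app, name):
        if not SEGMENT_RE.match(seg):
            raise ValueError(f"refusing unsafe path segment {seg!r}")
    return f"/project/{lh}/service_project/{lzv2}/application/{app}/firewall_rule/{name}"


def validate_google_rule(rule: dict[str, Any]) -> dict[str, Any]:
    """Sanity-check a Compute 'firewalls' body (network + allowed) before sending."""
    network = rule.get("network")
    if not isinstance(network, str) or not network.startswith("global/networks/"):
        raise ValueError("network must look like 'global/networks/<name>'")
    allowed = rule.get("allowed")
    if not isinstance(allowed, list) or not allowed:
        raise ValueError("allowed must be a non-empty list")
    for entry in allowed:
        proto = entry.get("IPProtocol")
        # Compute accepts protocol names or a numeric protocol string.
        if proto not in IP_PROTOCOLS and not (isinstance(proto, str) and proto.isdigit()):
            raise ValueError(f"unsupported IPProtocol {proto!r}")
        for port in entry.get("ports", []):
            m = PORT_RE.match(str(port))
            if not m or any(int(p) > 65535 for p in m.groups() if p is not None):
                raise ValueError(f"bad port spec {port!r}")
    return rule


def risk_flags(rule: dict[str, Any]) -> list[str]:
    """Conditions a reviewer should see before the rule is created."""
    flags = []
    if "0.0.0.0/0" in rule.get("sourceRanges", []):
        flags.append("open-to-internet")
    allowed = rule.get("allowed", [])
    if any(e.get("IPProtocol") == "all" for e in allowed):
        flags.append("all-protocols")
    # A tcp/udp entry with no 'ports' opens every port of that protocol.
    if any("ports" not in e for e in allowed if e.get("IPProtocol") in ("tcp", "udp")):
        flags.append("all-ports")
    return flags


def build_post_request(base_url, lh, lzv2, app, name, rule):
    """Assemble the POST without sending it: method, URL, JSON body, expected name, flags."""
    validate_google_rule(rule)
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + rule_path(lh, lzv2, app, name),
        "body": json.dumps(rule),
        "expected_rule_name": final_rule_name(lzv2, app, name),
        "flags": risk_flags(rule),
    }


if __name__ == "__main__":
    # Constructed sample values (not real projects); the body is the README's example rule.
    req = build_post_request(
        STAGING, "lh-host", "lz-app1", "web", "https",
        {"network": "global/networks/lh-network",
         "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    )
    print(json.dumps(req, indent=2))
```

The returned dictionary can be handed to any HTTP client; the point of keeping assembly separate from sending is that the composed name, the URL and the review flags can be checked (or logged for audit) before anything reaches the API.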
Deployments are made by GitLab CI with service accounts.

The deployer service account has the roles:

- `roles/run.admin` to deploy a new Cloud Run revision
- `roles/storage.admin` to store the built Docker image
- `roles/iam.serviceAccountUser` (see https://cloud.google.com/run/docs/reference/iam/roles#additional-configuration)
The runtime service account, on each environment, has the roles:

- `roles/viewer` to view Compute resources
- `roles/compute.securityAdmin` to create network resources (of course, to create firewall rules)

All these credentials are stored in Vault under the path `secret/gcp-firewall-api/*`.