GCP Cloud Run Jobs module for using a domain name as a f/w rule source
Containerized BASH script for creating and updating a firewall rule using a domain name as the source ip for a firewall rule.
Improvements made in this fork
- Lower CPU/RAM consumption: Make use of Cloud Run Jobs (in Preview), remove the need to create a server listening to incoming HTTP requests.
- More efficient: Cloud Run Job containers will self-terminate immediately after completion, no waiting period for container termination.
- Greater flexibilities: Removed hardcoded configurations such as deployment location and timezone.
Disclaimer
- This is not an officially supported Google product.
- Proper testing should be done before running this tool in production.
- Should the DNS servers being queried become exploited or not within the control of the customer, the firewall would then become at risk.
License Summary
This sample code is made available under Apache 2 license. See the LICENSE file.
GCP Costs
GCP Cloud Run Invocation and Cloud Scheduler Jobs
(Usually Free https://cloud.google.com/run/pricing#tables, https://cloud.google.com/scheduler/pricing)
Prerequisites
-
Setup GCP SDK or use the Cloud Shell - https://cloud.google.com/sdk, https://cloud.google.com/shell
-
Initialize the SDK for the target account
gcloud init
- https://cloud.google.com/sdk/docs/initializing
-
Run prerequisite.sh to create the required IAM objects and enable the required APIs.
sh prerequisite.sh
Building
-
Set the ENV variable for the Cloud Run Service name so that N different rules can be made for different domain names.
DOMAIN_FW_NAME='openfwusingdomain'
export DOMAIN_FW_NAME
-
Export the PROJECT_ID env variable to make it available for build and deploy shell scripts.
export PROJECT_ID
-
Run build.sh to build a new cloud run container image.
sh build.sh
Deploying
-
Update the env values and schedule frequency in the deploy.sh for your f/w rules settings.
example:
PRIORITY='1000'
RULES='tcp:80,tcp:8080,udp:8000'
DOMAIN='reddit.com'
TARGETTAGS='tags1'
NETWORK='default'
FREQUENCY='0 */1 * * *' -
Run deploy.sh to deploy to Cloud Run and create a new Cloud Scheduler Job.
sh deploy.sh