Creates an autoscaling Access Tier for use with Banyan Security.
This module creates an autoscaler and a TCP load balancer in Google Cloud (GCP) for a Banyan Access Tier. Only the load balancer is exposed to the public internet. The Access Tier and your applications live in private subnets with no ingress from the internet.
```hcl
provider "google" {
  project = "my-gcloud-project"
  region  = "us-west1"
}

module "gcp_accesstier" {
  # Terraform Registry source for this module (required on every module block)
  source = "banyansecurity/banyan-accesstier/google"

  name                     = "my-accesstier"      # prefix applied to every resource the module creates
  project                  = "my-project"
  region                   = "us-west1"
  network                  = "my-network"         # existing VPC network
  subnetwork               = "my-subnet"          # private subnet for the Access Tier instances
  cluster_name             = "us-west1"           # existing Shield cluster to register with
  site_name                = "my-banyan-site"
  site_domain_names        = ["*.bnndemos.com"]   # DNS names that will resolve to the load balancer
  minimum_num_of_instances = 2
  refresh_token            = var.refresh_token    # Banyan API token, supplied as a variable (see below)
}
```
It is also a good idea to keep the refresh_token out of your code and pass it in as a variable instead, so you don't accidentally commit your Banyan API token to your version control system:
```hcl
variable "refresh_token" {
  type = string
}

module "gcp_accesstier" {
  source        = "banyansecurity/banyan-accesstier/google"
  refresh_token = var.refresh_token
  ...
}
```
```shell
export TF_VAR_refresh_token="eyJhbGciOiJSUzI1NiIsIm..."
terraform plan
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
api_server | URL of the Banyan API server | string | "https://net.banyanops.com/api/v1" | no |
at_version | Access Tier version to install; if left blank, the latest version is installed | string | "" | no |
cluster_name | Name of an existing Shield cluster to register this AccessTier with | string | n/a | yes |
deb_repo | Repository that hosts the netagent binaries | string | "www.banyanops.com" | no |
machine_type | Google Compute Engine machine type for the instances | string | "e2-standard-4" | no |
minimum_num_of_instances | Minimum number of instances that should be running | number | 2 | no |
name | Name of the environment being protected. All resources will be prefixed with this name | string | n/a | yes |
network | Name of the network the AccessTier will belong to | string | n/a | yes |
project | GCloud project name where the AccessTier is deployed | string | n/a | yes |
redirect_http_to_https | If true, requests to the AccessTier on port 80 will be redirected to port 443 | bool | false | no |
refresh_token | API token generated from the Banyan console | string | n/a | yes |
region | Region in which to create the AccessTier | string | n/a | yes |
site_domain_names | List of aliases or CNAMEs that will direct traffic to this AccessTier | list(string) | n/a | yes |
site_name | Name to use when registering this AccessTier with the console | string | n/a | yes |
subnetwork | Name of the subnetwork the AccessTier will belong to | string | n/a | yes |

Name | Description |
---|---|
lb_ip_address | External IP address of the load balancer |
- Add support for access event rate-limiting parameters
- Adjust kernel tunables according to Banyan best-practice docs
Module created and managed by Todd Radel.
Licensed under Apache 2. See LICENSE for details.
The network you use needs Cloud NAT configured so that the Access Tier instances, which sit in a private subnet with no ingress from the internet, can still make outbound connections (for example to the Banyan API server and the deb repository).
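As an added example that is not part of this README or the Banyan module itself, the following root configuration ties together the two points above: the refresh token is supplied as a sensitive variable rather than hard-coded, and Cloud NAT is created on the Access Tier's network before the module brings up instances. The project, network, subnet, router and NAT names are assumed placeholders; the module inputs are the ones listed in the inputs table.

```hcl
# Added example (not the module's own code): a complete root configuration
# with token-as-variable handling, Cloud NAT for outbound traffic, and the
# load balancer IP exposed as an output. Names below are placeholders.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "my-gcloud-project"
  region  = "us-west1"
}

# Supply this via TF_VAR_refresh_token or a -var-file that is not committed.
# "sensitive" (Terraform 0.14+) keeps the value out of plan/apply output.
variable "refresh_token" {
  type      = string
  sensitive = true
}

# Look up the existing private subnet so Cloud NAT can be scoped to it only.
data "google_compute_subnetwork" "accesstier" {
  name   = "my-subnet"
  region = "us-west1"
}

# Cloud Router + Cloud NAT: lets instances without public IPs reach the
# Banyan API server and the deb repo, while keeping ingress closed.
resource "google_compute_router" "accesstier" {
  name    = "my-accesstier-router"
  network = "my-network"
  region  = "us-west1"
}

resource "google_compute_router_nat" "accesstier" {
  name                               = "my-accesstier-nat"
  router                             = google_compute_router.accesstier.name
  region                             = "us-west1"
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  # NAT only the Access Tier subnet, not every subnet in the VPC.
  subnetwork {
    name                    = data.google_compute_subnetwork.accesstier.self_link
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Log NAT errors (e.g. port exhaustion) so outbound failures are visible.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

module "gcp_accesstier" {
  source = "banyansecurity/banyan-accesstier/google"

  name                     = "my-accesstier"
  project                  = "my-gcloud-project"
  region                   = "us-west1"
  network                  = "my-network"
  subnetwork               = "my-subnet"
  cluster_name             = "us-west1"
  site_name                = "my-banyan-site"
  site_domain_names        = ["*.bnndemos.com"]
  minimum_num_of_instances = 2
  redirect_http_to_https   = true   # send plain-HTTP clients to TLS on 443
  refresh_token            = var.refresh_token

  # Ensure outbound connectivity exists before instances try to register.
  depends_on = [google_compute_router_nat.accesstier]
}

output "lb_ip_address" {
  description = "Point the site_domain_names DNS records at this address"
  value       = module.gcp_accesstier.lb_ip_address
}
```

Run it with `export TF_VAR_refresh_token=...` followed by `terraform plan` as shown earlier; the `depends_on` on the module matters because the instances register with the Banyan console during boot, which fails silently if NAT is not yet in place.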