Skip to content

banyansecurity/terraform-google-banyan-accesstier2

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

85 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Banyan Google Cloud Access Tier 2 Module

This module creates an auto-scaling instance group and a TCP load balancer in Google Cloud (GCP) for a Banyan Access Tier. A network load balancer forwards traffic to the instance group which, when added to the proper tags and banyan zero trust policies, allows for connections to internal services or to the network via service tunnel.

This module will create an access tier definition in the Banyan API, and an access_tier scoped API key. It will populate the launch configuration of all instances in the auto-scaling group with a short script to download the latest version of the Banyan NetAgent (or a pinned version if set), install it as a service, and launch the netagent with the API key and access tier configuration name for your Banyan organization.

Why Access Tier 2?

In order to ease the installation and configuration of the access tier, the new netagent only needs an access tier scoped API key, Banyan API URL, and the name of an access tier configuration in order to successfully connect. In this new module the access tier is defined in the Banyan API with the banyan_accesstier resource from the banyan terraform provider. The API key is created specifically for the access tier and added to the launch configuration

Usage

terraform {
  required_providers {
    banyan = {
      source  = "banyansecurity/banyan"
      version = "1.0.0"
    }
  }
}

provider "banyan" {
  api_key = "ADMIN-SCOPE-API-KEY"
}

provider "google" {
  project = "my-gcloud-project"
  region  = "us-west1"
}

module "gcp_accesstier" {
  source                   = "banyansecurity/banyan-accesstier2/google"
  name                     = "example"
  project                  = "example-project"
  region                   = "us-west1"
  network                  = "us-west1"
  subnetwork               = "us-west1-external"
  tags                     = ["allow-accesstier"]
  tunnel_cidrs             = ["10.10.0.0/24"]
}

Example Stack with Service Tunnel and Wildcard DNS Record

This example will configure the Banyan terraform provider and the Google Cloud provider. It will then create an access tier with a wildcard DNS record pointing to the address of the access tier. The access tier is configured with the tunnel CIDR of 10.10.0.0/16. This corresponds to CIDR of the private network(s) (the entire VPC or individual subnets in Google Cloud). A service tunnel is configured to use this access tier, with a policy which allows any user with a High trust level access to the service tunnel.

This policy could be narrowed down further using the access.l4_access attribute of the banyan_policy_tunnel resource.

This is an effective replacement of a VPN tunnel, which leverages the device trust, continuous authorization and SAML capabilities of Banyan.

terraform {
  required_providers {
    banyan = {
      source  = "banyansecurity/banyan"
      version = "1.0.0"
    }
  }
}

provider "banyan" {
  api_key = "ADMIN-SCOPE-API-KEY"
}

provider "google" {
  project = "my-gcloud-project"
  region  = "us-west1"
}

module "gcp_accesstier" {
  source                   = "banyansecurity/banyan-accesstier2/google"
  name                     = "example"
  project                  = "example-project"
  region                   = "us-west1"
  network                  = "us-west1"
  subnetwork               = "us-west1-external"
  tags                     = ["allow-accesstier"]
  tunnel_cidrs             = ["10.10.0.0/16"]
}

resource "banyan_service_tunnel" "example" {
  name        = "example-anyone-high"
  description = "tunnel allowing anyone with a high trust level"
  access_tier = module.gcp_accesstier.name
  policy      = banyan_policy_infra.anyone-high.id
}

resource "banyan_policy_tunnel" "anyone-high" {
  name        = "allow-anyone-high-trust"
  description = "${module.gcp_accesstier.name} allow"
  access {
    roles       = ["ANY"]
    trust_level = "High"
  }
}

resource "google_dns_record_set" "frontend" {
  name = "*.${module.gcp_accesstier.name}.mycompany.com"
  type = "A"
  ttl  = 300
  managed_zone = google_dns_managed_zone.prod.name
  rrdatas = module.gcp_accesstier.address
}

Upgrading Netagent

Set netagent_version to the desired version number. This will ensure all instances are pinned to the same version number. If netagent_version is not specified, each instance will automatically install the latest version.

Notes

  • The default value for management_cidr leaves SSH closed to instances in the access tier.

  • The current recommended setup for to use a banyan SSH service to SSH to a host inside the private network, which in turn has SSH access to the instances in the auto-scaling group. This way no SSH service is exposed to the internet.

Requirements

Name Version
banyan >=1.0.0

Providers

Name Version
banyan >=1.0.0
google n/a

Modules

No modules.

Resources

Name Type
banyan_accesstier.accesstier resource
banyan_api_key.accesstier resource
google_compute_address.external resource
google_compute_firewall.accesstier_ports resource
google_compute_firewall.accesstier_ports_tunnel resource
google_compute_firewall.accesstier_ssh resource
google_compute_firewall.healthcheck resource
google_compute_forwarding_rule.accesstier resource
google_compute_health_check.accesstier_health_check resource
google_compute_instance_template.accesstier_template resource
google_compute_region_autoscaler.accesstier resource
google_compute_region_backend_service.accesstier resource
google_compute_region_health_check.backend_service_loadbalancer_health_check resource
google_compute_region_instance_group_manager.accesstier_rigm resource
google_compute_image.accesstier_image data source
google_compute_network.accesstier_network data source
google_compute_subnetwork.accesstier_subnet data source

Inputs

Name Description Type Default Required
name Name to use when registering this Access Tier with the Banyan command center string n/a yes
network Name of the network the Access Tier will belong to string n/a yes
project GCloud project name where AccessTier is deployed string n/a yes
region Region in which to create the Access Tier string n/a yes
subnetwork Name of the subnetwork the Access Tier will belong to string n/a yes
banyan_host URL to the Banyan API server string "https://net.banyanops.com/" no
cluster Name of an existing Shield cluster to register this Access Tier with. This value is set automatically if omitted from the configuration string null no
console_log_level Controls verbosity of logs to console. Must be one of "ERR", "WARN", "INFO", "DEBUG" string null no
custom_user_data Custom commands to append to the launch configuration initialization script. list(string) [] no
datadog_api_key API key for DataDog string null no
disable_snat Disable Source Network Address Translation (SNAT) bool false no
enable_hsts If enabled, Banyan will send the HTTP Strict-Transport-Security response header bool null no
event_key_rate_limiting Enable rate limiting of Access Event generated based on a derived “key” value. Each key has a separate rate limiter, and events with the same key value are subjected to the rate limiter for that key bool null no
events_rate_limiting Enable rate limiting of Access Event generation based on a credit-based rate control mechanism bool null no
file_log Whether to log to file or not bool null no
file_log_level Controls verbosity of logs to file. Must be one of "ERR", "WARN", "INFO", "DEBUG" string null no
forward_trust_cookie Forward the Banyan trust cookie to upstream servers. This may be enabled if upstream servers wish to make use of information in the Banyan trust cookie bool null no
groups_by_userinfo Derive groups information from userinfo endpoint bool false no
log_num For file logs: Number of files to use for log rotation number null no
log_size For file logs: Size of each file for log rotation number null no
machine_type Google compute instance types string "e2-standard-4" no
management_cidrs CIDR blocks to allow SSH connections from. Default is the VPC CIDR range list(string) [] no
minimum_num_of_instances The minimum number of instances that should be running number 2 no
netagent-version Specific version of netagent string null no
netagent_version Override to use a specific version of netagent (e.g. 1.49.1). Omit for the latest version available string null no
redirect_http_to_https If true, requests to the Access Tier on port 80 will be redirected to port 443 bool false no
service_source_ip_ranges List of ip ranges which will be allowed access through the firewall to the Access Tier list(string)
[
"0.0.0.0/0"
]
no
service_source_tags List of network tags which will be allows access through the firewall to the Access Tier list(string) [] no
src_nat_cidr_range CIDR range which source Network Address Translation (SNAT) will be disabled for string null no
statsd_address Address to send statsd messages: “hostname:port” for UDP, “unix:///path/to/socket” for UDS string null no
tags Additional tags to assign to this Access Tier list(string) [] no
tunnel_cidrs Backend CIDR Ranges that correspond to the IP addresses in your private network(s) list(string) null no
tunnel_port UDP port for end users to this access tier to utilize when using service tunnel number null no
tunnel_private_domains Any internal domains that can only be resolved on your internal network’s private DNS list(string) null no

Outputs

Name Description
address ip address of the google compute forwarding rule
api_key_id ID of the API key associated with the Access Tier
name Name to use when registering this Access Tier with the console