Add cloud armor policies

e2b-dev · Oct 21, 2024 · 9602386 · 9602386
1 parent 3cc60e0
commit 9602386
Show file tree

Hide file tree

Showing 5 changed files with 241 additions and 45 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/Makefile b/Makefile
@@ -122,4 +122,11 @@ switch-env:
 	@ printf "Switching from `tput setaf 1``tput bold`$(shell cat .last_used_env)`tput sgr0` to `tput setaf 2``tput bold`$(ENV)`tput sgr0`\n\n"
 	@ echo $(ENV) > .last_used_env
 	@ . .env.${ENV}
-	terraform init -input=false -reconfigure -backend-config="bucket=${TERRAFORM_STATE_BUCKET}"
+	terraform init -input=false -upgrade -reconfigure -backend-config="bucket=${TERRAFORM_STATE_BUCKET}"
+
+# Shortcut to importing resources into Terraform state (e.g. after creating resources manually or switching between different branches for the same environment)
+.PHONY: import
+import:
+	@ printf "Importing resources for env: `tput setaf 2``tput bold`$(ENV)`tput sgr0`\n\n"
+	./scripts/confirm.sh $(ENV)
+	$(tf_vars) terraform import $(TARGET) $(ID)
diff --git a/main.tf b/main.tf
@@ -10,11 +10,11 @@ terraform {
     }
     google = {
       source  = "hashicorp/google"
-      version = "5.25.0"
+      version = "5.31.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "5.25.0"
+      version = "5.31.0"
     }
     cloudflare = {
       source  = "cloudflare/cloudflare"

diff --git a/packages/api/main.tf b/packages/api/main.tf
@@ -6,7 +6,7 @@ terraform {
     }
     google = {
       source  = "hashicorp/google"
-      version = "5.25.0"
+      version = "5.31.0"
     }
     random = {
       source  = "hashicorp/random"

diff --git a/packages/cluster/network/main.tf b/packages/cluster/network/main.tf
@@ -273,6 +273,8 @@ resource "google_compute_backend_service" "default" {
   load_balancing_scheme = "EXTERNAL_MANAGED"
   health_checks         = [google_compute_health_check.default[each.key].self_link]
 
+  security_policy = google_compute_security_policy.default[each.key].self_link
+
   log_config {
     enable = true
   }
@@ -339,6 +341,23 @@ resource "google_compute_health_check" "default" {
   }
 }
 
+
+resource "google_compute_security_policy" "default" {
+  provider = google-beta
+  for_each = local.health_checked_backends
+  name     = "${var.prefix}${each.key}"
+
+  dynamic "adaptive_protection_config" {
+    for_each = each.key == "api" ? [true] : []
+
+    content {
+      layer_7_ddos_defense_config {
+        enable = true
+      }
+    }
+  }
+}
+
 resource "google_compute_firewall" "default-hc" {
   name    = "${var.prefix}load-balancer-hc"
   network = var.network_name
@@ -383,6 +402,7 @@ module "gce_lb_http_logs" {
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
       custom_response_headers         = null
+      security_policy                 = google_compute_security_policy.disable-bots-log-collector.self_link
 
       health_check = {
         check_interval_sec  = null
@@ -453,3 +473,172 @@ resource "google_compute_firewall" "orch_firewall_egress" {
   direction   = "EGRESS"
   target_tags = [var.cluster_tag_name]
 }
+
+
+# Security policy
+resource "google_compute_security_policy_rule" "api-throttling-api-key" {
+  security_policy = google_compute_security_policy.default["api"].name
+  provider        = google-beta
+  action          = "throttle"
+  priority        = "300"
+  match {
+    expr {
+      expression = "request.path == \"/sandboxes\" && request.method == \"POST\""
+    }
+  }
+
+  rate_limit_options {
+    conform_action = "allow"
+    exceed_action  = "deny(429)"
+
+    enforce_on_key_configs {
+      enforce_on_key_name = "X-API-Key"
+      enforce_on_key_type = "HTTP_HEADER"
+    }
+
+    rate_limit_threshold {
+      count        = 50
+      interval_sec = 30
+    }
+  }
+
+  description = "Sandbox creation per API key"
+}
+
+
+resource "google_compute_security_policy_rule" "api-throttling-ip" {
+  security_policy = google_compute_security_policy.default["api"].name
+  provider        = google-beta
+  action          = "throttle"
+  priority        = "500"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+
+  rate_limit_options {
+    conform_action = "allow"
+    exceed_action  = "deny(429)"
+
+    enforce_on_key = ""
+
+    enforce_on_key_configs {
+      enforce_on_key_type = "IP"
+    }
+
+    rate_limit_threshold {
+      count        = 2000
+      interval_sec = 60
+    }
+  }
+
+  description = "Requests to API from IP address"
+}
+
+resource "google_compute_security_policy_rule" "sandbox-throttling-host" {
+  security_policy = google_compute_security_policy.default["session"].name
+  provider        = google-beta
+  description     = "WS envd connection requests per sandbox"
+
+  action   = "throttle"
+  priority = "300"
+  match {
+    expr {
+      expression = "request.path == \"/ws\""
+    }
+  }
+
+  rate_limit_options {
+    conform_action = "allow"
+    exceed_action  = "deny(429)"
+
+    enforce_on_key_configs {
+      enforce_on_key_name = "host"
+      enforce_on_key_type = "HTTP_HEADER"
+    }
+
+    rate_limit_threshold {
+      count        = 40
+      interval_sec = 30
+    }
+  }
+}
+
+resource "google_compute_security_policy_rule" "sandbox-throttling-ip" {
+  security_policy = google_compute_security_policy.default["session"].name
+  provider        = google-beta
+  action          = "throttle"
+  priority        = "500"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+
+  rate_limit_options {
+    conform_action = "allow"
+    exceed_action  = "deny(429)"
+
+    enforce_on_key = ""
+
+    enforce_on_key_configs {
+      enforce_on_key_type = "IP"
+    }
+
+    rate_limit_threshold {
+      count        = 2000
+      interval_sec = 60
+    }
+  }
+
+  description = "Requests to sandboxes from IP address"
+}
+
+resource "google_compute_security_policy_rule" "disable-consul" {
+  security_policy = google_compute_security_policy.default["consul"].name
+  provider        = google-beta
+  action          = "deny(403)"
+  priority        = "1"
+  description     = "Disable all requests to Consul"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+}
+
+
+
+resource "google_compute_security_policy" "disable-bots-log-collector" {
+  name     = "disable-bots-log-collector"
+  provider = google-beta
+
+  rule {
+    action   = "allow"
+    priority = "300"
+    match {
+      expr {
+        expression = "request.path == \"/\" && request.method == \"POST\""
+      }
+    }
+
+    description = "Allow POST requests  to / (collecting logs)"
+  }
+
+  rule {
+    action      = "deny(403)"
+    priority    = "2147483647"
+    description = "Default rule, higher priority overrides it"
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+  }
+}
+