GoogleCloudPlatform/terraform-google-cloud-ids

Cloud IDS Terraform Module

This module makes it easy to set up Cloud IDS, private services access, and a packet mirroring policy.

The packet mirroring policy requires at least one of the three options below:

  • Tags: Up to 5 asset tags can be specified.
  • Subnets: Up to 5 subnets can be specified.
  • Instances: Up to 50 instances can be specified.

Usage

module "cloud_ids" {
  source = "GoogleCloudPlatform/cloud-ids/google"

  project_id       = "<PROJECT_ID>"
  vpc_network_name = "<VPC_NETWORK_NAME>"
  network_region   = "<NETWORK_REGION>"
  network_zone     = "<NETWORK_ZONE>"

  # Mirroring targets: at least one of instance_list, subnet_list or tag_list is required.
  instance_list = [
    "projects/<PROJECT_ID>/zones/<ZONE-1>/instances/<INSTANCE-1>",
    "projects/<PROJECT_ID>/zones/<ZONE-2>/instances/<INSTANCE-2>",
  ]
  # Subnets are regional resources, so their paths use a region, not a zone.
  subnet_list = [
    "projects/<PROJECT_ID>/regions/<REGION-1>/subnetworks/<SUBNETWORK-1>",
    "projects/<PROJECT_ID>/regions/<REGION-1>/subnetworks/<SUBNETWORK-2>",
  ]
  tag_list = ["<TAG-1>", "<TAG-2>", "<TAG-3>", "<TAG-4>"]

  # Private services access range reserved for the Cloud IDS endpoint.
  ids_private_ip_range_name    = "ids-private-address"
  ids_private_ip_address       = "10.10.10.0"
  ids_private_ip_prefix_length = 24
  ids_private_ip_description   = "Cloud IDS reserved IP Range"

  ids_name                            = "cloud-ids"
  severity                            = "INFORMATIONAL"
  packet_mirroring_policy_name        = "cloud-ids-packet-mirroring"
  packet_mirroring_policy_description = "Packet mirroring policy for Cloud IDS"
}

Inputs

Each input is listed as name (type, default, required): description.

  • cidr_ranges_filter (list(string), default [], optional): IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported.
  • create_service_networking_connection (bool, default true, optional): Whether to create the service networking connection and IP range.
  • direction_filter (string, default "BOTH", optional): Direction of traffic to mirror. Possible values are INGRESS, EGRESS, and BOTH.
  • ids_name (string, default "cloud-ids", optional): Cloud IDS instance name.
  • ids_private_ip_address (string, default null, optional): Cloud IDS private IP address.
  • ids_private_ip_description (string, default "Cloud IDS reserved IP Range", optional): Cloud IDS private IP address description.
  • ids_private_ip_prefix_length (string, default 24, optional): Cloud IDS private IP address prefix length.
  • ids_private_ip_range_name (string, default "ids-private-address", optional): Cloud IDS private IP address range name.
  • instance_list (list(string), default null, optional): Instance list to monitor with Cloud IDS.
  • ip_protocols_filter (list(string), default [], optional): IP protocol filter for the packet mirroring policy. Can include 'tcp', 'udp', 'icmp', and 'esp'.
  • network_region (string, no default, required): Network region for IDS.
  • network_zone (string, no default, required): Network zone for IDS.
  • packet_mirroring_policy_description (string, default "Packet mirroring policy for Cloud IDS", optional): Packet mirroring policy description.
  • packet_mirroring_policy_name (string, default "cloud-ids-packet-mirroring", optional): Packet mirroring policy name.
  • project_id (string, no default, required): Project ID in which to deploy resources.
  • severity (string, default "INFORMATIONAL", optional): The minimum alert severity level that is reported by the endpoint.
  • subnet_list (list(string), default null, optional): Subnet list to monitor with Cloud IDS.
  • tag_list (list(string), default null, optional): Tag list to monitor with Cloud IDS.
  • threat_exceptions (list(string), default null, optional): List of threat IDs to exclude from generating alerts. Limit: 99 IDs.
  • vpc_network_name (string, no default, required): VPC network name for IDS.
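The mirroring-target limits and filter inputs documented above are only validated once Terraform talks to the API. The following pre-apply check is an added example, not part of the terraform-google-cloud-ids module; it encodes the constraints this README states (at least one of tags, subnets or instances; 5/5/50 entry limits; IPv4-only CIDR filters; tcp/udp/icmp/esp protocols; INGRESS/EGRESS/BOTH; at most 99 threat exceptions) and runs them over constructed sample inputs with placeholder project and resource names.

```python
"""Pre-apply check of the Cloud IDS module's packet mirroring inputs (added example,
not part of the module): it encodes the limits this README states."""
import ipaddress
import re

VALID_PROTOCOLS = {"tcp", "udp", "icmp", "esp"}
VALID_DIRECTIONS = {"INGRESS", "EGRESS", "BOTH"}
INSTANCE_RE = re.compile(r"^projects/[^/]+/zones/[^/]+/instances/[^/]+$")
SUBNET_RE = re.compile(r"^projects/[^/]+/regions/[^/]+/subnetworks/[^/]+$")
# Mirroring targets: (input name, documented limit, required resource-path pattern)
TARGETS = [("tag_list", 5, None), ("subnet_list", 5, SUBNET_RE), ("instance_list", 50, INSTANCE_RE)]


def check_mirroring_inputs(cfg: dict) -> list:
    """Return the problems found; an empty list means the inputs are acceptable."""
    problems = []
    if not any(cfg.get(name) for name, _, _ in TARGETS):
        problems.append("at least one of tag_list, subnet_list or instance_list is required")
    for name, limit, pattern in TARGETS:
        values = cfg.get(name) or []
        if len(values) > limit:
            problems.append(f"{name} has {len(values)} entries; the limit is {limit}")
        for value in values:  # subnets and instances must be full resource paths
            if pattern and not pattern.match(value):
                problems.append(f"{name} entry is not a valid resource path: {value}")
    for cidr in cfg.get("cidr_ranges_filter") or []:
        try:
            network = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"cidr_ranges_filter entry is not a valid CIDR: {cidr}")
            continue
        if network.version != 4:  # the filter supports IPv4 only
            problems.append(f"cidr_ranges_filter entry is not IPv4: {cidr}")
    unknown = set(cfg.get("ip_protocols_filter") or []) - VALID_PROTOCOLS
    if unknown:
        problems.append(f"ip_protocols_filter has unsupported protocols: {sorted(unknown)}")
    if cfg.get("direction_filter", "BOTH") not in VALID_DIRECTIONS:
        problems.append(f"direction_filter must be INGRESS, EGRESS or BOTH: {cfg['direction_filter']}")
    if len(cfg.get("threat_exceptions") or []) > 99:
        problems.append("threat_exceptions has more than 99 IDs")
    return problems


# Constructed sample inputs with placeholder project and resource names.
SAMPLE_OK = {"subnet_list": ["projects/example-project/regions/us-central1/subnetworks/app-subnet"],
             "cidr_ranges_filter": ["10.0.0.0/8"], "ip_protocols_filter": ["tcp", "udp"]}
SAMPLE_BAD = {"tag_list": ["t1", "t2", "t3", "t4", "t5", "t6"],
              "subnet_list": ["projects/example-project/zones/us-central1-a/subnetworks/app-subnet"],
              "cidr_ranges_filter": ["2001:db8::/32", "10.0.0.0/33"],
              "ip_protocols_filter": ["tcp", "gre"], "direction_filter": "INBOUND"}
```

Running check_mirroring_inputs(SAMPLE_BAD) reports six problems (too many tags, a zonal path where a regional subnet path is required, an IPv6 range, an invalid prefix length, an unsupported protocol and an unknown direction), while SAMPLE_OK passes cleanly.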

Outputs

  • ids_endpoint_id: IDS endpoint ID.
  • ids_endpoint_severity: IDS endpoint severity.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

  • [Terraform][terraform] v1.3
  • [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53

Service Account

A service account with the following roles must be used to provision the resources of this module:

  • Cloud IDS Admin: roles/ids.admin
  • Compute Packet Mirroring User: roles/compute.packetMirroringUser
  • Logs Viewer: roles/logging.viewer

The [Project Factory module][project-factory-module] and the [IAM module][iam-module] may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Cloud IDS API: ids.googleapis.com
  • Cloud Logging API: logging.googleapis.com
  • Compute Engine API: compute.googleapis.com
  • Service Networking API: servicenetworking.googleapis.com

The [Project Factory module][project-factory-module] can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.