chore: add SFB vpc example (#180)

* chore: add SFB vpc example

* add fw rules, vpc desc

* add missing project ids

* fix: add project-id to fw rules

Co-authored-by: kaariger <[email protected]>

catalog/networking/firewall/common-rules/README.md

@@ -45,6 +45,7 @@ Contents:
 | google-api-cidr        | [199.36.153.8/30]   | array |     1 |
 | network-name           | network-name        | str   |    14 |
 | priority               |               10000 | int   |     4 |
+| project-id             | project-id          | str   |     7 |
 
 ## Sub-packages
 

catalog/networking/firewall/common-rules/egress/allow-google-apis.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 65534
   allow:

catalog/networking/firewall/common-rules/egress/allow-windows-kms.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 100
   allow:

catalog/networking/firewall/common-rules/egress/deny-all.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 65535
   deny:

catalog/networking/firewall/common-rules/ingress/allow-gcp-lb.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 10000 # kpt-set: ${priority}
   allow:

catalog/networking/firewall/common-rules/ingress/allow-iap-rdp.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 10000 # kpt-set: ${priority}
   allow:

catalog/networking/firewall/common-rules/ingress/allow-iap-ssh.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 10000 # kpt-set: ${priority}
   allow:

catalog/networking/firewall/common-rules/ingress/allow-internal-common.yaml

@@ -18,6 +18,7 @@ metadata:
   namespace: firewalls-namespace # kpt-set: ${firewalls-namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
   priority: 10000 # kpt-set: ${priority}
   allow:

catalog/networking/firewall/common-rules/setters.yaml

@@ -26,3 +26,4 @@ data:
   google-api-cidr: |
     - 199.36.153.8/30
   network-name: network-name
+  project-id: project-id

examples/dual-svpc/README.md

@@ -0,0 +1,3 @@
+# Dual Shared VPC Networking Pattern
+
+This example showcases an implementation of the [dual Shared VPC networking pattern](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) defined by the Security Foundations Blueprint.

examples/dual-svpc/vpc-shared-base/Kptfile

@@ -0,0 +1,27 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: vpc-shared-base
+  annotations:
+    blueprints.cloud.google.com/title: Virtual Private Cloud blueprint
+upstream:
+  type: git
+  git:
+    repo: https://github.com/GoogleCloudPlatform/blueprints
+    directory: /catalog/networking/network/vpc
+    ref: main
+  updateStrategy: resource-merge
+upstreamLock:
+  type: git
+  git:
+    repo: https://github.com/GoogleCloudPlatform/blueprints
+    directory: /catalog/networking/network/vpc
+    ref: main
+    commit: 783380ce4e6c3f21e9e90055b3a88bada0410154
+info:
+  description: A Virtual Private Cloud (VPC)
+pipeline:
+  mutators:
+    - image: gcr.io/kpt-fn/apply-setters:v0.2
+      configPath: setters.yaml
+

examples/dual-svpc/vpc-shared-base/README.md

@@ -0,0 +1,72 @@
+<!-- BEGINNING OF PRE-COMMIT-BLUEPRINT DOCS HOOK:TITLE -->
+# Virtual Private Cloud blueprint
+
+
+<!-- END OF PRE-COMMIT-BLUEPRINT DOCS HOOK:TITLE -->
+<!-- BEGINNING OF PRE-COMMIT-BLUEPRINT DOCS HOOK:BODY -->
+A Virtual Private Cloud (VPC)
+
+## Setters
+
+|     Name     |    Value     | Type | Count |
+|--------------|--------------|------|-------|
+| namespace    | networking   | str  |     1 |
+| network-name | network-name | str  |     1 |
+| project-id   | project-id   | str  |     3 |
+
+## Sub-packages
+
+This package has no sub-packages.
+
+## Resources
+
+|     File      |                 APIVersion                 |      Kind      |        Name        | Namespace  |
+|---------------|--------------------------------------------|----------------|--------------------|------------|
+| services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service        | project-id-compute | projects   |
+| vpc.yaml      | compute.cnrm.cloud.google.com/v1beta1      | ComputeNetwork | network-name       | networking |
+
+## Resource References
+
+- [ComputeNetwork](https://cloud.google.com/config-connector/docs/reference/resource-docs/compute/computenetwork)
+- [Service](https://cloud.google.com/config-connector/docs/reference/resource-docs/serviceusage/service)
+
+## Usage
+
+1.  Clone the package:
+    ```shell
+    kpt pkg get https://github.com/GoogleCloudPlatform/blueprints.git/catalog/networking/network/vpc@${VERSION}
+    ```
+    Replace `${VERSION}` with the desired repo branch or tag
+    (for example, `main`).
+
+1.  Move into the local package:
+    ```shell
+    cd "./vpc/"
+    ```
+
+1.  Edit the function config file(s):
+    - setters.yaml
+
+1.  Execute the function pipeline
+    ```shell
+    kpt fn render
+    ```
+
+1.  Initialize the resource inventory
+    ```shell
+    kpt live init --namespace ${NAMESPACE}"
+    ```
+    Replace `${NAMESPACE}` with the namespace in which to manage
+    the inventory ResourceGroup (for example, `config-control`).
+
+1.  Apply the package resources to your cluster
+    ```shell
+    kpt live apply
+    ```
+
+1.  Wait for the resources to be ready
+    ```shell
+    kpt live status --output table --poll-until current
+    ```
+
+<!-- END OF PRE-COMMIT-BLUEPRINT DOCS HOOK:BODY -->

examples/dual-svpc/vpc-shared-base/fw/Kptfile

@@ -0,0 +1,53 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: fw
+  annotations:
+    blueprints.cloud.google.com/title: Firewall Common Rules blueprint
+upstream:
+  type: git
+  git:
+    repo: https://github.com/GoogleCloudPlatform/blueprints
+    directory: /catalog/networking/firewall/common-rules
+    ref: main
+  updateStrategy: resource-merge
+upstreamLock:
+  type: git
+  git:
+    repo: https://github.com/GoogleCloudPlatform/blueprints
+    directory: /catalog/networking/firewall/common-rules
+    ref: main
+    commit: c1ddf5efcc0cdb6b80b734c32f60501f55c703a4
+info:
+  description: |
+    Common firewall rules for projects with a private network.
+
+    Included rules:
+
+    - allow common ports between private IP ranges
+    - allow common ports from GCP load balancer ranges
+    - allow ssh and rdp from GCP IAP ranges
+
+    Contents:
+    -   egress
+        -   allow-google-apis.yaml - creates a firewall rule that allows traffic
+            to private.googleapis.com IP range
+        -   allow-windows-kms.yaml - creates a firewall rule that allows traffic
+            to kms.windows.googlecloud.com IP range
+        -   deny-all.yaml - creates a firewall rule that denys all egress traffic
+            on TCP/UDP. It is recommended that if this rule is enabled, to also
+            enable the "allow-google-apis" rule.
+    -   ingress
+        -   allow-gcp-lb.yaml - creates a firewall rule that allows traffic from
+            GCP load balancer ranges for health check and proxy traffic on ports
+            80, 443, and 8080
+        -   allow-iap-rdp.yaml - creates a firewall rule that allow traffic from
+            IAP forwarding ranges for RDP
+        -   allow-iap-ssh.yaml - creates a firewall rule that allow traffic from
+            IAP forwarding ranges for SSH
+        -   allow-internal-common.yaml - creates a firewall rule that allows SSH,
+            SSL, HTTP (8080), and ICMP traffic on all RFC1918 ranges
+pipeline:
+  mutators:
+    - image: gcr.io/kpt-fn/apply-setters:v0.1
+      configPath: setters.yaml

examples/dual-svpc/vpc-shared-base/fw/README.md

@@ -0,0 +1,108 @@
+<!-- BEGINNING OF PRE-COMMIT-BLUEPRINT DOCS HOOK:TITLE -->
+# Firewall Common Rules blueprint
+
+
+<!-- END OF PRE-COMMIT-BLUEPRINT DOCS HOOK:TITLE -->
+<!-- BEGINNING OF PRE-COMMIT-BLUEPRINT DOCS HOOK:BODY -->
+Common firewall rules for projects with a private network.
+
+Included rules:
+
+- allow common ports between private IP ranges
+- allow common ports from GCP load balancer ranges
+- allow ssh and rdp from GCP IAP ranges
+
+Contents:
+-   egress
+    -   allow-google-apis.yaml - creates a firewall rule that allows traffic
+        to private.googleapis.com IP range
+    -   allow-windows-kms.yaml - creates a firewall rule that allows traffic
+        to kms.windows.googlecloud.com IP range
+    -   deny-all.yaml - creates a firewall rule that denys all egress traffic
+        on TCP/UDP. It is recommended that if this rule is enabled, to also
+        enable the "allow-google-apis" rule.
+-   ingress
+    -   allow-gcp-lb.yaml - creates a firewall rule that allows traffic from
+        GCP load balancer ranges for health check and proxy traffic on ports
+        80, 443, and 8080
+    -   allow-iap-rdp.yaml - creates a firewall rule that allow traffic from
+        IAP forwarding ranges for RDP
+    -   allow-iap-ssh.yaml - creates a firewall rule that allow traffic from
+        IAP forwarding ranges for SSH
+    -   allow-internal-common.yaml - creates a firewall rule that allows SSH,
+        SSL, HTTP (8080), and ICMP traffic on all RFC1918 ranges
+
+## Setters
+
+|          Name          |        Value        | Type  | Count |
+|------------------------|---------------------|-------|-------|
+| allow-default-egress   | true                | bool  |     1 |
+| dont-allow-google-apis | true                | bool  |     1 |
+| dont-allow-windows-kms | true                | bool  |     1 |
+| enable-logging         | false               | bool  |     7 |
+| firewall-project-id    | firewall-project-id | str   |     0 |
+| firewalls-namespace    | firewalls-namespace | str   |     7 |
+| google-api-cidr        | [199.36.153.8/30]   | array |     1 |
+| network-name           | network-name        | str   |    14 |
+| priority               |               10000 | int   |     4 |
+
+## Sub-packages
+
+This package has no sub-packages.
+
+## Resources
+
+|                File                |              APIVersion               |      Kind       |                 Name                  |      Namespace      |
+|------------------------------------|---------------------------------------|-----------------|---------------------------------------|---------------------|
+| egress/allow-google-apis.yaml      | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-allow-google-apis     | firewalls-namespace |
+| egress/allow-windows-kms.yaml      | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-allow-windows-kms     | firewalls-namespace |
+| egress/deny-all.yaml               | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-deny-all-egress       | firewalls-namespace |
+| ingress/allow-gcp-lb.yaml          | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-allow-gcp-lb          | firewalls-namespace |
+| ingress/allow-iap-rdp.yaml         | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-allow-iap-rdp         | firewalls-namespace |
+| ingress/allow-iap-ssh.yaml         | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-allow-iap-ssh         | firewalls-namespace |
+| ingress/allow-internal-common.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | network-name-fw-allow-internal-common | firewalls-namespace |
+
+## Resource References
+
+- [ComputeFirewall](https://cloud.google.com/config-connector/docs/reference/resource-docs/compute/computefirewall)
+
+## Usage
+
+1.  Clone the package:
+    ```shell
+    kpt pkg get https://github.com/GoogleCloudPlatform/blueprints.git/catalog/networking/firewall/common-rules@${VERSION}
+    ```
+    Replace `${VERSION}` with the desired repo branch or tag
+    (for example, `main`).
+
+1.  Move into the local package:
+    ```shell
+    cd "./common-rules/"
+    ```
+
+1.  Edit the function config file(s):
+    - setters.yaml
+
+1.  Execute the function pipeline
+    ```shell
+    kpt fn render
+    ```
+
+1.  Initialize the resource inventory
+    ```shell
+    kpt live init --namespace ${NAMESPACE}"
+    ```
+    Replace `${NAMESPACE}` with the namespace in which to manage
+    the inventory ResourceGroup (for example, `config-control`).
+
+1.  Apply the package resources to your cluster
+    ```shell
+    kpt live apply
+    ```
+
+1.  Wait for the resources to be ready
+    ```shell
+    kpt live status --output table --poll-until current
+    ```
+
+<!-- END OF PRE-COMMIT-BLUEPRINT DOCS HOOK:BODY -->

examples/dual-svpc/vpc-shared-base/fw/ingress/allow-iap-rdp.yaml

@@ -0,0 +1,36 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata: # kpt-merge: firewalls-namespace/network-name-fw-allow-iap-rdp
+  name: vpc-shared-base-allow-iap-rdp # kpt-set: ${network-name}-allow-iap-rdp
+  namespace: config-control # kpt-set: ${namespace}
+  annotations:
+    cnrm.cloud.google.com/blueprint: cnrm/landing-zone:networking/v0.4.0,kpt-pkg-fn-live
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  priority: 10000 # kpt-set: ${priority}
+  allow:
+    - ports:
+        - "3389"
+      protocol: tcp
+  direction: INGRESS
+  disabled: false
+  enableLogging: true # kpt-set: ${enable-logging}
+  networkRef:
+    name: vpc-shared-base # kpt-set: ${network-name}
+  sourceRanges:
+    - "35.235.240.0/20"
+  targetTags:
+    - allow-iap-rdp