Create a deployment with an out-of-band security appliance.
This solution aids in the creation and management of scalable Terraform deployments of VM-based third-party security appliances that inspect mirrored traffic.
To deploy this blueprint you must have an active billing account and billing permissions.
Basic usage of this module is as follows:
```hcl
module "out_of_band_security" {
  source  = "terraform-google-modules/out-of-band-security/google"
  version = "~> 0.15"

  project_id    = "<PROJECT ID>"
  naming_prefix = "example-prefix"
  source_image  = "https://www.exampleapis.com/path_to_img"
}
```
Functional examples are included in the examples directory.
Name | Description | Type | Default | Required |
---|---|---|---|---|
add_protected_network | Allow the creation of a protected network interface for the instance template. | bool | false | no |
additional_disks | Allow the creation of one or more additional persistent disks for the VM instance. | map(any) | {} | no |
block_project_ssh_keys | Ability for customers to block or allow the use of project-wide SSH keys in their VM. | bool | false | no |
compute_instance_metadata | Key/value pairs that are made available within each VM instance. | map(string) | {} | no |
cpu_target | CPU target for autoscaling. | number | 0.75 | no |
create_public_management_ip | Allow the creation of a public IP address for the management interface of each VM. The IP will be ephemeral instead of static. | bool | false | no |
health_check_port | Allow overriding of the default port for the health check. | number | 80 | no |
machine_type | The machine type for the firewall compute instances. | string | "n1-standard-4" | no |
max_instances | Maximum compute instances in the cluster. | number | 3 | no |
mgmt_network | The name of an existing VPC that will be used for the management interface of the deployed firewall VMs. | string | "default" | no |
mgmt_subnet | The name of an existing subnet within this VPC (and available for every chosen zone) that will be used for the management interface of the deployed firewall VMs. | string | "default" | no |
min_instances | Minimum compute instances in the cluster. | number | 2 | no |
naming_prefix | A prefix string prepended to the names of all deployed resources so they can be easily traced back to this deployment. | string | n/a | yes |
project_id | Project the resources will be deployed into. | string | n/a | yes |
region | The GCP region for deployment. | string | "us-central1" | no |
scopes | The list of access scopes for the service account attached to the VM. | list(string) | [] | no |
source_image | Source image URL path for the security appliance being deployed. | string | n/a | yes |
traffic_subnet_cidr | CIDR range of the subnet where the firewall VMs are inspecting traffic. This VPC will need to be peered to existing VPCs for packet mirroring, so ensure it is a unique range for your organization. | string | "10.127.10.0/24" | no |
zones | List of GCP zones for deployment. | list(string) | ["us-central1-a", "us-central1-b", "us-central1-c"] | no |
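As an added example (not taken from the module's own examples directory), the invocation below sets the inputs above to their more conservative values: project-wide SSH keys blocked, no public management IP, an explicit least-privilege scope list instead of the empty default, and a `traffic_subnet_cidr` chosen not to collide with the VPCs that will be peered for packet mirroring. The project ID, prefix, image URL, VPC/subnet names, CIDR and metadata key are placeholders or assumptions for this example.

```hcl
module "out_of_band_security" {
  source  = "terraform-google-modules/out-of-band-security/google"
  version = "~> 0.15"

  # Placeholder values: replace with your own project, prefix and vendor image.
  project_id    = "<PROJECT ID>"
  naming_prefix = "oob-ids"
  source_image  = "https://www.exampleapis.com/path_to_img"

  region = "us-central1"
  zones  = ["us-central1-a", "us-central1-b", "us-central1-c"]

  # Management plane: keep it on an existing restricted VPC (assumed names below) and
  # do not expose it publicly. false is already the default; set it explicitly so a
  # later change shows up in code review.
  mgmt_network                = "mgmt-vpc"
  mgmt_subnet                 = "mgmt-subnet-usc1" # must exist in every zone listed above
  create_public_management_ip = false

  # Block project-wide SSH keys so only keys set on the instances themselves reach the appliances.
  block_project_ssh_keys = true

  # Service-account scopes: the default [] grants no API access from the VM. If the
  # appliance needs an API (here: writing its own logs), list only that scope.
  scopes = ["https://www.googleapis.com/auth/logging.write"]

  # Traffic-inspection subnet: this VPC is peered with the mirrored VPCs, so the range must
  # be unique across the organization. Override the 10.127.10.0/24 default if it overlaps.
  traffic_subnet_cidr = "10.250.0.0/24"

  # Capacity: keep at least two appliances so a single zone failure still leaves an inspector.
  min_instances = 2
  max_instances = 4
  cpu_target    = 0.6

  health_check_port = 80
  machine_type      = "n1-standard-4"

  # Assumption: the vendor image supports OS Login; if it does not, drop this key.
  compute_instance_metadata = {
    enable-oslogin = "TRUE"
  }
}
```

Run `terraform plan` and confirm that no `access_config` block appears on the management interface and that the planned subnet CIDR does not overlap any VPC you intend to peer.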
Name | Description |
---|---|
forwarding_rule | Name of the forwarding rule created for traffic. |
health_check | Name of the health check for the LB backend service. |
instance_template | Name of the instance template. |
mig | Name of the managed instance group created. |
These sections describe requirements for using this module.
The following dependencies must be available:
A service account with the following roles must be used to provision the resources of this module:
roles/compute.admin
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
compute.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.
Please see our security disclosure process.