This project is intended to gather common elements for GCP infrastructures in order to centralize security configurations and best practices.
We suggest following Terraform best practices as described in https://www.terraform-best-practices.com/code-structure.
Creates a default SSL policy that disables insecure ciphers and TLS versions below 1.2.
Creates standard logging exclusions for Google Cloud projects.
- Creates a health probe exclusion to filter out traffic from monitoring systems
- Creates a default exclusion for common Kubernetes system logs
- Configurable list of probe user agents to exclude
```hcl
module "logging_exclusions" {
  source     = "./modules/logging-exclusions"
  project_id = var.project

  # Selectively enable or disable specific exclusions
  enable_exclusions = {
    probe_exclusion                  = true
    default_k8s_exclusion            = true
    gke_metadata_server_sync_sandbox = false # Disable this exclusion
  }
}
```

Note: the Kyverno firewall rule is created only when `kyverno_firewall_rule.enable = true` and both `kyverno_firewall_rule.network` and `kyverno_firewall_rule.source_ranges` are provided. If any of these conditions is not met, the rule is not created. The module validates these fields and fails with a clear error when `enable` is true but the required fields are missing.
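One way to express the guard described in the note, as an added illustration that is not the module's own source: a `variable` block whose `validation` rejects `enable = true` without `network` or `source_ranges` at plan time, and a `google_compute_firewall` resource whose `count` is zero unless the rule is enabled and complete. The defaults assumed for `name`, `protocol` and `ports`, the `project_id` variable and the resource name are assumptions, not taken from the module.

```hcl
# Added illustration (not the module's own source): a variable whose validation
# enforces the rule described in the note, and a resource that only exists when
# the rule is enabled and complete.
variable "kyverno_firewall_rule" {
  description = "Rule to configure the Kyverno admission webhook firewall rule"
  type = object({
    enable        = optional(bool, false)
    name          = optional(string, "kyverno-admission-webhook") # assumed default
    network       = optional(string)                              # null unless set
    source_ranges = optional(list(string))                        # null unless set
    protocol      = optional(string, "tcp")                       # assumed default
    ports         = optional(list(string), ["9443"])              # assumed default
  })
  default = {}

  # Reject enable = true without network/source_ranges at plan time, with a
  # message that names the missing fields instead of a generic provider error.
  # try() keeps length() from erroring when source_ranges is null.
  validation {
    condition = (
      !var.kyverno_firewall_rule.enable || (
        var.kyverno_firewall_rule.network != null &&
        try(length(var.kyverno_firewall_rule.source_ranges), 0) > 0
      )
    )
    error_message = "kyverno_firewall_rule.network and kyverno_firewall_rule.source_ranges are required when kyverno_firewall_rule.enable is true."
  }
}

variable "project_id" {
  description = "Project that receives the firewall rule (assumed name)"
  type        = string
}

locals {
  # Single source of truth for "should the rule exist", reused by count below.
  kyverno_rule_enabled = (
    var.kyverno_firewall_rule.enable &&
    var.kyverno_firewall_rule.network != null &&
    var.kyverno_firewall_rule.source_ranges != null
  )
}

resource "google_compute_firewall" "kyverno_admission_webhook" {
  count = local.kyverno_rule_enabled ? 1 : 0

  project       = var.project_id
  name          = var.kyverno_firewall_rule.name
  network       = var.kyverno_firewall_rule.network
  direction     = "INGRESS"
  source_ranges = var.kyverno_firewall_rule.source_ranges

  allow {
    protocol = var.kyverno_firewall_rule.protocol
    ports    = var.kyverno_firewall_rule.ports
  }
}
```

`source_ranges` is normally the GKE control plane CIDR: the admission call travels from the control plane to the Kyverno pods on port 9443, which the rules GKE creates for a private cluster (TCP 443 and 10250) do not cover, so a narrow /28 as in the short example below is the expected shape rather than an open range. Without `target_tags` the rule applies to every instance in the network; scoping it to the node pool's network tag is a sensible tightening where the caller can do so.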
Example (short):

```hcl
module "infrastructure_elements" {
  source     = "./"
  project_id = var.project

  kyverno_firewall_rule = {
    enable        = true
    name          = "kyverno-admission-webhook"
    network       = "projects/PROJECT/global/networks/example-vpc" # required
    source_ranges = ["10.0.0.0/28"]                                # required
    protocol      = "tcp"
    ports         = ["9443"]
  }
}
```

Providers:

| Name | Version |
|---|---|
|  | >= 5.13 |

Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5 |
|  | >= 5.13 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| custom_exclusions | Map of custom exclusion filters with their descriptions | `map(object({ … }))` | `{}` | no |
| default_exclusion_filter | Filter for default log exclusion | `string` | `"resource.type=\"k8s_cluster\" AND (protoPayload.authenticationInfo.principalEmail=~\"container-engine-robot.iam.gserviceaccount.com\" OR protoPayload.authenticationInfo.principalEmail=\"system:kubestore-collector\" OR protoPayload.authenticationInfo.principalEmail=\"system:cloud-controller-manager\" OR protoPayload.authenticationInfo.principalEmail=\"system:kube-scheduler\" OR protoPayload.authenticationInfo.principalEmail=\"system:cluster-autoscaler\" OR protoPayload.authenticationInfo.principalEmail=\"system:l7-lb-controller\" OR protoPayload.authenticationInfo.principalEmail=\"system:kube-controller-manager\" OR protoPayload.authenticationInfo.principalEmail=\"system:serviceaccount:kube-system:metrics-server\" OR protoPayload.authenticationInfo.principalEmail=\"system:addon-manager\" OR protoPayload.authenticationInfo.principalEmail=\"system:vpa-recommender\" OR protoPayload.authenticationInfo.principalEmail=\"system:gke-master-healthcheck\" OR protoPayload.authenticationInfo.principalEmail=\"system:managed-certificate-controller\" OR protoPayload.authenticationInfo.principalEmail=\"system:clustermetrics\" OR protoPayload.authenticationInfo.principalEmail=\"system:pd-csi-controller\" OR protoPayload.authenticationInfo.principalEmail=\"system:konnectivity-server\" OR protoPayload.authenticationInfo.principalEmail=\"system:serviceaccount:kube-system:kube-dns-autoscaler\" OR protoPayload.authenticationInfo.principalEmail=\"system:serviceaccount:kube-system:generic-garbage-collector\" OR protoPayload.authenticationInfo.principalEmail=\"system:gke-common-webhooks\" OR protoPayload.authenticationInfo.principalEmail=\"system:serviceaccount:kube-system:resourcequota-controller\" OR protoPayload.authenticationInfo.principalEmail=\"system:serviceaccount:kube-system:konnectivity-agent-cpha\" OR protoPayload.authenticationInfo.principalEmail=\"system:serviceaccount:kube-system:persistent-volume-binder\" OR (protoPayload.authenticationInfo.principalEmail=\"system:apiserver\" AND protoPayload.methodName=\"io.k8s.core.v1.endpoints.get\") OR protoPayload.methodName=~\"watch\" OR protoPayload.methodName=~\"io.k8s.apiserver.flowcontrol\" OR protoPayload.methodName=~\"io.k8s.discovery.v1.endpointslices\" OR protoPayload.methodName=~\"io.k8s.v1.nodes.watch\" OR protoPayload.methodName=~\"io.k8s.coordination.v1.leases\" OR protoPayload.methodName=~\"io.k8s.core.v1.componentstatuses\" OR protoPayload.methodName=~\"io.k8s.autoscaling\" OR protoPayload.methodName=~\"io.k8s.metrics.v1beta1\" OR protoPayload.methodName=~\"io.k8s.authorization.v1.selfsubjectaccessreviews\" OR protoPayload.methodName=~\"io.k8s.core.v1.nodes.status.patch\" OR (protoPayload.methodName=~\"io.k8s.get\" AND protoPayload.resourceName=~\"metrics\") OR (protoPayload.methodName=~\"io.k8s.core.v1.configmaps.get\" AND protoPayload.resourceName=~\"metrics\") OR protoPayload.resourceName=\"readyz\" OR protoPayload.resourceName=\"livez\")\n"` | no |
| enable_exclusions | Map of boolean flags to enable/disable individual exclusions | `map(bool)` | `{ … }` | no |
| enable_ssl_policy | Enable SSL policy creation | `bool` | `true` | no |
| fluentbit_gke | Fluentbit-gke exclusion for "failed to parse time" messages | `string` | `"resource.labels.container_name=\"fluentbit-gke\" AND\njsonPayload.message=~\"Failed to parse time\"\n"` | no |
| fpm | FPM exclusion | `string` | `"resource.type=\"container\" AND\n\"fpm\" AND\n(\n ( trace:* sample(trace, 0.5) ) OR\n ( NOT trace:* operation.id:* sample(operation.id, 0.5) ) OR\n ( NOT trace:* NOT operation.id:* sample(insertId, 0.5) )\n)\n"` | no |
| gke_metadata_server_exclusion_sync_sandbox | Filter for the gke-metadata-server exclusion for "failed to sync sandbox" messages | `string` | `"resource.type=\"k8s_container\" AND\nseverity=INFO AND\nresource.labels.namespace_name=\"kube-system\" AND\nlabels.k8s-pod/k8s-app=\"gke-metadata-server\" AND\njsonPayload.message=~\"Unable to sync sandbox\"\n"` | no |
| kyverno_firewall_rule | Rule to configure the Kyverno admission webhook firewall rule | `object({ … })` | `{ … }` | no |
| probe_user_agents | List of probe user agents to exclude from logs | `list(string)` | `[ … ]` | no |
| project_id | The Google Cloud project ID where logging exclusions will be created | `string` | n/a | yes |
| ssl_modern_policy_description | Description for the SSL policy | `string` | `"Modern SSL policy with minimum TLS version 1.2"` | no |
Outputs:

| Name | Description |
|---|---|
| default_exclusion_id | The ID of the default exclusion resource |
| fluentbit_gke_exclusion_id | The ID of the Fluentbit GKE exclusion resource |
| fpm_exclusion_id | The ID of the FPM exclusion resource |
| gke_metadata_server_exclusion_id | The ID of the GKE metadata server exclusion resource |
| probe_exclusion_filter | The filter used for probe exclusions |
| probe_exclusion_id | The ID of the probe exclusion resource |
| ssl_policy_modern_tls_1_2_id | The ID of the modern-profile (TLS 1.2 minimum) SSL policy resource |
| ssl_policy_restricted_tls_1_2_id | The ID of the restricted-profile (TLS 1.2 minimum) SSL policy resource |
No modules.
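An SSL policy only affects traffic once a load balancer frontend references it; a policy that exists but is attached to nothing leaves the frontend on the Google-managed default policy, which still permits TLS 1.0 and 1.1. The following is an added example, not code from this project, showing a consumer attaching the `ssl_policy_modern_tls_1_2_id` output listed above to a target HTTPS proxy. The root-module call and the `frontend` URL map and managed certificate it references are assumptions.

```hcl
# Added example: call the module (assumed to live at the repository root) and
# attach its MODERN / TLS 1.2 policy to an external HTTPS load balancer frontend.
module "infrastructure_elements" {
  source     = "./"
  project_id = var.project
}

resource "google_compute_target_https_proxy" "frontend" {
  name = "frontend-https-proxy"

  # Assumed to be defined elsewhere in the caller's configuration.
  url_map          = google_compute_url_map.frontend.id
  ssl_certificates = [google_compute_managed_ssl_certificate.frontend.id]

  # Without ssl_policy the proxy uses the Google-managed default policy
  # (COMPATIBLE profile, minimum TLS 1.0). Referencing the module output
  # enforces TLS >= 1.2 and the MODERN cipher set on this frontend only.
  ssl_policy = module.infrastructure_elements.ssl_policy_modern_tls_1_2_id
}
```

After `terraform apply`, `gcloud compute ssl-policies describe <policy-name> --format='value(minTlsVersion,profile)'` confirms the policy's settings and `gcloud compute target-https-proxies describe frontend-https-proxy --format='value(sslPolicy)'` confirms the attachment; a frontend whose `sslPolicy` field is empty is still on the default policy. Where every client is known to support the stricter cipher set, `ssl_policy_restricted_tls_1_2_id` can be referenced instead.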