...
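# Editor snippet for a Config Connector (KCC) ComputeSecurityPolicy manifest.
# `insertText` is a literal block scalar (`|`): its newlines and indentation are
# inserted verbatim, and the \${N:default} markers are the snippet's tab stops
# with their default text, so nothing inside it is a value of this file itself.
label: Config Connector ComputeSecurityPolicy
markdownDescription: Creates yaml for a ComputeSecurityPolicy resource
# Rule ordering in the inserted manifest: Cloud Armor evaluates the rule with the
# lowest priority number first, so the denylist (0) takes precedence over the
# trusted exception (555), which takes precedence over the untrusted-block deny
# (111111111); 2147483647 is the catch-all default rule every rule array needs.
# The catch-all source range "*" is quoted: an unquoted `- *` is read by a YAML
# parser as an alias reference rather than a string once the snippet is expanded.
insertText: |
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeSecurityPolicy
  metadata:
    name: \${1:computesecuritypolicy-name}
  spec:
    description: \${2:A generally permissive policy that locks out a large block of
      untrusted IPs, except for some allowed trusted IP ranges within them, and never
      allows IPs from a denylist.}
    rule:
      - action: \${3:allow}
        priority: \${4:2147483647}
        match:
          versionedExpr: \${5:SRC_IPS_V1}
          config:
            srcIpRanges:
              - '\${6:*}'
        description: \${7:This rule must be included in any rule array. Action can change.}
      - action: \${8:deny(502)}
        priority: \${9:111111111}
        match:
          versionedExpr: \${10:SRC_IPS_V1}
          config:
            srcIpRanges:
              - \${11:60.0.0.0/6}
        description: \${12:Untrusted range. Block IPs and return 502.}
      - action: \${13:allow}
        priority: \${14:555}
        match:
          versionedExpr: \${15:SRC_IPS_V1}
          config:
            srcIpRanges:
              - \${16:63.0.0.0/8}
              - \${17:61.128.0.0/10}
        description: \${18:Even though they're in an untrusted block, these ranges are
          OK.}
      - action: \${19:deny(403)}
        priority: \${20:0}
        match:
          versionedExpr: \${21:SRC_IPS_V1}
          config:
            srcIpRanges:
              - \${22:145.4.56.4/30}
              - \${23:63.63.63.63/32}
              - \${24:4.5.4.0/24}
        description: \${25:Never allow these denylisted IP ranges.}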