GS2-Deploy/CDK Reference of GS2-Guard
Template format used to create GS2-Deploy stacks and examples of template output implementation in various languages using CDK
Entities
Namespace
Namespace
Namespace is a mechanism that allows multiple uses of the same service for different purposes within a single project. Basically, GS2 services have a layer called namespace, and different namespaces are treated as completely different data spaces, even for the same service.
Therefore, it is necessary to create a namespace before starting to use each service.
| Type | Condition | Require | Default | Limitation | Description | |
|---|---|---|---|---|---|---|
| name | string | ✓ | ~ 128 chars | Namespace name | ||
| description | string | ~ 1024 chars | Description | |||
| blockingPolicy | BlockingPolicyModel | ✓ | Blocking Policy |
GetAttr
Generation results of resources that can be obtained with the !GetAttr tag
| Type | Description | |
|---|---|---|
| Item | Namespace | Namespace created |
Implementation Example
Type: GS2::Guard::Namespace
Properties:
Name: namespace-0001
Description: null
BlockingPolicy:
PassServices:
- account
DefaultRestriction: Deny
LocationDetection: Disable
AnonymousIpDetection: Disable
HostingProviderIpDetection: Disable
ReputationIpDetection: Disable
IpAddressesDetection: Enable
IpAddresses:
- 192.168.0.0/24
IpAddressRestriction: Allowimport (
"github.com/gs2io/gs2-golang-cdk/core"
"github.com/gs2io/gs2-golang-cdk/guard"
"github.com/openlyinc/pointy"
)
SampleStack := core.NewStack()
guard.NewNamespace(
&SampleStack,
"namespace-0001",
guard.BlockingPolicyModel{
PassServices: []string{
"account",
},
DefaultRestriction: guard.BlockingPolicyModelDefaultRestrictionDeny,
LocationDetection: guard.BlockingPolicyModelLocationDetectionDisable,
AnonymousIpDetection: guard.BlockingPolicyModelAnonymousIpDetectionDisable,
HostingProviderIpDetection: guard.BlockingPolicyModelHostingProviderIpDetectionDisable,
ReputationIpDetection: guard.BlockingPolicyModelReputationIpDetectionDisable,
IpAddressesDetection: guard.BlockingPolicyModelIpAddressesDetectionEnable,
IpAddresses: []string{
"192.168.0.0/24",
},
IpAddressRestriction: guard.BlockingPolicyModelIpAddressRestrictionAllow.Pointer(),
},
guard.NamespaceOptions{},
)
println(SampleStack.Yaml()) // Generate Template
class SampleStack extends \Gs2Cdk\Core\Model\Stack
{
function __construct() {
parent::__construct();
new \Gs2Cdk\Guard\Model\Namespace_(
stack: $this,
name: "namespace-0001",
blockingPolicy: new \Gs2Cdk\Guard\Model\BlockingPolicyModel(
passServices: [
"account",
],
defaultRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelDefaultRestriction::DENY,
locationDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelLocationDetection::DISABLE,
anonymousIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelAnonymousIpDetection::DISABLE,
hostingProviderIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelHostingProviderIpDetection::DISABLE,
reputationIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelReputationIpDetection::DISABLE,
ipAddressesDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressesDetection::ENABLE,
options: new \Gs2Cdk\Guard\Model\Options\BlockingPolicyModelOptions(
ipAddresses: [
"192.168.0.0/24",
],
ipAddressRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressRestriction::ALLOW
)
)
);
}
}
print((new SampleStack())->yaml()); // Generate Template
class SampleStack extends io.gs2.cdk.core.model.Stack
{
public SampleStack() {
super();
new io.gs2.cdk.guard.model.Namespace(
this,
"namespace-0001",
new io.gs2.cdk.guard.model.BlockingPolicyModel(
Arrays.asList(
"account"
),
io.gs2.cdk.guard.model.enums.BlockingPolicyModelDefaultRestriction.DENY,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelLocationDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelAnonymousIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelReputationIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressesDetection.ENABLE,
new io.gs2.cdk.guard.model.options.BlockingPolicyModelOptions()
.withIpAddresses(
Arrays.asList(
"192.168.0.0/24"
)
)
.withIpAddressRestriction(
io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressRestriction.ALLOW
)
)
);
}
}
System.out.println(new SampleStack().yaml()); // Generate Templatepublic class SampleStack : Gs2Cdk.Core.Model.Stack
{
public SampleStack() {
new Gs2Cdk.Gs2Guard.Model.Namespace(
stack: this,
name: "namespace-0001",
blockingPolicy: new Gs2Cdk.Gs2Guard.Model.BlockingPolicyModel(
passServices: new string[]
{
"account"
},
defaultRestriction: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelDefaultRestriction.Deny,
locationDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelLocationDetection.Disable,
anonymousIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelAnonymousIpDetection.Disable,
hostingProviderIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelHostingProviderIpDetection.Disable,
reputationIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelReputationIpDetection.Disable,
ipAddressesDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressesDetection.Enable,
options: new Gs2Cdk.Gs2Guard.Model.Options.BlockingPolicyModelOptions
{
ipAddresses = new string[]
{
"192.168.0.0/24"
},
ipAddressRestriction = Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressRestriction.Allow
}
)
);
}
}
Debug.Log(new SampleStack().Yaml()); // Generate Templateimport core from "@/gs2cdk/core";
import guard from "@/gs2cdk/guard";
class SampleStack extends core.Stack
{
public constructor() {
super();
new guard.model.Namespace(
this,
"namespace-0001",
new guard.model.BlockingPolicyModel(
[
"account",
],
guard.model.BlockingPolicyModelDefaultRestriction.DENY,
guard.model.BlockingPolicyModelLocationDetection.DISABLE,
guard.model.BlockingPolicyModelAnonymousIpDetection.DISABLE,
guard.model.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
guard.model.BlockingPolicyModelReputationIpDetection.DISABLE,
guard.model.BlockingPolicyModelIpAddressesDetection.ENABLE,
{
ipAddresses:
[
"192.168.0.0/24",
],
ipAddressRestriction:
guard.model.BlockingPolicyModelIpAddressRestriction.ALLOW
}
)
);
}
}
console.log(new SampleStack().yaml()); // Generate Template
from gs2_cdk import Stack, core, guard
class SampleStack(Stack):
def __init__(self):
super().__init__()
guard.Namespace(
stack=self,
name='namespace-0001',
blocking_policy=guard.BlockingPolicyModel(
pass_services=[
'account',
],
default_restriction=guard.BlockingPolicyModelDefaultRestriction.DENY,
location_detection=guard.BlockingPolicyModelLocationDetection.DISABLE,
anonymous_ip_detection=guard.BlockingPolicyModelAnonymousIpDetection.DISABLE,
hosting_provider_ip_detection=guard.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
reputation_ip_detection=guard.BlockingPolicyModelReputationIpDetection.DISABLE,
ip_addresses_detection=guard.BlockingPolicyModelIpAddressesDetection.ENABLE,
options=guard.BlockingPolicyModelOptions(
ip_addresses=[
'192.168.0.0/24',
],
ip_address_restriction=guard.BlockingPolicyModelIpAddressRestriction.ALLOW,
)
),
)
print(SampleStack().yaml()) # Generate TemplateBlockingPolicyModel
Blocking Policy
| Type | Condition | Require | Default | Limitation | Description | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| passServices | List<string> | ✓ | 1 ~ 100 items | List of GS2 services that can be accessed | ||||||||
| defaultRestriction | String Enum enum { “Allow”, “Deny” } | ✓ | “Allow” | ~ 128 chars | Default restriction
| |||||||
| locationDetection | String Enum enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128 chars | Location detection
| |||||||
| locations | List<string> | {locationDetection} == “Enable” | ✓ | [] | 1 ~ 100 items | List of countries to detect access If locationDetection is “Enable”, then required | ||||||
| locationRestriction | String Enum enum { “Allow”, “Deny” } | {locationDetection} == “Enable” | ✓ | ~ 128 chars | Behavior when matched with the country list If locationDetection is “Enable”, then required | |||||||
| anonymousIpDetection | String Enum enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128 chars | Anonymous IP Service Detection
| |||||||
| anonymousIpRestriction | String Enum enum { “Deny” } | {anonymousIpDetection} == “Enable” | ✓ | “Deny” | ~ 128 chars | Behavior when detected anonymous IP service If anonymousIpDetection is “Enable”, then required | ||||||
| hostingProviderIpDetection | String Enum enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128 chars | Hosting Service Detection
| |||||||
| hostingProviderIpRestriction | String Enum enum { “Deny” } | {hostingProviderIpDetection} == “Enable” | ✓ | “Deny” | ~ 128 chars | Behavior when detected hosting service If hostingProviderIpDetection is “Enable”, then required | ||||||
| reputationIpDetection | String Enum enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128 chars | Reputation access IP Detection
| |||||||
| reputationIpRestriction | String Enum enum { “Deny” } | {reputationIpDetection} == “Enable” | ✓ | “Deny” | ~ 128 chars | Behavior when detected malicious access source IP If reputationIpDetection is “Enable”, then required | ||||||
| ipAddressesDetection | String Enum enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128 chars | Access source IP detection
| |||||||
| ipAddresses | List<string> | {ipAddressesDetection} == “Enable” | ~ 100 items | List of ip addresses If ipAddressesDetection is “Enable”, then enabled | ||||||||
| ipAddressRestriction | String Enum enum { “Allow”, “Deny” } | {ipAddressesDetection} == “Enable” | ✓ | ~ 128 chars | Behavior when matched with the IP address list If ipAddressesDetection is “Enable”, then required |