GS2-Deploy/CDK Reference of GS2-Guard

Template format used to create GS2-Deploy stacks and examples of template output implementation in various languages using CDK

Entities

Namespace

Namespace

Namespace is a mechanism that allows multiple uses of the same service for different purposes within a single project. Basically, GS2 services have a layer called namespace, and different namespaces are treated as completely different data spaces, even for the same service.

Therefore, it is necessary to create a namespace before starting to use each service.

TypeConditionRequireDefaultLimitationDescription
namestring
~ 128 charsNamespace name
descriptionstring~ 1024 charsDescription
blockingPolicyBlockingPolicyModel
Blocking Policy

GetAttr

Generation results of resources that can be obtained with the !GetAttr tag

TypeDescription
ItemNamespaceNamespace created

Implementation Example

Type: GS2::Guard::Namespace
Properties:
  Name: namespace-0001
  Description: null
  BlockingPolicy: 
    PassServices: 
    - account
    DefaultRestriction: Deny
    LocationDetection: Disable
    AnonymousIpDetection: Disable
    HostingProviderIpDetection: Disable
    ReputationIpDetection: Disable
    IpAddressesDetection: Enable
    IpAddresses: 
    - 192.168.0.0/24
    IpAddressRestriction: Allow
import (
    "github.com/gs2io/gs2-golang-cdk/core"
    "github.com/gs2io/gs2-golang-cdk/guard"
    "github.com/openlyinc/pointy"
)

SampleStack := core.NewStack()
guard.NewNamespace(
    &SampleStack,
    "namespace-0001",
    guard.BlockingPolicyModel{
        PassServices: []string{
            "account",
        },
        DefaultRestriction: guard.BlockingPolicyModelDefaultRestrictionDeny,
        LocationDetection: guard.BlockingPolicyModelLocationDetectionDisable,
        AnonymousIpDetection: guard.BlockingPolicyModelAnonymousIpDetectionDisable,
        HostingProviderIpDetection: guard.BlockingPolicyModelHostingProviderIpDetectionDisable,
        ReputationIpDetection: guard.BlockingPolicyModelReputationIpDetectionDisable,
        IpAddressesDetection: guard.BlockingPolicyModelIpAddressesDetectionEnable,
        IpAddresses: []string{
            "192.168.0.0/24",
        },
        IpAddressRestriction: guard.BlockingPolicyModelIpAddressRestrictionAllow.Pointer(),
    },
    guard.NamespaceOptions{},
)

println(SampleStack.Yaml())  // Generate Template
class SampleStack extends \Gs2Cdk\Core\Model\Stack
{
    function __construct() {
        parent::__construct();
        new \Gs2Cdk\Guard\Model\Namespace_(
            stack: $this,
            name: "namespace-0001",
            blockingPolicy: new \Gs2Cdk\Guard\Model\BlockingPolicyModel(
                passServices: [
                    "account",
                ],
                defaultRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelDefaultRestriction::DENY,
                locationDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelLocationDetection::DISABLE,
                anonymousIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelAnonymousIpDetection::DISABLE,
                hostingProviderIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelHostingProviderIpDetection::DISABLE,
                reputationIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelReputationIpDetection::DISABLE,
                ipAddressesDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressesDetection::ENABLE,
                options: new \Gs2Cdk\Guard\Model\Options\BlockingPolicyModelOptions(
                    ipAddresses: [
                        "192.168.0.0/24",
                    ],
                    ipAddressRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressRestriction::ALLOW
                )
            )
        );
    }
}

print((new SampleStack())->yaml());  // Generate Template
class SampleStack extends io.gs2.cdk.core.model.Stack
{
    public SampleStack() {
        super();
        new io.gs2.cdk.guard.model.Namespace(
                this,
                "namespace-0001",
                new io.gs2.cdk.guard.model.BlockingPolicyModel(
                Arrays.asList(
                    "account"
                ),
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelDefaultRestriction.DENY,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelLocationDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelAnonymousIpDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelReputationIpDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressesDetection.ENABLE,
                new io.gs2.cdk.guard.model.options.BlockingPolicyModelOptions()
                    .withIpAddresses(
                        Arrays.asList(
                            "192.168.0.0/24"
                        )
                    )
                    .withIpAddressRestriction(
                        io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressRestriction.ALLOW
                    )
            )
        );
    }
}

System.out.println(new SampleStack().yaml());  // Generate Template
public class SampleStack : Gs2Cdk.Core.Model.Stack
{
    public SampleStack() {
        new Gs2Cdk.Gs2Guard.Model.Namespace(
            stack: this,
            name: "namespace-0001",
            blockingPolicy: new Gs2Cdk.Gs2Guard.Model.BlockingPolicyModel(
                passServices: new string[]
                {
                    "account"
                },
                defaultRestriction: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelDefaultRestriction.Deny,
                locationDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelLocationDetection.Disable,
                anonymousIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelAnonymousIpDetection.Disable,
                hostingProviderIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelHostingProviderIpDetection.Disable,
                reputationIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelReputationIpDetection.Disable,
                ipAddressesDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressesDetection.Enable,
                options: new Gs2Cdk.Gs2Guard.Model.Options.BlockingPolicyModelOptions
                {
                    ipAddresses = new string[]
                    {
                        "192.168.0.0/24"
                    },
                    ipAddressRestriction = Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressRestriction.Allow
                }
            )
        );
    }
}

Debug.Log(new SampleStack().Yaml());  // Generate Template
import core from "@/gs2cdk/core";
import guard from "@/gs2cdk/guard";

class SampleStack extends core.Stack
{
    public constructor() {
        super();
        new guard.model.Namespace(
            this,
            "namespace-0001",
            new guard.model.BlockingPolicyModel(
                [
                    "account",
                ],
                guard.model.BlockingPolicyModelDefaultRestriction.DENY,
                guard.model.BlockingPolicyModelLocationDetection.DISABLE,
                guard.model.BlockingPolicyModelAnonymousIpDetection.DISABLE,
                guard.model.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
                guard.model.BlockingPolicyModelReputationIpDetection.DISABLE,
                guard.model.BlockingPolicyModelIpAddressesDetection.ENABLE,
                {
                    ipAddresses:
                    [
                        "192.168.0.0/24",
                    ],
                    ipAddressRestriction:
                    guard.model.BlockingPolicyModelIpAddressRestriction.ALLOW
                }
            )
        );
    }
}

console.log(new SampleStack().yaml());  // Generate Template
from gs2_cdk import Stack, core, guard

class SampleStack(Stack):

    def __init__(self):
        super().__init__()
        guard.Namespace(
            stack=self,
            name='namespace-0001',
            blocking_policy=guard.BlockingPolicyModel(
            pass_services=[
                'account',
            ],
            default_restriction=guard.BlockingPolicyModelDefaultRestriction.DENY,
            location_detection=guard.BlockingPolicyModelLocationDetection.DISABLE,
            anonymous_ip_detection=guard.BlockingPolicyModelAnonymousIpDetection.DISABLE,
            hosting_provider_ip_detection=guard.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
            reputation_ip_detection=guard.BlockingPolicyModelReputationIpDetection.DISABLE,
            ip_addresses_detection=guard.BlockingPolicyModelIpAddressesDetection.ENABLE,
            options=guard.BlockingPolicyModelOptions(
                ip_addresses=[
                    '192.168.0.0/24',
                ],
                ip_address_restriction=guard.BlockingPolicyModelIpAddressRestriction.ALLOW,
            )
        ),
        )

print(SampleStack().yaml())  # Generate Template

BlockingPolicyModel

Blocking Policy

TypeConditionRequireDefaultLimitationDescription
passServicesList<string>
1 ~ 100 itemsList of GS2 services that can be accessed
defaultRestrictionString Enum
enum {
  “Allow”,
  “Deny”
}
“Allow”~ 128 charsDefault restriction
Enumerator String DefinitionDescription
“Allow”Allow access from a predetermined access source
“Deny”Deny access from a predetermined access source
locationDetectionString Enum
enum {
  “Enable”,
  “Disable”
}
“Disable”~ 128 charsLocation detection
Enumerator String DefinitionDescription
“Enable”Enable
“Disable”Disable
locationsList<string>{locationDetection} == “Enable”
[]1 ~ 100 itemsList of countries to detect access
If locationDetection is “Enable”, then required
locationRestrictionString Enum
enum {
  “Allow”,
  “Deny”
}
{locationDetection} == “Enable”
~ 128 charsBehavior when matched with the country list
If locationDetection is “Enable”, then required
anonymousIpDetectionString Enum
enum {
  “Enable”,
  “Disable”
}
“Disable”~ 128 charsAnonymous IP Service Detection
Enumerator String DefinitionDescription
“Enable”Enable
“Disable”Disable
anonymousIpRestrictionString Enum
enum {
  “Deny”
}
{anonymousIpDetection} == “Enable”
“Deny”~ 128 charsBehavior when detected anonymous IP service
If anonymousIpDetection is “Enable”, then required
hostingProviderIpDetectionString Enum
enum {
  “Enable”,
  “Disable”
}
“Disable”~ 128 charsHosting Service Detection
Enumerator String DefinitionDescription
“Enable”Enable
“Disable”Disable
hostingProviderIpRestrictionString Enum
enum {
  “Deny”
}
{hostingProviderIpDetection} == “Enable”
“Deny”~ 128 charsBehavior when detected hosting service
If hostingProviderIpDetection is “Enable”, then required
reputationIpDetectionString Enum
enum {
  “Enable”,
  “Disable”
}
“Disable”~ 128 charsReputation access IP Detection
Enumerator String DefinitionDescription
“Enable”Enable
“Disable”Disable
reputationIpRestrictionString Enum
enum {
  “Deny”
}
{reputationIpDetection} == “Enable”
“Deny”~ 128 charsBehavior when detected malicious access source IP
If reputationIpDetection is “Enable”, then required
ipAddressesDetectionString Enum
enum {
  “Enable”,
  “Disable”
}
“Disable”~ 128 charsAccess source IP detection
Enumerator String DefinitionDescription
“Enable”Enable
“Disable”Disable
ipAddressesList<string>{ipAddressesDetection} == “Enable”~ 100 itemsList of ip addresses
If ipAddressesDetection is “Enable”, then enabled
ipAddressRestrictionString Enum
enum {
  “Allow”,
  “Deny”
}
{ipAddressesDetection} == “Enable”
~ 128 charsBehavior when matched with the IP address list
If ipAddressesDetection is “Enable”, then required