GS2-Deploy/CDK Reference of GS2-Guard

Template format used to create GS2-Deploy stacks and examples of template output implementation in various languages using CDK

Entities

Namespace

Namespace is a mechanism that allows multiple uses of the same service for different purposes within a single project. Basically, GS2 services have a layer called namespace, and different namespaces are treated as completely different data spaces, even for the same service.

Therefore, it is necessary to create a namespace before starting to use each service.

	Type	Require	Limitation	Description
name	string	✓	~ 128 chars	Namespace name
description	string		~ 1024 chars	Description
blockingPolicy	BlockingPolicyModel	✓		Blocking Policy

GetAttr

Generation results of resources that can be obtained with the !GetAttr tag

	Type	Description
Item	Namespace	Namespace created

Implementation Example

Type: GS2::Guard::Namespace
Properties:
  Name: namespace-0001
  Description: null
  BlockingPolicy: 
    PassServices: 
    - account
    DefaultRestriction: Deny
    LocationDetection: Disable
    AnonymousIpDetection: Disable
    HostingProviderIpDetection: Disable
    ReputationIpDetection: Disable
    IpAddressesDetection: Enable
    IpAddresses: 
    - 192.168.0.0/24
    IpAddressRestriction: Allow

import (
    "github.com/gs2io/gs2-golang-cdk/core"
    "github.com/gs2io/gs2-golang-cdk/guard"
    "github.com/openlyinc/pointy"
)

SampleStack := core.NewStack()
guard.NewNamespace(
    &SampleStack,
    "namespace-0001",
    guard.BlockingPolicyModel{
        PassServices: []string{
            "account",
        },
        DefaultRestriction: guard.BlockingPolicyModelDefaultRestrictionDeny,
        LocationDetection: guard.BlockingPolicyModelLocationDetectionDisable,
        AnonymousIpDetection: guard.BlockingPolicyModelAnonymousIpDetectionDisable,
        HostingProviderIpDetection: guard.BlockingPolicyModelHostingProviderIpDetectionDisable,
        ReputationIpDetection: guard.BlockingPolicyModelReputationIpDetectionDisable,
        IpAddressesDetection: guard.BlockingPolicyModelIpAddressesDetectionEnable,
        IpAddresses: []string{
            "192.168.0.0/24",
        },
        IpAddressRestriction: guard.BlockingPolicyModelIpAddressRestrictionAllow.Pointer(),
    },
    guard.NamespaceOptions{},
)

println(SampleStack.Yaml())  // Generate Template

class SampleStack extends \Gs2Cdk\Core\Model\Stack
{
    function __construct() {
        parent::__construct();
        new \Gs2Cdk\Guard\Model\Namespace_(
            stack: $this,
            name: "namespace-0001",
            blockingPolicy: new \Gs2Cdk\Guard\Model\BlockingPolicyModel(
                passServices: [
                    "account",
                ],
                defaultRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelDefaultRestriction::DENY,
                locationDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelLocationDetection::DISABLE,
                anonymousIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelAnonymousIpDetection::DISABLE,
                hostingProviderIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelHostingProviderIpDetection::DISABLE,
                reputationIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelReputationIpDetection::DISABLE,
                ipAddressesDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressesDetection::ENABLE,
                options: new \Gs2Cdk\Guard\Model\Options\BlockingPolicyModelOptions(
                    ipAddresses: [
                        "192.168.0.0/24",
                    ],
                    ipAddressRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressRestriction::ALLOW
                )
            )
        );
    }
}

print((new SampleStack())->yaml());  // Generate Template

class SampleStack extends io.gs2.cdk.core.model.Stack
{
    public SampleStack() {
        super();
        new io.gs2.cdk.guard.model.Namespace(
                this,
                "namespace-0001",
                new io.gs2.cdk.guard.model.BlockingPolicyModel(
                Arrays.asList(
                    "account"
                ),
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelDefaultRestriction.DENY,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelLocationDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelAnonymousIpDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelReputationIpDetection.DISABLE,
                io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressesDetection.ENABLE,
                new io.gs2.cdk.guard.model.options.BlockingPolicyModelOptions()
                    .withIpAddresses(
                        Arrays.asList(
                            "192.168.0.0/24"
                        )
                    )
                    .withIpAddressRestriction(
                        io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressRestriction.ALLOW
                    )
            )
        );
    }
}

System.out.println(new SampleStack().yaml());  // Generate Template

public class SampleStack : Gs2Cdk.Core.Model.Stack
{
    public SampleStack() {
        new Gs2Cdk.Gs2Guard.Model.Namespace(
            stack: this,
            name: "namespace-0001",
            blockingPolicy: new Gs2Cdk.Gs2Guard.Model.BlockingPolicyModel(
                passServices: new string[]
                {
                    "account"
                },
                defaultRestriction: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelDefaultRestriction.Deny,
                locationDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelLocationDetection.Disable,
                anonymousIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelAnonymousIpDetection.Disable,
                hostingProviderIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelHostingProviderIpDetection.Disable,
                reputationIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelReputationIpDetection.Disable,
                ipAddressesDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressesDetection.Enable,
                options: new Gs2Cdk.Gs2Guard.Model.Options.BlockingPolicyModelOptions
                {
                    ipAddresses = new string[]
                    {
                        "192.168.0.0/24"
                    },
                    ipAddressRestriction = Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressRestriction.Allow
                }
            )
        );
    }
}

Debug.Log(new SampleStack().Yaml());  // Generate Template

import core from "@/gs2cdk/core";
import guard from "@/gs2cdk/guard";

class SampleStack extends core.Stack
{
    public constructor() {
        super();
        new guard.model.Namespace(
            this,
            "namespace-0001",
            new guard.model.BlockingPolicyModel(
                [
                    "account",
                ],
                guard.model.BlockingPolicyModelDefaultRestriction.DENY,
                guard.model.BlockingPolicyModelLocationDetection.DISABLE,
                guard.model.BlockingPolicyModelAnonymousIpDetection.DISABLE,
                guard.model.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
                guard.model.BlockingPolicyModelReputationIpDetection.DISABLE,
                guard.model.BlockingPolicyModelIpAddressesDetection.ENABLE,
                {
                    ipAddresses:
                    [
                        "192.168.0.0/24",
                    ],
                    ipAddressRestriction:
                    guard.model.BlockingPolicyModelIpAddressRestriction.ALLOW
                }
            )
        );
    }
}

console.log(new SampleStack().yaml());  // Generate Template

from gs2_cdk import Stack, core, guard

class SampleStack(Stack):

    def __init__(self):
        super().__init__()
        guard.Namespace(
            stack=self,
            name='namespace-0001',
            blocking_policy=guard.BlockingPolicyModel(
            pass_services=[
                'account',
            ],
            default_restriction=guard.BlockingPolicyModelDefaultRestriction.DENY,
            location_detection=guard.BlockingPolicyModelLocationDetection.DISABLE,
            anonymous_ip_detection=guard.BlockingPolicyModelAnonymousIpDetection.DISABLE,
            hosting_provider_ip_detection=guard.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
            reputation_ip_detection=guard.BlockingPolicyModelReputationIpDetection.DISABLE,
            ip_addresses_detection=guard.BlockingPolicyModelIpAddressesDetection.ENABLE,
            options=guard.BlockingPolicyModelOptions(
                ip_addresses=[
                    '192.168.0.0/24',
                ],
                ip_address_restriction=guard.BlockingPolicyModelIpAddressRestriction.ALLOW,
            )
        ),
        )

print(SampleStack().yaml())  # Generate Template

BlockingPolicyModel

Blocking Policy

	Type	Condition	Require	Default	Limitation	Description
passServices	List<string>		✓		1 ~ 100 items	List of GS2 services that can be accessed
defaultRestriction	enum { “Allow”, “Deny” }		✓	“Allow”	~ 128 chars	Default restriction [Definition of enumeration type to be specified for defaultRestriction](#definition-of-enumeration-type-to-be-specified-for-defaultrestriction
locationDetection	enum { “Enable”, “Disable” }		✓	“Disable”	~ 128 chars	Location detection [Definition of enumeration type to be specified for locationDetection](#definition-of-enumeration-type-to-be-specified-for-locationdetection
locations	List<string>	{locationDetection} == “Enable”	✓	[]	1 ~ 100 items	List of countries to detect access If locationDetection is “Enable”, then required
locationRestriction	enum { “Allow”, “Deny” }	{locationDetection} == “Enable”	✓		~ 128 chars	Behavior when matched with the country list If locationDetection is “Enable”, then required
anonymousIpDetection	enum { “Enable”, “Disable” }		✓	“Disable”	~ 128 chars	Anonymous IP Service Detection [Definition of enumeration type to be specified for anonymousIpDetection](#definition-of-enumeration-type-to-be-specified-for-anonymousipdetection
anonymousIpRestriction	enum { “Deny” }	{anonymousIpDetection} == “Enable”	✓	“Deny”	~ 128 chars	Behavior when detected anonymous IP service If anonymousIpDetection is “Enable”, then required
hostingProviderIpDetection	enum { “Enable”, “Disable” }		✓	“Disable”	~ 128 chars	Hosting Service Detection [Definition of enumeration type to be specified for hostingProviderIpDetection](#definition-of-enumeration-type-to-be-specified-for-hostingprovideripdetection
hostingProviderIpRestriction	enum { “Deny” }	{hostingProviderIpDetection} == “Enable”	✓	“Deny”	~ 128 chars	Behavior when detected hosting service If hostingProviderIpDetection is “Enable”, then required
reputationIpDetection	enum { “Enable”, “Disable” }		✓	“Disable”	~ 128 chars	Reputation access IP Detection [Definition of enumeration type to be specified for reputationIpDetection](#definition-of-enumeration-type-to-be-specified-for-reputationipdetection
reputationIpRestriction	enum { “Deny” }	{reputationIpDetection} == “Enable”	✓	“Deny”	~ 128 chars	Behavior when detected malicious access source IP If reputationIpDetection is “Enable”, then required
ipAddressesDetection	enum { “Enable”, “Disable” }		✓	“Disable”	~ 128 chars	Access source IP detection [Definition of enumeration type to be specified for ipAddressesDetection](#definition-of-enumeration-type-to-be-specified-for-ipaddressesdetection
ipAddresses	List<string>	{ipAddressesDetection} == “Enable”			~ 100 items	List of ip addresses If ipAddressesDetection is “Enable”, then enabled
ipAddressRestriction	enum { “Allow”, “Deny” }	{ipAddressesDetection} == “Enable”	✓		~ 128 chars	Behavior when matched with the IP address list If ipAddressesDetection is “Enable”, then required

Definition of enumeration type to be specified for defaultRestriction

Enumerator String Definition	Description
Allow	Allow access from a predetermined access source
Deny	Deny access from a predetermined access source

Definition of enumeration type to be specified for locationDetection

Enumerator String Definition	Description
Enable	Enable
Disable	Disable

Definition of enumeration type to be specified for locationRestriction

Enumerator String Definition	Description
Allow	Allow
Deny	Deny

Definition of enumeration type to be specified for anonymousIpDetection

Enumerator String Definition	Description
Enable	Enable
Disable	Disable

Definition of enumeration type to be specified for anonymousIpRestriction

Enumerator String Definition	Description
Deny	Deny

Definition of enumeration type to be specified for hostingProviderIpDetection

Enumerator String Definition	Description
Enable	Enable
Disable	Disable

Definition of enumeration type to be specified for hostingProviderIpRestriction

Enumerator String Definition	Description
Deny	Deny

Definition of enumeration type to be specified for reputationIpDetection

Enumerator String Definition	Description
Enable	Enable
Disable	Disable

Definition of enumeration type to be specified for reputationIpRestriction

Enumerator String Definition	Description
Deny	Deny

Definition of enumeration type to be specified for ipAddressesDetection

Enumerator String Definition	Description
Enable	Enable
Disable	Disable

Definition of enumeration type to be specified for ipAddressRestriction

Enumerator String Definition	Description
Allow	Allow
Deny	Deny