GS2-Guard GS2-Deploy/CDK リファレンス
GS2-Deployのスタックの作成に使用するテンプレートのフォーマットと、CDKによる各種言語のテンプレート出力の実装例
エンティティ
Namespace
ネームスペース
ネームスペースは一つのプロジェクトで同じサービスを異なる用途で複数利用できるようにするための仕組みです。
GS2 のサービスは基本的にネームスペースというレイヤーがあり、ネームスペースが異なれば同じサービスでもまったく別のデータ空間として取り扱われます。
そのため、各サービスの利用を開始するにあたってネームスペースを作成する必要があります。
| 型 | 有効化条件 | 必須 | デフォルト | 値の制限 | 説明 | |
|---|---|---|---|---|---|---|
| name | string | ✓ | ~ 128文字 | ネームスペース名 | ||
| description | string | ~ 1024文字 | 説明文 | |||
| blockingPolicy | BlockingPolicyModel | ✓ | ブロッキングポリシー |
GetAttr
!GetAttrタグで取得可能なリソースの生成結果
| 型 | 説明 | |
|---|---|---|
| Item | Namespace | 作成したネームスペース |
実装例
Type: GS2::Guard::Namespace
Properties:
Name: namespace-0001
Description: null
BlockingPolicy:
PassServices:
- account
DefaultRestriction: Deny
LocationDetection: Disable
AnonymousIpDetection: Disable
HostingProviderIpDetection: Disable
ReputationIpDetection: Disable
IpAddressesDetection: Enable
IpAddresses:
- 192.168.0.0/24
IpAddressRestriction: Allowimport (
"github.com/gs2io/gs2-golang-cdk/core"
"github.com/gs2io/gs2-golang-cdk/guard"
"github.com/openlyinc/pointy"
)
SampleStack := core.NewStack()
guard.NewNamespace(
&SampleStack,
"namespace-0001",
guard.BlockingPolicyModel{
PassServices: []string{
"account",
},
DefaultRestriction: guard.BlockingPolicyModelDefaultRestrictionDeny,
LocationDetection: guard.BlockingPolicyModelLocationDetectionDisable,
AnonymousIpDetection: guard.BlockingPolicyModelAnonymousIpDetectionDisable,
HostingProviderIpDetection: guard.BlockingPolicyModelHostingProviderIpDetectionDisable,
ReputationIpDetection: guard.BlockingPolicyModelReputationIpDetectionDisable,
IpAddressesDetection: guard.BlockingPolicyModelIpAddressesDetectionEnable,
IpAddresses: []string{
"192.168.0.0/24",
},
IpAddressRestriction: guard.BlockingPolicyModelIpAddressRestrictionAllow.Pointer(),
},
guard.NamespaceOptions{},
)
println(SampleStack.Yaml()) // Generate Template
class SampleStack extends \Gs2Cdk\Core\Model\Stack
{
function __construct() {
parent::__construct();
new \Gs2Cdk\Guard\Model\Namespace_(
stack: $this,
name: "namespace-0001",
blockingPolicy: new \Gs2Cdk\Guard\Model\BlockingPolicyModel(
passServices: [
"account",
],
defaultRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelDefaultRestriction::DENY,
locationDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelLocationDetection::DISABLE,
anonymousIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelAnonymousIpDetection::DISABLE,
hostingProviderIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelHostingProviderIpDetection::DISABLE,
reputationIpDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelReputationIpDetection::DISABLE,
ipAddressesDetection: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressesDetection::ENABLE,
options: new \Gs2Cdk\Guard\Model\Options\BlockingPolicyModelOptions(
ipAddresses: [
"192.168.0.0/24",
],
ipAddressRestriction: Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressRestriction::ALLOW
)
)
);
}
}
print((new SampleStack())->yaml()); // Generate Template
class SampleStack extends io.gs2.cdk.core.model.Stack
{
public SampleStack() {
super();
new io.gs2.cdk.guard.model.Namespace(
this,
"namespace-0001",
new io.gs2.cdk.guard.model.BlockingPolicyModel(
Arrays.asList(
"account"
),
io.gs2.cdk.guard.model.enums.BlockingPolicyModelDefaultRestriction.DENY,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelLocationDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelAnonymousIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelReputationIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressesDetection.ENABLE,
new io.gs2.cdk.guard.model.options.BlockingPolicyModelOptions()
.withIpAddresses(
Arrays.asList(
"192.168.0.0/24"
)
)
.withIpAddressRestriction(
io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressRestriction.ALLOW
)
)
);
}
}
System.out.println(new SampleStack().yaml()); // Generate Templatepublic class SampleStack : Gs2Cdk.Core.Model.Stack
{
public SampleStack() {
new Gs2Cdk.Gs2Guard.Model.Namespace(
stack: this,
name: "namespace-0001",
blockingPolicy: new Gs2Cdk.Gs2Guard.Model.BlockingPolicyModel(
passServices: new string[]
{
"account"
},
defaultRestriction: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelDefaultRestriction.Deny,
locationDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelLocationDetection.Disable,
anonymousIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelAnonymousIpDetection.Disable,
hostingProviderIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelHostingProviderIpDetection.Disable,
reputationIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelReputationIpDetection.Disable,
ipAddressesDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressesDetection.Enable,
options: new Gs2Cdk.Gs2Guard.Model.Options.BlockingPolicyModelOptions
{
ipAddresses = new string[]
{
"192.168.0.0/24"
},
ipAddressRestriction = Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressRestriction.Allow
}
)
);
}
}
Debug.Log(new SampleStack().Yaml()); // Generate Templateimport core from "@/gs2cdk/core";
import guard from "@/gs2cdk/guard";
class SampleStack extends core.Stack
{
public constructor() {
super();
new guard.model.Namespace(
this,
"namespace-0001",
new guard.model.BlockingPolicyModel(
[
"account",
],
guard.model.BlockingPolicyModelDefaultRestriction.DENY,
guard.model.BlockingPolicyModelLocationDetection.DISABLE,
guard.model.BlockingPolicyModelAnonymousIpDetection.DISABLE,
guard.model.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
guard.model.BlockingPolicyModelReputationIpDetection.DISABLE,
guard.model.BlockingPolicyModelIpAddressesDetection.ENABLE,
{
ipAddresses:
[
"192.168.0.0/24",
],
ipAddressRestriction:
guard.model.BlockingPolicyModelIpAddressRestriction.ALLOW
}
)
);
}
}
console.log(new SampleStack().yaml()); // Generate Template
from gs2_cdk import Stack, core, guard
class SampleStack(Stack):
def __init__(self):
super().__init__()
guard.Namespace(
stack=self,
name='namespace-0001',
blocking_policy=guard.BlockingPolicyModel(
pass_services=[
'account',
],
default_restriction=guard.BlockingPolicyModelDefaultRestriction.DENY,
location_detection=guard.BlockingPolicyModelLocationDetection.DISABLE,
anonymous_ip_detection=guard.BlockingPolicyModelAnonymousIpDetection.DISABLE,
hosting_provider_ip_detection=guard.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
reputation_ip_detection=guard.BlockingPolicyModelReputationIpDetection.DISABLE,
ip_addresses_detection=guard.BlockingPolicyModelIpAddressesDetection.ENABLE,
options=guard.BlockingPolicyModelOptions(
ip_addresses=[
'192.168.0.0/24',
],
ip_address_restriction=guard.BlockingPolicyModelIpAddressRestriction.ALLOW,
)
),
)
print(SampleStack().yaml()) # Generate TemplateBlockingPolicyModel
ブロッキングポリシー
| 型 | 有効化条件 | 必須 | デフォルト | 値の制限 | 説明 | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| passServices | List<string> | ✓ | 1 ~ 100 items | アクセス可能なGS2サービスのリスト | ||||||||
| defaultRestriction | 文字列列挙型 enum { “Allow”, “Deny” } | ✓ | “Allow” | ~ 128文字 | 制限の方針
| |||||||
| locationDetection | 文字列列挙型 enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128文字 | アクセス元国検知
| |||||||
| locations | List<string> | {locationDetection} == “Enable” | ✓ | [] | 1 ~ 100 items | アクセスを検知する国リスト locationDetection が “Enable” であれば必須 | ||||||
| locationRestriction | 文字列列挙型 enum { “Allow”, “Deny” } | {locationDetection} == “Enable” | ✓ | ~ 128文字 | 国リストにマッチした際の挙動 locationDetection が “Enable” であれば必須 | |||||||
| anonymousIpDetection | 文字列列挙型 enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128文字 | 匿名IPサービス検知
| |||||||
| anonymousIpRestriction | 文字列列挙型 enum { “Deny” } | {anonymousIpDetection} == “Enable” | ✓ | “Deny” | ~ 128文字 | 匿名IPサービス検知時の挙動 anonymousIpDetection が “Enable” であれば必須 | ||||||
| hostingProviderIpDetection | 文字列列挙型 enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128文字 | ホスティングサービス検知
| |||||||
| hostingProviderIpRestriction | 文字列列挙型 enum { “Deny” } | {hostingProviderIpDetection} == “Enable” | ✓ | “Deny” | ~ 128文字 | ホスティングサービス検知時の挙動 hostingProviderIpDetection が “Enable” であれば必須 | ||||||
| reputationIpDetection | 文字列列挙型 enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128文字 | 悪意のあるアクセス元IP検知
| |||||||
| reputationIpRestriction | 文字列列挙型 enum { “Deny” } | {reputationIpDetection} == “Enable” | ✓ | “Deny” | ~ 128文字 | 悪意のあるアクセス元IP検知時の挙動 reputationIpDetection が “Enable” であれば必須 | ||||||
| ipAddressesDetection | 文字列列挙型 enum { “Enable”, “Disable” } | ✓ | “Disable” | ~ 128文字 | アクセス元IP検知
| |||||||
| ipAddresses | List<string> | {ipAddressesDetection} == “Enable” | ~ 100 items | IPリスト ipAddressesDetection が “Enable” であれば有効 | ||||||||
| ipAddressRestriction | 文字列列挙型 enum { “Allow”, “Deny” } | {ipAddressesDetection} == “Enable” | ✓ | ~ 128文字 | IPアドレスリストにマッチした際の挙動 ipAddressesDetection が “Enable” であれば必須 |