Update SWP (#2666)
LucaPrete authored Nov 9, 2024
1 parent caddfef commit 02d14da
Showing 4 changed files with 143 additions and 39 deletions.
68 changes: 52 additions & 16 deletions modules/net-swp/README.md
Expand Up @@ -120,6 +120,8 @@ module "secure-web-proxy" {

### Secure Web Proxy with TLS inspection

You can activate TLS inspection and let the module handle the TLS inspection policy creation.

```hcl
resource "google_privateca_ca_pool" "pool" {
name = "secure-web-proxy-capool"
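Review bot: the new intro sentence under `### Secure Web Proxy with TLS inspection` does not say what makes the module create the policy; the example that follows relies on `tls_inspection_config.create_config`, so name it, e.g. "Set `tls_inspection_config.create_config` to have the module create the TLS inspection policy for you."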
@@ -194,31 +196,65 @@ module "secure-web-proxy" {
}
}
tls_inspection_config = {
ca_pool = google_privateca_ca_pool.pool.id
create_config = {
ca_pool = google_privateca_ca_pool.pool.id
}
}
}
# tftest modules=1 resources=7 inventory=tls.yaml
```

You can also refer to existing TLS inspection policies (even cross-project).

```hcl
module "secure-web-proxy" {
source = "./fabric/modules/net-swp"
project_id = "my-project"
region = "europe-west4"
name = "secure-web-proxy"
network = "projects/my-project/global/networks/my-network"
subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
addresses = ["10.142.68.3"]
certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
ports = [443]
policy_rules = {
custom = {
custom-rule-1 = {
priority = 1000
session_matcher = "host() == 'google.com'"
application_matcher = "request.path.contains('generate_204')"
action = "ALLOW"
tls_inspection_enabled = true
}
}
}
tls_inspection_config = {
id = "projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0"
}
}
# tftest modules=1 resources=3 inventory=tls-no-ip.yaml
```
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [addresses](variables.tf#L19) | One or more IP addresses to be used for Secure Web Proxy. | <code>list&#40;string&#41;</code> || |
| [certificates](variables.tf#L28) | List of certificates to be used for Secure Web Proxy. | <code>list&#40;string&#41;</code> || |
| [name](variables.tf#L51) | Name of the Secure Web Proxy resource. | <code>string</code> || |
| [network](variables.tf#L56) | Name of the network the Secure Web Proxy is deployed into. | <code>string</code> || |
| [project_id](variables.tf#L120) | Project id of the project that holds the network. | <code>string</code> || |
| [region](variables.tf#L125) | Region where resources will be created. | <code>string</code> || |
| [subnetwork](variables.tf#L151) | Name of the subnetwork the Secure Web Proxy is deployed into. | <code>string</code> || |
| [delete_swg_autogen_router_on_destroy](variables.tf#L33) | Delete automatically provisioned Cloud Router on destroy. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L39) | Optional description for the created resources. | <code>string</code> | | <code>&#34;Managed by Terraform.&#34;</code> |
| [labels](variables.tf#L45) | Resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [policy_rules](variables.tf#L61) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | <code title="object&#40;&#123;&#10; secure_tags &#61; optional&#40;map&#40;object&#40;&#123;&#10; tag &#61; string&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; url_lists &#61; optional&#40;map&#40;object&#40;&#123;&#10; url_list &#61; string&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; custom &#61; optional&#40;map&#40;object&#40;&#123;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ports](variables.tf#L114) | Ports to use for Secure Web Proxy. | <code>list&#40;number&#41;</code> | | <code>&#91;443&#93;</code> |
| [scope](variables.tf#L130) | Scope determines how configuration across multiple Gateway instances are merged. | <code>string</code> | | <code>null</code> |
| [service_attachment](variables.tf#L136) | PSC service attachment configuration. | <code title="object&#40;&#123;&#10; nat_subnets &#61; list&#40;string&#41;&#10; automatic_connection &#61; optional&#40;bool, false&#41;&#10; consumer_accept_lists &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; consumer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10; description &#61; optional&#40;string&#41;&#10; domain_name &#61; optional&#40;string&#41;&#10; enable_proxy_protocol &#61; optional&#40;bool, false&#41;&#10; reconcile_connections &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [tls_inspection_config](variables.tf#L156) | TLS inspection configuration. | <code title="object&#40;&#123;&#10; ca_pool &#61; optional&#40;string, null&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [addresses](variables.tf#L17) | One or more IP addresses to be used for Secure Web Proxy. | <code>list&#40;string&#41;</code> || |
| [certificates](variables.tf#L26) | List of certificates to be used for Secure Web Proxy. | <code>list&#40;string&#41;</code> || |
| [name](variables.tf#L49) | Name of the Secure Web Proxy resource. | <code>string</code> || |
| [network](variables.tf#L54) | Name of the network the Secure Web Proxy is deployed into. | <code>string</code> || |
| [project_id](variables.tf#L118) | Project id of the project that holds the network. | <code>string</code> || |
| [region](variables.tf#L123) | Region where resources will be created. | <code>string</code> || |
| [subnetwork](variables.tf#L149) | Name of the subnetwork the Secure Web Proxy is deployed into. | <code>string</code> || |
| [delete_swg_autogen_router_on_destroy](variables.tf#L31) | Delete automatically provisioned Cloud Router on destroy. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L37) | Optional description for the created resources. | <code>string</code> | | <code>&#34;Managed by Terraform.&#34;</code> |
| [labels](variables.tf#L43) | Resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [policy_rules](variables.tf#L59) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | <code title="object&#40;&#123;&#10; secure_tags &#61; optional&#40;map&#40;object&#40;&#123;&#10; tag &#61; string&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; url_lists &#61; optional&#40;map&#40;object&#40;&#123;&#10; url_list &#61; string&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; custom &#61; optional&#40;map&#40;object&#40;&#123;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ports](variables.tf#L112) | Ports to use for Secure Web Proxy. | <code>list&#40;number&#41;</code> | | <code>&#91;443&#93;</code> |
| [scope](variables.tf#L128) | Scope determines how configuration across multiple Gateway instances are merged. | <code>string</code> | | <code>null</code> |
| [service_attachment](variables.tf#L134) | PSC service attachment configuration. | <code title="object&#40;&#123;&#10; nat_subnets &#61; list&#40;string&#41;&#10; automatic_connection &#61; optional&#40;bool, false&#41;&#10; consumer_accept_lists &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; consumer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10; description &#61; optional&#40;string&#41;&#10; domain_name &#61; optional&#40;string&#41;&#10; enable_proxy_protocol &#61; optional&#40;bool, false&#41;&#10; reconcile_connections &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [tls_inspection_config](variables.tf#L154) | TLS inspection configuration. | <code title="object&#40;&#123;&#10; create_config &#61; optional&#40;object&#40;&#123;&#10; ca_pool &#61; optional&#40;string, null&#41;&#10; description &#61; optional&#40;string, null&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, null&#41;&#10; id &#61; optional&#40;string, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |

## Outputs

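Review bot: the `tls_inspection_config` row of the regenerated variables table still carries the one-line description "TLS inspection configuration." although its type now exposes two alternatives, `create_config` (the module creates the policy) and `id` (reference an existing policy), and its default moved from `null` to `{}`. That text is generated from the variable's `description` in variables.tf, so extend it there and regenerate, e.g. "TLS inspection configuration. Set `create_config` to create a policy or `id` to reference an existing one, not both." The second example's `# tftest modules=1 resources=3 inventory=tls-no-ip.yaml` agrees with the three resources counted in the new inventory file.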
34 changes: 17 additions & 17 deletions modules/net-swp/main.tf
@@ -15,7 +15,10 @@
*/

locals {
create_url_lists = { for k, v in var.policy_rules.url_lists : v.url_list => v if v.values != null }
create_url_lists = {
for k, v in var.policy_rules.url_lists
: v.url_list => v if v.values != null
}
}

moved {
@@ -24,12 +27,15 @@ moved {
}

resource "google_network_security_gateway_security_policy" "default" {
provider = google-beta
project = var.project_id
name = var.name
location = var.region
description = var.description
tls_inspection_policy = var.tls_inspection_config != null ? google_network_security_tls_inspection_policy.default[0].id : null
provider = google-beta
project = var.project_id
name = var.name
location = var.region
description = var.description
tls_inspection_policy = try(coalesce(
var.tls_inspection_config.id,
try(google_network_security_tls_inspection_policy.default[0].id, null)
), null)
}

moved {
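Review bot: the inner `try(google_network_security_tls_inspection_policy.default[0].id, null)` is load-bearing, not redundant: `coalesce` evaluates its arguments eagerly, so without it an invalid index (the case where `create_config` is null and the resource has `count = 0`) would error out of the whole `coalesce`, and the outer `try` would return `null` even when `var.tls_inspection_config.id` is set. Add a one-line comment saying so, or restate it as a conditional that reads more directly: `tls_inspection_policy = var.tls_inspection_config.id != null ? var.tls_inspection_config.id : try(google_network_security_tls_inspection_policy.default[0].id, null)`.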
@@ -38,19 +44,17 @@ moved {
}

resource "google_network_security_tls_inspection_policy" "default" {
count = var.tls_inspection_config != null ? 1 : 0
provider = google
count = var.tls_inspection_config.create_config != null ? 1 : 0
project = var.project_id
name = var.name
location = var.region
description = coalesce(var.tls_inspection_config.description, var.description)
ca_pool = var.tls_inspection_config.ca_pool
exclude_public_ca_set = var.tls_inspection_config.exclude_public_ca_set
description = coalesce(var.tls_inspection_config.create_config.description, var.description)
ca_pool = var.tls_inspection_config.create_config.ca_pool
exclude_public_ca_set = var.tls_inspection_config.create_config.exclude_public_ca_set
}

resource "google_network_security_gateway_security_policy_rule" "secure_tag_rules" {
for_each = var.policy_rules.secure_tags
provider = google
project = var.project_id
name = each.key
location = var.region
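Review bot: `ca_pool = var.tls_inspection_config.create_config.ca_pool` passes through a value that variables.tf declares as `optional(string, null)`, but `ca_pool` is a required argument of `google_network_security_tls_inspection_policy`, so a caller who sets `create_config = {}` gets a provider error at plan time instead of a module validation message. Consider a second `validation` block on the variable: `condition = var.tls_inspection_config.create_config == null || var.tls_inspection_config.create_config.ca_pool != null`, with a message naming `create_config.ca_pool` as required when `create_config` is set.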
@@ -69,7 +73,6 @@ resource "google_network_security_gateway_security_policy_rule" "secure_tag_rule

resource "google_network_security_gateway_security_policy_rule" "url_list_rules" {
for_each = var.policy_rules.url_lists
provider = google
project = var.project_id
name = each.key
location = var.region
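Review bot: dropping `provider = google` here, and in the `custom_rules`, `url_lists` and `gateway` hunks below, is behaviour-neutral because the unaliased `google` configuration is the default for these resource types, but the commit message ("Update SWP") does not mention it. Call it out, since `google_network_security_gateway_security_policy` above deliberately keeps `provider = google-beta`, and a reader comparing the two will otherwise wonder whether the removal was intended.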
@@ -93,7 +96,6 @@ resource "google_network_security_gateway_security_policy_rule" "url_list_rules"
resource "google_network_security_gateway_security_policy_rule" "custom_rules" {
for_each = var.policy_rules.custom
project = var.project_id
provider = google
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
@@ -112,7 +114,6 @@ moved {
}
resource "google_network_security_url_lists" "default" {
for_each = local.create_url_lists
provider = google
project = var.project_id
name = each.key
location = var.region
@@ -126,7 +127,6 @@ moved {
}

resource "google_network_services_gateway" "default" {
provider = google
project = var.project_id
name = var.name
location = var.region
21 changes: 15 additions & 6 deletions modules/net-swp/variables.tf
@@ -14,8 +14,6 @@
* limitations under the License.
*/



variable "addresses" {
description = "One or more IP addresses to be used for Secure Web Proxy."
type = list(string)
@@ -156,9 +154,20 @@ variable "subnetwork" {
variable "tls_inspection_config" {
description = "TLS inspection configuration."
type = object({
ca_pool = optional(string, null)
exclude_public_ca_set = optional(bool, false)
description = optional(string)
create_config = optional(object({
ca_pool = optional(string, null)
description = optional(string, null)
exclude_public_ca_set = optional(bool, false)
}), null)
id = optional(string, null)
})
default = null
nullable = false
default = {}
validation {
condition = !(
var.tls_inspection_config.create_config != null &&
var.tls_inspection_config.id != null
)
error_message = "You can't assign values both to `create.config.ca_pool` and `id`."
}
}
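Review bot: the `error_message` does not match the `condition`: it names `create.config.ca_pool`, but the attribute is `create_config` and the check is on `create_config` as a whole, not on its `ca_pool`. Suggest `error_message = "Set either tls_inspection_config.create_config or tls_inspection_config.id, not both."`. With `nullable = false` and `default = {}`, a caller who still passes `tls_inspection_config = null` silently gets the default, which leaves both alternatives null and disables inspection as before; the previous top-level `ca_pool`/`exclude_public_ca_set` attributes, however, now have to be moved under `create_config`, and that breaking change deserves a line in the README or changelog.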
59 changes: 59 additions & 0 deletions tests/modules/net_swp/examples/tls-no-ip.yaml
@@ -0,0 +1,59 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# file: tests/modules/net_swp/examples/tls.yaml
values:
module.secure-web-proxy.google_network_security_gateway_security_policy.default:
description: Managed by Terraform.
location: europe-west4
name: secure-web-proxy
project: my-project
timeouts: null
tls_inspection_policy: projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
application_matcher: request.path.contains('generate_204')
basic_profile: ALLOW
description: Managed by Terraform.
enabled: true
location: europe-west4
name: custom-rule-1
priority: 1000
project: my-project
session_matcher: host() == 'google.com'
timeouts: null
tls_inspection_enabled: true
module.secure-web-proxy.google_network_services_gateway.default:
addresses:
- 10.142.68.3
certificate_urls:
- projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert
delete_swg_autogen_router_on_destroy: true
description: Managed by Terraform.
labels: null
location: europe-west4
name: secure-web-proxy
network: projects/my-project/global/networks/my-network
ports:
- 443
project: my-project
scope: ''
server_tls_policy: null
subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork
timeouts: null
type: SECURE_WEB_GATEWAY

counts:
google_network_security_gateway_security_policy: 1
google_network_services_gateway: 1
google_network_security_gateway_security_policy_rule: 1
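Review bot: the header comment `# file: tests/modules/net_swp/examples/tls.yaml` still names the file this inventory was copied from; it should read `tls-no-ip.yaml`, and the copyright line says 2023 for a file added in a November 2024 commit. The content itself is consistent with the README example: `tls_inspection_policy` carries the cross-project id through unchanged, no `google_network_security_tls_inspection_policy` resource appears, and `counts` totals three resources, matching `resources=3` in the README test directive.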
