diff --git a/modules/net-swp/README.md b/modules/net-swp/README.md index 87526dd8dd..fed778afce 100644 --- a/modules/net-swp/README.md +++ b/modules/net-swp/README.md @@ -120,6 +120,8 @@ module "secure-web-proxy" { ### Secure Web Proxy with TLS inspection +You can activate TLS inspection and let the module handle the TLS inspection policy creation. + ```hcl resource "google_privateca_ca_pool" "pool" { name = "secure-web-proxy-capool" 
@@ -194,31 +196,65 @@ module "secure-web-proxy" { } } tls_inspection_config = { - ca_pool = google_privateca_ca_pool.pool.id + create_config = { + ca_pool = google_privateca_ca_pool.pool.id + } } } # tftest modules=1 resources=7 inventory=tls.yaml ``` + +You can also refer to existing TLS inspection policies (even cross-project). + +```hcl +module "secure-web-proxy" { + source = "./fabric/modules/net-swp" + + project_id = "my-project" + region = "europe-west4" + name = "secure-web-proxy" + network = "projects/my-project/global/networks/my-network" + subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork" + addresses = ["10.142.68.3"] + certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"] + ports = [443] + policy_rules = { + custom = { + custom-rule-1 = { + priority = 1000 + session_matcher = "host() == 'google.com'" + application_matcher = "request.path.contains('generate_204')" + action = "ALLOW" + tls_inspection_enabled = true + } + } + } + tls_inspection_config = { + id = "projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0" + } +} +# tftest modules=1 resources=3 inventory=tls-no-ip.yaml +``` ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [addresses](variables.tf#L19) | One or more IP addresses to be used for Secure Web Proxy. | list(string) | ✓ | | -| [certificates](variables.tf#L28) | List of certificates to be used for Secure Web Proxy. | list(string) | ✓ | | -| [name](variables.tf#L51) | Name of the Secure Web Proxy resource. | string | ✓ | | -| [network](variables.tf#L56) | Name of the network the Secure Web Proxy is deployed into. | string | ✓ | | -| [project_id](variables.tf#L120) | Project id of the project that holds the network. | string | ✓ | | -| [region](variables.tf#L125) | Region where resources will be created. 
| string | ✓ | | -| [subnetwork](variables.tf#L151) | Name of the subnetwork the Secure Web Proxy is deployed into. | string | ✓ | | -| [delete_swg_autogen_router_on_destroy](variables.tf#L33) | Delete automatically provisioned Cloud Router on destroy. | bool | | true | -| [description](variables.tf#L39) | Optional description for the created resources. | string | | "Managed by Terraform." | -| [labels](variables.tf#L45) | Resource labels. | map(string) | | {} | -| [policy_rules](variables.tf#L61) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | object({…}) | | {} | -| [ports](variables.tf#L114) | Ports to use for Secure Web Proxy. | list(number) | | [443] | -| [scope](variables.tf#L130) | Scope determines how configuration across multiple Gateway instances are merged. | string | | null | -| [service_attachment](variables.tf#L136) | PSC service attachment configuration. | object({…}) | | null | -| [tls_inspection_config](variables.tf#L156) | TLS inspection configuration. | object({…}) | | null | +| [addresses](variables.tf#L17) | One or more IP addresses to be used for Secure Web Proxy. | list(string) | ✓ | | +| [certificates](variables.tf#L26) | List of certificates to be used for Secure Web Proxy. | list(string) | ✓ | | +| [name](variables.tf#L49) | Name of the Secure Web Proxy resource. | string | ✓ | | +| [network](variables.tf#L54) | Name of the network the Secure Web Proxy is deployed into. | string | ✓ | | +| [project_id](variables.tf#L118) | Project id of the project that holds the network. | string | ✓ | | +| [region](variables.tf#L123) | Region where resources will be created. | string | ✓ | | +| [subnetwork](variables.tf#L149) | Name of the subnetwork the Secure Web Proxy is deployed into. | string | ✓ | | +| [delete_swg_autogen_router_on_destroy](variables.tf#L31) | Delete automatically provisioned Cloud Router on destroy. 
| bool | | true | +| [description](variables.tf#L37) | Optional description for the created resources. | string | | "Managed by Terraform." | +| [labels](variables.tf#L43) | Resource labels. | map(string) | | {} | +| [policy_rules](variables.tf#L59) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | object({…}) | | {} | +| [ports](variables.tf#L112) | Ports to use for Secure Web Proxy. | list(number) | | [443] | +| [scope](variables.tf#L128) | Scope determines how configuration across multiple Gateway instances are merged. | string | | null | +| [service_attachment](variables.tf#L134) | PSC service attachment configuration. | object({…}) | | null | +| [tls_inspection_config](variables.tf#L154) | TLS inspection configuration. | object({…}) | | {} | ## Outputs diff --git a/modules/net-swp/main.tf b/modules/net-swp/main.tf index b2bb754fb2..cc84300269 100644 --- a/modules/net-swp/main.tf +++ b/modules/net-swp/main.tf @@ -15,7 +15,10 @@ */ locals { - create_url_lists = { for k, v in var.policy_rules.url_lists : v.url_list => v if v.values != null } + create_url_lists = { + for k, v in var.policy_rules.url_lists + : v.url_list => v if v.values != null + } } moved { @@ -24,12 +27,14 @@ moved { } resource "google_network_security_gateway_security_policy" "default" { - provider = google-beta - project = var.project_id - name = var.name - location = var.region - description = var.description - tls_inspection_policy = var.tls_inspection_config != null ? google_network_security_tls_inspection_policy.default[0].id : null + project = var.project_id + name = var.name + location = var.region + description = var.description + tls_inspection_policy = try(coalesce( + var.tls_inspection_config.id, + try(google_network_security_tls_inspection_policy.default[0].id, null) + ), null) } moved { 
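Review bot: The nested `try(coalesce(...), null)` that now feeds `tls_inspection_policy` swallows every error raised inside it, so a mistyped attribute (say `var.tls_inspection_config.idd`) or a later rename of the policy resource would evaluate to `null` and the gateway policy would be deployed with TLS inspection silently off while its rules still carry `tls_inspection_enabled = true`. The explicit form `var.tls_inspection_config.id != null ? var.tls_inspection_config.id : one(google_network_security_tls_inspection_policy.default[*].id)` yields null only when neither source exists and still fails loudly on a bad reference. A `lifecycle` precondition that rejects inspection-enabled custom rules when no policy is configured would turn that mismatch into a plan-time error rather than an apply-time surprise, assuming every custom rule carries `tls_inspection_enabled` as the README example shows and the module's required Terraform version permits preconditions. The `moved` block at the end of the hunk continues outside it.
```hcl
resource "google_network_security_gateway_security_policy" "default" {
  # … unchanged: project, name, location, description …
  tls_inspection_policy = (
    var.tls_inspection_config.id != null
    ? var.tls_inspection_config.id
    : one(google_network_security_tls_inspection_policy.default[*].id)
  )
  lifecycle {
    precondition {
      condition = (
        var.tls_inspection_config.id != null ||
        var.tls_inspection_config.create_config != null ||
        !anytrue([
          for r in var.policy_rules.custom : coalesce(r.tls_inspection_enabled, false)
        ])
      )
      error_message = "policy_rules.custom enables TLS inspection but tls_inspection_config is empty."
    }
  }
}
```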
@@ -38,19 +43,17 @@ moved { } resource "google_network_security_tls_inspection_policy" "default" { - count = var.tls_inspection_config != null ? 1 : 0 - provider = google + count = var.tls_inspection_config.create_config != null ? 1 : 0 project = var.project_id name = var.name location = var.region - description = coalesce(var.tls_inspection_config.description, var.description) - ca_pool = var.tls_inspection_config.ca_pool - exclude_public_ca_set = var.tls_inspection_config.exclude_public_ca_set + description = coalesce(var.tls_inspection_config.create_config.description, var.description) + ca_pool = var.tls_inspection_config.create_config.ca_pool + exclude_public_ca_set = var.tls_inspection_config.create_config.exclude_public_ca_set } resource "google_network_security_gateway_security_policy_rule" "secure_tag_rules" { for_each = var.policy_rules.secure_tags - provider = google project = var.project_id name = each.key location = var.region @@ -69,7 +72,6 @@ resource "google_network_security_gateway_security_policy_rule" "secure_tag_rule resource "google_network_security_gateway_security_policy_rule" "url_list_rules" { for_each = var.policy_rules.url_lists - provider = google project = var.project_id name = each.key location = var.region @@ -93,7 +95,6 @@ resource "google_network_security_gateway_security_policy_rule" "url_list_rules" resource "google_network_security_gateway_security_policy_rule" "custom_rules" { for_each = var.policy_rules.custom project = var.project_id - provider = google name = each.key location = var.region description = coalesce(each.value.description, var.description) @@ -112,7 +113,6 @@ moved { } resource "google_network_security_url_lists" "default" { for_each = local.create_url_lists - provider = google project = var.project_id name = each.key location = var.region @@ -126,7 +126,6 @@ moved { } resource "google_network_services_gateway" "default" { - provider = google project = var.project_id name = var.name location = var.region 
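Review bot: The module-created policy in this hunk exposes only `ca_pool` and `exclude_public_ca_set`, so callers cannot pin the upstream trust anchors or the minimum protocol version of inspected connections, and with `exclude_public_ca_set` left at `false` the proxy accepts any default public CA for the server side of every inspected session. If the provider version the module targets supports them, passing through `trust_config` and `min_tls_version` from `create_config` (as optional, null-default attributes) would let security-sensitive deployments restrict that without forking the module; I cannot confirm provider support from this diff, so treat that as a follow-up to verify. Independently, a short comment above the resource would help the next reader distinguish the two modes now supported: `# Created only when create_config is set; an externally managed policy is attached via tls_inspection_config.id instead.`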
diff --git a/modules/net-swp/variables.tf b/modules/net-swp/variables.tf index af45efc080..1abf46874d 100644 --- a/modules/net-swp/variables.tf +++ b/modules/net-swp/variables.tf @@ -14,8 +14,6 @@ * limitations under the License. */ - - variable "addresses" { description = "One or more IP addresses to be used for Secure Web Proxy." type = list(string) @@ -156,9 +154,20 @@ variable "subnetwork" { variable "tls_inspection_config" { description = "TLS inspection configuration." type = object({ - ca_pool = optional(string, null) - exclude_public_ca_set = optional(bool, false) - description = optional(string) + create_config = optional(object({ + ca_pool = optional(string, null) + description = optional(string, null) + exclude_public_ca_set = optional(bool, false) + }), null) + id = optional(string, null) }) - default = null + nullable = false + default = {} + validation { + condition = !( + var.tls_inspection_config.create_config != null && + var.tls_inspection_config.id != null + ) + error_message = "You can't assign values both to `create.config.ca_pool` and `id`." + } } diff --git a/tests/modules/net_swp/examples/tls-no-ip.yaml b/tests/modules/net_swp/examples/tls-no-ip.yaml new file mode 100644 index 0000000000..defa4d5e4a --- /dev/null +++ b/tests/modules/net_swp/examples/tls-no-ip.yaml 
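Review bot: The new `validation` block only forbids setting both branches, and its message refers to `create.config.ca_pool`, which is not a path in this type (the attribute is `create_config` and the conflict is with the whole object, not just `ca_pool`); `error_message = "Set either tls_inspection_config.create_config or tls_inspection_config.id, not both."` states the actual rule. It also does not reject `create_config = {}`, whose `ca_pool` defaults to `null` and would reach the required `ca_pool` argument of the policy resource, surfacing as a provider error instead of a variable-level one. A second validation closes that gap, and the variable description should mention the two modes, e.g. `"TLS inspection configuration. Set create_config to have the module create the policy, or id to attach an existing (possibly cross-project) one; leave empty to disable inspection."`
```hcl
  validation {
    condition = (
      var.tls_inspection_config.create_config == null ||
      var.tls_inspection_config.create_config.ca_pool != null
    )
    error_message = "tls_inspection_config.create_config requires ca_pool."
  }
```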
@@ -0,0 +1,59 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# file: tests/modules/net_swp/examples/tls.yaml +values: + module.secure-web-proxy.google_network_security_gateway_security_policy.default: + description: Managed by Terraform. + location: europe-west4 + name: secure-web-proxy + project: my-project + timeouts: null + tls_inspection_policy: projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0 + module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]: + application_matcher: request.path.contains('generate_204') + basic_profile: ALLOW + description: Managed by Terraform. + enabled: true + location: europe-west4 + name: custom-rule-1 + priority: 1000 + project: my-project + session_matcher: host() == 'google.com' + timeouts: null + tls_inspection_enabled: true + module.secure-web-proxy.google_network_services_gateway.default: + addresses: + - 10.142.68.3 + certificate_urls: + - projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert + delete_swg_autogen_router_on_destroy: true + description: Managed by Terraform. 
+ labels: null + location: europe-west4 + name: secure-web-proxy + network: projects/my-project/global/networks/my-network + ports: + - 443 + project: my-project + scope: '' + server_tls_policy: null + subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork + timeouts: null + type: SECURE_WEB_GATEWAY + +counts: + google_network_security_gateway_security_policy: 1 + google_network_services_gateway: 1 + google_network_security_gateway_security_policy_rule: 1
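Review bot: The header comment of this new inventory reads `# file: tests/modules/net_swp/examples/tls.yaml`, but the file is `tls-no-ip.yaml`, so it looks copied from the sibling fixture and will mislead anyone grepping for which inventory backs which README example; `# file: tests/modules/net_swp/examples/tls-no-ip.yaml` is the intended line. The point of this fixture is that no `google_network_security_tls_inspection_policy` is created when an external `id` is given, yet the `counts` section only lists the three resources that do exist; if the inventory harness accepts it, an explicit `google_network_security_tls_inspection_policy: 0` entry would document that intent directly rather than relying on the README's `resources=3` total.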