diff --git a/modules/net-swp/README.md b/modules/net-swp/README.md
index 87526dd8dd..fed778afce 100644
--- a/modules/net-swp/README.md
+++ b/modules/net-swp/README.md
@@ -120,6 +120,8 @@ module "secure-web-proxy" {
### Secure Web Proxy with TLS inspection
+You can activate TLS inspection and let the module handle the TLS inspection policy creation.
+
```hcl
resource "google_privateca_ca_pool" "pool" {
name = "secure-web-proxy-capool"
@@ -194,31 +196,65 @@ module "secure-web-proxy" {
}
}
tls_inspection_config = {
- ca_pool = google_privateca_ca_pool.pool.id
+ create_config = {
+ ca_pool = google_privateca_ca_pool.pool.id
+ }
}
}
# tftest modules=1 resources=7 inventory=tls.yaml
```
+
+You can also refer to existing TLS inspection policies (even cross-project).
+
+```hcl
+module "secure-web-proxy" {
+ source = "./fabric/modules/net-swp"
+
+ project_id = "my-project"
+ region = "europe-west4"
+ name = "secure-web-proxy"
+ network = "projects/my-project/global/networks/my-network"
+ subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
+ addresses = ["10.142.68.3"]
+ certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
+ ports = [443]
+ policy_rules = {
+ custom = {
+ custom-rule-1 = {
+ priority = 1000
+ session_matcher = "host() == 'google.com'"
+ application_matcher = "request.path.contains('generate_204')"
+ action = "ALLOW"
+ tls_inspection_enabled = true
+ }
+ }
+ }
+ tls_inspection_config = {
+ id = "projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0"
+ }
+}
+# tftest modules=1 resources=3 inventory=tls-no-ip.yaml
+```
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [addresses](variables.tf#L19) | One or more IP addresses to be used for Secure Web Proxy. | list(string)
| ✓ | |
-| [certificates](variables.tf#L28) | List of certificates to be used for Secure Web Proxy. | list(string)
| ✓ | |
-| [name](variables.tf#L51) | Name of the Secure Web Proxy resource. | string
| ✓ | |
-| [network](variables.tf#L56) | Name of the network the Secure Web Proxy is deployed into. | string
| ✓ | |
-| [project_id](variables.tf#L120) | Project id of the project that holds the network. | string
| ✓ | |
-| [region](variables.tf#L125) | Region where resources will be created. | string
| ✓ | |
-| [subnetwork](variables.tf#L151) | Name of the subnetwork the Secure Web Proxy is deployed into. | string
| ✓ | |
-| [delete_swg_autogen_router_on_destroy](variables.tf#L33) | Delete automatically provisioned Cloud Router on destroy. | bool
| | true
|
-| [description](variables.tf#L39) | Optional description for the created resources. | string
| | "Managed by Terraform."
|
-| [labels](variables.tf#L45) | Resource labels. | map(string)
| | {}
|
-| [policy_rules](variables.tf#L61) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | object({…})
| | {}
|
-| [ports](variables.tf#L114) | Ports to use for Secure Web Proxy. | list(number)
| | [443]
|
-| [scope](variables.tf#L130) | Scope determines how configuration across multiple Gateway instances are merged. | string
| | null
|
-| [service_attachment](variables.tf#L136) | PSC service attachment configuration. | object({…})
| | null
|
-| [tls_inspection_config](variables.tf#L156) | TLS inspection configuration. | object({…})
| | null
|
+| [addresses](variables.tf#L17) | One or more IP addresses to be used for Secure Web Proxy. | list(string)
| ✓ | |
+| [certificates](variables.tf#L26) | List of certificates to be used for Secure Web Proxy. | list(string)
| ✓ | |
+| [name](variables.tf#L49) | Name of the Secure Web Proxy resource. | string
| ✓ | |
+| [network](variables.tf#L54) | Name of the network the Secure Web Proxy is deployed into. | string
| ✓ | |
+| [project_id](variables.tf#L118) | Project id of the project that holds the network. | string
| ✓ | |
+| [region](variables.tf#L123) | Region where resources will be created. | string
| ✓ | |
+| [subnetwork](variables.tf#L149) | Name of the subnetwork the Secure Web Proxy is deployed into. | string
| ✓ | |
+| [delete_swg_autogen_router_on_destroy](variables.tf#L31) | Delete automatically provisioned Cloud Router on destroy. | bool
| | true
|
+| [description](variables.tf#L37) | Optional description for the created resources. | string
| | "Managed by Terraform."
|
+| [labels](variables.tf#L43) | Resource labels. | map(string)
| | {}
|
+| [policy_rules](variables.tf#L59) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | object({…})
| | {}
|
+| [ports](variables.tf#L112) | Ports to use for Secure Web Proxy. | list(number)
| | [443]
|
+| [scope](variables.tf#L128) | Scope determines how configuration across multiple Gateway instances are merged. | string
| | null
|
+| [service_attachment](variables.tf#L134) | PSC service attachment configuration. | object({…})
| | null
|
+| [tls_inspection_config](variables.tf#L154) | TLS inspection configuration. | object({…})
| | {}
|
## Outputs
diff --git a/modules/net-swp/main.tf b/modules/net-swp/main.tf
index b2bb754fb2..cc84300269 100644
--- a/modules/net-swp/main.tf
+++ b/modules/net-swp/main.tf
@@ -15,7 +15,10 @@
*/
locals {
- create_url_lists = { for k, v in var.policy_rules.url_lists : v.url_list => v if v.values != null }
+ create_url_lists = {
+ for k, v in var.policy_rules.url_lists
+ : v.url_list => v if v.values != null
+ }
}
moved {
@@ -24,12 +27,14 @@ moved {
}
resource "google_network_security_gateway_security_policy" "default" {
- provider = google-beta
- project = var.project_id
- name = var.name
- location = var.region
- description = var.description
- tls_inspection_policy = var.tls_inspection_config != null ? google_network_security_tls_inspection_policy.default[0].id : null
+ project = var.project_id
+ name = var.name
+ location = var.region
+ description = var.description
+ tls_inspection_policy = try(coalesce(
+ var.tls_inspection_config.id,
+ try(google_network_security_tls_inspection_policy.default[0].id, null)
+ ), null)
}
moved {
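Review bot: The new `tls_inspection_policy` expression depends on `coalesce()` raising when both arguments are null and on the outer `try()` converting that error into null, which also silently masks any other evaluation error inside the expression. A conditional states the intent directly and only guards the one reference that may not exist: `tls_inspection_policy = var.tls_inspection_config.id != null ? var.tls_inspection_config.id : try(google_network_security_tls_inspection_policy.default[0].id, null)`. The dropped `provider = google-beta` presumably reflects this resource being available in the GA provider; that is worth confirming against the module's provider version constraint, which is outside this diff.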
@@ -38,19 +43,17 @@ moved {
}
resource "google_network_security_tls_inspection_policy" "default" {
- count = var.tls_inspection_config != null ? 1 : 0
- provider = google
+ count = var.tls_inspection_config.create_config != null ? 1 : 0
project = var.project_id
name = var.name
location = var.region
- description = coalesce(var.tls_inspection_config.description, var.description)
- ca_pool = var.tls_inspection_config.ca_pool
- exclude_public_ca_set = var.tls_inspection_config.exclude_public_ca_set
+ description = coalesce(var.tls_inspection_config.create_config.description, var.description)
+ ca_pool = var.tls_inspection_config.create_config.ca_pool
+ exclude_public_ca_set = var.tls_inspection_config.create_config.exclude_public_ca_set
}
resource "google_network_security_gateway_security_policy_rule" "secure_tag_rules" {
for_each = var.policy_rules.secure_tags
- provider = google
project = var.project_id
name = each.key
location = var.region
@@ -69,7 +72,6 @@ resource "google_network_security_gateway_security_policy_rule" "secure_tag_rule
resource "google_network_security_gateway_security_policy_rule" "url_list_rules" {
for_each = var.policy_rules.url_lists
- provider = google
project = var.project_id
name = each.key
location = var.region
@@ -93,7 +95,6 @@ resource "google_network_security_gateway_security_policy_rule" "url_list_rules"
resource "google_network_security_gateway_security_policy_rule" "custom_rules" {
for_each = var.policy_rules.custom
project = var.project_id
- provider = google
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
@@ -112,7 +113,6 @@ moved {
}
resource "google_network_security_url_lists" "default" {
for_each = local.create_url_lists
- provider = google
project = var.project_id
name = each.key
location = var.region
@@ -126,7 +126,6 @@ moved {
}
resource "google_network_services_gateway" "default" {
- provider = google
project = var.project_id
name = var.name
location = var.region
diff --git a/modules/net-swp/variables.tf b/modules/net-swp/variables.tf
index af45efc080..1abf46874d 100644
--- a/modules/net-swp/variables.tf
+++ b/modules/net-swp/variables.tf
@@ -14,8 +14,6 @@
* limitations under the License.
*/
-
-
variable "addresses" {
description = "One or more IP addresses to be used for Secure Web Proxy."
type = list(string)
@@ -156,9 +154,20 @@ variable "subnetwork" {
variable "tls_inspection_config" {
description = "TLS inspection configuration."
type = object({
- ca_pool = optional(string, null)
- exclude_public_ca_set = optional(bool, false)
- description = optional(string)
+ create_config = optional(object({
+ ca_pool = optional(string, null)
+ description = optional(string, null)
+ exclude_public_ca_set = optional(bool, false)
+ }), null)
+ id = optional(string, null)
})
- default = null
+ nullable = false
+ default = {}
+ validation {
+ condition = !(
+ var.tls_inspection_config.create_config != null &&
+ var.tls_inspection_config.id != null
+ )
+ error_message = "You can't assign values both to `create.config.ca_pool` and `id`."
+ }
}
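Review bot: The validation's error message names `create.config.ca_pool`, which is not a key of the declared type, and the condition it belongs to compares `create_config` as a whole against `id`, so the message should refer to `create_config` and `id`. The validation also accepts `create_config = {}`, where `ca_pool` keeps its null default; main.tf then passes that null as `ca_pool` to `google_network_security_tls_inspection_policy`, which I believe the provider rejects as a required attribute, so the mistake would surface only at plan or apply time instead of as a clear variable error. A second validation block requiring `create_config.ca_pool` whenever `create_config` is set catches it at the variable boundary.
```hcl
  validation {
    # … unchanged: mutual-exclusion condition on create_config and id …
    error_message = "You can't assign values both to `create_config` and `id`."
  }
  validation {
    condition = (
      var.tls_inspection_config.create_config == null ||
      var.tls_inspection_config.create_config.ca_pool != null
    )
    error_message = "`create_config.ca_pool` is required when `create_config` is set."
  }
```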
diff --git a/tests/modules/net_swp/examples/tls-no-ip.yaml b/tests/modules/net_swp/examples/tls-no-ip.yaml
new file mode 100644
index 0000000000..defa4d5e4a
--- /dev/null
+++ b/tests/modules/net_swp/examples/tls-no-ip.yaml
@@ -0,0 +1,59 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# file: tests/modules/net_swp/examples/tls.yaml
+values:
+ module.secure-web-proxy.google_network_security_gateway_security_policy.default:
+ description: Managed by Terraform.
+ location: europe-west4
+ name: secure-web-proxy
+ project: my-project
+ timeouts: null
+ tls_inspection_policy: projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0
+ module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
+ application_matcher: request.path.contains('generate_204')
+ basic_profile: ALLOW
+ description: Managed by Terraform.
+ enabled: true
+ location: europe-west4
+ name: custom-rule-1
+ priority: 1000
+ project: my-project
+ session_matcher: host() == 'google.com'
+ timeouts: null
+ tls_inspection_enabled: true
+ module.secure-web-proxy.google_network_services_gateway.default:
+ addresses:
+ - 10.142.68.3
+ certificate_urls:
+ - projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert
+ delete_swg_autogen_router_on_destroy: true
+ description: Managed by Terraform.
+ labels: null
+ location: europe-west4
+ name: secure-web-proxy
+ network: projects/my-project/global/networks/my-network
+ ports:
+ - 443
+ project: my-project
+ scope: ''
+ server_tls_policy: null
+ subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork
+ timeouts: null
+ type: SECURE_WEB_GATEWAY
+
+counts:
+ google_network_security_gateway_security_policy: 1
+ google_network_services_gateway: 1
+ google_network_security_gateway_security_policy_rule: 1
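Review bot: The header comment `# file: tests/modules/net_swp/examples/tls.yaml` names the sibling fixture rather than this new file; it should read `# file: tests/modules/net_swp/examples/tls-no-ip.yaml`. The inventory itself is consistent with the README example that references it: three resources, no created TLS inspection policy, and the cross-project policy id carried through to `tls_inspection_policy`.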