SWP module refactor (#2737)

* new swp interface and factory * outputs * tests and fixes
GoogleCloudPlatform · Nov 27, 2024 · 5e08789 · 5e08789
1 parent 7c858f4
commit 5e08789
Show file tree

Hide file tree

Showing 13 changed files with 717 additions and 336 deletions.
diff --git a/modules/net-swp/README.md b/modules/net-swp/README.md
diff --git a/modules/net-swp/main.tf b/modules/net-swp/main.tf
@@ -15,10 +15,19 @@
  */
 
 locals {
-  create_url_lists = {
-    for k, v in var.policy_rules.url_lists
-    : v.url_list => v if v.values != null
+  _url_lists_path = try(pathexpand(var.factories_config.url_lists), null)
+  _url_lists = {
+    for f in try(fileset(local._url_lists_path, "**/*.yaml"), []) :
+    trimsuffix(f, ".yaml") => yamldecode(file(
+      "${local._url_lists_path}/${f}"
+    ))
   }
+  url_lists = merge(var.url_lists, {
+    for k, v in local._url_lists : k => {
+      description = lookup(v, "description", null)
+      values      = lookup(v, "values", [])
+    }
+  })
 }
 
 moved {
@@ -53,67 +62,13 @@ resource "google_network_security_tls_inspection_policy" "default" {
   exclude_public_ca_set = var.tls_inspection_config.create_config.exclude_public_ca_set
 }
 
-resource "google_network_security_gateway_security_policy_rule" "secure_tag_rules" {
-  for_each                = var.policy_rules.secure_tags
-  project                 = var.project_id
-  name                    = each.key
-  location                = var.region
-  description             = coalesce(each.value.description, var.description)
-  gateway_security_policy = google_network_security_gateway_security_policy.default.name
-  enabled                 = each.value.enabled
-  priority                = each.value.priority
-  session_matcher = trimspace(<<-EOT
-  source.matchTag('${each.value.tag}')%{if each.value.session_matcher != null} && (${each.value.session_matcher})%{endif~}
-  EOT
-  )
-  application_matcher    = each.value.application_matcher
-  tls_inspection_enabled = each.value.tls_inspection_enabled
-  basic_profile          = each.value.action
-}
-
-resource "google_network_security_gateway_security_policy_rule" "url_list_rules" {
-  for_each                = var.policy_rules.url_lists
-  project                 = var.project_id
-  name                    = each.key
-  location                = var.region
-  description             = coalesce(each.value.description, var.description)
-  gateway_security_policy = google_network_security_gateway_security_policy.default.name
-  enabled                 = each.value.enabled
-  priority                = each.value.priority
-  session_matcher = trimspace(<<-EOT
-    inUrlList(host(), '%{~if each.value.values != null~}
-    ${~google_network_security_url_lists.default[each.value.url_list].id~}
-    %{~else~}
-    ${~each.value.url_list~}
-    %{~endif~}') %{~if each.value.session_matcher != null} && (${each.value.session_matcher})%{~endif~}
-  EOT
-  )
-  application_matcher    = each.value.application_matcher
-  tls_inspection_enabled = each.value.tls_inspection_enabled
-  basic_profile          = each.value.action
-}
-
-resource "google_network_security_gateway_security_policy_rule" "custom_rules" {
-  for_each                = var.policy_rules.custom
-  project                 = var.project_id
-  name                    = each.key
-  location                = var.region
-  description             = coalesce(each.value.description, var.description)
-  gateway_security_policy = google_network_security_gateway_security_policy.default.name
-  enabled                 = each.value.enabled
-  priority                = each.value.priority
-  session_matcher         = each.value.session_matcher
-  application_matcher     = each.value.application_matcher
-  tls_inspection_enabled  = each.value.tls_inspection_enabled
-  basic_profile           = each.value.action
-}
-
 moved {
   from = google_network_security_url_lists.url_list_rules
   to   = google_network_security_url_lists.default
 }
+
 resource "google_network_security_url_lists" "default" {
-  for_each    = local.create_url_lists
+  for_each    = local.url_lists
   project     = var.project_id
   name        = each.key
   location    = var.region
@@ -127,20 +82,24 @@ moved {
 }
 
 resource "google_network_services_gateway" "default" {
-  project                              = var.project_id
-  name                                 = var.name
-  location                             = var.region
-  description                          = var.description
-  labels                               = var.labels
-  addresses                            = var.addresses != null ? var.addresses : []
-  type                                 = "SECURE_WEB_GATEWAY"
-  ports                                = var.ports
-  scope                                = var.scope != null ? var.scope : ""
-  certificate_urls                     = var.certificates
-  gateway_security_policy              = google_network_security_gateway_security_policy.default.id
-  network                              = var.network
-  subnetwork                           = var.subnetwork
-  delete_swg_autogen_router_on_destroy = var.delete_swg_autogen_router_on_destroy
+  project          = var.project_id
+  name             = var.name
+  location         = var.region
+  description      = var.description
+  labels           = var.gateway_config.labels
+  addresses        = var.gateway_config.addresses
+  type             = "SECURE_WEB_GATEWAY"
+  ports            = var.gateway_config.ports
+  scope            = var.gateway_config.scope
+  certificate_urls = var.certificates
+  gateway_security_policy = (
+    google_network_security_gateway_security_policy.default.id
+  )
+  network    = var.network
+  subnetwork = var.subnetwork
+  delete_swg_autogen_router_on_destroy = (
+    var.gateway_config.delete_router_on_destroy
+  )
 }
 
 resource "google_compute_service_attachment" "default" {
@@ -152,11 +111,15 @@ resource "google_compute_service_attachment" "default" {
   target_service = google_network_services_gateway.default.self_link
   nat_subnets    = var.service_attachment.nat_subnets
   connection_preference = (
-    var.service_attachment.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
+    var.service_attachment.automatic_connection
+    ? "ACCEPT_AUTOMATIC"
+    : "ACCEPT_MANUAL"
   )
   consumer_reject_lists = var.service_attachment.consumer_reject_lists
   domain_names = (
-    var.service_attachment.domain_name == null ? null : [var.service_attachment.domain_name]
+    var.service_attachment.domain_name == null
+    ? null
+    : [var.service_attachment.domain_name]
   )
   enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
   reconcile_connections = var.service_attachment.reconcile_connections

diff --git a/modules/net-swp/outputs.tf b/modules/net-swp/outputs.tf
@@ -31,5 +31,5 @@ output "id" {
 
 output "service_attachment" {
   description = "ID of the service attachment resource, if created."
-  value       = var.service_attachment == null ? "" : google_compute_service_attachment.default[0].id
+  value       = try(google_compute_service_attachment.default[0].id, null)
 }
diff --git a/modules/net-swp/policy-rules.tf b/modules/net-swp/policy-rules.tf
@@ -0,0 +1,92 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  _policy_rules_path = try(pathexpand(var.factories_config.policy_rules), null)
+  _policy_rules = {
+    for f in try(fileset(local._policy_rules_path, "**/*.yaml"), []) :
+    trimsuffix(f, ".yaml") => yamldecode(file(
+      "${local._policy_rules_path}/${f}"
+    ))
+  }
+  policy_rules_args = {
+    for k, v in local.policy_rules : k => {
+      application = [
+        for vv in v.matcher_args.application :
+        zipmap(["context", "value"], split(":", vv))
+      ]
+      session = [
+        for vv in v.matcher_args.session :
+        zipmap(["context", "value"], split(":", vv))
+      ]
+    }
+  }
+  policy_rules_contexts = {
+    secure_tag      = var.policy_rules_contexts.secure_tags
+    service_account = var.policy_rules_contexts.service_accounts
+    url_list = merge(var.policy_rules_contexts.url_lists, {
+      for k, v in google_network_security_url_lists.default : k => v.id
+    })
+  }
+  policy_rules = merge(var.policy_rules, {
+    for k, v in local._policy_rules : k => {
+      priority            = v.priority
+      allow               = lookup(v, "allow", true)
+      description         = lookup(v, "description", null)
+      enabled             = lookup(v, "enable", true)
+      application_matcher = lookup(v, "application_matcher", null)
+      session_matcher     = lookup(v, "session_matcher", null)
+      tls_inspect         = lookup(v, "tls_inspect", null)
+      matcher_args = {
+        application = try(v.matcher_args.application, [])
+        session     = try(v.matcher_args.session, [])
+      }
+    }
+  })
+}
+
+resource "google_network_security_gateway_security_policy_rule" "default" {
+  for_each               = local.policy_rules
+  project                = var.project_id
+  location               = var.region
+  description            = coalesce(each.value.description, var.description)
+  enabled                = each.value.enabled
+  name                   = each.key
+  priority               = each.value.priority
+  tls_inspection_enabled = each.value.tls_inspect
+  gateway_security_policy = (
+    google_network_security_gateway_security_policy.default.name
+  )
+  application_matcher = each.value.application_matcher == null ? null : format(
+    each.value.application_matcher, [
+      for v in local.policy_rules_args[each.key].application :
+      lookup(local.policy_rules_contexts[v.context], v.value, v.value)
+    ]...
+  )
+  session_matcher = each.value.session_matcher == null ? null : format(
+    each.value.session_matcher, [
+      for v in local.policy_rules_args[each.key].session :
+      lookup(local.policy_rules_contexts[v.context], v.value, v.value)
+    ]...
+  )
+  basic_profile = (
+    each.value.allow == true
+    ? "ALLOW"
+    : (
+      each.value.allow == false ? "DENY" : "BASIC_PROFILE_UNSPECIFIED"
+    )
+  )
+}
diff --git a/modules/net-swp/schemas/policy-rule.schema.json b/modules/net-swp/schemas/policy-rule.schema.json
@@ -0,0 +1,52 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Policy rule",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "priority"
+  ],
+  "properties": {
+    "priority": {
+      "type": "integer"
+    },
+    "allow": {
+      "type": "boolean",
+      "default": true
+    },
+    "description": {
+      "type": "string"
+    },
+    "enabled": {
+      "type": "boolean",
+      "default": true
+    },
+    "application_matcher": {
+      "type": "string"
+    },
+    "session_matcher": {
+      "type": "string"
+    },
+    "tls_inspect": {
+      "type": "boolean"
+    },
+    "matcher_args": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "application": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "session": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/modules/net-swp/schemas/url-list.schema.json b/modules/net-swp/schemas/url-list.schema.json
@@ -0,0 +1,17 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "URL list",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "description": {
+      "type": "string"
+    },
+    "values": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    }
+  }
+}