First changes for new design
Luca Prete committed Aug 21, 2024
1 parent 34c34b4 commit ff90bd9
Showing 3 changed files with 56 additions and 80 deletions.
40 changes: 10 additions & 30 deletions fast/stages/2-security/core-dev.tf
Expand Up @@ -15,38 +15,18 @@
*/

locals {
_ngfw_cas_config_dev = {
dev-ca-0 = {
ca_configs = {
dev-root-ngfw-ca-0 = {
deletion_protection = false #delete
subject = {
common_name = try(var.ngfw_tls_configs.dev.cas_config.common_name, null)
organization = try(var.ngfw_tls_configs.dev.cas_config.organization, null)
}
}
}
ca_pool_config = {
authz_nsec_sa = true
name = "dev-ngfw-ca-pool-3" #fix
}
iam = {}
iam_bindings = {}
iam_bindings_additive = {
nsec_dev_sa_binding = {
member = module.dev-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
iam_by_principals = {}
location = var.ngfw_tls_configs.dev.location
_ngfw_dev_cas_iam_bindings_additive = {
nsec_dev_sa_binding = {
member = module.dev-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
_ngfw_trust_config_dev = {
dev-trust-0 = merge(
{ location = var.ngfw_tls_configs.dev.location },
var.ngfw_tls_configs.dev.trust_config
)
_ngfw_cas_config_dev = {
for k, v in var.ngfw_tls_configs.dev.cas_configs
: k => merge(
v,
_ngfw_dev_cas_iam_bindings_additive
) if
}
cas_config_dev = merge(
var.cas_configs.dev,
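Review bot: The new `_ngfw_cas_config_dev` comprehension (from `for k, v in var.ngfw_tls_configs.dev.cas_configs` through `) if`) cannot be evaluated as committed: the `if` has no condition, and the sibling local is referenced as `_ngfw_dev_cas_iam_bindings_additive` instead of `local._ngfw_dev_cas_iam_bindings_additive`. Given the new `variables.tf` shape in this same commit, `cas_configs` is a `map(string)`, so `v` would be a string and `merge(v, …)` would be rejected, and even with an object `v` the merge would place `nsec_dev_sa_binding` at the top level rather than under `iam_bindings_additive`, which is where the `roles/privateca.certificateManager` grant to the network security service agent was wired before — worth confirming the intended shape. A form that at least parses is `: k => merge(v, { iam_bindings_additive = local._ngfw_dev_cas_iam_bindings_additive })` with the dangling `if` dropped or completed, and since `cas_configs` has no `{}` default, iterating `try(var.ngfw_tls_configs.dev.cas_configs, {})` avoids a plan-time error when the map is unset. The removed `deletion_protection = false #delete` on the dev root CA should be re-expressed explicitly in the new design so the CA's deletion behaviour stays a deliberate choice rather than a provider default. The enclosing `locals` block continues past the end of the hunk.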
38 changes: 19 additions & 19 deletions fast/stages/2-security/outputs.tf
Expand Up @@ -24,14 +24,14 @@ locals {
}
]
]),
flatten([
for location, mod in module.prod-sec-kms : [
for name, id in mod.key_ids : {
key = "prod-${name}:${location}"
id = id
}
]
])
# flatten([
# for location, mod in module.prod-sec-kms : [
# for name, id in mod.key_ids : {
# key = "prod-${name}:${location}"
# id = id
# }
# ]
# ])
)
cas_ids = {
dev = {
Expand All @@ -41,13 +41,13 @@ locals {
ca_ids = v.ca_ids
}
}
prod = {
for k, v in module.prod-sec-cas
: k => {
ca_pool_id = v.ca_pool_id
ca_ids = v.ca_ids
}
}
# prod = {
# for k, v in module.prod-sec-cas
# : k => {
# ca_pool_id = v.ca_pool_id
# ca_ids = v.ca_ids
# }
# }
}
output_kms_keys = { for k in local._output_kms_keys : k.key => k.id }
tfvars = {
Expand All @@ -60,10 +60,10 @@ locals {
for k, v in google_certificate_manager_trust_config.dev_trust_configs
: k => v.id
}
prod = {
for k, v in google_certificate_manager_trust_config.prod_trust_configs
: k => v.id
}
# prod = {
# for k, v in google_certificate_manager_trust_config.prod_trust_configs
# : k => v.id
# }
}
}

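Review bot: Commenting out the prod entries (`# flatten([` over `module.prod-sec-kms` in the first hunk, and likewise `cas_ids.prod` and the prod trust-config ids in the later hunks) drops the `prod-<name>:<location>` keys from `output_kms_keys` and the prod CAS and trust-config ids from the stage tfvars, so any downstream stage still consuming them will fail to plan, and nothing in this commit shows a consumer-side change. If prod is being removed from the new design, delete the dead blocks outright rather than leaving commented code in `outputs.tf`; if it is only temporarily disabled, a marker such as `# TODO(new-design): re-enable prod KMS/CAS/trust-config outputs once the prod-sec-* modules are back` makes the intent auditable. The enclosing `locals` block starts before and ends after these hunks.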
58 changes: 27 additions & 31 deletions fast/stages/2-security/variables.tf
Expand Up @@ -89,43 +89,39 @@ variable "kms_keys" {
}

variable "ngfw_tls_configs" {
description = "The CAS NGFW Enterprise configuration, used for TLS Inspection."
description = "The CAS and trust configurations key names to be used for NGFW Enterprise."
type = object({
dev = optional(object({
cas_config = optional(object({
common_name = optional(string, "dev.example.com")
organization = optional(string, "Example")
}))
location = optional(string, "europe-west1")
trust_config = optional(object({
description = optional(string)
allowlisted_certificates = optional(map(string), {})
trust_stores = optional(map(object({
intermediate_cas = optional(map(string), {})
trust_anchors = optional(map(string), {})
})), {})
}))
}), {})
cas_configs = optional(map(string))
trust_configs = optional(map(string))
}))
prod = optional(object({
cas_config = optional(object({
common_name = optional(string, "prod.example.com")
organization = optional(string, "Example")
}))
location = optional(string, "europe-west1")
trust_config = optional(object({
description = optional(string)
allowlisted_certificates = optional(map(string), {})
trust_stores = optional(map(object({
intermediate_cas = optional(map(string), {})
trust_anchors = optional(map(string), {})
})), {})
}))
}), {})
cas_configs = optional(map(string))
trust_configs = optional(map(string))
}))
})
nullable = false
default = {
dev = {}
prod = {}
dev = {
cas_configs = {
ngfw_dev_cas_primary = "ngfw-dev-cas-primary"
ngfw_dev_cas_secondary = "ngfw-dev-cas-secondary"
}
trust_configs = {
ngfw_dev_tc_primary = "ngfw-dev-tc-primary"
ngfw_dev_tc_secondary = "ngfw-dev-tc-secondary"
}
}
prod = {
cas_configs = {
ngfw_prod_cas_primary = "ngfw-prod-cas-primary"
ngfw_prod_cas_secondary = "ngfw-prod-cas-secondary"
}
trust_configs = {
ngfw_prod_tc_primary = "ngfw-prod-tc-primary"
ngfw_prod_tc_secondary = "ngfw-prod-tc-secondary"
}
}
}
}

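Review bot: Removing the `, {}` defaults from `dev = optional(object({` and `prod = optional(object({`, while `cas_configs`/`trust_configs` are declared `optional(map(string))` with no default, means a caller passing `ngfw_tls_configs = {}` or `dev = {}` gets `null` for those attributes, and `core-dev.tf`'s `for k, v in var.ngfw_tls_configs.dev.cas_configs` then fails at plan; `nullable = false` only protects the top-level value. Declaring `dev = optional(object({ cas_configs = optional(map(string), {}) trust_configs = optional(map(string), {}) }), {})` (and the same for `prod`) keeps the new explicit default while making an empty or partial override safe. The new description should also say what the map keys and values are — presumably the keys are the identifiers used by this stage's CAS and trust-config locals and the values the resource names to create, which should be confirmed — e.g. `Per-environment map of CAS pool and trust config keys to the resource names created for NGFW Enterprise TLS inspection.`. The previous per-environment `common_name`/`organization` and trust-anchor inputs are gone from this variable, so document where those are now expected to be supplied.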
