optional description in modules/net-vpc-swp #1513

Merged
merged 6 commits into from
Aug 1, 2023
22 changes: 12 additions & 10 deletions modules/net-vpc-swp/README.md
Expand Up @@ -171,17 +171,19 @@ module "secure-web-proxy" {
|---|---|:---:|:---:|:---:|
| [addresses](variables.tf#L19) | One or more IP addresses to be used for Secure Web Proxy. | <code></code> | ✓ | |
| [certificates](variables.tf#L27) | List of certificates to be used for Secure Web Proxy. | <code>list&#40;string&#41;</code> | ✓ | |
| [name](variables.tf#L44) | Name of the Secure Web Proxy resource. | <code>string</code> | ✓ | |
| [network](variables.tf#L49) | Name of the network the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L110) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
| [region](variables.tf#L115) | Region where resources will be created. | <code>string</code> | ✓ | |
| [subnetwork](variables.tf#L126) | Name of the subnetwork the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [name](variables.tf#L56) | Name of the Secure Web Proxy resource. | <code>string</code> | ✓ | |
| [network](variables.tf#L61) | Name of the network the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L125) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
| [region](variables.tf#L130) | Region where resources will be created. | <code>string</code> | ✓ | |
| [subnetwork](variables.tf#L141) | Name of the subnetwork the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [delete_swg_autogen_router_on_destroy](variables.tf#L32) | Delete automatically provisioned Cloud Router on destroy. | <code>bool</code> | | <code>true</code> |
| [labels](variables.tf#L38) | Resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [policy_rules](variables.tf#L54) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | <code title="object&#40;&#123;&#10; secure_tags &#61; optional&#40;map&#40;object&#40;&#123;&#10; tag &#61; string&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; url_lists &#61; optional&#40;map&#40;object&#40;&#123;&#10; url_list &#61; string&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; custom &#61; optional&#40;map&#40;object&#40;&#123;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ports](variables.tf#L104) | Ports to use for Secure Web Proxy. | <code>list&#40;number&#41;</code> | | <code>&#91;443&#93;</code> |
| [scope](variables.tf#L120) | Scope determines how configuration across multiple Gateway instances are merged. | <code>string</code> | | <code>null</code> |
| [tls_inspection_config](variables.tf#L131) | TLS inspection configuration. | <code title="object&#40;&#123;&#10; ca_pool &#61; string&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [description](variables.tf#L38) | Optional description for the SWG. | <code>string</code> | | <code>&#34;Managed by Terraform.&#34;</code> |
| [gateway_security_policy_description](variables.tf#L44) | Optional description for the gateway security policy. | <code>string</code> | | <code>&#34;Managed by Terraform.&#34;</code> |
| [labels](variables.tf#L50) | Resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [policy_rules](variables.tf#L66) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | <code title="object&#40;&#123;&#10; secure_tags &#61; optional&#40;map&#40;object&#40;&#123;&#10; tag &#61; string&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string, &#34;Managed by Terraform.&#34;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; url_lists &#61; optional&#40;map&#40;object&#40;&#123;&#10; url_list &#61; string&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string, &#34;Managed by Terraform.&#34;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; custom &#61; optional&#40;map&#40;object&#40;&#123;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string, &#34;Managed by Terraform.&#34;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ports](variables.tf#L119) | Ports to use for Secure Web Proxy. | <code>list&#40;number&#41;</code> | | <code>&#91;443&#93;</code> |
| [scope](variables.tf#L135) | Scope determines how configuration across multiple Gateway instances are merged. | <code>string</code> | | <code>null</code> |
| [tls_inspection_config](variables.tf#L146) | TLS inspection configuration. | <code title="object&#40;&#123;&#10; ca_pool &#61; optional&#40;string, null&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string, &#34;Managed by Terraform.&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |

## Outputs

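Review bot: The new `description` row (the line beginning `| [description](variables.tf#L38) | Optional description for the SWG.`) is the only row in this table that says "SWG"; every other row says "Secure Web Proxy", and with `gateway_security_policy_description` and `tls_inspection_config.description` also present it is not obvious which resource this one labels. Suggest "Optional description for the Secure Web Proxy gateway." (the row mirrors the variable description in variables.tf, so the wording change belongs there). The same hunk also records `ca_pool` moving from `string` to `optional(string, null)` in the `tls_inspection_config` row, a behaviour change that the PR title ("optional description") does not mention and that is worth calling out in the PR description.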
9 changes: 7 additions & 2 deletions modules/net-vpc-swp/main.tf
Expand Up @@ -23,7 +23,7 @@ resource "google_network_security_gateway_security_policy" "policy" {
project = var.project_id
name = var.name
location = var.region
description = "Managed by Terraform."
description = var.gateway_security_policy_description
tls_inspection_policy = var.tls_inspection_config != null ? google_network_security_tls_inspection_policy.tls-policy.0.id : null
}

Expand All @@ -33,6 +33,7 @@ resource "google_network_security_tls_inspection_policy" "tls-policy" {
project = var.project_id
name = var.name
location = var.region
description = var.tls_inspection_config.description
ca_pool = var.tls_inspection_config.ca_pool
exclude_public_ca_set = var.tls_inspection_config.exclude_public_ca_set
}
Expand All @@ -43,6 +44,7 @@ resource "google_network_security_gateway_security_policy_rule" "secure_tag_rule
project = var.project_id
name = each.key
location = var.region
description = each.value.description
gateway_security_policy = google_network_security_gateway_security_policy.policy.name
enabled = each.value.enabled
priority = each.value.priority
Expand All @@ -61,7 +63,7 @@ resource "google_network_security_url_lists" "url_lists" {
project = var.project_id
name = each.key
location = var.region
description = "Managed by Terraform."
description = each.value.description
values = each.value.values
}

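Review bot: `description = each.value.description` here and the identical line in the `url_list_rules` resource in the next hunk both read from the same `policy_rules.url_lists` entry, so one `description` field now labels two distinct resources: the `google_network_security_url_lists` object and the policy rule that references it. That matches how `values` and the rule fields already share one entry, but it should be stated in the `policy_rules` variable description, since a caller cannot give the list and its rule different descriptions.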
Expand All @@ -71,6 +73,7 @@ resource "google_network_security_gateway_security_policy_rule" "url_list_rules"
project = var.project_id
name = each.key
location = var.region
description = each.value.description
gateway_security_policy = google_network_security_gateway_security_policy.policy.name
enabled = each.value.enabled
priority = each.value.priority
Expand All @@ -93,6 +96,7 @@ resource "google_network_security_gateway_security_policy_rule" "custom_rules" {
provider = google-beta
name = each.key
location = var.region
description = each.value.description
gateway_security_policy = google_network_security_gateway_security_policy.policy.name
enabled = each.value.enabled
priority = each.value.priority
Expand All @@ -107,6 +111,7 @@ resource "google_network_services_gateway" "gateway" {
project = var.project_id
name = var.name
location = var.region
description = var.description
labels = var.labels
addresses = var.addresses != null ? var.addresses : []
type = "SECURE_WEB_GATEWAY"
18 changes: 17 additions & 1 deletion modules/net-vpc-swp/variables.tf
Expand Up @@ -35,6 +35,18 @@ variable "delete_swg_autogen_router_on_destroy" {
default = true
}

variable "description" {
description = "Optional description for the SWG."
type = string
default = "Managed by Terraform."
}

variable "gateway_security_policy_description" {
description = "Optional description for the gateway security policy."
type = string
default = "Managed by Terraform."
}

variable "labels" {
description = "Resource labels."
type = map(string)
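Review bot: `variable "description"` is named generically while its sibling is `gateway_security_policy_description` and the rule and TLS policy descriptions live inside their own objects; the text "Optional description for the SWG." should say which resource it applies to, which per main.tf (`description = var.description` on the `gateway` resource) is the `google_network_services_gateway`, e.g. "Optional description for the Secure Web Proxy gateway resource." Since the variable is new in this PR, renaming it (for example `gateway_description`) costs nothing now and would be a breaking change later.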
Expand Down Expand Up @@ -62,6 +74,7 @@ variable "policy_rules" {
action = optional(string, "ALLOW")
enabled = optional(bool, true)
tls_inspection_enabled = optional(bool, false)
description = optional(string, "Managed by Terraform.")
})), {})

url_lists = optional(map(object({
Expand All @@ -73,6 +86,7 @@ variable "policy_rules" {
action = optional(string, "ALLOW")
enabled = optional(bool, true)
tls_inspection_enabled = optional(bool, false)
description = optional(string, "Managed by Terraform.")
})), {})

custom = optional(map(object({
Expand All @@ -82,6 +96,7 @@ variable "policy_rules" {
action = optional(string, "ALLOW")
enabled = optional(bool, true)
tls_inspection_enabled = optional(bool, false)
description = optional(string, "Managed by Terraform.")
})), {})
})
validation {
Expand Down Expand Up @@ -131,8 +146,9 @@ variable "subnetwork" {
variable "tls_inspection_config" {
description = "TLS inspection configuration."
type = object({
ca_pool = string
ca_pool = optional(string, null)
exclude_public_ca_set = optional(bool, false)
description = optional(string, "Managed by Terraform.")
})
default = null
}
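Review bot: `ca_pool = optional(string, null)` relaxes a required field, is unrelated to the description change, and has no validation behind it: main.tf still passes it straight through as `ca_pool = var.tls_inspection_config.ca_pool`, so `tls_inspection_config = {}` is now accepted by the module and rejected only by the provider schema with a generic "Missing required argument" error instead of a module-level message naming `tls_inspection_config.ca_pool`. Either keep `ca_pool = string` or add a `validation` block with `condition = var.tls_inspection_config == null ? true : var.tls_inspection_config.ca_pool != null` (the conditional form is used so the attribute is not read when the object is null).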
1 change: 1 addition & 0 deletions tests/modules/net_vpc_swp/examples/basic.yaml
Expand Up @@ -32,6 +32,7 @@ values:
delete_swg_autogen_router_on_destroy: true
labels:
example: "value"
description: "Managed by Terraform."

counts:
google_network_security_gateway_security_policy: 1
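Review bot: Every expectation added in these fixtures asserts `description: "Managed by Terraform."`, which is both the new variable default and the literal that was hardcoded before this PR, so the tests would still pass if a `description = ...` line were left unwired in main.tf. Suggest one fixture (or one extra entry here) that sets a non-default `description` on the module call and asserts that value on `google_network_services_gateway.gateway`, and likewise for one `policy_rules` entry and for `gateway_security_policy_description`.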
7 changes: 7 additions & 0 deletions tests/modules/net_vpc_swp/examples/rules.yaml
Expand Up @@ -30,6 +30,7 @@ values:
network: "projects/my-project/global/networks/my-network"
subnetwork: "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
delete_swg_autogen_router_on_destroy: true
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.secure_tag_rules["secure-tag-1"]:
project: "my-project"
name: "secure-tag-1"
Expand All @@ -40,6 +41,7 @@ values:
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.secure_tag_rules["secure-tag-2"]:
project: "my-project"
name: "secure-tag-2"
Expand All @@ -50,6 +52,7 @@ values:
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.url_list_rules["url-list-1"]:
project: "my-project"
name: "url-list-1"
Expand All @@ -59,6 +62,7 @@ values:
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.url_list_rules["url-list-2"]:
project: "my-project"
name: "url-list-2"
Expand All @@ -69,6 +73,7 @@ values:
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
project: "my-project"
name: "custom-rule-1"
Expand All @@ -79,13 +84,15 @@ values:
application_matcher: null
tls_inspection_enabled: false
basic_profile: "DENY"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_url_lists.url_lists["my-url-list"]:
project: "my-project"
name: "my-url-list"
location: "europe-west4"
values:
- "www.google.com"
- "google.com"
description: "Managed by Terraform."

counts:
google_network_security_gateway_security_policy: 1
4 changes: 4 additions & 0 deletions tests/modules/net_vpc_swp/examples/tls.yaml
Expand Up @@ -18,11 +18,13 @@ values:
name: "secure-web-proxy"
project: "my-project"
location: "europe-west4"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_tls_inspection_policy.tls-policy[0]:
project: "my-project"
name: "secure-web-proxy"
location: "europe-west4"
exclude_public_ca_set: false
description: "Managed by Terraform."
module.secure-web-proxy.google_network_services_gateway.gateway:
project: "my-project"
name: "secure-web-proxy"
Expand All @@ -35,6 +37,7 @@ values:
network: "projects/my-project/global/networks/my-network"
subnetwork: "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
delete_swg_autogen_router_on_destroy: true
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
project: "my-project"
name: "custom-rule-1"
Expand All @@ -45,6 +48,7 @@ values:
application_matcher: "request.path.contains('generate_204')"
tls_inspection_enabled: true
basic_profile: "ALLOW"
description: "Managed by Terraform."
google_privateca_ca_pool.pool:
name: "secure-web-proxy-capool"
location: "europe-west4"