diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 6d30f03925..b3848ee001 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -7,6 +7,7 @@ Simple Cloud NAT management, with optional router creation.
- [Subnetwork configuration](#subnetwork-configuration)
- [Reserved IPs and custom rules](#reserved-ips-and-custom-rules)
- [Hybrid NAT](#hybrid-nat)
+- [NAT for Proxy net or Secure Web Proxy](#nat-for-proxy-net-or-secure-web-proxy)
- [Variables](#variables)
- [Outputs](#outputs)
@@ -156,25 +157,41 @@ module "vpc1-nat" {
}
# tftest modules=2 resources=7 inventory=hybrid.yaml
```
+
+## NAT for Proxy net or Secure Web Proxy
+By default NAT is provided only for VMs (`ENDPOINT_TYPE_VM`). You can also define endpoint type for managed proxy (`ENDPOINT_TYPE_MANAGED_PROXY_LB`) or Secure Web Proxy (`ENDPOINT_TYPE_SWG`). Currently only one `endpoint_type` can be provided per NAT instance.
+
+```hcl
+module "nat" {
+ source = "./fabric/modules/net-cloudnat"
+ project_id = var.project_id
+ region = var.region
+ name = "default"
+ endpoint_types = ["ENDPOINT_TYPE_MANAGED_PROXY_LB"]
+ router_network = var.vpc.self_link
+}
+# tftest modules=1 resources=2 inventory=proxy-net-nat.yaml e2e
+```
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L77) | Name of the Cloud NAT resource. | string
| ✓ | |
-| [project_id](variables.tf#L82) | Project where resources will be created. | string
| ✓ | |
-| [region](variables.tf#L87) | Region where resources will be created. | string
| ✓ | |
+| [name](variables.tf#L92) | Name of the Cloud NAT resource. | string
| ✓ | |
+| [project_id](variables.tf#L97) | Project where resources will be created. | string
| ✓ | |
+| [region](variables.tf#L102) | Region where resources will be created. | string
| ✓ | |
| [addresses](variables.tf#L17) | Optional list of external address self links. | list(string)
| | []
|
| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | object({…})
| | {}
|
| [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | object({…})
| | {}
|
-| [config_timeouts](variables.tf#L58) | Timeout configurations. | object({…})
| | {}
|
-| [logging_filter](variables.tf#L71) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string
| | null
|
-| [router_asn](variables.tf#L92) | Router ASN used for auto-created router. | number
| | null
|
-| [router_create](variables.tf#L98) | Create router. | bool
| | true
|
-| [router_name](variables.tf#L104) | Router name, leave blank if router will be created to use auto generated name. | string
| | null
|
-| [router_network](variables.tf#L110) | Name of the VPC used for auto-created router. | string
| | null
|
-| [rules](variables.tf#L116) | List of rules associated with this NAT. | list(object({…}))
| | []
|
-| [type](variables.tf#L136) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | string
| | "PUBLIC"
|
+| [config_timeouts](variables.tf#L54) | Timeout configurations. | object({…})
| | {}
|
+| [endpoint_types](variables.tf#L67) | Specifies the endpoint Types supported by the NAT Gateway. Supported values include: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG, ENDPOINT_TYPE_MANAGED_PROXY_LB. | list(string)
| | null
|
+| [logging_filter](variables.tf#L86) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string
| | null
|
+| [router_asn](variables.tf#L107) | Router ASN used for auto-created router. | number
| | null
|
+| [router_create](variables.tf#L113) | Create router. | bool
| | true
|
+| [router_name](variables.tf#L119) | Router name, leave blank if router will be created to use auto generated name. | string
| | null
|
+| [router_network](variables.tf#L125) | Name of the VPC used for auto-created router. | string
| | null
|
+| [rules](variables.tf#L131) | List of rules associated with this NAT. | list(object({…}))
| | []
|
+| [type](variables.tf#L151) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | string
| | "PUBLIC"
|
## Outputs
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index bf5b7bc785..b5fc4a6cea 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -47,13 +47,14 @@ resource "google_compute_router" "router" {
}
resource "google_compute_router_nat" "nat" {
- provider = google-beta
- project = var.project_id
- region = var.region
- name = var.name
- type = var.type
- router = local.router_name
- nat_ips = var.addresses
+ provider = google-beta
+ project = var.project_id
+ region = var.region
+ name = var.name
+ endpoint_types = var.endpoint_types
+ type = var.type
+ router = local.router_name
+ nat_ips = var.addresses
nat_ip_allocate_option = (
var.type == "PRIVATE"
? null
@@ -128,4 +129,3 @@ resource "google_compute_router_nat" "nat" {
}
}
}
-
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index d8ca6413c2..b7f5216410 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -51,10 +51,6 @@ variable "config_source_subnetworks" {
default = {}
}
-output "foo" {
- value = var.config_source_subnetworks.subnetworks
-}
-
variable "config_timeouts" {
description = "Timeout configurations."
type = object({
@@ -68,6 +64,25 @@ variable "config_timeouts" {
nullable = false
}
+variable "endpoint_types" {
+ description = "Specifies the endpoint Types supported by the NAT Gateway. Supported values include: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG, ENDPOINT_TYPE_MANAGED_PROXY_LB."
+ type = list(string)
+ default = null
+ validation {
+ condition = (var.endpoint_types == null ? true : setunion([
+ "ENDPOINT_TYPE_VM",
+ "ENDPOINT_TYPE_SWG",
+ "ENDPOINT_TYPE_MANAGED_PROXY_LB",
+ ], var.endpoint_types) == toset([
+ "ENDPOINT_TYPE_VM",
+ "ENDPOINT_TYPE_SWG",
+ "ENDPOINT_TYPE_MANAGED_PROXY_LB",
+ ])
+ )
+ error_message = "Proivde one of: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG or ENDPOINT_TYPE_MANAGED_PROXY_LB as endpoint_types"
+ }
+}
+
variable "logging_filter" {
description = "Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'."
type = string
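Review bot: The validation accepts any subset of the three values, including several at once and an empty list, while the README section added in this commit states that only one `endpoint_type` can be provided per NAT instance; if that is the intended contract, prepend `length(var.endpoint_types) == 1 &&` to the `setunion(...) == toset(...)` comparison so the mismatch is rejected at plan time rather than by the API. The error_message also carries a typo: `Proivde` → `Provide`. The `setunion(...) == toset(...)` form is correct but only reads as a subset check after some thought; `alltrue([for t in var.endpoint_types : contains([...], t)])` states the same condition directly and avoids repeating the allowed-values list twice.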
diff --git a/tests/modules/net_cloudnat/examples/proxy-net-nat.yaml b/tests/modules/net_cloudnat/examples/proxy-net-nat.yaml
new file mode 100644
index 0000000000..ff3148c00b
--- /dev/null
+++ b/tests/modules/net_cloudnat/examples/proxy-net-nat.yaml
@@ -0,0 +1,31 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+values:
+ module.nat.google_compute_router.router[0]:
+ name: default-nat
+ network: projects/xxx/global/networks/aaa
+ project: project-id
+ region: europe-west8
+ module.nat.google_compute_router_nat.nat:
+ endpoint_types:
+ - ENDPOINT_TYPE_MANAGED_PROXY_LB
+ icmp_idle_timeout_sec: 30
+ name: default
+ project: project-id
+ region: europe-west8
+ router: default-nat
+ source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES
+ type: PUBLIC
diff --git a/tools/pre-commit-tfdoc.sh b/tools/pre-commit-tfdoc.sh
index 0743f8f56f..b2c5b67645 100755
--- a/tools/pre-commit-tfdoc.sh
+++ b/tools/pre-commit-tfdoc.sh
@@ -17,6 +17,8 @@
set -e
SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$0")")
+TFDOC_CMD="${SCRIPT_DIR}/tfdoc.py"
+CHECKDOC_CMD="${SCRIPT_DIR}/check_documentation.py"
for file in "$@"; do
if [ -d "${file}" ]; then
@@ -28,4 +30,4 @@ for file in "$@"; do
echo "${dir}"
fi
-done | sort | uniq | xargs -I {} /bin/sh -c "echo python \"${SCRIPT_DIR}/tfdoc.py\" {} ; python \"${SCRIPT_DIR}/tfdoc.py\" {}"
+done | sort | uniq | xargs -I {} /bin/sh -c "echo python \"${TFDOC_CMD}\" {} ; python \"${TFDOC_CMD}\" {} ; echo python \"${CHECKDOC_CMD}\" {} ; python \"${CHECKDOC_CMD}\" {}"
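Review bot: Joining the two invocations with `;` inside the `sh -c` string masks a non-zero exit from `tfdoc.py` whenever `check_documentation.py` subsequently succeeds, because only the last command's status reaches `xargs`, and the `set -e` on line 18 does not apply inside the child shell. The directory name is also spliced unquoted into the command string through `{}`, so a path containing whitespace or shell metacharacters is word-split or interpreted rather than passed as one argument. Replacing the `xargs`/`sh -c` stage with a `while read -r dir` loop keeps each path as a single quoted argument, and since the loop is the last stage of the pipeline its failure status should propagate to the script's `set -e`. The `for` body this `done` closes begins in the previous hunk.
```shell
done | sort | uniq | while read -r dir; do
  echo python "${TFDOC_CMD}" "${dir}"
  python "${TFDOC_CMD}" "${dir}"
  echo python "${CHECKDOC_CMD}" "${dir}"
  python "${CHECKDOC_CMD}" "${dir}"
done
```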