Skip to content

Latest commit

 

History

History
193 lines (171 loc) · 8.98 KB

File metadata and controls

193 lines (171 loc) · 8.98 KB

Google Cloud Secure Web Proxy

This module allows creation and management of Secure Web Proxy alongside with its security policies:

  • Secure tag based rules via the policy_rules.secure_tags variable
  • Url list rules via the policy_rules.url_lists variable
  • Custom rules via the policy_rules.custom

Examples

Minimal Secure Web Proxy

(Note that this will not allow any request to pass.)

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  labels = {
    example = "value"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml

Secure Web Proxy with rules

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [80, 443]
  policy_rules = {
    secure_tags = {
      secure-tag-1 = {
        tag      = "tagValues/281484836404786"
        priority = 1000
      }
      secure-tag-2 = {
        tag             = "tagValues/281484836404786"
        session_matcher = "host() != 'google.com'"
        priority        = 1001
      }
    }
    url_lists = {
      url-list-1 = {
        url_list = "my-url-list"
        values   = ["www.google.com", "google.com"]
        priority = 1002
      }
      url-list-2 = {
        url_list        = "projects/my-project/locations/europe-west4/urlLists/my-url-list"
        session_matcher = "source.matchServiceAccount('[email protected]')"
        enabled         = false
        priority        = 1003
      }
    }
    custom = {
      custom-rule-1 = {
        priority        = 1004
        session_matcher = "host() == 'google.com'"
        action          = "DENY"
      }
    }
  }
}
# tftest modules=1 resources=8 inventory=rules.yaml

Secure Web Proxy with TLS inspection

resource "google_privateca_ca_pool" "pool" {
  name     = "secure-web-proxy-capool"
  location = "europe-west4"
  project  = "my-project"

  tier = "DEVOPS"
}

resource "google_privateca_certificate_authority" "ca" {
  pool                     = google_privateca_ca_pool.pool.name
  certificate_authority_id = "secure-web-proxy-ca"
  location                 = "europe-west4"
  project                  = "my-project"

  deletion_protection = "false"

  config {
    subject_config {
      subject {
        organization = "Cloud Foundation Fabric"
        common_name  = "fabric"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "1209600s"
  key_spec {
    algorithm = "EC_P256_SHA256"
  }
}

resource "google_privateca_ca_pool_iam_member" "member" {
  ca_pool = google_privateca_ca_pool.pool.id
  role    = "roles/privateca.certificateManager"
  member  = "serviceAccount:[email protected]"
}

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [443]
  policy_rules = {
    custom = {
      custom-rule-1 = {
        priority               = 1000
        session_matcher        = "host() == 'google.com'"
        application_matcher    = "request.path.contains('generate_204')"
        action                 = "ALLOW"
        tls_inspection_enabled = true
      }
    }
  }
  tls_inspection_config = {
    ca_pool = google_privateca_ca_pool.pool.id
  }
}
# tftest modules=1 resources=7 inventory=tls.yaml

Variables

name description type required default
addresses One or more IP addresses to be used for Secure Web Proxy. list(string)
certificates List of certificates to be used for Secure Web Proxy. list(string)
name Name of the Secure Web Proxy resource. string
network Name of the network the Secure Web Proxy is deployed into. string
project_id Project id of the project that holds the network. string
region Region where resources will be created. string
subnetwork Name of the subnetwork the Secure Web Proxy is deployed into. string
delete_swg_autogen_router_on_destroy Delete automatically provisioned Cloud Router on destroy. bool true
description Optional description for the created resources. string "Managed by Terraform."
labels Resource labels. map(string) {}
policy_rules List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. object({…}) {}
ports Ports to use for Secure Web Proxy. list(number) [443]
scope Scope determines how configuration across multiple Gateway instances are merged. string null
tls_inspection_config TLS inspection configuration. object({…}) null

Outputs

name description sensitive
gateway The gateway resource.
gateway_security_policy The gateway security policy resource.
id ID of the gateway resource.