Skip to content

Latest commit

 

History

History
 
 

net-swp

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

Google Cloud Secure Web Proxy

This module allows creation and management of Secure Web Proxy alongside with its security policies:

  • Secure tag based rules via the policy_rules.secure_tags variable
  • Url list rules via the policy_rules.url_lists variable
  • Custom rules via the policy_rules.custom

It also allows to deploy SWP as a Private Service Connect service. This means that a single SWP deployment can be used from across different VPCs, regardless of whether they are interconnected.

A Proxy-only subnet must exist in the VPC where SWP is deployed.

When deploying SWP, the required ad-hoc Cloud Router is also created.

Examples

Minimal Secure Web Proxy

(Note that this will not allow any request to pass.)

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  labels = {
    example = "value"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml

PSC service attachments

The optional service_attachment variable allows deploying SWP as a Private Service Connect service attachment

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  labels = {
    example = "value"
  }
  service_attachment = {
    nat_subnets = ["projects/my-project/regions/europe-west4/subnetworks/my-psc-subnetwork"]
    consumer_accept_lists = {
      "my-autoaccept-project-1" = 1,
      "my-autoaccept-project-2" = 1
    }
  }
}
# tftest modules=1 resources=3 inventory=psc.yaml

Secure Web Proxy with rules

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [80, 443]
  policy_rules = {
    secure_tags = {
      secure-tag-1 = {
        tag      = "tagValues/281484836404786"
        priority = 1000
      }
      secure-tag-2 = {
        tag             = "tagValues/281484836404786"
        session_matcher = "host() != 'google.com'"
        priority        = 1001
      }
    }
    url_lists = {
      url-list-1 = {
        url_list = "my-url-list"
        values   = ["www.google.com", "google.com"]
        priority = 1002
      }
      url-list-2 = {
        url_list        = "projects/my-project/locations/europe-west4/urlLists/my-url-list"
        session_matcher = "source.matchServiceAccount('[email protected]')"
        enabled         = false
        priority        = 1003
      }
    }
    custom = {
      custom-rule-1 = {
        priority        = 1004
        session_matcher = "host() == 'google.com'"
        action          = "DENY"
      }
    }
  }
}
# tftest modules=1 resources=8 inventory=rules.yaml

Secure Web Proxy with TLS inspection

You can activate TLS inspection and let the module handle the TLS inspection policy creation.

resource "google_privateca_ca_pool" "pool" {
  name     = "secure-web-proxy-capool"
  location = "europe-west4"
  project  = "my-project"

  tier = "DEVOPS"
}

resource "google_privateca_certificate_authority" "ca" {
  pool                     = google_privateca_ca_pool.pool.name
  certificate_authority_id = "secure-web-proxy-ca"
  location                 = "europe-west4"
  project                  = "my-project"

  deletion_protection = "false"

  config {
    subject_config {
      subject {
        organization = "Cloud Foundation Fabric"
        common_name  = "fabric"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "1209600s"
  key_spec {
    algorithm = "EC_P256_SHA256"
  }
}

resource "google_privateca_ca_pool_iam_member" "member" {
  ca_pool = google_privateca_ca_pool.pool.id
  role    = "roles/privateca.certificateManager"
  member  = "serviceAccount:[email protected]"
}

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [443]
  policy_rules = {
    custom = {
      custom-rule-1 = {
        priority               = 1000
        session_matcher        = "host() == 'google.com'"
        application_matcher    = "request.path.contains('generate_204')"
        action                 = "ALLOW"
        tls_inspection_enabled = true
      }
    }
  }
  tls_inspection_config = {
    create_config = {
      ca_pool = google_privateca_ca_pool.pool.id
    }
  }
}
# tftest modules=1 resources=7 inventory=tls.yaml

You can also refer to existing TLS inspection policies (even cross-project).

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [443]
  policy_rules = {
    custom = {
      custom-rule-1 = {
        priority               = 1000
        session_matcher        = "host() == 'google.com'"
        application_matcher    = "request.path.contains('generate_204')"
        action                 = "ALLOW"
        tls_inspection_enabled = true
      }
    }
  }
  tls_inspection_config = {
    id = "projects/another-project/locations/europe-west1/tlsInspectionPolicies/tls-ip-0"
  }
}
# tftest modules=1 resources=3 inventory=tls-no-ip.yaml

Variables

name description type required default
certificates List of certificates to be used for Secure Web Proxy. list(string)
name Name of the Secure Web Proxy resource. string
network Name of the network the Secure Web Proxy is deployed into. string
project_id Project id of the project that holds the network. string
region Region where resources will be created. string
subnetwork Name of the subnetwork the Secure Web Proxy is deployed into. string
addresses Optional IP addresses to be used for Secure Web Proxy. list(string) null
delete_swg_autogen_router_on_destroy Delete automatically provisioned Cloud Router on destroy. bool true
description Optional description for the created resources. string "Managed by Terraform."
labels Resource labels. map(string) {}
policy_rules List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. object({…}) {}
ports Ports to use for Secure Web Proxy. list(number) [443]
scope Scope determines how configuration across multiple Gateway instances are merged. string null
service_attachment PSC service attachment configuration. object({…}) null
tls_inspection_config TLS inspection configuration. object({…}) {}

Outputs

name description sensitive
gateway The gateway resource.
gateway_security_policy The gateway security policy resource.
id ID of the gateway resource.
service_attachment ID of the service attachment resource, if created.