Add support for URL filtering profiles to FAST NGFW add-on (#3768)
* add support for URL filtering profiles to FAST NGFW add-on * fix YAML linting, add yamllint to pre-commit
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
99e27b988e
commit
0eb171b21e
@@ -198,6 +198,18 @@ security_profiles = {
|
||||
}
|
||||
}
|
||||
}
|
||||
url_filtering_profile = {
|
||||
allow-example = {
|
||||
action = "ALLOW"
|
||||
priority = 100
|
||||
urls = ["example.com"]
|
||||
}
|
||||
deny-all = {
|
||||
action = "DENY"
|
||||
priority = 200
|
||||
# urls defaults to ["*"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
tls_inspection_policies = {
|
||||
@@ -271,8 +283,8 @@ Security profiles group defined here are exported via output variable file, and
|
||||
| [host_project_ids](variables-fast.tf#L48) | Networking stage host project id aliases. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking</code> |
|
||||
| [names](variables.tf#L104) | Configuration for names used for output files. | <code title="object({ output_files_prefix = optional(string, "2-networking-ngfw") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [security_profiles](variables.tf#L140) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | <code title="map(object({ description = optional(string) threat_prevention_profile = optional(object({ severity_overrides = optional(map(object({ action = string severity = string }))) threat_overrides = optional(map(object({ action = string threat_id = string }))) }), {}) }))">map(object({…}))</code> | | <code title="{ ngfw-default = {} }">{…}</code> | |
|
||||
| [tls_inspection_policies](variables.tf#L182) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | <code title="map(object({ ca_pool_id = string location = string exclude_public_ca_set = optional(bool) trust_config = optional(string) tls = optional(object({ custom_features = optional(list(string)) feature_profile = optional(string) min_version = optional(string) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [trust_configs](variables.tf#L224) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | <code title="map(object({ location = string description = optional(string) allowlisted_certificates = optional(map(string)) trust_stores = optional(map(object({ intermediate_cas = optional(map(string)) trust_anchors = optional(map(string)) }))) }))">map(object({…}))</code> | | <code title="{ }">{…}</code> | |
|
||||
| [security_profiles](variables.tf#L140) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | <code title="map(object({ description = optional(string) threat_prevention_profile = optional(object({ severity_overrides = optional(map(object({ action = string severity = string }))) threat_overrides = optional(map(object({ action = string threat_id = string }))) }), {}) url_filtering_profile = optional(map(object({ action = string priority = number urls = optional(list(string), ["*"]) })), {}) }))">map(object({…}))</code> | | <code title="{ ngfw-default = {} }">{…}</code> | |
|
||||
| [tls_inspection_policies](variables.tf#L223) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | <code title="map(object({ ca_pool_id = string location = string exclude_public_ca_set = optional(bool) trust_config = optional(string) tls = optional(object({ custom_features = optional(list(string)) feature_profile = optional(string) min_version = optional(string) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [trust_configs](variables.tf#L265) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | <code title="map(object({ location = string description = optional(string) allowlisted_certificates = optional(map(string)) trust_stores = optional(map(object({ intermediate_cas = optional(map(string)) trust_anchors = optional(map(string)) }))) }))">map(object({…}))</code> | | <code title="{ }">{…}</code> | |
|
||||
| [vpc_self_links](variables-fast.tf#L66) | VPC network self links. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking</code> |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2026 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -25,9 +25,14 @@ locals {
|
||||
)
|
||||
})
|
||||
}
|
||||
url_filtering_profiles = {
|
||||
for k, v in var.security_profiles : k => v.url_filtering_profile
|
||||
if v.url_filtering_profile != {}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_network_security_security_profile" "default" {
|
||||
provider = google-beta
|
||||
for_each = local.security_profiles
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
@@ -56,11 +61,41 @@ resource "google_network_security_security_profile" "default" {
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_network_security_security_profile_group" "default" {
|
||||
for_each = var.security_profiles
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
parent = "organizations/${var.organization.id}"
|
||||
location = "global"
|
||||
threat_prevention_profile = google_network_security_security_profile.default[each.key].id
|
||||
resource "google_network_security_security_profile" "url_filtering" {
|
||||
provider = google-beta
|
||||
for_each = local.url_filtering_profiles
|
||||
name = "url-${each.key}"
|
||||
description = var.security_profiles[each.key].description
|
||||
parent = "organizations/${var.organization.id}"
|
||||
location = "global"
|
||||
type = "URL_FILTERING"
|
||||
dynamic "url_filtering_profile" {
|
||||
for_each = length(each.value) > 0 ? [""] : []
|
||||
content {
|
||||
dynamic "url_filters" {
|
||||
for_each = each.value
|
||||
content {
|
||||
filtering_action = url_filters.value.action
|
||||
priority = url_filters.value.priority
|
||||
urls = url_filters.value.urls
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_network_security_security_profile_group" "default" {
|
||||
provider = google-beta
|
||||
for_each = var.security_profiles
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
parent = "organizations/${var.organization.id}"
|
||||
location = "global"
|
||||
threat_prevention_profile = (
|
||||
google_network_security_security_profile.default[each.key].id
|
||||
)
|
||||
url_filtering_profile = try(
|
||||
google_network_security_security_profile.url_filtering[each.key].id,
|
||||
null
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2024 Google LLC
|
||||
* Copyright 2026 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -151,6 +151,11 @@ variable "security_profiles" {
|
||||
threat_id = string
|
||||
})))
|
||||
}), {})
|
||||
url_filtering_profile = optional(map(object({
|
||||
action = string
|
||||
priority = number
|
||||
urls = optional(list(string), ["*"])
|
||||
})), {})
|
||||
}))
|
||||
nullable = false
|
||||
default = {
|
||||
@@ -167,6 +172,16 @@ variable "security_profiles" {
|
||||
]))
|
||||
error_message = "Incorrect severity override token."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue(flatten([
|
||||
for k, v in var.security_profiles : [
|
||||
for lk, lv in coalesce(v.threat_prevention_profile.severity_overrides, {}) : (
|
||||
contains(["ALERT", "ALLOW", "DEFAULT_ACTION", "DENY"], lv.action)
|
||||
)
|
||||
]
|
||||
]))
|
||||
error_message = "Severity override action must be one of ALERT, ALLOW, DEFAULT_ACTION, DENY."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue(flatten([
|
||||
for _, v in var.security_profiles : [
|
||||
@@ -177,6 +192,32 @@ variable "security_profiles" {
|
||||
]))
|
||||
error_message = "Incorrect threat override token."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue(flatten([
|
||||
for k, v in var.security_profiles : [
|
||||
for lk, lv in coalesce(v.threat_prevention_profile.threat_overrides, {}) : (
|
||||
contains(["ALERT", "ALLOW", "DEFAULT_ACTION", "DENY"], lv.action)
|
||||
)
|
||||
]
|
||||
]))
|
||||
error_message = "Threat override action must be one of ALERT, ALLOW, DEFAULT_ACTION, DENY."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue(flatten([
|
||||
for k, v in var.security_profiles : [
|
||||
for lk, lv in coalesce(v.url_filtering_profile, {}) : length(lv.urls) > 0
|
||||
]
|
||||
]))
|
||||
error_message = "URL filtering rules must have at least one URL."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue(flatten([
|
||||
for k, v in var.security_profiles : [
|
||||
for lk, lv in coalesce(v.url_filtering_profile, {}) : contains(["ALLOW", "DENY"], lv.action)
|
||||
]
|
||||
]))
|
||||
error_message = "URL filtering rule action must be ALLOW or DENY."
|
||||
}
|
||||
}
|
||||
|
||||
variable "tls_inspection_policies" {
|
||||
|
||||
Reference in New Issue
Block a user