Update service activation in ngfw add-on (#2823)
* align service usage in ngfw add-on with swp * update ngfw README example
This commit is contained in:
committed by
GitHub
parent
0b6bcdccf8
commit
1c2e3c5677
@@ -110,10 +110,6 @@ certificate_authorities = {
|
||||
}
|
||||
}
|
||||
}
|
||||
ca_pool_config = {
|
||||
authz_nsec_sa = true
|
||||
name = "ca-pool-0"
|
||||
}
|
||||
}
|
||||
}
|
||||
ngfw_config = {
|
||||
@@ -210,16 +206,18 @@ Security profiles group defined here are exported via output variable file, and
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables-fast.tf#L28) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [ngfw_config](variables.tf#L106) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | <code title="object({ endpoint_zones = list(string) name = optional(string, "ngfw-0") network_associations = optional(map(object({ vpc_id = string disabled = optional(bool) tls_inspection_policy = optional(string) zones = optional(list(string)) })), {}) })">object({…})</code> | ✓ | | |
|
||||
| [organization](variables-fast.tf#L48) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-globals</code> |
|
||||
| [project_id](variables.tf#L127) | Project where the network security resources will be created. | <code>string</code> | ✓ | | |
|
||||
| [ngfw_config](variables.tf#L113) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | <code title="object({ endpoint_zones = list(string) name = optional(string, "ngfw-0") network_associations = optional(map(object({ vpc_id = string disabled = optional(bool) tls_inspection_policy = optional(string) zones = optional(list(string)) })), {}) })">object({…})</code> | ✓ | | |
|
||||
| [organization](variables-fast.tf#L56) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-globals</code> |
|
||||
| [project_id](variables.tf#L134) | Project where the network security resources will be created. | <code>string</code> | ✓ | | |
|
||||
| [_fast_debug](variables-fast.tf#L19) | Internal FAST variable used for testing and debugging. Do not use. | <code title="object({ skip_datasources = optional(bool, false) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [certificate_authorities](variables.tf#L17) | Certificate Authority Service pool and CAs. If host project ids is null identical pools and CAs are created in every host project. | <code title="map(object({ location = string iam = optional(map(list(string)), {}) iam_bindings = optional(map(any), {}) iam_bindings_additive = optional(map(any), {}) iam_by_principals = optional(map(list(string)), {}) ca_configs = map(object({ deletion_protection = optional(string, true) type = optional(string, "SELF_SIGNED") is_ca = optional(bool, true) lifetime = optional(string, null) pem_ca_certificate = optional(string, null) ignore_active_certificates_on_deletion = optional(bool, false) skip_grace_period = optional(bool, true) labels = optional(map(string), null) gcs_bucket = optional(string, null) key_spec = optional(object({ algorithm = optional(string, "RSA_PKCS1_2048_SHA256") kms_key_id = optional(string, null) }), {}) key_usage = optional(object({ cert_sign = optional(bool, true) client_auth = optional(bool, false) code_signing = optional(bool, false) content_commitment = optional(bool, false) crl_sign = optional(bool, true) data_encipherment = optional(bool, false) decipher_only = optional(bool, false) digital_signature = optional(bool, false) email_protection = optional(bool, false) encipher_only = optional(bool, false) key_agreement = optional(bool, false) key_encipherment = optional(bool, true) ocsp_signing = optional(bool, false) server_auth = optional(bool, true) time_stamping = optional(bool, false) }), {}) subject = optional( object({ common_name = string organization = string country_code = optional(string) locality = optional(string) organizational_unit = optional(string) postal_code = optional(string) province = optional(string) street_address = optional(string) }), { common_name = "test.example.com" organization = "Test Example" } ) subject_alt_name = optional(object({ dns_names = optional(list(string), null) email_addresses = optional(list(string), null) 
ip_addresses = optional(list(string), null) uris = optional(list(string), null) }), null) subordinate_config = optional(object({ root_ca_id = optional(string) pem_issuer_certificates = optional(list(string)) }), null) })) ca_pool_config = optional(object({ create_pool = optional(object({ name = optional(string) tier = optional(string, "DEVOPS") })) use_pool = optional(object({ id = string })) })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [certificate_authority_pools](variables-fast.tf#L36) | Certificate authority pools. | <code title="map(object({ id = string ca_ids = map(string) location = string }))">map(object({…}))</code> | | <code>{}</code> | <code>2-security</code> |
|
||||
| [names](variables.tf#L97) | Configuration for names used for output files. | <code title="object({ output_files_prefix = optional(string, "2-networking-ngfw") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L121) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [security_profiles](variables.tf#L133) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | <code title="map(object({ description = optional(string) threat_prevention_profile = optional(object({ severity_overrides = optional(map(object({ action = string severity = string }))) threat_overrides = optional(map(object({ action = string threat_id = string }))) }), {}) }))">map(object({…}))</code> | | <code title="{ ngfw-default = {} }">{…}</code> | |
|
||||
| [tls_inspection_policies](variables.tf#L175) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | <code title="map(object({ ca_pool_id = string location = string exclude_public_ca_set = optional(bool) trust_config = optional(string) tls = optional(object({ custom_features = optional(list(string)) feature_profile = optional(string) min_version = optional(string) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [trust_configs](variables.tf#L217) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | <code title="map(object({ location = string description = optional(string) allowlisted_certificates = optional(map(string)) trust_stores = optional(map(object({ intermediate_cas = optional(map(string)) trust_anchors = optional(map(string)) }))) }))">map(object({…}))</code> | | <code title="{ }">{…}</code> | |
|
||||
| [vpc_self_links](variables-fast.tf#L58) | VPC network self links. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking</code> |
|
||||
| [enable_services](variables.tf#L97) | Configure project by enabling services required for this add-on. | <code>bool</code> | | <code>true</code> | |
|
||||
| [host_project_ids](variables-fast.tf#L48) | Networking stage host project id aliases. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking</code> |
|
||||
| [names](variables.tf#L104) | Configuration for names used for output files. | <code title="object({ output_files_prefix = optional(string, "2-networking-ngfw") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [security_profiles](variables.tf#L140) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | <code title="map(object({ description = optional(string) threat_prevention_profile = optional(object({ severity_overrides = optional(map(object({ action = string severity = string }))) threat_overrides = optional(map(object({ action = string threat_id = string }))) }), {}) }))">map(object({…}))</code> | | <code title="{ ngfw-default = {} }">{…}</code> | |
|
||||
| [tls_inspection_policies](variables.tf#L182) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | <code title="map(object({ ca_pool_id = string location = string exclude_public_ca_set = optional(bool) trust_config = optional(string) tls = optional(object({ custom_features = optional(list(string)) feature_profile = optional(string) min_version = optional(string) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [trust_configs](variables.tf#L224) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | <code title="map(object({ location = string description = optional(string) allowlisted_certificates = optional(map(string)) trust_stores = optional(map(object({ intermediate_cas = optional(map(string)) trust_anchors = optional(map(string)) }))) }))">map(object({…}))</code> | | <code title="{ }">{…}</code> | |
|
||||
| [vpc_self_links](variables-fast.tf#L66) | VPC network self links. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking</code> |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -15,15 +15,23 @@
|
||||
*/
|
||||
|
||||
locals {
|
||||
aliased_project_id = lookup(
|
||||
var.host_project_ids, var.project_id, var.project_id
|
||||
)
|
||||
project_id = try(module.project[0].project_id, var.project_id)
|
||||
}
|
||||
|
||||
module "project" {
|
||||
source = "../../../modules/project"
|
||||
count = var._fast_debug.skip_datasources == true ? 0 : 1
|
||||
name = var.project_id
|
||||
name = local.aliased_project_id
|
||||
project_create = false
|
||||
services = [
|
||||
service_agents_config = {
|
||||
services_enabled = [
|
||||
"networksecurity.googleapis.com"
|
||||
]
|
||||
}
|
||||
services = var.enable_services != true ? [] : [
|
||||
"certificatemanager.googleapis.com",
|
||||
"networkmanagement.googleapis.com",
|
||||
"networksecurity.googleapis.com",
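Review bot: The relationship between `service_agents_config.services_enabled` and the conditional `services` list in module "project" is undocumented, and a reader can easily take the first as a second place where the networksecurity API gets enabled. If, as the `module.project[0].service_agents["networksecurity"]` references in the cas hunks suggest, `services_enabled` only tells the project module which service agent identities to expose when `enable_services` is false, a comment on the `service_agents_config = {` line would prevent that misreading, e.g. `# service agents this add-on references even when enable_services is false; this does not enable the API itself`. As a style point, `var.enable_services != true` can be written `!var.enable_services`, since the variable is declared `type = bool` with `nullable = false`. The module "project" block continues past the end of the hunk.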
|
||||
|
||||
@@ -45,7 +45,7 @@ module "cas" {
|
||||
iam_bindings_additive = merge(
|
||||
each.value.iam_bindings_additive,
|
||||
var._fast_debug.skip_datasources == true ? {} : {
|
||||
nsec_agent = {
|
||||
nsec_certificate_manager = {
|
||||
member = module.project[0].service_agents["networksecurity"].iam_email
|
||||
role = "roles/privateca.certificateManager"
|
||||
}
|
||||
|
||||
@@ -45,6 +45,14 @@ variable "certificate_authority_pools" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "host_project_ids" {
|
||||
# tfdoc:variable:source 2-networking
|
||||
description = "Networking stage host project id aliases."
|
||||
type = map(string)
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "organization" {
|
||||
# tfdoc:variable:source 0-globals
|
||||
description = "Organization details."
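Review bot: The description of `host_project_ids` says what the map holds but not how this add-on uses it; judging from the `lookup(var.host_project_ids, var.project_id, var.project_id)` in main.tf, it lets `project_id` be given as a networking-stage alias that is resolved through this map, falling back to the literal value. Stating that here would save readers a trip to main.tf, e.g. `description = "Networking stage host project id aliases; project_id may be one of these keys and is resolved through this map."`.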
|
||||
|
||||
@@ -94,6 +94,13 @@ variable "certificate_authorities" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "enable_services" {
|
||||
description = "Configure project by enabling services required for this add-on."
|
||||
type = bool
|
||||
nullable = false
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "names" {
|
||||
description = "Configuration for names used for output files."
|
||||
type = object({
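Review bot: The description of `enable_services` does not say what happens when it is false; from main.tf the project module's `services` list simply becomes empty, so the APIs must already be enabled by something else for the add-on to work. Suggest `description = "Enable the services required by this add-on in the project. Set to false to skip service activation, in which case the required services must already be enabled."`.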
|
||||
|
||||
@@ -37,10 +37,10 @@ module "cas" {
|
||||
iam_bindings_additive = merge(
|
||||
var.certificate_authority.iam_bindings_additive,
|
||||
var._fast_debug.skip_datasources == true ? {} : {
|
||||
# nsec_certificate_manager = {
|
||||
# member = module.project[0].service_agents["networksecurity"].iam_email
|
||||
# role = "roles/privateca.certificateManager"
|
||||
# }
|
||||
nsec_certificate_manager = {
|
||||
member = module.project[0].service_agents["networksecurity"].iam_email
|
||||
role = "roles/privateca.certificateManager"
|
||||
}
|
||||
}
|
||||
)
|
||||
}
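Review bot: The binding granting `roles/privateca.certificateManager` to the networksecurity service agent is re-enabled with no comment on why it was previously commented out or what now makes it safe; presumably the new `service_agents_config.services_enabled` in main.tf is what makes `module.project[0].service_agents["networksecurity"]` resolvable, but that dependency is invisible here. A short comment above `nsec_certificate_manager = {`, e.g. `# lets the NGFW service agent issue certificates from this CA pool; the agent identity comes from service_agents_config in main.tf`, would record it. The same binding in the earlier cas hunk is renamed from `nsec_agent` to `nsec_certificate_manager`; if that key feeds a `for_each`, existing deployments will see the IAM member destroyed and recreated, which is worth calling out in the commit message or handled with a `moved` block if the underlying resource address allows it.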
|
||||
|
||||