diff --git a/fast/addons/2-networking-ngfw/README.md b/fast/addons/2-networking-ngfw/README.md
index eafec329c..b8589eadb 100644
--- a/fast/addons/2-networking-ngfw/README.md
+++ b/fast/addons/2-networking-ngfw/README.md
@@ -110,10 +110,6 @@ certificate_authorities = {
}
}
}
- ca_pool_config = {
- authz_nsec_sa = true
- name = "ca-pool-0"
- }
}
}
ngfw_config = {
@@ -210,16 +206,18 @@ Security profiles group defined here are exported via output variable file, and
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L28) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [ngfw_config](variables.tf#L106) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | object({…}) | ✓ | | |
-| [organization](variables-fast.tf#L48) | Organization details. | object({…}) | ✓ | | 0-globals |
-| [project_id](variables.tf#L127) | Project where the network security resources will be created. | string | ✓ | | |
+| [ngfw_config](variables.tf#L113) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | object({…}) | ✓ | | |
+| [organization](variables-fast.tf#L56) | Organization details. | object({…}) | ✓ | | 0-globals |
+| [project_id](variables.tf#L134) | Project where the network security resources will be created. | string | ✓ | | |
| [_fast_debug](variables-fast.tf#L19) | Internal FAST variable used for testing and debugging. Do not use. | object({…}) | | {} | |
| [certificate_authorities](variables.tf#L17) | Certificate Authority Service pool and CAs. If host project ids is null identical pools and CAs are created in every host project. | map(object({…})) | | {} | |
| [certificate_authority_pools](variables-fast.tf#L36) | Certificate authority pools. | map(object({…})) | | {} | 2-security |
-| [names](variables.tf#L97) | Configuration for names used for output files. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L121) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [security_profiles](variables.tf#L133) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | map(object({…})) | | {…} | |
-| [tls_inspection_policies](variables.tf#L175) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | map(object({…})) | | {} | |
-| [trust_configs](variables.tf#L217) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | map(object({…})) | | {…} | |
-| [vpc_self_links](variables-fast.tf#L58) | VPC network self links. | map(string) | | {} | 2-networking |
+| [enable_services](variables.tf#L97) | Configure project by enabling services required for this add-on. | bool | | true | |
+| [host_project_ids](variables-fast.tf#L48) | Networking stage host project id aliases. | map(string) | | {} | 2-networking |
+| [names](variables.tf#L104) | Configuration for names used for output files. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [security_profiles](variables.tf#L140) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | map(object({…})) | | {…} | |
+| [tls_inspection_policies](variables.tf#L182) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | map(object({…})) | | {} | |
+| [trust_configs](variables.tf#L224) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | map(object({…})) | | {…} | |
+| [vpc_self_links](variables-fast.tf#L66) | VPC network self links. | map(string) | | {} | 2-networking |
diff --git a/fast/addons/2-networking-ngfw/main.tf b/fast/addons/2-networking-ngfw/main.tf
index 606ac210f..87b03d3cd 100644
--- a/fast/addons/2-networking-ngfw/main.tf
+++ b/fast/addons/2-networking-ngfw/main.tf
@@ -15,15 +15,23 @@
*/
locals {
+ aliased_project_id = lookup(
+ var.host_project_ids, var.project_id, var.project_id
+ )
project_id = try(module.project[0].project_id, var.project_id)
}
module "project" {
source = "../../../modules/project"
count = var._fast_debug.skip_datasources == true ? 0 : 1
- name = var.project_id
+ name = local.aliased_project_id
project_create = false
- services = [
+ service_agents_config = {
+ services_enabled = [
+ "networksecurity.googleapis.com"
+ ]
+ }
+ services = var.enable_services != true ? [] : [
"certificatemanager.googleapis.com",
"networkmanagement.googleapis.com",
"networksecurity.googleapis.com",
diff --git a/fast/addons/2-networking-ngfw/tls-inspection.tf b/fast/addons/2-networking-ngfw/tls-inspection.tf
index 2d7ab1b88..5e39a098c 100644
--- a/fast/addons/2-networking-ngfw/tls-inspection.tf
+++ b/fast/addons/2-networking-ngfw/tls-inspection.tf
@@ -45,7 +45,7 @@ module "cas" {
iam_bindings_additive = merge(
each.value.iam_bindings_additive,
var._fast_debug.skip_datasources == true ? {} : {
- nsec_agent = {
+ nsec_certificate_manager = {
member = module.project[0].service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
diff --git a/fast/addons/2-networking-ngfw/variables-fast.tf b/fast/addons/2-networking-ngfw/variables-fast.tf
index 0d940305a..80767bafa 100644
--- a/fast/addons/2-networking-ngfw/variables-fast.tf
+++ b/fast/addons/2-networking-ngfw/variables-fast.tf
@@ -45,6 +45,14 @@ variable "certificate_authority_pools" {
default = {}
}
+variable "host_project_ids" {
+ # tfdoc:variable:source 2-networking
+ description = "Networking stage host project id aliases."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
variable "organization" {
# tfdoc:variable:source 0-globals
description = "Organization details."
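Review bot: The description of `host_project_ids` does not say which way the map goes; main.tf in this same commit does `lookup(var.host_project_ids, var.project_id, var.project_id)`, so the keys are aliases and the values project ids, and `project_id` may therefore be given as an alias. A description such as `description = "Networking stage host project ids keyed by alias; allows project_id to be passed as an alias."` would make that explicit for users of the add-on.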
diff --git a/fast/addons/2-networking-ngfw/variables.tf b/fast/addons/2-networking-ngfw/variables.tf
index 98b146bac..e1832d518 100644
--- a/fast/addons/2-networking-ngfw/variables.tf
+++ b/fast/addons/2-networking-ngfw/variables.tf
@@ -94,6 +94,13 @@ variable "certificate_authorities" {
default = {}
}
+variable "enable_services" {
+ description = "Configure project by enabling services required for this add-on."
+ type = bool
+ nullable = false
+ default = true
+}
+
variable "names" {
description = "Configuration for names used for output files."
type = object({
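Review bot: The description of `enable_services` states what the default does but not the effect of `false`; in main.tf the `services` list becomes empty in that case, so the add-on enables nothing and relies on the services already being active in the project. Something like `description = "Enable the services required by this add-on in the project. Set to false when they are already enabled, as no services are enabled here in that case."` would state the contract. The `service_agents_config` in main.tf still declares networksecurity regardless of this flag, which looks intentional but is worth mentioning in the description if so.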
diff --git a/fast/addons/2-networking-swp/tls-inspection.tf b/fast/addons/2-networking-swp/tls-inspection.tf
index b8104536f..f0b9ba0cd 100644
--- a/fast/addons/2-networking-swp/tls-inspection.tf
+++ b/fast/addons/2-networking-swp/tls-inspection.tf
@@ -37,10 +37,10 @@ module "cas" {
iam_bindings_additive = merge(
var.certificate_authority.iam_bindings_additive,
var._fast_debug.skip_datasources == true ? {} : {
- # nsec_certificate_manager = {
- # member = module.project[0].service_agents["networksecurity"].iam_email
- # role = "roles/privateca.certificateManager"
- # }
+ nsec_certificate_manager = {
+ member = module.project[0].service_agents["networksecurity"].iam_email
+ role = "roles/privateca.certificateManager"
+ }
}
)
}
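Review bot: The newly active binding grants `roles/privateca.certificateManager` to the Network Security service agent without a comment saying why, and it reads `module.project[0].service_agents["networksecurity"]`, which only resolves if this add-on's project module declares the networksecurity service as enabled (the ngfw add-on adds a `service_agents_config` for exactly this in the same commit; the swp main.tf is not in this diff, so confirm it does the same or the plan will fail on the lookup). A short comment above `nsec_certificate_manager` such as `# allow the Network Security service agent to request certificates from this CA pool (presumably for TLS inspection)` would document the grant, which is the only IAM change this add-on makes on the CA. The `merge(` call starts before the hunk.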