From 1c2e3c56773ade103b55e6dc5a2cc3f673081e38 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Sat, 18 Jan 2025 14:23:23 +0100
Subject: [PATCH] Update service activation in ngfw add-on (#2823)
* align services use in ngfw add-on with swp
* update ngfw README example
---
 fast/addons/2-networking-ngfw/README.md | 24 +++++++++----------
 fast/addons/2-networking-ngfw/main.tf | 12 ++++++++--
 .../2-networking-ngfw/tls-inspection.tf | 2 +-
 .../2-networking-ngfw/variables-fast.tf | 8 +++++++
 fast/addons/2-networking-ngfw/variables.tf | 7 ++++++
 .../addons/2-networking-swp/tls-inspection.tf | 8 +++---
 6 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/fast/addons/2-networking-ngfw/README.md b/fast/addons/2-networking-ngfw/README.md
index eafec329c..b8589eadb 100644
--- a/fast/addons/2-networking-ngfw/README.md
+++ b/fast/addons/2-networking-ngfw/README.md
@@ -110,10 +110,6 @@ certificate_authorities = {
 }
 }
 }
- ca_pool_config = {
- authz_nsec_sa = true
- name = "ca-pool-0"
- }
 }
 }
 ngfw_config = {
@@ -210,16 +206,18 @@ Security profiles group defined here are exported via output variable file, and
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L28) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [ngfw_config](variables.tf#L106) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | object({…}) | ✓ | | |
-| [organization](variables-fast.tf#L48) | Organization details. | object({…}) | ✓ | | 0-globals |
-| [project_id](variables.tf#L127) | Project where the network security resources will be created. | string | ✓ | | |
+| [ngfw_config](variables.tf#L113) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | object({…}) | ✓ | | |
+| [organization](variables-fast.tf#L56) | Organization details. | object({…}) | ✓ | | 0-globals |
+| [project_id](variables.tf#L134) | Project where the network security resources will be created. | string | ✓ | | |
 | [_fast_debug](variables-fast.tf#L19) | Internal FAST variable used for testing and debugging. Do not use. | object({…}) | | {} | |
 | [certificate_authorities](variables.tf#L17) | Certificate Authority Service pool and CAs. If host project ids is null identical pools and CAs are created in every host project. | map(object({…})) | | {} | |
 | [certificate_authority_pools](variables-fast.tf#L36) | Certificate authority pools. | map(object({…})) | | {} | 2-security |
-| [names](variables.tf#L97) | Configuration for names used for output files. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L121) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [security_profiles](variables.tf#L133) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | map(object({…})) | | {…} | |
-| [tls_inspection_policies](variables.tf#L175) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | map(object({…})) | | {} | |
-| [trust_configs](variables.tf#L217) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | map(object({…})) | | {…} | |
-| [vpc_self_links](variables-fast.tf#L58) | VPC network self links. | map(string) | | {} | 2-networking |
+| [enable_services](variables.tf#L97) | Configure project by enabling services required for this add-on. | bool | | true | |
+| [host_project_ids](variables-fast.tf#L48) | Networking stage host project id aliases. | map(string) | | {} | 2-networking |
+| [names](variables.tf#L104) | Configuration for names used for output files. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [security_profiles](variables.tf#L140) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | map(object({…})) | | {…} | |
+| [tls_inspection_policies](variables.tf#L182) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | map(object({…})) | | {} | |
+| [trust_configs](variables.tf#L224) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | map(object({…})) | | {…} | |
+| [vpc_self_links](variables-fast.tf#L66) | VPC network self links. | map(string) | | {} | 2-networking |
 
diff --git a/fast/addons/2-networking-ngfw/main.tf b/fast/addons/2-networking-ngfw/main.tf
index 606ac210f..87b03d3cd 100644
--- a/fast/addons/2-networking-ngfw/main.tf
+++ b/fast/addons/2-networking-ngfw/main.tf
@@ -15,15 +15,23 @@
 */
 
 locals {
+ aliased_project_id = lookup(
+ var.host_project_ids, var.project_id, var.project_id
+ )
 project_id = try(module.project[0].project_id, var.project_id)
 }
 
 module "project" {
 source = "../../../modules/project"
 count = var._fast_debug.skip_datasources == true ? 0 : 1
- name = var.project_id
+ name = local.aliased_project_id
 project_create = false
- services = [
+ service_agents_config = {
+ services_enabled = [
+ "networksecurity.googleapis.com"
+ ]
+ }
+ services = var.enable_services != true ? [] : [
 "certificatemanager.googleapis.com",
 "networkmanagement.googleapis.com",
 "networksecurity.googleapis.com",
diff --git a/fast/addons/2-networking-ngfw/tls-inspection.tf b/fast/addons/2-networking-ngfw/tls-inspection.tf
index 2d7ab1b88..5e39a098c 100644
--- a/fast/addons/2-networking-ngfw/tls-inspection.tf
+++ b/fast/addons/2-networking-ngfw/tls-inspection.tf
@@ -45,7 +45,7 @@ module "cas" {
 iam_bindings_additive = merge(
 each.value.iam_bindings_additive,
 var._fast_debug.skip_datasources == true ? {} : {
- nsec_agent = {
+ nsec_certificate_manager = {
 member = module.project[0].service_agents["networksecurity"].iam_email
 role = "roles/privateca.certificateManager"
 }
diff --git a/fast/addons/2-networking-ngfw/variables-fast.tf b/fast/addons/2-networking-ngfw/variables-fast.tf
index 0d940305a..80767bafa 100644
--- a/fast/addons/2-networking-ngfw/variables-fast.tf
+++ b/fast/addons/2-networking-ngfw/variables-fast.tf
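Review bot: `local.project_id` still falls back to `var.project_id` when `module.project` has `count = 0` (the `skip_datasources == true` path), while the module itself now receives the resolved `local.aliased_project_id`; in that mode an aliased `project_id` value would be passed through unresolved to whatever reads `local.project_id`, so the two code paths disagree. The fallback should be `project_id = try(module.project[0].project_id, local.aliased_project_id)`. Separately, `service_agents_config.services_enabled` asserts `networksecurity.googleapis.com` regardless of `var.enable_services`, which presumably tells the project module to treat the API as enabled and expose its service agent; with `enable_services = false` that agent only exists if the API was enabled outside this add-on, and a comment such as `# networksecurity is assumed enabled even when enable_services is false, its agent is granted CA pool access in tls-inspection.tf` above `services_enabled` would make the dependency explicit. Both the `locals` block and `module "project"` continue past the end of the hunk.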
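Review bot: Renaming the `iam_bindings_additive` key from `nsec_agent` to `nsec_certificate_manager` will most likely destroy and recreate the additive binding on the next apply, since the map key is presumably used as a `for_each` key inside `module "cas"`; that leaves a short window in which the networksecurity service agent loses `roles/privateca.certificateManager` on the pool and TLS inspection certificate issuance can fail. If the cas module exposes a stable resource address, a `moved` block or a state move before apply avoids the gap; at minimum the PR description should call out the transient revocation for existing deployments. The enclosing `merge(` call and `module "cas"` block start and end outside the hunk.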
@@ -45,6 +45,14 @@ variable "certificate_authority_pools" {
 default = {}
 }
 
+variable "host_project_ids" {
+ # tfdoc:variable:source 2-networking
+ description = "Networking stage host project id aliases."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "organization" {
 # tfdoc:variable:source 0-globals
 description = "Organization details."
diff --git a/fast/addons/2-networking-ngfw/variables.tf b/fast/addons/2-networking-ngfw/variables.tf
index 98b146bac..e1832d518 100644
--- a/fast/addons/2-networking-ngfw/variables.tf
+++ b/fast/addons/2-networking-ngfw/variables.tf
@@ -94,6 +94,13 @@ variable "certificate_authorities" {
 default = {}
 }
 
+variable "enable_services" {
+ description = "Configure project by enabling services required for this add-on."
+ type = bool
+ nullable = false
+ default = true
+}
+
 variable "names" {
 description = "Configuration for names used for output files."
 type = object({
diff --git a/fast/addons/2-networking-swp/tls-inspection.tf b/fast/addons/2-networking-swp/tls-inspection.tf
index b8104536f..f0b9ba0cd 100644
--- a/fast/addons/2-networking-swp/tls-inspection.tf
+++ b/fast/addons/2-networking-swp/tls-inspection.tf
@@ -37,10 +37,10 @@ module "cas" {
 iam_bindings_additive = merge(
 var.certificate_authority.iam_bindings_additive,
 var._fast_debug.skip_datasources == true ? {} : {
- # nsec_certificate_manager = {
- # member = module.project[0].service_agents["networksecurity"].iam_email
- # role = "roles/privateca.certificateManager"
- # }
+ nsec_certificate_manager = {
+ member = module.project[0].service_agents["networksecurity"].iam_email
+ role = "roles/privateca.certificateManager"
+ }
 }
 )
 }
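Review bot: The description of `host_project_ids` does not say how the add-on consumes it; in `main.tf` it is only used as an alias table via `lookup(var.host_project_ids, var.project_id, var.project_id)`, and a reader of the variable alone cannot tell that keys are aliases and values are the real host project ids. Consider `description = "Networking stage host project id aliases, used to resolve an aliased project_id to the actual host project id."` so the relationship to `project_id` is documented where the variable is declared.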
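Review bot: The `enable_services` description should state what `false` implies, because in `main.tf` the project module still sets `service_agents_config.services_enabled = ["networksecurity.googleapis.com"]` and `tls-inspection.tf` still reads that service agent's email for the CA pool binding, so the required APIs must already be enabled when the flag is off. Consider `description = "Configure project by enabling services required for this add-on. When false the required services must already be enabled, as the networksecurity service agent is still used for IAM bindings."`.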
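Review bot: The newly active `nsec_certificate_manager` binding depends on `module.project[0].service_agents["networksecurity"]` being populated, and this patch does not show whether the swp add-on's `module "project"` asserts that service through `service_agents_config.services_enabled` the way the ngfw `main.tf` hunk in this commit does; if it does not, evaluating the agent email may fail when the API is not enabled by the add-on, so that should be confirmed before merging. The grant itself is appropriately narrow: `roles/privateca.certificateManager` is attached to the CA pool through `iam_bindings_additive` rather than at project level, and it is skipped entirely under `skip_datasources`. The `module "cas"` block begins before the hunk.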