net-swp module cleanup (#2510)

* net-swp: add support for PSC SA
* Doc updates
This commit is contained in:
Simone Ruffilli
2024-08-21 11:28:20 +02:00
committed by GitHub
parent 13595f1499
commit e82cc35f50
8 changed files with 453 additions and 167 deletions


@@ -7,6 +7,13 @@ policies:
- Url list rules via the `policy_rules.url_lists` variable
- Custom rules via the `policy_rules.custom`
It also allows to deploy SWP as a Private Service Connect service.
This means that a single SWP deployment can be used from across different VPCs, regardless of whether they are interconnected.
A [Proxy-only subnet](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) must exist in the VPC where SWP is deployed.
When deploying SWP, the required ad-hoc [Cloud Router](https://cloud.google.com/network-connectivity/docs/router) is also created.
## Examples
### Minimal Secure Web Proxy
@@ -31,6 +38,35 @@ module "secure-web-proxy" {
# tftest modules=1 resources=2 inventory=basic.yaml
```
### PSC service attachments
The optional `service_attachment` variable allows [deploying SWP as a Private Service Connect service attachment](https://cloud.google.com/secure-web-proxy/docs/deploy-service-attachment)
```hcl
module "secure-web-proxy" {
source = "./fabric/modules/net-swp"
project_id = "my-project"
region = "europe-west4"
name = "secure-web-proxy"
network = "projects/my-project/global/networks/my-network"
subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
addresses = ["10.142.68.3"]
certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
labels = {
example = "value"
}
service_attachment = {
nat_subnets = ["projects/my-project/regions/europe-west4/subnetworks/my-psc-subnetwork"]
consumer_accept_lists = {
"my-autoaccept-project-1" = 1,
"my-autoaccept-project-2" = 1
}
}
}
# tftest modules=1 resources=3 inventory=psc.yaml
```
### Secure Web Proxy with rules
```hcl
@@ -174,14 +210,15 @@ module "secure-web-proxy" {
| [network](variables.tf#L56) | Name of the network the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L120) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
| [region](variables.tf#L125) | Region where resources will be created. | <code>string</code> | ✓ | |
| [subnetwork](variables.tf#L136) | Name of the subnetwork the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [subnetwork](variables.tf#L151) | Name of the subnetwork the Secure Web Proxy is deployed into. | <code>string</code> | ✓ | |
| [delete_swg_autogen_router_on_destroy](variables.tf#L33) | Delete automatically provisioned Cloud Router on destroy. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L39) | Optional description for the created resources. | <code>string</code> | | <code>&#34;Managed by Terraform.&#34;</code> |
| [labels](variables.tf#L45) | Resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [policy_rules](variables.tf#L61) | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | <code title="object&#40;&#123;&#10; secure_tags &#61; optional&#40;map&#40;object&#40;&#123;&#10; tag &#61; string&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; url_lists &#61; optional&#40;map&#40;object&#40;&#123;&#10; url_list &#61; string&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; custom &#61; optional&#40;map&#40;object&#40;&#123;&#10; session_matcher &#61; optional&#40;string&#41;&#10; application_matcher &#61; optional&#40;string&#41;&#10; priority &#61; number&#10; action &#61; optional&#40;string, &#34;ALLOW&#34;&#41;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; tls_inspection_enabled &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ports](variables.tf#L114) | Ports to use for Secure Web Proxy. | <code>list&#40;number&#41;</code> | | <code>&#91;443&#93;</code> |
| [scope](variables.tf#L130) | Scope determines how configuration across multiple Gateway instances are merged. | <code>string</code> | | <code>null</code> |
| [tls_inspection_config](variables.tf#L141) | TLS inspection configuration. | <code title="object&#40;&#123;&#10; ca_pool &#61; optional&#40;string, null&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [service_attachment](variables.tf#L136) | PSC service attachment configuration. | <code title="object&#40;&#123;&#10; nat_subnets &#61; list&#40;string&#41;&#10; automatic_connection &#61; optional&#40;bool, false&#41;&#10; consumer_accept_lists &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; consumer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10; description &#61; optional&#40;string&#41;&#10; domain_name &#61; optional&#40;string&#41;&#10; enable_proxy_protocol &#61; optional&#40;bool, false&#41;&#10; reconcile_connections &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [tls_inspection_config](variables.tf#L156) | TLS inspection configuration. | <code title="object&#40;&#123;&#10; ca_pool &#61; optional&#40;string, null&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
## Outputs
@@ -190,4 +227,5 @@ module "secure-web-proxy" {
| [gateway](outputs.tf#L17) | The gateway resource. | |
| [gateway_security_policy](outputs.tf#L22) | The gateway security policy resource. | |
| [id](outputs.tf#L27) | ID of the gateway resource. | |
| [service_attachment](outputs.tf#L32) | ID of the service attachment resource, if created. | |
<!-- END TFDOC -->


@@ -18,18 +18,28 @@ locals {
create_url_lists = { for k, v in var.policy_rules.url_lists : v.url_list => v if v.values != null }
}
resource "google_network_security_gateway_security_policy" "policy" {
moved {
from = google_network_security_gateway_security_policy.policy
to = google_network_security_gateway_security_policy.default
}
resource "google_network_security_gateway_security_policy" "default" {
provider = google-beta
project = var.project_id
name = var.name
location = var.region
description = var.description
tls_inspection_policy = var.tls_inspection_config != null ? google_network_security_tls_inspection_policy.tls-policy[0].id : null
tls_inspection_policy = var.tls_inspection_config != null ? google_network_security_tls_inspection_policy.default[0].id : null
}
resource "google_network_security_tls_inspection_policy" "tls-policy" {
moved {
from = google_network_security_tls_inspection_policy.tls-policy
to = google_network_security_tls_inspection_policy.default
}
resource "google_network_security_tls_inspection_policy" "default" {
count = var.tls_inspection_config != null ? 1 : 0
provider = google-beta
provider = google
project = var.project_id
name = var.name
location = var.region
@@ -40,12 +50,12 @@ resource "google_network_security_tls_inspection_policy" "tls-policy" {
resource "google_network_security_gateway_security_policy_rule" "secure_tag_rules" {
for_each = var.policy_rules.secure_tags
provider = google-beta
provider = google
project = var.project_id
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
gateway_security_policy = google_network_security_gateway_security_policy.policy.name
gateway_security_policy = google_network_security_gateway_security_policy.default.name
enabled = each.value.enabled
priority = each.value.priority
session_matcher = trimspace(<<-EOT
@@ -57,29 +67,19 @@ resource "google_network_security_gateway_security_policy_rule" "secure_tag_rule
basic_profile = each.value.action
}
resource "google_network_security_url_lists" "url_lists" {
for_each = local.create_url_lists
provider = google-beta
project = var.project_id
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
values = each.value.values
}
resource "google_network_security_gateway_security_policy_rule" "url_list_rules" {
for_each = var.policy_rules.url_lists
provider = google-beta
provider = google
project = var.project_id
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
gateway_security_policy = google_network_security_gateway_security_policy.policy.name
gateway_security_policy = google_network_security_gateway_security_policy.default.name
enabled = each.value.enabled
priority = each.value.priority
session_matcher = trimspace(<<-EOT
inUrlList(host(), '%{~if each.value.values != null~}
${~google_network_security_url_lists.url_lists[each.value.url_list].id~}
${~google_network_security_url_lists.default[each.value.url_list].id~}
%{~else~}
${~each.value.url_list~}
%{~endif~}') %{~if each.value.session_matcher != null} && (${each.value.session_matcher})%{~endif~}
@@ -93,11 +93,11 @@ resource "google_network_security_gateway_security_policy_rule" "url_list_rules"
resource "google_network_security_gateway_security_policy_rule" "custom_rules" {
for_each = var.policy_rules.custom
project = var.project_id
provider = google-beta
provider = google
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
gateway_security_policy = google_network_security_gateway_security_policy.policy.name
gateway_security_policy = google_network_security_gateway_security_policy.default.id
enabled = each.value.enabled
priority = each.value.priority
session_matcher = each.value.session_matcher
@@ -106,8 +106,27 @@ resource "google_network_security_gateway_security_policy_rule" "custom_rules" {
basic_profile = each.value.action
}
resource "google_network_services_gateway" "gateway" {
provider = google-beta
moved {
from = google_network_security_url_lists.url_list_rules
to = google_network_security_url_lists.default
}
resource "google_network_security_url_lists" "default" {
for_each = local.create_url_lists
provider = google
project = var.project_id
name = each.key
location = var.region
description = coalesce(each.value.description, var.description)
values = each.value.values
}
moved {
from = google_network_services_gateway.gateway
to = google_network_services_gateway.default
}
resource "google_network_services_gateway" "default" {
provider = google
project = var.project_id
name = var.name
location = var.region
@@ -118,9 +137,35 @@ resource "google_network_services_gateway" "gateway" {
ports = var.ports
scope = var.scope != null ? var.scope : ""
certificate_urls = var.certificates
gateway_security_policy = google_network_security_gateway_security_policy.policy.id
gateway_security_policy = google_network_security_gateway_security_policy.default.id
network = var.network
subnetwork = var.subnetwork
delete_swg_autogen_router_on_destroy = var.delete_swg_autogen_router_on_destroy
}
resource "google_compute_service_attachment" "default" {
count = var.service_attachment == null ? 0 : 1
project = var.project_id
region = var.region
name = var.name
description = "Service attachment for SWP ${var.name}"
target_service = google_network_services_gateway.default.self_link
nat_subnets = var.service_attachment.nat_subnets
connection_preference = (
var.service_attachment.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
)
consumer_reject_lists = var.service_attachment.consumer_reject_lists
domain_names = (
var.service_attachment.domain_name == null ? null : [var.service_attachment.domain_name]
)
enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
reconcile_connections = var.service_attachment.reconcile_connections
dynamic "consumer_accept_lists" {
for_each = var.service_attachment.consumer_accept_lists
iterator = accept
content {
project_id_or_num = accept.key
connection_limit = accept.value
}
}
}
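Review bot: The `moved` block that precedes `google_network_security_url_lists.default` names `from = google_network_security_url_lists.url_list_rules`, but the resource being renamed was `google_network_security_url_lists.url_lists` (the removed block earlier in this file), so the move matches nothing in state and the next apply destroys every existing URL list and recreates it under `default`, at the same moment the rules that reference those lists are being rewritten; the fix is `from = google_network_security_url_lists.url_lists`. In `google_compute_service_attachment.default`, `var.service_attachment.description` is declared in variables.tf but never read because `description` is hard-coded to `"Service attachment for SWP ${var.name}"`; either use `coalesce(var.service_attachment.description, "Service attachment for SWP ${var.name}")` or drop the attribute. `connection_preference` deserves a comment as well: as I read the PSC docs, `automatic_connection = true` yields `ACCEPT_AUTOMATIC`, which admits any consumer project that can reach the attachment (only `consumer_reject_lists` still filters), while the default `ACCEPT_MANUAL` with an empty accept list admits nobody, so the README example is only safe because it relies on that default. Finally `custom_rules` now passes `gateway_security_policy` as `.id` while `secure_tag_rules` and `url_list_rules` pass `.name`; the provider appears to accept both, but the three rule resources should agree.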


@@ -16,15 +16,20 @@
output "gateway" {
description = "The gateway resource."
value = google_network_services_gateway.gateway
value = google_network_services_gateway.default
}
output "gateway_security_policy" {
description = "The gateway security policy resource."
value = google_network_services_gateway.gateway.gateway_security_policy
value = google_network_services_gateway.default.gateway_security_policy
}
output "id" {
description = "ID of the gateway resource."
value = google_network_services_gateway.gateway.id
value = google_network_services_gateway.default.id
}
output "service_attachment" {
description = "ID of the service attachment resource, if created."
value = var.service_attachment == null ? "" : google_compute_service_attachment.default[0].id
}
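Review bot: The new `service_attachment` output returns `""` when no attachment is created, which callers cannot tell apart from an id without a string compare and which differs from the `null` the module uses for the absent `service_attachment` input; `value = try(google_compute_service_attachment.default[0].id, null)` (or `one(google_compute_service_attachment.default[*].id)`) keeps the output `null` in that case. The description should then say `"ID of the service attachment resource, null if not created."` so consumers know which sentinel to test for.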


@@ -133,6 +133,21 @@ variable "scope" {
default = null
}
variable "service_attachment" {
description = "PSC service attachment configuration."
type = object({
nat_subnets = list(string)
automatic_connection = optional(bool, false)
consumer_accept_lists = optional(map(string), {})
consumer_reject_lists = optional(list(string))
description = optional(string)
domain_name = optional(string)
enable_proxy_protocol = optional(bool, false)
reconcile_connections = optional(bool)
})
default = null
}
variable "subnetwork" {
description = "Name of the subnetwork the Secure Web Proxy is deployed into."
type = string
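Review bot: `consumer_accept_lists` is typed `map(string)` although each value is passed straight into `connection_limit`, a numeric provider argument (the README example passes bare `1`s); `consumer_accept_lists = optional(map(number), {})` rejects a non-numeric limit at plan time rather than at apply, and the generated README table would then state the real contract. There is also nothing stopping `nat_subnets = []`, which the service attachment cannot be created with; a `validation` block with `condition = var.service_attachment == null || length(var.service_attachment.nat_subnets) > 0` and `error_message = "service_attachment.nat_subnets must list at least one subnet."` would surface that at plan. The `description` attribute added here is presumably meant to flow into the service attachment resource; confirm it is actually consumed in main.tf or remove it.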


@@ -14,26 +14,40 @@
# file: tests/modules/net_swp/examples/basic.yaml
values:
module.secure-web-proxy.google_network_security_gateway_security_policy.policy:
name: "secure-web-proxy"
project: "my-project"
location: "europe-west4"
module.secure-web-proxy.google_network_services_gateway.gateway:
project: "my-project"
name: "secure-web-proxy"
location: "europe-west4"
type: "SECURE_WEB_GATEWAY"
addresses:
- "10.142.68.3"
ports: [443]
certificate_urls: ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
network: "projects/my-project/global/networks/my-network"
subnetwork: "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
module.secure-web-proxy.google_network_security_gateway_security_policy.default:
description: Managed by Terraform.
location: europe-west4
name: secure-web-proxy
project: my-project
timeouts: null
tls_inspection_policy: null
module.secure-web-proxy.google_network_services_gateway.default:
addresses:
- 10.142.68.3
certificate_urls:
- projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert
delete_swg_autogen_router_on_destroy: true
description: Managed by Terraform.
effective_labels:
example: value
labels:
example: "value"
description: "Managed by Terraform."
example: value
location: europe-west4
name: secure-web-proxy
network: projects/my-project/global/networks/my-network
ports:
- 443
project: my-project
scope: ''
server_tls_policy: null
subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork
terraform_labels:
example: value
timeouts: null
type: SECURE_WEB_GATEWAY
counts:
google_network_security_gateway_security_policy: 1
google_network_services_gateway: 1
modules: 1
resources: 2

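--- /dev/null
+++ b/tests/modules/net_swp/examples/psc.yaml
@@ -0,0 +1,73 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# file: tests/modules/net_swp/examples/basic.yaml
+values:
+  module.secure-web-proxy.google_compute_service_attachment.default[0]:
+    connection_preference: ACCEPT_MANUAL
+    consumer_accept_lists:
+    - connection_limit: 1
+      network_url: ''
+      project_id_or_num: my-autoaccept-project-1
+    - connection_limit: 1
+      network_url: ''
+      project_id_or_num: my-autoaccept-project-2
+    consumer_reject_lists: null
+    description: Service attachment for SWP secure-web-proxy
+    domain_names: null
+    enable_proxy_protocol: false
+    name: secure-web-proxy
+    nat_subnets:
+    - projects/my-project/regions/europe-west4/subnetworks/my-psc-subnetwork
+    project: my-project
+    region: europe-west4
+    timeouts: null
+  module.secure-web-proxy.google_network_security_gateway_security_policy.default:
+    description: Managed by Terraform.
+    location: europe-west4
+    name: secure-web-proxy
+    project: my-project
+    timeouts: null
+    tls_inspection_policy: null
+  module.secure-web-proxy.google_network_services_gateway.default:
+    addresses:
+    - 10.142.68.3
+    certificate_urls:
+    - projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert
+    delete_swg_autogen_router_on_destroy: true
+    description: Managed by Terraform.
+    effective_labels:
+      example: value
+    labels:
+      example: value
+    location: europe-west4
+    name: secure-web-proxy
+    network: projects/my-project/global/networks/my-network
+    ports:
+    - 443
+    project: my-project
+    scope: ''
+    server_tls_policy: null
+    subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork
+    terraform_labels:
+      example: value
+    timeouts: null
+    type: SECURE_WEB_GATEWAY
+counts:
+  google_compute_service_attachment: 1
+  google_network_security_gateway_security_policy: 1
+  google_network_services_gateway: 1
+  modules: 1
+  resources: 3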
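Review bot: The `# file:` header of this new inventory still says `tests/modules/net_swp/examples/basic.yaml`, copied from the basic example, while the README registers it as `inventory=psc.yaml`; it should read `# file: tests/modules/net_swp/examples/psc.yaml`, and the copyright line says 2023 for a file added in 2024. On the positive side the fixture pins `connection_preference: ACCEPT_MANUAL`, which is the security-relevant default for an attachment that exposes the proxy to other VPCs, so a later change that flipped the default to automatic acceptance would fail this test.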


@@ -14,85 +14,106 @@
#
# file: tests/modules/net_swp/examples/rules.yaml
values:
module.secure-web-proxy.google_network_security_gateway_security_policy.policy:
name: "secure-web-proxy"
project: "my-project"
location: "europe-west4"
module.secure-web-proxy.google_network_services_gateway.gateway:
project: "my-project"
name: "secure-web-proxy"
location: "europe-west4"
type: "SECURE_WEB_GATEWAY"
addresses:
- "10.142.68.3"
ports: [80, 443]
certificate_urls: ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
network: "projects/my-project/global/networks/my-network"
subnetwork: "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
delete_swg_autogen_router_on_destroy: true
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.secure_tag_rules["secure-tag-1"]:
project: "my-project"
name: "secure-tag-1"
location: "europe-west4"
enabled: true
priority: 1000
session_matcher: "source.matchTag('tagValues/281484836404786')"
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.secure_tag_rules["secure-tag-2"]:
project: "my-project"
name: "secure-tag-2"
location: "europe-west4"
enabled: true
priority: 1001
session_matcher: "source.matchTag('tagValues/281484836404786') && (host() != 'google.com')"
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.url_list_rules["url-list-1"]:
project: "my-project"
name: "url-list-1"
location: "europe-west4"
enabled: true
priority: 1002
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.url_list_rules["url-list-2"]:
project: "my-project"
name: "url-list-2"
location: "europe-west4"
enabled: false
priority: 1003
session_matcher: "inUrlList(host(), 'projects/my-project/locations/europe-west4/urlLists/my-url-list') && (source.matchServiceAccount('my-sa@my-project.iam.gserviceaccount.com'))"
application_matcher: null
tls_inspection_enabled: false
basic_profile: "ALLOW"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy.default:
description: Managed by Terraform.
location: europe-west4
name: secure-web-proxy
project: my-project
timeouts: null
tls_inspection_policy: null
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
project: "my-project"
name: "custom-rule-1"
location: "europe-west4"
enabled: true
priority: 1004
session_matcher: "host() == 'google.com'"
application_matcher: null
basic_profile: DENY
description: Managed by Terraform.
enabled: true
location: europe-west4
name: custom-rule-1
priority: 1004
project: my-project
session_matcher: host() == 'google.com'
timeouts: null
tls_inspection_enabled: false
basic_profile: "DENY"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_url_lists.url_lists["my-url-list"]:
project: "my-project"
name: "my-url-list"
location: "europe-west4"
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.secure_tag_rules["secure-tag-1"]:
application_matcher: null
basic_profile: ALLOW
description: Managed by Terraform.
enabled: true
gateway_security_policy: secure-web-proxy
location: europe-west4
name: secure-tag-1
priority: 1000
project: my-project
session_matcher: source.matchTag('tagValues/281484836404786')
timeouts: null
tls_inspection_enabled: false
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.secure_tag_rules["secure-tag-2"]:
application_matcher: null
basic_profile: ALLOW
description: Managed by Terraform.
enabled: true
gateway_security_policy: secure-web-proxy
location: europe-west4
name: secure-tag-2
priority: 1001
project: my-project
session_matcher: source.matchTag('tagValues/281484836404786') && (host() != 'google.com')
timeouts: null
tls_inspection_enabled: false
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.url_list_rules["url-list-1"]:
application_matcher: null
basic_profile: ALLOW
description: Managed by Terraform.
enabled: true
gateway_security_policy: secure-web-proxy
location: europe-west4
name: url-list-1
priority: 1002
project: my-project
timeouts: null
tls_inspection_enabled: false
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.url_list_rules["url-list-2"]:
application_matcher: null
basic_profile: ALLOW
description: Managed by Terraform.
enabled: false
gateway_security_policy: secure-web-proxy
location: europe-west4
name: url-list-2
priority: 1003
project: my-project
session_matcher: inUrlList(host(), 'projects/my-project/locations/europe-west4/urlLists/my-url-list')
&& (source.matchServiceAccount('my-sa@my-project.iam.gserviceaccount.com'))
timeouts: null
tls_inspection_enabled: false
module.secure-web-proxy.google_network_security_url_lists.default["my-url-list"]:
description: Managed by Terraform.
location: europe-west4
name: my-url-list
project: my-project
timeouts: null
values:
- "www.google.com"
- "google.com"
description: "Managed by Terraform."
- www.google.com
- google.com
module.secure-web-proxy.google_network_services_gateway.default:
addresses:
- 10.142.68.3
certificate_urls:
- projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert
delete_swg_autogen_router_on_destroy: true
description: Managed by Terraform.
labels: null
location: europe-west4
name: secure-web-proxy
network: projects/my-project/global/networks/my-network
ports:
- 80
- 443
project: my-project
scope: ''
server_tls_policy: null
subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork
timeouts: null
type: SECURE_WEB_GATEWAY
counts:
google_network_security_gateway_security_policy: 1


@@ -14,53 +14,128 @@
#
# file: tests/modules/net_swp/examples/tls.yaml
values:
module.secure-web-proxy.google_network_security_gateway_security_policy.policy:
name: "secure-web-proxy"
project: "my-project"
location: "europe-west4"
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_tls_inspection_policy.tls-policy[0]:
project: "my-project"
name: "secure-web-proxy"
location: "europe-west4"
exclude_public_ca_set: false
description: "Managed by Terraform."
module.secure-web-proxy.google_network_services_gateway.gateway:
project: "my-project"
name: "secure-web-proxy"
location: "europe-west4"
type: "SECURE_WEB_GATEWAY"
addresses:
- "10.142.68.3"
ports: [443]
certificate_urls: ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
network: "projects/my-project/global/networks/my-network"
subnetwork: "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
delete_swg_autogen_router_on_destroy: true
description: "Managed by Terraform."
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
project: "my-project"
name: "custom-rule-1"
location: "europe-west4"
enabled: true
priority: 1000
session_matcher: "host() == 'google.com'"
application_matcher: "request.path.contains('generate_204')"
tls_inspection_enabled: true
basic_profile: "ALLOW"
description: "Managed by Terraform."
google_privateca_ca_pool.pool:
name: "secure-web-proxy-capool"
location: "europe-west4"
project: "my-project"
tier: "DEVOPS"
google_privateca_certificate_authority.ca:
certificate_authority_id: "secure-web-proxy-ca"
location: "europe-west4"
project: "my-project"
issuance_policy: []
labels: null
location: europe-west4
name: secure-web-proxy-capool
project: my-project
publishing_options: []
tier: DEVOPS
timeouts: null
google_privateca_ca_pool_iam_member.member:
role: "roles/privateca.certificateManager"
member: "serviceAccount:service-123456789@gcp-sa-networksecurity.iam.gserviceaccount.com"
condition: []
member: serviceAccount:service-123456789@gcp-sa-networksecurity.iam.gserviceaccount.com
role: roles/privateca.certificateManager
google_privateca_certificate_authority.ca:
certificate_authority_id: secure-web-proxy-ca
config:
- subject_config:
- subject:
- common_name: fabric
country_code: null
locality: null
organization: Cloud Foundation Fabric
organizational_unit: null
postal_code: null
province: null
street_address: null
subject_alt_name: []
subject_key_id: []
x509_config:
- additional_extensions: []
aia_ocsp_servers: null
ca_options:
- is_ca: true
max_issuer_path_length: null
non_ca: null
zero_max_issuer_path_length: null
key_usage:
- base_key_usage:
- cert_sign: true
content_commitment: null
crl_sign: true
data_encipherment: null
decipher_only: null
digital_signature: null
encipher_only: null
key_agreement: null
key_encipherment: null
extended_key_usage:
- client_auth: null
code_signing: null
email_protection: null
ocsp_signing: null
server_auth: true
time_stamping: null
unknown_extended_key_usages: []
name_constraints: []
policy_ids: []
deletion_protection: false
desired_state: null
gcs_bucket: null
ignore_active_certificates_on_deletion: false
key_spec:
- algorithm: EC_P256_SHA256
cloud_kms_key_version: null
labels: null
lifetime: 1209600s
location: europe-west4
pem_ca_certificate: null
pool: secure-web-proxy-capool
project: my-project
skip_grace_period: false
subordinate_config: []
timeouts: null
type: SELF_SIGNED
module.secure-web-proxy.google_network_security_gateway_security_policy.default:
description: Managed by Terraform.
location: europe-west4
name: secure-web-proxy
project: my-project
timeouts: null
module.secure-web-proxy.google_network_security_gateway_security_policy_rule.custom_rules["custom-rule-1"]:
application_matcher: request.path.contains('generate_204')
basic_profile: ALLOW
description: Managed by Terraform.
enabled: true
location: europe-west4
name: custom-rule-1
priority: 1000
project: my-project
session_matcher: host() == 'google.com'
timeouts: null
tls_inspection_enabled: true
module.secure-web-proxy.google_network_security_tls_inspection_policy.default[0]:
custom_tls_features: null
description: Managed by Terraform.
exclude_public_ca_set: false
location: europe-west4
min_tls_version: null
name: secure-web-proxy
project: my-project
timeouts: null
tls_feature_profile: null
trust_config: null
module.secure-web-proxy.google_network_services_gateway.default:
addresses:
- 10.142.68.3
certificate_urls:
- projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert
delete_swg_autogen_router_on_destroy: true
description: Managed by Terraform.
labels: null
location: europe-west4
name: secure-web-proxy
network: projects/my-project/global/networks/my-network
ports:
- 443
project: my-project
scope: ''
server_tls_policy: null
subnetwork: projects/my-project/regions/europe-west4/subnetworks/my-subnetwork
timeouts: null
type: SECURE_WEB_GATEWAY
counts:
google_network_security_gateway_security_policy: 1