Add example with transparent proxy and E2E test

modules/net-swp/README.md

@@ -14,6 +14,7 @@ When deploying SWP, the required ad-hoc [Cloud Router](https://cloud.google.com/
 - [PSC service attachments](#psc-service-attachments)
 - [Secure Web Proxy with rules](#secure-web-proxy-with-rules)
 - [Secure Web Proxy with TLS inspection](#secure-web-proxy-with-tls-inspection)
+- [Secure Web Proxy as transparent proxy](#secure-web-proxy-as-transparent-proxy)
 - [Factories](#factories)
 - [Variables](#variables)
 - [Outputs](#outputs)
@@ -78,7 +79,7 @@ module "secure-web-proxy" {
 
 ## Secure Web Proxy with rules
 
-This example shows different ways of definining policy rules, including how to leverage substition for internally generated URL maps, or externally defined resources.
+This example shows different ways of defining policy rules, including how to leverage substitution for internally generated URL maps, or externally defined resources.
 
 ```hcl
 module "secure-web-proxy" {
@@ -274,6 +275,67 @@ module "secure-web-proxy" {
 # tftest modules=1 resources=3 inventory=tls-no-ip.yaml
 ```
 
+## Secure Web Proxy as transparent proxy
+To use Secure Web Proxy as transparent proxy, define it as a default gateway for the tag or create policy based routes as described in the [documentation](https://cloud.google.com/secure-web-proxy/docs/deploy-next-hop). Secure Web Proxy passes only traffic on the ports that it listens. Configure rules as documented in earlier sections.
+
+```hcl
+locals {
+  swp_address = "10.0.2.2"
+}
+module "vpc" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = var.project_id
+  name       = "swp-network"
+  routes = {
+    gateway = {
+      dest_range    = "0.0.0.0/0",
+      priority      = 100
+      tags          = ["swp"] # only traffic from instances tagged 'swp' will be inspected
+      next_hop_type = "ilb",
+      next_hop      = local.swp_address # resource doesn't allow to obtain address
+    }
+  }
+  subnets_proxy_only = [ # SWP requires proxy-only subnet
+    {
+      ip_cidr_range = "10.0.1.0/24"
+      name          = "regional-proxy"
+      region        = var.region
+      active        = true
+    }
+  ]
+  subnets = [
+    {
+      ip_cidr_range = "10.0.2.0/24"
+      name          = "production"
+      region        = var.region
+    }
+  ]
+}
+
+module "secure-web-proxy" {
+  source     = "./fabric/modules/net-swp"
+  project_id = var.project_id
+  region     = var.region
+  name       = "secure-web-proxy"
+  network    = module.vpc.id
+  subnetwork = module.vpc.subnets["${var.region}/production"].id
+  gateway_config = {
+    addresses             = [local.swp_address] # SWP allows only providing unreserved addresses, must provide address to avoid drift
+    next_hop_routing_mode = true
+    ports                 = [80, 443] # specify all ports to be intercepted
+  }
+  policy_rules = {
+    proxy-rule = {
+      priority        = 100
+      session_matcher = "true" # pass all traffic
+      tls_inspect     = false
+    }
+  }
+}
+
+# tftest inventory=transparent-proxy.yaml e2e
+```
+
 ## Factories
 
 URL lists and policies rules can also be defined via YAML-based factories, similarly to several other modules. Data coming from factories is internally merged with variables data, with factories having precedence in case duplicate keys are present in both.

modules/net-swp/main.tf

@@ -60,6 +60,8 @@ resource "google_network_security_tls_inspection_policy" "default" {
   description           = coalesce(var.tls_inspection_config.create_config.description, var.description)
   ca_pool               = var.tls_inspection_config.create_config.ca_pool
   exclude_public_ca_set = var.tls_inspection_config.create_config.exclude_public_ca_set
+  min_tls_version       = "TLS_VERSION_UNSPECIFIED" # to avoid drift, not supported by Secure Web Proxy
+  tls_feature_profile   = "PROFILE_UNSPECIFIED"     # to avoid drift, not supported by Secure Web Proxy
 }
 
 moved {

modules/net-swp/policy-rules.tf

@@ -89,4 +89,9 @@ resource "google_network_security_gateway_security_policy_rule" "default" {
       each.value.allow == false ? "DENY" : "BASIC_PROFILE_UNSPECIFIED"
     )
   )
+  lifecycle {
+    # add a trigger to recreate rules, if the policy is replaced
+    # because it is referenced by name, this won't happen automatically, as it would, if referenced by id
+    replace_triggered_by = [google_network_security_gateway_security_policy.default.id]
+  }
 }

tests/examples_e2e/setup_module/main.tf

@@ -27,6 +27,7 @@ locals {
     "artifactregistry.googleapis.com",
     "assuredworkloads.googleapis.com",
     "bigquery.googleapis.com",
+    "certificatemanager.googleapis.com",
     "cloudbuild.googleapis.com",
     "cloudfunctions.googleapis.com",
     "cloudkms.googleapis.com",
@@ -44,6 +45,9 @@ locals {
     "looker.googleapis.com",
     "monitoring.googleapis.com",
     "networkconnectivity.googleapis.com",
+    "networksecurity.googleapis.com",
+    "networkservices.googleapis.com",
+    "privateca.googleapis.com",
     "pubsub.googleapis.com",
     "run.googleapis.com",
     "secretmanager.googleapis.com",

tests/modules/net_swp/examples/tls.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -121,9 +121,11 @@ values:
     description: Managed by Terraform.
     exclude_public_ca_set: false
     location: europe-west4
+    min_tls_version: TLS_VERSION_UNSPECIFIED
     name: secure-web-proxy
     project: my-project
     timeouts: null
+    tls_feature_profile: PROFILE_UNSPECIFIED
     trust_config: null
   module.secure-web-proxy.google_network_services_gateway.default:
     addresses:

tests/modules/net_swp/examples/transparent-proxy.yaml

@@ -0,0 +1,93 @@
+
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+values:
+  module.secure-web-proxy.google_network_security_gateway_security_policy.default:
+    description: Managed by Terraform.
+    location: europe-west8
+    name: secure-web-proxy
+    project: project-id
+    tls_inspection_policy: null
+  module.secure-web-proxy.google_network_security_gateway_security_policy_rule.default["proxy-rule"]:
+    application_matcher: null
+    basic_profile: ALLOW
+    description: Managed by Terraform.
+    enabled: true
+    gateway_security_policy: secure-web-proxy
+    location: europe-west8
+    name: proxy-rule
+    priority: 100
+    project: project-id
+    session_matcher: 'true'
+    tls_inspection_enabled: false
+  module.secure-web-proxy.google_network_services_gateway.default:
+    addresses:
+    - 10.0.2.2
+    certificate_urls: []
+    delete_swg_autogen_router_on_destroy: true
+    description: Managed by Terraform.
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    location: europe-west8
+    name: secure-web-proxy
+    ports:
+    - 80
+    - 443
+    project: project-id
+    routing_mode: NEXT_HOP_ROUTING_MODE
+    scope: null
+    server_tls_policy: null
+    type: SECURE_WEB_GATEWAY
+  module.vpc.google_compute_network.network[0]:
+    name: swp-network
+    project: project-id
+  module.vpc.google_compute_route.ilb["gateway"]:
+    description: Terraform-managed.
+    dest_range: 0.0.0.0/0
+    name: swp-network-gateway
+    network: swp-network
+    next_hop_gateway: null
+    next_hop_ilb: 10.0.2.2
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 100
+    project: project-id
+    tags:
+    - swp
+  module.vpc.google_compute_subnetwork.proxy_only["europe-west8/regional-proxy"]:
+    description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal
+      HTTPS or Cross-Regional HTTPS Internal LB.
+    ip_cidr_range: 10.0.1.0/24
+    log_config: []
+    name: regional-proxy
+    network: swp-network
+    project: project-id
+    purpose: REGIONAL_MANAGED_PROXY
+    region: europe-west8
+    role: ACTIVE
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west8/production"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.2.0/24
+    log_config: []
+    name: production
+    network: swp-network
+    private_ip_google_access: true
+    project: project-id
+    region: europe-west8
+    send_secondary_ip_range_if_empty: true
+
+counts:
+  google_network_security_gateway_security_policy: 1