98 lines
3.6 KiB
HCL
98 lines
3.6 KiB
HCL
/**
|
|
* Copyright 2024 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
locals {
|
|
_policy_rules_path = try(pathexpand(var.factories_config.policy_rules), null)
|
|
_policy_rules = {
|
|
for f in try(fileset(local._policy_rules_path, "**/*.yaml"), []) :
|
|
basename(trimsuffix(f, ".yaml")) => yamldecode(file(
|
|
"${local._policy_rules_path}/${f}"
|
|
))
|
|
}
|
|
policy_rules_args = {
|
|
for k, v in local.policy_rules : k => {
|
|
application = [
|
|
for vv in v.matcher_args.application :
|
|
zipmap(["context", "value"], split(":", vv))
|
|
]
|
|
session = [
|
|
for vv in v.matcher_args.session :
|
|
zipmap(["context", "value"], split(":", vv))
|
|
]
|
|
}
|
|
}
|
|
policy_rules_contexts = {
|
|
secure_tag = var.policy_rules_contexts.secure_tags
|
|
service_account = var.policy_rules_contexts.service_accounts
|
|
url_list = merge(var.policy_rules_contexts.url_lists, {
|
|
for k, v in google_network_security_url_lists.default : k => v.id
|
|
})
|
|
}
|
|
policy_rules = merge(var.policy_rules, {
|
|
for k, v in local._policy_rules : k => {
|
|
priority = v.priority
|
|
allow = lookup(v, "allow", true)
|
|
description = lookup(v, "description", null)
|
|
enabled = lookup(v, "enable", true)
|
|
application_matcher = lookup(v, "application_matcher", null)
|
|
session_matcher = lookup(v, "session_matcher", null)
|
|
tls_inspect = lookup(v, "tls_inspect", null)
|
|
matcher_args = {
|
|
application = try(v.matcher_args.application, [])
|
|
session = try(v.matcher_args.session, [])
|
|
}
|
|
}
|
|
})
|
|
}
|
|
|
|
resource "google_network_security_gateway_security_policy_rule" "default" {
|
|
for_each = local.policy_rules
|
|
project = var.project_id
|
|
location = var.region
|
|
description = coalesce(each.value.description, var.description)
|
|
enabled = each.value.enabled
|
|
name = each.key
|
|
priority = each.value.priority
|
|
tls_inspection_enabled = each.value.tls_inspect
|
|
gateway_security_policy = (
|
|
google_network_security_gateway_security_policy.default.name
|
|
)
|
|
application_matcher = each.value.application_matcher == null ? null : format(
|
|
each.value.application_matcher, [
|
|
for v in local.policy_rules_args[each.key].application :
|
|
lookup(local.policy_rules_contexts[v.context], v.value, v.value)
|
|
]...
|
|
)
|
|
session_matcher = each.value.session_matcher == null ? null : format(
|
|
each.value.session_matcher, [
|
|
for v in local.policy_rules_args[each.key].session :
|
|
lookup(local.policy_rules_contexts[v.context], v.value, v.value)
|
|
]...
|
|
)
|
|
basic_profile = (
|
|
each.value.allow == true
|
|
? "ALLOW"
|
|
: (
|
|
each.value.allow == false ? "DENY" : "BASIC_PROFILE_UNSPECIFIED"
|
|
)
|
|
)
|
|
lifecycle {
|
|
# add a trigger to recreate rules, if the policy is replaced
|
|
# because it is referenced by name, this won't happen automatically, as it would, if referenced by id
|
|
replace_triggered_by = [google_network_security_gateway_security_policy.default.id]
|
|
}
|
|
}
|