167 lines
4.8 KiB
HCL
167 lines
4.8 KiB
HCL
/**
|
|
* Copyright 2023 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
variable "certificates" {
|
|
description = "List of certificates to be used for Secure Web Proxy."
|
|
type = list(string)
|
|
nullable = false
|
|
default = []
|
|
}
|
|
|
|
variable "description" {
|
|
description = "Optional description for the created resources."
|
|
type = string
|
|
default = "Managed by Terraform."
|
|
}
|
|
|
|
variable "factories_config" {
|
|
description = "Path to folder with YAML resource description data files."
|
|
type = object({
|
|
policy_rules = optional(string)
|
|
url_lists = optional(string)
|
|
})
|
|
nullable = false
|
|
default = {}
|
|
}
|
|
|
|
variable "gateway_config" {
|
|
description = "Optional Secure Web Gateway configuration."
|
|
type = object({
|
|
addresses = optional(list(string), [])
|
|
delete_router_on_destroy = optional(bool, true)
|
|
labels = optional(map(string), {})
|
|
next_hop_routing_mode = optional(bool, false)
|
|
ports = optional(list(string), [443])
|
|
scope = optional(string)
|
|
})
|
|
nullable = false
|
|
}
|
|
|
|
variable "name" {
|
|
description = "Name of the Secure Web Proxy resource."
|
|
type = string
|
|
}
|
|
|
|
variable "network" {
|
|
description = "Name of the network the Secure Web Proxy is deployed into."
|
|
type = string
|
|
}
|
|
|
|
variable "policy_rules" {
|
|
description = "Policy rules definitions. Merged with policy rules defined via the factory."
|
|
type = map(object({
|
|
priority = number
|
|
allow = optional(bool, true)
|
|
description = optional(string)
|
|
enabled = optional(bool, true)
|
|
application_matcher = optional(string)
|
|
session_matcher = optional(string)
|
|
tls_inspect = optional(bool)
|
|
matcher_args = optional(object({
|
|
application = optional(list(string), [])
|
|
session = optional(list(string), [])
|
|
}), {})
|
|
}))
|
|
nullable = false
|
|
default = {}
|
|
validation {
|
|
condition = alltrue(flatten([
|
|
for k, v in var.policy_rules : concat(
|
|
[
|
|
for vv in v.matcher_args.application :
|
|
contains(["secure_tag", "service_account", "url_list"], split(":", vv)[0])
|
|
],
|
|
[
|
|
for vv in v.matcher_args.session :
|
|
contains(["secure_tag", "service_account", "url_list"], split(":", vv)[0])
|
|
],
|
|
)
|
|
]))
|
|
error_message = "Matcher arguments need to use a 'serviceaccount:' 'tag:' or 'url_list:' prefix."
|
|
}
|
|
}
|
|
|
|
variable "policy_rules_contexts" {
|
|
description = "Replacement contexts for policy rules matcher arguments."
|
|
type = object({
|
|
secure_tags = optional(map(string), {})
|
|
service_accounts = optional(map(string), {})
|
|
url_lists = optional(map(string), {})
|
|
})
|
|
nullable = false
|
|
default = {}
|
|
}
|
|
|
|
variable "project_id" {
|
|
description = "Project id of the project that holds the network."
|
|
type = string
|
|
}
|
|
|
|
variable "region" {
|
|
description = "Region where resources will be created."
|
|
type = string
|
|
}
|
|
|
|
variable "service_attachment" {
|
|
description = "PSC service attachment configuration."
|
|
type = object({
|
|
nat_subnets = list(string)
|
|
automatic_connection = optional(bool, false)
|
|
consumer_accept_lists = optional(map(string), {})
|
|
consumer_reject_lists = optional(list(string))
|
|
description = optional(string)
|
|
domain_name = optional(string)
|
|
enable_proxy_protocol = optional(bool, false)
|
|
reconcile_connections = optional(bool)
|
|
})
|
|
default = null
|
|
}
|
|
|
|
variable "subnetwork" {
|
|
description = "Name of the subnetwork the Secure Web Proxy is deployed into."
|
|
type = string
|
|
}
|
|
|
|
variable "tls_inspection_config" {
|
|
description = "TLS inspection configuration."
|
|
type = object({
|
|
create_config = optional(object({
|
|
ca_pool = optional(string, null)
|
|
description = optional(string, null)
|
|
exclude_public_ca_set = optional(bool, false)
|
|
}), null)
|
|
id = optional(string, null)
|
|
})
|
|
nullable = false
|
|
default = {}
|
|
validation {
|
|
condition = !(
|
|
var.tls_inspection_config.create_config != null &&
|
|
var.tls_inspection_config.id != null
|
|
)
|
|
error_message = "You can't assign values both to `create.config.ca_pool` and `id`."
|
|
}
|
|
}
|
|
|
|
variable "url_lists" {
|
|
description = "URL lists."
|
|
type = map(object({
|
|
values = list(string)
|
|
description = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|