This module allows creation and management of Secure Web Proxy alongside with its security policies:
- Secure tag based rules via the
policy_rules.secure_tagsvariable - Url list rules via the
policy_rules.url_listsvariable - Custom rules via the
policy_rules.custom
It also allows to deploy SWP as a Private Service Connect service. This means that a single SWP deployment can be used from across different VPCs, regardless of whether they are interconnected.
A Proxy-only subnet must exist in the VPC where SWP is deployed.
When deploying SWP, the required ad-hoc Cloud Router is also created.
(Note that this will not allow any request to pass.)
module "secure-web-proxy" {
source = "./fabric/modules/net-swp"
project_id = "my-project"
region = "europe-west4"
name = "secure-web-proxy"
network = "projects/my-project/global/networks/my-network"
subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
addresses = ["10.142.68.3"]
certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
labels = {
example = "value"
}
}
# tftest modules=1 resources=2 inventory=basic.yamlThe optional service_attachment variable allows deploying SWP as a Private Service Connect service attachment
module "secure-web-proxy" {
source = "./fabric/modules/net-swp"
project_id = "my-project"
region = "europe-west4"
name = "secure-web-proxy"
network = "projects/my-project/global/networks/my-network"
subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
addresses = ["10.142.68.3"]
certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
labels = {
example = "value"
}
service_attachment = {
nat_subnets = ["projects/my-project/regions/europe-west4/subnetworks/my-psc-subnetwork"]
consumer_accept_lists = {
"my-autoaccept-project-1" = 1,
"my-autoaccept-project-2" = 1
}
}
}
# tftest modules=1 resources=3 inventory=psc.yamlmodule "secure-web-proxy" {
source = "./fabric/modules/net-swp"
project_id = "my-project"
region = "europe-west4"
name = "secure-web-proxy"
network = "projects/my-project/global/networks/my-network"
subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
addresses = ["10.142.68.3"]
certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
ports = [80, 443]
policy_rules = {
secure_tags = {
secure-tag-1 = {
tag = "tagValues/281484836404786"
priority = 1000
}
secure-tag-2 = {
tag = "tagValues/281484836404786"
session_matcher = "host() != 'google.com'"
priority = 1001
}
}
url_lists = {
url-list-1 = {
url_list = "my-url-list"
values = ["www.google.com", "google.com"]
priority = 1002
}
url-list-2 = {
url_list = "projects/my-project/locations/europe-west4/urlLists/my-url-list"
session_matcher = "source.matchServiceAccount('[email protected]')"
enabled = false
priority = 1003
}
}
custom = {
custom-rule-1 = {
priority = 1004
session_matcher = "host() == 'google.com'"
action = "DENY"
}
}
}
}
# tftest modules=1 resources=8 inventory=rules.yamlresource "google_privateca_ca_pool" "pool" {
name = "secure-web-proxy-capool"
location = "europe-west4"
project = "my-project"
tier = "DEVOPS"
}
resource "google_privateca_certificate_authority" "ca" {
pool = google_privateca_ca_pool.pool.name
certificate_authority_id = "secure-web-proxy-ca"
location = "europe-west4"
project = "my-project"
deletion_protection = "false"
config {
subject_config {
subject {
organization = "Cloud Foundation Fabric"
common_name = "fabric"
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
lifetime = "1209600s"
key_spec {
algorithm = "EC_P256_SHA256"
}
}
resource "google_privateca_ca_pool_iam_member" "member" {
ca_pool = google_privateca_ca_pool.pool.id
role = "roles/privateca.certificateManager"
member = "serviceAccount:[email protected]"
}
module "secure-web-proxy" {
source = "./fabric/modules/net-swp"
project_id = "my-project"
region = "europe-west4"
name = "secure-web-proxy"
network = "projects/my-project/global/networks/my-network"
subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
addresses = ["10.142.68.3"]
certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
ports = [443]
policy_rules = {
custom = {
custom-rule-1 = {
priority = 1000
session_matcher = "host() == 'google.com'"
application_matcher = "request.path.contains('generate_204')"
action = "ALLOW"
tls_inspection_enabled = true
}
}
}
tls_inspection_config = {
ca_pool = google_privateca_ca_pool.pool.id
}
}
# tftest modules=1 resources=7 inventory=tls.yaml| name | description | type | required | default |
|---|---|---|---|---|
| addresses | One or more IP addresses to be used for Secure Web Proxy. | list(string) |
✓ | |
| certificates | List of certificates to be used for Secure Web Proxy. | list(string) |
✓ | |
| name | Name of the Secure Web Proxy resource. | string |
✓ | |
| network | Name of the network the Secure Web Proxy is deployed into. | string |
✓ | |
| project_id | Project id of the project that holds the network. | string |
✓ | |
| region | Region where resources will be created. | string |
✓ | |
| subnetwork | Name of the subnetwork the Secure Web Proxy is deployed into. | string |
✓ | |
| delete_swg_autogen_router_on_destroy | Delete automatically provisioned Cloud Router on destroy. | bool |
true |
|
| description | Optional description for the created resources. | string |
"Managed by Terraform." |
|
| labels | Resource labels. | map(string) |
{} |
|
| policy_rules | List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | object({…}) |
{} |
|
| ports | Ports to use for Secure Web Proxy. | list(number) |
[443] |
|
| scope | Scope determines how configuration across multiple Gateway instances are merged. | string |
null |
|
| service_attachment | PSC service attachment configuration. | object({…}) |
null |
|
| tls_inspection_config | TLS inspection configuration. | object({…}) |
null |
| name | description | sensitive |
|---|---|---|
| gateway | The gateway resource. | |
| gateway_security_policy | The gateway security policy resource. | |
| id | ID of the gateway resource. | |
| service_attachment | ID of the service attachment resource, if created. |