# Google Cloud Secure Web Proxy

This module allows creation and management of [Secure Web Proxy](https://cloud.google.com/secure-web-proxy/docs/overview) along with its security policies:

- Secure-tag-based rules via the `policy_rules.secure_tags` variable
- URL list rules via the `policy_rules.url_lists` variable
- Custom rules via the `policy_rules.custom` variable

## Examples

### Minimal Secure Web Proxy

(Note that, without any policy rules, this proxy will not allow any request to pass.)

```hcl
module "secure-web-proxy" {
  source     = "./fabric/modules/net-swp"
  project_id = "my-project"
  region     = "europe-west4"
  name       = "secure-web-proxy"
  network    = "projects/my-project/global/networks/my-network"
  subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses  = ["10.142.68.3"]
  certificates = [
    "projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"
  ]
  labels = {
    example = "value"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml
```

### Secure Web Proxy with rules

```hcl
module "secure-web-proxy" {
  source     = "./fabric/modules/net-swp"
  project_id = "my-project"
  region     = "europe-west4"
  name       = "secure-web-proxy"
  network    = "projects/my-project/global/networks/my-network"
  subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses  = ["10.142.68.3"]
  certificates = [
    "projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"
  ]
  ports = [80, 443]
  policy_rules = {
    secure_tags = {
      secure-tag-1 = {
        tag      = "tagValues/281484836404786"
        priority = 1000
      }
      secure-tag-2 = {
        tag             = "tagValues/281484836404786"
        session_matcher = "host() != 'google.com'"
        priority        = 1001
      }
    }
    url_lists = {
      url-list-1 = {
        url_list = "my-url-list"
        values   = ["www.google.com", "google.com"]
        priority = 1002
      }
      url-list-2 = {
        url_list        = "projects/my-project/locations/europe-west4/urlLists/my-url-list"
        session_matcher = "source.matchServiceAccount('my-sa@my-project.iam.gserviceaccount.com')"
        enabled         = false
        priority        = 1003
      }
    }
    custom = {
      custom-rule-1 = {
        priority        = 1004
        session_matcher = "host() == 'google.com'"
        action          = "DENY"
      }
    }
  }
}
# tftest modules=1 resources=8 inventory=rules.yaml
```

### Secure Web Proxy with TLS inspection

```hcl
resource "google_privateca_ca_pool" "pool" {
  name     = "secure-web-proxy-capool"
  location = "europe-west4"
  project  = "my-project"
  tier     = "DEVOPS"
}

resource "google_privateca_certificate_authority" "ca" {
  pool                     = google_privateca_ca_pool.pool.name
  certificate_authority_id = "secure-web-proxy-ca"
  location                 = "europe-west4"
  project                  = "my-project"
  deletion_protection      = false
  config {
    subject_config {
      subject {
        organization = "Cloud Foundation Fabric"
        common_name  = "fabric"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "1209600s"
  key_spec {
    algorithm = "EC_P256_SHA256"
  }
}

# The Secure Web Proxy service agent needs to issue certificates from the pool
# in order to perform TLS inspection.
resource "google_privateca_ca_pool_iam_member" "member" {
  ca_pool = google_privateca_ca_pool.pool.id
  role    = "roles/privateca.certificateManager"
  member  = "serviceAccount:service-123456789@gcp-sa-networksecurity.iam.gserviceaccount.com"
}

module "secure-web-proxy" {
  source     = "./fabric/modules/net-swp"
  project_id = "my-project"
  region     = "europe-west4"
  name       = "secure-web-proxy"
  network    = "projects/my-project/global/networks/my-network"
  subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses  = ["10.142.68.3"]
  certificates = [
    "projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"
  ]
  ports = [443]
  policy_rules = {
    custom = {
      custom-rule-1 = {
        priority               = 1000
        session_matcher        = "host() == 'google.com'"
        application_matcher    = "request.path.contains('generate_204')"
        action                 = "ALLOW"
        tls_inspection_enabled = true
      }
    }
  }
  tls_inspection_config = {
    ca_pool = google_privateca_ca_pool.pool.id
  }
}
# tftest modules=1 resources=7 inventory=tls.yaml
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [addresses](variables.tf#L19) | One or more IP addresses to be used for Secure Web Proxy. | list(string) | ✓ | |
| [certificates](variables.tf#L28) | List of certificates to be used for Secure Web Proxy. | list(string) | ✓ | |
| [name](variables.tf#L51) | Name of the Secure Web Proxy resource. | string | ✓ | |
| [network](variables.tf#L56) | Name of the network the Secure Web Proxy is deployed into. | string | ✓ | |
| [project_id](variables.tf#L120) | Project id of the project that holds the network. | string | ✓ | |
| [region](variables.tf#L125) | Region where resources will be created. | string | ✓ | |
| [subnetwork](variables.tf#L136) | Name of the subnetwork the Secure Web Proxy is deployed into. | string | ✓ | |
| [delete_swg_autogen_router_on_destroy](variables.tf#L33) | Delete the automatically provisioned Cloud Router on destroy. | bool | | true |
| [description](variables.tf#L39) | Optional description for the created resources. | string | | "Managed by Terraform." |
| [labels](variables.tf#L45) | Resource labels. | map(string) | | {} |
| [policy_rules](variables.tf#L61) | List of policy rule definitions; the action defaults to allow. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. | object({…}) | | {} |
| [ports](variables.tf#L114) | Ports to use for Secure Web Proxy. | list(number) | | [443] |
| [scope](variables.tf#L130) | Scope determines how configuration across multiple Gateway instances is merged. | string | | null |
| [tls_inspection_config](variables.tf#L141) | TLS inspection configuration. | object({…}) | | null |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [gateway](outputs.tf#L17) | The gateway resource. | |
| [gateway_security_policy](outputs.tf#L22) | The gateway security policy resource. | |
| [id](outputs.tf#L27) | ID of the gateway resource. | |