zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/net-swp
History
Ludovico Magnocavallo 6941313c7d
Factories refactor (#1843) 
* factories refactor doc

* Adds file schema and filesystem organization

* Update 20231106-factories.md

* move factories out of blueprints and create new factories  README

* align factory in billing-account module

* align factory in dataplex-datascan module

* align factory in billing-account module

* align factory in net-firewall-policy module

* align factory in dns-response-policy module

* align factory in net-vpc-firewall module

* align factory in net-vpc module

* align factory variable names in FAST

* remove decentralized firewall blueprint

* bump terraform version

* bump module versions

* update top-level READMEs

* move project factory to modules

* fix variable names and tests

* tfdoc

* remove changelog link

* add project factory to top-level README

* fix cludrun eventarc diff

* fix README

* fix cludrun eventarc diff

---------

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
 		2024-02-26 10:16:52 +00:00
..
README.md Enforce mandatory types in all variables (#1737) 2023-10-06 09:44:33 +00:00
main.tf renaming net-vpc-swp to net-swp 2023-08-01 16:23:12 +02:00
outputs.tf renaming net-vpc-swp to net-swp 2023-08-01 16:23:12 +02:00
variables.tf Enforce mandatory types in all variables (#1737) 2023-10-06 09:44:33 +00:00
versions.tf Factories refactor (#1843) 2024-02-26 10:16:52 +00:00

README.md

Google Cloud Secure Web Proxy

This module allows creation and management of Secure Web Proxy alongside with its security policies:

  • Secure tag based rules via the policy_rules.secure_tags variable
  • Url list rules via the policy_rules.url_lists variable
  • Custom rules via the policy_rules.custom

Examples

Minimal Secure Web Proxy

(Note that this will not allow any request to pass.)

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  labels = {
    example = "value"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml

Secure Web Proxy with rules

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [80, 443]
  policy_rules = {
    secure_tags = {
      secure-tag-1 = {
        tag      = "tagValues/281484836404786"
        priority = 1000
      }
      secure-tag-2 = {
        tag             = "tagValues/281484836404786"
        session_matcher = "host() != 'google.com'"
        priority        = 1001
      }
    }
    url_lists = {
      url-list-1 = {
        url_list = "my-url-list"
        values   = ["www.google.com", "google.com"]
        priority = 1002
      }
      url-list-2 = {
        url_list        = "projects/my-project/locations/europe-west4/urlLists/my-url-list"
        session_matcher = "source.matchServiceAccount('my-sa@my-project.iam.gserviceaccount.com')"
        enabled         = false
        priority        = 1003
      }
    }
    custom = {
      custom-rule-1 = {
        priority        = 1004
        session_matcher = "host() == 'google.com'"
        action          = "DENY"
      }
    }
  }
}
# tftest modules=1 resources=8 inventory=rules.yaml

Secure Web Proxy with TLS inspection

resource "google_privateca_ca_pool" "pool" {
  name     = "secure-web-proxy-capool"
  location = "europe-west4"
  project  = "my-project"

  tier = "DEVOPS"
}

resource "google_privateca_certificate_authority" "ca" {
  pool                     = google_privateca_ca_pool.pool.name
  certificate_authority_id = "secure-web-proxy-ca"
  location                 = "europe-west4"
  project                  = "my-project"

  deletion_protection = "false"

  config {
    subject_config {
      subject {
        organization = "Cloud Foundation Fabric"
        common_name  = "fabric"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "1209600s"
  key_spec {
    algorithm = "EC_P256_SHA256"
  }
}

resource "google_privateca_ca_pool_iam_member" "member" {
  ca_pool = google_privateca_ca_pool.pool.id
  role    = "roles/privateca.certificateManager"
  member  = "serviceAccount:service-123456789@gcp-sa-networksecurity.iam.gserviceaccount.com"
}

module "secure-web-proxy" {
  source = "./fabric/modules/net-swp"

  project_id   = "my-project"
  region       = "europe-west4"
  name         = "secure-web-proxy"
  network      = "projects/my-project/global/networks/my-network"
  subnetwork   = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses    = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  ports        = [443]
  policy_rules = {
    custom = {
      custom-rule-1 = {
        priority               = 1000
        session_matcher        = "host() == 'google.com'"
        application_matcher    = "request.path.contains('generate_204')"
        action                 = "ALLOW"
        tls_inspection_enabled = true
      }
    }
  }
  tls_inspection_config = {
    ca_pool = google_privateca_ca_pool.pool.id
  }
}
# tftest modules=1 resources=7 inventory=tls.yaml

Variables

name description type required default
addresses One or more IP addresses to be used for Secure Web Proxy. list(string)
certificates List of certificates to be used for Secure Web Proxy. list(string)
name Name of the Secure Web Proxy resource. string
network Name of the network the Secure Web Proxy is deployed into. string
project_id Project id of the project that holds the network. string
region Region where resources will be created. string
subnetwork Name of the subnetwork the Secure Web Proxy is deployed into. string
delete_swg_autogen_router_on_destroy Delete automatically provisioned Cloud Router on destroy. bool true
description Optional description for the created resources. string "Managed by Terraform."
labels Resource labels. map(string) {}
policy_rules List of policy rule definitions, default to allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. object({…}) {}
ports Ports to use for Secure Web Proxy. list(number) [443]
scope Scope determines how configuration across multiple Gateway instances are merged. string null
tls_inspection_config TLS inspection configuration. object({…}) null

Outputs

name description sensitive
gateway The gateway resource.
gateway_security_policy The gateway security policy resource.
id ID of the gateway resource.