Google Cloud Secure Web Proxy
This module allows creation and management of a Secure Web Proxy together with its security
policies:
- Secure tag based rules via the
policy_rules.secure_tags
variable
- Url list rules via the
policy_rules.url_lists
variable
- Custom rules via the
policy_rules.custom
variable
Examples
Minimal Secure Web Proxy
(Note that, since no policy rules are defined, this proxy will not allow any request to pass.)
# Minimal proxy: no policy_rules are set, so the gateway security policy has
# no rules and every request through the proxy is denied. ports is left at its
# default ([443]).
module "secure-web-proxy" {
  source     = "./fabric/modules/net-swp"
  project_id = "my-project"
  region     = "europe-west4"
  name       = "secure-web-proxy"
  # Network and subnetwork the proxy is deployed into, as full resource names.
  network    = "projects/my-project/global/networks/my-network"
  subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  # IP address(es) the proxy is reachable on; presumably taken from the
  # subnetwork range above -- confirm before applying.
  addresses = ["10.142.68.3"]
  # Certificate Manager certificate used by the proxy, as a full resource name.
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  labels = {
    example = "value"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml
Secure Web Proxy with rules
# Proxy with a gateway security policy holding secure-tag, URL-list and custom
# rules. Rules default to the ALLOW action (see the policy_rules variable);
# only custom-rule-1 below overrides this with an explicit DENY.
module "secure-web-proxy" {
  source     = "./fabric/modules/net-swp"
  project_id = "my-project"
  region     = "europe-west4"
  name       = "secure-web-proxy"
  network    = "projects/my-project/global/networks/my-network"
  subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses  = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  # Listen on plain HTTP as well as HTTPS.
  ports = [80, 443]
  policy_rules = {
    secure_tags = {
      # Matches sessions from sources carrying this tag value; action is the
      # default ALLOW. priority is the rule's precedence within the policy
      # (presumably lower values are evaluated first -- confirm against the
      # provider documentation).
      secure-tag-1 = {
        tag      = "tagValues/281484836404786"
        priority = 1000
      }
      # Same tag value, narrowed by a CEL session_matcher: only sessions whose
      # destination host is not google.com match this rule.
      secure-tag-2 = {
        tag             = "tagValues/281484836404786"
        session_matcher = "host() != 'google.com'"
        priority        = 1001
      }
    }
    url_lists = {
      # Only values is given, so the module creates the URL list "my-url-list"
      # with these entries (see the policy_rules variable description).
      url-list-1 = {
        url_list = "my-url-list"
        values   = ["www.google.com", "google.com"]
        priority = 1002
      }
      # Full resource name of an existing URL list, so nothing is created.
      # The session_matcher restricts the rule to sessions from the given
      # service account; enabled = false presumably creates the rule without
      # enforcing it -- confirm against the provider documentation.
      url-list-2 = {
        url_list        = "projects/my-project/locations/europe-west4/urlLists/my-url-list"
        session_matcher = "source.matchServiceAccount('my-sa@my-project.iam.gserviceaccount.com')"
        enabled         = false
        priority        = 1003
      }
    }
    custom = {
      # Explicit DENY for sessions to google.com, overriding the default
      # ALLOW action.
      custom-rule-1 = {
        priority        = 1004
        session_matcher = "host() == 'google.com'"
        action          = "DENY"
      }
    }
  }
}
# tftest modules=1 resources=8 inventory=rules.yaml
Secure Web Proxy with TLS inspection
# CA Service pool that signs the certificates the proxy uses for TLS
# inspection (referenced by tls_inspection_config.ca_pool in the module below).
resource "google_privateca_ca_pool" "pool" {
  name = "secure-web-proxy-capool"
  # Same location as the proxy region used below.
  location = "europe-west4"
  project  = "my-project"
  # DEVOPS is the lower-cost tier; check that its feature set (for example
  # revocation support) fits your requirements before using it outside a lab.
  tier = "DEVOPS"
}
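# Root CA inside the pool above. Clients whose HTTPS traffic is inspected need
# to trust this CA, otherwise the certificates the proxy presents will be
# rejected.
resource "google_privateca_certificate_authority" "ca" {
  pool                     = google_privateca_ca_pool.pool.name
  certificate_authority_id = "secure-web-proxy-ca"
  location                 = "europe-west4"
  project                  = "my-project"
  # A bare bool, not the string "false": the attribute is boolean and the
  # string form only works through implicit type conversion. Disabled here so
  # the example can be torn down; keep protection on for a production CA.
  deletion_protection = false
  config {
    subject_config {
      subject {
        organization = "Cloud Foundation Fabric"
        common_name  = "fabric"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        # Standard CA key usages: sign certificates and CRLs.
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  # 1209600 s = 14 days; a short lifetime suited to an example, not to a
  # long-lived production CA.
  lifetime = "1209600s"
  key_spec {
    algorithm = "EC_P256_SHA256"
  }
}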
# Lets the Secure Web Proxy service agent request certificates from the pool;
# without this binding TLS inspection cannot issue certificates. 123456789 is a
# placeholder project number -- replace it with the number of the project that
# holds the proxy.
resource "google_privateca_ca_pool_iam_member" "member" {
  ca_pool = google_privateca_ca_pool.pool.id
  # Least privilege for this use: the agent only needs to manage certificates,
  # not the pool or the CA itself.
  role   = "roles/privateca.certificateManager"
  member = "serviceAccount:service-123456789@gcp-sa-networksecurity.iam.gserviceaccount.com"
}
# Proxy with TLS inspection: HTTPS sessions to google.com are decrypted with
# certificates issued from the CA pool above, which is what lets the rule's
# application_matcher look at the request path.
module "secure-web-proxy" {
  source     = "./fabric/modules/net-swp"
  project_id = "my-project"
  region     = "europe-west4"
  name       = "secure-web-proxy"
  network    = "projects/my-project/global/networks/my-network"
  subnetwork = "projects/my-project/regions/europe-west4/subnetworks/my-subnetwork"
  addresses  = ["10.142.68.3"]
  certificates = ["projects/my-project/locations/europe-west4/certificates/secure-web-proxy-cert"]
  # HTTPS only.
  ports = [443]
  policy_rules = {
    custom = {
      custom-rule-1 = {
        priority        = 1000
        session_matcher = "host() == 'google.com'"
        # application_matcher evaluates the HTTP request; for HTTPS traffic
        # that is only visible when TLS inspection is enabled on the rule.
        application_matcher    = "request.path.contains('generate_204')"
        action                 = "ALLOW"
        tls_inspection_enabled = true
      }
    }
  }
  tls_inspection_config = {
    # Pool the proxy issues inspection certificates from; the IAM binding on
    # the pool (certificateManager for the service agent) must be in place.
    ca_pool = google_privateca_ca_pool.pool.id
  }
}
# tftest modules=1 resources=7 inventory=tls.yaml
Variables
name |
description |
type |
required |
default |
addresses |
One or more IP addresses to be used for Secure Web Proxy. |
list(string) |
✓ |
|
certificates |
List of certificates to be used for Secure Web Proxy. |
list(string) |
✓ |
|
name |
Name of the Secure Web Proxy resource. |
string |
✓ |
|
network |
Name of the network the Secure Web Proxy is deployed into. |
string |
✓ |
|
project_id |
Project id of the project that holds the network. |
string |
✓ |
|
region |
Region where resources will be created. |
string |
✓ |
|
subnetwork |
Name of the subnetwork the Secure Web Proxy is deployed into. |
string |
✓ |
|
delete_swg_autogen_router_on_destroy |
Delete automatically provisioned Cloud Router on destroy. |
bool |
|
true |
description |
Optional description for the created resources. |
string |
|
"Managed by Terraform." |
labels |
Resource labels. |
map(string) |
|
{} |
policy_rules |
List of policy rule definitions; rules default to the allow action. Available keys: secure_tags, url_lists, custom. URL lists that only have values set will be created. |
object({…}) |
|
{} |
ports |
Ports to use for Secure Web Proxy. |
list(number) |
|
[443] |
scope |
Scope determines how configuration across multiple Gateway instances is merged. |
string |
|
null |
tls_inspection_config |
TLS inspection configuration. |
object({…}) |
|
null |
Outputs