-
Notifications
You must be signed in to change notification settings - Fork 5
/
main.tf
80 lines (75 loc) · 3.51 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# Network Services Gateway
resource "google_network_services_gateway" "this" {
name = var.gateway_name
project = var.project_id
location = var.region
addresses = var.ip_address != "" ? [var.ip_address] : null # Only supports 0 or 1 IP address.
type = "SECURE_WEB_GATEWAY"
labels = var.labels
ports = [443] # Gateways of type 'SECURE_WEB_GATEWAY' are limited to 1 port.
scope = var.scope != "" ? var.scope : var.region
certificate_urls = var.certificate_urls
gateway_security_policy = google_network_security_gateway_security_policy.this.id
network = var.network
subnetwork = var.subnetwork
delete_swg_autogen_router_on_destroy = var.delete_swg_autogen_router_on_destroy
}
# Gateway Security Policy
resource "google_network_security_gateway_security_policy" "this" {
name = lookup(var.policy, "name", "${var.gateway_name}-policy")
provider = google-beta
project = var.project_id
location = var.region
description = lookup(var.policy, "description", "Policy for SWP gateway - ${var.gateway_name}")
tls_inspection_policy = lookup(var.policy, "tls_inspection_policy", null) != null ? google_network_security_tls_inspection_policy.this[0].id : null
}
# Gateway Security Policy Rules
resource "google_network_security_gateway_security_policy_rule" "this" {
for_each = var.rules
name = each.key
project = var.project_id
location = var.region
gateway_security_policy = google_network_security_gateway_security_policy.this.name
enabled = each.value.enabled
description = each.value.description
priority = each.value.priority
session_matcher = each.value.session_matcher
application_matcher = each.value.application_matcher
basic_profile = each.value.basic_profile
depends_on = [
google_network_security_url_lists.this
]
}
# TLS Inspection Policy
resource "google_network_security_tls_inspection_policy" "this" {
count = lookup(var.policy, "tls_inspection_policy", null) != null ? 1 : 0
provider = google-beta
name = lookup(var.policy.tls_inspection_policy, "name")
project = var.project_id
location = var.region
ca_pool = lookup(var.policy.tls_inspection_policy, "ca_pool")
}
# URL List - The created list can be within the swp policy rules.
resource "google_network_security_url_lists" "this" {
for_each = var.url_lists
project = var.project_id
name = each.key
location = var.region
description = each.value.description
values = each.value.values
}