This Terraform module simplifies the deployment and management of Secure Web Proxy (SWP) across multiple Google Cloud regions. It handles the creation of SWP gateways, comprehensive policies, and fine-grained rules to control egress web traffic.
The following resources must already exist in the target region; the module references them rather than creating them:
- VPC
- Subnet in the SWP region
- Proxy-only subnet in the SWP region
- Regional self-managed certificate in the SWP region
Basic usage of this module is as follows:

```hcl
module "secure_web_proxy" {
  source  = "GoogleCloudPlatform/secure-web-proxy/google"
  version = "0.1.0"

  gateway_name     = "simple-swp"
  project_id       = var.project_id
  region           = var.region
  certificate_urls = [google_certificate_manager_certificate.this.id]
  network          = google_compute_network.this.id
  subnetwork       = google_compute_subnetwork.resource_subnet.id

  policy = {
    name        = "simple-proxy-policy"
    description = "Policy for secure web proxy"
  }

  rules = {
    "allow-example1-com" = {
      enabled         = true
      description     = "Allow example1.com host traffic."
      priority        = 100
      session_matcher = "host() == 'example1.com'"
      basic_profile   = "ALLOW"
    },
    "allow-url-list-1" = {
      enabled         = true
      description     = "All the URLs in URL list test-url-list-1."
      priority        = 102
      session_matcher = "inUrlList(host(), 'projects/${var.project_id}/locations/${var.region}/urlLists/test-url-list-1')"
      basic_profile   = "ALLOW"
    },
  }

  url_lists = {
    "test-url-list-1" = {
      description = "url-list-1 description."
      values      = ["www.example.com", "about.example.com", "github.com/example-org/*"]
    }
  }
}
```

Functional examples are included in the examples directory.
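As an added example, not taken from the module's examples directory: a rule set that scopes egress by caller identity and source range as well as by destination, using only the `rules` and `url_lists` attributes shown in the usage block above. The service-account name, CIDR ranges, host names and list name are constructed placeholders; `source.matchServiceAccount()` and `inIpRange()` are Secure Web Proxy session-matcher functions, not module inputs.

```hcl
module "secure_web_proxy" {
  source  = "GoogleCloudPlatform/secure-web-proxy/google"
  version = "0.1.0"

  gateway_name     = "egress-swp"
  project_id       = var.project_id
  region           = var.region
  certificate_urls = [google_certificate_manager_certificate.this.id]
  network          = google_compute_network.this.id
  subnetwork       = google_compute_subnetwork.resource_subnet.id

  policy = {
    name        = "egress-policy"
    description = "Explicit allow rules only; unmatched egress is denied."
  }

  # Constructed list of approved package mirrors (sample values).
  url_lists = {
    "package-mirrors" = {
      description = "Artifact repositories build workers may reach."
      values      = ["deb.debian.org", "pypi.org/simple/*", "files.pythonhosted.org"]
    }
  }

  rules = {
    # Lowest priority number is evaluated first. Only the build service
    # account, and only from the build subnet, may reach the approved mirrors.
    "allow-build-sa-mirrors" = {
      enabled         = true
      description     = "Build workers fetch packages from approved mirrors."
      priority        = 10
      session_matcher = "source.matchServiceAccount('build-worker@${var.project_id}.iam.gserviceaccount.com') && inIpRange(source.ip, '10.10.0.0/24') && inUrlList(host(), 'projects/${var.project_id}/locations/${var.region}/urlLists/package-mirrors')"
      basic_profile   = "ALLOW"
    },
    # Any workload in the app subnet may reach one vendor API host;
    # everything else falls through to the proxy's default deny.
    "allow-app-subnet-vendor-api" = {
      enabled         = true
      description     = "App tier may call the vendor API host only."
      priority        = 20
      session_matcher = "inIpRange(source.ip, '10.20.0.0/24') && host() == 'api.vendor.example'"
      basic_profile   = "ALLOW"
    }
  }
}
```

Secure Web Proxy denies any request that matches no allow rule, so the allow set above is the complete egress policy; pairing each allow with an identity or source-range condition keeps a compromised workload in another subnet from reusing it.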
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| certificate_config | Generic configuration for Certificate Manager. Supports Managed, Existing Self-Managed, or Generate Self-Signed. | `object({…})` | `null` | no |
| certificate_urls | A list of fully-qualified certificate URL references. The proxy presents a certificate (selected based on SNI) when establishing a TLS connection. | `list(string)` | `[]` | no |
| delete_swg_autogen_router_on_destroy | Whether to also delete the router auto-generated by the gateway creation. | `bool` | `true` | no |
| description | Optional description for the created resources. | `string` | `"Managed by Terraform."` | no |
| gateway_name | The name of the secure web proxy gateway to be created. | `string` | n/a | yes |
| ip_address | Static IP reservation for SWP. When no address is provided, an IP from the input subnetwork is allocated. | `string` | `""` | no |
| labels | Map of labels for the secure web proxy gateway. | `map(string)` | `{}` | no |
| network | URI of the network in which this secure web proxy will be created. | `string` | n/a | yes |
| next_hop_routing_mode | Enable NEXT_HOP_ROUTING_MODE for the gateway. | `bool` | `false` | no |
| policy | Gateway security policy configuration. | `object({…})` | n/a | yes |
| project_id | The Google Cloud project ID where the secure web proxy will be deployed. | `string` | n/a | yes |
| region | The region in which the secure web proxy components will be created. | `string` | n/a | yes |
| rules | Security policy rules configuration. See the documentation for the attributes and operators available in session_matcher and application_matcher. | `map(object({…}))` | `{}` | no |
| scope | Scope determines how configuration across multiple gateway instances is merged. The configuration for multiple gateway instances with the same scope is merged and presented as a single configuration to the proxy. Defaults to the name of the region. Max length 64 characters. | `string` | `""` | no |
| server_tls_policy_config | Configuration for the Server TLS Policy. Defines how the server authenticates incoming requests. | `object({…})` | `null` | no |
| service_attachment | PSC service attachment configuration. | `object({…})` | `null` | no |
| subnets | Optional: subnet details used to derive the subnetwork URI if subnetwork is not provided. | `list(object({…}))` | `[]` | no |
| subnetwork | URI of the subnetwork in which this secure web proxy will be created. If empty, the module will attempt to find a suitable subnetwork from the subnets input. | `string` | `""` | no |
| url_lists | URL lists that can be used within SWP rules. Values support FQDNs and URLs. | `map(object({…}))` | `{}` | no |
| Name | Description |
|---|---|
| certificate_id | The ID of the created certificate in Certificate Manager. |
| gateway_id | Identifier for the secure web proxy gateway. |
| gateway_ip_addresses | The IP addresses assigned to the Secure Web Proxy gateway. |
| network | The VPC network associated with the gateway. |
| policy_id | Identifier of the secure web proxy gateway policy. |
| ports | Ports of the secure web proxy resource created. |
| project_id | The project ID where the Secure Web Proxy is deployed. |
| rule_ids | Identifiers of the secure web proxy rules created. |
| self_link | The URI of the created resource. |
| server_tls_policy_id | The unique identifier of the Server TLS Policy. |
| service_attachment_id | ID of the service attachment resource, if created. |
| subnetwork | The specific subnetwork used by the gateway. |
| url_list_ids | Identifiers of the secure web proxy url lists. |
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform >= v1.3.0
- Terraform Provider for GCP plugin >= v5.1.0
A service account with the following roles must be used to provision the resources of this module:
- Compute Network Admin: roles/compute.networkAdmin
A project with the following APIs enabled must be used to host the resources of this module:
- Network Services API: networkservices.googleapis.com
- Network Security API: networksecurity.googleapis.com
Refer to the contribution guidelines for information on contributing to this module.
Please see our security disclosure process.