fix: Secure Web Proxy fix (#46)

Co-authored-by: Amanda Karina Lopes de Oliveira <amandak@ciandt.com>
GoogleCloudPlatform · Jun 8, 2023 · 1743c51 · 1743c51
1 parent 749e871
commit 1743c51
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 18 deletions.
diff --git a/examples/secure_cloud_function_bigquery_trigger/main.tf b/examples/secure_cloud_function_bigquery_trigger/main.tf
@@ -28,7 +28,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.7"
+  version = "~> 0.8"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-security"
@@ -53,6 +53,7 @@ module "secure_harness" {
   ingress_policies                            = var.ingress_policies
   serverless_type                             = "CLOUD_FUNCTION"
   use_shared_vpc                              = true
+  time_to_wait_vpc_sc_propagation             = "600s"
 
   service_account_project_roles = {
     "prj-secure-cloud-function" = ["roles/eventarc.eventReceiver", "roles/viewer", "roles/compute.networkViewer", "roles/run.invoker"]

diff --git a/examples/secure_cloud_function_with_sql/main.tf b/examples/secure_cloud_function_with_sql/main.tf
@@ -32,7 +32,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.7"
+  version = "~> 0.8"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-security"
@@ -57,6 +57,7 @@ module "secure_harness" {
   ingress_policies                            = var.ingress_policies
   serverless_type                             = "CLOUD_FUNCTION"
   use_shared_vpc                              = true
+  time_to_wait_vpc_sc_propagation             = "600s"
 
   serverless_project_extra_apis = {
     "prj-secure-cloud-function" = ["servicenetworking.googleapis.com", "sqladmin.googleapis.com", "cloudscheduler.googleapis.com"],

diff --git a/modules/secure-web-proxy/main.tf b/modules/secure-web-proxy/main.tf
@@ -14,10 +14,15 @@
  * limitations under the License.
  */
 
+locals {
+  swp_addresses    = "[ ${join(",", [for s in var.addresses : format("%q", s)])} ]"
+  swp_ports        = "[ ${join(",", [for s in var.ports : s])} ]"
+  swp_certificates = "[ ${join(",", [for s in var.certificates : format("%q", s)])} ]"
+}
 
 resource "google_compute_subnetwork" "swp_subnetwork_proxy" {
   name          = "sb-swp-${var.region}"
-  ip_cidr_range = "10.129.0.0/23"
+  ip_cidr_range = var.proxy_ip_range
   project       = var.project_id
   region        = var.region
   network       = var.network_id
@@ -36,11 +41,11 @@ module "swp_firewall_rule" {
     description = "Allow Cloud Build to connect in Secure Web Proxy"
     direction   = "EGRESS"
     priority    = 100
-    ranges      = ["10.129.0.0/23", "10.0.0.0/28"]
+    ranges      = [var.proxy_ip_range, var.subnetwork_ip_range]
     source_tags = []
     allow = [{
       protocol = "tcp"
-      ports    = ["443"]
+      ports    = var.ports
     }]
     deny = []
     log_config = {
@@ -54,7 +59,7 @@ resource "google_compute_global_address" "private_ip_allocation" {
   project       = var.project_id
   address_type  = "INTERNAL"
   purpose       = "VPC_PEERING"
-  prefix_length = 16
+  prefix_length = var.global_address_prefix_length
   network       = var.network_id
 }
 
@@ -68,6 +73,16 @@ resource "google_service_networking_connection" "private_service_connect" {
   ]
 }
 
+resource "time_sleep" "wait_network_config_propagation" {
+  create_duration  = "1m"
+  destroy_duration = "5m"
+
+  depends_on = [
+    google_service_networking_connection.private_service_connect,
+    google_compute_subnetwork.swp_subnetwork_proxy
+  ]
+}
+
 resource "google_network_security_gateway_security_policy" "swp_security_policy" {
   provider    = google-beta
   name        = "swp-security-policy"
@@ -108,26 +123,27 @@ resource "null_resource" "swp_generate_gateway_config" {
   provisioner "local-exec" {
     command = <<EOF
       cat << EOF > gateway.yaml
-      name: projects/${var.project_id}/locations/${var.region}/gateways/secure-web-proxy
+      name: projects/${var.project_id}/locations/${var.region}/gateways/${var.proxy_name}
       type: SECURE_WEB_GATEWAY
-      addresses: ["10.0.0.10"]
-      ports: [443]
-      certificateUrls: ["${var.certificate_id}"]
+      addresses: ${local.swp_addresses}
+      ports: ${local.swp_ports}
+      certificateUrls: ${local.swp_certificates}
       gatewaySecurityPolicy: ${google_network_security_gateway_security_policy.swp_security_policy.id}
       network: ${var.network_id}
-      subnetwork: projects/${var.project_id}/regions/${var.region}/subnetworks/sb-restricted-${var.region}
+      subnetwork: ${var.subnetwork_id}
       scope: samplescope
     EOF
   }
 
   depends_on = [
-    google_network_security_gateway_security_policy.swp_security_policy
+    google_network_security_gateway_security_policy_rule.swp_security_policy_rule
   ]
 }
 
 resource "null_resource" "swp_deploy" {
 
   triggers = {
+    proxy_name = var.proxy_name
     project_id = var.project_id
     location   = var.region
     network_id = var.network_id
@@ -136,7 +152,7 @@ resource "null_resource" "swp_deploy" {
   provisioner "local-exec" {
     when    = create
     command = <<EOF
-      gcloud alpha network-services gateways import secure-web-proxy \
+      gcloud network-services gateways import ${var.proxy_name} \
         --source=gateway.yaml \
         --location=${var.region} \
         --project=${var.project_id}
@@ -146,7 +162,7 @@ resource "null_resource" "swp_deploy" {
   provisioner "local-exec" {
     when    = destroy
     command = <<EOF
-      gcloud network-services gateways delete secure-web-proxy \
+      gcloud network-services gateways delete ${self.triggers.proxy_name} \
         --location=${self.triggers.location} \
         --project=${self.triggers.project_id} \
         --quiet
@@ -164,13 +180,14 @@ resource "null_resource" "swp_deploy" {
     google_network_security_gateway_security_policy.swp_security_policy,
     google_network_security_url_lists.swp_url_lists,
     google_network_security_gateway_security_policy_rule.swp_security_policy_rule,
-    null_resource.swp_generate_gateway_config
+    null_resource.swp_generate_gateway_config,
+    google_service_networking_connection.private_service_connect
   ]
 }
 
 resource "time_sleep" "wait_secure_web_proxy" {
   create_duration  = "3m"
-  destroy_duration = "1m"
+  destroy_duration = "5m"
 
   depends_on = [
     null_resource.swp_deploy

diff --git a/modules/secure-web-proxy/outputs.tf b/modules/secure-web-proxy/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "global_address_name" {
+  description = "Google compute global address name."
+  value       = google_compute_global_address.private_ip_allocation.name
+}
diff --git a/modules/secure-web-proxy/variables.tf b/modules/secure-web-proxy/variables.tf
@@ -14,6 +14,12 @@
  * limitations under the License.
  */
 
+variable "proxy_name" {
+  description = "Secure Web Proxy name."
+  type        = string
+  default     = "secure-web-proxy"
+}
+
 variable "project_id" {
   description = "The network project id where the SWP should be deployed."
   type        = string
@@ -29,13 +35,44 @@ variable "network_id" {
   type        = string
 }
 
+variable "subnetwork_id" {
+  description = "The sub-network id where the SWP should be deployed."
+  type        = string
+}
+
+variable "subnetwork_ip_range" {
+  description = "The sub-network ip range."
+  type        = string
+}
+
 variable "url_lists" {
   description = "A [URL list](https://cloud.google.com/secure-web-proxy/docs/url-list-syntax-reference) to allow access during Cloud Function build time."
   type        = list(string)
   default     = []
 }
 
-variable "certificate_id" {
-  description = "The certificate id to be used on the Secure Web Proxy Gateway."
+variable "certificates" {
+  description = "Certificate id list to be used on the Secure Web Proxy Gateway."
+  type        = list(string)
+}
+
+variable "addresses" {
+  description = "IP address list to be used to access the Secure Web Proxy Gateway. Must be inside the range of the sub-network."
+  type        = list(string)
+}
+
+variable "ports" {
+  description = "Protocol port list to be used to access the Secure Web Proxy Gateway."
+  type        = list(number)
+}
+
+variable "proxy_ip_range" {
+  description = "The proxy sub-network ip range to be used by Secure Web Proxy Gateway. We recommend a subnet size of /23, or 512 proxy-only addresses."
   type        = string
 }
+
+variable "global_address_prefix_length" {
+  description = "The prefix length of the IP range for the private service connect. Defaults to /16."
+  type        = number
+  default     = 16
+}