adds NGFW support for google_network_security_tls_inspection_policy r…
…esource (#9864) (#7368)

[upstream:ebfd96bd8d7a1f13c352a2645d02407da4317021]

Signed-off-by: Modular Magician <magic-modules@google.com>
modular-magician committed May 14, 2024
1 parent 19a4049 commit 3d8fce7
Showing 3 changed files with 453 additions and 0 deletions.
Expand Up @@ -30,6 +30,7 @@ import (

"github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
"github.com/hashicorp/terraform-provider-google-beta/google-beta/verify"
)

func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
Expand Down Expand Up @@ -64,6 +65,14 @@ func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
Required: true,
Description: `Short name of the TlsInspectionPolicy resource to be created.`,
},
"custom_tls_features": {
Type: schema.TypeList,
Optional: true,
Description: `List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.`,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"description": {
Type: schema.TypeString,
Optional: true,
Expand All @@ -79,6 +88,24 @@ func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
Optional: true,
Description: `The location of the tls inspection policy.`,
},
"min_tls_version": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: verify.ValidateEnum([]string{"TLS_VERSION_UNSPECIFIED", "TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3", ""}),
Description: `Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. Possible values: ["TLS_VERSION_UNSPECIFIED", "TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]`,
},
"tls_feature_profile": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: verify.ValidateEnum([]string{"PROFILE_UNSPECIFIED", "PROFILE_COMPATIBLE", "PROFILE_MODERN", "PROFILE_RESTRICTED", "PROFILE_CUSTOM", ""}),
Description: `The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (\"PROFILE_COMPATIBLE\"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. Possible values: ["PROFILE_UNSPECIFIED", "PROFILE_COMPATIBLE", "PROFILE_MODERN", "PROFILE_RESTRICTED", "PROFILE_CUSTOM"]`,
},
"trust_config": {
Type: schema.TypeString,
Optional: true,
DiffSuppressFunc: tpgresource.ProjectNumberDiffSuppress,
Description: `A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form \"projects/{project}/locations/{location}/trustConfigs/{trust_config}\". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.`,
},
"create_time": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -120,6 +147,30 @@ func resourceNetworkSecurityTlsInspectionPolicyCreate(d *schema.ResourceData, me
} else if v, ok := d.GetOkExists("ca_pool"); !tpgresource.IsEmptyValue(reflect.ValueOf(caPoolProp)) && (ok || !reflect.DeepEqual(v, caPoolProp)) {
obj["caPool"] = caPoolProp
}
trustConfigProp, err := expandNetworkSecurityTlsInspectionPolicyTrustConfig(d.Get("trust_config"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("trust_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(trustConfigProp)) && (ok || !reflect.DeepEqual(v, trustConfigProp)) {
obj["trustConfig"] = trustConfigProp
}
minTlsVersionProp, err := expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(d.Get("min_tls_version"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("min_tls_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(minTlsVersionProp)) && (ok || !reflect.DeepEqual(v, minTlsVersionProp)) {
obj["minTlsVersion"] = minTlsVersionProp
}
tlsFeatureProfileProp, err := expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(d.Get("tls_feature_profile"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("tls_feature_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(tlsFeatureProfileProp)) && (ok || !reflect.DeepEqual(v, tlsFeatureProfileProp)) {
obj["tlsFeatureProfile"] = tlsFeatureProfileProp
}
customTlsFeaturesProp, err := expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(d.Get("custom_tls_features"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("custom_tls_features"); !tpgresource.IsEmptyValue(reflect.ValueOf(customTlsFeaturesProp)) && (ok || !reflect.DeepEqual(v, customTlsFeaturesProp)) {
obj["customTlsFeatures"] = customTlsFeaturesProp
}
excludePublicCaSetProp, err := expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(d.Get("exclude_public_ca_set"), d, config)
if err != nil {
return err
Expand Down Expand Up @@ -237,6 +288,18 @@ func resourceNetworkSecurityTlsInspectionPolicyRead(d *schema.ResourceData, meta
if err := d.Set("ca_pool", flattenNetworkSecurityTlsInspectionPolicyCaPool(res["caPool"], d, config)); err != nil {
return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
}
if err := d.Set("trust_config", flattenNetworkSecurityTlsInspectionPolicyTrustConfig(res["trustConfig"], d, config)); err != nil {
return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
}
if err := d.Set("min_tls_version", flattenNetworkSecurityTlsInspectionPolicyMinTlsVersion(res["minTlsVersion"], d, config)); err != nil {
return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
}
if err := d.Set("tls_feature_profile", flattenNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(res["tlsFeatureProfile"], d, config)); err != nil {
return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
}
if err := d.Set("custom_tls_features", flattenNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(res["customTlsFeatures"], d, config)); err != nil {
return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
}
if err := d.Set("exclude_public_ca_set", flattenNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(res["excludePublicCaSet"], d, config)); err != nil {
return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
}
Expand Down Expand Up @@ -272,6 +335,30 @@ func resourceNetworkSecurityTlsInspectionPolicyUpdate(d *schema.ResourceData, me
} else if v, ok := d.GetOkExists("ca_pool"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, caPoolProp)) {
obj["caPool"] = caPoolProp
}
trustConfigProp, err := expandNetworkSecurityTlsInspectionPolicyTrustConfig(d.Get("trust_config"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("trust_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, trustConfigProp)) {
obj["trustConfig"] = trustConfigProp
}
minTlsVersionProp, err := expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(d.Get("min_tls_version"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("min_tls_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, minTlsVersionProp)) {
obj["minTlsVersion"] = minTlsVersionProp
}
tlsFeatureProfileProp, err := expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(d.Get("tls_feature_profile"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("tls_feature_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, tlsFeatureProfileProp)) {
obj["tlsFeatureProfile"] = tlsFeatureProfileProp
}
customTlsFeaturesProp, err := expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(d.Get("custom_tls_features"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("custom_tls_features"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, customTlsFeaturesProp)) {
obj["customTlsFeatures"] = customTlsFeaturesProp
}
excludePublicCaSetProp, err := expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(d.Get("exclude_public_ca_set"), d, config)
if err != nil {
return err
Expand All @@ -296,6 +383,22 @@ func resourceNetworkSecurityTlsInspectionPolicyUpdate(d *schema.ResourceData, me
updateMask = append(updateMask, "caPool")
}

if d.HasChange("trust_config") {
updateMask = append(updateMask, "trustConfig")
}

if d.HasChange("min_tls_version") {
updateMask = append(updateMask, "minTlsVersion")
}

if d.HasChange("tls_feature_profile") {
updateMask = append(updateMask, "tlsFeatureProfile")
}

if d.HasChange("custom_tls_features") {
updateMask = append(updateMask, "customTlsFeatures")
}

if d.HasChange("exclude_public_ca_set") {
updateMask = append(updateMask, "excludePublicCaSet")
}
Expand Down Expand Up @@ -434,6 +537,22 @@ func flattenNetworkSecurityTlsInspectionPolicyCaPool(v interface{}, d *schema.Re
return v
}

func flattenNetworkSecurityTlsInspectionPolicyTrustConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenNetworkSecurityTlsInspectionPolicyMinTlsVersion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func flattenNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}
Expand All @@ -446,6 +565,22 @@ func expandNetworkSecurityTlsInspectionPolicyCaPool(v interface{}, d tpgresource
return v, nil
}

func expandNetworkSecurityTlsInspectionPolicyTrustConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}
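Review bot: The schema hunk adds `custom_tls_features` (the `schema.TypeList` block after `name`) with a description saying it is only valid when `tls_feature_profile` is `PROFILE_CUSTOM`, but nothing at plan time enforces that relationship, so a config that sets a cipher list under `PROFILE_MODERN` or no profile at all is accepted by `terraform plan` and only fails (or is quietly disregarded) once the API call is made in Create/Update. A `CustomizeDiff` on the resource that rejects a non-empty `custom_tls_features` when the profile is not `PROFILE_CUSTOM` would surface the mistake before anything is sent; the `&schema.Resource{...}` literal this belongs on starts above the hunk, and if the resource already has a `CustomizeDiff` there, compose the new check with `customdiff.All`. The commit trailer marks this file as generated from an upstream definition, so the check presumably has to be added there rather than hand-edited here. The same applies to `min_tls_version`'s description, which could note that the `TLS_1_0`/`TLS_1_1` values exist for compatibility with the API enum and are not recommended.
```go
// … unchanged: Schema map with name, custom_tls_features, min_tls_version, … …
CustomizeDiff: func(_ context.Context, diff *schema.ResourceDiff, _ interface{}) error {
	raw, _ := diff.GetOk("custom_tls_features")
	features, _ := raw.([]interface{})
	if len(features) > 0 && diff.Get("tls_feature_profile").(string) != "PROFILE_CUSTOM" {
		return fmt.Errorf("custom_tls_features may only be set when tls_feature_profile is PROFILE_CUSTOM")
	}
	return nil
},
```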
Expand Up @@ -136,6 +136,166 @@ resource "google_network_security_tls_inspection_policy" "default" {
`, context)
}

func TestAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
CheckDestroy: testAccCheckNetworkSecurityTlsInspectionPolicyDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample(context),
},
{
ResourceName: "google_network_security_tls_inspection_policy.default",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"location", "name"},
},
},
})
}

func testAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_privateca_ca_pool" "default" {
provider = google-beta
name = "tf-test-my-basic-ca-pool%{random_suffix}"
location = "us-central1"
tier = "DEVOPS"
publishing_options {
publish_ca_cert = false
publish_crl = false
}
issuance_policy {
maximum_lifetime = "1209600s"
baseline_values {
ca_options {
is_ca = false
}
key_usage {
base_key_usage {}
extended_key_usage {
server_auth = true
}
}
}
}
}
resource "google_privateca_certificate_authority" "default" {
provider = google-beta
pool = google_privateca_ca_pool.default.name
certificate_authority_id = "tf-test-my-basic-certificate-authority%{random_suffix}"
location = "us-central1"
lifetime = "86400s"
type = "SELF_SIGNED"
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
config {
subject_config {
subject {
organization = "Test LLC"
common_name = "my-ca"
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
resource "google_project_service_identity" "ns_sa" {
provider = google-beta
service = "networksecurity.googleapis.com"
}
resource "google_privateca_ca_pool_iam_member" "default" {
provider = google-beta
ca_pool = google_privateca_ca_pool.default.id
role = "roles/privateca.certificateManager"
member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
}
resource "google_certificate_manager_trust_config" "default" {
provider = google-beta
name = "tf-test-my-trust-config%{random_suffix}"
description = "sample trust config description"
location = "us-central1"
trust_stores {
trust_anchors {
pem_certificate = file("test-fixtures/ca_cert.pem")
}
intermediate_cas {
pem_certificate = file("test-fixtures/ca_cert.pem")
}
}
}
resource "google_network_security_tls_inspection_policy" "default" {
provider = google-beta
name = "tf-test-my-tls-inspection-policy%{random_suffix}"
location = "us-central1"
ca_pool = google_privateca_ca_pool.default.id
exclude_public_ca_set = false
min_tls_version = "TLS_1_0"
trust_config = google_certificate_manager_trust_config.default.id
tls_feature_profile = "PROFILE_CUSTOM"
custom_tls_features = [
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
]
depends_on = [
google_privateca_certificate_authority.default,
google_privateca_ca_pool_iam_member.default,
]
}
`, context)
}

func testAccCheckNetworkSecurityTlsInspectionPolicyDestroyProducer(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
for name, rs := range s.RootModule().Resources {
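Review bot: The `google_network_security_tls_inspection_policy` block in `testAccNetworkSecurityTlsInspectionPolicy_networkSecurityTlsInspectionPolicyCustomExample` pins `min_tls_version = "TLS_1_0"` and a `custom_tls_features` list that includes `TLS_RSA_WITH_3DES_EDE_CBC_SHA` and the static-RSA/CBC suites, i.e. the weakest configuration the policy permits. Example functions of this shape appear to be the source for the resource's published documentation, so readers are likely to copy this as a starting point; unless the test deliberately exercises the full set returned by `ListAvailableFeatures`, `min_tls_version = "TLS_1_2"` with the list trimmed to the ECDHE GCM/CHACHA20 suites would demonstrate the feature without showcasing deprecated ciphers. If the full list is intentional, a one-line comment above `custom_tls_features = [` saying so (`# intentionally lists every feature the API reports, not a recommended set`) would stop the example from reading as a recommendation. The `trust_config` block uses `test-fixtures/ca_cert.pem` as both trust anchor and intermediate CA, which is fine for a fixture but worth a short comment so it is not mistaken for a real chain.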
