/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
  # Root directory of the YAML rule factory; null when
  # var.factories_config.policy_rules is unset (pathexpand would fail on null).
  _policy_rules_path = try(
    pathexpand(var.factories_config.policy_rules), null
  )
  # Rule definitions read from the factory: one per YAML file found
  # recursively under the root, keyed by file name without the extension.
  # NOTE(review): the key drops the directory part, so two files with the
  # same base name in different subdirectories produce a duplicate map key,
  # which Terraform rejects at plan time.
  _policy_rules = {
    for fname in try(fileset(local._policy_rules_path, "**/*.yaml"), []) :
    basename(trimsuffix(fname, ".yaml")) => yamldecode(
      file("${local._policy_rules_path}/${fname}")
    )
  }
  # Variable-defined rules merged with factory rules normalized to the same
  # shape; on a name clash the factory definition wins (later merge argument).
  # Factory defaults: `allow` and `enable` both default to true, so a YAML
  # file that omits them defines an active ALLOW rule.
  policy_rules = merge(var.policy_rules, {
    for name, rule in local._policy_rules : name => {
      # YAML key is `enable`; the resource attribute is `enabled`.
      enabled             = lookup(rule, "enable", true)
      allow               = lookup(rule, "allow", true)
      priority            = rule.priority
      description         = lookup(rule, "description", null)
      application_matcher = lookup(rule, "application_matcher", null)
      session_matcher     = lookup(rule, "session_matcher", null)
      tls_inspect         = lookup(rule, "tls_inspect", null)
      matcher_args = {
        application = try(rule.matcher_args.application, [])
        session     = try(rule.matcher_args.session, [])
      }
    }
  })
  # "context:value" matcher arguments split into {context, value} pairs for
  # every rule (variable and factory). Each argument is expected to split on
  # ":" into exactly two parts; zipmap requires the key and value lists to
  # have the same length.
  policy_rules_args = {
    for name, rule in local.policy_rules : name => {
      application = [
        for arg in rule.matcher_args.application :
        zipmap(["context", "value"], split(":", arg))
      ]
      session = [
        for arg in rule.matcher_args.session :
        zipmap(["context", "value"], split(":", arg))
      ]
    }
  }
  # Lookup tables used to resolve matcher argument values by context.
  # URL lists managed by this module are added to the user-supplied map,
  # keyed by their map key and resolving to the resource id.
  policy_rules_contexts = {
    secure_tag      = var.policy_rules_contexts.secure_tags
    service_account = var.policy_rules_contexts.service_accounts
    url_list = merge(var.policy_rules_contexts.url_lists, {
      for lname, ulist in google_network_security_url_lists.default :
      lname => ulist.id
    })
  }
}
resource "google_network_security_gateway_security_policy_rule" "default" {
  # One rule per entry of local.policy_rules (var.policy_rules merged with
  # the YAML factory); the map key becomes the rule name.
  for_each = local.policy_rules
  project  = var.project_id
  location = var.region
  name     = each.key
  gateway_security_policy = (
    google_network_security_gateway_security_policy.default.name
  )
  priority = each.value.priority
  enabled  = each.value.enabled
  # Rule-level description wins; coalesce() errors if both are null, so
  # var.description must carry a value when a rule omits its own.
  description = coalesce(each.value.description, var.description)
  # null leaves TLS inspection at the provider default for this rule.
  tls_inspection_enabled = each.value.tls_inspect
  # Matcher strings are format() templates: each "%s" is replaced, in order,
  # by the corresponding matcher_args entry resolved through
  # local.policy_rules_contexts[context]. A literal "%" in a matcher must be
  # written "%%". A value with no entry in its context map is used verbatim
  # (third lookup argument), so a mistyped secure tag, service account or
  # URL list name is not caught at plan time; for a DENY rule that can leave
  # the intended traffic unmatched. NOTE(review): consider validating names
  # against the context maps upstream.
  application_matcher = each.value.application_matcher != null ? format(
    each.value.application_matcher,
    [
      for arg in local.policy_rules_args[each.key].application :
      lookup(local.policy_rules_contexts[arg.context], arg.value, arg.value)
    ]...
  ) : null
  session_matcher = each.value.session_matcher != null ? format(
    each.value.session_matcher,
    [
      for arg in local.policy_rules_args[each.key].session :
      lookup(local.policy_rules_contexts[arg.context], arg.value, arg.value)
    ]...
  ) : null
  # ALLOW / DENY from the boolean `allow`; any other value (e.g. null from
  # var.policy_rules) leaves the basic profile unspecified.
  basic_profile = (
    each.value.allow == true
    ? "ALLOW"
    : (each.value.allow == false ? "DENY" : "BASIC_PROFILE_UNSPECIFIED")
  )
}