adds NGFW support for google_network_security_tls_inspection_policy r…

…esource (#9864) (#18139) [upstream:ebfd96bd8d7a1f13c352a2645d02407da4317021] Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · May 14, 2024 · 9fd2d10 · 9fd2d10
1 parent b7d709b
commit 9fd2d10
Show file tree

Hide file tree

Showing 2 changed files with 293 additions and 0 deletions.
diff --git a/google/services/networksecurity/resource_network_security_tls_inspection_policy.go b/google/services/networksecurity/resource_network_security_tls_inspection_policy.go
@@ -30,6 +30,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
 	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+	"github.com/hashicorp/terraform-provider-google/google/verify"
 )
 
 func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
@@ -64,6 +65,14 @@ func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
 				Required:    true,
 				Description: `Short name of the TlsInspectionPolicy resource to be created.`,
 			},
+			"custom_tls_features": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.`,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"description": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -79,6 +88,24 @@ func ResourceNetworkSecurityTlsInspectionPolicy() *schema.Resource {
 				Optional:    true,
 				Description: `The location of the tls inspection policy.`,
 			},
+			"min_tls_version": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"TLS_VERSION_UNSPECIFIED", "TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3", ""}),
+				Description:  `Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. Possible values: ["TLS_VERSION_UNSPECIFIED", "TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]`,
+			},
+			"tls_feature_profile": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"PROFILE_UNSPECIFIED", "PROFILE_COMPATIBLE", "PROFILE_MODERN", "PROFILE_RESTRICTED", "PROFILE_CUSTOM", ""}),
+				Description:  `The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (\"PROFILE_COMPATIBLE\"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. Possible values: ["PROFILE_UNSPECIFIED", "PROFILE_COMPATIBLE", "PROFILE_MODERN", "PROFILE_RESTRICTED", "PROFILE_CUSTOM"]`,
+			},
+			"trust_config": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				DiffSuppressFunc: tpgresource.ProjectNumberDiffSuppress,
+				Description:      `A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form \"projects/{project}/locations/{location}/trustConfigs/{trust_config}\". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.`,
+			},
 			"create_time": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -120,6 +147,30 @@ func resourceNetworkSecurityTlsInspectionPolicyCreate(d *schema.ResourceData, me
 	} else if v, ok := d.GetOkExists("ca_pool"); !tpgresource.IsEmptyValue(reflect.ValueOf(caPoolProp)) && (ok || !reflect.DeepEqual(v, caPoolProp)) {
 		obj["caPool"] = caPoolProp
 	}
+	trustConfigProp, err := expandNetworkSecurityTlsInspectionPolicyTrustConfig(d.Get("trust_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("trust_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(trustConfigProp)) && (ok || !reflect.DeepEqual(v, trustConfigProp)) {
+		obj["trustConfig"] = trustConfigProp
+	}
+	minTlsVersionProp, err := expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(d.Get("min_tls_version"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("min_tls_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(minTlsVersionProp)) && (ok || !reflect.DeepEqual(v, minTlsVersionProp)) {
+		obj["minTlsVersion"] = minTlsVersionProp
+	}
+	tlsFeatureProfileProp, err := expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(d.Get("tls_feature_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tls_feature_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(tlsFeatureProfileProp)) && (ok || !reflect.DeepEqual(v, tlsFeatureProfileProp)) {
+		obj["tlsFeatureProfile"] = tlsFeatureProfileProp
+	}
+	customTlsFeaturesProp, err := expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(d.Get("custom_tls_features"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_tls_features"); !tpgresource.IsEmptyValue(reflect.ValueOf(customTlsFeaturesProp)) && (ok || !reflect.DeepEqual(v, customTlsFeaturesProp)) {
+		obj["customTlsFeatures"] = customTlsFeaturesProp
+	}
 	excludePublicCaSetProp, err := expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(d.Get("exclude_public_ca_set"), d, config)
 	if err != nil {
 		return err
@@ -237,6 +288,18 @@ func resourceNetworkSecurityTlsInspectionPolicyRead(d *schema.ResourceData, meta
 	if err := d.Set("ca_pool", flattenNetworkSecurityTlsInspectionPolicyCaPool(res["caPool"], d, config)); err != nil {
 		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
 	}
+	if err := d.Set("trust_config", flattenNetworkSecurityTlsInspectionPolicyTrustConfig(res["trustConfig"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
+	if err := d.Set("min_tls_version", flattenNetworkSecurityTlsInspectionPolicyMinTlsVersion(res["minTlsVersion"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
+	if err := d.Set("tls_feature_profile", flattenNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(res["tlsFeatureProfile"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
+	if err := d.Set("custom_tls_features", flattenNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(res["customTlsFeatures"], d, config)); err != nil {
+		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
+	}
 	if err := d.Set("exclude_public_ca_set", flattenNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(res["excludePublicCaSet"], d, config)); err != nil {
 		return fmt.Errorf("Error reading TlsInspectionPolicy: %s", err)
 	}
@@ -272,6 +335,30 @@ func resourceNetworkSecurityTlsInspectionPolicyUpdate(d *schema.ResourceData, me
 	} else if v, ok := d.GetOkExists("ca_pool"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, caPoolProp)) {
 		obj["caPool"] = caPoolProp
 	}
+	trustConfigProp, err := expandNetworkSecurityTlsInspectionPolicyTrustConfig(d.Get("trust_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("trust_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, trustConfigProp)) {
+		obj["trustConfig"] = trustConfigProp
+	}
+	minTlsVersionProp, err := expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(d.Get("min_tls_version"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("min_tls_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, minTlsVersionProp)) {
+		obj["minTlsVersion"] = minTlsVersionProp
+	}
+	tlsFeatureProfileProp, err := expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(d.Get("tls_feature_profile"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tls_feature_profile"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, tlsFeatureProfileProp)) {
+		obj["tlsFeatureProfile"] = tlsFeatureProfileProp
+	}
+	customTlsFeaturesProp, err := expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(d.Get("custom_tls_features"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("custom_tls_features"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, customTlsFeaturesProp)) {
+		obj["customTlsFeatures"] = customTlsFeaturesProp
+	}
 	excludePublicCaSetProp, err := expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(d.Get("exclude_public_ca_set"), d, config)
 	if err != nil {
 		return err
@@ -296,6 +383,22 @@ func resourceNetworkSecurityTlsInspectionPolicyUpdate(d *schema.ResourceData, me
 		updateMask = append(updateMask, "caPool")
 	}
 
+	if d.HasChange("trust_config") {
+		updateMask = append(updateMask, "trustConfig")
+	}
+
+	if d.HasChange("min_tls_version") {
+		updateMask = append(updateMask, "minTlsVersion")
+	}
+
+	if d.HasChange("tls_feature_profile") {
+		updateMask = append(updateMask, "tlsFeatureProfile")
+	}
+
+	if d.HasChange("custom_tls_features") {
+		updateMask = append(updateMask, "customTlsFeatures")
+	}
+
 	if d.HasChange("exclude_public_ca_set") {
 		updateMask = append(updateMask, "excludePublicCaSet")
 	}
@@ -434,6 +537,22 @@ func flattenNetworkSecurityTlsInspectionPolicyCaPool(v interface{}, d *schema.Re
 	return v
 }
 
+func flattenNetworkSecurityTlsInspectionPolicyTrustConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecurityTlsInspectionPolicyMinTlsVersion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -446,6 +565,22 @@ func expandNetworkSecurityTlsInspectionPolicyCaPool(v interface{}, d tpgresource
 	return v, nil
 }
 
+func expandNetworkSecurityTlsInspectionPolicyTrustConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecurityTlsInspectionPolicyMinTlsVersion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecurityTlsInspectionPolicyTlsFeatureProfile(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandNetworkSecurityTlsInspectionPolicyCustomTlsFeatures(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandNetworkSecurityTlsInspectionPolicyExcludePublicCaSet(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
diff --git a/website/docs/r/network_security_tls_inspection_policy.html.markdown b/website/docs/r/network_security_tls_inspection_policy.html.markdown
@@ -114,6 +114,146 @@ resource "google_network_security_tls_inspection_policy" "default" {
   depends_on            = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=network_security_tls_inspection_policy_custom&open_in_editor=main.tf" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Network Security Tls Inspection Policy Custom
+
+
+```hcl
+resource "google_privateca_ca_pool" "default" {
+  provider = google-beta
+  name     = "my-basic-ca-pool"
+  location = "us-central1"
+  tier     = "DEVOPS"
+
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl = false
+  }
+
+  issuance_policy {
+    maximum_lifetime = "1209600s"
+    baseline_values {
+      ca_options {
+        is_ca = false
+      }
+      key_usage {
+        base_key_usage {}
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+}
+
+resource "google_privateca_certificate_authority" "default" {
+  provider = google-beta
+  pool     = google_privateca_ca_pool.default.name
+
+  certificate_authority_id = "my-basic-certificate-authority"
+  location                 = "us-central1"
+  lifetime                 = "86400s"
+  type                     = "SELF_SIGNED"
+  deletion_protection      = false
+  skip_grace_period        = true
+
+  ignore_active_certificates_on_deletion = true
+
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name  = "my-ca"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+resource "google_project_service_identity" "ns_sa" {
+  provider = google-beta
+  service  = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "default" {
+  provider = google-beta
+  ca_pool  = google_privateca_ca_pool.default.id
+  role     = "roles/privateca.certificateManager"
+  member   = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
+resource "google_certificate_manager_trust_config" "default" {
+  provider    = google-beta
+  name        = "my-trust-config"
+  description = "sample trust config description"
+  location    = "us-central1"
+
+  trust_stores {
+    trust_anchors {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+    intermediate_cas {
+      pem_certificate = file("test-fixtures/ca_cert.pem")
+    }
+  }
+}
+
+resource "google_network_security_tls_inspection_policy" "default" {
+  provider = google-beta
+  name     = "my-tls-inspection-policy"
+  location = "us-central1"
+  ca_pool  = google_privateca_ca_pool.default.id
+
+  exclude_public_ca_set = false
+  min_tls_version       = "TLS_1_0"
+  trust_config          = google_certificate_manager_trust_config.default.id
+  tls_feature_profile   = "PROFILE_CUSTOM"
+
+  custom_tls_features = [
+    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    "TLS_RSA_WITH_AES_128_CBC_SHA",
+    "TLS_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_RSA_WITH_AES_256_CBC_SHA",
+    "TLS_RSA_WITH_AES_256_GCM_SHA384",
+  ]
+
+  depends_on = [
+    google_privateca_certificate_authority.default,
+    google_privateca_ca_pool_iam_member.default,
+  ]
+}
+```
 
 ## Argument Reference
 
@@ -136,6 +276,24 @@ The following arguments are supported:
   (Optional)
   Free-text description of the resource.
 
+* `trust_config` -
+  (Optional)
+  A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form \"projects/{project}/locations/{location}/trustConfigs/{trust_config}\". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.
+
+* `min_tls_version` -
+  (Optional)
+  Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
+  Possible values are: `TLS_VERSION_UNSPECIFIED`, `TLS_1_0`, `TLS_1_1`, `TLS_1_2`, `TLS_1_3`.
+
+* `tls_feature_profile` -
+  (Optional)
+  The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (\"PROFILE_COMPATIBLE\"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
+  Possible values are: `PROFILE_UNSPECIFIED`, `PROFILE_COMPATIBLE`, `PROFILE_MODERN`, `PROFILE_RESTRICTED`, `PROFILE_CUSTOM`.
+
+* `custom_tls_features` -
+  (Optional)
+  List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
+
 * `exclude_public_ca_set` -
   (Optional)
   If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trustConfig. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trustConfig will be accepted.