This project contains examples of how to provision, through Terraform, all the resources necessary to use Secure Web Gateway in Google Cloud Platform. It covers the quickstart tutorial, but using Terraform instead.
- Terraform ~> 1.1.x
- terraform-provider-google plugin ~> v4.XY.x
A project where all resources will be created. The project must have the following service APIs enabled:
- compute.googleapis.com
- certificatemanager.googleapis.com
- networksecurity.googleapis.com
- networkservices.googleapis.com
A user account with the following roles at project level:
- Compute Network Admin
- Compute Security Admin
- Certificate Manager Owner
A valid SSL certificate to be uploaded to Certificate Manager.
Note: You may want to generate a self-signed certificate for test purposes. For further information you may access here. The subject is passed in double quotes so that the shell expands `${SWP_HOST_NAME}` (with single quotes the CN would literally be the string `${SWP_HOST_NAME}`):
```
export KEY_PATH="<the path to save the key, such as `./selfsignedkeys/key.pem`>"
export CERTIFICATE_PATH="<the path to save the certificate, such as `./selfsignedkeys/cert.pem`>"
export SWP_HOST_NAME="<the hostname for your Secure Web Proxy instance, such as `myswp.example.com`>"
openssl req -x509 -newkey rsa:2048 \
  -keyout ${KEY_PATH} \
  -out ${CERTIFICATE_PATH} -days 365 \
  -subj "/CN=${SWP_HOST_NAME}" -nodes -addext \
  "subjectAltName=DNS:${SWP_HOST_NAME}"
```
You will find different examples under the `examples` folder in this directory. Inside each folder there is a file called `terraform.example.tfvars.json`. These files contain all the parameters necessary to run the examples easily.
Currently there are 2 examples:
- basic_swg: provisions the secure web gateway resources in an existing VPC network.
- network_swg: provisions a VPC network and the secure web gateway resources inside that VPC network.
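As an added illustration of what these examples provision (this is not code from this repository), the core Secure Web Proxy resources in Terraform for a gateway that only allows `example.com`. It assumes an existing VPC network `default` in `us-central1`; `PROJECT_ID`, the names, the address and the certificate paths are placeholders.

```hcl
# Added illustration, not this repo's code; PROJECT_ID, names and addresses are placeholders.
# Secure Web Proxy needs a proxy-only subnet in the region of the gateway.
resource "google_compute_subnetwork" "proxy_only" {
  name          = "swp-proxy-only"
  ip_cidr_range = "10.129.0.0/23"
  region        = "us-central1"
  network       = "default"
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}
# The TLS certificate the proxy presents to clients (self-signed for tests).
resource "google_certificate_manager_certificate" "swp" {
  name     = "swp-cert"
  location = "us-central1"
  self_managed {
    pem_certificate = file("./selfsignedkeys/cert.pem")
    pem_private_key = file("./selfsignedkeys/key.pem")
  }
}
resource "google_network_security_gateway_security_policy" "policy" {
  name     = "swp-policy"
  location = "us-central1"
}
# Only sessions matching an enabled ALLOW rule pass; a session that matches
# no rule is denied, so keep the matcher as narrow as possible.
resource "google_network_security_gateway_security_policy_rule" "allow_example" {
  name                    = "allow-example-com"
  location                = "us-central1"
  gateway_security_policy = google_network_security_gateway_security_policy.policy.name
  enabled                 = true
  priority                = 1
  session_matcher         = "host() == 'example.com'"
  basic_profile           = "ALLOW"
}
resource "google_network_services_gateway" "swp" {
  name                                 = "swp-gateway"
  location                             = "us-central1"
  type                                 = "SECURE_WEB_GATEWAY"
  addresses                            = ["10.128.0.99"] # the gateway_address used by curl below
  ports                                = [443]
  scope                                = "swp-scope"
  certificate_urls                     = [google_certificate_manager_certificate.swp.id]
  gateway_security_policy              = google_network_security_gateway_security_policy.policy.id
  network                              = "projects/PROJECT_ID/global/networks/default"
  subnetwork                           = "projects/PROJECT_ID/regions/us-central1/subnetworks/default"
  delete_swg_autogen_router_on_destroy = true
  depends_on                           = [google_compute_subnetwork.proxy_only]
}
```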
- Enable the application default credentials:
  ```
  gcloud auth application-default login
  ```
- Choose one example and go to its folder. For example:
  ```
  cd examples/basic_swg
  ```
- Copy `terraform.example.tfvars.json` to `terraform.tfvars.json` and update `terraform.tfvars.json` with values from your environment:
  ```
  cp terraform.example.tfvars.json terraform.tfvars.json
  ```
- Run `terraform plan` and review the plan:
  ```
  terraform plan
  ```
- Run `terraform apply`:
  ```
  terraform apply
  ```
- Run `terraform destroy` in order to delete all secure web gateway related resources when you are done with your tests:
  ```
  terraform destroy
  ```
You may want to test whether all resources are working as expected by performing a request through the created secure web gateway.
- Create a VM instance in the same subnetwork where the gateway resources were created. You may create it using the `gcloud` CLI tool:
  ```
  export SUBNETWORK_NAME="<the chosen subnetwork where the resources were created, such as `default`>"
  export ZONE="<a zone in the region where the swg resources were created, such as `us-central1-a`>"
  export VM_INSTANCE_NAME="<any vm instance name you like, such as `swg-test-vm`>"
  export PROJECT_ID="<project_id where the resources were created>"
  gcloud compute instances create ${VM_INSTANCE_NAME} \
    --project=${PROJECT_ID} \
    --machine-type=e2-micro \
    --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=${SUBNETWORK_NAME} \
    --zone=${ZONE} \
    --create-disk=auto-delete=yes,boot=yes,device-name=${VM_INSTANCE_NAME},image=projects/ubuntu-os-cloud/global/images/ubuntu-2304-lunar-amd64-v20230502,mode=rw,size=10,type=projects/${PROJECT_ID}/zones/${ZONE}/diskTypes/pd-balanced
  ```
- SSH into the VM instance. You may access the VM instance using the `gcloud` CLI tool:
  ```
  gcloud compute ssh ${VM_INSTANCE_NAME} \
    --zone=${ZONE}
  ```
  Note: You may have to create an SSH firewall rule in order to SSH into the machine. The rule below opens only TCP port 22 (a second `--rules` flag would override the first one, so do not add `--rules all`):
  ```
  export NETWORK_NAME="<the chosen network where the resources were created, such as `default`>"
  export DEST_RANGES="<the chosen `subnet_ip_cidr_range` used in `terraform.tfvars.json`, such as `10.128.0.0/20`>"
  gcloud compute firewall-rules create allow-ssh \
    --network ${NETWORK_NAME} \
    --direction ingress \
    --action=ALLOW \
    --rules=tcp:22 \
    --destination-ranges ${DEST_RANGES} \
    --project=${PROJECT_ID}
  ```
- Perform an HTTPS request through the secure web gateway to hit the allowed `session_matcher_rule` you defined in `terraform.tfvars.json`:
  ```
  export GATEWAY_ADDRESS="<the chosen `gateway_address` in `terraform.tfvars.json`>"
  export TARGET_HOST="<the chosen address you defined in `session_matcher_rule` in `terraform.tfvars.json`, such as `example.com`>"
  curl -x https://${GATEWAY_ADDRESS}:443 https://${TARGET_HOST}
  ```
  Note: If you are using a self-signed certificate, the `curl` command may complain about it. To get around that, use `http` instead of `https` for the proxy tunnel, or add the `--proxy-insecure` flag (which skips verification of the proxy's certificate, so only use it for tests):
  ```
  curl -x http://${GATEWAY_ADDRESS}:443 https://${TARGET_HOST}
  curl -x https://${GATEWAY_ADDRESS}:443 https://${TARGET_HOST} --proxy-insecure
  ```