feat: Add Server TLS Policy parameter (#387)

Co-authored-by: Mickael CORNIERE <[email protected]>
terraform-google-modules · Nov 28, 2023 · c553947 · c553947
1 parent 1a35be4
commit c553947
Show file tree

Hide file tree

Showing 11 changed files with 43 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -118,6 +118,7 @@ module "gce-lb-http" {
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
 | random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
 | security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
+| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no |
 | ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR  3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
 | ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
 | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |

diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl
@@ -123,6 +123,7 @@ resource "google_compute_target_https_proxy" "default" {
   certificate_map  = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
   ssl_policy       = var.ssl_policy
   quic_override    = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {

diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl
@@ -310,3 +310,9 @@ variable "network" {
   type        = string
   default     = "default"
 }
+
+variable "server_tls_policy" {
+  description = "The resource URL for the server TLS policy to associate with the https proxy service"
+  type        = string
+  default     = null
+}
diff --git a/main.tf b/main.tf
@@ -117,10 +117,11 @@ resource "google_compute_target_https_proxy" "default" {
   name    = "${var.name}-https-proxy"
   url_map = local.url_map
 
-  ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
-  certificate_map  = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
-  ssl_policy       = var.ssl_policy
-  quic_override    = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  ssl_certificates  = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
+  certificate_map   = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+  ssl_policy        = var.ssl_policy
+  quic_override     = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {

diff --git a/modules/dynamic_backends/README.md b/modules/dynamic_backends/README.md
@@ -111,6 +111,7 @@ module "gce-lb-http" {
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
 | random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
 | security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
+| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no |
 | ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR  3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
 | ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
 | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |

diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf
@@ -117,10 +117,11 @@ resource "google_compute_target_https_proxy" "default" {
   name    = "${var.name}-https-proxy"
   url_map = local.url_map
 
-  ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
-  certificate_map  = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
-  ssl_policy       = var.ssl_policy
-  quic_override    = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  ssl_certificates  = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
+  certificate_map   = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+  ssl_policy        = var.ssl_policy
+  quic_override     = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {

diff --git a/modules/dynamic_backends/variables.tf b/modules/dynamic_backends/variables.tf
@@ -297,3 +297,9 @@ variable "network" {
   type        = string
   default     = "default"
 }
+
+variable "server_tls_policy" {
+  description = "The resource URL for the server TLS policy to associate with the https proxy service"
+  type        = string
+  default     = null
+}
diff --git a/modules/serverless_negs/README.md b/modules/serverless_negs/README.md
@@ -94,6 +94,7 @@ module "lb-http" {
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
 | random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
 | security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
+| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no |
 | ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR  3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
 | ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
 | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |

diff --git a/modules/serverless_negs/main.tf b/modules/serverless_negs/main.tf
@@ -116,10 +116,11 @@ resource "google_compute_target_https_proxy" "default" {
   name    = "${var.name}-https-proxy"
   url_map = local.url_map
 
-  ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
-  certificate_map  = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
-  ssl_policy       = var.ssl_policy
-  quic_override    = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  ssl_certificates  = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
+  certificate_map   = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+  ssl_policy        = var.ssl_policy
+  quic_override     = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+  server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {

diff --git a/modules/serverless_negs/variables.tf b/modules/serverless_negs/variables.tf
@@ -246,3 +246,9 @@ variable "network" {
   type        = string
   default     = "default"
 }
+
+variable "server_tls_policy" {
+  description = "The resource URL for the server TLS policy to associate with the https proxy service"
+  type        = string
+  default     = null
+}
diff --git a/variables.tf b/variables.tf
@@ -297,3 +297,9 @@ variable "network" {
   type        = string
   default     = "default"
 }
+
+variable "server_tls_policy" {
+  description = "The resource URL for the server TLS policy to associate with the https proxy service"
+  type        = string
+  default     = null
+}