feat: Allow configuring security policies per backend (#115)

Viktor Berlov · web-flow · commit ad92b2ece0b8 · 2020-10-16T10:49:58.000-04:00
diff --git a/README.md b/README.md
@@ -72,7 +72,7 @@ module "gce-lb-http" {
         },
       ]
 
-      iap_config = {
+      iap_config {
         enable               = false
         oauth2_client_id     = null
         oauth2_client_secret = null
diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl
@@ -111,7 +111,7 @@ resource "google_compute_backend_service" "default" {
   description                     = lookup(each.value, "description", null)
   connection_draining_timeout_sec = lookup(each.value, "connection_draining_timeout_sec", null)
   enable_cdn                      = lookup(each.value, "enable_cdn", false)
-  security_policy                 = var.security_policy
+  security_policy                 = lookup(each.value, "security_policy", null) == null ? null : var.security_policy
   health_checks                   = lookup(each.value, "health_check", null) == null ? null : [google_compute_health_check.default[each.key].self_link]
   session_affinity                = lookup(each.value, "session_affinity", null)
   affinity_cookie_ttl_sec         = lookup(each.value, "affinity_cookie_ttl_sec", null)
diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl
@@ -76,6 +76,7 @@ variable "backends" {
     timeout_sec                     = number
     connection_draining_timeout_sec = number
     enable_cdn                      = bool
+    security_policy                 = string
     session_affinity                = string
     affinity_cookie_ttl_sec         = number
     custom_request_headers          = list(string)
diff --git a/examples/https-gke/main.tf b/examples/https-gke/main.tf
@@ -55,6 +55,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/examples/https-redirect/main.tf b/examples/https-redirect/main.tf
@@ -110,6 +110,7 @@ module "gce-lb-http" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/examples/mig-nat-http-lb/main.tf b/examples/mig-nat-http-lb/main.tf
@@ -107,6 +107,7 @@ module "gce-lb-http" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/examples/multi-backend-multi-mig-bucket-https-lb/main.tf b/examples/multi-backend-multi-mig-bucket-https-lb/main.tf
@@ -145,6 +145,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
@@ -211,6 +212,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
@@ -251,6 +253,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
@@ -291,6 +294,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/examples/multi-mig-http-lb/main.tf b/examples/multi-mig-http-lb/main.tf
@@ -89,6 +89,7 @@ module "gce-lb-http" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/examples/multiple-certs/main.tf b/examples/multiple-certs/main.tf
@@ -145,6 +145,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
@@ -211,6 +212,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
@@ -251,6 +253,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
@@ -291,6 +294,7 @@ module "gce-lb-https" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/examples/shared-vpc/main.tf b/examples/shared-vpc/main.tf
@@ -41,6 +41,7 @@ module "gce-lb-http" {
       timeout_sec                     = 10
       connection_draining_timeout_sec = null
       enable_cdn                      = false
+      security_policy                 = null
       session_affinity                = null
       affinity_cookie_ttl_sec         = null
       custom_request_headers          = null
diff --git a/main.tf b/main.tf
@@ -111,7 +111,7 @@ resource "google_compute_backend_service" "default" {
   description                     = lookup(each.value, "description", null)
   connection_draining_timeout_sec = lookup(each.value, "connection_draining_timeout_sec", null)
   enable_cdn                      = lookup(each.value, "enable_cdn", false)
-  security_policy                 = var.security_policy
+  security_policy                 = lookup(each.value, "security_policy", null) == null ? null : var.security_policy
   health_checks                   = lookup(each.value, "health_check", null) == null ? null : [google_compute_health_check.default[each.key].self_link]
   session_affinity                = lookup(each.value, "session_affinity", null)
   affinity_cookie_ttl_sec         = lookup(each.value, "affinity_cookie_ttl_sec", null)
diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf
@@ -111,7 +111,7 @@ resource "google_compute_backend_service" "default" {
   description                     = lookup(each.value, "description", null)
   connection_draining_timeout_sec = lookup(each.value, "connection_draining_timeout_sec", null)
   enable_cdn                      = lookup(each.value, "enable_cdn", false)
-  security_policy                 = var.security_policy
+  security_policy                 = lookup(each.value, "security_policy", null) == null ? null : var.security_policy
   health_checks                   = lookup(each.value, "health_check", null) == null ? null : [google_compute_health_check.default[each.key].self_link]
   session_affinity                = lookup(each.value, "session_affinity", null)
   affinity_cookie_ttl_sec         = lookup(each.value, "affinity_cookie_ttl_sec", null)
diff --git a/modules/dynamic_backends/variables.tf b/modules/dynamic_backends/variables.tf
@@ -76,6 +76,7 @@ variable "backends" {
     timeout_sec                     = number
     connection_draining_timeout_sec = number
     enable_cdn                      = bool
+    security_policy                 = string
     session_affinity                = string
     affinity_cookie_ttl_sec         = number
     custom_request_headers          = list(string)
diff --git a/variables.tf b/variables.tf
@@ -76,6 +76,7 @@ variable "backends" {
     timeout_sec                     = number
     connection_draining_timeout_sec = number
     enable_cdn                      = bool
+    security_policy                 = string
     session_affinity                = string
     affinity_cookie_ttl_sec         = number
     custom_request_headers          = list(string)

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ module "gce-lb-http" {`
`72`	`72`	`},`
`73`	`73`	`]`
`74`	`74`
`75`		`- iap_config = {`
	`75`	`+ iap_config {`
`76`	`76`	`enable = false`
`77`	`77`	`oauth2_client_id = null`
`78`	`78`	`oauth2_client_secret = null`