@@ -110,10 +110,6 @@ certificate_authorities = {
110
110
}
111
111
}
112
112
}
113
- ca_pool_config = {
114
- authz_nsec_sa = true
115
- name = "ca-pool-0"
116
- }
117
113
}
118
114
}
119
115
ngfw_config = {
@@ -210,16 +206,18 @@ Security profiles group defined here are exported via output variable file, and
210
206
| name | description | type | required | default | producer |
211
207
| ---| ---| :---:| :---:| :---:| :---:|
212
208
| [ automation] ( variables-fast.tf#L28 ) | Automation resources created by the bootstrap stage. | <code title =" object( ;{ ;
 ; outputs_bucket = ; string
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | ✓ | | <code >0-bootstrap</code > |
213
- | [ ngfw_config] ( variables.tf#L106 ) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | <code title =" object( ;{ ;
 ; endpoint_zones = ; list( ; string) ;
 ; name = ; optional( ; string, " ; ngfw-0" ;) ;
 ; network_associations = ; optional( ; map( ; object( ;{ ;
 ; vpc_id = ; string
 ; disabled = ; optional( ; bool) ;
 ; tls_inspection_policy = ; optional( ; string) ;
 ; zones = ; optional( ; list( ; string) ;) ;
 ; } ;) ;) ; , { ;} ;) ;
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | ✓ | | |
214
- | [ organization] ( variables-fast.tf#L48 ) | Organization details. | <code title =" object( ;{ ;
 ; domain = ; string
 ; id = ; number
 ; customer_id = ; string
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | ✓ | | <code >0-globals</code > |
215
- | [ project_id] ( variables.tf#L127 ) | Project where the network security resources will be created. | <code >string</code > | ✓ | | |
209
+ | [ ngfw_config] ( variables.tf#L113 ) | Configuration for NGFW Enterprise endpoints. Billing project defaults to the automation project. Network and TLS inspection policy ids support interpolation. | <code title =" object( ;{ ;
 ; endpoint_zones = ; list( ; string) ;
 ; name = ; optional( ; string, " ; ngfw-0" ;) ;
 ; network_associations = ; optional( ; map( ; object( ;{ ;
 ; vpc_id = ; string
 ; disabled = ; optional( ; bool) ;
 ; tls_inspection_policy = ; optional( ; string) ;
 ; zones = ; optional( ; list( ; string) ;) ;
 ; } ;) ;) ; , { ;} ;) ;
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | ✓ | | |
210
+ | [ organization] ( variables-fast.tf#L56 ) | Organization details. | <code title =" object( ;{ ;
 ; domain = ; string
 ; id = ; number
 ; customer_id = ; string
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | ✓ | | <code >0-globals</code > |
211
+ | [ project_id] ( variables.tf#L134 ) | Project where the network security resources will be created. | <code >string</code > | ✓ | | |
216
212
| [ _ fast_debug] ( variables-fast.tf#L19 ) | Internal FAST variable used for testing and debugging. Do not use. | <code title =" object( ;{ ;
 ; skip_datasources = ; optional( ; bool, false) ;
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | | <code >{ ;} ; </code > | |
217
213
| [certificate_authorities](variables.tf#L17) | Certificate Authority Service pool and CAs. If host project ids is null identical pools and CAs are created in every host project. | <code title="map(object({ location = string iam = optional(map(list(string)), {}) iam_bindings = optional(map(any), {}) iam_bindings_additive = optional(map(any), {}) iam_by_principals = optional(map(list(string)), {}) ca_configs = map(object({ deletion_protection = optional(string, true) type = optional(string, "SELF_SIGNED") is_ca = optional(bool, true) lifetime = optional(string, null) pem_ca_certificate = optional(string, null) ignore_active_certificates_on_deletion = optional(bool, false) skip_grace_period = optional(bool, true) labels = optional(map(string), null) gcs_bucket = optional(string, null) key_spec = optional(object({ algorithm = optional(string, "RSA_PKCS1_2048_SHA256") kms_key_id = optional(string, null) }), {}) key_usage = optional(object({ cert_sign = optional(bool, true) client_auth = optional(bool, false) code_signing = optional(bool, false) content_commitment = optional(bool, false) crl_sign = optional(bool, true) data_encipherment = optional(bool, false) decipher_only = optional(bool, false) digital_signature = optional(bool, false) email_protection = optional(bool, false) encipher_only = optional(bool, false) key_agreement = optional(bool, false) key_encipherment = optional(bool, true) ocsp_signing = optional(bool, false) server_auth = optional(bool, true) time_stamping = optional(bool, false) }), {}) subject = optional( object({ common_name = string organization = string country_code = optional(string) locality = optional(string) organizational_unit = optional(string) postal_code = optional(string) province = optional(string) street_address = optional(string) }), { common_name = "test.example.com" organization = "Test Example" } ) subject_alt_name = optional(object({ dns_names = optional(list(string), null) email_addresses = optional(list(string), null) 
ip_addresses = optional(list(string), null) uris = optional(list(string), null) }), null) subordinate_config = optional(object({ root_ca_id = optional(string) pem_issuer_certificates = optional(list(string)) }), null) })) ca_pool_config = optional(object({ create_pool = optional(object({ name = optional(string) tier = optional(string, "DEVOPS") })) use_pool = optional(object({ id = string })) })) }))">map(object({…}))</code> | | <code>{}</code> | |
218
214
| [ certificate_authority_pools] ( variables-fast.tf#L36 ) | Certificate authority pools. | <code title =" map( ; object( ;{ ;
 ; id = ; string
 ; ca_ids = ; map( ; string) ;
 ; location = ; string
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code >{ ;} ; </code > | <code >2-security</code > |
219
- | [ names] ( variables.tf#L97 ) | Configuration for names used for output files. | <code title =" object( ;{ ;
 ; output_files_prefix = ; optional( ; string, " ; 2-networking-ngfw" ;) ;
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | | <code >{ ;} ; </code > | |
220
- | [ outputs_location] ( variables.tf#L121 ) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code >string</code > | | <code >null</code > | |
221
- | [ security_profiles] ( variables.tf#L133 ) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | <code title =" map( ; object( ;{ ;
 ; description = ; optional( ; string) ;
 ; threat_prevention_profile = ; optional( ; object( ;{ ;
 ; severity_overrides = ; optional( ; map( ; object( ;{ ;
 ; action = ; string
 ; severity = ; string
 ; } ;) ;) ;) ;
 ; threat_overrides = ; optional( ; map( ; object( ;{ ;
 ; action = ; string
 ; threat_id = ; string
 ; } ;) ;) ;) ;
 ; } ;) ; , { ;} ;) ;
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code title =" { ;
 ; ngfw-default = ; { ;} ;
 ;} ; " >{ ;… ;} ; </code > | |
222
- | [ tls_inspection_policies] ( variables.tf#L175 ) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | <code title =" map( ; object( ;{ ;
 ; ca_pool_id = ; string
 ; location = ; string
 ; exclude_public_ca_set = ; optional( ; bool) ;
 ; trust_config = ; optional( ; string) ;
 ; tls = ; optional( ; object( ;{ ;
 ; custom_features = ; optional( ; list( ; string) ;) ;
 ; feature_profile = ; optional( ; string) ;
 ; min_version = ; optional( ; string) ;
 ; } ;) ; , { ;} ;) ;
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code >{ ;} ; </code > | |
223
- | [ trust_configs] ( variables.tf#L217 ) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | <code title =" map( ; object( ;{ ;
 ; location = ; string
 ; description = ; optional( ; string) ;
 ; allowlisted_certificates = ; optional( ; map( ; string) ;) ;
 ; trust_stores = ; optional( ; map( ; object( ;{ ;
 ; intermediate_cas = ; optional( ; map( ; string) ;) ;
 ; trust_anchors = ; optional( ; map( ; string) ;) ;
 ; } ;) ;) ;) ;
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code title =" { ;
 ;} ; " >{ ;… ;} ; </code > | |
224
- | [ vpc_self_links] ( variables-fast.tf#L58 ) | VPC network self links. | <code >map( ; string) ; </code > | | <code >{ ;} ; </code > | <code >2-networking</code > |
215
+ | [ enable_services] ( variables.tf#L97 ) | Configure project by enabling services required for this add-on. | <code >bool</code > | | <code >true</code > | |
216
+ | [ host_project_ids] ( variables-fast.tf#L48 ) | Networking stage host project id aliases. | <code >map( ; string) ; </code > | | <code >{ ;} ; </code > | <code >2-networking</code > |
217
+ | [ names] ( variables.tf#L104 ) | Configuration for names used for output files. | <code title =" object( ;{ ;
 ; output_files_prefix = ; optional( ; string, " ; 2-networking-ngfw" ;) ;
 ;} ;) ; " >object( ;{ ;… ;} ;) ; </code > | | <code >{ ;} ; </code > | |
218
+ | [ outputs_location] ( variables.tf#L128 ) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code >string</code > | | <code >null</code > | |
219
+ | [ security_profiles] ( variables.tf#L140 ) | Security profile groups for Layer 7 inspection. Null environment list means all environments. | <code title =" map( ; object( ;{ ;
 ; description = ; optional( ; string) ;
 ; threat_prevention_profile = ; optional( ; object( ;{ ;
 ; severity_overrides = ; optional( ; map( ; object( ;{ ;
 ; action = ; string
 ; severity = ; string
 ; } ;) ;) ;) ;
 ; threat_overrides = ; optional( ; map( ; object( ;{ ;
 ; action = ; string
 ; threat_id = ; string
 ; } ;) ;) ;) ;
 ; } ;) ; , { ;} ;) ;
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code title =" { ;
 ; ngfw-default = ; { ;} ;
 ;} ; " >{ ;… ;} ; </code > | |
220
+ | [ tls_inspection_policies] ( variables.tf#L182 ) | TLS inspection policies configuration. CA pools, trust configs and host project ids support interpolation. | <code title =" map( ; object( ;{ ;
 ; ca_pool_id = ; string
 ; location = ; string
 ; exclude_public_ca_set = ; optional( ; bool) ;
 ; trust_config = ; optional( ; string) ;
 ; tls = ; optional( ; object( ;{ ;
 ; custom_features = ; optional( ; list( ; string) ;) ;
 ; feature_profile = ; optional( ; string) ;
 ; min_version = ; optional( ; string) ;
 ; } ;) ; , { ;} ;) ;
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code >{ ;} ; </code > | |
221
+ | [ trust_configs] ( variables.tf#L224 ) | Certificate Manager trust configurations for TLS inspection policies. Project ids and region can reference keys in the relevant FAST variables. | <code title =" map( ; object( ;{ ;
 ; location = ; string
 ; description = ; optional( ; string) ;
 ; allowlisted_certificates = ; optional( ; map( ; string) ;) ;
 ; trust_stores = ; optional( ; map( ; object( ;{ ;
 ; intermediate_cas = ; optional( ; map( ; string) ;) ;
 ; trust_anchors = ; optional( ; map( ; string) ;) ;
 ; } ;) ;) ;) ;
 ;} ;) ;) ; " >map( ; object( ;{ ;… ;} ;) ;) ; </code > | | <code title =" { ;
 ;} ; " >{ ;… ;} ; </code > | |
222
+ | [ vpc_self_links] ( variables-fast.tf#L66 ) | VPC network self links. | <code >map( ; string) ; </code > | | <code >{ ;} ; </code > | <code >2-networking</code > |
225
223
<!-- END TFDOC -->