Merge pull request #118 from artusiep/artusiep/configurable_ssl_policy
bschaatsbergen committed Jun 14, 2023
2 parents d2157aa + f534881 commit a2a844f
Showing 4 changed files with 17 additions and 2 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -229,8 +229,9 @@ You can check the status of the certificate in the Google Cloud Console.
| <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis | <pre>object({<br> email = string,<br> scopes = list(string)<br> })</pre> | <pre>{<br> "email": "",<br> "scopes": [<br> "cloud-platform"<br> ]<br>}</pre> | no |
| <a name="input_shielded_instance_config"></a> [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded instance configuration | <pre>object({<br> enable_integrity_monitoring = bool<br> enable_vtpm = bool<br> enable_secure_boot = bool<br>})</pre> | <pre>{<br> enable_integrity_monitoring = true<br> enable_vtpm = true<br> enable_secure_boot = true<br>}</pre> | no |
| <a name="input_shielded_instance_config"></a> [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits | <pre>object({<br> enable_integrity_monitoring = optional(bool)<br> enable_vtpm = optional(bool)<br> enable_secure_boot = optional(bool)<br> })</pre> | <pre>{<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": true,<br> "enable_vtpm": true<br>}</pre> | no |
| <a name="input_spot_machine_enabled"></a> [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no |
| <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no |
| <a name="input_startup_script"></a> [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no |
| <a name="input_subnetwork"></a> [subnetwork](#input\_subnetwork) | Name of the subnetwork to attach a network interface to | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to attach to the instance running Atlantis | `list(string)` | `[]` | no |
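Review bot: The `shielded_instance_config` row is rewritten in this hunk (new description, fields changed to `optional(bool)`, default reformatted), which is unrelated to the `ssl_policy` input this change adds. If the table is regenerated from variables.tf that is fine, but note it in the PR description or split it out so the row can be checked against the variable it documents. The new wording "prevent against malware" would also read better as "protect against malware".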
7 changes: 7 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -105,3 +105,10 @@ resource "google_dns_record_set" "default" {
]
project = local.project_id
}

resource "google_compute_ssl_policy" "default" {
name = "example-ssl-policy"
profile = "RESTRICTED"
min_tls_version = "TLS_1_2"
project = local.project_id
}
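Review bot: `google_compute_ssl_policy.default` is declared at the end of the example, but nothing in this file's diff passes it to the module: the file header reports 7 additions and all of them are this resource block. As written, the example creates a `RESTRICTED` / `TLS_1_2` policy that no proxy uses. Add `ssl_policy = google_compute_ssl_policy.default.name` to the module block in this example so it exercises the new input.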
3 changes: 2 additions & 1 deletion main.tf
Expand Up @@ -381,7 +381,8 @@ resource "google_compute_target_https_proxy" "default" {
ssl_certificates = [
google_compute_managed_ssl_certificate.default.id,
]
project = var.project
ssl_policy = var.ssl_policy
project = var.project
}

resource "google_compute_global_forwarding_rule" "https" {
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -122,6 +122,12 @@ variable "iap" {
default = null
}

variable "ssl_policy" {
type = string
description = "The SSL policy name that the certificate must follow"
default = null
}

variable "tags" {
type = list(string)
description = "Tags to attach to the instance running Atlantis"
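Review bot: The description on `ssl_policy` says the policy is something "the certificate must follow", but main.tf sets it on `google_compute_target_https_proxy`, so it governs the proxy's TLS settings (the example policy sets `profile` and `min_tls_version`), not the certificate. Suggest wording such as "Name of the SSL policy to attach to the HTTPS target proxy", and state what `default = null` means for callers who leave it unset. The same sentence is copied into the README inputs table and should change with it.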