Gateway represents the configuration for a proxy, typically a load balancer. It captures the ip:port over which the services are exposed by the proxy, along with any policy configurations. Routes reference Gateways to dictate how requests should be routed by this Gateway.
To get more information about Gateway, see:
Example usage (basic gateway):

```hcl
resource "google_network_services_gateway" "default" {
  name  = "my-gateway"
  scope = "default-scope-basic"
  type  = "OPEN_MESH"
  ports = [443]
}
```
Example usage (advanced gateway with labels and a description):

```hcl
resource "google_network_services_gateway" "default" {
  name = "my-gateway"
  labels = {
    foo = "bar"
  }
  description = "my description"
  type        = "OPEN_MESH"
  ports       = [443]
  scope       = "default-scope-advance"
}
```
Example usage (secure web gateway with its certificate, network, proxy-only subnet and security policy):

```hcl
resource "google_certificate_manager_certificate" "default" {
  name     = "my-certificate"
  location = "us-central1"
  self_managed {
    pem_certificate = file("test-fixtures/cert.pem")
    pem_private_key = file("test-fixtures/private-key.pem")
  }
}

resource "google_compute_network" "default" {
  name                    = "my-network"
  routing_mode            = "REGIONAL"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "default" {
  name          = "my-subnetwork-name"
  purpose       = "PRIVATE"
  ip_cidr_range = "10.128.0.0/20"
  region        = "us-central1"
  network       = google_compute_network.default.id
  role          = "ACTIVE"
}

resource "google_compute_subnetwork" "proxyonlysubnet" {
  name          = "my-proxy-only-subnetwork"
  purpose       = "REGIONAL_MANAGED_PROXY"
  ip_cidr_range = "192.168.0.0/23"
  region        = "us-central1"
  network       = google_compute_network.default.id
  role          = "ACTIVE"
}

resource "google_network_security_gateway_security_policy" "default" {
  name     = "my-policy-name"
  location = "us-central1"
}

resource "google_network_security_gateway_security_policy_rule" "default" {
  name                    = "my-policyrule-name"
  location                = "us-central1"
  gateway_security_policy = google_network_security_gateway_security_policy.default.name
  enabled                 = true
  priority                = 1
  session_matcher         = "host() == 'example.com'"
  basic_profile           = "ALLOW"
}

resource "google_network_services_gateway" "default" {
  name                                 = "my-gateway1"
  location                             = "us-central1"
  addresses                            = ["10.128.0.99"]
  type                                 = "SECURE_WEB_GATEWAY"
  ports                                = [443]
  scope                                = "my-default-scope1"
  certificate_urls                     = [google_certificate_manager_certificate.default.id]
  gateway_security_policy              = google_network_security_gateway_security_policy.default.id
  network                              = google_compute_network.default.id
  subnetwork                           = google_compute_subnetwork.default.id
  delete_swg_autogen_router_on_destroy = true
  depends_on                           = [google_compute_subnetwork.proxyonlysubnet]
}
```
Example usage (two secure web gateways sharing the same network and subnetwork):

```hcl
resource "google_certificate_manager_certificate" "default" {
  name     = "my-certificate"
  location = "us-south1"
  self_managed {
    pem_certificate = file("test-fixtures/cert.pem")
    pem_private_key = file("test-fixtures/private-key.pem")
  }
}

resource "google_compute_network" "default" {
  name                    = "my-network"
  routing_mode            = "REGIONAL"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "default" {
  name          = "my-subnetwork-name"
  purpose       = "PRIVATE"
  ip_cidr_range = "10.128.0.0/20"
  region        = "us-south1"
  network       = google_compute_network.default.id
  role          = "ACTIVE"
}

resource "google_compute_subnetwork" "proxyonlysubnet" {
  name          = "my-proxy-only-subnetwork"
  purpose       = "REGIONAL_MANAGED_PROXY"
  ip_cidr_range = "192.168.0.0/23"
  region        = "us-south1"
  network       = google_compute_network.default.id
  role          = "ACTIVE"
}

resource "google_network_security_gateway_security_policy" "default" {
  name     = "my-policy-name"
  location = "us-south1"
}

resource "google_network_security_gateway_security_policy_rule" "default" {
  name                    = "my-policyrule-name"
  location                = "us-south1"
  gateway_security_policy = google_network_security_gateway_security_policy.default.name
  enabled                 = true
  priority                = 1
  session_matcher         = "host() == 'example.com'"
  basic_profile           = "ALLOW"
}

resource "google_network_services_gateway" "default" {
  name                                 = "my-gateway1"
  location                             = "us-south1"
  addresses                            = ["10.128.0.99"]
  type                                 = "SECURE_WEB_GATEWAY"
  ports                                = [443]
  scope                                = "my-default-scope1"
  certificate_urls                     = [google_certificate_manager_certificate.default.id]
  gateway_security_policy              = google_network_security_gateway_security_policy.default.id
  network                              = google_compute_network.default.id
  subnetwork                           = google_compute_subnetwork.default.id
  delete_swg_autogen_router_on_destroy = true
  depends_on                           = [google_compute_subnetwork.proxyonlysubnet]
}

resource "google_network_services_gateway" "gateway2" {
  name                                 = "my-gateway2"
  location                             = "us-south1"
  addresses                            = ["10.128.0.98"]
  type                                 = "SECURE_WEB_GATEWAY"
  ports                                = [443]
  scope                                = "my-default-scope2"
  certificate_urls                     = [google_certificate_manager_certificate.default.id]
  gateway_security_policy              = google_network_security_gateway_security_policy.default.id
  network                              = google_compute_network.default.id
  subnetwork                           = google_compute_subnetwork.default.id
  delete_swg_autogen_router_on_destroy = true
  depends_on                           = [google_compute_subnetwork.proxyonlysubnet]
}
```
The following arguments are supported:

* `type` - (Required) Immutable. The type of the customer-managed gateway. Possible values are: `TYPE_UNSPECIFIED`, `OPEN_MESH`, `SECURE_WEB_GATEWAY`.
* `ports` - (Required) One or more port numbers (1-65535) on which the Gateway will receive traffic. The proxy binds to the specified ports. Gateways of type `SECURE_WEB_GATEWAY` are limited to 1 port. Gateways of type `OPEN_MESH` listen on 0.0.0.0 and support multiple ports.
* `name` - (Required) Short name of the Gateway resource to be created.
* `labels` - (Optional) Set of label tags associated with the Gateway resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource.
* `description` - (Optional) A free-text description of the resource. Max length 1024 characters.
* `scope` - (Optional) Immutable. Scope determines how configuration across multiple Gateway instances is merged. The configuration for multiple Gateway instances with the same scope will be merged and presented as a single configuration to the proxy/load balancer. Max length 64 characters. Scope should start with a letter and can only have letters, numbers, hyphens.
* `server_tls_policy` - (Optional) A fully-qualified ServerTLSPolicy URL reference. Specifies how TLS traffic is terminated. If empty, TLS termination is disabled.
* `addresses` - (Optional) Zero or one IPv4 address on which the Gateway will receive the traffic. When no address is provided, an IP from the subnetwork is allocated. This field only applies to gateways of type `SECURE_WEB_GATEWAY`. Gateways of type `OPEN_MESH` listen on 0.0.0.0.
* `subnetwork` - (Optional) The relative resource name identifying the subnetwork in which this SWG is allocated. For example: `projects/*/regions/us-central1/subnetworks/network-1`. Currently, this field is specific to gateways of type `SECURE_WEB_GATEWAY`.
* `network` - (Optional) The relative resource name identifying the VPC network that is using this configuration. For example: `projects/*/global/networks/network-1`. Currently, this field is specific to gateways of type `SECURE_WEB_GATEWAY`.
* `gateway_security_policy` - (Optional) A fully-qualified GatewaySecurityPolicy URL reference. Defines how a server should apply security policy to inbound (VM to Proxy) initiated connections. For example: `projects/*/locations/*/gatewaySecurityPolicies/swg-policy`. This policy is specific to gateways of type `SECURE_WEB_GATEWAY`.
* `certificate_urls` - (Optional) A fully-qualified Certificates URL reference. The proxy presents a Certificate (selected based on SNI) when establishing a TLS connection. This feature only applies to gateways of type `SECURE_WEB_GATEWAY`.
* `location` - (Optional) The location of the gateway. The default value is `global`.
* `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
* `delete_swg_autogen_router_on_destroy` - (Optional) When deleting a gateway of type `SECURE_WEB_GATEWAY`, this boolean option will also delete the router auto-generated by the gateway creation. The router is deleted only if there is no other gateway of type `SECURE_WEB_GATEWAY` remaining for that region and network.
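A pre-apply check that enforces the argument constraints listed above over `terraform show -json` plan output, added here as an example (not provider code). The plan excerpt is constructed, and the final check for a `SECURE_WEB_GATEWAY` without a `gateway_security_policy` is this example's own hardening rule, not a documented requirement:

```python
import json
import re

# Limits documented for google_network_services_gateway (example code, not provider code).
VALID_TYPES = {"OPEN_MESH", "SECURE_WEB_GATEWAY"}
SCOPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
SWG_ONLY = ("addresses", "subnetwork", "network", "gateway_security_policy", "certificate_urls")

def check_gateway(cfg):
    """Return the list of violations for one gateway's planned argument values."""
    problems = []
    gw_type = cfg.get("type")
    if gw_type not in VALID_TYPES:
        problems.append(f"type must be OPEN_MESH or SECURE_WEB_GATEWAY, got {gw_type!r}")
    ports = cfg.get("ports") or []
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        problems.append("ports must hold one or more values in 1-65535")
    if gw_type == "SECURE_WEB_GATEWAY" and len(ports) > 1:
        problems.append("SECURE_WEB_GATEWAY gateways are limited to 1 port")
    scope = cfg.get("scope")
    if scope is not None and (len(scope) > 64 or not SCOPE_RE.match(scope)):
        problems.append("scope must start with a letter, use letters/numbers/hyphens, max 64 chars")
    if len(cfg.get("description") or "") > 1024:
        problems.append("description exceeds 1024 characters")
    if len(cfg.get("addresses") or []) > 1:
        problems.append("addresses accepts zero or one IPv4 address")
    if gw_type == "OPEN_MESH":
        problems += [f"{f} only applies to SECURE_WEB_GATEWAY gateways" for f in SWG_ONLY if cfg.get(f)]
    # Hardening policy of this example, not a provider rule: a SWG should carry a security policy.
    if gw_type == "SECURE_WEB_GATEWAY" and not cfg.get("gateway_security_policy"):
        problems.append("SECURE_WEB_GATEWAY has no gateway_security_policy attached")
    return problems

def check_plan(plan_json):
    """Check every google_network_services_gateway in a `terraform show -json tfplan` document."""
    results = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") == "google_network_services_gateway":
            after = (rc.get("change") or {}).get("after") or {}  # planned values; None on destroy
            results[rc["address"]] = check_gateway(after)
    return results

# Constructed plan excerpt (not real terraform output): one compliant and one non-compliant gateway.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_network_services_gateway.default", "type": "google_network_services_gateway",
     "change": {"after": {"type": "SECURE_WEB_GATEWAY", "ports": [443], "scope": "my-default-scope1",
                          "addresses": ["10.128.0.99"], "gateway_security_policy": "projects/*/locations/*/gatewaySecurityPolicies/swg-policy"}}},
    {"address": "google_network_services_gateway.bad", "type": "google_network_services_gateway",
     "change": {"after": {"type": "SECURE_WEB_GATEWAY", "ports": [80, 443], "scope": "1bad_scope", "addresses": ["10.0.0.1", "10.0.0.2"]}}}]})
```

Feed it a real plan with `check_plan(open("plan.json").read())` after `terraform plan -out tfplan && terraform show -json tfplan > plan.json`; a non-empty list for any address means the plan should not be applied.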
In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/gateways/{{name}}`
* `self_link` - Server-defined URL of this resource.
* `create_time` - Time the AccessPolicy was created in UTC.
* `update_time` - Time the AccessPolicy was updated in UTC.
* `terraform_labels` - The combination of labels configured directly on the resource and default labels configured on the provider.
* `effective_labels` - All labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:

* `create` - Default is 30 minutes.
* `update` - Default is 30 minutes.
* `delete` - Default is 30 minutes.

Gateway can be imported using any of these accepted formats:

* `projects/{{project}}/locations/{{location}}/gateways/{{name}}`
* `{{project}}/{{location}}/{{name}}`
* `{{location}}/{{name}}`

In Terraform v1.5.0 and later, use an `import` block to import Gateway using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/locations/{{location}}/gateways/{{name}}"
  to = google_network_services_gateway.default
}
```

When using the `terraform import` command, Gateway can be imported using one of the formats above. For example:

```
$ terraform import google_network_services_gateway.default projects/{{project}}/locations/{{location}}/gateways/{{name}}
$ terraform import google_network_services_gateway.default {{project}}/{{location}}/{{name}}
$ terraform import google_network_services_gateway.default {{location}}/{{name}}
```
This resource supports User Project Overrides.