No pure-TF way to add NAT IPs to swg-autogen-nat created by google_network_services_gateway of type SECURE_WEB_GATEWAY #26479

@glasser

Description

The "Secure Web Proxy" feature (aka google_network_services_gateway with type SECURE_WEB_GATEWAY) automatically creates (within GCP itself) a google_compute_router named swg-autogen-NETWORKNUMERICID and a google_compute_router_nat named swg-autogen-nat.

As far as I can tell, there's no clean way in TF to configure the NAT to use your own manually-assigned IP addresses.

You would think that google_compute_router_nat_address would let you do that, since its whole point is to be a separate resource that lets you add addresses to an existing NAT. However, it can only do that if the NAT's nat_ip_allocate_option is MANUAL_ONLY, and the autogenerated NAT is AUTO_ONLY.

You can sort of make it work by importing:

resource "google_compute_router_nat" "swg-autogen-nat" {
  project = var.host_project_id
  region  = var.region
  router  = "swg-autogen-router-${data.google_compute_network.host_network.network_id}"
  name    = "swg-autogen-nat"

  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.fixed_egress_proxy_nat_ip.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  endpoint_types                     = ["ENDPOINT_TYPE_SWG"]
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }

  # The Router and NAT are created by the gateway.
  depends_on = [
    google_network_services_gateway.fixed_egress_proxy,
  ]
}

# We don't create or destroy this (the SWG does). Unfortunately there's no clean
# way to destroy this module automatically.
import {
  id = "projects/${var.host_project_id}/regions/${var.region}/routers/swg-autogen-router-${data.google_compute_network.host_network.network_id}/swg-autogen-nat"
  to = google_compute_router_nat.swg-autogen-nat
}

but there's no clean way to destroy a module/project that has this in it, and you can't just include this in the module directly since you can't import until you've created the gateway.

Ideally this overall use case could be better supported:

  • Maybe you can pass an argument to google_compute_router_nat_address that tells it to set the allocation option to MANUAL_ONLY?
  • Maybe google_network_services_gateway would expose attributes that give you the router and NAT name directly?
  • Or maybe google_network_services_gateway just would have a block that lets you set NAT configuration on its auto-generated NAT directly?

New or Affected Resource(s)

  • google_network_services_gateway
  • google_compute_router_nat
  • google_compute_router_nat_address

Potential Terraform Configuration

No response

References

No response
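The workaround above still leaves the question of whether the auto-generated NAT actually ended up pinned to reserved addresses (if it did not, the proxy's egress IPs are ephemeral and cannot be allowlisted by the upstream services the proxy fronts). The following audit script is an added example, not code from the issue or from the google provider. It assumes the router/NAT naming the issue describes (swg-autogen-router-NETWORKID / swg-autogen-nat), the RouterNat field names natIpAllocateOption, natIps and endpointTypes as returned by `gcloud compute routers nats list --format=json` (Compute API RouterNat resource), and a constructed sample in that shape; the project, region and network ID values are placeholders.

```python
"""Audit Cloud NAT configs for Secure Web Proxy egress-IP pinning.

Added example (not from the issue or the provider). Input is JSON in the shape
of `gcloud compute routers nats list --router=... --region=... --format=json`.
Field names follow the Compute API RouterNat resource (assumption stated in
the lead-in); the sample below is constructed, not captured from a project.
"""
import json

SWG_ROUTER_PREFIX = "swg-autogen-router-"   # router created by the gateway
SWG_NAT_NAME = "swg-autogen-nat"            # NAT created by the gateway
SWG_ENDPOINT = "ENDPOINT_TYPE_SWG"

# Constructed sample: one untouched SWG NAT, one correctly pinned VM NAT and one
# MANUAL_ONLY NAT that has lost its addresses (placeholder names throughout).
SAMPLE_NATS_JSON = json.dumps([
    {
        "name": SWG_NAT_NAME,
        "natIpAllocateOption": "AUTO_ONLY",
        "endpointTypes": [SWG_ENDPOINT],
        "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
    },
    {
        "name": "vm-nat",
        "natIpAllocateOption": "MANUAL_ONLY",
        "natIps": ["https://www.googleapis.com/compute/v1/projects/host-proj/"
                   "regions/us-central1/addresses/vm-egress"],
        "endpointTypes": ["ENDPOINT_TYPE_VM"],
    },
    {
        "name": "broken-nat",
        "natIpAllocateOption": "MANUAL_ONLY",
        "natIps": [],
        "endpointTypes": ["ENDPOINT_TYPE_VM"],
    },
])


def swg_router_name(network_id):
    """Name of the router the gateway auto-creates for a given network ID."""
    return f"{SWG_ROUTER_PREFIX}{network_id}"


def swg_nat_import_id(project, region, network_id):
    """Terraform import ID for google_compute_router_nat of the auto-generated NAT."""
    return (f"projects/{project}/regions/{region}/routers/"
            f"{swg_router_name(network_id)}/{SWG_NAT_NAME}")


def classify_nat(nat):
    """Classify a RouterNat by whether its egress addresses are pinned.

    pinned       : MANUAL_ONLY with at least one reserved address listed.
    no-addresses : MANUAL_ONLY but natIps empty; nothing to allowlist, so
                   either the config is incomplete or an address was removed.
    ephemeral    : AUTO_ONLY (or unset); Google picks the addresses and they
                   are not stable enough for downstream allowlists.
    """
    option = nat.get("natIpAllocateOption")
    ips = nat.get("natIps") or []
    if option == "MANUAL_ONLY" and ips:
        return "pinned"
    if option == "MANUAL_ONLY":
        return "no-addresses"
    return "ephemeral"


def audit_nats(nats, swg_only=True):
    """Map NAT name -> classification; by default only NATs serving the proxy."""
    report = {}
    for nat in nats:
        if swg_only and SWG_ENDPOINT not in nat.get("endpointTypes", []):
            continue
        report[nat["name"]] = classify_nat(nat)
    return report


def audit_sample(swg_only=False):
    """Run the audit over the constructed sample (used by the stand-alone run)."""
    return audit_nats(json.loads(SAMPLE_NATS_JSON), swg_only=swg_only)


if __name__ == "__main__":
    for name, status in audit_sample().items():
        print(f"{name}: {status}")
    # Import ID you would hand to Terraform once the gateway exists (placeholders).
    print(swg_nat_import_id("host-proj", "us-central1", "1234567890"))
```

In practice the JSON would come from the gcloud command named above, and any SWG NAT reported as "ephemeral" is one whose egress addresses have not been moved to MANUAL_ONLY with reserved addresses, which is exactly the state the import workaround is meant to fix.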
