# VPC Service Control Module
This module allows managing VPC Service Control (VPC-SC) properties:
- [Access Policy](https://cloud.google.com/access-context-manager/docs/create-access-policy)
- [Access Levels](https://cloud.google.com/access-context-manager/docs/manage-access-levels)
- [VPC-SC Perimeters](https://cloud.google.com/vpc-service-controls/docs/service-perimeters)
Use of this module requires credentials with the [correct permissions](https://cloud.google.com/access-context-manager/docs/access-control) to use Access Context Manager.
## Example VPC-SC standard perimeter
```hcl
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  # enforcement mode -> access level -> list of perimeter keys
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  ingress_policies = {
    ingress_1 = {
      ingress_from = {
        identity_type = "ANY_IDENTITY"
      }
      ingress_to = {
        resources = ["*"]
        operations = {
          "storage.googleapis.com"  = [{ method = "google.storage.objects.create" }]
          "bigquery.googleapis.com" = [{ method = "BigQueryStorage.ReadRows" }]
        }
      }
    }
  }
  # the perimeter keys here must match keys in the perimeters variable below
  ingress_policies_perimeters = {
    enforced = {
      ingress_1 = ["perimeter"]
    }
  }
  egress_policies = {
    egress_1 = {
      egress_from = {
        identity_type = "ANY_USER_ACCOUNT"
      }
      egress_to = {
        resources = ["*"]
        operations = {
          "storage.googleapis.com"  = [{ method = "google.storage.objects.create" }]
          "bigquery.googleapis.com" = [
            { method = "BigQueryStorage.ReadRows" },
            { method = "TableService.ListTables" },
            { permission = "bigquery.jobs.get" }
          ]
        }
      }
    }
  }
  egress_policies_perimeters = {
    enforced = {
      egress_1 = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  # perimeter -> enforcement mode -> project numbers
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}
# tftest:modules=1:resources=3
```
## Example VPC-SC standard perimeter with one service and one project in dry run mode
```hcl
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      # dry run adds bigquery without enforcing it; violations are only logged
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }
}
# tftest:modules=1:resources=3
```
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| access_policy_title | Access Policy title to be created. | <code title="">string</code> | ✓ | |
| organization_id | Organization id in organizations/nnnnnn format. | <code title="">string</code> | ✓ | |
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) required_access_levels = list(string) members = list(string) negate = string regions = list(string) })) }))">map(object({...}))</code> | | <code title="">{}</code> |
| *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies). | <code title=""></code> | | <code title="">null</code> |
| *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
| *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies). | <code title=""></code> | | <code title="">null</code> |
| *ingress_policies_perimeters* | Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
| *perimeter_projects* | Perimeter -> Enforced Mode -> Project numbers mapping. Enforced mode can be 'enforced' or 'dry_run'. | <code title="map(map(list(number)))">map(map(list(number)))</code> | | <code title="">{}</code> |
| *perimeters* | Set of Perimeters. | <code title="map(object({ type = string dry_run_config = object({ restricted_services = list(string) vpc_accessible_services = list(string) }) enforced_config = object({ restricted_services = list(string) vpc_accessible_services = list(string) }) }))">map(object({...}))</code> | | <code title="">{}</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| access_levels | Access Levels. | |
| access_policy_name | Access Policy resource. | |
| organization_id | Organization id dependent on module resources. | |
| perimeters_bridge | VPC-SC bridge perimeter resources. | |
| perimeters_standard | VPC-SC standard perimeter resources. | |
<!-- END TFDOC -->