/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
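variable "access_levels" {
  # Access Context Manager access levels, keyed by level name. Each level is a
  # list of conditions; `combining_function` (null / "AND" / "OR", enforced
  # below) selects how those conditions are combined. A null value leaves the
  # choice to the resource code in main.tf.
  description = "Access level definitions."
  type = map(object({
    combining_function = optional(string)
    conditions = optional(list(object({
      # Device posture requirements. `require_admin_approval` and
      # `require_corp_owned` are deliberately mandatory once a device_policy
      # is given, so a caller cannot omit the two strongest device checks
      # by accident.
      device_policy = optional(object({
        allowed_device_management_levels = optional(list(string))
        allowed_encryption_statuses      = optional(list(string))
        require_admin_approval           = bool
        require_corp_owned               = bool
        require_screen_lock              = optional(bool)
        os_constraints = optional(list(object({
          os_type                    = string
          minimum_version            = optional(string)
          require_verified_chrome_os = optional(bool)
        })))
      }))
      # Source IP blocks. Validated below to be CIDR notation so a typo is
      # caught at plan time rather than at apply.
      ip_subnetworks = optional(list(string), [])
      # Principals the condition applies to. The expected prefix format is an
      # Access Context Manager convention and is not checked here — TODO
      # confirm against main.tf.
      members = optional(list(string), [])
      # Presumably inverts the condition result; semantics live in the API.
      negate                 = optional(bool)
      regions                = optional(list(string), [])
      required_access_levels = optional(list(string), [])
    })), [])
    description = optional(string)
  }))
  default  = {}
  nullable = false
  validation {
    condition = alltrue([
      for k, v in var.access_levels : (
        v.combining_function == null ||
        v.combining_function == "AND" ||
        v.combining_function == "OR"
      )
    ])
    error_message = "Invalid `combining_function` value (null, \"AND\", \"OR\" accepted)."
  }
  validation {
    # Syntactic CIDR check only (IPv4 or IPv6): cidrhost() fails on a bare
    # address or malformed prefix. Whether the API further requires host bits
    # to be zero is not checked here.
    condition = alltrue(flatten([
      for k, v in var.access_levels : [
        for c in v.conditions : [
          for s in c.ip_subnetworks : can(cidrhost(s, 0))
        ]
      ]
    ]))
    error_message = "Each `ip_subnetworks` entry must be an IPv4 or IPv6 block in CIDR notation (e.g. \"192.0.2.0/24\")."
  }
}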
variable "access_policy" {
  # Name of an existing Access Policy that the perimeters and access levels
  # are attached to. There is no default, so callers must pass it explicitly;
  # pass null when the policy is created via `access_policy_create`. Terraform
  # cannot cross-check the two variables here, so that pairing is the caller's
  # responsibility.
  description = "Access Policy name, set to null if creating one."
  type        = string
}
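variable "access_policy_create" {
  # Set to create the Access Policy from this module; leave null to reuse the
  # policy named in `access_policy`. The formats stated in the description are
  # now enforced at plan time by the validations below.
  description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format."
  type = object({
    parent = string
    title  = string
    # Optional list restricting the policy to specific folders/projects;
    # null means the policy is not scoped.
    scopes = optional(list(string), null)
  })
  default = null
  validation {
    # can() also absorbs the null-attribute error when the whole object is
    # null, so the check only bites when a policy is actually being created.
    condition = (
      var.access_policy_create == null ||
      can(regex("^organizations/[0-9]+$", var.access_policy_create.parent))
    )
    error_message = "`access_policy_create.parent` must be in 'organizations/123456' format."
  }
  validation {
    # try() returns true when the object or its scopes list is null.
    condition = try(alltrue([
      for s in var.access_policy_create.scopes :
      can(regex("^(folders/[0-9]+|projects/[a-z0-9-]+)$", s))
    ]), true)
    error_message = "`access_policy_create.scopes` entries must be in 'folders/456789' or 'projects/project_id' format."
  }
}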
variable "egress_policies" {
  # Reusable egress rules, keyed by name and referenced from perimeters via
  # `spec.egress_policies` / `status.egress_policies`.
  description = "Egress policy definitions that can be referenced in perimeters."
  type = map(object({
    from = object({
      # SECURITY NOTE: the default "ANY_IDENTITY" is the broadest match, so a
      # rule that does not narrow it applies to every principal inside the
      # perimeter. Use "ANY_USER" / "ANY_SERVICE_ACCOUNT" or an explicit
      # `identities` list to scope it; how `identities` combines with a
      # non-empty identity_type is decided in main.tf — TODO confirm.
      identity_type = optional(string, "ANY_IDENTITY")
      identities    = optional(list(string))
    })
    to = object({
      # Each operation names one service plus the methods and/or permissions
      # allowed on it; an empty list is the module default.
      operations = optional(list(object({
        method_selectors     = optional(list(string))
        permission_selectors = optional(list(string))
        service_name         = string
      })), [])
      resources = optional(list(string))
      # Presumably marks `resources` as external to the perimeter; exact
      # mapping is in main.tf.
      resource_type_external = optional(bool, false)
    })
  }))
  default  = {}
  nullable = false
  validation {
    # Collect the keys of every policy whose identity_type is outside the
    # accepted set; the input is valid only when that list is empty. The
    # empty string is accepted alongside the API enum values.
    condition = length([
      for name, policy in var.egress_policies : name
      if !contains([
        "IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY",
        "ANY_USER", "ANY_SERVICE_ACCOUNT", ""
      ], policy.from.identity_type)
    ]) == 0
    error_message = "Invalid `from.identity_type` value in egress policy."
  }
}
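variable "ingress_policies" {
  # Reusable ingress rules, keyed by name and referenced from perimeters via
  # `spec.ingress_policies` / `status.ingress_policies`.
  description = "Ingress policy definitions that can be referenced in perimeters."
  type = map(object({
    from = object({
      access_levels = optional(list(string), [])
      # Unlike `egress_policies`, identity_type has no default here: null
      # leaves identity handling to main.tf. Note the accepted set below does
      # not include "" — intentional asymmetry or not, confirm before aligning.
      identity_type = optional(string)
      identities    = optional(list(string))
      resources     = optional(list(string), [])
    })
    to = object({
      # Each operation names one service plus the methods and/or permissions
      # allowed on it; an empty list is the module default.
      operations = optional(list(object({
        method_selectors     = optional(list(string))
        permission_selectors = optional(list(string))
        service_name         = string
      })), [])
      resources = optional(list(string))
    })
  }))
  default  = {}
  nullable = false
  validation {
    # `||` is not guaranteed to short-circuit in HCL, so coalesce() keeps
    # contains() from ever seeing a null identity_type.
    condition = alltrue([
      for k, v in var.ingress_policies :
      v.from.identity_type == null || contains([
        "IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY",
        "ANY_USER", "ANY_SERVICE_ACCOUNT"
      ], coalesce(v.from.identity_type, "-"))
    ])
    # Message previously read "eress policy".
    error_message = "Invalid `from.identity_type` value in ingress policy."
  }
}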
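variable "service_perimeters_bridge" {
  # Bridge perimeters, keyed by name. Following the provider's perimeter
  # model, `status_resources` is the enforced configuration and
  # `spec_resources` the dry-run one, activated by `use_explicit_dry_run_spec`
  # — so a bridge that sets only spec_resources enforces nothing. Review
  # configs with that in mind.
  description = "Bridge service perimeters."
  type = map(object({
    spec_resources            = optional(list(string))
    status_resources          = optional(list(string))
    use_explicit_dry_run_spec = optional(bool, false)
  }))
  default = {}
  # Added for consistency with the other map variables in this file: an
  # explicit null input now falls back to the empty default instead of being
  # passed through to the resources.
  nullable = false
}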
variable "service_perimeters_regular" {
  # Regular perimeters, keyed by name. `status` is the enforced configuration
  # and `spec` the dry-run one (provider perimeter model); `spec` is only used
  # when `use_explicit_dry_run_spec` is true. The two objects share the same
  # shape, duplicated because HCL has no type aliases. Keys in the
  # `egress_policies` / `ingress_policies` lists refer to the names declared
  # in the variables of the same name.
  description = "Regular service perimeters."
  type = map(object({
    use_explicit_dry_run_spec = optional(bool, false)
    # Dry-run configuration: violations are logged, not blocked — presumably,
    # per the provider's model; confirm when relying on it.
    spec = optional(object({
      access_levels       = optional(list(string))
      resources           = optional(list(string))
      # An empty or null list presumably restricts no service — confirm.
      restricted_services = optional(list(string))
      egress_policies     = optional(list(string))
      ingress_policies    = optional(list(string))
      # `enable_restriction` is mandatory here so a caller setting this block
      # must state explicitly whether the allow-list is enforced.
      vpc_accessible_services = optional(object({
        allowed_services   = list(string)
        enable_restriction = bool
      }))
    }))
    # Enforced configuration; same shape as `spec`.
    status = optional(object({
      access_levels       = optional(list(string))
      resources           = optional(list(string))
      restricted_services = optional(list(string))
      egress_policies     = optional(list(string))
      ingress_policies    = optional(list(string))
      vpc_accessible_services = optional(object({
        allowed_services   = list(string)
        enable_restriction = bool
      }))
    }))
  }))
  default  = {}
  nullable = false
}