diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index a695fa9e..8e412bcf 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -34,6 +34,21 @@ module "test" {
# tftest modules=1 resources=1
```
+If you need the module to create a scoped policy for you, specify 'scopes' of the policy in the `access_policy_create` variable:
+
+```hcl
+module "test" {
+ source = "./fabric/modules/vpc-sc"
+ access_policy = null
+ access_policy_create = {
+ parent = "organizations/123456"
+ title = "vpcsc-policy"
+ scopes = ["folders/456789"]
+ }
+}
+# tftest modules=1 resources=1
+```
+
### Access levels
As highlighted above, the `access_levels` type replicates the underlying resource structure.
@@ -189,11 +204,11 @@ module "test" {
|---|---|:---:|:---:|:---:|
| [access_policy](variables.tf#L56) | Access Policy name, set to null if creating one. | string
| ✓ | |
| [access_levels](variables.tf#L17) | Access level definitions. | map(object({…}))
| | {}
|
-| [access_policy_create](variables.tf#L61) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | object({…})
| | null
|
-| [egress_policies](variables.tf#L70) | Egress policy definitions that can be referenced in perimeters. | map(object({…}))
| | {}
|
-| [ingress_policies](variables.tf#L99) | Ingress policy definitions that can be referenced in perimeters. | map(object({…}))
| | {}
|
-| [service_perimeters_bridge](variables.tf#L130) | Bridge service perimeters. | map(object({…}))
| | {}
|
-| [service_perimeters_regular](variables.tf#L140) | Regular service perimeters. | map(object({…}))
| | {}
|
+| [access_policy_create](variables.tf#L61) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format. | object({…})
| | null
|
+| [egress_policies](variables.tf#L71) | Egress policy definitions that can be referenced in perimeters. | map(object({…}))
| | {}
|
+| [ingress_policies](variables.tf#L100) | Ingress policy definitions that can be referenced in perimeters. | map(object({…}))
| | {}
|
+| [service_perimeters_bridge](variables.tf#L131) | Bridge service perimeters. | map(object({…}))
| | {}
|
+| [service_perimeters_regular](variables.tf#L141) | Regular service perimeters. | map(object({…}))
| | {}
|
## Outputs
diff --git a/modules/vpc-sc/main.tf b/modules/vpc-sc/main.tf
index 0b06b481..7dd58904 100644
--- a/modules/vpc-sc/main.tf
+++ b/modules/vpc-sc/main.tf
@@ -25,4 +25,5 @@ resource "google_access_context_manager_access_policy" "default" {
count = var.access_policy_create != null ? 1 : 0
parent = var.access_policy_create.parent
title = var.access_policy_create.title
+ scopes = var.access_policy_create.scopes
}
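Review bot: The new `scopes` line silently changes the policy's blast radius depending on whether the caller set anything: in Terraform a null argument is the same as omitting it, so a null `scopes` yields an unscoped policy, which (as far as I recall from the provider docs, please confirm) means it applies to the whole organization rather than to the listed folders/projects. Since that is the security boundary this argument controls, a one-line comment would save the next reader a trip to the docs: `# null = unscoped (organization-wide) policy; set folders/… or projects/… to narrow it`. The resource block starts above the hunk, so I cannot see whether a `lifecycle` or other argument already covers this.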
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index a196cc52..a10b0768 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
@@ -59,10 +59,11 @@ variable "access_policy" {
}
variable "access_policy_create" {
- description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format."
+ description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format."
type = object({
parent = string
title = string
+ scopes = optional(list(string), null)
})
default = null
}
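Review bot: The new `scopes` attribute accepts any string, so a typo such as `folder/456789` or a bare project id only fails at apply time, after the access policy resource has already been planned; a `validation` block on the variable catches the format up front, and `try(..., true)` keeps it a no-op when `access_policy_create` or `scopes` is null. The description on the `+` line says `'projects/project_id'`, but I believe the Access Context Manager API expects the project number here rather than the project id — worth confirming against the provider docs before documenting it that way. The `, null` default in `optional(list(string), null)` is redundant (optional attributes default to null already) but harmless; what the description should state is that a null or omitted `scopes` leaves the policy unscoped.
```hcl
variable "access_policy_create" {
  # … unchanged: description, type, default …
  validation {
    condition = try(alltrue([
      for s in var.access_policy_create.scopes :
      can(regex("^(folders|projects)/", s))
    ]), true)
    error_message = "Each scope must be in 'folders/<id>' or 'projects/<id>' format."
  }
}
```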