Enable multiple vpc-sc perimeters over multiple modules

This commit is contained in:
Daniel Marzini 2021-07-22 09:19:10 +02:00
parent 1c6707b982
commit 0f10e820f9
4 changed files with 110 additions and 4 deletions


@ -136,6 +136,95 @@ module "vpc-sc" {
# tftest:modules=1:resources=3
```
## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
```hcl
module "vpc-sc-first" {
source = "./modules/vpc-sc"
organization_id = "organizations/112233"
access_policy_title = "My Org Access Policy"
access_levels = {
my_trusted_proxy = {
combining_function = "AND"
conditions = [{
ip_subnetworks = ["85.85.85.52/32"]
required_access_levels = null
members = []
negate = false
regions = null
}]
}
}
access_level_perimeters = {
enforced = {
my_trusted_proxy = ["perimeter"]
}
}
perimeters = {
perimeter = {
type = "PERIMETER_TYPE_REGULAR"
dry_run_config = {
restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
}
enforced_config = {
restricted_services = ["storage.googleapis.com"]
vpc_accessible_services = ["storage.googleapis.com"]
}
}
}
perimeter_projects = {
perimeter = {
enforced = [111111111, 222222222]
dry_run = [333333333]
}
}
}
module "vpc-sc-second" {
source = "./modules/vpc-sc"
organization_id = "organizations/112233"
access_policy_create = false
access_policy_name = module.vpc-sc-first.access_policy_name
access_levels = {
my_trusted_proxy = {
combining_function = "AND"
conditions = [{
ip_subnetworks = ["85.85.85.52/32"]
required_access_levels = null
members = []
negate = false
regions = null
}]
}
}
access_level_perimeters = {
enforced = {
my_trusted_proxy = ["secperimeter"]
}
}
perimeters = {
secperimeter = {
type = "PERIMETER_TYPE_REGULAR"
dry_run_config = {
restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
}
enforced_config = {
restricted_services = ["storage.googleapis.com"]
vpc_accessible_services = ["storage.googleapis.com"]
}
}
}
perimeter_projects = {
secperimeter = {
enforced = [444444444, 666666666]
dry_run = [555555555]
}
}
}
# tftest:modules=1:resources=3
```
<!-- BEGIN TFDOC -->
## Variables


@ -15,7 +15,11 @@
*/
locals {
access_policy_name = google_access_context_manager_access_policy.default.name
access_policy_name = (
var.access_policy_create
? try(google_access_context_manager_access_policy.default[0].name, null)
: var.access_policy_name
)
standard_perimeters = {
for key, value in var.perimeters :
@ -36,8 +40,9 @@ locals {
}
resource "google_access_context_manager_access_policy" "default" {
count = var.access_policy_create ? 1 : 0
parent = var.organization_id
title = var.access_policy_title
title = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title
}
resource "google_access_context_manager_access_level" "default" {
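Review bot: Adding `count` to `google_access_context_manager_access_policy.default` changes its state address to `default[0]`, so an existing deployment of this module will plan a destroy and recreate of the access policy instead of keeping it, and every access level and perimeter parented on that policy presumably follows it through a replace, which is an enforcement gap for the duration of the apply. Upgrading users need a `terraform state mv` from the old address to the indexed one, and that should be called out in the README alongside the new example. In the first hunk the `try(..., null)` around `default[0].name` does not help either: `count` guarantees index 0 exists whenever `access_policy_create` is true, so the wrapper can only turn a real reference error into a silent null policy name; `? google_access_context_manager_access_policy.default[0].name` is clearer and fails loudly. The `access_level` resource that starts on the last line continues outside the hunk.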


@ -29,6 +29,17 @@ variable "access_levels" {
default = {}
}
variable "access_policy_create" {
description = "enable autocreation of the Access Policy"
type = bool
default = true
}
variable "access_policy_name" {
description = "Referenced Access Policy name"
type = string
}
variable "access_level_perimeters" {
description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
type = map(map(list(string)))
@ -38,6 +49,7 @@ variable "access_level_perimeters" {
variable "access_policy_title" {
description = "Access Policy title to be created."
type = string
default = null
}
variable "egress_policies" {
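Review bot: `access_policy_name` is declared without a `default`, so as shown it is a required input even when `access_policy_create` keeps its default of `true`, which contradicts the README example where `vpc-sc-first` omits it (unless a `default` line was dropped in rendering). Giving it `default = null` fixes the create path, but then nothing stops a caller from passing `access_policy_create = false` with no name, in which case `local.access_policy_name` in main.tf resolves to null and the perimeters are created with no parent policy; since cross-variable `validation` is not available at the pinned `required_version`, at least state the dependency in the descriptions, e.g. `description = "Name of an existing Access Policy, required when access_policy_create is false."`. The description of `access_policy_create` is also styled unlike its neighbours (lowercase, no trailing period); `description = "Enable auto-creation of the Access Policy."` matches the rest of the file.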


@ -17,6 +17,6 @@
terraform {
required_version = ">= 0.12.6"
required_providers {
google = ">= 3.62"
}
google = ">= 3.62"
}
}