Enable multiple vpc-sc perimeters over multiple modules
This commit is contained in:
parent
1c6707b982
commit
0f10e820f9
|
@ -136,6 +136,95 @@ module "vpc-sc" {
|
|||
# tftest:modules=1:resources=3
|
||||
```
|
||||
|
||||
## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
|
||||
```hcl
|
||||
module "vpc-sc-first" {
|
||||
source = "./modules/vpc-sc"
|
||||
organization_id = "organizations/112233"
|
||||
access_policy_title = "My Org Access Policy"
|
||||
access_levels = {
|
||||
my_trusted_proxy = {
|
||||
combining_function = "AND"
|
||||
conditions = [{
|
||||
ip_subnetworks = ["85.85.85.52/32"]
|
||||
required_access_levels = null
|
||||
members = []
|
||||
negate = false
|
||||
regions = null
|
||||
}]
|
||||
}
|
||||
}
|
||||
access_level_perimeters = {
|
||||
enforced = {
|
||||
my_trusted_proxy = ["perimeter"]
|
||||
}
|
||||
}
|
||||
perimeters = {
|
||||
perimeter = {
|
||||
type = "PERIMETER_TYPE_REGULAR"
|
||||
dry_run_config = {
|
||||
restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
|
||||
vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
|
||||
}
|
||||
enforced_config = {
|
||||
restricted_services = ["storage.googleapis.com"]
|
||||
vpc_accessible_services = ["storage.googleapis.com"]
|
||||
}
|
||||
}
|
||||
}
|
||||
perimeter_projects = {
|
||||
perimeter = {
|
||||
enforced = [111111111, 222222222]
|
||||
dry_run = [333333333]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "vpc-sc-second" {
|
||||
source = "./modules/vpc-sc"
|
||||
organization_id = "organizations/112233"
|
||||
access_policy_create = false
|
||||
access_policy_name = module.vpc-sc-first.access_policy_name
|
||||
access_levels = {
|
||||
my_trusted_proxy = {
|
||||
combining_function = "AND"
|
||||
conditions = [{
|
||||
ip_subnetworks = ["85.85.85.52/32"]
|
||||
required_access_levels = null
|
||||
members = []
|
||||
negate = false
|
||||
regions = null
|
||||
}]
|
||||
}
|
||||
}
|
||||
access_level_perimeters = {
|
||||
enforced = {
|
||||
my_trusted_proxy = ["secperimeter"]
|
||||
}
|
||||
}
|
||||
perimeters = {
|
||||
secperimeter = {
|
||||
type = "PERIMETER_TYPE_REGULAR"
|
||||
dry_run_config = {
|
||||
restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
|
||||
vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
|
||||
}
|
||||
enforced_config = {
|
||||
restricted_services = ["storage.googleapis.com"]
|
||||
vpc_accessible_services = ["storage.googleapis.com"]
|
||||
}
|
||||
}
|
||||
}
|
||||
perimeter_projects = {
|
||||
secperimeter = {
|
||||
enforced = [444444444, 666666666]
|
||||
dry_run = [555555555]
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest:modules=1:resources=3
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
|
|
@ -15,7 +15,11 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
access_policy_name = google_access_context_manager_access_policy.default.name
|
||||
access_policy_name = (
|
||||
var.access_policy_create
|
||||
? try(google_access_context_manager_access_policy.default[0].name, null)
|
||||
: var.access_policy_name
|
||||
)
|
||||
|
||||
standard_perimeters = {
|
||||
for key, value in var.perimeters :
|
||||
|
@ -36,8 +40,9 @@ locals {
|
|||
}
|
||||
|
||||
resource "google_access_context_manager_access_policy" "default" {
|
||||
count = var.access_policy_create ? 1 : 0
|
||||
parent = var.organization_id
|
||||
title = var.access_policy_title
|
||||
title = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "default" {
|
||||
|
|
|
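Review bot: The `try(google_access_context_manager_access_policy.default[0].name, null)` in the new `access_policy_name` local hides a failure that should surface: when `var.access_policy_create` is true the resource in the second hunk always has `count = 1`, so `default[0]` exists and the `try` only converts an unexpected evaluation error into `null`, which would then be used as the policy for every access level and perimeter this module creates. Dropping the fallback, `? google_access_context_manager_access_policy.default[0].name`, keeps the plan failing early instead. This line is also the only point where a caller passing `access_policy_create = false` without an `access_policy_name` could be caught, and since a `validation` block cannot refer to a sibling variable in the Terraform range the module pins (`>= 0.12.6`), a comment above the local such as `# with access_policy_create = false the caller must supply access_policy_name; a null here silently detaches every level and perimeter` would at least document it. The `locals` block continues outside the hunk.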
@ -29,6 +29,17 @@ variable "access_levels" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "access_policy_create" {
|
||||
description = "enable autocreation of the Access Policy"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "access_policy_name" {
|
||||
description = "Referenced Access Policy name"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "access_level_perimeters" {
|
||||
description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
|
||||
type = map(map(list(string)))
|
||||
|
@ -38,6 +49,7 @@ variable "access_level_perimeters" {
|
|||
variable "access_policy_title" {
|
||||
description = "Access Policy title to be created."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "egress_policies" {
|
||||
|
|
|
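Review bot: `variable "access_policy_name"` is declared without a `default`, so Terraform treats it as required and every caller must set it even with `access_policy_create = true`, where the module ignores it; the `vpc-sc-first` example added to the README in this commit does not set it and would presumably fail with a missing-variable error unless the test harness supplies one. Adding `default = null`, consistent with the `default = null` this commit gives `access_policy_title` in the second hunk, lets the create path work without a placeholder value. The description should also say when the value is consumed, e.g. `description = "Name of an existing Access Policy to use; required when access_policy_create is false, ignored otherwise."`.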
@ -17,6 +17,6 @@
|
|||
terraform {
|
||||
required_version = ">= 0.12.6"
|
||||
required_providers {
|
||||
google = ">= 3.62"
|
||||
}
|
||||
google = ">= 3.62"
|
||||
}
|
||||
}
|
||||
|
|