Enable multiple vpc-sc perimeters over multiple modules

modules/vpc-sc/README.md

@@ -136,6 +136,95 @@ module "vpc-sc" {
 # tftest:modules=1:resources=3
 ```
 
+## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
+```hcl
+module "vpc-sc-first" {
+  source              = "./modules/vpc-sc"
+  organization_id     = "organizations/112233"
+  access_policy_title = "My Org Access Policy"
+  access_levels = {
+    my_trusted_proxy = {
+      combining_function = "AND"
+      conditions = [{
+        ip_subnetworks = ["85.85.85.52/32"]
+        required_access_levels = null
+        members        = []
+        negate         = false
+        regions        = null
+      }]
+    }
+  }
+  access_level_perimeters = {
+    enforced = {
+      my_trusted_proxy = ["perimeter"]
+    }
+  }
+  perimeters = {
+    perimeter = {
+      type = "PERIMETER_TYPE_REGULAR"
+      dry_run_config = {
+        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
+        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+      }
+      enforced_config = {
+        restricted_services     = ["storage.googleapis.com"]
+        vpc_accessible_services = ["storage.googleapis.com"]
+      }
+    }
+  }
+  perimeter_projects = {
+    perimeter = {
+      enforced = [111111111, 222222222]
+      dry_run  = [333333333]
+    }
+  }
+}
+
+module "vpc-sc-second" {
+  source              = "./modules/vpc-sc"
+  organization_id     = "organizations/112233"
+  access_policy_create = false
+  access_policy_name = module.vpc-sc-first.access_policy_name
+  access_levels = {
+    my_trusted_proxy = {
+      combining_function = "AND"
+      conditions = [{
+        ip_subnetworks = ["85.85.85.52/32"]
+        required_access_levels = null
+        members        = []
+        negate         = false
+        regions        = null
+      }]
+    }
+  }
+  access_level_perimeters = {
+    enforced = {
+      my_trusted_proxy = ["secperimeter"]
+    }
+  }
+  perimeters = {
+    secperimeter = {
+      type = "PERIMETER_TYPE_REGULAR"
+      dry_run_config = {
+        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
+        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+      }
+      enforced_config = {
+        restricted_services     = ["storage.googleapis.com"]
+        vpc_accessible_services = ["storage.googleapis.com"]
+      }
+    }
+  }
+  perimeter_projects = {
+    secperimeter = {
+      enforced = [444444444, 666666666]
+      dry_run  = [555555555]
+    }
+  }
+}
+# tftest:modules=1:resources=3
+```
+
 <!-- BEGIN TFDOC -->
 ## Variables
 

modules/vpc-sc/main.tf

@@ -15,7 +15,11 @@
  */
 
 locals {
-  access_policy_name = google_access_context_manager_access_policy.default.name
+  access_policy_name = (
+    var.access_policy_create
+    ? try(google_access_context_manager_access_policy.default[0].name, null)
+    : var.access_policy_name
+  )
 
   standard_perimeters = {
     for key, value in var.perimeters :
@@ -36,8 +40,9 @@ locals {
 }
 
 resource "google_access_context_manager_access_policy" "default" {
+  count  = var.access_policy_create ? 1 : 0
   parent = var.organization_id
-  title  = var.access_policy_title
+  title  = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title
 }
 
 resource "google_access_context_manager_access_level" "default" {

modules/vpc-sc/variables.tf

@@ -29,6 +29,17 @@ variable "access_levels" {
   default = {}
 }
 
+variable "access_policy_create" {
+  description = "enable autocreation of the Access Policy"
+  type        = bool
+  default     = true
+}
+
+variable "access_policy_name" {
+  description = "Referenced Access Policy name"
+  type        = string
+}
+
 variable "access_level_perimeters" {
   description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
   type        = map(map(list(string)))
@@ -38,6 +49,7 @@ variable "access_level_perimeters" {
 variable "access_policy_title" {
   description = "Access Policy title to be created."
   type        = string
+  default     = null
 }
 
 variable "egress_policies" {

modules/vpc-sc/versions.tf

@@ -17,6 +17,6 @@
 terraform {
   required_version = ">= 0.12.6"
   required_providers {
-    google      = ">= 3.62"
-  }  
+    google = ">= 3.62"
+  }
 }