Merge pull request #235 from terraform-google-modules/vpc-sc-02
Add Support for Ingress Egress policies
This commit is contained in:
commit
27e8b1829c
|
@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
|
|||
## [Unreleased]
|
||||
|
||||
- **incompatible change** updated resource name for `google_dns_policy` on the `net-vpc` module
|
||||
- added support for VPC-SC Ingress Egress policies on the `vpc-sc` module
|
||||
|
||||
## [4.8.0] - 2021-05-12
|
||||
|
||||
|
|
|
@ -28,10 +28,49 @@ module "vpc-sc" {
|
|||
}
|
||||
}
|
||||
access_level_perimeters = {
|
||||
my_trusted_proxy = {
|
||||
enforced = {
|
||||
my_trusted_proxy = ["perimeter"]
|
||||
}
|
||||
}
|
||||
ingress_policies = {
|
||||
ingress_1 = {
|
||||
ingress_from = {
|
||||
identity_type = "ANY_IDENTITY"
|
||||
}
|
||||
ingress_to = {
|
||||
resources = ["*"]
|
||||
operations = {
|
||||
"storage.googleapis.com" = [{ method = "google.storage.objects.create" }]
|
||||
"bigquery.googleapis.com" = [{ method = "BigQueryStorage.ReadRows" }]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
ingress_policies_perimeters = {
|
||||
enforced = {
|
||||
ingress_1 = ["default"]
|
||||
}
|
||||
}
|
||||
|
||||
egress_policies = {
|
||||
egress_1 = {
|
||||
egress_from = {
|
||||
identity_type = "ANY_USER_ACCOUNT"
|
||||
}
|
||||
egress_to = {
|
||||
resources = ["*"]
|
||||
operations = {
|
||||
"storage.googleapis.com" = [{ method = "google.storage.objects.create" }],
|
||||
"bigquery.googleapis.com" = [{ method = "BigQueryStorage.ReadRows" },{ method = "TableService.ListTables" }, { permission = "bigquery.jobs.get" }]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
egress_policies_perimeters = {
|
||||
enforced = {
|
||||
egress_1 = ["perimeter"]
|
||||
}
|
||||
}
|
||||
perimeters = {
|
||||
perimeter = {
|
||||
type = "PERIMETER_TYPE_REGULAR"
|
||||
|
@ -106,6 +145,10 @@ module "vpc-sc" {
|
|||
| organization_id | Organization id in organizations/nnnnnn format. | <code title="">string</code> | ✓ | |
|
||||
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) required_access_levels = list(string) members = list(string) negate = string regions = list(string) })) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | <code title=""></code> | | <code title="">null</code> |
|
||||
| *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | <code title=""></code> | | <code title="">null</code> |
|
||||
| *ingress_policies_perimeters* | Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *perimeter_projects* | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | <code title="map(map(list(number)))">map(map(list(number)))</code> | | <code title="">{}</code> |
|
||||
| *perimeters* | Set of Perimeters. | <code title="map(object({ type = string dry_run_config = object({ restricted_services = list(string) vpc_accessible_services = list(string) }) enforced_config = object({ restricted_services = list(string) vpc_accessible_services = list(string) }) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
||||
|
|
|
@ -29,6 +29,10 @@ locals {
|
|||
|
||||
perimeter_access_levels_enforced = try(transpose(var.access_level_perimeters.enforced), null)
|
||||
perimeter_access_levels_dry_run = try(transpose(var.access_level_perimeters.dry_run), null)
|
||||
perimeter_ingress_policies_enforced = try(transpose(var.ingress_policies_perimeters.enforced), null)
|
||||
perimeter_ingress_policies_dry_run = try(transpose(var.ingress_policies_perimeters.dry_run), null)
|
||||
perimeter_egress_policies_enforced = try(transpose(var.egress_policies_perimeters.enforced), null)
|
||||
perimeter_egress_policies_dry_run = try(transpose(var.egress_policies_perimeters.dry_run), null)
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_policy" "default" {
|
||||
|
@ -89,6 +93,93 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
|||
allowed_services = each.value.enforced_config.vpc_accessible_services
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "egress_policies" {
|
||||
for_each = try(local.perimeter_egress_policies_enforced[each.key] != null ? local.perimeter_egress_policies_enforced[each.key] : [], [])
|
||||
|
||||
content {
|
||||
dynamic "egress_from" {
|
||||
for_each = try(var.egress_policies[egress_policies.value].egress_from != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
identity_type = try(var.egress_policies[egress_policies.value].egress_from.identity_type, null)
|
||||
identities = try(var.egress_policies[egress_policies.value].egress_from.identities, null)
|
||||
}
|
||||
}
|
||||
dynamic "egress_to" {
|
||||
for_each = try(var.egress_policies[egress_policies.value].egress_to != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
resources = try(var.egress_policies[egress_policies.value].egress_to.resources, null)
|
||||
|
||||
dynamic "operations" {
|
||||
for_each = try(var.egress_policies[egress_policies.value].egress_to.operations, [])
|
||||
|
||||
content {
|
||||
service_name = try(operations.key, null)
|
||||
|
||||
dynamic "method_selectors" {
|
||||
for_each = try(operations.value, [])
|
||||
|
||||
content {
|
||||
method = try(method_selectors.value.method, null)
|
||||
permission = try(method_selectors.value.permission, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "ingress_policies" {
|
||||
for_each = try(local.perimeter_ingress_policies_enforced[each.key] != null ? local.perimeter_ingress_policies_enforced[each.key] : [], [])
|
||||
|
||||
content {
|
||||
dynamic "ingress_from" {
|
||||
for_each = try(var.ingress_policies[ingress_policies.value].ingress_from != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
identity_type = try(var.ingress_policies[ingress_policies.value].ingress_from.identity_type, null)
|
||||
identities = try(var.ingress_policies[ingress_policies.value].ingress_from.identities, null)
|
||||
|
||||
dynamic "sources" {
|
||||
for_each = toset(try([var.ingress_policies[ingress_policies.value].ingress_from.sources], []))
|
||||
|
||||
content {
|
||||
access_level = try(sources.value.access_level, null)
|
||||
resource = try(sources.value.resource, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
dynamic "ingress_to" {
|
||||
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
resources = try(var.ingress_policies[ingress_policies.value].ingress_to.resources, null)
|
||||
|
||||
dynamic "operations" {
|
||||
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to.operations, [])
|
||||
|
||||
content {
|
||||
service_name = try(operations.key, null)
|
||||
|
||||
dynamic "method_selectors" {
|
||||
for_each = try(operations.value, [])
|
||||
|
||||
content {
|
||||
method = try(method_selectors.value.method, null)
|
||||
permission = try(method_selectors.value.permission, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -115,6 +206,93 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
|||
allowed_services = try(each.value.dry_run_config.vpc_accessible_services, null)
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "egress_policies" {
|
||||
for_each = try(local.perimeter_egress_policies_dry_run[each.key] != null ? local.perimeter_egress_policies_dry_run[each.key] : [], [])
|
||||
|
||||
content {
|
||||
dynamic "egress_from" {
|
||||
for_each = try(var.egress_policies[egress_policies.value].egress_from != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
identity_type = try(var.egress_policies[egress_policies.value].egress_from.identity_type, null)
|
||||
identities = try(var.egress_policies[egress_policies.value].egress_from.identities, null)
|
||||
}
|
||||
}
|
||||
dynamic "egress_to" {
|
||||
for_each = try(var.egress_policies[egress_policies.value].egress_to != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
resources = try(var.egress_policies[egress_policies.value].egress_to.resources, null)
|
||||
|
||||
dynamic "operations" {
|
||||
for_each = try(var.egress_policies[egress_policies.value].egress_to.operations, [])
|
||||
|
||||
content {
|
||||
service_name = try(operations.key, null)
|
||||
|
||||
dynamic "method_selectors" {
|
||||
for_each = try(operations.value, [])
|
||||
|
||||
content {
|
||||
method = try(method_selectors.value.method, null)
|
||||
permission = try(method_selectors.value.permission, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "ingress_policies" {
|
||||
for_each = try(local.perimeter_ingress_policies_dry_run[each.key] != null ? local.perimeter_ingress_policies_dry_run[each.key] : [], [])
|
||||
|
||||
content {
|
||||
dynamic "ingress_from" {
|
||||
for_each = try(var.ingress_policies[ingress_policies.value].ingress_from != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
identity_type = try(var.ingress_policies[ingress_policies.value].ingress_from.identity_type, null)
|
||||
identities = try(var.ingress_policies[ingress_policies.value].ingress_from.identities, null)
|
||||
|
||||
dynamic "sources" {
|
||||
for_each = toset(try([var.ingress_policies[ingress_policies.value].ingress_from.sources], []))
|
||||
|
||||
content {
|
||||
access_level = try(sources.value.access_level, null)
|
||||
resource = try(sources.value.resource, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
dynamic "ingress_to" {
|
||||
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to != null ? [""] : [], [])
|
||||
|
||||
content {
|
||||
resources = try(var.ingress_policies[ingress_policies.value].ingress_to.resources, null)
|
||||
|
||||
dynamic "operations" {
|
||||
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to.operations, [])
|
||||
|
||||
content {
|
||||
service_name = try(operations.key, null)
|
||||
|
||||
dynamic "method_selectors" {
|
||||
for_each = try(operations.value, [])
|
||||
|
||||
content {
|
||||
method = try(method_selectors.value.method, null)
|
||||
permission = try(method_selectors.value.permission, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -40,6 +40,28 @@ variable "access_policy_title" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "egress_policies" {
|
||||
description = "List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies)"
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "egress_policies_perimeters" {
|
||||
description = "Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "ingress_policies" {
|
||||
description = "List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies)"
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "ingress_policies_perimeters" {
|
||||
description = "Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "organization_id" {
|
||||
description = "Organization id in organizations/nnnnnn format."
|
||||
type = string
|
||||
|
|
Loading…
Reference in New Issue