Fix VPC-SC module, add example (#387)

2021-12-13 11:26:09 +01:00 · 2021-12-13 11:26:09 +01:00 · 38b8ea1757
parent 750bb9f7e0
commit 38b8ea1757
2 changed files with 52 additions and 2 deletions
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@ -136,6 +136,53 @@ module "vpc-sc" {
 # tftest:modules=1:resources=3
 ```

+## Example VCP-SC: 2 standard perimeters with one bridge  between the two (dry run mode).
+```hcl
+module "vpc-sc" {
+  source              = "./modules/vpc-sc"
+  organization_id     = "organizations/112233"
+  access_policy_title = "My Access Policy"
+  perimeters = {
+    perimeter_1 = {
+      type = "PERIMETER_TYPE_REGULAR"
+      dry_run_config = {
+        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
+        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+      }
+      enforced_config = null
+    }
+    perimeter_2 = {
+      type = "PERIMETER_TYPE_REGULAR"
+      dry_run_config = {
+        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
+        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+      }
+      enforced_config = null
+    }
+    perimeter_bridge = {
+      type = "PERIMETER_TYPE_BRIDGE"
+      dry_run_config = null
+      enforced_config = null
+    }
+  }
+  perimeter_projects = {
+    perimeter_1 = {
+      enforced = []
+      dry_run  = [111111111]
+    }
+    perimeter_2 = {
+      enforced = []
+      dry_run  = [222222222]
+    }
+    perimeter_bridge = {
+      enforced = []
+      dry_run  = [111111111, 222222222]
+    }
+  }
+}
+# tftest:modules=1:resources=4
+```
+
 ## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
 ```hcl
 module "vpc-sc-first" {
--- a/modules/vpc-sc/main.tf
+++ b/modules/vpc-sc/main.tf
@ -330,11 +330,14 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
  }

  # Dry run mode configuration
+  use_explicit_dry_run_spec = try(lookup(var.perimeter_projects, each.key, null).dry_run, null) != null ? true : null
  dynamic "spec" {
-    for_each = try(lookup(var.perimeter_projects, each.key, {}).dry_run, []) != null ? [""] : []
+    for_each = try(lookup(var.perimeter_projects, each.key, null).dry_run, null) != null ? [""] : []

    content {
-      resources = formatlist("projects/%s", try(lookup(var.perimeter_projects, each.key, {}).dry_run, []))
+      resources           = try(formatlist("projects/%s", lookup(var.perimeter_projects, each.key, {}).dry_run), null)
+      restricted_services = []
+      access_levels       = []
    }
  }