From c558d9b7533a3e35851c291f9568eebc68900dd5 Mon Sep 17 00:00:00 2001 From: LudovicEmo <42294753+LudovicEmo@users.noreply.github.com> Date: Tue, 29 Aug 2023 04:28:57 +0200 Subject: [PATCH] Vpc sc allow null for identity type (#1632) * vpc-sc : allow null for identity_type * cloudsql-instance : fmt * vpc-sc: tfdoc * modules/vpc-sc: update the test result for the identity_type field * cloudsql-instance: remove empty line --- modules/vpc-sc/README.md | 10 ++++------ modules/vpc-sc/variables.tf | 11 ++++++----- tests/modules/vpc_sc/examples/regular.yaml | 2 +- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 21abff9d..91d90d46 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -185,7 +185,6 @@ module "test" { - ## Files | name | description | resources | 
@@ -205,10 +204,10 @@ module "test" { | [access_policy](variables.tf#L56) | Access Policy name, set to null if creating one. | string | ✓ | | | [access_levels](variables.tf#L17) | Access level definitions. | map(object({…})) | | {} | | [access_policy_create](variables.tf#L61) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format. | object({…}) | | null | -| [egress_policies](variables.tf#L71) | Egress policy definitions that can be referenced in perimeters. | map(object({…})) | | {} | -| [ingress_policies](variables.tf#L101) | Ingress policy definitions that can be referenced in perimeters. | map(object({…})) | | {} | -| [service_perimeters_bridge](variables.tf#L133) | Bridge service perimeters. | map(object({…})) | | {} | -| [service_perimeters_regular](variables.tf#L143) | Regular service perimeters. | map(object({…})) | | {} | +| [egress_policies](variables.tf#L71) | Egress policy definitions that can be referenced in perimeters. | map(object({…})) | | {} | +| [ingress_policies](variables.tf#L102) | Ingress policy definitions that can be referenced in perimeters. | map(object({…})) | | {} | +| [service_perimeters_bridge](variables.tf#L134) | Bridge service perimeters. | map(object({…})) | | {} | +| [service_perimeters_regular](variables.tf#L144) | Regular service perimeters. | map(object({…})) | | {} | ## Outputs @@ -221,5 +220,4 @@ module "test" { | [id](outputs.tf#L42) | Fully qualified access policy id. | | | [service_perimeters_bridge](outputs.tf#L47) | Bridge service perimeter resources. | | | [service_perimeters_regular](outputs.tf#L52) | Regular service perimeter resources. | | - diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf index ff4e7dec..8ce4b41e 100644 --- a/modules/vpc-sc/variables.tf +++ b/modules/vpc-sc/variables.tf 
@@ -72,7 +72,7 @@ variable "egress_policies" {
   description = "Egress policy definitions that can be referenced in perimeters."
   type = map(object({
     from = object({
-      identity_type = optional(string, "ANY_IDENTITY")
+      identity_type = optional(string)
       identities = optional(list(string))
     })
     to = object({
@@ -89,10 +89,11 @@ variable "egress_policies" {
   nullable = false
   validation {
     condition = alltrue([
-      for k, v in var.egress_policies : contains([
+      for k, v in var.egress_policies :
+      v.from.identity_type == null || contains([
         "IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY",
-        "ANY_USER", "ANY_SERVICE_ACCOUNT", ""
-      ], v.from.identity_type)
+        "ANY_USER", "ANY_SERVICE_ACCOUNT"
+      ], coalesce(v.from.identity_type, "-"))
     ])
     error_message = "Invalid `from.identity_type` value in egress policy."
   }
@@ -126,7 +127,7 @@ variable "ingress_policies" {
         "ANY_USER", "ANY_SERVICE_ACCOUNT"
       ], coalesce(v.from.identity_type, "-"))
     ])
-    error_message = "Invalid `from.identity_type` value in eress policy."
+    error_message = "Invalid `from.identity_type` value in ingress policy."
   }
 }
diff --git a/tests/modules/vpc_sc/examples/regular.yaml b/tests/modules/vpc_sc/examples/regular.yaml
index 5f11e9a5..68c9cdc4 100644
--- a/tests/modules/vpc_sc/examples/regular.yaml
+++ b/tests/modules/vpc_sc/examples/regular.yaml
@@ -53,7 +53,7 @@ values:
     - egress_from:
       - identities:
         - serviceAccount:foo@myproject.iam.gserviceaccount.com
-        identity_type: ANY_IDENTITY
+        identity_type: null
       egress_to:
       - external_resources: null
         operations:
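Review bot: The new `identity_type = optional(string)` line removes the permissive `ANY_IDENTITY` default but leaves the field undocumented, so a caller cannot tell from the type alone that `identity_type` and `identities` interact. I would add a comment above it along the lines of `# leave null to scope the rule to the identities list; ANY_IDENTITY and the other *_IDENTITY values presumably take precedence over it`, hedged because that precedence comes from the VPC-SC API and is not visible in this module. With both `from` fields now optional and defaultless, an egress policy can be declared with neither set, and nothing in the validation hunk below rejects that; if the API does not accept an empty `from`, a check such as `v.from.identity_type != null || v.from.identities != null` would surface it at plan time instead of apply time. The `egress_policies` variable block starts before this hunk and continues past it.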
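Review bot: In the rewritten `condition`, `coalesce(v.from.identity_type, "-")` is dead after the added `v.from.identity_type == null ||` guard, because the right operand is only evaluated when the value is non-null; `], v.from.identity_type)` says the same thing and matches the guard. The coalesce also has a side effect worth stating in the PR description: Terraform's `coalesce` skips empty strings as well as null, so an `identity_type = ""` that the removed `""` list entry used to accept is now rejected with the egress error message, which is a behaviour change for existing callers even if intended. The ingress validation in the next hunk uses the same `coalesce` form, so whichever shape is kept should be applied to both variables for consistency. This hunk ends inside the `validation` block and the enclosing `variable` continues past it.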