From 3e2706be10763a5604fa8d6dbe17c8ead9dedf9b Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 6 Jul 2020 18:12:25 +0200
Subject: [PATCH] Add basic Access Level support

---
 modules/organization/main.tf      | 20 ++++++++++++++++++++
 modules/organization/variables.tf | 21 ++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index dcd75725..de7f78c4 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -45,6 +45,26 @@ resource "google_access_context_manager_access_policy" "default" {
   title = each.key
 }
 
+resource "google_access_context_manager_access_level" "access-level" {
+  for_each = var.access_levels
+  parent = "accessPolicies/${local.access_policy_name}"
+  name = "accessPolicies/${local.access_policy_name}/accessLevels/${each.key}"
+  title = each.key
+
+  dynamic "basic" {
+    for_each = try(toset(each.value.conditions), [])
+
+    content {
+      combining_function = try(each.value.combining_function, null)
+      conditions {
+        ip_subnetworks = try(basic.value.ip_subnetworks,null)
+        members = try(basic.value.members,null)
+        negate = try(basic.value.negate,null)
+      }
+    }
+  }
+}
+
 resource "google_access_context_manager_service_perimeter" "standard" {
   for_each = local.standard_perimeters
   parent = "accessPolicies/${local.access_policy_name}"
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 9053af0b..ac80690f 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
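Review bot: The `dynamic "basic"` block in the new `google_access_context_manager_access_level` resource is driven by `each.value.conditions`, so a level declared with two or more conditions emits two or more `basic` blocks, while the resource takes a single `basic` block carrying a list of `conditions` and one `combining_function`; only single-condition levels would be accepted, and the AND/OR intent of `combining_function` can never be exercised. The iteration belongs one level down: a fixed `basic` block holding `combining_function`, with a `dynamic "conditions"` inside it over the conditions list, as below. With that shape a level whose `conditions` list is empty produces a `basic` block with no `conditions`, which I would expect to surface as a provider/API error at apply rather than an unintended level; if an empty list is meant to mean "no level", wrap `basic` in a `dynamic` guarded by `length(try(each.value.conditions, [])) > 0` instead. The resource's `for_each`, `parent`, `name` and `title` lines are unchanged.
```hcl
resource "google_access_context_manager_access_level" "access-level" {
  # … unchanged: for_each, parent, name, title …

  basic {
    combining_function = try(each.value.combining_function, null)

    dynamic "conditions" {
      for_each = try(toset(each.value.conditions), [])

      content {
        ip_subnetworks = try(conditions.value.ip_subnetworks, null)
        members        = try(conditions.value.members, null)
        negate         = try(conditions.value.negate, null)
      }
    }
  }
}
```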
@@ -14,10 +14,23 @@
  * limitations under the License.
  */
 
+variable "access_levels" {
+  description = "Access Levels."
+  type = map(object({
+    combining_function = string
+    conditions = list(object({
+      ip_subnetworks = list(string)
+      members = list(string)
+      negate = string
+    }))
+  }))
+  default = {}
+}
+
 variable "access_policy_title" {
   description = "Access Policy title to be created."
   type = string
-  default = ""
+  default = null
 }
 
 variable "custom_roles" {
@@ -100,3 +113,9 @@ variable "vpc_sc_perimeters_projects" {
   type = map(list(string))
   default = {}
 }
+
+variable "vpc_sc_access_levels_perimeters" {
+  description = "Access Levels -Perimeter mapping."
+  type = map(list(string))
+  default = {}
+}
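Review bot: `negate` in the new `access_levels` object type is declared `string`, although main.tf passes it straight into a boolean attribute of the access level (`negate = try(basic.value.negate,null)`); declaring it `negate = bool` rejects values such as `"yes"` at plan time instead of relying on the provider's string-to-bool conversion, and makes the type say what a negated condition is. The same hunk changes the default of `access_policy_title` from `""` to `null` without any mention in the subject; its uses are outside this diff, so if the module tests it with `!= ""` or feeds it into a `count`/`for_each`, callers relying on the old default may see a plan change, and that should be stated in the commit description. Keys of `access_levels` become the access level ID in `name` in main.tf, which the API restricts to letters, digits and underscores with no leading digit, so a `validation` block on the variable (where the module's Terraform version supports it) would reject hyphenated keys before apply rather than at the API.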
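Review bot: `vpc_sc_access_levels_perimeters` is declared but nothing in this patch consumes it: the diffstat lists only these two files, and the main.tf hunk adds the access level resource without touching the perimeter resource that follows it (whose body is outside that hunk), so a caller that sets this mapping gets access levels created but, as far as this diff shows, no perimeter referencing them until a later change wires the mapping into the perimeter's `status.access_levels`. Until then the variable promises an enforcement the module does not perform; either add the wiring in the same change or say in the description that the mapping is not yet applied. The description text `"Access Levels -Perimeter mapping."` also reads better as `"Access Levels - Perimeter mapping."`.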