Support Access Levels - Perimeters mapping

This commit is contained in:
Lorenzo Caggioni 2020-07-06 18:35:42 +02:00
parent 3e2706be10
commit 43e4ffc95d
2 changed files with 13 additions and 3 deletions


@ -36,7 +36,8 @@ module "org" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ | |
| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> | | <code title=""></code> |
| *access_levels* | Access Levels. | <code title="map&#40;object&#40;&#123;&#10;combining_function &#61; string&#10;conditions &#61; list&#40;object&#40;&#123;&#10;ip_subnetworks &#61; list&#40;string&#41;&#10;members &#61; list&#40;string&#41;&#10;negate &#61; string&#10;&#125;&#41;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> | | <code title="">null</code> |
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
@ -44,7 +45,8 @@ module "org" {
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value &#61; string&#10;status &#61; bool&#10;values &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *vpc_sc_perimeters* | Set of Perimeters. | <code title="map&#40;object&#40;&#123;&#10;type &#61; string&#10;restricted_services &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *vpc_sc_access_levels_perimeters* | Access Levels -Perimeter mapping. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *vpc_sc_perimeters* | Set of Perimeters. | <code title="map&#40;object&#40;&#123;&#10;type &#61; string&#10;dry_run_config &#61; object&#40;&#123;&#10;access_levels &#61; list&#40;string&#41;&#10;restricted_services &#61; list&#40;string&#41;&#10;vpc_accessible_services &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;enforced_config &#61; object&#40;&#123;&#10;access_levels &#61; list&#40;string&#41;&#10;restricted_services &#61; list&#40;string&#41;&#10;vpc_accessible_services &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
## Outputs


@ -37,6 +37,8 @@ locals {
for key, value in var.vpc_sc_perimeters :
key => value if value.type == "PERIMETER_TYPE_BRIDGE"
}
perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), null)
}
resource "google_access_context_manager_access_policy" "default" {
@ -45,7 +47,7 @@ resource "google_access_context_manager_access_policy" "default" {
title = each.key
}
resource "google_access_context_manager_access_level" "access-level" {
resource "google_access_context_manager_access_level" "default" {
for_each = var.access_levels
parent = "accessPolicies/${local.access_policy_name}"
name = "accessPolicies/${local.access_policy_name}/accessLevels/${each.key}"
@ -74,6 +76,7 @@ resource "google_access_context_manager_service_perimeter" "standard" {
status {
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
restricted_services = each.value.enforced_config.restricted_services
access_levels = formatlist("accessPolicies/${local.access_policy_name}/accessLevels/%s", lookup(local.perimeters_access_levels, each.key, []))
dynamic "vpc_accessible_services" {
for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
@ -108,6 +111,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
# lifecycle {
# ignore_changes = [status[0].resources]
# }
depends_on = [
google_access_context_manager_access_level.default,
]
}
resource "google_access_context_manager_service_perimeter" "bridge" {
@ -128,6 +135,7 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
depends_on = [
google_access_context_manager_service_perimeter.standard,
google_access_context_manager_access_level.default,
]
}
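Review bot: The `try(transpose(var.vpc_sc_access_levels_perimeters), null)` fallback on the new `perimeters_access_levels` local leaves the map null whenever `transpose` fails, and the `lookup(local.perimeters_access_levels, each.key, [])` added to the standard perimeter's `status` block then appears to error on a null map instead of falling back to an empty access-level list; `perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), {})` keeps the intended empty default, and since the variable is declared as `map(list(string))` the `try` may not be needed at all. Renaming the access-level resource from `"access-level"` to `"default"` means an existing deployment will destroy and recreate every access level on the next apply unless the state address is moved first; because the perimeters now reference these levels by name, that replacement can leave a VPC Service Controls boundary pointing at levels that no longer exist until the apply completes, so the migration step (e.g. `terraform state mv`) is worth stating in the commit description or README. The README side also introduces `enforced_config.access_levels` and `dry_run_config.access_levels` inside the perimeter object while the code applies levels only through the separate `vpc_sc_access_levels_perimeters` mapping, which looks like two sources of truth for the same setting — a short comment on the local explaining which one wins would help. The `locals` block and the `standard` and `bridge` perimeter resources all start or end outside the hunks shown.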