diff --git a/modules/organization/README.md b/modules/organization/README.md
index e124333d..ddb18e22 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -36,7 +36,8 @@ module "org" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| org_id | Organization id in nnnnnn format. | number
| ✓ | |
-| *access_policy_title* | Access Policy title to be created. | string
| |
|
+| *access_levels* | Access Levels. | map(object({...}))
| | {}
|
+| *access_policy_title* | Access Policy title to be created. | string
| | null
|
| *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string))
| | {}
|
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | map(list(string))
| | {}
|
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string)))
| | {}
|
@@ -44,7 +45,8 @@ module "org" {
| *iam_roles* | List of roles used to set authoritative bindings. | list(string)
| | []
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool)
| | {}
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...}))
| | {}
|
-| *vpc_sc_perimeters* | Set of Perimeters. | map(object({...}))
| | {}
|
+| *vpc_sc_access_levels_perimeters* | Access Levels -Perimeter mapping. | map(list(string))
| | {}
|
+| *vpc_sc_perimeters* | Set of Perimeters. | map(object({...}))
| | {}
|
| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format. | map(list(string))
| | {}
|
## Outputs
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index de7f78c4..a7c4be38 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -37,6 +37,8 @@ locals {
for key, value in var.vpc_sc_perimeters :
key => value if value.type == "PERIMETER_TYPE_BRIDGE"
}
+
+ perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), null)
}
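Review bot: The `null` fallback in the new `perimeters_access_levels` local defeats the default at its only use site: the standard perimeter hunk later in this diff calls `lookup(local.perimeters_access_levels, each.key, [])`, and `lookup` on a null map is a plan-time error, so the `[]` default never applies when `transpose` fails. If the fallback is meant to express "no access-level mapping supplied", make it an empty map, `perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), {})`, so perimeters without an entry get an empty `access_levels` list instead of aborting the plan. A short comment on the local stating that it inverts the access-level → perimeter map into perimeter → access levels would help readers of the perimeter resource. The enclosing `locals` block begins before this hunk.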
resource "google_access_context_manager_access_policy" "default" {
@@ -45,7 +47,7 @@ resource "google_access_context_manager_access_policy" "default" {
title = each.key
}
-resource "google_access_context_manager_access_level" "access-level" {
+resource "google_access_context_manager_access_level" "default" {
for_each = var.access_levels
parent = "accessPolicies/${local.access_policy_name}"
name = "accessPolicies/${local.access_policy_name}/accessLevels/${each.key}"
@@ -74,6 +76,7 @@ resource "google_access_context_manager_service_perimeter" "standard" {
status {
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
restricted_services = each.value.enforced_config.restricted_services
+ access_levels = formatlist("accessPolicies/${local.access_policy_name}/accessLevels/%s", lookup(local.perimeters_access_levels, each.key, []))
dynamic "vpc_accessible_services" {
for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
@@ -108,6 +111,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
# lifecycle {
# ignore_changes = [status[0].resources]
# }
+
+ depends_on = [
+ google_access_context_manager_access_level.default,
+ ]
}
resource "google_access_context_manager_service_perimeter" "bridge" {
@@ -128,6 +135,7 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
depends_on = [
google_access_context_manager_service_perimeter.standard,
+ google_access_context_manager_access_level.default,
]
}