From 43e4ffc95d997b198d4709a93f739e420aaacf16 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 6 Jul 2020 18:35:42 +0200
Subject: [PATCH] Support Access Levels - Perimeters mapping

---
 modules/organization/README.md | 6 ++++--
 modules/organization/main.tf | 10 +++++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/modules/organization/README.md b/modules/organization/README.md
index e124333d..ddb18e22 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -36,7 +36,8 @@ module "org" {
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
 | org_id | Organization id in nnnnnn format. | number | ✓ | |
-| *access_policy_title* | Access Policy title to be created. | string | | |
+| *access_levels* | Access Levels. | map(object({...})) | | {} |
+| *access_policy_title* | Access Policy title to be created. | string | | null |
 | *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
 | *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | map(list(string)) | | {} |
 | *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) | | {} |
@@ -44,7 +45,8 @@ module "org" {
 | *iam_roles* | List of roles used to set authoritative bindings. | list(string) | | [] |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} |
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} |
-| *vpc_sc_perimeters* | Set of Perimeters. | map(object({...})) | | {} |
+| *vpc_sc_access_levels_perimeters* | Access Levels -Perimeter mapping. | map(list(string)) | | {} |
+| *vpc_sc_perimeters* | Set of Perimeters. | map(object({...})) | | {} |
 | *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format. | map(list(string)) | | {} |
 
 ## Outputs
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index de7f78c4..a7c4be38 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -37,6 +37,8 @@ locals {
     for key, value in var.vpc_sc_perimeters : key => value if value.type == "PERIMETER_TYPE_BRIDGE"
   }
+
+  perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), null)
 }
 
 resource "google_access_context_manager_access_policy" "default" {
@@ -45,7 +47,7 @@ resource "google_access_context_manager_access_policy" "default" {
   title    = each.key
 }
 
-resource "google_access_context_manager_access_level" "access-level" {
+resource "google_access_context_manager_access_level" "default" {
   for_each = var.access_levels
   parent   = "accessPolicies/${local.access_policy_name}"
   name     = "accessPolicies/${local.access_policy_name}/accessLevels/${each.key}"
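Review bot: The `null` fallback in `perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), null)` turns a transpose failure into a hard error further down rather than a graceful no-op, because the `standard` perimeter feeds this local into `lookup(local.perimeters_access_levels, each.key, [])` and, as far as I can tell, `lookup` rejects a null map argument. Falling back to an empty map keeps every perimeter's `access_levels` at `[]` in that case: `perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), {})`. Given the README documents the variable as `map(list(string))` with default `{}`, a short comment stating why `try` is needed at all would also help the next reader. The `locals` block starts outside the hunk.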
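Review bot: Renaming the resource address from `google_access_context_manager_access_level.access-level` to `google_access_context_manager_access_level.default` changes the state address, so an existing deployment will plan a destroy-and-recreate of every access level on the next apply unless the state is moved first (`terraform state mv`). Because the perimeters reference these access levels, that destroy/recreate cycle is more disruptive than a cosmetic rename suggests, and the commit does not mention it; the README or a changelog entry should call out the migration step. The resource block continues outside the hunk.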
@@ -74,6 +76,7 @@ resource "google_access_context_manager_service_perimeter" "standard" {
   status {
     resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
     restricted_services = each.value.enforced_config.restricted_services
+    access_levels       = formatlist("accessPolicies/${local.access_policy_name}/accessLevels/%s", lookup(local.perimeters_access_levels, each.key, []))
 
     dynamic "vpc_accessible_services" {
       for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
@@ -108,6 +111,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
   # lifecycle {
   #   ignore_changes = [status[0].resources]
   # }
+
+  depends_on = [
+    google_access_context_manager_access_level.default,
+  ]
 }
 
 resource "google_access_context_manager_service_perimeter" "bridge" {
@@ -128,6 +135,7 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
 
   depends_on = [
     google_access_context_manager_service_perimeter.standard,
+    google_access_context_manager_access_level.default,
   ]
 }
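Review bot: The access level keys pulled from `local.perimeters_access_levels` are formatted straight into `accessPolicies/.../accessLevels/%s` without being checked against `var.access_levels`, so a misspelled value in `vpc_sc_access_levels_perimeters` yields a reference to an access level this module never creates and only surfaces when the perimeter is applied. Conversely, a mapping entry whose perimeter key matches nothing in `vpc_sc_perimeters` is silently dropped by the `lookup(..., [])` default, which is easy to miss when the intent was to gate that perimeter. Checking the mapping's values against `keys(var.access_levels)` and its keys against `keys(var.vpc_sc_perimeters)` at plan time, via a variable `validation` where the Terraform version allows it or a guarded `for` expression in `locals`, would catch both. The `standard` resource block continues outside the hunk on both sides.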
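Review bot: The `depends_on` entry added to the `bridge` perimeter is redundant: the same list already names `google_access_context_manager_service_perimeter.standard`, which in this commit gains its own `depends_on` on `google_access_context_manager_access_level.default`, so the ordering is already transitive. It is harmless, but a one-line comment such as `# explicit for readability; already implied via .standard` would stop a later reader from hunting for a direct access level reference in the bridge block that does not exist. The `bridge` block starts outside the hunk.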