Support Access Levels - Perimeters mapping
parent
3e2706be10
commit
43e4ffc95d
|
@ -36,7 +36,8 @@ module "org" {
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ | |
|
| org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ | |
|
||||||
| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> | | <code title=""></code> |
|
| *access_levels* | Access Levels. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) members = list(string) negate = string })) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
|
| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> | | <code title="">null</code> |
|
||||||
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||||
|
@ -44,7 +45,8 @@ module "org" {
|
||||||
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
| *vpc_sc_perimeters* | Set of Perimeters. | <code title="map(object({ type = string restricted_services = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *vpc_sc_access_levels_perimeters* | Access Levels -Perimeter mapping. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *vpc_sc_perimeters* | Set of Perimeters. | <code title="map(object({ type = string dry_run_config = object({ access_levels = list(string) restricted_services = list(string) vpc_accessible_services = list(string) }) enforced_config = object({ access_levels = list(string) restricted_services = list(string) vpc_accessible_services = list(string) }) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
|
@ -37,6 +37,8 @@ locals {
|
||||||
for key, value in var.vpc_sc_perimeters :
|
for key, value in var.vpc_sc_perimeters :
|
||||||
key => value if value.type == "PERIMETER_TYPE_BRIDGE"
|
key => value if value.type == "PERIMETER_TYPE_BRIDGE"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), null)
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_access_context_manager_access_policy" "default" {
|
resource "google_access_context_manager_access_policy" "default" {
|
||||||
|
@ -45,7 +47,7 @@ resource "google_access_context_manager_access_policy" "default" {
|
||||||
title = each.key
|
title = each.key
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_access_context_manager_access_level" "access-level" {
|
resource "google_access_context_manager_access_level" "default" {
|
||||||
for_each = var.access_levels
|
for_each = var.access_levels
|
||||||
parent = "accessPolicies/${local.access_policy_name}"
|
parent = "accessPolicies/${local.access_policy_name}"
|
||||||
name = "accessPolicies/${local.access_policy_name}/accessLevels/${each.key}"
|
name = "accessPolicies/${local.access_policy_name}/accessLevels/${each.key}"
|
||||||
|
@ -74,6 +76,7 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
||||||
status {
|
status {
|
||||||
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
|
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
|
||||||
restricted_services = each.value.enforced_config.restricted_services
|
restricted_services = each.value.enforced_config.restricted_services
|
||||||
|
access_levels = formatlist("accessPolicies/${local.access_policy_name}/accessLevels/%s", lookup(local.perimeters_access_levels, each.key, []))
|
||||||
|
|
||||||
dynamic "vpc_accessible_services" {
|
dynamic "vpc_accessible_services" {
|
||||||
for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
|
for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
|
||||||
|
@ -108,6 +111,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
||||||
# lifecycle {
|
# lifecycle {
|
||||||
# ignore_changes = [status[0].resources]
|
# ignore_changes = [status[0].resources]
|
||||||
# }
|
# }
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_access_context_manager_access_level.default,
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_access_context_manager_service_perimeter" "bridge" {
|
resource "google_access_context_manager_service_perimeter" "bridge" {
|
||||||
|
@ -128,6 +135,7 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
|
||||||
|
|
||||||
depends_on = [
|
depends_on = [
|
||||||
google_access_context_manager_service_perimeter.standard,
|
google_access_context_manager_service_perimeter.standard,
|
||||||
|
google_access_context_manager_access_level.default,
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
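Review bot: The `null` fallback in `perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), null)` (the `locals` hunk) is the wrong type for its only consumer, `lookup(local.perimeters_access_levels, each.key, [])` in the standard perimeter's `status` block, which cannot take a null map — so a transpose failure would surface as an error on every perimeter instead of an empty access-level list; `perimeters_access_levels = try(transpose(var.vpc_sc_access_levels_perimeters), {})` keeps the default path (`{}` → `{}`) and degrades to "no access levels". Since the variable is declared `map(list(string))` in the README table, `transpose` should not fail on it and the `try` could be dropped altogether. Separately, renaming `google_access_context_manager_access_level.access-level` to `.default` changes the resource address, so existing state will plan a destroy/create of every access level (and perturb the perimeters now depending on them) unless a `terraform state mv` step accompanies the upgrade; that deserves a line in the commit message or release notes. An access level key that appears in `vpc_sc_access_levels_perimeters` but not in `access_levels` presumably only fails at apply time, when the generated `accessLevels/<key>` name cannot be resolved — a plan-time check in `locals` (for example via `setsubtract`) would catch it earlier. The `locals` block and both perimeter resources start outside their hunks.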