Add Support for Ingress Egress policy

This commit is contained in:
lcaggio 2021-05-07 09:07:36 +02:00
parent 85d2617421
commit 628ab41c33
3 changed files with 232 additions and 3 deletions


@ -28,10 +28,35 @@ module "vpc-sc" {
}
}
access_level_perimeters = {
my_trusted_proxy = {
enforced = {
my_trusted_proxy = ["perimeter"]
}
}
egress_policies = {
egress_1 = {
egress_from = {
identity_type = "ANY_IDENTITY"
}
egress_to = {
resources = ["*"]
operations = [
{
service_name = "storage.googleapis.com"
method_selectors = { method = "google.storage.objects.create" }
},
{
service_name = "bigquery.googleapis.com"
method_selectors = { method = "BigQueryStorage.ReadRows" }
}
]
}
}
}
egress_policies_perimeters = {
enforced = {
egress_1 = ["perimeter"]
}
}
perimeters = {
perimeter = {
type = "PERIMETER_TYPE_REGULAR"
@ -106,6 +131,10 @@ module "vpc-sc" {
| organization_id | Organization id in organizations/nnnnnn format. | <code title="">string</code> | ✓ | |
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | <code title="map&#40;object&#40;&#123;&#10;combining_function &#61; string&#10;conditions &#61; list&#40;object&#40;&#123;&#10;ip_subnetworks &#61; list&#40;string&#41;&#10;required_access_levels &#61; list&#40;string&#41;&#10;members &#61; list&#40;string&#41;&#10;negate &#61; string&#10;regions &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | <code title=""></code> | | <code title="">null</code> |
| *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | <code title=""></code> | | <code title="">null</code> |
| *ingress_policies_perimeters* | Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *perimeter_projects* | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | <code title="map&#40;map&#40;list&#40;number&#41;&#41;&#41;">map(map(list(number)))</code> | | <code title="">{}</code> |
| *perimeters* | Set of Perimeters. | <code title="map&#40;object&#40;&#123;&#10;type &#61; string&#10;dry_run_config &#61; object&#40;&#123;&#10;restricted_services &#61; list&#40;string&#41;&#10;vpc_accessible_services &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;enforced_config &#61; object&#40;&#123;&#10;restricted_services &#61; list&#40;string&#41;&#10;vpc_accessible_services &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |


@ -27,8 +27,12 @@ locals {
key => value if value.type == "PERIMETER_TYPE_BRIDGE"
}
perimeter_access_levels_enforced = try(transpose(var.access_level_perimeters.enforced), null)
perimeter_access_levels_dry_run = try(transpose(var.access_level_perimeters.dry_run), null)
perimeter_access_levels_enforced = try(transpose(var.access_level_perimeters.enforced), null)
perimeter_access_levels_dry_run = try(transpose(var.access_level_perimeters.dry_run), null)
perimeter_ingress_policies_enforced = try(transpose(var.ingress_policies_perimeters.enforced), null)
perimeter_ingress_policies_dry_run = try(transpose(var.ingress_policies_perimeters.dry_run), null)
perimeter_egress_policies_enforced = try(transpose(var.egress_policies_perimeters.enforced), null)
perimeter_egress_policies_dry_run = try(transpose(var.egress_policies_perimeters.dry_run), null)
}
resource "google_access_context_manager_access_policy" "default" {
@ -89,6 +93,93 @@ resource "google_access_context_manager_service_perimeter" "standard" {
allowed_services = each.value.enforced_config.vpc_accessible_services
}
}
dynamic "egress_policies" {
for_each = try(local.perimeter_egress_policies_enforced[each.key] != null ? local.perimeter_egress_policies_enforced[each.key] : [], [])
content {
dynamic "egress_from" {
for_each = try(var.egress_policies[egress_policies.value].egress_from != null ? [""] : [], [])
content {
identity_type = try(var.egress_policies[egress_policies.value].egress_from.identity_type, null)
identities = try(var.egress_policies[egress_policies.value].egress_from.identities, null)
}
}
dynamic "egress_to" {
for_each = try(var.egress_policies[egress_policies.value].egress_to != null ? [""] : [], [])
content {
resources = try(var.egress_policies[egress_policies.value].egress_to.resources, null)
dynamic "operations" {
for_each = try(var.egress_policies[egress_policies.value].egress_to.operations, [])
content {
service_name = try(operations.value.service_name, null)
dynamic "method_selectors" {
for_each = try([operations.value.method_selectors], [])
content {
method = try(method_selectors.value.method, null)
permission = try(method_selectors.value.permission, null)
}
}
}
}
}
}
}
}
dynamic "ingress_policies" {
for_each = try(local.perimeter_ingress_policies_enforced[each.key] != null ? local.perimeter_ingress_policies_enforced[each.key] : [], [])
content {
dynamic "ingress_from" {
for_each = try(var.ingress_policies[ingress_policies.value].ingress_from != null ? [""] : [], [])
content {
identity_type = try(var.ingress_policies[ingress_policies.value].ingress_from.identity_type, null)
identities = try(var.ingress_policies[ingress_policies.value].ingress_from.identities, null)
dynamic "sources" {
for_each = toset(try([var.ingress_policies[ingress_policies.value].ingress_from.sources], []))
content {
access_level = try(sources.value.access_level, null)
resource = try(sources.value.resource, null)
}
}
}
}
dynamic "ingress_to" {
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to != null ? [""] : [], [])
content {
resources = try(var.ingress_policies[ingress_policies.value].ingress_to.resources, null)
dynamic "operations" {
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to.operations, [])
content {
service_name = try(operations.value.service_name, null)
dynamic "method_selectors" {
for_each = try([operations.value.method_selectors], [])
content {
method = try(method_selectors.value.method, null)
permission = try(method_selectors.value.permission, null)
}
}
}
}
}
}
}
}
}
}
@ -115,6 +206,93 @@ resource "google_access_context_manager_service_perimeter" "standard" {
allowed_services = try(each.value.dry_run_config.vpc_accessible_services, null)
}
}
dynamic "egress_policies" {
for_each = try(local.perimeter_egress_policies_dry_run[each.key] != null ? local.perimeter_egress_policies_dry_run[each.key] : [], [])
content {
dynamic "egress_from" {
for_each = try(var.egress_policies[egress_policies.value].egress_from != null ? [""] : [], [])
content {
identity_type = try(var.egress_policies[egress_policies.value].egress_from.identity_type, null)
identities = try(var.egress_policies[egress_policies.value].egress_from.identities, null)
}
}
dynamic "egress_to" {
for_each = try(var.egress_policies[egress_policies.value].egress_to != null ? [""] : [], [])
content {
resources = try(var.egress_policies[egress_policies.value].egress_to.resources, null)
dynamic "operations" {
for_each = try(var.egress_policies[egress_policies.value].egress_to.operations, [])
content {
service_name = try(operations.value.service_name, null)
dynamic "method_selectors" {
for_each = try([operations.value.method_selectors], [])
content {
method = try(method_selectors.value.method, null)
permission = try(method_selectors.value.permission, null)
}
}
}
}
}
}
}
}
dynamic "ingress_policies" {
for_each = try(local.perimeter_ingress_policies_dry_run[each.key] != null ? local.perimeter_ingress_policies_dry_run[each.key] : [], [])
content {
dynamic "ingress_from" {
for_each = try(var.ingress_policies[ingress_policies.value].ingress_from != null ? [""] : [], [])
content {
identity_type = try(var.ingress_policies[ingress_policies.value].ingress_from.identity_type, null)
identities = try(var.ingress_policies[ingress_policies.value].ingress_from.identities, null)
dynamic "sources" {
for_each = toset(try([var.ingress_policies[ingress_policies.value].ingress_from.sources], []))
content {
access_level = try(sources.value.access_level, null)
resource = try(sources.value.resource, null)
}
}
}
}
dynamic "ingress_to" {
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to != null ? [""] : [], [])
content {
resources = try(var.ingress_policies[ingress_policies.value].ingress_to.resources, null)
dynamic "operations" {
for_each = try(var.ingress_policies[ingress_policies.value].ingress_to.operations, [])
content {
service_name = try(operations.value.service_name, null)
dynamic "method_selectors" {
for_each = try([operations.value.method_selectors], [])
content {
method = try(method_selectors.value.method, null)
permission = try(method_selectors.value.permission, null)
}
}
}
}
}
}
}
}
}
}
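Review bot: A policy name listed in `egress_policies_perimeters` (or `ingress_policies_perimeters`) but missing from `var.egress_policies` is not reported: the index in `for_each = try(var.egress_policies[egress_policies.value].egress_from != null ? [""] : [], [])` fails, the `try` yields `[]`, and the same happens for `egress_to`, so the resource gets an `egress_policies {}` block with no content rather than a plan error; the same pattern applies to the ingress blocks and to the dry-run copies in the third hunk. Limiting the fallback to the optional sub-block, e.g. `for_each = lookup(var.egress_policies[egress_policies.value], "egress_from", null) != null ? [""] : []`, keeps an unknown policy name (or a misspelled `egress_to`) a hard error, which matters because the block is what punches a hole in the perimeter; whether the API treats an empty policy as a no-op or as unrestricted I cannot tell from here. Also, `for_each = try([operations.value.method_selectors], [])` and `toset(try([...ingress_from.sources], []))` wrap a single object, so only one method selector per operation and one source per ingress policy can ever be expressed, while `try(method_selectors.value.method, null)` turns a list passed there into a selector with both fields null; if one-per-policy is intended, say so in the variable description, otherwise iterate the list. Finally, the enforced and dry-run blocks are byte-for-byte copies apart from the local they read; a single local keyed by mode would halve the surface that has to stay in sync.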


@ -40,6 +40,28 @@ variable "access_policy_title" {
type = string
}
variable "egress_policies" {
description = "List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies)"
default = null
}
variable "egress_policies_perimeters" {
description = "Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
type = map(map(list(string)))
default = {}
}
variable "ingress_policies" {
description = "List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies)"
default = null
}
variable "ingress_policies_perimeters" {
description = "Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
type = map(map(list(string)))
default = {}
}
variable "organization_id" {
description = "Organization id in organizations/nnnnnn format."
type = string
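Review bot: `egress_policies` and `ingress_policies` are declared without a `type`, so Terraform accepts any value and the `try(..., null)` reads in main.tf turn a misspelled key (say `egres_to`) into a policy with that part silently omitted instead of a plan-time error. A `validation` block on each variable that checks every value with `can(p.egress_to)` (resp. `can(p.ingress_to)`), guarded for the `null` default, would catch that before a perimeter exception is applied. The descriptions also say "List of EgressPolicies"/"List of IngressPolicies", but the README example and the `var.egress_policies[egress_policies.value]` lookups treat the value as a map keyed by policy name, so "Map of egress policies keyed by name" is what a caller needs to know. The `egress_policies` description additionally links to the `#ingress_policies` anchor of the provider page; point it at the egress-policies section instead.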