From 67fca1036cf924b3f95bfe2d6bfaafad896b5288 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Mon, 5 Dec 2022 09:00:00 +0100
Subject: [PATCH] Fix status ingress/egress policies in vpc-sc module (#1036)
* fix status ingress/egress policies
* fix default status/spec value
---
 modules/vpc-sc/README.md | 2 +-
 modules/vpc-sc/service-perimeters-regular.tf | 53 +++++++++++---------
 modules/vpc-sc/variables.tf | 6 +--
 3 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index a78158e1..8ba38c10 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -193,7 +193,7 @@ module "test" {
 | [egress_policies](variables.tf#L70) | Egress policy definitions that can be referenced in perimeters. | map(object({…})) | | {} |
 | [ingress_policies](variables.tf#L99) | Ingress policy definitions that can be referenced in perimeters. | map(object({…})) | | {} |
 | [service_perimeters_bridge](variables.tf#L130) | Bridge service perimeters. | map(object({…})) | | {} |
-| [service_perimeters_regular](variables.tf#L140) | Regular service perimeters. | map(object({…})) | | {} |
+| [service_perimeters_regular](variables.tf#L140) | Regular service perimeters. | map(object({…})) | | {} |
 ## Outputs
diff --git a/modules/vpc-sc/service-perimeters-regular.tf b/modules/vpc-sc/service-perimeters-regular.tf
index 5ef41c32..5b87ca3f 100644
--- a/modules/vpc-sc/service-perimeters-regular.tf
+++ b/modules/vpc-sc/service-perimeters-regular.tf
@@ -28,20 +28,21 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 perimeter_type = "PERIMETER_TYPE_REGULAR"
 use_explicit_dry_run_spec = each.value.use_explicit_dry_run_spec
 dynamic "spec" {
- for_each = each.value.spec == null ? [] : [""]
+ for_each = each.value.spec == null ? [] : [each.value.spec]
+ iterator = spec
 content {
 access_levels = (
- each.value.spec.access_levels == null ? null : [
- for k in each.value.spec.access_levels :
+ spec.value.access_levels == null ? null : [
+ for k in spec.value.access_levels :
 try(google_access_context_manager_access_level.basic[k].id, k)
 ]
 )
- resources = each.value.spec.resources
- restricted_services = each.value.spec.restricted_services
+ resources = spec.value.resources
+ restricted_services = spec.value.restricted_services
 dynamic "egress_policies" {
- for_each = each.value.spec.egress_policies == null ? {} : {
- for k in each.value.spec.egress_policies :
+ for_each = spec.value.egress_policies == null ? {} : {
+ for k in spec.value.egress_policies :
 k => lookup(var.egress_policies, k, null)
 if contains(keys(var.egress_policies), k)
 }
@@ -77,8 +78,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 }
 dynamic "ingress_policies" {
- for_each = each.value.spec.ingress_policies == null ? {} : {
- for k in each.value.spec.ingress_policies :
+ for_each = spec.value.ingress_policies == null ? {} : {
+ for k in spec.value.ingress_policies :
 k => lookup(var.ingress_policies, k, null)
 if contains(keys(var.ingress_policies), k)
 }
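Review bot: In the new `for_each` map for `egress_policies` (and the identical shape in the `ingress_policies` hunk below it), a key that is not present in `var.egress_policies` is silently filtered out by `if contains(keys(var.egress_policies), k)`, so a misspelled policy name yields a clean plan and a perimeter that simply lacks that rule. Since ingress/egress rules are what permit traffic across a perimeter this fails closed, but it converts a configuration typo into an access denial that only surfaces when a workload breaks, and the `lookup(..., null)` default is unreachable once the filter has run. Indexing directly fails at plan time with an explicit invalid-index error instead: `for k in spec.value.egress_policies : k => var.egress_policies[k]` (and `var.ingress_policies[k]` in the second hunk). If dropping unknown references is intentional, a comment on the `for_each` line should say so. The enclosing `content` and `dynamic "spec"` blocks continue past the end of the hunk.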
@@ -129,30 +130,31 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 }
 dynamic "vpc_accessible_services" {
- for_each = each.value.spec.vpc_accessible_services == null ? {} : { 1 = 1 }
+ for_each = spec.value.vpc_accessible_services == null ? {} : { 1 = 1 }
 content {
- allowed_services = each.value.spec.vpc_accessible_services.allowed_services
- enable_restriction = each.value.spec.vpc_accessible_services.enable_restriction
+ allowed_services = spec.value.vpc_accessible_services.allowed_services
+ enable_restriction = spec.value.vpc_accessible_services.enable_restriction
 }
 }
 }
 }
 dynamic "status" {
- for_each = each.value.status == null ? {} : { 1 = 1 }
+ for_each = each.value.status == null ? [] : [each.value.status]
+ iterator = status
 content {
 access_levels = (
- each.value.status.access_levels == null ? null : [
- for k in each.value.status.access_levels :
+ status.value.access_levels == null ? null : [
+ for k in status.value.access_levels :
 try(google_access_context_manager_access_level.basic[k].id, k)
 ]
 )
- resources = each.value.status.resources
- restricted_services = each.value.status.restricted_services
+ resources = status.value.resources
+ restricted_services = status.value.restricted_services
 dynamic "egress_policies" {
- for_each = each.value.spec.egress_policies == null ? {} : {
- for k in each.value.spec.egress_policies :
+ for_each = status.value.egress_policies == null ? {} : {
+ for k in status.value.egress_policies :
 k => lookup(var.egress_policies, k, null)
 if contains(keys(var.egress_policies), k)
 }
@@ -188,8 +190,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 }
 dynamic "ingress_policies" {
- for_each = each.value.spec.ingress_policies == null ? {} : {
- for k in each.value.spec.ingress_policies :
+ for_each = status.value.ingress_policies == null ? {} : {
+ for k in status.value.ingress_policies :
 k => lookup(var.ingress_policies, k, null)
 if contains(keys(var.ingress_policies), k)
 }
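Review bot: The corrected `status.value.egress_policies` and `status.value.ingress_policies` reads carry no comment, yet the defect being fixed is exactly that the enforced `status` block was populated from the dry-run `spec`'s policies, so any allowances meant only for dry-run evaluation were being enforced for real. A note above each `for_each` such as `# status is the enforced configuration; never read policies from spec (dry-run) here` would make a recurrence of that copy-paste obvious in review. The diffstat shows no test change; a fixture declaring one perimeter with different ingress/egress policy sets in `spec` and `status`, with assertions on the rendered plan, would catch this class of regression. `iterator = status` names what is already the default iterator for `dynamic "status"`, which is harmless but worth a word if it is meant as explicit documentation. Both `dynamic "status"` and the `ingress_policies` block continue past the hunk boundary.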
@@ -205,7 +207,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 iterator = s
 content {
 access_level = try(
- google_access_context_manager_access_level.basic[s.value].id, s.value
+ google_access_context_manager_access_level.basic[s.value].id,
+ s.value
 )
 }
 }
@@ -240,10 +243,10 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 }
 dynamic "vpc_accessible_services" {
- for_each = each.value.status.vpc_accessible_services == null ? {} : { 1 = 1 }
+ for_each = status.value.vpc_accessible_services == null ? {} : { 1 = 1 }
 content {
- allowed_services = each.value.status.vpc_accessible_services.allowed_services
- enable_restriction = each.value.status.vpc_accessible_services.enable_restriction
+ allowed_services = status.value.vpc_accessible_services.allowed_services
+ enable_restriction = status.value.vpc_accessible_services.enable_restriction
 }
 }
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index 1be23ae3..a196cc52 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
@@ -92,7 +92,7 @@ variable "egress_policies" {
 "ANY_USER", "ANY_SERVICE_ACCOUNT"
 ], v.from.identity_type)
 ])
- error_message = "Invalid `from.identity_type` value in eress policy."
+ error_message = "Invalid `from.identity_type` value in egress policy."
 }
 }
@@ -150,7 +150,7 @@ variable "service_perimeters_regular" {
 allowed_services = list(string)
 enable_restriction = bool
 }))
- }), {})
+ }))
 status = optional(object({
 access_levels = optional(list(string))
 resources = optional(list(string))
@@ -161,7 +161,7 @@ variable "service_perimeters_regular" {
 allowed_services = list(string)
 enable_restriction = bool
 }))
- }), {})
+ }))
 use_explicit_dry_run_spec = optional(bool, false)
 }))
 default = {}
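Review bot: Dropping the `{}` defaults on `spec` and `status` in the two `variables.tf` hunks is what makes `each.value.status == null` actually skip the block, but nothing in `variable "service_perimeters_regular"` now rejects a perimeter declared with neither `spec` nor `status`, or with `use_explicit_dry_run_spec = true` and no `spec`. If the provider accepts such a call (not verified here), the outcome is a perimeter that appears in state as protecting its projects while enforcing nothing, which is the kind of silent gap this module exists to prevent. The variable block continues past the hunk, so two `validation` blocks after `default = {}` would surface both combinations at plan time with a clear message rather than at the API or, worse, never.
```hcl
  default = {}
  validation {
    condition = alltrue([
      for k, v in var.service_perimeters_regular :
      v.status != null || v.spec != null
    ])
    error_message = "Each regular perimeter needs at least one of spec or status."
  }
  validation {
    condition = alltrue([
      for k, v in var.service_perimeters_regular :
      !v.use_explicit_dry_run_spec || v.spec != null
    ])
    error_message = "use_explicit_dry_run_spec requires spec to be set."
  }
```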