Fix status ingress/egress policies in vpc-sc module (#1036)
* fix status ingress/egress policies * fix default status/spec value
parent
f97239bd97
commit
67fca1036c
|
@ -193,7 +193,7 @@ module "test" {
|
||||||
| [egress_policies](variables.tf#L70) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [egress_policies](variables.tf#L70) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [ingress_policies](variables.tf#L99) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [ingress_policies](variables.tf#L99) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [service_perimeters_bridge](variables.tf#L130) | Bridge service perimeters. | <code title="map(object({ spec_resources = optional(list(string)) status_resources = optional(list(string)) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [service_perimeters_bridge](variables.tf#L130) | Bridge service perimeters. | <code title="map(object({ spec_resources = optional(list(string)) status_resources = optional(list(string)) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [service_perimeters_regular](variables.tf#L140) | Regular service perimeters. | <code title="map(object({ spec = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) }), {}) status = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) }), {}) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [service_perimeters_regular](variables.tf#L140) | Regular service perimeters. | <code title="map(object({ spec = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) status = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -28,20 +28,21 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||||
perimeter_type = "PERIMETER_TYPE_REGULAR"
|
perimeter_type = "PERIMETER_TYPE_REGULAR"
|
||||||
use_explicit_dry_run_spec = each.value.use_explicit_dry_run_spec
|
use_explicit_dry_run_spec = each.value.use_explicit_dry_run_spec
|
||||||
dynamic "spec" {
|
dynamic "spec" {
|
||||||
for_each = each.value.spec == null ? [] : [""]
|
for_each = each.value.spec == null ? [] : [each.value.spec]
|
||||||
|
iterator = spec
|
||||||
content {
|
content {
|
||||||
access_levels = (
|
access_levels = (
|
||||||
each.value.spec.access_levels == null ? null : [
|
spec.value.access_levels == null ? null : [
|
||||||
for k in each.value.spec.access_levels :
|
for k in spec.value.access_levels :
|
||||||
try(google_access_context_manager_access_level.basic[k].id, k)
|
try(google_access_context_manager_access_level.basic[k].id, k)
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
resources = each.value.spec.resources
|
resources = spec.value.resources
|
||||||
restricted_services = each.value.spec.restricted_services
|
restricted_services = spec.value.restricted_services
|
||||||
|
|
||||||
dynamic "egress_policies" {
|
dynamic "egress_policies" {
|
||||||
for_each = each.value.spec.egress_policies == null ? {} : {
|
for_each = spec.value.egress_policies == null ? {} : {
|
||||||
for k in each.value.spec.egress_policies :
|
for k in spec.value.egress_policies :
|
||||||
k => lookup(var.egress_policies, k, null)
|
k => lookup(var.egress_policies, k, null)
|
||||||
if contains(keys(var.egress_policies), k)
|
if contains(keys(var.egress_policies), k)
|
||||||
}
|
}
|
||||||
|
@ -77,8 +78,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "ingress_policies" {
|
dynamic "ingress_policies" {
|
||||||
for_each = each.value.spec.ingress_policies == null ? {} : {
|
for_each = spec.value.ingress_policies == null ? {} : {
|
||||||
for k in each.value.spec.ingress_policies :
|
for k in spec.value.ingress_policies :
|
||||||
k => lookup(var.ingress_policies, k, null)
|
k => lookup(var.ingress_policies, k, null)
|
||||||
if contains(keys(var.ingress_policies), k)
|
if contains(keys(var.ingress_policies), k)
|
||||||
}
|
}
|
||||||
|
@ -129,30 +130,31 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "vpc_accessible_services" {
|
dynamic "vpc_accessible_services" {
|
||||||
for_each = each.value.spec.vpc_accessible_services == null ? {} : { 1 = 1 }
|
for_each = spec.value.vpc_accessible_services == null ? {} : { 1 = 1 }
|
||||||
content {
|
content {
|
||||||
allowed_services = each.value.spec.vpc_accessible_services.allowed_services
|
allowed_services = spec.value.vpc_accessible_services.allowed_services
|
||||||
enable_restriction = each.value.spec.vpc_accessible_services.enable_restriction
|
enable_restriction = spec.value.vpc_accessible_services.enable_restriction
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
dynamic "status" {
|
dynamic "status" {
|
||||||
for_each = each.value.status == null ? {} : { 1 = 1 }
|
for_each = each.value.status == null ? [] : [each.value.status]
|
||||||
|
iterator = status
|
||||||
content {
|
content {
|
||||||
access_levels = (
|
access_levels = (
|
||||||
each.value.status.access_levels == null ? null : [
|
status.value.access_levels == null ? null : [
|
||||||
for k in each.value.status.access_levels :
|
for k in status.value.access_levels :
|
||||||
try(google_access_context_manager_access_level.basic[k].id, k)
|
try(google_access_context_manager_access_level.basic[k].id, k)
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
resources = each.value.status.resources
|
resources = status.value.resources
|
||||||
restricted_services = each.value.status.restricted_services
|
restricted_services = status.value.restricted_services
|
||||||
|
|
||||||
dynamic "egress_policies" {
|
dynamic "egress_policies" {
|
||||||
for_each = each.value.spec.egress_policies == null ? {} : {
|
for_each = status.value.egress_policies == null ? {} : {
|
||||||
for k in each.value.spec.egress_policies :
|
for k in status.value.egress_policies :
|
||||||
k => lookup(var.egress_policies, k, null)
|
k => lookup(var.egress_policies, k, null)
|
||||||
if contains(keys(var.egress_policies), k)
|
if contains(keys(var.egress_policies), k)
|
||||||
}
|
}
|
||||||
|
@ -188,8 +190,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "ingress_policies" {
|
dynamic "ingress_policies" {
|
||||||
for_each = each.value.spec.ingress_policies == null ? {} : {
|
for_each = status.value.ingress_policies == null ? {} : {
|
||||||
for k in each.value.spec.ingress_policies :
|
for k in status.value.ingress_policies :
|
||||||
k => lookup(var.ingress_policies, k, null)
|
k => lookup(var.ingress_policies, k, null)
|
||||||
if contains(keys(var.ingress_policies), k)
|
if contains(keys(var.ingress_policies), k)
|
||||||
}
|
}
|
||||||
|
@ -205,7 +207,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||||
iterator = s
|
iterator = s
|
||||||
content {
|
content {
|
||||||
access_level = try(
|
access_level = try(
|
||||||
google_access_context_manager_access_level.basic[s.value].id, s.value
|
google_access_context_manager_access_level.basic[s.value].id,
|
||||||
|
s.value
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -240,10 +243,10 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic "vpc_accessible_services" {
|
dynamic "vpc_accessible_services" {
|
||||||
for_each = each.value.status.vpc_accessible_services == null ? {} : { 1 = 1 }
|
for_each = status.value.vpc_accessible_services == null ? {} : { 1 = 1 }
|
||||||
content {
|
content {
|
||||||
allowed_services = each.value.status.vpc_accessible_services.allowed_services
|
allowed_services = status.value.vpc_accessible_services.allowed_services
|
||||||
enable_restriction = each.value.status.vpc_accessible_services.enable_restriction
|
enable_restriction = status.value.vpc_accessible_services.enable_restriction
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
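Review bot: The `for_each` expressions of the `egress_policies` and `ingress_policies` dynamic blocks (now reading `spec.value.*` and `status.value.*` in all four places in this section) still filter with `if contains(keys(var.egress_policies), k)` / `if contains(keys(var.ingress_policies), k)`, so a perimeter that names a policy key not defined in those maps silently gets fewer rules than its author wrote and no plan-time error, leaving the enforced or dry-run policy set different from the configuration under review. Under that filter the `lookup(var.egress_policies, k, null)` default can never be taken, so `k => var.egress_policies[k]` (and the ingress equivalent) says the same thing more directly. A `precondition` on the resource that checks every referenced key against the variable maps turns the silent drop into a plan failure; the resource and its `lifecycle` block, if it already has one, begin and end outside this hunk, so the fence shows only the egress check and the ingress one is identical with `ingress_policies` substituted.
```hcl
  lifecycle {
    precondition {
      condition = alltrue([
        for k in flatten([
          for s in [each.value.spec, each.value.status] :
          try(s.egress_policies, null) == null ? [] : s.egress_policies
        ]) : contains(keys(var.egress_policies), k)
      ])
      error_message = "A regular perimeter references an egress policy key that is not defined in var.egress_policies."
    }
    # … same precondition for ingress_policies against var.ingress_policies …
  }
```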
@ -92,7 +92,7 @@ variable "egress_policies" {
|
||||||
"ANY_USER", "ANY_SERVICE_ACCOUNT"
|
"ANY_USER", "ANY_SERVICE_ACCOUNT"
|
||||||
], v.from.identity_type)
|
], v.from.identity_type)
|
||||||
])
|
])
|
||||||
error_message = "Invalid `from.identity_type` value in eress policy."
|
error_message = "Invalid `from.identity_type` value in egress policy."
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -150,7 +150,7 @@ variable "service_perimeters_regular" {
|
||||||
allowed_services = list(string)
|
allowed_services = list(string)
|
||||||
enable_restriction = bool
|
enable_restriction = bool
|
||||||
}))
|
}))
|
||||||
}), {})
|
}))
|
||||||
status = optional(object({
|
status = optional(object({
|
||||||
access_levels = optional(list(string))
|
access_levels = optional(list(string))
|
||||||
resources = optional(list(string))
|
resources = optional(list(string))
|
||||||
|
@ -161,7 +161,7 @@ variable "service_perimeters_regular" {
|
||||||
allowed_services = list(string)
|
allowed_services = list(string)
|
||||||
enable_restriction = bool
|
enable_restriction = bool
|
||||||
}))
|
}))
|
||||||
}), {})
|
}))
|
||||||
use_explicit_dry_run_spec = optional(bool, false)
|
use_explicit_dry_run_spec = optional(bool, false)
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
|
|
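Review bot: Dropping the `{}` defaults on `spec` and `status` (the `}), {})` → `}))` lines in both hunks of this section) lets a perimeter entry type-check with `spec = null`, including one written as `{ use_explicit_dry_run_spec = true }`, and main.tf then emits no `spec` block for it at all; whether the API accepts an explicit dry-run perimeter without a spec cannot be seen from here, but if it does not, the failure surfaces only at apply time. A `validation` block on the variable rejects that combination at plan time, and the same shape can require at least one of `spec`/`status` if a perimeter with neither is not intended. The `variable "service_perimeters_regular"` block closes outside the second hunk and I cannot see whether it already carries validation blocks, so the fence is the block to add next to `default = {}`.
```hcl
  default = {}

  validation {
    condition = alltrue([
      for k, v in var.service_perimeters_regular :
      !v.use_explicit_dry_run_spec || v.spec != null
    ])
    error_message = "use_explicit_dry_run_spec = true requires a spec to be defined for the perimeter."
  }
```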