Add dry run mode support

2020-07-06 16:53:02 +02:00 · 2020-07-06 16:53:02 +02:00 · 96808b89ff
parent 35571096ca
commit 96808b89ff
2 changed files with 39 additions and 4 deletions
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@ -53,7 +53,34 @@ resource "google_access_context_manager_service_perimeter" "standard" {
  perimeter_type = each.value.type
  status {
    resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
-    restricted_services = each.value.restricted_services
+    restricted_services = each.value.enforced_config.restricted_services
+
+    dynamic "vpc_accessible_services" {
+      for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
+
+      content {
+        enable_restriction = true
+        allowed_services = each.value.enforced_config.vpc_accessible_services
+      }
+    }
+  }
+  use_explicit_dry_run_spec = each.value.dry_run_config != [] ? true : false
+  dynamic "spec" {
+    for_each = each.value.dry_run_config != [] ? [""] : []
+
+    content {
+      resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
+      restricted_services = try(each.value.dry_run_config.restricted_services, null)
+
+      dynamic "vpc_accessible_services" {
+        for_each = try(each.value.dry_run_config.vpc_accessible_services != [] ? [""] : [],[])
+
+        content {
+          enable_restriction = true
+          allowed_services = try(each.value.dry_run_config.vpc_accessible_services, null)
+        }
+      }
+    }
  }
  
  # Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`, 
@ -71,7 +98,6 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
  perimeter_type = each.value.type
  status {
    resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
-    restricted_services = each.value.restricted_services
  }

  # Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`, 
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@ -80,8 +80,17 @@ variable "policy_list" {
 variable "vpc_sc_perimeters" {
  description = "Set of Perimeters."
  type = map(object({
-    type                = string
-    restricted_services = list(string)
+    type            = string
+    dry_run_config  = object({
+      access_levels           = list(string)
+      restricted_services     = list(string)
+      vpc_accessible_services = list(string)
+    })
+    enforced_config = object({
+      access_levels           = list(string)
+      restricted_services     = list(string)
+      vpc_accessible_services = list(string)
+    })
  }))
  default = {}
 }