From 96808b89ff74da9523228761dc610b2712327bf4 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 6 Jul 2020 16:53:02 +0200
Subject: [PATCH] Add dry run mode support

---
 modules/organization/main.tf | 30 ++++++++++++++++++++++++++++--
 modules/organization/variables.tf | 13 +++++++++++--
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index 7044c458..dcd75725 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -53,7 +53,34 @@ resource "google_access_context_manager_service_perimeter" "standard" {
 perimeter_type = each.value.type
 status {
 resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
- restricted_services = each.value.restricted_services
+ restricted_services = each.value.enforced_config.restricted_services
+
+ dynamic "vpc_accessible_services" {
+ for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
+
+ content {
+ enable_restriction = true
+ allowed_services = each.value.enforced_config.vpc_accessible_services
+ }
+ }
+ }
+ use_explicit_dry_run_spec = each.value.dry_run_config != [] ? true : false
+ dynamic "spec" {
+ for_each = each.value.dry_run_config != [] ? [""] : []
+
+ content {
+ resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
+ restricted_services = try(each.value.dry_run_config.restricted_services, null)
+
+ dynamic "vpc_accessible_services" {
+ for_each = try(each.value.dry_run_config.vpc_accessible_services != [] ? [""] : [],[])
+
+ content {
+ enable_restriction = true
+ allowed_services = try(each.value.dry_run_config.vpc_accessible_services, null)
+ }
+ }
+ }
 }
 # Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`,
@@ -71,7 +98,6 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
 perimeter_type = each.value.type
 status {
 resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
- restricted_services = each.value.restricted_services
 }
 # Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`,
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 7209c39f..9053af0b 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -80,8 +80,17 @@ variable "policy_list" {
 variable "vpc_sc_perimeters" {
 description = "Set of Perimeters."
 type = map(object({
- type = string
- restricted_services = list(string)
+ type = string
+ dry_run_config = object({
+ access_levels = list(string)
+ restricted_services = list(string)
+ vpc_accessible_services = list(string)
+ })
+ enforced_config = object({
+ access_levels = list(string)
+ restricted_services = list(string)
+ vpc_accessible_services = list(string)
+ })
 }))
 default = {}
 }
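Review bot: The new `vpc_sc_perimeters` type makes every attribute of `dry_run_config` and `enforced_config` mandatory while the description still says only "Set of Perimeters.", so nothing tells a caller that an enforced-only perimeter needs `dry_run_config = null` or what an empty `vpc_accessible_services` list is meant to do, and `access_levels` is declared in both objects but is not consumed by the `status`/`spec` blocks of main.tf shown in this patch, so it looks unused for now. Because these lists are typed `list(string)`, the emptiness tests in main.tf written as `... != []` never match — Terraform's `==`/`!=` compare type as well as value and a bare `[]` literal is a tuple — so the `vpc_accessible_services` block would be emitted with `enable_restriction = true` and an empty `allowed_services` even when the caller left the list empty, which, if the API accepts it, leaves no service reachable from inside the perimeter; likewise `each.value.dry_run_config != []` is always true, so the explicit dry-run spec is always sent. Those tests should become `length(each.value.enforced_config.vpc_accessible_services) > 0 ? [""] : []` and `each.value.dry_run_config != null`, and the variable should document the contract, e.g. `description = "Set of Perimeters. Set dry_run_config to null to send no dry-run spec; an empty vpc_accessible_services list leaves VPC-accessible services unrestricted."`.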