Add VPC-SC perimeters support

2020-07-02 18:12:34 +02:00 · 2020-07-02 18:12:34 +02:00 · b0bb441df5
parent 78b0d6a9e7
commit b0bb441df5
2 changed files with 80 additions and 0 deletions
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@ -25,6 +25,59 @@ locals {
    for pair in local.iam_additive_pairs :
    "${pair.role}-${pair.member}" => pair
  }
+
+  standard_perimeters = {
+    for key, value in var.vpc_sc_perimeters :
+    key => value
+    if value.type == "PERIMETER_TYPE_REGULAR"
+  }
+
+  perimeter_create = var.access_policy_name != null || var.access_policy_title != null ? true : false
+
+  bridge_perimeters = {
+    for key, value in var.vpc_sc_perimeters :
+    key => value
+    if value.type == "PERIMETER_TYPE_BRIDGE"
+  }
+
+  access_policy_name = (
+    var.access_policy_name == null
+    ? try(google_access_context_manager_access_policy.default.0.name, null)
+    : try(var.access_policy_name, null)
+  )
+}
+
+resource "google_access_context_manager_access_policy" "default" {
+  count  = var.access_policy_name == null ? 1 : 0
+  parent = format("organizations/%s", var.org_id)
+  title  = var.access_policy_title
+}
+
+resource "google_access_context_manager_service_perimeter" "standard" {
+  for_each       = local.perimeter_create ? local.standard_perimeters : {}
+  parent         = "accessPolicies/${local.access_policy_name}"
+  name           = "accessPolicies/${local.access_policy_name}/servicePerimeters/${each.key}"
+  title          = each.key
+  perimeter_type = each.value.type
+  status {
+    resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
+    restricted_services = each.value.restricted_services
+  }
+}
+
+resource "google_access_context_manager_service_perimeter" "bridge" {
+  for_each       = local.perimeter_create != null ? local.bridge_perimeters : {}
+  parent         = "accessPolicies/${local.access_policy_name}"
+  name           = "accessPolicies/${local.access_policy_name}/servicePerimeters/${each.key}"
+  title          = each.key
+  perimeter_type = each.value.type
+  status {
+    resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
+    restricted_services = each.value.restricted_services
+  }
+  depends_on = [
+    google_access_context_manager_service_perimeter.standard,
+  ]
 }

 resource "google_organization_iam_custom_role" "roles" {
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@ -14,6 +14,18 @@
 * limitations under the License.
 */

+variable "access_policy_title" {
+  description = "Access Policy title to be created."
+  type        = string
+  default     = ""
+}
+
+variable "access_policy_name" {
+  description = "Access Policy name. No Access Policy will be created."
+  type        = string
+  default     = null
+}
+
 variable "custom_roles" {
  description = "Map of role name => list of permissions to create in this project."
  type        = map(list(string))
@ -76,3 +88,18 @@ variable "policy_list" {
  }))
  default = {}
 }
+
+variable "vpc_sc_perimeters" {
+  description = "Set of Perimeters."
+  type = map(object({
+    type                = string
+    restricted_services = list(string)
+  }))
+  default = {}
+}
+
+variable "vpc_sc_perimeters_projects" {
+  description = "Perimeter - Project Number mapping in `projects/project_number` format.."
+  type        = map(list(string))
+  default     = {}
+}