Add VPC-SC perimeters support
This commit is contained in:
parent
78b0d6a9e7
commit
b0bb441df5
|
@ -25,6 +25,59 @@ locals {
|
|||
for pair in local.iam_additive_pairs :
|
||||
"${pair.role}-${pair.member}" => pair
|
||||
}
|
||||
|
||||
standard_perimeters = {
|
||||
for key, value in var.vpc_sc_perimeters :
|
||||
key => value
|
||||
if value.type == "PERIMETER_TYPE_REGULAR"
|
||||
}
|
||||
|
||||
perimeter_create = var.access_policy_name != null || var.access_policy_title != null ? true : false
|
||||
|
||||
bridge_perimeters = {
|
||||
for key, value in var.vpc_sc_perimeters :
|
||||
key => value
|
||||
if value.type == "PERIMETER_TYPE_BRIDGE"
|
||||
}
|
||||
|
||||
access_policy_name = (
|
||||
var.access_policy_name == null
|
||||
? try(google_access_context_manager_access_policy.default.0.name, null)
|
||||
: try(var.access_policy_name, null)
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_policy" "default" {
|
||||
count = var.access_policy_name == null ? 1 : 0
|
||||
parent = format("organizations/%s", var.org_id)
|
||||
title = var.access_policy_title
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter" "standard" {
|
||||
for_each = local.perimeter_create ? local.standard_perimeters : {}
|
||||
parent = "accessPolicies/${local.access_policy_name}"
|
||||
name = "accessPolicies/${local.access_policy_name}/servicePerimeters/${each.key}"
|
||||
title = each.key
|
||||
perimeter_type = each.value.type
|
||||
status {
|
||||
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
|
||||
restricted_services = each.value.restricted_services
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter" "bridge" {
|
||||
for_each = local.perimeter_create != null ? local.bridge_perimeters : {}
|
||||
parent = "accessPolicies/${local.access_policy_name}"
|
||||
name = "accessPolicies/${local.access_policy_name}/servicePerimeters/${each.key}"
|
||||
title = each.key
|
||||
perimeter_type = each.value.type
|
||||
status {
|
||||
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
|
||||
restricted_services = each.value.restricted_services
|
||||
}
|
||||
depends_on = [
|
||||
google_access_context_manager_service_perimeter.standard,
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_organization_iam_custom_role" "roles" {
|
||||
|
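Review bot: The `bridge` perimeter's `for_each` guard on the `local.perimeter_create != null` line is always true, because `perimeter_create` is defined earlier in this hunk as a bool (`... ? true : false`) and can never be null, so when neither an access policy name nor a title is supplied the bridge perimeters are still planned against `accessPolicies/${local.access_policy_name}` with a null policy name. It should mirror the `standard` resource: `for_each = local.perimeter_create ? local.bridge_perimeters : {}`. The local itself can drop the redundant ternary, `perimeter_create = var.access_policy_name != null || var.access_policy_title != null`. Separately, both `status.resources` lines wrap every entry in `formatlist("projects/%s", ...)`, while the `vpc_sc_perimeters_projects` description in the variables hunk says values already arrive in `projects/project_number` format, so one of the two has to change or the resource references come out as `projects/projects/<number>`. The `locals` block these entries belong to opens before the hunk.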
|
|
@ -14,6 +14,18 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "access_policy_title" {
|
||||
description = "Access Policy title to be created."
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "access_policy_name" {
|
||||
description = "Access Policy name. No Access Policy will be created."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "custom_roles" {
|
||||
description = "Map of role name => list of permissions to create in this project."
|
||||
type = map(list(string))
|
||||
|
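Review bot: `access_policy_title` defaults to `""` rather than `null`, which does not match `access_policy_name` directly below it and makes any `!= null` test on the title elsewhere in the module always true, so an access policy with an empty title is created whenever `access_policy_name` is left unset; `default = null` keeps the two variables consistent and lets the caller's intent be detected. The description of `access_policy_name` reads as if no policy is ever created; I would phrase it as `description = "Existing Access Policy name. When set, no Access Policy is created."` and, for the title, `description = "Access Policy title; when set and access_policy_name is null, a new Access Policy is created."`.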
@ -76,3 +88,18 @@ variable "policy_list" {
|
|||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "vpc_sc_perimeters" {
|
||||
description = "Set of Perimeters."
|
||||
type = map(object({
|
||||
type = string
|
||||
restricted_services = list(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "vpc_sc_perimeters_projects" {
|
||||
description = "Perimeter - Project Number mapping in `projects/project_number` format.."
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
}
|
||||
|
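Review bot: `vpc_sc_perimeters.type` is a free-form string, but the module only acts on the two literals `PERIMETER_TYPE_REGULAR` and `PERIMETER_TYPE_BRIDGE`; any other value is silently dropped from both perimeter maps, so the description should name the accepted values, e.g. `description = "Map of perimeters; type must be PERIMETER_TYPE_REGULAR or PERIMETER_TYPE_BRIDGE."`. If the provider/Terraform version pinned by this module supports variable `validation` blocks, a `contains([...], value.type)` check would turn the silent drop into a plan-time error. The `vpc_sc_perimeters_projects` description also ends with a doubled period (`format..`) and, as noted on the main.tf hunk, contradicts the `formatlist("projects/%s", ...)` applied to its values.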
|