diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8bbd4e7..667ba0f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 - new `billing-budget` module
 - fix `scheduled-asset-inventory-export-bq` module
 - output custom role information from the `organization` module
+- enable multiple `vpc-sc` perimeters over multiple modules
 ## [5.1.0] - 2021-08-30
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 2c64bb1c..01bcf59d 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -136,15 +136,65 @@ module "vpc-sc" {
 # tftest:modules=1:resources=3
 ```
+## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
+```hcl
+module "vpc-sc-first" {
+ source = "./modules/vpc-sc"
+ organization_id = "organizations/112233"
+ access_policy_create = false
+ access_policy_name = "My Access Policy"
+ access_levels = {
+ my_trusted_proxy = {
+ combining_function = "AND"
+ conditions = [{
+ ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
+ members = []
+ negate = false
+ regions = null
+ }]
+ }
+ }
+ access_level_perimeters = {
+ enforced = {
+ my_trusted_proxy = ["perimeter"]
+ }
+ }
+ perimeters = {
+ perimeter = {
+ type = "PERIMETER_TYPE_REGULAR"
+ dry_run_config = {
+ restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+ vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+ }
+ enforced_config = {
+ restricted_services = ["storage.googleapis.com"]
+ vpc_accessible_services = ["storage.googleapis.com"]
+ }
+ }
+ }
+ perimeter_projects = {
+ perimeter = {
+ enforced = [111111111, 222222222]
+ dry_run = [333333333]
+ }
+ }
+}
+
+# tftest:modules=1:resources=2
+```
+
 ## Variables
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
-| access_policy_title | Access Policy title to be created. | string | ✓ | |
 | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | |
 | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} |
 | *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} |
+| *access_policy_create* | Enable autocreation of the Access Policy | bool | | true |
+| *access_policy_name* | Referenced Access Policy name | string | | null |
+| *access_policy_title* | Access Policy title to be created. | string | | null |
 | *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | | | null |
 | *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} |
 | *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | | | null |
diff --git a/modules/vpc-sc/main.tf b/modules/vpc-sc/main.tf
index 6b111d98..abae2e35 100644
--- a/modules/vpc-sc/main.tf
+++ b/modules/vpc-sc/main.tf
@@ -15,7 +15,11 @@
 */
 locals {
- access_policy_name = google_access_context_manager_access_policy.default.name
+ access_policy_name = (
+ var.access_policy_create
+ ? try(google_access_context_manager_access_policy.default[0].name, null)
+ : var.access_policy_name
+ )
 standard_perimeters = {
 for key, value in var.perimeters :
@@ -36,8 +40,9 @@ locals {
 }
 resource "google_access_context_manager_access_policy" "default" {
+ count = var.access_policy_create ? 1 : 0
 parent = var.organization_id
- title = var.access_policy_title
+ title = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title
 }
 resource "google_access_context_manager_access_level" "default" {
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index 490f4951..0905c71a 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
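Review bot: With `access_policy_create = false` and `access_policy_name` left at its new default of `null`, the rewritten `local.access_policy_name` evaluates to `null` without complaint, so every resource that derives its parent from it (outside this hunk) presumably fails later with an error that never names the missing variable. The `try(..., null)` on the create branch adds to that: with `count = 1` the `[0]` index always resolves, so the `try` only masks a real failure as `null`; `? google_access_context_manager_access_policy.default[0].name` is enough. Since variable validation blocks cannot reference other variables, the requirement "access_policy_name must be set when access_policy_create is false" should at least be stated in a comment here and in the variable description. The README example passes `"My Access Policy"`, which reads like a display title, whereas the value this local previously held was the resource's `name` attribute — if callers are expected to pass that attribute, the example should show it.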
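Review bot: Adding `count = var.access_policy_create ? 1 : 0` moves the existing access policy from address `google_access_context_manager_access_policy.default` to `...default[0]`, so an existing deployment that upgrades will plan to destroy and recreate the policy, and presumably everything that references it, unless the state is moved beforehand. Neither this hunk nor the CHANGELOG entry (`enable multiple vpc-sc perimeters over multiple modules`) flags this as a breaking change; the CHANGELOG or README should carry an upgrade note along the lines of `terraform state mv 'module.<module-name>.google_access_context_manager_access_policy.default' 'module.<module-name>.google_access_context_manager_access_policy.default[0]'`. A smaller point of style: the fallback `"${var.organization_id}-title"` produces a title such as `organizations/112233-title`; a comment explaining why the organization id is embedded, or a plainer default, would help.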
@@ -29,6 +29,18 @@ variable "access_levels" {
 default = {}
 }
+variable "access_policy_create" {
+ description = "Enable autocreation of the Access Policy"
+ type = bool
+ default = true
+}
+
+variable "access_policy_name" {
+ description = "Referenced Access Policy name"
+ type = string
+ default = null
+}
+
 variable "access_level_perimeters" {
 description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
 type = map(map(list(string)))
@@ -38,6 +50,7 @@ variable "access_level_perimeters" {
 variable "access_policy_title" {
 description = "Access Policy title to be created."
 type = string
+ default = null
 }
 variable "egress_policies" {
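Review bot: The description of `access_policy_name`, `"Referenced Access Policy name"`, does not say that the value is only read when `access_policy_create` is false, that it is then mandatory, or what format is expected (the policy's resource `name` attribute versus a display title), and the README example's `"My Access Policy"` suggests callers will guess wrong. Suggest `description = "Name of an existing Access Policy to use; required when access_policy_create is false."` and, for `access_policy_create`, `description = "Create the Access Policy; set to false to reference an existing one via access_policy_name."`. Because a validation block cannot reference another variable, the description is the only place this contract can currently be expressed, so it is worth being precise here.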