From 0f10e820f949d6e001c6471b8d60326a477e199a Mon Sep 17 00:00:00 2001
From: Daniel Marzini
Date: Thu, 22 Jul 2021 09:19:10 +0200
Subject: [PATCH 01/13] Enable multiple vpc-sc perimeters over multiple modules

---
 modules/vpc-sc/README.md | 89 +++++++++++++++++++++++++++++++++++++
 modules/vpc-sc/main.tf | 9 +++-
 modules/vpc-sc/variables.tf | 12 +++++
 modules/vpc-sc/versions.tf | 4 +-
 4 files changed, 110 insertions(+), 4 deletions(-)

diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 2c64bb1c..ef2ca92b 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -136,6 +136,95 @@ module "vpc-sc" { # tftest:modules=1:resources=3 ``` +## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy +```hcl +module "vpc-sc-first" { + source = "./modules/vpc-sc" + organization_id = "organizations/112233" + access_policy_title = "My Org Access Policy" + access_levels = { + my_trusted_proxy = { + combining_function = "AND" + conditions = [{ + ip_subnetworks = ["85.85.85.52/32"] + required_access_levels = null + members = [] + negate = false + regions = null + }] + } + } + access_level_perimeters = { + enforced = { + my_trusted_proxy = ["perimeter"] + } + } + perimeters = { + perimeter = { + type = "PERIMETER_TYPE_REGULAR" + dry_run_config = { + restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] + vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"] + } + enforced_config = { + restricted_services = ["storage.googleapis.com"] + vpc_accessible_services = ["storage.googleapis.com"] + } + } + } + perimeter_projects = { + perimeter = { + enforced = [111111111, 222222222] + dry_run = [333333333] + } + } +} + +module "vpc-sc-second" { + source = "./modules/vpc-sc" + organization_id = "organizations/112233" + access_policy_create = false + access_policy_name = module.vpc-sc-first.access_policy_name + access_levels = { + my_trusted_proxy = { + combining_function = "AND" + conditions = [{ + ip_subnetworks = ["85.85.85.52/32"] + required_access_levels = null + members = [] + negate = false + regions = null + }] + } + } + access_level_perimeters = { + enforced = { + my_trusted_proxy = ["secperimeter"] + } + } + perimeters = { + secperimeter = { + type = "PERIMETER_TYPE_REGULAR" + dry_run_config = { + restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] + vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"] + } + enforced_config = { + restricted_services = 
["storage.googleapis.com"] + vpc_accessible_services = ["storage.googleapis.com"] + } + } + } + perimeter_projects = { + secperimeter = { + enforced = [444444444, 666666666] + dry_run = [555555555] + } + } +} +# tftest:modules=1:resources=3 +``` + ## Variables diff --git a/modules/vpc-sc/main.tf b/modules/vpc-sc/main.tf index 6b111d98..abae2e35 100644 --- a/modules/vpc-sc/main.tf +++ b/modules/vpc-sc/main.tf @@ -15,7 +15,11 @@ */ locals { - access_policy_name = google_access_context_manager_access_policy.default.name + access_policy_name = ( + var.access_policy_create + ? try(google_access_context_manager_access_policy.default[0].name, null) + : var.access_policy_name + ) standard_perimeters = { for key, value in var.perimeters : @@ -36,8 +40,9 @@ locals { } resource "google_access_context_manager_access_policy" "default" { + count = var.access_policy_create ? 1 : 0 parent = var.organization_id - title = var.access_policy_title + title = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title } resource "google_access_context_manager_access_level" "default" { diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf index 490f4951..ea472ef9 100644 --- a/modules/vpc-sc/variables.tf +++ b/modules/vpc-sc/variables.tf @@ -29,6 +29,17 @@ variable "access_levels" { default = {} } +variable "access_policy_create" { + description = "enable autocreation of the Access Policy" + type = bool + default = true +} + +variable "access_policy_name" { + description = "Referenced Access Policy name" + type = string +} + variable "access_level_perimeters" { description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'" type = map(map(list(string))) @@ -38,6 +49,7 @@ variable "access_level_perimeters" { variable "access_policy_title" { description = "Access Policy title to be created." type = string + default = null } variable "egress_policies" { 
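Review bot: The new `local.access_policy_name` in the first main.tf hunk is what the README example reads as `module.vpc-sc-first.access_policy_name`, yet the diffstat lists no change to the module's outputs file; unless that output already exists, the two-module example shipped in this patch cannot be applied. If it is missing, add `output "access_policy_name" { value = local.access_policy_name }` next to the module's existing outputs. Note also that both arms of the conditional can yield null (the `try()` fallback, or `var.access_policy_name` left unset with `access_policy_create = false`), and this local presumably feeds the `parent` of the access levels and perimeters created further down, so a misconfiguration surfaces as a malformed parent rather than a clear error. The `locals` block continues outside the hunk.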
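Review bot: Adding `count` to `google_access_context_manager_access_policy.default` moves its state address from `...default` to `...default[0]`, so for anyone already using this module the next plan proposes destroying the organization's access policy and creating a new one; because that policy is the parent of every access level and perimeter, the whole VPC Service Controls configuration would be torn down and recreated. This needs to be called out in the CHANGELOG and README together with the migration step, e.g. `terraform state mv 'module.vpc-sc.google_access_context_manager_access_policy.default' 'module.vpc-sc.google_access_context_manager_access_policy.default[0]'` (module path constructed from the README example; a `moved` block is not available under the `>= 0.12.6` constraint). Separately, the new title fallback `"${var.organization_id}-title"` yields a value like `organizations/112233-title` (constructed from the example), which reads like an accident; if a default title is wanted, derive it from the bare organization number, otherwise drop the fallback and keep `access_policy_title` required.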
diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf index 6ecbc64e..2146648b 100644 --- a/modules/vpc-sc/versions.tf +++ b/modules/vpc-sc/versions.tf @@ -17,6 +17,6 @@ terraform { required_version = ">= 0.12.6" required_providers { - google = ">= 3.62" - } + google = ">= 3.62" + } } From a604e66cf9b2fb3dc85915ad94d863e84ad81b96 Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Thu, 22 Jul 2021 10:18:18 +0200 Subject: [PATCH 02/13] Update README.md --- modules/vpc-sc/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index ef2ca92b..133709cf 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md 
@@ -230,10 +230,12 @@ module "vpc-sc-second" { | name | description | type | required | default | |---|---|:---: |:---:|:---:| -| access_policy_title | Access Policy title to be created. | string | ✓ | | +| access_policy_name | Referenced Access Policy name | string | ✓ | | | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | | | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | | *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} | +| *access_policy_create* | enable autocreation of the Access Policy | bool | | true | +| *access_policy_title* | Access Policy title to be created. | string | | null | | *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | | | null | | *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | | *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | | | null | From 4a3464fa7e61ad6dc16cc511bc5fa27051b3fd45 Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Thu, 22 Jul 2021 10:36:01 +0200 Subject: [PATCH 03/13] Update variables.tf --- modules/vpc-sc/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf index ea472ef9..3a539d92 100644 --- a/modules/vpc-sc/variables.tf +++ b/modules/vpc-sc/variables.tf 
@@ -38,6 +38,7 @@ variable "access_policy_create" { variable "access_policy_name" { description = "Referenced Access Policy name" type = string + default = null } variable "access_level_perimeters" { From 5b88545ca016707a654b6634b4c169726a77dc08 Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Thu, 22 Jul 2021 10:41:11 +0200 Subject: [PATCH 04/13] Update README.md --- modules/vpc-sc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 133709cf..b83f9fee 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -230,11 +230,11 @@ module "vpc-sc-second" { | name | description | type | required | default | |---|---|:---: |:---:|:---:| -| access_policy_name | Referenced Access Policy name | string | ✓ | | | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | | | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | | *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} | | *access_policy_create* | enable autocreation of the Access Policy | bool | | true | +| *access_policy_name* | Referenced Access Policy name | string | | null | | *access_policy_title* | Access Policy title to be created. | string | | null | | *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | | | null | | *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | From a0e6cfab676ea43cfde8fb13a8038b92d29e7f34 Mon Sep 17 00:00:00 2001 
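Review bot: With `access_policy_name` now defaulting to null, `access_policy_create = false` combined with an unset name is accepted silently and `local.access_policy_name` (main.tf, outside this patch) becomes null, so the mistake shows up only when the dependent resources are planned with a malformed parent instead of at variable validation. A `validation` block cannot express this on the Terraform versions the module targets because it would have to reference `access_policy_create`, so the contract should at least be stated in the description: `description = "Name of an existing Access Policy to use; required when access_policy_create is false."`, with the README variables table regenerated to match. Since the created-policy branch of the local returns the resource `name`, the description should also make clear that the policy's resource name is expected rather than its title; the README example later in this series passes `"My Access Policy"`, which looks like a title. If the module's Terraform constraint is ever raised to 1.2+, a `precondition` on the policy lookup is the place to turn this into a hard error.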
From: Daniel Marzini Date: Thu, 22 Jul 2021 11:45:02 +0200 Subject: [PATCH 05/13] Update README.md --- modules/vpc-sc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index b83f9fee..ae3ca954 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -222,7 +222,7 @@ module "vpc-sc-second" { } } } -# tftest:modules=1:resources=3 +# tftest:modules=2:resources=5 ``` From d5fde0e6e197799cad02c5f9331924decffb5f53 Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Fri, 3 Sep 2021 18:35:06 +0200 Subject: [PATCH 06/13] adjusting code to reflect pr changes request --- modules/vpc-sc/README.md | 44 +------------------------------------ modules/vpc-sc/variables.tf | 2 +- 2 files changed, 2 insertions(+), 44 deletions(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index ae3ca954..3388c88f 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md 
@@ -138,48 +138,6 @@ module "vpc-sc" { ## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy ```hcl -module "vpc-sc-first" { - source = "./modules/vpc-sc" - organization_id = "organizations/112233" - access_policy_title = "My Org Access Policy" - access_levels = { - my_trusted_proxy = { - combining_function = "AND" - conditions = [{ - ip_subnetworks = ["85.85.85.52/32"] - required_access_levels = null - members = [] - negate = false - regions = null - }] - } - } - access_level_perimeters = { - enforced = { - my_trusted_proxy = ["perimeter"] - } - } - perimeters = { - perimeter = { - type = "PERIMETER_TYPE_REGULAR" - dry_run_config = { - restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] - vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"] - } - enforced_config = { - restricted_services = ["storage.googleapis.com"] - vpc_accessible_services = ["storage.googleapis.com"] - } - } - } - perimeter_projects = { - perimeter = { - enforced = [111111111, 222222222] - dry_run = [333333333] - } - } -} - module "vpc-sc-second" { source = "./modules/vpc-sc" organization_id = "organizations/112233" @@ -222,7 +180,7 @@ module "vpc-sc-second" { } } } -# tftest:modules=2:resources=5 +# tftest:modules=1:resources=3 ``` diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf index 3a539d92..0905c71a 100644 --- a/modules/vpc-sc/variables.tf +++ b/modules/vpc-sc/variables.tf @@ -30,7 +30,7 @@ variable "access_levels" { } variable "access_policy_create" { - description = "enable autocreation of the Access Policy" + description = "Enable autocreation of the Access Policy" type = bool default = true } From ae2dddc192b48f7d4151c9a1714eecd7e36f4a35 Mon Sep 17 00:00:00 2001 
From: Daniel Marzini Date: Fri, 3 Sep 2021 18:41:51 +0200 Subject: [PATCH 07/13] Update README.md --- modules/vpc-sc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 3388c88f..544b9189 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -191,7 +191,7 @@ module "vpc-sc-second" { | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | | | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | | *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} | -| *access_policy_create* | enable autocreation of the Access Policy | bool | | true | +| *access_policy_create* | Enable autocreation of the Access Policy | bool | | true | | *access_policy_name* | Referenced Access Policy name | string | | null | | *access_policy_title* | Access Policy title to be created. | string | | null | | *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | | | null | From 996b8d2aa6a1b1f131901cf002c29cbf62de059f Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Fri, 3 Sep 2021 18:53:30 +0200 Subject: [PATCH 08/13] Update README.md --- modules/vpc-sc/README.md | 46 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 544b9189..ae3ca954 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md 
@@ -138,6 +138,48 @@ module "vpc-sc" { ## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy ```hcl +module "vpc-sc-first" { + source = "./modules/vpc-sc" + organization_id = "organizations/112233" + access_policy_title = "My Org Access Policy" + access_levels = { + my_trusted_proxy = { + combining_function = "AND" + conditions = [{ + ip_subnetworks = ["85.85.85.52/32"] + required_access_levels = null + members = [] + negate = false + regions = null + }] + } + } + access_level_perimeters = { + enforced = { + my_trusted_proxy = ["perimeter"] + } + } + perimeters = { + perimeter = { + type = "PERIMETER_TYPE_REGULAR" + dry_run_config = { + restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] + vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"] + } + enforced_config = { + restricted_services = ["storage.googleapis.com"] + vpc_accessible_services = ["storage.googleapis.com"] + } + } + } + perimeter_projects = { + perimeter = { + enforced = [111111111, 222222222] + dry_run = [333333333] + } + } +} + module "vpc-sc-second" { source = "./modules/vpc-sc" organization_id = "organizations/112233" @@ -180,7 +222,7 @@ module "vpc-sc-second" { } } } -# tftest:modules=1:resources=3 +# tftest:modules=2:resources=5 ``` 
@@ -191,7 +233,7 @@ module "vpc-sc-second" { | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | | | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | | *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} | -| *access_policy_create* | Enable autocreation of the Access Policy | bool | | true | +| *access_policy_create* | enable autocreation of the Access Policy | bool | | true | | *access_policy_name* | Referenced Access Policy name | string | | null | | *access_policy_title* | Access Policy title to be created. | string | | null | | *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | | | null | From 8ed8d917a9c4db358b743971350cdede6d13d204 Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Fri, 3 Sep 2021 18:54:53 +0200 Subject: [PATCH 09/13] Update README.md --- modules/vpc-sc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index ae3ca954..43331e83 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md 
@@ -233,7 +233,7 @@ module "vpc-sc-second" { | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | | | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} | | *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} | -| *access_policy_create* | enable autocreation of the Access Policy | bool | | true | +| *access_policy_create* | Enable autocreation of the Access Policy | bool | | true | | *access_policy_name* | Referenced Access Policy name | string | | null | | *access_policy_title* | Access Policy title to be created. | string | | null | | *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | | | null | From 6b24acbbd4895409b2d2da9bbd5d901878530f1c Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Tue, 14 Sep 2021 10:21:36 +0200 Subject: [PATCH 10/13] Update README.md --- modules/vpc-sc/README.md | 45 ++-------------------------------------- 1 file changed, 2 insertions(+), 43 deletions(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 43331e83..6132bf13 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -141,7 +141,8 @@ module "vpc-sc" { module "vpc-sc-first" { source = "./modules/vpc-sc" organization_id = "organizations/112233" - access_policy_title = "My Org Access Policy" + access_policy_create = false + access_policy_name = "My Access Policy" access_levels = { my_trusted_proxy = { combining_function = "AND" 
@@ -180,48 +181,6 @@ module "vpc-sc-first" { } } -module "vpc-sc-second" { - source = "./modules/vpc-sc" - organization_id = "organizations/112233" - access_policy_create = false - access_policy_name = module.vpc-sc-first.access_policy_name - access_levels = { - my_trusted_proxy = { - combining_function = "AND" - conditions = [{ - ip_subnetworks = ["85.85.85.52/32"] - required_access_levels = null - members = [] - negate = false - regions = null - }] - } - } - access_level_perimeters = { - enforced = { - my_trusted_proxy = ["secperimeter"] - } - } - perimeters = { - secperimeter = { - type = "PERIMETER_TYPE_REGULAR" - dry_run_config = { - restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] - vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"] - } - enforced_config = { - restricted_services = ["storage.googleapis.com"] - vpc_accessible_services = ["storage.googleapis.com"] - } - } - } - perimeter_projects = { - secperimeter = { - enforced = [444444444, 666666666] - dry_run = [555555555] - } - } -} # tftest:modules=2:resources=5 ``` From 10698e1d5c8052be7768e538164016b38a3d84c9 Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Tue, 14 Sep 2021 14:57:20 +0200 Subject: [PATCH 11/13] Update README.md --- modules/vpc-sc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 6132bf13..8ec0a8af 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -181,7 +181,7 @@ module "vpc-sc-first" { } } -# tftest:modules=2:resources=5 +# tftest:modules=1:resources=3 ``` From 9fd6cd0c86c07fc216ed93ebd0f7a54c69e1a23d Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Tue, 14 Sep 2021 14:59:33 +0200 Subject: [PATCH 12/13] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8bbd4e7..667ba0f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file. - new `billing-budget` module - fix `scheduled-asset-inventory-export-bq` module - output custom role information from the `organization` module +- enable multiple `vpc-sc` perimeters over multiple modules ## [5.1.0] - 2021-08-30 From a220f2ab1f7a94f3a7cb7ffba0e8fbf6199ebe0f Mon Sep 17 00:00:00 2001 From: Daniel Marzini Date: Tue, 14 Sep 2021 15:12:06 +0200 Subject: [PATCH 13/13] Update README.md --- modules/vpc-sc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md index 8ec0a8af..01bcf59d 100644 --- a/modules/vpc-sc/README.md +++ b/modules/vpc-sc/README.md @@ -181,7 +181,7 @@ module "vpc-sc-first" { } } -# tftest:modules=1:resources=3 +# tftest:modules=1:resources=2 ```