Merge pull request #283 from terraform-google-modules/feature/vpc-sc-multiple-perimeters
Enable multiple vpc-sc perimeters over multiple modules
b1ea50ea80
|
@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
|
||||||
- new `billing-budget` module
|
- new `billing-budget` module
|
||||||
- fix `scheduled-asset-inventory-export-bq` module
|
- fix `scheduled-asset-inventory-export-bq` module
|
||||||
- output custom role information from the `organization` module
|
- output custom role information from the `organization` module
|
||||||
|
- enable multiple `vpc-sc` perimeters over multiple modules
|
||||||
|
|
||||||
## [5.1.0] - 2021-08-30
|
## [5.1.0] - 2021-08-30
|
||||||
|
|
||||||
|
|
|
@ -136,15 +136,65 @@ module "vpc-sc" {
|
||||||
# tftest:modules=1:resources=3
|
# tftest:modules=1:resources=3
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
|
||||||
|
```hcl
|
||||||
|
module "vpc-sc-first" {
|
||||||
|
source = "./modules/vpc-sc"
|
||||||
|
organization_id = "organizations/112233"
|
||||||
|
access_policy_create = false
|
||||||
|
access_policy_name = "My Access Policy"
|
||||||
|
access_levels = {
|
||||||
|
my_trusted_proxy = {
|
||||||
|
combining_function = "AND"
|
||||||
|
conditions = [{
|
||||||
|
ip_subnetworks = ["85.85.85.52/32"]
|
||||||
|
required_access_levels = null
|
||||||
|
members = []
|
||||||
|
negate = false
|
||||||
|
regions = null
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
access_level_perimeters = {
|
||||||
|
enforced = {
|
||||||
|
my_trusted_proxy = ["perimeter"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
perimeters = {
|
||||||
|
perimeter = {
|
||||||
|
type = "PERIMETER_TYPE_REGULAR"
|
||||||
|
dry_run_config = {
|
||||||
|
restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
|
||||||
|
vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
|
||||||
|
}
|
||||||
|
enforced_config = {
|
||||||
|
restricted_services = ["storage.googleapis.com"]
|
||||||
|
vpc_accessible_services = ["storage.googleapis.com"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
perimeter_projects = {
|
||||||
|
perimeter = {
|
||||||
|
enforced = [111111111, 222222222]
|
||||||
|
dry_run = [333333333]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# tftest:modules=1:resources=2
|
||||||
|
```
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| access_policy_title | Access Policy title to be created. | <code title="">string</code> | ✓ | |
|
|
||||||
| organization_id | Organization id in organizations/nnnnnn format. | <code title="">string</code> | ✓ | |
|
| organization_id | Organization id in organizations/nnnnnn format. | <code title="">string</code> | ✓ | |
|
||||||
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||||
| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) required_access_levels = list(string) members = list(string) negate = string regions = list(string) })) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) required_access_levels = list(string) members = list(string) negate = string regions = list(string) })) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
|
| *access_policy_create* | Enable autocreation of the Access Policy | <code title="">bool</code> | | <code title="">true</code> |
|
||||||
|
| *access_policy_name* | Referenced Access Policy name | <code title="">string</code> | | <code title="">null</code> |
|
||||||
|
| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> | | <code title="">null</code> |
|
||||||
| *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | <code title=""></code> | | <code title="">null</code> |
|
| *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies) | <code title=""></code> | | <code title="">null</code> |
|
||||||
| *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
| *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||||
| *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | <code title=""></code> | | <code title="">null</code> |
|
| *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies) | <code title=""></code> | | <code title="">null</code> |
|
||||||
|
|
|
@ -15,7 +15,11 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
access_policy_name = google_access_context_manager_access_policy.default.name
|
access_policy_name = (
|
||||||
|
var.access_policy_create
|
||||||
|
? try(google_access_context_manager_access_policy.default[0].name, null)
|
||||||
|
: var.access_policy_name
|
||||||
|
)
|
||||||
|
|
||||||
standard_perimeters = {
|
standard_perimeters = {
|
||||||
for key, value in var.perimeters :
|
for key, value in var.perimeters :
|
||||||
|
@ -36,8 +40,9 @@ locals {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_access_context_manager_access_policy" "default" {
|
resource "google_access_context_manager_access_policy" "default" {
|
||||||
|
count = var.access_policy_create ? 1 : 0
|
||||||
parent = var.organization_id
|
parent = var.organization_id
|
||||||
title = var.access_policy_title
|
title = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_access_context_manager_access_level" "default" {
|
resource "google_access_context_manager_access_level" "default" {
|
||||||
|
|
|
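Review bot: In the `access_policy_name` local, `try(google_access_context_manager_access_policy.default[0].name, null)` is wider than it needs to be: with `count = 1` on the true branch the index is always valid, so the `try` only converts a genuine reference error into a silent `null`, which then flows as the parent of whatever access levels and perimeters use this local further down (outside the hunk); `google_access_context_manager_access_policy.default[0].name` alone is sufficient. The false branch has the matching gap: nothing checks that `var.access_policy_name` is set when `access_policy_create = false`, so a missing name also reaches the resources as `null` and surfaces only as a provider error at plan or apply time instead of as an input validation message. A variable `validation` block cannot reference another variable, so the cheapest fix is a comment above the local, `# when access_policy_create is false, access_policy_name must be set, otherwise every level/perimeter gets a null parent`, plus the description change on the variable itself. In the second hunk the title fallback `"${var.organization_id}-title"` yields a title containing a slash (e.g. `organizations/112233-title`), which is worth confirming against the access policy title constraints before relying on it.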
@ -29,6 +29,18 @@ variable "access_levels" {
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "access_policy_create" {
|
||||||
|
description = "Enable autocreation of the Access Policy"
|
||||||
|
type = bool
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "access_policy_name" {
|
||||||
|
description = "Referenced Access Policy name"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "access_level_perimeters" {
|
variable "access_level_perimeters" {
|
||||||
description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
|
description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
|
||||||
type = map(map(list(string)))
|
type = map(map(list(string)))
|
||||||
|
@ -38,6 +50,7 @@ variable "access_level_perimeters" {
|
||||||
variable "access_policy_title" {
|
variable "access_policy_title" {
|
||||||
description = "Access Policy title to be created."
|
description = "Access Policy title to be created."
|
||||||
type = string
|
type = string
|
||||||
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "egress_policies" {
|
variable "egress_policies" {
|
||||||
|
|
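Review bot: The description of the new `access_policy_name` variable, `"Referenced Access Policy name"`, does not say which identifier is expected, and the two accepted forms are easy to confuse: the provider's policy reference is the resource name (`accessPolicies/nnnnnn`), not the human-readable title, while the README example in this same commit passes `"My Access Policy"`, which looks like a title. Suggested wording: `description = "Name of the existing Access Policy to use when access_policy_create is false, in accessPolicies/nnnnnn format (the resource name, not the title)."`. The `access_policy_create` description should state the coupling as well, e.g. `description = "Create the Access Policy; when false, access_policy_name must reference an existing policy."`, so a reader of the variables table can tell that leaving both at their defaults is not a valid combination.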