VPC-SC
parent
191e56fa80
commit
b9a4c27a03
|
@ -1 +1,11 @@
|
|||
#TODO
|
||||
#TODO Proper README (after deciding if this is a blueprint or a FAST stage)
|
||||
|
||||
# Implemented
|
||||
- Use of Scoped Policies (create or inherit)
|
||||
- VPC SC adding all Folder's project into the perimeter
|
||||
- Org policies
|
||||
- Hierarchical firewall rules
|
||||
|
||||
# TODO
|
||||
- Log sync
|
||||
- KMS
|
|
@ -0,0 +1,117 @@
|
|||
- accessapproval.googleapis.com
|
||||
- adsdatahub.googleapis.com
|
||||
- aiplatform.googleapis.com
|
||||
- alloydb.googleapis.com
|
||||
- alpha-documentai.googleapis.com
|
||||
- analyticshub.googleapis.com
|
||||
- apigee.googleapis.com
|
||||
- apigeeconnect.googleapis.com
|
||||
- artifactregistry.googleapis.com
|
||||
- assuredworkloads.googleapis.com
|
||||
- automl.googleapis.com
|
||||
- baremetalsolution.googleapis.com
|
||||
- batch.googleapis.com
|
||||
- beyondcorp.googleapis.com
|
||||
- bigquery.googleapis.com
|
||||
- bigquerydatapolicy.googleapis.com
|
||||
- bigquerydatatransfer.googleapis.com
|
||||
- bigquerymigration.googleapis.com
|
||||
- bigqueryreservation.googleapis.com
|
||||
- bigtable.googleapis.com
|
||||
- binaryauthorization.googleapis.com
|
||||
- cloudasset.googleapis.com
|
||||
- cloudbuild.googleapis.com
|
||||
- clouddebugger.googleapis.com
|
||||
- clouderrorreporting.googleapis.com
|
||||
- cloudfunctions.googleapis.com
|
||||
- cloudkms.googleapis.com
|
||||
- cloudprofiler.googleapis.com
|
||||
- cloudresourcemanager.googleapis.com
|
||||
- cloudsearch.googleapis.com
|
||||
- cloudtrace.googleapis.com
|
||||
- composer.googleapis.com
|
||||
- compute.googleapis.com
|
||||
- connectgateway.googleapis.com
|
||||
- contactcenterinsights.googleapis.com
|
||||
- container.googleapis.com
|
||||
- containeranalysis.googleapis.com
|
||||
- containerfilesystem.googleapis.com
|
||||
- containerregistry.googleapis.com
|
||||
- containerthreatdetection.googleapis.com
|
||||
- contentwarehouse.googleapis.com
|
||||
- datacatalog.googleapis.com
|
||||
- dataflow.googleapis.com
|
||||
- datafusion.googleapis.com
|
||||
- datalineage.googleapis.com
|
||||
- datamigration.googleapis.com
|
||||
- datapipelines.googleapis.com
|
||||
- dataplex.googleapis.com
|
||||
- dataproc.googleapis.com
|
||||
- datastream.googleapis.com
|
||||
- dialogflow.googleapis.com
|
||||
- dlp.googleapis.com
|
||||
- dns.googleapis.com
|
||||
- documentai.googleapis.com
|
||||
- domains.googleapis.com
|
||||
- essentialcontacts.googleapis.com
|
||||
- eventarc.googleapis.com
|
||||
- file.googleapis.com
|
||||
- firebaseappcheck.googleapis.com
|
||||
- firebaserules.googleapis.com
|
||||
- firestore.googleapis.com
|
||||
- gameservices.googleapis.com
|
||||
- gkebackup.googleapis.com
|
||||
- gkeconnect.googleapis.com
|
||||
- gkehub.googleapis.com
|
||||
- gkemulticloud.googleapis.com
|
||||
- healthcare.googleapis.com
|
||||
- iam.googleapis.com
|
||||
- iamcredentials.googleapis.com
|
||||
- iaptunnel.googleapis.com
|
||||
- ids.googleapis.com
|
||||
- integrations.googleapis.com
|
||||
- language.googleapis.com
|
||||
- lifesciences.googleapis.com
|
||||
- logging.googleapis.com
|
||||
- managedidentities.googleapis.com
|
||||
- memcache.googleapis.com
|
||||
- meshca.googleapis.com
|
||||
- metastore.googleapis.com
|
||||
- ml.googleapis.com
|
||||
- monitoring.googleapis.com
|
||||
- networkconnectivity.googleapis.com
|
||||
- networkmanagement.googleapis.com
|
||||
- networksecurity.googleapis.com
|
||||
- networkservices.googleapis.com
|
||||
- notebooks.googleapis.com
|
||||
- opsconfigmonitoring.googleapis.com
|
||||
- osconfig.googleapis.com
|
||||
- oslogin.googleapis.com
|
||||
- policytroubleshooter.googleapis.com
|
||||
- privateca.googleapis.com
|
||||
- pubsub.googleapis.com
|
||||
- pubsublite.googleapis.com
|
||||
- recaptchaenterprise.googleapis.com
|
||||
- recommender.googleapis.com
|
||||
- redis.googleapis.com
|
||||
- retail.googleapis.com
|
||||
- run.googleapis.com
|
||||
- secretmanager.googleapis.com
|
||||
- servicecontrol.googleapis.com
|
||||
- servicedirectory.googleapis.com
|
||||
- spanner.googleapis.com
|
||||
- speakerid.googleapis.com
|
||||
- speech.googleapis.com
|
||||
- sqladmin.googleapis.com
|
||||
- storage.googleapis.com
|
||||
- storagetransfer.googleapis.com
|
||||
- texttospeech.googleapis.com
|
||||
- tpu.googleapis.com
|
||||
- trafficdirector.googleapis.com
|
||||
- transcoder.googleapis.com
|
||||
- translate.googleapis.com
|
||||
- videointelligence.googleapis.com
|
||||
- vision.googleapis.com
|
||||
- visionai.googleapis.com
|
||||
- vpcaccess.googleapis.com
|
||||
- workstations.googleapis.com
|
|
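Review bot: The 117-entry service list added in this hunk is repeated verbatim in the next hunk (the second new file, also 117 lines), so the two data files are byte-identical even though the Terraform change reads one of them as the restricted-services list and one as the VPC-accessible-services list. Maintaining two identical copies invites drift, and nothing in either file says which list it is or why an alpha endpoint such as `alpha-documentai.googleapis.com` belongs in a perimeter's restricted set. A header comment at the top of each file would make the intent reviewable, e.g. `# Services protected by the VPC-SC perimeter; every entry here is also reachable from inside the perimeter (see vpc_accessible_services).` with a matching line in the other file noting if and how it is expected to diverge. If the lists are meant to stay equal, a single file read by both locals would be simpler than two copies.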
@ -0,0 +1,117 @@
|
|||
- accessapproval.googleapis.com
|
||||
- adsdatahub.googleapis.com
|
||||
- aiplatform.googleapis.com
|
||||
- alloydb.googleapis.com
|
||||
- alpha-documentai.googleapis.com
|
||||
- analyticshub.googleapis.com
|
||||
- apigee.googleapis.com
|
||||
- apigeeconnect.googleapis.com
|
||||
- artifactregistry.googleapis.com
|
||||
- assuredworkloads.googleapis.com
|
||||
- automl.googleapis.com
|
||||
- baremetalsolution.googleapis.com
|
||||
- batch.googleapis.com
|
||||
- beyondcorp.googleapis.com
|
||||
- bigquery.googleapis.com
|
||||
- bigquerydatapolicy.googleapis.com
|
||||
- bigquerydatatransfer.googleapis.com
|
||||
- bigquerymigration.googleapis.com
|
||||
- bigqueryreservation.googleapis.com
|
||||
- bigtable.googleapis.com
|
||||
- binaryauthorization.googleapis.com
|
||||
- cloudasset.googleapis.com
|
||||
- cloudbuild.googleapis.com
|
||||
- clouddebugger.googleapis.com
|
||||
- clouderrorreporting.googleapis.com
|
||||
- cloudfunctions.googleapis.com
|
||||
- cloudkms.googleapis.com
|
||||
- cloudprofiler.googleapis.com
|
||||
- cloudresourcemanager.googleapis.com
|
||||
- cloudsearch.googleapis.com
|
||||
- cloudtrace.googleapis.com
|
||||
- composer.googleapis.com
|
||||
- compute.googleapis.com
|
||||
- connectgateway.googleapis.com
|
||||
- contactcenterinsights.googleapis.com
|
||||
- container.googleapis.com
|
||||
- containeranalysis.googleapis.com
|
||||
- containerfilesystem.googleapis.com
|
||||
- containerregistry.googleapis.com
|
||||
- containerthreatdetection.googleapis.com
|
||||
- contentwarehouse.googleapis.com
|
||||
- datacatalog.googleapis.com
|
||||
- dataflow.googleapis.com
|
||||
- datafusion.googleapis.com
|
||||
- datalineage.googleapis.com
|
||||
- datamigration.googleapis.com
|
||||
- datapipelines.googleapis.com
|
||||
- dataplex.googleapis.com
|
||||
- dataproc.googleapis.com
|
||||
- datastream.googleapis.com
|
||||
- dialogflow.googleapis.com
|
||||
- dlp.googleapis.com
|
||||
- dns.googleapis.com
|
||||
- documentai.googleapis.com
|
||||
- domains.googleapis.com
|
||||
- essentialcontacts.googleapis.com
|
||||
- eventarc.googleapis.com
|
||||
- file.googleapis.com
|
||||
- firebaseappcheck.googleapis.com
|
||||
- firebaserules.googleapis.com
|
||||
- firestore.googleapis.com
|
||||
- gameservices.googleapis.com
|
||||
- gkebackup.googleapis.com
|
||||
- gkeconnect.googleapis.com
|
||||
- gkehub.googleapis.com
|
||||
- gkemulticloud.googleapis.com
|
||||
- healthcare.googleapis.com
|
||||
- iam.googleapis.com
|
||||
- iamcredentials.googleapis.com
|
||||
- iaptunnel.googleapis.com
|
||||
- ids.googleapis.com
|
||||
- integrations.googleapis.com
|
||||
- language.googleapis.com
|
||||
- lifesciences.googleapis.com
|
||||
- logging.googleapis.com
|
||||
- managedidentities.googleapis.com
|
||||
- memcache.googleapis.com
|
||||
- meshca.googleapis.com
|
||||
- metastore.googleapis.com
|
||||
- ml.googleapis.com
|
||||
- monitoring.googleapis.com
|
||||
- networkconnectivity.googleapis.com
|
||||
- networkmanagement.googleapis.com
|
||||
- networksecurity.googleapis.com
|
||||
- networkservices.googleapis.com
|
||||
- notebooks.googleapis.com
|
||||
- opsconfigmonitoring.googleapis.com
|
||||
- osconfig.googleapis.com
|
||||
- oslogin.googleapis.com
|
||||
- policytroubleshooter.googleapis.com
|
||||
- privateca.googleapis.com
|
||||
- pubsub.googleapis.com
|
||||
- pubsublite.googleapis.com
|
||||
- recaptchaenterprise.googleapis.com
|
||||
- recommender.googleapis.com
|
||||
- redis.googleapis.com
|
||||
- retail.googleapis.com
|
||||
- run.googleapis.com
|
||||
- secretmanager.googleapis.com
|
||||
- servicecontrol.googleapis.com
|
||||
- servicedirectory.googleapis.com
|
||||
- spanner.googleapis.com
|
||||
- speakerid.googleapis.com
|
||||
- speech.googleapis.com
|
||||
- sqladmin.googleapis.com
|
||||
- storage.googleapis.com
|
||||
- storagetransfer.googleapis.com
|
||||
- texttospeech.googleapis.com
|
||||
- tpu.googleapis.com
|
||||
- trafficdirector.googleapis.com
|
||||
- transcoder.googleapis.com
|
||||
- translate.googleapis.com
|
||||
- videointelligence.googleapis.com
|
||||
- vision.googleapis.com
|
||||
- visionai.googleapis.com
|
||||
- vpcaccess.googleapis.com
|
||||
- workstations.googleapis.com
|
|
@ -15,6 +15,13 @@
|
|||
# tfdoc:file:description Folder resources.
|
||||
|
||||
locals {
|
||||
_vpc_sc_vpc_accessible_services = yamldecode(
|
||||
file("${var.data_dir}/vpc-sc/restricted-services.yaml")
|
||||
)
|
||||
_vpc_sc_restricted_services = yamldecode(
|
||||
file("${var.data_dir}/vpc-sc/restricted-services.yaml")
|
||||
)
|
||||
|
||||
groups = {
|
||||
for k, v in var.groups : k => "${v}@${var.organization_domain}"
|
||||
}
|
||||
|
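Review bot: `_vpc_sc_vpc_accessible_services` and `_vpc_sc_restricted_services` both call `file("${var.data_dir}/vpc-sc/restricted-services.yaml")`, so the two locals are always the same list regardless of what the second data file added in this commit contains; this looks like a copy-paste of the file name. Presumably the first local should read the accessible-services file, e.g. `file("${var.data_dir}/vpc-sc/<accessible-services-file>.yaml")` (placeholder, use the actual name of the second YAML added here). Since `file()` fails the plan if the path is missing and the two variables that previously supplied these lists are removed in this commit, a short comment above the locals stating that both files under `var.data_dir/vpc-sc` are now mandatory inputs would help operators of the stage. The `locals` block continues outside the hunk.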
@ -66,11 +73,11 @@ module "vpc-sc" {
|
|||
status = {
|
||||
access_levels = keys(var.vpc_sc_access_levels)
|
||||
resources = local.vpc_sc_resources
|
||||
restricted_services = var.vpc_sc_restricted_services
|
||||
restricted_services = local._vpc_sc_restricted_services
|
||||
egress_policies = keys(var.vpc_sc_egress_policies)
|
||||
ingress_policies = keys(var.vpc_sc_ingress_policies)
|
||||
vpc_accessible_services = {
|
||||
allowed_services = var.vpc_sc_accessible_services
|
||||
allowed_services = local._vpc_sc_vpc_accessible_services
|
||||
enable_restriction = true
|
||||
}
|
||||
}
|
|
@ -25,6 +25,7 @@ variable "access_policy_create" {
|
|||
type = object({
|
||||
parent = string
|
||||
title = string
|
||||
scopes = optional(list(string))
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
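Review bot: `scopes = optional(list(string))` is the only attribute of the `access_policy_create` object without documentation in this hunk, and the variable's `description` line sits above the hunk, so the meaning of scopes (which folders or projects the scoped access policy covers, per the README's "Scoped Policies" item) is not stated anywhere a caller reads. Extending the description, e.g. `description = "Access policy to create; scopes optionally limits the policy to the listed folders/projects."`, would cover it. Note also that `optional()` inside an object type requires Terraform 1.3 or later, which should be reflected in the stage's `required_version` constraint if it is not already.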
@ -94,18 +95,6 @@ variable "vpc_sc_access_levels" {
|
|||
nullable = false
|
||||
}
|
||||
|
||||
variable "vpc_sc_accessible_services" {
|
||||
description = "VPC SC accessible services."
|
||||
type = list(string)
|
||||
default = ["storage.googleapis.com"]
|
||||
}
|
||||
|
||||
variable "vpc_sc_restricted_services" {
|
||||
description = "VPC SC restricted services."
|
||||
type = list(string)
|
||||
default = ["storage.googleapis.com"]
|
||||
}
|
||||
|
||||
variable "vpc_sc_egress_policies" {
|
||||
description = "VPC SC egress policy defnitions."
|
||||
type = map(object({
|
||||
|
|