Add Project level support for VPC-SC
This commit is contained in:
parent
b0bb441df5
commit
bef0f77e67
|
@ -36,6 +36,8 @@ module "org" {
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ | |
|
||||
| *access_policy_name* | Access Policy name. No Access Policy will be created. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> | | <code title=""></code> |
|
||||
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_additive_members* | Map of member lists used to set non authoritative bindings, keyed by role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_additive_roles* | List of roles used to set non authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
@ -44,10 +46,13 @@ module "org" {
|
|||
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *vpc_sc_perimeters* | Set of Perimeters. | <code title="map(object({ type = string restricted_services = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format.. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| access_policy | Access Policy name. | |
|
||||
| org_id | Organization id dependent on module resources. | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -63,6 +63,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
|||
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
|
||||
restricted_services = each.value.restricted_services
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [status[0].resources]
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter" "bridge" {
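Review bot: With `ignore_changes = [status[0].resources]` added to the `standard` perimeter, the `resources` list built from `var.vpc_sc_perimeters_projects` on the first line of the hunk only takes effect on the initial apply; later edits to that variable, and projects attached or detached out of band, are never reconciled from the organization module, so perimeter membership stops being authoritative here and is split between this module and the project-level `google_access_context_manager_service_perimeter_resource` resources added in the same commit. The same applies to the `bridge` perimeter in the next hunk. This should be stated where the variable is read and next to each lifecycle block, e.g. `# resources are ignored after creation so projects can attach themselves via the project module; vpc_sc_perimeters_projects only seeds the initial membership`. The `standard` resource starts outside the hunk, and the `bridge` resource opened on the last line continues outside it.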
|
||||
|
@ -75,6 +79,11 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
|
|||
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
|
||||
restricted_services = each.value.restricted_services
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [status[0].resources]
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
google_access_context_manager_service_perimeter.standard,
|
||||
]
|
||||
|
|
|
@ -26,3 +26,8 @@ output "org_id" {
|
|||
google_organization_policy.list
|
||||
]
|
||||
}
|
||||
|
||||
output "access_policy" {
|
||||
description = "Access Policy name."
|
||||
value = local.access_policy_name
|
||||
}
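Review bot: The `access_policy` output description does not say in which form the name is returned, while the project module's `vpc_sc_perimeter` variable in this same commit expects `accessPolicies/{policy_id}/servicePerimeters/{short_name}`, so a consumer cannot tell from the output whether it can be used directly to compose that string. `local.access_policy_name` is defined outside the hunk, so this presumably is the bare policy name rather than the full resource name — confirm against the local. The description should state it, e.g. `description = "Access Policy name (bare name, not the accessPolicies/... resource name); prefix it to build perimeter names for the project module."`, adjusted to whatever the local actually yields.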
|
|
@ -75,6 +75,8 @@ module "project" {
|
|||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *prefix* | Prefix used to generate project id and name. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *services* | Service APIs to enable. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *vpc_sc_perimeter* | Name of the VPC-SC perimeter the project belong to. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *vpc_sc_perimeter_bridges* | List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name} | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -201,3 +201,18 @@ resource "google_project_organization_policy" "list" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter_resource" "standard" {
|
||||
count = var.vpc_sc_perimeter != "" ? 1 : 0
|
||||
perimeter_name = var.vpc_sc_perimeter
|
||||
resource = format("projects/%s", google_project.project.number)
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_service_perimeter_resource" "bridges" {
|
||||
count = length(var.vpc_sc_perimeter_bridges)
|
||||
perimeter_name = var.vpc_sc_perimeter_bridges[count.index]
|
||||
resource = format("projects/%s", google_project.project.number)
|
||||
depends_on = [
|
||||
google_access_context_manager_service_perimeter_resource.standard,
|
||||
]
|
||||
}
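Review bot: `count = var.vpc_sc_perimeter != "" ? 1 : 0` in the `standard` resource does not match the variable's default of `null` in the variables.tf hunk: in Terraform `null != ""` evaluates to true, so with the default left untouched the resource is still created with `perimeter_name = null`, which is rejected as a missing required argument. Either test for null, `count = var.vpc_sc_perimeter == null ? 0 : 1`, or change the default to `""` in variables.tf so the two agree. The `depends_on` in `bridges` deserves a why-comment, e.g. `# a project must already belong to its regular perimeter before it can be attached to a bridge — TODO confirm`, since the ordering requirement is not visible from the code. The `google_project_organization_policy` resource that the hunk closes starts outside it.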
|
||||
|
|
|
@ -124,3 +124,15 @@ variable "services" {
|
|||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "vpc_sc_perimeter" {
|
||||
description = "Name of the VPC-SC perimeter the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "vpc_sc_perimeter_bridges" {
|
||||
description = "List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
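Review bot: Both descriptions state a required form (`accessPolicies/{policy_id}/servicePerimeters/{short_name}`) but nothing enforces it, and the `vpc_sc_perimeter` default of `null` disagrees with the `!= ""` test in main.tf (raised on that hunk). If the project's minimum Terraform version supports variable `validation` blocks, a condition such as `var.vpc_sc_perimeter == null || can(regex("^accessPolicies/[^/]+/servicePerimeters/[^/]+$", var.vpc_sc_perimeter))` would turn a malformed name into a plan-time error instead of an API error at apply; otherwise the description should say the value is passed through unchecked. Both descriptions also read `the project belong to`; `belongs to` in each.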
|
||||
|
|