Add Project level support for VPC-SC

modules/organization/README.md

@@ -36,6 +36,8 @@ module "org" {
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
 | org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ |  |
+| *access_policy_name* | Access Policy name. No Access Policy will be created. | <code title="">string</code> |  | <code title="">null</code> |
+| *access_policy_title* | Access Policy title to be created. | <code title="">string</code> |  | <code title=""></code> |
 | *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_additive_members* | Map of member lists used to set non authoritative bindings, keyed by role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_additive_roles* | List of roles used to set non authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
@@ -44,10 +46,13 @@ module "org" {
 | *iam_roles* | List of roles used to set authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
+| *vpc_sc_perimeters* | Set of Perimeters. | <code title="map&#40;object&#40;&#123;&#10;type &#61; string&#10;restricted_services &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
+| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format.. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
+| access_policy | Access Policy name. |  |
 | org_id | Organization id dependent on module resources. |  |
 <!-- END TFDOC -->

modules/organization/main.tf

@@ -63,6 +63,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
     resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
     restricted_services = each.value.restricted_services
   }
+  
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }  
 }
 
 resource "google_access_context_manager_service_perimeter" "bridge" {
@@ -75,6 +79,11 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
     resources           = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
     restricted_services = each.value.restricted_services
   }
+
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }
+
   depends_on = [
     google_access_context_manager_service_perimeter.standard,
   ]

modules/organization/outputs.tf

@@ -26,3 +26,8 @@ output "org_id" {
     google_organization_policy.list
   ]
 }
+
+output "access_policy" {
+  description = "Access Policy name."
+  value       = local.access_policy_name
+}

modules/project/README.md

@@ -75,6 +75,8 @@ module "project" {
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *prefix* | Prefix used to generate project id and name. | <code title="">string</code> |  | <code title="">null</code> |
 | *services* | Service APIs to enable. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *vpc_sc_perimeter* | Name of the VPC-SC perimeter the project belong to. | <code title="">string</code> |  | <code title="">null</code> |
+| *vpc_sc_perimeter_bridges* | List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name} | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 
 ## Outputs
 

modules/project/main.tf

@@ -201,3 +201,18 @@ resource "google_project_organization_policy" "list" {
     }
   }
 }
+
+resource "google_access_context_manager_service_perimeter_resource" "standard" {
+  count          = var.vpc_sc_perimeter != "" ? 1 : 0
+  perimeter_name = var.vpc_sc_perimeter
+  resource       = format("projects/%s", google_project.project.number)
+}
+
+resource "google_access_context_manager_service_perimeter_resource" "bridges" {
+  count = length(var.vpc_sc_perimeter_bridges)
+  perimeter_name = var.vpc_sc_perimeter_bridges[count.index]
+  resource       = format("projects/%s", google_project.project.number)
+  depends_on = [
+    google_access_context_manager_service_perimeter_resource.standard,
+  ]  
+}

modules/project/variables.tf

@@ -124,3 +124,15 @@ variable "services" {
   type        = list(string)
   default     = []
 }
+
+variable "vpc_sc_perimeter" {
+  description = "Name of the VPC-SC perimeter the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
+  type        = string
+  default     = null
+}
+
+variable "vpc_sc_perimeter_bridges" {
+  description = "List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
+  type        = list(string)
+  default     = []
+}