Fixes based on PR comments:
- fix typos - use for_each - fix code layout
This commit is contained in:
parent
bef0f77e67
commit
c414ca5505
@ -28,16 +28,14 @@ locals {
standard_perimeters = {
standard_perimeters = {
for key, value in var.vpc_sc_perimeters :
for key, value in var.vpc_sc_perimeters :
key => value
key => value if value.type == "PERIMETER_TYPE_REGULAR"
if value.type == "PERIMETER_TYPE_REGULAR"
}
}
perimeter_create = var.access_policy_name != null || var.access_policy_title != null ? true : false
perimeter_create = var.access_policy_name != null || var.access_policy_title != null ? true : false
bridge_perimeters = {
bridge_perimeters = {
for key, value in var.vpc_sc_perimeters :
for key, value in var.vpc_sc_perimeters :
key => value
key => value if value.type == "PERIMETER_TYPE_BRIDGE"
if value.type == "PERIMETER_TYPE_BRIDGE"
}
}
access_policy_name = (
access_policy_name = (
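Review bot: `perimeter_create` (a context line in this hunk) spells a boolean as `cond ? true : false`; the `!= null` comparisons already yield a bool, so `perimeter_create = var.access_policy_name != null || var.access_policy_title != null` reads more directly and matches the tightened `for` expressions this commit introduces just above it. The `locals` block continues outside the hunk, so I cannot see how `perimeter_create` is consumed.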
@ -49,7 +47,7 @@ locals {
resource "google_access_context_manager_access_policy" "default" {
resource "google_access_context_manager_access_policy" "default" {
count = var.access_policy_name == null ? 1 : 0
count = var.access_policy_name == null ? 1 : 0
parent = format("organizations/%s", var.org_id)
parent = "organizations/${var.org_id}"
title = var.access_policy_title
title = var.access_policy_title
}
}
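Review bot: The `count` guard on `google_access_context_manager_access_policy.default` creates a new organization-level access policy whenever `access_policy_name` is null and passes `var.access_policy_title` through unchecked, so a caller who leaves both variables unset presumably gets a null title that is only rejected at apply time. A one-line contract comment above `count` would make the expectation visible, e.g. `# Creates an org-level policy only when no existing policy name is given; access_policy_title must then be set.`, or the constraint could be enforced where the variables are declared. The variable definitions are outside this hunk, so their defaults are not confirmed here.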
@ -64,9 +62,11 @@ resource "google_access_context_manager_service_perimeter" "standard" {
restricted_services = each.value.restricted_services
restricted_services = each.value.restricted_services
}
}
lifecycle {
# Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`,
ignore_changes = [status[0].resources]
# so they don't fight over which resources should be in the policy.
}
# lifecycle {
# ignore_changes = [status[0].resources]
# }
}
}
resource "google_access_context_manager_service_perimeter" "bridge" {
resource "google_access_context_manager_service_perimeter" "bridge" {
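Review bot: Commenting out `ignore_changes = [status[0].resources]` on the `standard` perimeter (and identically on `bridge` in the next hunk) means this resource now reconciles the perimeter's resource list itself, so any project attached through `google_access_context_manager_service_perimeter_resource` elsewhere would be evicted from the perimeter on the next apply of this module — a temporary hole in the VPC-SC boundary, not just plan noise. The comment left in place only says to "uncomment" and does not state that consequence; I'd add `# Without it, each apply of this module removes projects that were attached via service_perimeter_resource.` Whether `status.resources` is populated in this resource is outside the hunk, so the exact effect should be confirmed. A commented-out block is easy to miss, so the choice deserves a sentence in the module README next to the variable descriptions this commit already extends.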
@ -80,9 +80,11 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
restricted_services = each.value.restricted_services
restricted_services = each.value.restricted_services
}
}
lifecycle {
# Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`,
ignore_changes = [status[0].resources]
# so they don't fight over which resources should be in the policy.
}
# lifecycle {
# ignore_changes = [status[0].resources]
# }
depends_on = [
depends_on = [
google_access_context_manager_service_perimeter.standard,
google_access_context_manager_service_perimeter.standard,
@ -99,7 +99,7 @@ variable "vpc_sc_perimeters" {
}
}
variable "vpc_sc_perimeters_projects" {
variable "vpc_sc_perimeters_projects" {
description = "Perimeter - Project Number mapping in `projects/project_number` format.."
description = "Perimeter - Project Number mapping in `projects/project_number` format."
type = map(list(string))
type = map(list(string))
default = {}
default = {}
}
}
@ -203,15 +203,15 @@ resource "google_project_organization_policy" "list" {
}
}
resource "google_access_context_manager_service_perimeter_resource" "standard" {
resource "google_access_context_manager_service_perimeter_resource" "standard" {
count = var.vpc_sc_perimeter != "" ? 1 : 0
for_each = toset([var.vpc_sc_perimeter])
perimeter_name = var.vpc_sc_perimeter
perimeter_name = each.key
resource = format("projects/%s", google_project.project.number)
resource = "projects/${google_project.project.number}"
}
}
resource "google_access_context_manager_service_perimeter_resource" "bridges" {
resource "google_access_context_manager_service_perimeter_resource" "bridges" {
count = length(var.vpc_sc_perimeter_bridges)
for_each = toset(var.vpc_sc_perimeter_bridges)
perimeter_name = var.vpc_sc_perimeter_bridges[count.index]
perimeter_name = each.key
resource = format("projects/%s", google_project.project.number)
resource = "projects/${google_project.project.number}"
depends_on = [
depends_on = [
google_access_context_manager_service_perimeter_resource.standard,
google_access_context_manager_service_perimeter_resource.standard,
]
]
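Review bot: `for_each = toset([var.vpc_sc_perimeter])` on the `standard` perimeter resource breaks the unset case: `vpc_sc_perimeter` defaults to `null` (see the variables hunk below), Terraform rejects a `for_each` set that contains a null element, and the replaced `count` guard — which itself tested `!= ""` rather than `null` — at least created nothing. Filter before converting: `for_each = toset(var.vpc_sc_perimeter == null ? [] : [var.vpc_sc_perimeter])`. Moving both `standard` and `bridges` from `count` to `for_each` also changes their state addresses, so an existing deployment will presumably plan a destroy/create of each perimeter membership unless state is moved first; for VPC-SC that is a window in which the project sits outside its perimeter, which is worth stating in the changelog or a `moved` note.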
@ -126,13 +126,23 @@ variable "services" {
}
}
variable "vpc_sc_perimeter" {
variable "vpc_sc_perimeter" {
description = "Name of the VPC-SC perimeter the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
description = <<EOF
Name of the VPC-SC perimeter the project belongs to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}.
If this resource is used alongside a `google_access_context_manager_service_perimeter` resource,
the service perimeter resource must have a lifecycle block with ignore_changes = [status[0].resources]
so they don't fight over which resources should be in the policy.
EOF
type = string
type = string
default = null
default = null
}
}
variable "vpc_sc_perimeter_bridges" {
variable "vpc_sc_perimeter_bridges" {
description = "List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
description = <<EOF
List of VPC-SC perimeter bridges the project belongs to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}.
If this resource is used alongside a `google_access_context_manager_service_perimeter` resource,
the service perimeter resource must have a lifecycle block with ignore_changes = [status[0].resources]
so they don't fight over which resources should be in the policy.
EOF
type = list(string)
type = list(string)
default = []
default = []
}
}
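Review bot: Both new heredoc descriptions state the required `accessPolicies/{policy_id}/servicePerimeters/{short_name}` form, but nothing enforces it, so a malformed name is only caught by the API at apply time. A `validation` block on `vpc_sc_perimeter` would move that to plan time, e.g. `condition = var.vpc_sc_perimeter == null || can(regex("^accessPolicies/[^/]+/servicePerimeters/[^/]+$", var.vpc_sc_perimeter))` with an `error_message` repeating the expected format, and the list variable can use the same check inside `alltrue([for p in var.vpc_sc_perimeter_bridges : ...])`. Variable `validation` blocks need Terraform 0.13 or later, which this diff does not let me confirm.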