From de5a9d747a979e975765fa0b8f8e5830a7828cd3 Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Thu, 18 Mar 2021 13:04:37 +0100
Subject: [PATCH] Add VPC-SC support for Regions, device policy and access policy dependency (#210)
* Add VPC-SC support for Regions, device policy and access policy dependency.
* fix compute mig module test
* Fixes
* Fix example
Co-authored-by: Ludovico Magnocavallo
---
 modules/vpc-sc/README.md | 8 +++++++-
 modules/vpc-sc/main.tf | 16 +++++++++++++---
 modules/vpc-sc/variables.tf | 17 +++++++++++++----
 tests/modules/compute_mig/test_plan.py | 2 +-
 4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 91b5a789..6ad4e1fc 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -20,8 +20,11 @@ module "vpc-sc" {
 combining_function = "AND"
 conditions = [{
 ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
 members = []
 negate = false
+ device_policy = null
+ regions = null
 }]
 }
 }
@@ -60,8 +63,11 @@ module "vpc-sc" {
 combining_function = "AND"
 conditions = [{
 ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
 members = []
 negate = false
+ device_policy = null
+ regions = null
 }]
 }
 }
@@ -101,7 +107,7 @@ module "vpc-sc" {
 | access_policy_title | Access Policy title to be created. | string | ✓ | |
 | organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | |
 | *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} |
-| *access_levels* | Access Levels. | map(object({...})) | | {} |
+| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate, device_policy or regions'. | map(object({...})) | | {} |
 | *perimeter_projects* | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) | | {} |
 | *perimeters* | Set of Perimeters. | map(object({...})) | | {} |
diff --git a/modules/vpc-sc/main.tf b/modules/vpc-sc/main.tf
index cf2f2b03..7e0d13dc 100644
--- a/modules/vpc-sc/main.tf
+++ b/modules/vpc-sc/main.tf
@@ -44,13 +44,23 @@ resource "google_access_context_manager_access_level" "default" {
 dynamic "basic" {
 for_each = try(toset(each.value.conditions), [])
+ iterator = condition
 content {
 combining_function = try(each.value.combining_function, null)
 conditions {
- ip_subnetworks = try(basic.value.ip_subnetworks, null)
- members = try(basic.value.members, null)
- negate = try(basic.value.negate, null)
+ ip_subnetworks = try(condition.value.ip_subnetworks, null)
+ required_access_levels = try(condition.value.required_access_levels, null)
+ members = try(condition.value.members, null)
+ negate = try(condition.value.negate, null)
+ device_policy {
+ require_screen_lock = try(condition.value.device_policy.require_screen_lock, null)
+ allowed_encryption_statuses = try(condition.value.device_policy.allowed_encryption_statuses, null)
+ allowed_device_management_levels = try(condition.value.device_policy.allowed_device_management_levels, null)
+ require_admin_approval = try(condition.value.device_policy.require_admin_approval, null)
+ require_corp_owned = try(condition.value.device_policy.require_corp_owned, null)
+ }
+ regions = try(condition.value.regions, null)
 }
 }
 }
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index d66b4370..4f1fc51f 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
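Review bot: The new `device_policy` block inside `conditions` is emitted for every condition, including those whose `device_policy` is null (which is what every example in this commit sets), so each planned access level carries a device_policy block whose attributes are all null. Whether the provider treats such an all-null block as "no device policy" or as an empty policy is not visible from the hunk, but an access level is an authorization boundary and the difference between an absent and a present-but-empty device policy should be deliberate rather than incidental. Wrapping the block in a `dynamic "device_policy"` keyed on the value being non-null makes the intent explicit; `required_access_levels` and `regions` are plain attributes and are fine as written. The enclosing `google_access_context_manager_access_level` resource begins above the hunk.
```hcl
          conditions {
            # … unchanged: ip_subnetworks, required_access_levels, members, negate …
            dynamic "device_policy" {
              for_each = try(condition.value.device_policy, null) == null ? [] : [condition.value.device_policy]
              content {
                require_screen_lock              = try(device_policy.value.require_screen_lock, null)
                allowed_encryption_statuses      = try(device_policy.value.allowed_encryption_statuses, null)
                allowed_device_management_levels = try(device_policy.value.allowed_device_management_levels, null)
                require_admin_approval           = try(device_policy.value.require_admin_approval, null)
                require_corp_owned               = try(device_policy.value.require_corp_owned, null)
              }
            }
            regions = try(condition.value.regions, null)
          }
```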
@@ -15,13 +15,22 @@
 */
 variable "access_levels" {
- description = "Access Levels."
+ description = "Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate, device_policy or regions'."
 type = map(object({
 combining_function = string
 conditions = list(object({
- ip_subnetworks = list(string)
- members = list(string)
- negate = string
+ ip_subnetworks = list(string)
+ required_access_levels = list(string)
+ members = list(string)
+ negate = string
+ device_policy = object({
+ require_screen_lock = bool
+ allowed_encryption_statuses = string
+ allowed_device_management_levels = string
+ require_admin_approval = bool
+ require_corp_owned = bool
+ })
+ regions = list(string)
 }))
 }))
 default = {}
diff --git a/tests/modules/compute_mig/test_plan.py b/tests/modules/compute_mig/test_plan.py
index 194ecfe3..81e6a313 100644
--- a/tests/modules/compute_mig/test_plan.py
+++ b/tests/modules/compute_mig/test_plan.py
@@ -61,7 +61,7 @@ def test_autoscaler(plan_runner):
 assert autoscaler['type'] == 'google_compute_autoscaler'
 assert autoscaler['values']['autoscaling_policy'] == [{
 'cooldown_period': 60,
- 'cpu_utilization': [{'target': 65}],
+ 'cpu_utilization': [{'predictive_method': 'NONE', 'target': 65}],
 'load_balancing_utilization': [],
 'max_replicas': 3,
 'metric': [],
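Review bot: `allowed_encryption_statuses` and `allowed_device_management_levels` are typed as `string` in the new `device_policy` object, while the provider attributes that main.tf feeds them into are, as far as I recall, lists of strings; if that is right, only the `null` used in the examples passes type checking and any real value a caller supplies fails at plan time. `allowed_encryption_statuses = list(string)` and `allowed_device_management_levels = list(string)` would match, and `negate = string` could become `bool` while the line is being re-aligned anyway. Separately, every attribute of a Terraform object type is mandatory, so existing callers now have to add `required_access_levels = null`, `device_policy = null` and `regions = null` to each condition, as the README change does — worth calling out as a breaking change in the description or changelog rather than leaving it implicit in the examples.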
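Review bot: The assertion on `autoscaling_policy` compares the whole planned structure, so adding `'predictive_method': 'NONE'` pins a value that presumably comes from a provider default rather than from anything the module sets; the next provider upgrade that adds another defaulted attribute to this block will break the test in exactly the same way. Asserting only the keys the module controls, e.g. `policy = autoscaler['values']['autoscaling_policy'][0]` then `assert policy['cooldown_period'] == 60` and `assert policy['cpu_utilization'][0]['target'] == 65`, keeps the test tied to module behavior. `test_autoscaler` begins above the hunk.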