# VPC Service Control Module

This module allows managing VPC Service Control (VPC-SC) properties:

- [Access Policy](https://cloud.google.com/access-context-manager/docs/create-access-policy)
- [Access Levels](https://cloud.google.com/access-context-manager/docs/manage-access-levels)
- [VPC-SC Perimeters](https://cloud.google.com/vpc-service-controls/docs/service-perimeters)

Use of this module requires credentials with the [correct permissions](https://cloud.google.com/access-context-manager/docs/access-control) to use Access Context Manager.

## Example VPC-SC standard perimeter

```hcl
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  ingress_policies = {
    ingress_1 = {
      ingress_from = {
        identity_type = "ANY_IDENTITY"
      }
      ingress_to = {
        resources = ["*"]
        operations = {
          "storage.googleapis.com"  = [{ method = "google.storage.objects.create" }]
          "bigquery.googleapis.com" = [{ method = "BigQueryStorage.ReadRows" }]
        }
      }
    }
  }
  ingress_policies_perimeters = {
    enforced = {
      ingress_1 = ["default"]
    }
  }
  egress_policies = {
    egress_1 = {
      egress_from = {
        identity_type = "ANY_USER_ACCOUNT"
      }
      egress_to = {
        resources = ["*"]
        operations = {
          "storage.googleapis.com"  = [{ method = "google.storage.objects.create" }],
          "bigquery.googleapis.com" = [{ method = "BigQueryStorage.ReadRows" }, { method = "TableService.ListTables" }, { permission = "bigquery.jobs.get" }]
        }
      }
    }
  }
  egress_policies_perimeters = {
    enforced = {
      egress_1 = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}
# tftest:modules=1:resources=3
```

## Example VPC-SC standard perimeter with one service and one project in dry run mode

```hcl
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }
}
# tftest:modules=1:resources=3
```

## Example VPC-SC standard perimeter with one service and one project in dry run mode in an organization with an existing access policy

```hcl
module "vpc-sc-second" {
  source               = "./modules/vpc-sc"
  organization_id      = "organizations/112233"
  access_policy_create = false
  access_policy_name   = module.vpc-sc-first.access_policy_name
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["secperimeter"]
    }
  }
  perimeters = {
    secperimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    secperimeter = {
      enforced = [444444444, 666666666]
      dry_run  = [555555555]
    }
  }
}
# tftest:modules=1:resources=3
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | |
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) | | {} |
| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} |
| *access_policy_create* | Enable autocreation of the Access Policy. | bool | | true |
| *access_policy_name* | Referenced Access Policy name. | string | | null |
| *access_policy_title* | Access Policy title to be created. | string | | null |
| *egress_policies* | List of EgressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#egress_policies). | | | null |
| *egress_policies_perimeters* | Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) | | {} |
| *ingress_policies* | List of IngressPolicies in the form described in the [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter#ingress_policies). | | | null |
| *ingress_policies_perimeters* | Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) | | {} |
| *perimeter_projects* | Perimeter -> Enforced Mode -> Project Numbers mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) | | {} |
| *perimeters* | Set of Perimeters. | map(object({...})) | | {} |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| access_levels | Access Levels. | |
| access_policy_name | Access Policy resource. | |
| organization_id | Organization id dependent on module resources. | |
| perimeters_bridge | VPC-SC bridge perimeter resources. | |
| perimeters_standard | VPC-SC standard perimeter resources. | |
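The mode -> name -> perimeters maps in the examples and the Variables table above are easy to get subtly wrong (a misspelled perimeter name silently attaches nothing, a project listed under both 'enforced' and 'dry_run' leaves its effective mode unclear). The following pre-apply lint is an added example, not part of the module; `check_vpc_sc_inputs` and the `SAMPLE` input are hypothetical, with the maps expressed as plain Python dicts in the same shape the module's variables use.

```python
# Hypothetical pre-apply lint for the vpc-sc module's input maps (added here, not part of
# the module). Shapes follow the Variables table: the *_perimeters maps are
# mode -> name -> [perimeter names]; perimeter_projects is perimeter -> mode -> [numbers].
VALID_MODES = {"enforced", "dry_run"}

def check_vpc_sc_inputs(cfg):
    """Return a list of consistency errors; an empty list means the maps agree."""
    errors = []
    perimeters = cfg.get("perimeters", {})
    def check_mapping(label, defined, mapping):
        # mode keys must be valid, names must be defined, target perimeters declared
        for mode, entries in mapping.items():
            if mode not in VALID_MODES:
                errors.append(f"{label}: unknown mode '{mode}'")
            for name, targets in entries.items():
                if name not in defined:
                    errors.append(f"{label}: '{name}' is not defined")
                for p in targets:
                    if p not in perimeters:
                        errors.append(f"{label}: perimeter '{p}' is not defined")
    check_mapping("access_level_perimeters", cfg.get("access_levels", {}),
                  cfg.get("access_level_perimeters", {}))
    check_mapping("ingress_policies_perimeters", cfg.get("ingress_policies") or {},
                  cfg.get("ingress_policies_perimeters", {}))
    check_mapping("egress_policies_perimeters", cfg.get("egress_policies") or {},
                  cfg.get("egress_policies_perimeters", {}))
    for perim, modes in cfg.get("perimeter_projects", {}).items():
        if perim not in perimeters:
            errors.append(f"perimeter_projects: perimeter '{perim}' is not defined")
        for mode in modes:
            if mode not in VALID_MODES:
                errors.append(f"perimeter_projects[{perim}]: unknown mode '{mode}'")
        # a project number listed under both modes leaves its effective mode ambiguous
        both = set(modes.get("enforced", [])) & set(modes.get("dry_run", []))
        if both:
            errors.append(f"perimeter_projects[{perim}]: in both modes: {sorted(both)}")
        # dry_run projects need a perimeter that actually carries a dry_run_config
        if modes.get("dry_run") and perimeters.get(perim, {}).get("dry_run_config") is None:
            errors.append(f"perimeter_projects[{perim}]: dry_run projects but no dry_run_config")
    return errors

# Constructed sample based on the dry-run example above, with two deliberate slips:
# the access level targets a misspelled perimeter, and 333333333 is listed in both modes.
SAMPLE = {
    "access_levels": {"my_trusted_proxy": {"combining_function": "AND"}},
    "access_level_perimeters": {"enforced": {"my_trusted_proxy": ["perimter"]}},
    "perimeters": {"perimeter": {"type": "PERIMETER_TYPE_REGULAR", "dry_run_config": {
        "restricted_services": ["storage.googleapis.com", "bigquery.googleapis.com"]}}},
    "perimeter_projects": {"perimeter": {"enforced": [111111111, 333333333], "dry_run": [333333333]}},
}
```

Running `check_vpc_sc_inputs(SAMPLE)` reports the misspelled `perimter` target and the project number present in both modes; a clean configuration returns an empty list.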