cloud-foundation-fabric/modules/vpc-sc
Julio Castillo eecdee63e6 Make examples in READMEs runnable and testable 2020-11-07 10:28:33 +01:00

README.md

VPC Service Control Module

This module allows managing VPC Service Control (VPC-SC) properties: access levels, standard and bridge perimeters, and the projects each perimeter contains, in enforced or dry-run mode.

Use of this module requires credentials with the correct permissions to use Access Context Manager.

Example VPC-SC standard perimeter

module "vpc-sc" {
  source              = "./modules/vpc-sc"
  org_id              = 112233
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks = ["85.85.85.52/32"]
        members        = []
        negate         = false
      }]
    }
  }
  access_level_perimeters = {
    # outer key is the enforcement mode ('enforced' or 'dry_run'), inner key the access level
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}
# tftest:modules=1:resources=3

Example VPC-SC standard perimeter with one service and one project in dry run mode

module "vpc-sc" {
  source              = "./modules/vpc-sc"
  org_id              = 112233
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks = ["85.85.85.52/32"]
        members        = []
        negate         = false
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }
}
# tftest:modules=1:resources=3
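Bridge perimeters, which the perimeters_bridge output refers to, let projects that already sit in two different standard perimeters reach each other's restricted services while both stay closed to everything else. The block below is an added example, not from the module README; it assumes that the perimeters map accepts `PERIMETER_TYPE_BRIDGE` with both configs set to null (a bridge carries no service restrictions of its own) and that bridge membership is declared through perimeter_projects like any other perimeter.

```hcl
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  org_id              = 112233
  access_policy_title = "My Access Policy"
  perimeters = {
    # Two standard perimeters, each enforcing its own restricted services
    # on its own projects.
    landing = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
    analytics = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
    }
    # Bridge perimeter (assumed shape): no service configuration of its own.
    # Its member projects must already belong to a standard perimeter; the
    # bridge only opens the restricted-service path between them.
    landing_to_analytics = {
      type            = "PERIMETER_TYPE_BRIDGE"
      dry_run_config  = null
      enforced_config = null
    }
  }
  perimeter_projects = {
    landing   = { enforced = [111111111] }
    analytics = { enforced = [222222222] }
    # List only the projects that need the cross-perimeter path: a bridge
    # widens the trust boundary of every project it contains.
    landing_to_analytics = { enforced = [111111111, 222222222] }
  }
}
```

Project numbers and perimeter names are constructed for the example; a bridge never relaxes the restrictions of the standard perimeters it joins, so a project that is in a bridge but not in a standard perimeter gains nothing.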

Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| access_policy_title | Access Policy title to be created. | string | ✓ | |
| org_id | Organization id in nnnnnn format. | number | ✓ | |
| access_level_perimeters | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) | | {} |
| access_levels | Access Levels. | map(object({...})) | | {} |
| perimeter_projects | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) | | {} |
| perimeters | Set of Perimeters. | map(object({...})) | | {} |

Outputs

| name | description | sensitive |
|---|---|:---:|
| access_levels | Access Levels. | |
| access_policy_name | Access Policy resource. | |
| org_id | Organization id dependent on module resources. | |
| perimeters_bridge | VPC-SC bridge perimeter resources. | |
| perimeters_standard | VPC-SC standard perimeter resources. | |