VPC Service Control Module
This module manages VPC Service Controls (VPC-SC) properties: the access policy, access levels and perimeters.
Using this module requires credentials with the permissions needed to manage Access Context Manager resources.
Example: VPC-SC standard perimeter
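# Regular perimeter in enforced mode: one access level built from a single
# trusted source range, bound to one perimeter that restricts Cloud Storage for
# two projects.
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"

  access_levels = {
    my_trusted_proxy = {
      # All listed conditions must hold; a single condition is given below.
      combining_function = "AND"
      conditions = [{
        # Only requests originating from this /32 satisfy the level.
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        # false: the condition grants access when matched rather than excluding it.
        negate                 = false
        device_policy          = null
        regions                = null
      }]
    }
  }

  # Shape is enforcement mode -> access level -> perimeters (see the
  # access_level_perimeters variable). The outer key must be "enforced" or
  # "dry_run"; an access level name at this position does not match the
  # documented shape and is not a valid mode.
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }

  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      # No candidate (dry-run) policy: only the enforced configuration applies.
      dry_run_config = null
      enforced_config = {
        # Services protected by the perimeter.
        restricted_services     = ["storage.googleapis.com"]
        # Services reachable from VPC networks inside the perimeter.
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }

  # Project numbers per enforcement mode.
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}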
# tftest:modules=1:resources=3
Example: VPC-SC standard perimeter with one additional service and one project in dry-run mode
# Regular perimeter carrying both an enforced and a dry-run configuration.
# The enforced set restricts Cloud Storage for two projects; the dry-run set
# adds BigQuery and a third project, so the wider policy is evaluated and its
# would-be violations logged without being blocked, which lets the extra
# service and project be validated before being promoted to the enforced set.
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"

  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      # Candidate policy: evaluated against traffic, not enforced.
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      # Live policy applied to the projects listed under `enforced` below.
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }

  # Project numbers per enforcement mode; 333333333 is only checked in dry run.
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }

  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        device_policy          = null
        regions                = null
      }]
    }
  }

  # Enforcement mode -> access level -> perimeters; the level is bound only
  # to the enforced configuration in this example.
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
}
# tftest:modules=1:resources=3
Variables
name | description | type | required | default |
---|---|---|---|---|
access_policy_title | Access Policy title to be created. | string |
✓ | |
organization_id | Organization id in organizations/nnnnnn format. | string |
✓ | |
access_level_perimeters | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) |
{} |
|
access_levels | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate, device_policy or regions'. | map(object({...})) |
{} |
|
perimeter_projects | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) |
{} |
|
perimeters | Set of Perimeters. | map(object({...})) |
{} |
Outputs
name | description | sensitive |
---|---|---|
access_levels | Access Levels. | |
access_policy_name | Access Policy resource. | |
organization_id | Organization id dependent on module resources. | |
perimeters_bridge | VPC-SC bridge perimeter resources. | |
perimeters_standard | VPC-SC standard perimeter resources. |