cloud-foundation-fabric/modules/vpc-sc
Lorenzo Caggioni 7cf3990d27 - Fixes based on PR comments
- Moving module under Security
- Formatting TF files
2020-07-10 07:22:57 +02:00

README.md

VPC Service Control Module

This module manages VPC Service Control (VPC-SC) resources: the access policy, access levels, and standard and bridge perimeters.

Use of this module requires credentials with the permissions needed to manage Access Context Manager resources.

Example VPC-SC standard perimeter

```hcl
module "vpc-sc" {
  source              = "../../modules/vpc-sc"
  org_id              = 1234567890
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks = ["85.85.85.52/32"]
        members        = []
        negate         = false
      }]
    }
  }
  # Enforced mode -> Access Level -> Perimeters (see the Variables table below)
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}
```

Example VPC-SC standard perimeter with one extra service and one extra project in dry-run mode

```hcl
module "vpc-sc" {
  source              = "../../modules/vpc-sc"
  org_id              = 1234567890
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks = ["85.85.85.52/32"]
        members        = []
        negate         = false
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      # Dry-run spec: evaluated and logged, but not enforced
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }
}
```

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| access_policy_title | Access Policy title to be created. | string | ✓ | |
| org_id | Organization id in nnnnnn format. | number | ✓ | |
| access_level_perimeters | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) | | {} |
| access_levels | Access Levels. | map(object({...})) | | {} |
| perimeter_projects | Perimeter -> Enforced Mode -> Project Numbers mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) | | {} |
| perimeters | Set of Perimeters. | map(object({...})) | | {} |
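The three map variables above reference each other by key (access level names, perimeter names, and the 'enforced'/'dry_run' modes), and a dangling reference only surfaces at apply time. As an added example that is not part of the module, this check cross-references a dict shaped like those variables before running Terraform; the rule that each mode needs its matching perimeter config (dry_run -> dry_run_config, enforced -> enforced_config) is an assumption about how the module uses them.

```python
# Added example, not part of the vpc-sc module: pre-apply consistency check over a dict
# shaped like the four map variables documented above. The reference rules follow the
# variable descriptions; "each mode needs its matching perimeter config" is an assumption.
VALID_MODES = {"enforced", "dry_run"}


def check_vpc_sc_inputs(inputs):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    levels = set(inputs.get("access_levels", {}))
    perimeters = inputs.get("perimeters", {})

    def needs_config(perimeter, mode, where):
        key = "dry_run_config" if mode == "dry_run" else "enforced_config"
        if perimeters[perimeter].get(key) is None:
            problems.append(f"{where}: perimeter '{perimeter}' has no {key}")

    # access_level_perimeters: mode -> access level -> [perimeter names]
    for mode, level_map in inputs.get("access_level_perimeters", {}).items():
        if mode not in VALID_MODES:
            problems.append(f"access_level_perimeters: unknown mode '{mode}'")
            continue
        for level, names in level_map.items():
            where = f"access_level_perimeters.{mode}.{level}"
            if level not in levels:
                problems.append(f"{where}: undefined access level '{level}'")
            for name in names:
                if name not in perimeters:
                    problems.append(f"{where}: undefined perimeter '{name}'")
                else:
                    needs_config(name, mode, where)

    # perimeter_projects: perimeter name -> mode -> [project numbers]
    for name, mode_map in inputs.get("perimeter_projects", {}).items():
        if name not in perimeters:
            problems.append(f"perimeter_projects: undefined perimeter '{name}'")
            continue
        for mode in mode_map:
            if mode not in VALID_MODES:
                problems.append(f"perimeter_projects.{name}: unknown mode '{mode}'")
            else:
                needs_config(name, mode, f"perimeter_projects.{name}.{mode}")
    return problems


# Constructed sample mirroring the dry-run README example above (not real project numbers).
SAMPLE = {
    "access_levels": {"my_trusted_proxy": {"combining_function": "AND", "conditions": []}},
    "access_level_perimeters": {"enforced": {"my_trusted_proxy": ["perimeter"]}},
    "perimeters": {"perimeter": {"type": "PERIMETER_TYPE_REGULAR", "dry_run_config": {},
                                 "enforced_config": {"restricted_services": ["storage.googleapis.com"]}}},
    "perimeter_projects": {"perimeter": {"enforced": [111111111, 222222222], "dry_run": [333333333]}},
}
```

Feed it the same structure you pass to the module (for example the decoded output of `terraform show -json` or a parsed tfvars file) and fail the pipeline on a non-empty result.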

Outputs

| name | description | sensitive |
|---|---|---|
| access_levels | Access Levels. | |
| access_policy_name | Access Policy resource. | |
| org_id | Organization id dependent on module resources. | |
| perimeters_bridge | VPC-SC bridge perimeter resources. | |
| perimeters_standard | VPC-SC standard perimeter resources. | |