cloud-foundation-fabric/modules/vpc-sc
lcaggio eee06bd5dc
Remove device_policy, it requires BeyondCorp Enterprise Premium. we will implement it in future iterations. (#215)
2021-03-29 12:17:11 +02:00
Files in this directory (last change per file):
README.md, main.tf, variables.tf: eee06bd5dc (#215), 2021-03-29 12:17:11 +02:00
outputs.tf, versions.tf: Update copyright to 2021, 2021-02-15 09:38:10 +01:00

README.md

VPC Service Control Module

This module allows managing VPC Service Control (VPC-SC) properties: the Access Policy, the Access Levels and the service perimeters (standard and bridge) described by the variables and outputs below.

Use of this module requires credentials with the correct permissions to use Access Context Manager.

Example VPC-SC standard perimeter

module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  # Outer key is the enforcement mode ('enforced' or 'dry_run'), inner key the access level.
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}
# tftest:modules=1:resources=3

Example VPC-SC standard perimeter with one service and one project in dry run mode

module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      dry_run_config = {
        restricted_services     = ["storage.googleapis.com", "bigquery.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }
}
# tftest:modules=1:resources=3
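A further usage example, added here and not taken from the module's own README, that exercises the variable fields the two examples above leave unused: an access level with combining_function "OR" that admits either named identities or a second network range, a perimeter kept entirely in dry run, and the dry_run key of access_level_perimeters. Perimeter names, CIDRs, project numbers and identities are constructed placeholders; the example assumes that enforced_config accepts null in the same way the first example passes null for dry_run_config, and that unused condition fields are passed as null.

```hcl
module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"

  access_levels = {
    # Requests must come from the corporate egress range (constructed CIDR).
    corp_network = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["203.0.113.0/24"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
    # Named operators from any network, OR anyone on the VPN egress range:
    # with "OR" a single matching condition is enough. Identities and CIDR
    # are constructed placeholders; unused fields are passed as null (assumption).
    operators = {
      combining_function = "OR"
      conditions = [
        {
          ip_subnetworks         = null
          required_access_levels = null
          members                = ["user:operator@example.com", "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]
          negate                 = false
          regions                = null
        },
        {
          ip_subnetworks         = ["198.51.100.0/24"]
          required_access_levels = null
          members                = []
          negate                 = false
          regions                = null
        }
      ]
    }
  }

  # Enforce the network level on both perimeters; trial the identity level on
  # the analytics perimeter only, in dry run, so mismatches are logged not blocked.
  access_level_perimeters = {
    enforced = {
      corp_network = ["landing", "analytics"]
    }
    dry_run = {
      operators = ["analytics"]
    }
  }

  perimeters = {
    # Landing perimeter: already enforced for Cloud Storage.
    landing = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
    # Analytics perimeter: dry run only, nothing enforced yet
    # (assumes the module accepts a null enforced_config).
    analytics = {
      type = "PERIMETER_TYPE_REGULAR"
      dry_run_config = {
        restricted_services     = ["bigquery.googleapis.com", "storage.googleapis.com"]
        vpc_accessible_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
      }
      enforced_config = null
    }
  }

  # Project numbers are constructed placeholders.
  perimeter_projects = {
    landing = {
      enforced = [111111111]
    }
    analytics = {
      dry_run = [333333333, 444444444]
    }
  }
}
```

The point of the split is staged rollout: the analytics perimeter and the operators access level generate dry-run violation entries in Cloud Audit Logs without denying any request, so those entries can be reviewed for legitimate flows that the policy would cut off. Promotion is then a pure move in this configuration: copy the dry_run_config services into enforced_config, move the project numbers from dry_run to enforced, and move the access level from the dry_run to the enforced map.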

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| access_policy_title | Access Policy title to be created. | string | yes | |
| organization_id | Organization id in organizations/nnnnnn format. | string | yes | |
| access_level_perimeters | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(string))) | | {} |
| access_levels | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. | map(object({...})) | | {} |
| perimeter_projects | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) | | {} |
| perimeters | Set of Perimeters. | map(object({...})) | | {} |

Outputs

| name | description | sensitive |
|---|---|---|
| access_levels | Access Levels. | |
| access_policy_name | Access Policy resource. | |
| organization_id | Organization id dependent on module resources. | |
| perimeters_bridge | VPC-SC bridge perimeter resources. | |
| perimeters_standard | VPC-SC standard perimeter resources. | |