Add perimeter factory to modules/vpc-sc (#2919)
* Add perimeter factory Proposal to allow the management of perimeters in yaml factory. Project discovery is extended to multiple perimeters with query filtering. Doc clean uo * default perimeters desc to null * linting * Revert changes to FAST * Remove test and schema from FAST * Align vars and perimeter factory * Interpolate resource_sets in more places * Silence linter * Update README.md --------- Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Ludovico Magnocavallo <ludo@qix.it>
This commit is contained in:
karpok78
@@ -198,7 +198,7 @@ module "test" {
|
||||
r1 = {
|
||||
status = {
|
||||
access_levels = ["a1", "a2"]
|
||||
resources = ["projects/11111", "projects/111111"]
|
||||
resources = ["projects/1111", "projects/2222"]
|
||||
restricted_services = ["storage.googleapis.com"]
|
||||
egress_policies = ["gcs-sa-foo"]
|
||||
ingress_policies = ["sa-tf-test"]
|
||||
@@ -215,11 +215,11 @@ module "test" {
|
||||
|
||||
## Factories
|
||||
|
||||
This module implements support for three distinct factories, used to create and manage access levels, egress policies and ingress policies via YAML files. The YAML files syntax is a 1:1 match for the corresponding variables, and the factory data is merged at runtime with any data set in variables, which take precedence in case of key overlaps.
|
||||
This module implements support for five distinct factories, used to create and manage perimeters, bridges, access levels, egress policies, and ingress policies via YAML files.
|
||||
|
||||
JSON Schema files for each factory object are available in the [`schemas`](./schemas/) folder, and can be used to validate input YAML data with [`validate-yaml`](https://github.com/gerald1248/validate-yaml) or any of the available tools and libraries.
|
||||
|
||||
This is an example that uses all three factories. Note that the factory configuration points to folders, where each file represents one resource.
|
||||
This is an example that uses only three factories and leave perimeter management in tfvars. Note that the factory configuration points to folders, where each file represents one resource.
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
@@ -229,12 +229,18 @@ module "test" {
|
||||
access_levels = "data/access-levels"
|
||||
egress_policies = "data/egress-policies"
|
||||
ingress_policies = "data/ingress-policies"
|
||||
context = {
|
||||
resource_sets = {
|
||||
foo_projects = ["projects/321", "projects/654"]
|
||||
}
|
||||
}
|
||||
}
|
||||
service_perimeters_regular = {
|
||||
r1 = {
|
||||
perimeter-north = {
|
||||
description = "Main perimeter"
|
||||
status = {
|
||||
access_levels = ["geo-it", "identity-user1"]
|
||||
resources = ["projects/11111", "projects/111111"]
|
||||
resources = ["projects/1111", "projects/2222"]
|
||||
restricted_services = ["storage.googleapis.com"]
|
||||
egress_policies = ["gcs-sa-foo"]
|
||||
ingress_policies = ["sa-tf-test-geo", "sa-tf-test"]
|
||||
@@ -308,9 +314,55 @@ to:
|
||||
- service_name: "*"
|
||||
resources:
|
||||
- projects/1234567890
|
||||
- foo_projects
|
||||
# tftest-file id=i2 path=data/ingress-policies/sa-tf-test-geo.yaml schema=ingress-policy.schema.json
|
||||
```
|
||||
|
||||
But perimeters could also defined in a yaml file.
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/modules/vpc-sc"
|
||||
access_policy = "12345678"
|
||||
factories_config = {
|
||||
access_levels = "data/access-levels"
|
||||
egress_policies = "data/egress-policies"
|
||||
ingress_policies = "data/ingress-policies"
|
||||
perimeters = "data/perimeters"
|
||||
context = {
|
||||
resource_sets = {
|
||||
foo_projects = ["projects/321", "projects/654"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3 files=a1,a2,e1,i1,i2,r1 inventory=factory.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
description: Main perimeter
|
||||
status:
|
||||
access_levels:
|
||||
- "geo-it"
|
||||
- "identity-user1"
|
||||
resources:
|
||||
- "projects/1111"
|
||||
- "projects/2222"
|
||||
restricted_services:
|
||||
- "storage.googleapis.com"
|
||||
egress_policies:
|
||||
- "gcs-sa-foo"
|
||||
ingress_policies:
|
||||
- "sa-tf-test-geo"
|
||||
- "sa-tf-test"
|
||||
vpc_accessible_services:
|
||||
allowed_services:
|
||||
- "storage.googleapis.com"
|
||||
enable_restriction: yes
|
||||
|
||||
# tftest-file id=r1 path=data/perimeters/perimeter-north.yaml schema=perimeters.schema.json
|
||||
````
|
||||
|
||||
## Notes
|
||||
|
||||
- To remove an access level, first remove the binding between perimeter and the access level in `status` and/or `spec` without removing the access level itself. Once you have run `terraform apply`, you'll then be able to remove the access level and run `terraform apply` again.
|
||||
@@ -339,17 +391,17 @@ to:
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [access_policy](variables.tf#L67) | Access Policy name, set to null if creating one. | <code>string</code> | ✓ | |
|
||||
| [access_levels](variables.tf#L17) | Access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) vpc_subnets = optional(map(list(string)), {}) })), []) description = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy_create](variables.tf#L72) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format. | <code title="object({ parent = string title = string scopes = optional(list(string), null) })">object({…})</code> | | <code>null</code> |
|
||||
| [egress_policies](variables.tf#L82) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ external_resources = optional(list(string)) operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L124) | Paths to folders that enable factory functionality. | <code title="object({ access_levels = optional(string) egress_policies = optional(string) ingress_policies = optional(string) restricted_services = optional(string, "data/restricted-services.yaml") })">object({…})</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L136) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables.tf#L142) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables.tf#L157) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_policies](variables.tf#L172) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_bridge](variables.tf#L213) | Bridge service perimeters. | <code title="map(object({ spec_resources = optional(list(string)) status_resources = optional(list(string)) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_regular](variables.tf#L223) | Regular service perimeters. | <code title="map(object({ description = optional(string) spec = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) status = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy](variables.tf#L68) | Access Policy name, set to null if creating one. | <code>string</code> | ✓ | |
|
||||
| [access_levels](variables.tf#L17) | Access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) vpc_subnets = optional(map(list(string)), {}) })), []) description = optional(string) title = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy_create](variables.tf#L73) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format. | <code title="object({ parent = string title = string scopes = optional(list(string), null) })">object({…})</code> | | <code>null</code> |
|
||||
| [egress_policies](variables.tf#L83) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ external_resources = optional(list(string)) operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L125) | Paths to folders that enable factory functionality. | <code title="object({ access_levels = optional(string) bridges = optional(string) egress_policies = optional(string) ingress_policies = optional(string) perimeters = optional(string) context = optional(object({ resource_sets = optional(map(list(string)), {}) service_sets = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L142) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables.tf#L148) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables.tf#L163) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_policies](variables.tf#L178) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_bridge](variables.tf#L219) | Bridge service perimeters. | <code title="map(object({ description = optional(string) title = optional(string) spec_resources = optional(list(string)) status_resources = optional(list(string)) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_regular](variables.tf#L231) | Regular service perimeters. | <code title="map(object({ description = optional(string) title = optional(string) spec = optional(object({ access_levels = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) restricted_services = optional(list(string)) resources = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) status = optional(object({ access_levels = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
@@ -392,7 +444,7 @@ module "test" {
|
||||
default = {
|
||||
status = {
|
||||
access_levels = ["geo-it"]
|
||||
resources = ["projects/11111"]
|
||||
resources = ["projects/1111"]
|
||||
egress_policies = ["factory-egress-policy"]
|
||||
ingress_policies = ["variable-policy", "factory-ingress-policy"]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user