From 0f10e820f949d6e001c6471b8d60326a477e199a Mon Sep 17 00:00:00 2001
From: Daniel Marzini
Date: Thu, 22 Jul 2021 09:19:10 +0200
Subject: [PATCH] Enable multiple vpc-sc perimeters over multiple modules
---
modules/vpc-sc/README.md | 89 +++++++++++++++++++++++++++++++++++++
modules/vpc-sc/main.tf | 9 +++-
modules/vpc-sc/variables.tf | 12 +++++
modules/vpc-sc/versions.tf | 4 +-
4 files changed, 110 insertions(+), 4 deletions(-)
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 2c64bb1c1..ef2ca92b3 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -136,6 +136,95 @@ module "vpc-sc" {
 # tftest:modules=1:resources=3
 ```
+## Example VCP-SC standard perimeter with one service and one project in dry run mode in a Organization with an already existent access policy
+```hcl
+module "vpc-sc-first" {
+ source = "./modules/vpc-sc"
+ organization_id = "organizations/112233"
+ access_policy_title = "My Org Access Policy"
+ access_levels = {
+ my_trusted_proxy = {
+ combining_function = "AND"
+ conditions = [{
+ ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
+ members = []
+ negate = false
+ regions = null
+ }]
+ }
+ }
+ access_level_perimeters = {
+ enforced = {
+ my_trusted_proxy = ["perimeter"]
+ }
+ }
+ perimeters = {
+ perimeter = {
+ type = "PERIMETER_TYPE_REGULAR"
+ dry_run_config = {
+ restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+ vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+ }
+ enforced_config = {
+ restricted_services = ["storage.googleapis.com"]
+ vpc_accessible_services = ["storage.googleapis.com"]
+ }
+ }
+ }
+ perimeter_projects = {
+ perimeter = {
+ enforced = [111111111, 222222222]
+ dry_run = [333333333]
+ }
+ }
+}
+
+module "vpc-sc-second" {
+ source = "./modules/vpc-sc"
+ organization_id = "organizations/112233"
+ access_policy_create = false
+ access_policy_name = module.vpc-sc-first.access_policy_name
+ access_levels = {
+ my_trusted_proxy = {
+ combining_function = "AND"
+ conditions = [{
+ ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
+ members = []
+ negate = false
+ regions = null
+ }]
+ }
+ }
+ access_level_perimeters = {
+ enforced = {
+ my_trusted_proxy = ["secperimeter"]
+ }
+ }
+ perimeters = {
+ secperimeter = {
+ type = "PERIMETER_TYPE_REGULAR"
+ dry_run_config = {
+ restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+ vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
+ }
+ enforced_config = {
+ restricted_services = ["storage.googleapis.com"]
+ vpc_accessible_services = ["storage.googleapis.com"]
+ }
+ }
+ }
+ perimeter_projects = {
+ secperimeter = {
+ enforced = [444444444, 666666666]
+ dry_run = [555555555]
+ }
+ }
+}
+# tftest:modules=1:resources=3
+```
+
 ## Variables
diff --git a/modules/vpc-sc/main.tf b/modules/vpc-sc/main.tf
index 6b111d983..abae2e35f 100644
--- a/modules/vpc-sc/main.tf
+++ b/modules/vpc-sc/main.tf
@@ -15,7 +15,11 @@
 */
 locals {
- access_policy_name = google_access_context_manager_access_policy.default.name
+ access_policy_name = (
+ var.access_policy_create
+ ? try(google_access_context_manager_access_policy.default[0].name, null)
+ : var.access_policy_name
+ )
 standard_perimeters = {
 for key, value in var.perimeters :
@@ -36,8 +40,9 @@ locals {
 }
 resource "google_access_context_manager_access_policy" "default" {
+ count = var.access_policy_create ? 1 : 0
 parent = var.organization_id
- title = var.access_policy_title
+ title = var.access_policy_title == null ? "${var.organization_id}-title" : var.access_policy_title
 }
 resource "google_access_context_manager_access_level" "default" {
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index 490f4951e..ea472ef91 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
@@ -29,6 +29,17 @@ variable "access_levels" {
 default = {}
 }
+variable "access_policy_create" {
+ description = "enable autocreation of the Access Policy"
+ type = bool
+ default = true
+}
+
+variable "access_policy_name" {
+ description = "Referenced Access Policy name"
+ type = string
+}
+
 variable "access_level_perimeters" {
 description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
 type = map(map(list(string)))
@@ -38,6 +49,7 @@ variable "access_level_perimeters" {
 variable "access_policy_title" {
 description = "Access Policy title to be created."
 type = string
+ default = null
 }
 variable "egress_policies" {
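Review bot: The first module block (`vpc-sc-first`) omits `access_policy_name`, yet variables.tf in this same patch declares that variable without a default, so Terraform will reject the example with a missing-required-argument error; either pass it here or give the variable `default = null` (see the variables.tf hunk). The trailing `# tftest:modules=1:resources=3` also looks wrong for a snippet that declares two module blocks, one of which creates a policy, an access level and a perimeter while the other creates an access level and a perimeter — the counts should be rechecked against what the test harness actually counts. Both modules declare an access level keyed `my_trusted_proxy` under the same policy; if the access level's resource name is derived from that key (the resource body is not in this patch) the second module's apply will collide with the first, so the example should use distinct keys. Finally the heading reads `VCP-SC` for `VPC-SC` and `in a Organization` for `in an Organization`, and still says "one service and one project" although the example shows two modules with two services and several projects each.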
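Review bot: The `try(google_access_context_manager_access_policy.default[0].name, null)` in the new `access_policy_name` local can never legitimately fall back: when `var.access_policy_create` is true the resource's `count` (set in the next hunk of this file) is 1, so index 0 always exists, and `try` only converts a genuine evaluation error into a silent `null` that then flows into every access level and perimeter referencing `local.access_policy_name` (those resources are outside this hunk). Prefer the plain reference `? google_access_context_manager_access_policy.default[0].name` so a broken policy surfaces at plan time rather than as resources attached to a null policy. A one-line comment on the local, `# name of the module-managed policy when created here, otherwise the caller-supplied policy`, would also help readers. The `locals` block continues past the end of the hunk.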
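Review bot: Adding `count` moves this resource from the address `google_access_context_manager_access_policy.default` to `google_access_context_manager_access_policy.default[0]`, so every existing deployment of the module will plan a destroy-and-recreate of its access policy — and, since the access levels and perimeters reference the policy name, presumably of those as well — unless the state is migrated first. That needs to be called out in the README or changelog together with the migration step `terraform state mv google_access_context_manager_access_policy.default 'google_access_context_manager_access_policy.default[0]'`, because a `moved` block is not available at the `>= 0.12.6` required_version this patch keeps. The fallback title `"${var.organization_id}-title"` expands to something like `organizations/112233-title`; whether a `/` is accepted in an access policy title is not established here and should be verified, or a title that does not embed the parent path should be used. A comment such as `# count toggles creation; flipping access_policy_create on an existing deployment destroys this policy and every level/perimeter under it` would document the blast radius for operators.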
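Review bot: `variable "access_policy_name"` has no default, which makes it a required input even for callers that keep `access_policy_create = true`; the patch's own README example for `vpc-sc-first` omits it and would fail for that reason. Give it `default = null` and a description that says when it is read and what form it takes, e.g. `description = "Access Policy name to reuse when access_policy_create is false (the value the module exposes as its access_policy_name output)."` — the exact format cannot be confirmed from this hunk. The `access_policy_create` description should also state that changing it on an existing deployment removes or stops managing the policy, since main.tf gates the policy resource's `count` on it. With `required_version = ">= 0.12.6"` a `validation` block that requires the name whenever creation is off is not available, so the pairing of the two inputs has to be documented rather than enforced.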
diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf
index 6ecbc64ee..2146648bd 100644
--- a/modules/vpc-sc/versions.tf
+++ b/modules/vpc-sc/versions.tf
@@ -17,6 +17,6 @@ terraform {
 required_version = ">= 0.12.6"
 required_providers {
- google = ">= 3.62"
- }
+ google = ">= 3.62"
+ }
 }