fix factory ingress policies (#2251)

2024-05-01 18:50:30 +02:00
parent e1226676fd
commit 27a055a9cb
3 changed files with 40 additions and 5 deletions
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -233,7 +233,7 @@ module "test" {
        resources           = ["projects/11111", "projects/111111"]
        restricted_services = ["storage.googleapis.com"]
        egress_policies     = ["gcs-sa-foo"]
-        ingress_policies    = ["sa-tf-test"]
+        ingress_policies    = ["sa-tf-test-geo", "sa-tf-test"]
        vpc_accessible_services = {
          allowed_services   = ["storage.googleapis.com"]
          enable_restriction = true
@@ -242,7 +242,7 @@ module "test" {
    }
  }
 }
-# tftest modules=1 resources=3 files=a1,a2,e1,i1 inventory=factory.yaml
+# tftest modules=1 resources=3 files=a1,a2,e1,i1,i2 inventory=factory.yaml
 ```

 ```yaml
@@ -282,12 +282,29 @@ from:
    - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
 to:
  operations:
-    - service_name: "*"
+    - service_name: compute.googleapis.com
+      method_selectors:
+        - ProjectsService.Get
+        - RegionsService.Get
  resources:
    - "*"
 # tftest-file id=i1 path=data/ingress-policies/sa-tf-test.yaml
 ```

+```yaml
+from:
+  access_levels:
+    - geo-it
+  identities:
+    - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+to:
+  operations:
+    - service_name: "*"
+  resources:
+    - projects/1234567890
+# tftest-file id=i2 path=data/ingress-policies/sa-tf-test-geo.yaml
+```
+
 ## Notes

 - To remove an access level, first remove the binding between perimeter and the access level in `status` and/or `spec` without removing the access level itself. Once you have run `terraform apply`, you'll then be able to remove the access level and run `terraform apply` again.
--- a/modules/vpc-sc/factory.tf
+++ b/modules/vpc-sc/factory.tf
@@ -74,7 +74,7 @@ locals {
        }, try(v.from, {}))
        to = {
          operations = [
-            for o in try(v.operations, []) : merge({
+            for o in try(v.to.operations, []) : merge({
              method_selectors     = []
              permission_selectors = []
              service_name         = null
--- a/tests/modules/vpc_sc/examples/factory.yaml
+++ b/tests/modules/vpc_sc/examples/factory.yaml
@@ -81,9 +81,27 @@ values:
          - access_level: '*'
            resource: null
        ingress_to:
-        - operations: []
+        - operations:
+          - method_selectors:
+            - method: ProjectsService.Get
+              permission: null
+            - method: RegionsService.Get
+              permission: null
+            service_name: compute.googleapis.com
          resources:
          - '*'
+      - ingress_from:
+        - identities:
+          - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+          identity_type: null
+          sources:
+          - resource: null
+        ingress_to:
+        - operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - projects/1234567890
      resources:
      - projects/11111
      - projects/111111