FAST light implementation (#3255)
* data wip * wip data * update org schema, add note on expansion * all schemas, workload notes * Update WORKLOG.md * Update WORKLOG.md * Update WORKLOG.md * Update WORKLOG.md * wip * data wip * wip * wip * wip * wip * org module IAM context (using lookup) * new-style context expansion in project IAM * remove spurious file * project module contexts * finalize context replacement format for project module * revert org module changes * fix tag id interpolation in project * fix tag id interpolation in project * organization module context * organization context test * context expansion for folder tag bindings * test context expansion for tag bindings * service account module context * simplify context local * context for iam service account * nuke blueprints * remove links to blueprints * vpc sc context in project module * Add context to GCS module * Add inline deps to plan_summary script * Make context a top-level variable for folder, organization, sa * Add add context top-level to VPC-SC * move context out of factories_config variable * tfdoc * fix merge * fix merge * fix examples * net-vpc module context * add parent ids to folder context * rename folder parent context * fix folder parent check * new project factory stub * wip * wip * refactor defaults * project iam * bueckts and service accounts * start adding context replacements * better test data * automation resources for folders and projects * automation * add support for project id interpolation * first tested apply * improve IAM description in gcs module * add context to billing account module * add notification channels to billing account module context * add billing budgets to new pf * schemas and defaults * bootstrap wip * bootstrap wip * bootstrap wip * pf outputs * pf fixes * fix pf sample data * bootstrap lite fixes * add locations to organization module contexts * bootstrap lite fixes * org fixes, billing accounts * fix default project parent * bootstrap lite wip * add locations to gcs module context * add context support to logging bucket module * add context to pubsub module * split out iam variables in gcs module * fix logging bucket context test * bootstrap log sink destinations * streamline logging-bucket module variables * fix logging bucket context test * align logging bucket module interface in fast bootstrap * add support for project-level log buckets to project factory * support full context expansion in organization module log sinks * log buckets in fast-lite bootstrap * make og sink type optional in organization module * log sinks in fast-lite bootstrap * set tag values in factory context * bootstrap lite data * output files schema * billing account schema * output files * output providers * gcs output files * boilerplate * tflint * check documentation * check docs * fix project module parent variable validation * fix log bucket examples * allow null parent in project module * silence folder test errors * fix billing account sink example * fix project example * fix billing account module * fix folder tests * fix FAST * fix fast * tfvars outputs * wif * cicd service accounts * cicd * allow defaults in context, minimal org policies * support gcs managed folders in project factory and bootstrap lite * support prefix in provider output files * rename bootstrap stage * gitignore * gitignore * security folder, billing IAM * wip tfvars * fix typo * security IAM * control tag iam/context via variables in organization module * split tag creation from tag IAM to avoid circular refs * port organization module tag changes to project module * implement new-style context expansion in vpc-sc module * fix fast vpc-sc tests * boilerplate * vpc sc stage * schemas * fast-lite compatibility for vpc sc stage * make log project number optional in vpc-sc stage * networking * networking * networking * networking * rename and move new stage under fast * clone pf tests * use context replacement for internal notification channels in billing account module * support service agents in project module iam context replacements * support service agents in project module iam context replacements * add support for kms keys to project module context * experimental pf example test and fixes * fix schemas * fix tests * tfdoc * tfdoc * pf config * experimental pf * remove redundant dot from gcs managed folder IAM keys * bootstrap experimental test * project factory exp stage test * skip tflint for bootstrap experimental test * tflint * fix gcs test * documentation work * documentation work * Update README.md * tfdoc * tfdoc * readme * tfdoc * readme * readme * readme * readme * support universe in pf exp projects * missing universe service agents * org policies import, non-admin billing IAM * todo * fix test * custom constraints * fast classic dataset * fix test data * context replacements in billing module log sinks * fix typo * add support for billing log sinks * update docs * readme * cicd fix and test --------- Co-authored-by: Julio Castillo <jccb@google.com>
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
dcd762370c
commit
36648b6b63
@@ -207,7 +207,6 @@ The caller must have `cloudasset.assets.searchAllResources` permission to perfor
|
||||
module "vpc-sc" {
|
||||
source = "./fabric/modules/vpc-sc"
|
||||
project_id_search_scope = var.org_id
|
||||
|
||||
access_policy = "12345678"
|
||||
ingress_policies = {
|
||||
i1 = {
|
||||
@@ -226,7 +225,6 @@ module "vpc-sc" {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
perimeters = {
|
||||
p = {
|
||||
spec = {
|
||||
@@ -252,16 +250,16 @@ JSON Schema files for each factory object are available in the [`schemas`](./sch
|
||||
module "test" {
|
||||
source = "./fabric/modules/vpc-sc"
|
||||
access_policy = "12345678"
|
||||
context = {
|
||||
resource_sets = {
|
||||
foo_projects = ["projects/321", "projects/654"]
|
||||
}
|
||||
}
|
||||
factories_config = {
|
||||
access_levels = "data/access-levels"
|
||||
egress_policies = "data/egress-policies"
|
||||
ingress_policies = "data/ingress-policies"
|
||||
perimeters = "data/perimeters"
|
||||
context = {
|
||||
resource_sets = {
|
||||
foo_projects = ["projects/321", "projects/654"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3 files=p1,a1,a2,e1,i1,i2 inventory=factory.yaml
|
||||
@@ -373,7 +371,7 @@ to:
|
||||
- service_name: "*"
|
||||
resources:
|
||||
- projects/1234567890
|
||||
- foo_projects
|
||||
- $resource_sets:foo_projects
|
||||
# tftest-file id=i2 path=data/ingress-policies/sa-tf-test-geo.yaml schema=ingress-policy.schema.json
|
||||
```
|
||||
|
||||
@@ -404,14 +402,15 @@ to:
|
||||
| [access_policy](variables.tf#L68) | Access Policy name, set to null if creating one. | <code>string</code> | ✓ | |
|
||||
| [access_levels](variables.tf#L17) | Access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) vpc_subnets = optional(map(list(string)), {}) })), []) description = optional(string) title = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy_create](variables.tf#L73) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format. | <code title="object({ parent = string title = string scopes = optional(list(string), null) })">object({…})</code> | | <code>null</code> |
|
||||
| [egress_policies](variables.tf#L83) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ external_resources = optional(list(string)) operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) roles = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L126) | Paths to folders that enable factory functionality. | <code title="object({ access_levels = optional(string) egress_policies = optional(string) ingress_policies = optional(string) perimeters = optional(string) context = optional(object({ resource_sets = optional(map(list(string)), {}) service_sets = optional(map(list(string)), {}) identity_sets = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L143) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables.tf#L149) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables.tf#L164) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_policies](variables.tf#L179) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) roles = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [perimeters](variables.tf#L221) | Regular service perimeters. | <code title="map(object({ description = optional(string) ignore_resource_changes = optional(bool, false) title = optional(string) use_explicit_dry_run_spec = optional(bool, false) spec = optional(object({ access_levels = optional(list(string), []) egress_policies = optional(list(string), []) ingress_policies = optional(list(string), []) restricted_services = optional(list(string), []) resources = optional(list(string), []) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) status = optional(object({ access_levels = optional(list(string), []) egress_policies = optional(list(string), []) ingress_policies = optional(list(string), []) resources = optional(list(string), []) restricted_services = optional(list(string), []) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [project_id_search_scope](variables.tf#L255) | Set this to an organization or folder ID to use Cloud Asset Inventory to automatically translate project ids to numbers. | <code>string</code> | | <code>null</code> |
|
||||
| [context](variables.tf#L83) | External context used in replacements. | <code title="object({ identity_sets = optional(map(list(string)), {}) project_numbers = optional(map(number), {}) resource_sets = optional(map(list(string)), {}) service_sets = optional(map(list(string)), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [egress_policies](variables.tf#L95) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ external_resources = optional(list(string)) operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) roles = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L138) | Paths to folders that enable factory functionality. | <code title="object({ access_levels = optional(string) egress_policies = optional(string) ingress_policies = optional(string) perimeters = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L150) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables.tf#L156) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables.tf#L171) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_policies](variables.tf#L186) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ title = optional(string) from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) permission_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) roles = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [perimeters](variables.tf#L228) | Regular service perimeters. | <code title="map(object({ description = optional(string) ignore_resource_changes = optional(bool, false) title = optional(string) use_explicit_dry_run_spec = optional(bool, false) spec = optional(object({ access_levels = optional(list(string), []) egress_policies = optional(list(string), []) ingress_policies = optional(list(string), []) restricted_services = optional(list(string), []) resources = optional(list(string), []) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) status = optional(object({ access_levels = optional(list(string), []) egress_policies = optional(list(string), []) ingress_policies = optional(list(string), []) resources = optional(list(string), []) restricted_services = optional(list(string), []) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = optional(bool, true) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [project_id_search_scope](variables.tf#L262) | Set this to an organization or folder ID to use Cloud Asset Inventory to automatically translate project ids to numbers. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -37,7 +37,7 @@ resource "google_access_context_manager_access_level" "basic" {
|
||||
ip_subnetworks = c.value.ip_subnetworks
|
||||
members = flatten([
|
||||
for i in c.value.members :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
negate = c.value.negate
|
||||
regions = c.value.regions
|
||||
|
||||
@@ -15,6 +15,11 @@
|
||||
*/
|
||||
|
||||
locals {
|
||||
_ctx = {
|
||||
for k, v in var.context : k => {
|
||||
for kk, vv in v : "${local.ctx_p}${k}:${kk}" => vv
|
||||
}
|
||||
}
|
||||
access_policy = try(
|
||||
google_access_context_manager_access_policy.default[0].name,
|
||||
var.access_policy
|
||||
@@ -25,13 +30,18 @@ locals {
|
||||
local._project_ids
|
||||
)
|
||||
)
|
||||
ctx = merge(local._ctx, {
|
||||
project_numbers = {
|
||||
for k, v in local._ctx.project_numbers : k => "projects/${v}"
|
||||
}
|
||||
})
|
||||
ctx_p = "$"
|
||||
do_cai_query = (
|
||||
var.project_id_search_scope == null
|
||||
? false
|
||||
: length(local._project_ids) > 0
|
||||
)
|
||||
|
||||
# collect project ids and convert them to numbers
|
||||
# collect project ids and convert them to numbers (project numbers is dynamic)
|
||||
_all_project_identifiers = distinct(flatten([
|
||||
for k, v in local.perimeters : [
|
||||
try(v.status.resources, []),
|
||||
@@ -55,7 +65,8 @@ locals {
|
||||
trimprefix(x, "projects/")
|
||||
if can(regex("^projects/[a-z]", x))
|
||||
]
|
||||
project_number = (local.do_cai_query
|
||||
project_numbers = (
|
||||
local.do_cai_query
|
||||
? {
|
||||
for x in data.google_cloud_asset_search_all_resources.projects[0].results :
|
||||
(trimprefix(x.name, "//cloudresourcemanager.googleapis.com/")) => x.project
|
||||
|
||||
@@ -38,15 +38,16 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
)
|
||||
resources = flatten([
|
||||
for r in spec.value.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]],
|
||||
[r]
|
||||
)
|
||||
])
|
||||
restricted_services = flatten([
|
||||
for r in coalesce(spec.value.restricted_services, []) :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
|
||||
dynamic "egress_policies" {
|
||||
for_each = [
|
||||
for k in coalesce(spec.value.egress_policies, []) :
|
||||
@@ -61,7 +62,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
source_restriction = (
|
||||
length(policy.value.from.access_levels) > 0 || length(policy.value.from.resources) > 0
|
||||
@@ -81,8 +82,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
iterator = resource
|
||||
@@ -98,8 +100,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
external_resources = policy.value.to.external_resources
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
|
||||
@@ -142,7 +145,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
dynamic "sources" {
|
||||
for_each = toset(policy.value.from.access_levels)
|
||||
@@ -156,8 +159,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
content {
|
||||
@@ -171,8 +175,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
content {
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
roles = policy.value.to.roles
|
||||
@@ -205,7 +210,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
content {
|
||||
allowed_services = flatten([
|
||||
for r in spec.value.vpc_accessible_services.allowed_services :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
enable_restriction = spec.value.vpc_accessible_services.enable_restriction
|
||||
}
|
||||
@@ -225,13 +230,14 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
)
|
||||
resources = flatten([
|
||||
for r in status.value.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
restricted_services = flatten([
|
||||
for r in coalesce(status.value.restricted_services, []) :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
|
||||
dynamic "egress_policies" {
|
||||
@@ -248,7 +254,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
source_restriction = (
|
||||
length(policy.value.from.access_levels) > 0 || length(policy.value.from.resources) > 0
|
||||
@@ -268,8 +274,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
iterator = resource
|
||||
@@ -283,8 +290,14 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
for_each = policy.value.to == null ? [] : [""]
|
||||
content {
|
||||
external_resources = policy.value.to.external_resources
|
||||
resources = policy.value.to.resources
|
||||
roles = policy.value.to.roles
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
roles = policy.value.to.roles
|
||||
dynamic "operations" {
|
||||
for_each = toset(policy.value.to.operations)
|
||||
iterator = o
|
||||
@@ -323,7 +336,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
dynamic "sources" {
|
||||
for_each = toset(policy.value.from.access_levels)
|
||||
@@ -338,8 +351,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
content {
|
||||
@@ -353,8 +367,9 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
content {
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
roles = policy.value.to.roles
|
||||
@@ -387,7 +402,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
|
||||
content {
|
||||
allowed_services = flatten([
|
||||
for r in status.value.vpc_accessible_services.allowed_services :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
enable_restriction = status.value.vpc_accessible_services.enable_restriction
|
||||
}
|
||||
|
||||
@@ -52,13 +52,14 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
)
|
||||
resources = flatten([
|
||||
for r in spec.value.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
restricted_services = flatten([
|
||||
for r in coalesce(spec.value.restricted_services, []) :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
|
||||
dynamic "egress_policies" {
|
||||
@@ -75,7 +76,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
source_restriction = (
|
||||
length(policy.value.from.access_levels) > 0 || length(policy.value.from.resources) > 0
|
||||
@@ -95,8 +96,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
iterator = resource
|
||||
@@ -112,11 +114,11 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
external_resources = policy.value.to.external_resources
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
|
||||
roles = policy.value.to.roles
|
||||
dynamic "operations" {
|
||||
for_each = toset(policy.value.to.operations)
|
||||
@@ -156,7 +158,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
dynamic "sources" {
|
||||
for_each = toset(policy.value.from.access_levels)
|
||||
@@ -170,8 +172,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
content {
|
||||
@@ -185,8 +188,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
content {
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
roles = policy.value.to.roles
|
||||
@@ -219,7 +223,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
content {
|
||||
allowed_services = flatten([
|
||||
for r in spec.value.vpc_accessible_services.allowed_services :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
enable_restriction = spec.value.vpc_accessible_services.enable_restriction
|
||||
}
|
||||
@@ -239,13 +243,14 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
)
|
||||
resources = flatten([
|
||||
for r in status.value.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
restricted_services = flatten([
|
||||
for r in coalesce(status.value.restricted_services, []) :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
|
||||
dynamic "egress_policies" {
|
||||
@@ -262,7 +267,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
source_restriction = (
|
||||
length(policy.value.from.access_levels) > 0 || length(policy.value.from.resources) > 0
|
||||
@@ -282,8 +287,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
iterator = resource
|
||||
@@ -299,8 +305,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
external_resources = policy.value.to.external_resources
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
roles = policy.value.to.roles
|
||||
@@ -342,7 +349,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
identity_type = policy.value.from.identity_type
|
||||
identities = flatten([
|
||||
for i in policy.value.from.identities :
|
||||
lookup(var.factories_config.context.identity_sets, i, [i])
|
||||
lookup(local.ctx.identity_sets, i, [i])
|
||||
])
|
||||
dynamic "sources" {
|
||||
for_each = toset(policy.value.from.access_levels)
|
||||
@@ -357,8 +364,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
dynamic "sources" {
|
||||
for_each = flatten([
|
||||
for r in policy.value.from.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
content {
|
||||
@@ -372,8 +380,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
content {
|
||||
resources = flatten([
|
||||
for r in policy.value.to.resources : try(
|
||||
var.factories_config.context.resource_sets[r],
|
||||
[local.project_number[r]], [r]
|
||||
local.ctx.resource_sets[r],
|
||||
[local.ctx.project_numbers[r]],
|
||||
[local.project_numbers[r]], [r]
|
||||
)
|
||||
])
|
||||
roles = policy.value.to.roles
|
||||
@@ -406,7 +415,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
|
||||
content {
|
||||
allowed_services = flatten([
|
||||
for r in status.value.vpc_accessible_services.allowed_services :
|
||||
lookup(var.factories_config.context.service_sets, r, [r])
|
||||
lookup(local.ctx.service_sets, r, [r])
|
||||
])
|
||||
enable_restriction = status.value.vpc_accessible_services.enable_restriction
|
||||
}
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:serviceAccount:|user:|group:|principal:)"
|
||||
"pattern": "^(?:serviceAccount:|user:|group:|principal:|\\$identity_sets:)"
|
||||
}
|
||||
},
|
||||
"resources": {
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
<br>*enum: ['IDENTITY_TYPE_UNSPECIFIED', 'ANY_IDENTITY', 'ANY_USER_ACCOUNT', 'ANY_SERVICE_ACCOUNT', '']*
|
||||
- **identities**: *array*
|
||||
- items: *string*
|
||||
<br>*pattern: ^(?:serviceAccount:|user:|group:|principal:)*
|
||||
<br>*pattern: ^(?:serviceAccount:|user:|group:|principal:|\$identity_sets:)*
|
||||
- **resources**: *array*
|
||||
- items: *string*
|
||||
- ⁺**to**: *object*
|
||||
|
||||
@@ -80,6 +80,18 @@ variable "access_policy_create" {
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "context" {
|
||||
description = "External context used in replacements."
|
||||
type = object({
|
||||
identity_sets = optional(map(list(string)), {})
|
||||
project_numbers = optional(map(number), {})
|
||||
resource_sets = optional(map(list(string)), {})
|
||||
service_sets = optional(map(list(string)), {})
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "egress_policies" {
|
||||
description = "Egress policy definitions that can be referenced in perimeters."
|
||||
type = map(object({
|
||||
@@ -130,11 +142,6 @@ variable "factories_config" {
|
||||
egress_policies = optional(string)
|
||||
ingress_policies = optional(string)
|
||||
perimeters = optional(string)
|
||||
context = optional(object({
|
||||
resource_sets = optional(map(list(string)), {})
|
||||
service_sets = optional(map(list(string)), {})
|
||||
identity_sets = optional(map(list(string)), {})
|
||||
}), {})
|
||||
})
|
||||
nullable = false
|
||||
default = {}
|
||||
|
||||
Reference in New Issue
Block a user