diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 55a066a11..5ac88aef5 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -46,21 +46,18 @@ module "test" {
a1 = {
combining_function = null
conditions = [{
- members = ["user:user1@example.com"],
- device_policy = null, ip_subnetworks = null, negate = null,
- regions = null, required_access_levels = null
+ members = ["user:user1@example.com"], ip_subnetworks = null,
+ negate = null, regions = null, required_access_levels = null
}]
}
a2 = {
combining_function = "OR"
conditions = [{
- regions = ["IT", "FR"],
- device_policy = null, ip_subnetworks = null, members = null,
- negate = null, required_access_levels = null
+ regions = ["IT", "FR"], ip_subnetworks = null,
+ members = null, negate = null, required_access_levels = null
},{
- ip_subnetworks = ["101.101.101.0/24"],
- device_policy = null, members = null, negate = null,
- regions = null, required_access_levels = null
+ ip_subnetworks = ["101.101.101.0/24"], members = null,
+ negate = null, regions = null, required_access_levels = null
}]
}
}
@@ -112,17 +109,15 @@ module "test" {
a1 = {
combining_function = null
conditions = [{
- members = ["user:user1@example.com"],
- device_policy = null, ip_subnetworks = null, negate = null,
- regions = null, required_access_levels = null
+ members = ["user:user1@example.com"], ip_subnetworks = null,
+ negate = null, regions = null, required_access_levels = null
}]
}
a2 = {
combining_function = null
conditions = [{
- members = ["user:user2@example.com"],
- device_policy = null, ip_subnetworks = null, negate = null,
- regions = null, required_access_levels = null
+ members = ["user:user2@example.com"], ip_subnetworks = null,
+ negate = null, regions = null, required_access_levels = null
}]
}
}
@@ -151,6 +146,7 @@ module "test" {
- [ ] implement support for the `google_access_context_manager_gcp_user_access_binding` resource
+
## Variables
@@ -158,7 +154,7 @@ module "test" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| access_policy | Access Policy name, leave null to use auto-created one. | string | ✓ | |
-| access_levels | Map of access levels in name => [conditions] format. | map(object({…})) | | {} |
+| access_levels | Map of access levels in name => [conditions] format. | map(object({…})) | | {} |
| access_policy_create | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | object({…}) | | null |
| service_perimeters_bridge | Bridge service perimeters. | map(object({…})) | | {} |
| service_perimeters_regular | Regular service perimeters. | map(object({…})) | | {} |
@@ -178,3 +174,4 @@ module "test" {
+
diff --git a/modules/vpc-sc/access_levels.tf b/modules/vpc-sc/access_levels.tf
index b732f0804..9aeb232be 100644
--- a/modules/vpc-sc/access_levels.tf
+++ b/modules/vpc-sc/access_levels.tf
@@ -33,30 +33,31 @@ resource "google_access_context_manager_access_level" "basic" {
)
iterator = condition
content {
- dynamic "device_policy" {
- for_each = toset(
- condition.key.device_policy == null ? [] : [condition.key.device_policy]
- )
- iterator = device_policy
- content {
- dynamic "os_constraints" {
- for_each = toset(
- device_policy.key.os_constraints == null ? [] : device_policy.key.os_constraints
- )
- iterator = os_constraint
- content {
- minimum_version = os_constraint.key.minimum_version
- os_type = os_constraint.key.os_type
- require_verified_chrome_os = os_constraint.key.require_verified_chrome_os
- }
- }
- allowed_encryption_statuses = device_policy.key.allowed_encryption_statuses
- allowed_device_management_levels = device_policy.key.allowed_device_management_levels
- require_admin_approval = device_policy.key.require_admin_approval
- require_corp_owned = device_policy.key.require_corp_owned
- require_screen_lock = device_policy.key.require_screen_lock
- }
- }
+ # uncomment here and in the variable type to enable
+ # dynamic "device_policy" {
+ # for_each = toset(
+ # condition.key.device_policy == null ? [] : [condition.key.device_policy]
+ # )
+ # iterator = device_policy
+ # content {
+ # dynamic "os_constraints" {
+ # for_each = toset(
+ # device_policy.key.os_constraints == null ? [] : device_policy.key.os_constraints
+ # )
+ # iterator = os_constraint
+ # content {
+ # minimum_version = os_constraint.key.minimum_version
+ # os_type = os_constraint.key.os_type
+ # require_verified_chrome_os = os_constraint.key.require_verified_chrome_os
+ # }
+ # }
+ # allowed_encryption_statuses = device_policy.key.allowed_encryption_statuses
+ # allowed_device_management_levels = device_policy.key.allowed_device_management_levels
+ # require_admin_approval = device_policy.key.require_admin_approval
+ # require_corp_owned = device_policy.key.require_corp_owned
+ # require_screen_lock = device_policy.key.require_screen_lock
+ # }
+ # }
ip_subnetworks = (
condition.key.ip_subnetworks == null ? [] : condition.key.ip_subnetworks
)
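Review bot: Commenting out the `device_policy` block drops the only device-posture conditions this resource could express in an access level (screen lock, encryption status, management level, corp-owned, verified Chrome OS, admin approval), and the new `# uncomment here and in the variable type to enable` comment does not tell a caller what has been lost or where the matching type lives. I would make the comment carry that, e.g. `# device_policy conditions are disabled to keep the access_levels variable type small; access levels that need device posture checks must be created outside this module. To re-enable, uncomment this block and the device_policy attribute of variable "access_levels" in variables.tf.` The same point applies to the matching hunk in modules/vpc-sc/variables.tf, which should reference this file by name. Twenty-odd commented-out lines are also not exercised by any plan, so they will drift from the provider schema; recording the provider version they were written against (a labelled placeholder until someone checks) would make re-enabling them less of a guess. The enclosing `dynamic "conditions"` block of resource `google_access_context_manager_access_level.basic` starts before and ends after this hunk.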
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index 9df6989e0..e7318de71 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
@@ -19,18 +19,19 @@ variable "access_levels" {
type = map(object({
combining_function = string
conditions = list(object({
- device_policy = object({
- require_screen_lock = bool
- allowed_encryption_statuses = list(string)
- allowed_device_management_levels = list(string)
- os_constraints = list(object({
- minimum_version = string
- os_type = string
- require_verified_chrome_os = bool
- }))
- require_admin_approval = bool
- require_corp_owned = bool
- })
+ # disabled to reduce var surface, uncomment here and in resource to enable
+ # device_policy = object({
+ # require_screen_lock = bool
+ # allowed_encryption_statuses = list(string)
+ # allowed_device_management_levels = list(string)
+ # os_constraints = list(object({
+ # minimum_version = string
+ # os_type = string
+ # require_verified_chrome_os = bool
+ # }))
+ # require_admin_approval = bool
+ # require_corp_owned = bool
+ # })
ip_subnetworks = list(string)
members = list(string)
negate = bool
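Review bot: With `device_policy` removed from the object type, an `access_levels` value that still carries a `device_policy` attribute (as the old README examples did) should, as far as I recall Terraform's object type conversion, fail with an unexpected-attribute error rather than be silently ignored, which is the safer outcome, but the `# disabled to reduce var surface, uncomment here and in resource to enable` comment does not say so or name the resource. I would change it to `# device_policy is disabled to reduce the variable surface; values that set it are rejected. To enable, uncomment here and the dynamic "device_policy" block in access_levels.tf.` The `variable "access_levels"` block starts before and ends after this hunk.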