disable device policy support in vpc-sc module
@@ -46,21 +46,18 @@ module "test" {
|
||||
a1 = {
|
||||
combining_function = null
|
||||
conditions = [{
|
||||
members = ["user:user1@example.com"],
|
||||
device_policy = null, ip_subnetworks = null, negate = null,
|
||||
regions = null, required_access_levels = null
|
||||
members = ["user:user1@example.com"], ip_subnetworks = null,
|
||||
negate = null, regions = null, required_access_levels = null
|
||||
}]
|
||||
}
|
||||
a2 = {
|
||||
combining_function = "OR"
|
||||
conditions = [{
|
||||
regions = ["IT", "FR"],
|
||||
device_policy = null, ip_subnetworks = null, members = null,
|
||||
negate = null, required_access_levels = null
|
||||
regions = ["IT", "FR"], ip_subnetworks = null,
|
||||
members = null, negate = null, required_access_levels = null
|
||||
},{
|
||||
ip_subnetworks = ["101.101.101.0/24"],
|
||||
device_policy = null, members = null, negate = null,
|
||||
regions = null, required_access_levels = null
|
||||
ip_subnetworks = ["101.101.101.0/24"], members = null,
|
||||
negate = null, regions = null, required_access_levels = null
|
||||
}]
|
||||
}
|
||||
}
|
||||
@@ -112,17 +109,15 @@ module "test" {
|
||||
a1 = {
|
||||
combining_function = null
|
||||
conditions = [{
|
||||
members = ["user:user1@example.com"],
|
||||
device_policy = null, ip_subnetworks = null, negate = null,
|
||||
regions = null, required_access_levels = null
|
||||
members = ["user:user1@example.com"], ip_subnetworks = null,
|
||||
negate = null, regions = null, required_access_levels = null
|
||||
}]
|
||||
}
|
||||
a2 = {
|
||||
combining_function = null
|
||||
conditions = [{
|
||||
members = ["user:user2@example.com"],
|
||||
device_policy = null, ip_subnetworks = null, negate = null,
|
||||
regions = null, required_access_levels = null
|
||||
members = ["user:user2@example.com"], ip_subnetworks = null,
|
||||
negate = null, regions = null, required_access_levels = null
|
||||
}]
|
||||
}
|
||||
}
|
||||
@@ -151,6 +146,7 @@ module "test" {
|
||||
|
||||
- [ ] implement support for the `google_access_context_manager_gcp_user_access_binding` resource
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
@@ -158,7 +154,7 @@ module "test" {
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| access_policy | Access Policy name, leave null to use auto-created one. | <code>string</code> | ✓ | |
|
||||
| access_levels | Map of access levels in name => [conditions] format. | <code title="map(object({ combining_function = string conditions = list(object({ device_policy = object({ require_screen_lock = bool allowed_encryption_statuses = list(string) allowed_device_management_levels = list(string) os_constraints = list(object({ minimum_version = string os_type = string require_verified_chrome_os = bool })) require_admin_approval = bool require_corp_owned = bool }) ip_subnetworks = list(string) members = list(string) negate = bool regions = list(string) required_access_levels = list(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| access_levels | Map of access levels in name => [conditions] format. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) members = list(string) negate = bool regions = list(string) required_access_levels = list(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| access_policy_create | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | <code title="object({ parent = string title = string })">object({…})</code> | | <code>null</code> |
|
||||
| service_perimeters_bridge | Bridge service perimeters. | <code title="map(object({ spec_resources = list(string) status_resources = list(string) use_explicit_dry_run_spec = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| service_perimeters_regular | Regular service perimeters. | <code title="map(object({ spec = object({ access_levels = list(string) resources = list(string) restricted_services = list(string) egress_policies = list(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) ingress_policies = list(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) vpc_accessible_services = object({ allowed_services = list(string) enable_restriction = bool }) }) status = object({ access_levels = list(string) resources = list(string) restricted_services = list(string) egress_policies = list(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) ingress_policies = list(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) vpc_accessible_services = object({ allowed_services = list(string) enable_restriction = bool }) }) use_explicit_dry_run_spec = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
@@ -178,3 +174,4 @@ module "test" {
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -33,30 +33,31 @@ resource "google_access_context_manager_access_level" "basic" {
|
||||
)
|
||||
iterator = condition
|
||||
content {
|
||||
dynamic "device_policy" {
|
||||
for_each = toset(
|
||||
condition.key.device_policy == null ? [] : [condition.key.device_policy]
|
||||
)
|
||||
iterator = device_policy
|
||||
content {
|
||||
dynamic "os_constraints" {
|
||||
for_each = toset(
|
||||
device_policy.key.os_constraints == null ? [] : device_policy.key.os_constraints
|
||||
)
|
||||
iterator = os_constraint
|
||||
content {
|
||||
minimum_version = os_constraint.key.minimum_version
|
||||
os_type = os_constraint.key.os_type
|
||||
require_verified_chrome_os = os_constraint.key.require_verified_chrome_os
|
||||
}
|
||||
}
|
||||
allowed_encryption_statuses = device_policy.key.allowed_encryption_statuses
|
||||
allowed_device_management_levels = device_policy.key.allowed_device_management_levels
|
||||
require_admin_approval = device_policy.key.require_admin_approval
|
||||
require_corp_owned = device_policy.key.require_corp_owned
|
||||
require_screen_lock = device_policy.key.require_screen_lock
|
||||
}
|
||||
}
|
||||
# uncomment here and in the variable type to enable
|
||||
# dynamic "device_policy" {
|
||||
# for_each = toset(
|
||||
# condition.key.device_policy == null ? [] : [condition.key.device_policy]
|
||||
# )
|
||||
# iterator = device_policy
|
||||
# content {
|
||||
# dynamic "os_constraints" {
|
||||
# for_each = toset(
|
||||
# device_policy.key.os_constraints == null ? [] : device_policy.key.os_constraints
|
||||
# )
|
||||
# iterator = os_constraint
|
||||
# content {
|
||||
# minimum_version = os_constraint.key.minimum_version
|
||||
# os_type = os_constraint.key.os_type
|
||||
# require_verified_chrome_os = os_constraint.key.require_verified_chrome_os
|
||||
# }
|
||||
# }
|
||||
# allowed_encryption_statuses = device_policy.key.allowed_encryption_statuses
|
||||
# allowed_device_management_levels = device_policy.key.allowed_device_management_levels
|
||||
# require_admin_approval = device_policy.key.require_admin_approval
|
||||
# require_corp_owned = device_policy.key.require_corp_owned
|
||||
# require_screen_lock = device_policy.key.require_screen_lock
|
||||
# }
|
||||
# }
|
||||
ip_subnetworks = (
|
||||
condition.key.ip_subnetworks == null ? [] : condition.key.ip_subnetworks
|
||||
)
|
||||
|
||||
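Review bot: The commented-out `dynamic "device_policy"` block kept on the new side is a verbatim copy of the removed lines, and it has to be maintained by hand in lockstep with the equally commented-out `device_policy` object type in variables.tf; the only link between the two is the `# uncomment here and in the variable type to enable` comment, and the README example and variables table that also change in this commit are not mentioned. A one-line pointer would carry the same information without dead code that drifts, e.g. `# device_policy conditions are intentionally not supported; the removed block is in this commit's history and must be re-enabled together with the access_levels variable type, README example and variables table.` The effect worth stating somewhere near the `condition` content block is that access levels built by this module can now only be restricted by `ip_subnetworks`, `members`, `regions` and `required_access_levels`, not by device state. The enclosing `resource "google_access_context_manager_access_level" "basic"` block starts before and ends after this hunk.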
@@ -19,18 +19,19 @@ variable "access_levels" {
|
||||
type = map(object({
|
||||
combining_function = string
|
||||
conditions = list(object({
|
||||
device_policy = object({
|
||||
require_screen_lock = bool
|
||||
allowed_encryption_statuses = list(string)
|
||||
allowed_device_management_levels = list(string)
|
||||
os_constraints = list(object({
|
||||
minimum_version = string
|
||||
os_type = string
|
||||
require_verified_chrome_os = bool
|
||||
}))
|
||||
require_admin_approval = bool
|
||||
require_corp_owned = bool
|
||||
})
|
||||
# disabled to reduce var surface, uncomment here and in resource to enable
|
||||
# device_policy = object({
|
||||
# require_screen_lock = bool
|
||||
# allowed_encryption_statuses = list(string)
|
||||
# allowed_device_management_levels = list(string)
|
||||
# os_constraints = list(object({
|
||||
# minimum_version = string
|
||||
# os_type = string
|
||||
# require_verified_chrome_os = bool
|
||||
# }))
|
||||
# require_admin_approval = bool
|
||||
# require_corp_owned = bool
|
||||
# })
|
||||
ip_subnetworks = list(string)
|
||||
members = list(string)
|
||||
negate = bool
|
||||
|
||||
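Review bot: With `device_policy` dropped from the `conditions` object type, a caller that still sets it in `var.access_levels` may not get a clear error: Terraform's object-to-object conversion can silently discard attributes absent from the declared type (confirm against the Terraform version this module pins), so a `require_corp_owned` or `require_screen_lock` restriction would vanish from the access level without a plan-time failure, leaving a weaker condition than the caller wrote. Since no `validation` block can see an attribute that conversion already discarded, the variable `description` (outside this hunk, but visible in the README table) is the place to warn, e.g. `description = "Map of access levels in name => [conditions] format. Device policy conditions are not supported and a device_policy attribute is ignored."` The commented-out type on the new side mirrors the removed lines verbatim and must be kept in sync with the commented-out block in main.tf by hand. The `variable "access_levels"` block starts before and ends after this hunk.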