- Fixes based on PR comments
- Moving module under Security - Formatting TF files
@@ -6,7 +6,7 @@ This module allows managing VPC Service Control (VPC-SC) properties:
|
||||
- [Access Levels](https://cloud.google.com/access-context-manager/docs/manage-access-levels)
|
||||
- [VPC-SC Perimeters](https://cloud.google.com/vpc-service-controls/docs/service-perimeters)
|
||||
|
||||
Before you begin, check you are running the script with a service account having the [correct permissions](https://cloud.google.com/access-context-manager/docs/access-control) to use Access Context Manager.
|
||||
The Use of this module requires credentials with the [correct permissions](https://cloud.google.com/access-context-manager/docs/access-control) to use Access Context Manager.
|
||||
|
||||
## Example VCP-SC standard perimeter
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
*/
|
||||
|
||||
locals {
|
||||
access_policy_name = try(google_access_context_manager_access_policy.default[var.access_policy_title].name, null)
|
||||
access_policy_name = google_access_context_manager_access_policy.default.name
|
||||
|
||||
standard_perimeters = {
|
||||
for key, value in var.perimeters :
|
||||
@@ -32,9 +32,8 @@ locals {
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_policy" "default" {
|
||||
for_each = toset([var.access_policy_title])
|
||||
parent = "organizations/${var.org_id}"
|
||||
title = each.key
|
||||
parent = "organizations/${var.org_id}"
|
||||
title = var.access_policy_title
|
||||
}
|
||||
|
||||
resource "google_access_context_manager_access_level" "default" {
|
||||
@@ -48,10 +47,10 @@ resource "google_access_context_manager_access_level" "default" {
|
||||
|
||||
content {
|
||||
combining_function = try(each.value.combining_function, null)
|
||||
conditions {
|
||||
ip_subnetworks = try(basic.value.ip_subnetworks,null)
|
||||
members = try(basic.value.members,null)
|
||||
negate = try(basic.value.negate,null)
|
||||
conditions {
|
||||
ip_subnetworks = try(basic.value.ip_subnetworks, null)
|
||||
members = try(basic.value.members, null)
|
||||
negate = try(basic.value.negate, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -70,18 +69,23 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
||||
for_each = each.value.enforced_config != null ? [""] : []
|
||||
|
||||
content {
|
||||
resources = formatlist("projects/%s", try(lookup(var.perimeter_projects, each.key, {}).enforced, []))
|
||||
restricted_services = each.value.enforced_config.restricted_services
|
||||
access_levels = formatlist("accessPolicies/${local.access_policy_name}/accessLevels/%s", try(lookup(local.perimeter_access_levels_enforced, each.key, []), []))
|
||||
resources = formatlist(
|
||||
"projects/%s", try(lookup(var.perimeter_projects, each.key, {}).enforced, [])
|
||||
)
|
||||
restricted_services = each.value.enforced_config.restricted_services
|
||||
access_levels = formatlist(
|
||||
"accessPolicies/${local.access_policy_name}/accessLevels/%s",
|
||||
try(lookup(local.perimeter_access_levels_enforced, each.key, []), [])
|
||||
)
|
||||
|
||||
dynamic "vpc_accessible_services" {
|
||||
for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
|
||||
dynamic "vpc_accessible_services" {
|
||||
for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []
|
||||
|
||||
content {
|
||||
enable_restriction = true
|
||||
allowed_services = each.value.enforced_config.vpc_accessible_services
|
||||
}
|
||||
content {
|
||||
enable_restriction = true
|
||||
allowed_services = each.value.enforced_config.vpc_accessible_services
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
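Review bot: The guard `for_each = each.value.enforced_config.vpc_accessible_services != [] ? [""] : []` on the `vpc_accessible_services` dynamic block (second printing, which I take to be the new side) compares a `list(string)` attribute against the empty tuple literal, which is type-sensitive, and a `null` value compares as not-equal, so a caller that sets the attribute to null gets a block with `enable_restriction = true` and `allowed_services = null`. The test `for_each = try(length(each.value.enforced_config.vpc_accessible_services), 0) > 0 ? [""] : []` only enables the restriction when there is at least one service to allow and treats null and empty alike. The dry-run hunk below carries the same `!= []` pattern inside its `try()` and would take the same change. The enclosing `google_access_context_manager_service_perimeter.standard` resource starts and ends outside this hunk.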
@@ -91,22 +95,26 @@ resource "google_access_context_manager_service_perimeter" "standard" {
|
||||
for_each = each.value.dry_run_config != null ? [""] : []
|
||||
|
||||
content {
|
||||
resources = formatlist("projects/%s", try(lookup(var.perimeter_projects, each.key, {}).dry_run, []))
|
||||
resources = formatlist(
|
||||
"projects/%s", try(lookup(var.perimeter_projects, each.key, {}).dry_run, [])
|
||||
)
|
||||
restricted_services = try(each.value.dry_run_config.restricted_services, null)
|
||||
access_levels = formatlist("accessPolicies/${local.access_policy_name}/accessLevels/%s", try(lookup(local.perimeter_access_levels_dry_run, each.key, []), []))
|
||||
|
||||
access_levels = formatlist(
|
||||
"accessPolicies/${local.access_policy_name}/accessLevels/%s",
|
||||
try(lookup(local.perimeter_access_levels_dry_run, each.key, []), [])
|
||||
)
|
||||
|
||||
dynamic "vpc_accessible_services" {
|
||||
for_each = try(each.value.dry_run_config.vpc_accessible_services != [] ? [""] : [],[])
|
||||
for_each = try(each.value.dry_run_config.vpc_accessible_services != [] ? [""] : [], [])
|
||||
|
||||
content {
|
||||
enable_restriction = true
|
||||
allowed_services = try(each.value.dry_run_config.vpc_accessible_services, null)
|
||||
allowed_services = try(each.value.dry_run_config.vpc_accessible_services, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Uncomment if used alongside `google_access_context_manager_service_perimeter_resource`,
|
||||
# so they don't fight over which resources should be in the policy.
|
||||
# lifecycle {
|
||||
@@ -152,6 +160,6 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
|
||||
|
||||
depends_on = [
|
||||
google_access_context_manager_service_perimeter.standard,
|
||||
google_access_context_manager_access_level.default,
|
||||
google_access_context_manager_access_level.default,
|
||||
]
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
output "org_id" {
|
||||
description = "Organization id dependent on module resources."
|
||||
value = var.org_id
|
||||
depends_on = [
|
||||
depends_on = [
|
||||
google_organization_iam_audit_config,
|
||||
google_organization_iam_binding.authoritative,
|
||||
google_organization_iam_custom_role.roles,
|
||||
@@ -34,7 +34,7 @@ output "access_policy_name" {
|
||||
|
||||
output "access_levels" {
|
||||
description = "Access Levels."
|
||||
value = {
|
||||
value = {
|
||||
for key, value in google_access_context_manager_access_level.default :
|
||||
key => value
|
||||
}
|
||||
@@ -42,7 +42,7 @@ output "access_levels" {
|
||||
|
||||
output "perimeters_standard" {
|
||||
description = "VPC-SC standard perimeter resources."
|
||||
value = {
|
||||
value = {
|
||||
for key, value in google_access_context_manager_service_perimeter.standard :
|
||||
key => value
|
||||
}
|
||||
@@ -50,7 +50,7 @@ output "perimeters_standard" {
|
||||
|
||||
output "perimeters_bridge" {
|
||||
description = "VPC-SC bridge perimeter resources."
|
||||
value = {
|
||||
value = {
|
||||
for key, value in google_access_context_manager_service_perimeter.bridge :
|
||||
key => value
|
||||
}
|
||||
|
||||
@@ -16,12 +16,12 @@
|
||||
|
||||
variable "access_levels" {
|
||||
description = "Access Levels."
|
||||
type = map(object({
|
||||
type = map(object({
|
||||
combining_function = string
|
||||
conditions = list(object({
|
||||
ip_subnetworks = list(string)
|
||||
members = list(string)
|
||||
negate = string
|
||||
conditions = list(object({
|
||||
ip_subnetworks = list(string)
|
||||
members = list(string)
|
||||
negate = string
|
||||
}))
|
||||
}))
|
||||
default = {}
|
||||
@@ -46,8 +46,8 @@ variable "org_id" {
|
||||
variable "perimeters" {
|
||||
description = "Set of Perimeters."
|
||||
type = map(object({
|
||||
type = string
|
||||
dry_run_config = object({
|
||||
type = string
|
||||
dry_run_config = object({
|
||||
restricted_services = list(string)
|
||||
vpc_accessible_services = list(string)
|
||||
})
|
||||
|
||||