From 91b40dc9c3e8aca956405f2a038cb537358a73e7 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 4 Jan 2022 13:02:38 +0100
Subject: [PATCH] Interpolate access levels by key in vpc sc module (#414)
* interpolate access levels by key
* fix access level reference
* fix num resources in last README test
---
 modules/vpc-sc/README.md | 21 ++++++++++++--------
 modules/vpc-sc/service_perimeters_regular.tf | 14 +++++++++++--
 tests/modules/vpc_sc/fixture/main.tf | 2 +-
 3 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index a7bcaf4f1..55a066a11 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -46,7 +46,7 @@ module "test" {
 a1 = {
 combining_function = null
 conditions = [{
- members = ["user:ludomagno@google.com"],
+ members = ["user:user1@example.com"],
 device_policy = null, ip_subnetworks = null, negate = null,
 regions = null, required_access_levels = null
 }]
@@ -74,7 +74,7 @@ Bridge and regular service perimeters use two separate variables, as bridge peri The regular perimeters variable exposes all the complexity of the underlying resource, use [its documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter) as a reference about the possible values and configurations. -If you need to refer to access levels created by the same module in regular service perimeters, simply use the module's outputs in the provided variables. The example below shows how to do this in practice. +If you need to refer to access levels created by the same module in regular service perimeters, you can either use the module's outputs in the provided variables, or the key used to identify the relevant access level. The example below shows how to do this in practice. /* Resources for both perimeters have a `lifecycle` block that ignores changes to `spec` and `status` resources (projects), to allow using the additive resource `google_access_context_manager_service_perimeter_resource` at project creation. If this is not needed, the `lifecycle` blocks can be safely commented in the code. @@ -112,7 +112,15 @@ module "test" { a1 = { combining_function = null conditions = [{ - members = ["user:ludomagno@google.com"], + members = ["user:user1@example.com"], + device_policy = null, ip_subnetworks = null, negate = null, + regions = null, required_access_levels = null + }] + } + a2 = { + combining_function = null + conditions = [{ + members = ["user:user2@example.com"], device_policy = null, ip_subnetworks = null, negate = null, regions = null, required_access_levels = null }] @@ -122,7 +130,7 @@ module "test" { r1 = { spec = null status = { - access_levels = [module.test.access_level_names["a1"]] + access_levels = [module.test.access_level_names["a1"], "a2"] resources = ["projects/11111", "projects/111111"] restricted_services = ["storage.googleapis.com"] egress_policies = null 
@@ -136,16 +144,13 @@ module "test" {
 }
 }
 }
-# tftest:modules=1:resources=2
+# tftest:modules=1:resources=3
 ```
 ## TODO
 - [ ] implement support for the `google_access_context_manager_gcp_user_access_binding` resource
-
-
-
 ## Variables
diff --git a/modules/vpc-sc/service_perimeters_regular.tf b/modules/vpc-sc/service_perimeters_regular.tf
index e93ea5a63..c7ea4a1f8 100644
--- a/modules/vpc-sc/service_perimeters_regular.tf
+++ b/modules/vpc-sc/service_perimeters_regular.tf
@@ -28,7 +28,12 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 dynamic "spec" {
 for_each = each.value.spec == null ? {} : { 1 = 1 }
 content {
- access_levels = each.value.spec.access_levels
+ access_levels = (
+ each.value.spec.access_levels == null ? null : [
+ for k in each.value.spec.access_levels :
+ try(google_access_context_manager_access_level.basic[k].id, k)
+ ]
+ )
 resources = each.value.spec.resources
 restricted_services = each.value.spec.restricted_services
 # begin egress_policies
@@ -167,7 +172,12 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 dynamic "status" {
 for_each = each.value.status == null ? {} : { 1 = 1 }
 content {
- access_levels = each.value.status.access_levels
+ access_levels = (
+ each.value.status.access_levels == null ? null : [
+ for k in each.value.status.access_levels :
+ try(google_access_context_manager_access_level.basic[k].id, k)
+ ]
+ )
 resources = each.value.status.resources
 restricted_services = each.value.status.restricted_services
 # begin egress_policies
diff --git a/tests/modules/vpc_sc/fixture/main.tf b/tests/modules/vpc_sc/fixture/main.tf
index e7501b762..29cc672bc 100644
--- a/tests/modules/vpc_sc/fixture/main.tf
+++ b/tests/modules/vpc_sc/fixture/main.tf
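Review bot: The `try(google_access_context_manager_access_level.basic[k].id, k)` fallback in the new `spec` `access_levels` expression passes any key that is not found among the module's access levels through to the API verbatim, so a typo in a key meant to reference a module-managed level is not caught at plan time and only surfaces as an API error at apply — or, if the mistyped string happens to equal the full name of an existing external access level, is presumably accepted silently as a reference to that level. A variable `validation` block cannot reach across variables in Terraform releases of this period, so the contract should at least be stated in the code, e.g. `# keys of this module's access levels resolve to the created level id; any other string (e.g. a full accessPolicies/.../accessLevels/... name) is passed through unchanged and is only validated by the API`, and the README sentence introducing the key shorthand should say the same. The enclosing `resource "google_access_context_manager_service_perimeter" "regular"` block begins before and ends after this hunk.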
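Review bot: The resolution expression in the `status` block is a byte-for-byte copy of the one added to the `spec` block earlier in this file, and the two will drift the next time either is touched; hoisting the per-perimeter resolved `spec`/`status` access-level lists into a `locals` map (one `for` over the resource's `for_each` input) and reading them from both `dynamic` blocks would keep a single definition of how a key is resolved. Separately, the README states that the perimeter resources carry a `lifecycle` block ignoring changes to `spec` and `status` resources — if that `ignore_changes` covers the whole `status` block rather than only `status[0].resources`, an access level added or removed through this new key path after initial creation would never be applied, which for a perimeter's ingress controls is a fail-open condition; that block is outside the hunk, so please confirm it is scoped to `resources` only. The enclosing resource block begins and ends outside this hunk.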
@@ -103,7 +103,7 @@ module "test" {
 r2 = {
 spec = null
 status = {
- access_levels = [module.test.access_level_names["a1"]]
+ access_levels = [module.test.access_level_names["a1"], "a2"]
 resources = ["projects/222220", "projects/222221"]
 restricted_services = ["storage.googleapis.com"]
 egress_policies = [
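Review bot: The fixture exercises the new key shorthand only through the `status` block of `r2` (its `spec` is `null`), so the identical resolution added to the perimeter's `spec` block has no coverage here unless another perimeter in this fixture sets `spec`, which is not visible in the hunk. It would also be worth asserting the resolved value rather than only the resource count: the test consuming this fixture should check that the planned `status[0].access_levels` contains the full `accessPolicies/.../accessLevels/a2` id and not the bare string `"a2"`, since the `try(...)` fallback would otherwise let a mis-keyed reference through without any test failing. The `module "test"` block continues outside this hunk.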