Use additive resource for perimeter resources in vpc-sc module when ignore changes is set (#3628)

* module changes * fix module
2026-01-08 13:09:09 +01:00
parent 5374899b36
commit a3e09197c7
4 changed files with 242 additions and 22 deletions
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -20,6 +20,8 @@ If you are using [Application Default Credentials](https://cloud.google.com/sdk/
 - [Variables](#variables)
 - [Outputs](#outputs)
 - [Tests](#tests)
+  - [Authoritative resources](#authoritative-resources)
+  - [Additive resources](#additive-resources)
 <!-- END TOC -->

 ## Examples
@@ -390,7 +392,7 @@ to:
 | [iam.tf](./iam.tf) | IAM bindings | <code>google_access_context_manager_access_policy_iam_binding</code> · <code>google_access_context_manager_access_policy_iam_member</code> |
 | [main.tf](./main.tf) | Module-level locals and resources. | <code>google_access_context_manager_access_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
-| [perimeters-additive.tf](./perimeters-additive.tf) | Regular service perimeter resources which ignore resource changes. | <code>google_access_context_manager_service_perimeter</code> |
+| [perimeters-additive.tf](./perimeters-additive.tf) | Regular service perimeter resources which ignore resource changes. | <code>google_access_context_manager_service_perimeter</code> · <code>google_access_context_manager_service_perimeter_dry_run_resource</code> · <code>google_access_context_manager_service_perimeter_resource</code> |
 | [perimeters.tf](./perimeters.tf) | Regular service perimeter resources. | <code>google_access_context_manager_service_perimeter</code> |
 | [variables.tf](./variables.tf) | Module variables. |  |
 | [versions.tf](./versions.tf) | Version pins. |  |
@@ -425,6 +427,8 @@ to:
 <!-- END TFDOC -->
 ## Tests

+### Authoritative resources
+
 ```hcl
 module "test" {
  source        = "./fabric/modules/vpc-sc"
@@ -492,3 +496,81 @@ to:
    - "*"
 # tftest-file id=t1e1 path=data/egress-policies/factory-egress-policy.yaml schema=egress-policy.schema.json
 ```
+
+### Additive resources
+
+```hcl
+module "test" {
+  source        = "./fabric/modules/vpc-sc"
+  access_policy = "12345678"
+  factories_config = {
+    access_levels    = "data/access-levels"
+    egress_policies  = "data/egress-policies"
+    ingress_policies = "data/ingress-policies"
+    perimeters       = "data/perimeters"
+  }
+  ingress_policies = {
+    variable-policy = {
+      from = {
+        identities = [
+          "serviceAccount:sa-0@myproject.iam.gserviceaccount.com"
+        ]
+        access_levels = ["*"]
+      }
+      to = {
+        operations = [{ service_name = "*" }]
+        resources  = ["*"]
+      }
+    }
+  }
+}
+# tftest modules=1 resources=3 files=p0,t1a1,t1i1,t1e1 inventory=additive.yaml
+```
+
+```yaml
+description: Main perimeter
+ignore_resource_changes: true
+use_explicit_dry_run_spec: true
+spec:
+  access_levels:
+    - geo-it
+  resources:
+    - projects/1111
+  egress_policies:
+    - factory-egress-policy
+  ingress_policies:
+    - variable-policy
+    - factory-ingress-policy
+# tftest-file id=p0 path=data/perimeters/default.yaml schema=perimeter.schema.json
+```
+
+```yaml
+conditions:
+  - regions:
+      - IT
+# tftest-file id=t1a1 path=data/access-levels/geo-it.yaml schema=access-level.schema.json
+```
+
+```yaml
+from:
+  access_levels:
+    - geo-it
+  identity_type: ANY_IDENTITY
+to:
+  operations:
+    - service_name: "*"
+  resources:
+    - projects/1234567890
+# tftest-file id=t1i1 path=data/ingress-policies/factory-ingress-policy.yaml schema=ingress-policy.schema.json
+```
+
+```yaml
+from:
+  identity_type: ANY_IDENTITY
+to:
+  operations:
+    - service_name: "*"
+  resources:
+    - "*"
+# tftest-file id=t1e1 path=data/egress-policies/factory-egress-policy.yaml schema=egress-policy.schema.json
+```
--- a/modules/vpc-sc/perimeters-additive.tf
+++ b/modules/vpc-sc/perimeters-additive.tf
@@ -16,6 +16,31 @@

 # tfdoc:file:description Regular service perimeter resources which ignore resource changes.

+locals {
+  perimeters_additive = {
+    for k, v in google_access_context_manager_service_perimeter.additive :
+    k => v.id
+  }
+  spec_additive_resources = flatten([
+    for k, v in local.perimeters : [
+      for vv in try(v.spec.resources, []) : {
+        key       = "${k}/${vv}"
+        perimeter = k
+        resource  = vv
+      }
+    ] if v.ignore_resource_changes
+  ])
+  status_additive_resources = flatten([
+    for k, v in local.perimeters : [
+      for vv in try(v.status.resources, []) : {
+        key       = "${k}/${vv}"
+        perimeter = k
+        resource  = vv
+      }
+    ] if v.ignore_resource_changes
+  ])
+}
+
 resource "google_access_context_manager_service_perimeter" "additive" {
  for_each = {
    for k, v in local.perimeters : k => v if v.ignore_resource_changes
@@ -36,14 +61,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
          try(google_access_context_manager_access_level.basic[k].id, k)
        ]
      )
-      resources = flatten([
-        for r in spec.value.resources : try(
-          local.ctx.resource_sets[r],
-          [local.ctx.project_numbers[r]],
-          [local.project_numbers[r]],
-          [r]
-        )
-      ])
+      # use additive resources below to avoid overriding externally defined ones
      restricted_services = flatten([
        for r in coalesce(spec.value.restricted_services, []) :
        lookup(local.ctx.service_sets, r, [r])
@@ -234,13 +252,7 @@ resource "google_access_context_manager_service_perimeter" "additive" {
          try(google_access_context_manager_access_level.basic[k].id, k)
        ]
      )
-      resources = flatten([
-        for r in status.value.resources : try(
-          local.ctx.resource_sets[r],
-          [local.ctx.project_numbers[r]],
-          [local.project_numbers[r]], [r]
-        )
-      ])
+      # use additive resources below to avoid overriding externally defined ones
      restricted_services = flatten([
        for r in coalesce(status.value.restricted_services, []) :
        lookup(local.ctx.service_sets, r, [r])
@@ -438,3 +450,23 @@ resource "google_access_context_manager_service_perimeter" "additive" {
    google_access_context_manager_access_level.basic
  ]
 }
+
+resource "google_access_context_manager_service_perimeter_resource" "default" {
+  for_each       = { for v in local.status_additive_resources : v.key => v }
+  perimeter_name = local.perimeters_additive[each.value.perimeter]
+  resource = try(
+    local.ctx.project_numbers[each.value.resource],
+    local.project_numbers[each.value.resource],
+    each.value.resource
+  )
+}
+
+resource "google_access_context_manager_service_perimeter_dry_run_resource" "default" {
+  for_each       = { for v in local.spec_additive_resources : v.key => v }
+  perimeter_name = local.perimeters_additive[each.value.perimeter]
+  resource = try(
+    local.ctx.project_numbers[each.value.resource],
+    local.project_numbers[each.value.resource],
+    each.value.resource
+  )
+}