kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor vps-sc module for Terraform 1.3 (#963)

Browse Source 
* wip

* example tests

* module tests

* streamline example

* fast

* tfdoc

* use collections.Counter in tests
This commit is contained in:
Ludovico Magnocavallo
2022-11-10 19:34:45 +01:00
committed by GitHub
parent b7bfcf3575
commit a9c47681d8
13 changed files with 715 additions and 803 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
modules/vpc-sc/service-perimeters-regular.tf
View File

@@ -14,6 +14,8 @@
* limitations under the License.
*/
# tfdoc:file:description Regular service perimeter resources.
# this code implements "additive" service perimeters, if "authoritative"
# service perimeters are needed, switch to the
# google_access_context_manager_service_perimeters resource
@@ -26,7 +28,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
perimeter_type = "PERIMETER_TYPE_REGULAR"
use_explicit_dry_run_spec = each.value.use_explicit_dry_run_spec
dynamic "spec" {
for_each = each.value.spec == null ? {} : { 1 = 1 }
for_each = each.value.spec == null ? [] : [""]
content {
access_levels = (
each.value.spec.access_levels == null ? null : [
@@ -36,43 +38,33 @@ resource "google_access_context_manager_service_perimeter" "regular" {
)
resources = each.value.spec.resources
restricted_services = each.value.spec.restricted_services
# begin egress_policies
dynamic "egress_policies" {
for_each = toset(
each.value.spec.egress_policies == null
? []
: each.value.spec.egress_policies
)
for_each = each.value.spec.egress_policies == null ? {} : {
for k in each.value.spec.egress_policies :
k => lookup(var.egress_policies, k, null)
if contains(keys(var.egress_policies), k)
}
iterator = policy
content {
# begin egress_from
dynamic "egress_from" {
for_each = policy.key.egress_from == null ? {} : { 1 = 1 }
for_each = policy.value.from == null ? [] : [""]
content {
identity_type = policy.key.egress_from.identity_type
identities = policy.key.egress_from.identities
identity_type = policy.value.from.identity_type
identities = policy.value.from.identities
}
}
# end egress_from
# begin egress_to
dynamic "egress_to" {
for_each = policy.key.egress_to == null ? {} : { 1 = 1 }
for_each = policy.value.to == null ? [] : [""]
content {
resources = policy.key.egress_to.resources
resources = policy.value.to.resources
dynamic "operations" {
for_each = toset(
policy.key.egress_to.operations == null
? []
: policy.key.egress_to.operations
)
for_each = toset(policy.value.to.operations)
iterator = o
content {
service_name = operations.key.service_name
service_name = o.value.service_name
dynamic "method_selectors" {
for_each = toset(
operations.key.method_selectors == null
? []
: operations.key.method_selectors
)
for_each = toset(coalesce(o.value.method_selectors, []))
content {
method = method_selectors.key
}
@@ -81,82 +73,61 @@ resource "google_access_context_manager_service_perimeter" "regular" {
}
}
}
# end egress_to
}
}
# end egress_policies
# begin ingress_policies
dynamic "ingress_policies" {
for_each = toset(
each.value.spec.ingress_policies == null
? []
: each.value.spec.ingress_policies
)
for_each = each.value.spec.ingress_policies == null ? {} : {
for k in each.value.spec.ingress_policies :
k => lookup(var.ingress_policies, k, null)
if contains(keys(var.ingress_policies), k)
}
iterator = policy
content {
# begin ingress_from
dynamic "ingress_from" {
for_each = policy.key.ingress_from == null ? {} : { 1 = 1 }
for_each = policy.value.from == null ? [] : [""]
content {
identity_type = policy.key.ingress_from.identity_type
identities = policy.key.ingress_from.identities
# begin sources
identity_type = policy.value.from.identity_type
identities = policy.value.from.identities
dynamic "sources" {
for_each = toset(
policy.key.ingress_from.source_access_levels == null
? []
: policy.key.ingress_from.source_access_levels
)
for_each = toset(policy.value.from.access_levels)
iterator = s
content {
access_level = sources.key
access_level = try(
google_access_context_manager_access_level.basic[s.value].id, s.value
)
}
}
dynamic "sources" {
for_each = toset(
policy.key.ingress_from.source_resources == null
? []
: policy.key.ingress_from.source_resources
)
for_each = toset(policy.value.from.resources)
content {
resource = sources.key
}
}
# end sources
}
}
# end ingress_from
# begin ingress_to
dynamic "ingress_to" {
for_each = policy.key.ingress_to == null ? {} : { 1 = 1 }
for_each = policy.value.to == null ? [] : [""]
content {
resources = policy.key.ingress_to.resources
resources = policy.value.to.resources
dynamic "operations" {
for_each = toset(
policy.key.ingress_to.operations == null
? []
: policy.key.ingress_to.operations
)
for_each = toset(policy.value.to.operations)
iterator = o
content {
service_name = operations.key.service_name
service_name = o.value.service_name
dynamic "method_selectors" {
for_each = toset(
operations.key.method_selectors == null
? []
: operations.key.method_selectors
)
for_each = toset(coalesce(o.value.method_selectors, []))
content {
method = method_selectors.key
method = method_selectors.value
}
}
}
}
}
}
# end ingress_to
}
}
# end ingress_policies
# begin vpc_accessible_services
dynamic "vpc_accessible_services" {
for_each = each.value.spec.vpc_accessible_services == null ? {} : { 1 = 1 }
content {
@@ -164,7 +135,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
enable_restriction = each.value.spec.vpc_accessible_services.enable_restriction
}
}
# end vpc_accessible_services
}
}
dynamic "status" {
@@ -178,43 +149,33 @@ resource "google_access_context_manager_service_perimeter" "regular" {
)
resources = each.value.status.resources
restricted_services = each.value.status.restricted_services
# begin egress_policies
dynamic "egress_policies" {
for_each = toset(
each.value.status.egress_policies == null
? []
: each.value.status.egress_policies
)
for_each = each.value.spec.egress_policies == null ? {} : {
for k in each.value.spec.egress_policies :
k => lookup(var.egress_policies, k, null)
if contains(keys(var.egress_policies), k)
}
iterator = policy
content {
# begin egress_from
dynamic "egress_from" {
for_each = policy.key.egress_from == null ? {} : { 1 = 1 }
for_each = policy.value.from == null ? [] : [""]
content {
identity_type = policy.key.egress_from.identity_type
identities = policy.key.egress_from.identities
identity_type = policy.value.from.identity_type
identities = policy.value.from.identities
}
}
# end egress_from
# begin egress_to
dynamic "egress_to" {
for_each = policy.key.egress_to == null ? {} : { 1 = 1 }
for_each = policy.value.to == null ? [] : [""]
content {
resources = policy.key.egress_to.resources
resources = policy.value.to.resources
dynamic "operations" {
for_each = toset(
policy.key.egress_to.operations == null
? []
: policy.key.egress_to.operations
)
for_each = toset(policy.value.to.operations)
iterator = o
content {
service_name = operations.key.service_name
service_name = o.value.service_name
dynamic "method_selectors" {
for_each = toset(
operations.key.method_selectors == null
? []
: operations.key.method_selectors
)
for_each = toset(coalesce(o.value.method_selectors, []))
content {
method = method_selectors.key
}
@@ -223,82 +184,61 @@ resource "google_access_context_manager_service_perimeter" "regular" {
}
}
}
# end egress_to
}
}
# end egress_policies
# begin ingress_policies
dynamic "ingress_policies" {
for_each = toset(
each.value.status.ingress_policies == null
? []
: each.value.status.ingress_policies
)
for_each = each.value.spec.ingress_policies == null ? {} : {
for k in each.value.spec.ingress_policies :
k => lookup(var.ingress_policies, k, null)
if contains(keys(var.ingress_policies), k)
}
iterator = policy
content {
# begin ingress_from
dynamic "ingress_from" {
for_each = policy.key.ingress_from == null ? {} : { 1 = 1 }
for_each = policy.value.from == null ? [] : [""]
content {
identity_type = policy.key.ingress_from.identity_type
identities = policy.key.ingress_from.identities
# begin sources
identity_type = policy.value.from.identity_type
identities = policy.value.from.identities
dynamic "sources" {
for_each = toset(
policy.key.ingress_from.source_access_levels == null
? []
: policy.key.ingress_from.source_access_levels
)
for_each = toset(policy.value.from.access_levels)
iterator = s
content {
access_level = sources.key
access_level = try(
google_access_context_manager_access_level.basic[s.value].id, s.value
)
}
}
dynamic "sources" {
for_each = toset(
policy.key.ingress_from.source_resources == null
? []
: policy.key.ingress_from.source_resources
)
for_each = toset(policy.value.from.resources)
content {
resource = sources.key
}
}
# end sources
}
}
# end ingress_from
# begin ingress_to
dynamic "ingress_to" {
for_each = policy.key.ingress_to == null ? {} : { 1 = 1 }
for_each = policy.value.to == null ? [] : [""]
content {
resources = policy.key.ingress_to.resources
resources = policy.value.to.resources
dynamic "operations" {
for_each = toset(
policy.key.ingress_to.operations == null
? []
: policy.key.ingress_to.operations
)
for_each = toset(policy.value.to.operations)
iterator = o
content {
service_name = operations.key.service_name
service_name = o.value.service_name
dynamic "method_selectors" {
for_each = toset(
operations.key.method_selectors == null
? []
: operations.key.method_selectors
)
for_each = toset(coalesce(o.value.method_selectors, []))
content {
method = method_selectors.key
method = method_selectors.value
}
}
}
}
}
}
# end ingress_to
}
}
# end ingress_policies
# begin vpc_accessible_services
dynamic "vpc_accessible_services" {
for_each = each.value.status.vpc_accessible_services == null ? {} : { 1 = 1 }
content {
@@ -306,7 +246,7 @@ resource "google_access_context_manager_service_perimeter" "regular" {
enable_restriction = each.value.status.vpc_accessible_services.enable_restriction
}
}
# end vpc_accessible_services
}
}
# lifecycle {