diff --git a/modules/organization/README.md b/modules/organization/README.md
index 53ac2cbb5..e38e62f94 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -36,6 +36,8 @@ module "org" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| org_id | Organization id in nnnnnn format. | number | ✓ | |
+| *access_policy_name* | Access Policy name. No Access Policy will be created. | string | | null |
+| *access_policy_title* | Access Policy title to be created. | string | | |
| *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
| *iam_additive_members* | Map of member lists used to set non authoritative bindings, keyed by role. | map(list(string)) | | {} |
| *iam_additive_roles* | List of roles used to set non authoritative bindings. | list(string) | | [] |
@@ -44,10 +46,13 @@ module "org" {
| *iam_roles* | List of roles used to set authoritative bindings. | list(string) | | [] |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} |
+| *vpc_sc_perimeters* | Set of Perimeters. | map(object({...})) | | {} |
+| *vpc_sc_perimeters_projects* | Perimeter - Project Number mapping in `projects/project_number` format.. | map(list(string)) | | {} |
## Outputs
| name | description | sensitive |
|---|---|:---:|
+| access_policy | Access Policy name. | |
| org_id | Organization id dependent on module resources. | |
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index b243d9d95..37f43c787 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -63,6 +63,10 @@ resource "google_access_context_manager_service_perimeter" "standard" {
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
restricted_services = each.value.restricted_services
}
+
+ lifecycle {
+ ignore_changes = [status[0].resources]
+ }
}
resource "google_access_context_manager_service_perimeter" "bridge" {
@@ -75,6 +79,11 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
resources = formatlist("projects/%s", lookup(var.vpc_sc_perimeters_projects, each.key, []))
restricted_services = each.value.restricted_services
}
+
+ lifecycle {
+ ignore_changes = [status[0].resources]
+ }
+
depends_on = [
google_access_context_manager_service_perimeter.standard,
]
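Review bot: The empty line added between the `lifecycle` block and `depends_on` is stray; the `standard` perimeter in the hunk above does not carry one, and the two blocks otherwise mirror each other. The same caveat applies here: with `status[0].resources` ignored, bridge membership is no longer reconciled from `vpc_sc_perimeters_projects` after creation, which deserves a one-line comment on the lifecycle block rather than being left implicit. The resource header and the start of its body lie above the hunk.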
diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf
index 2a829c4dd..c0cc469cf 100644
--- a/modules/organization/outputs.tf
+++ b/modules/organization/outputs.tf
@@ -26,3 +26,8 @@ output "org_id" {
google_organization_policy.list
]
}
+
+output "access_policy" {
+ description = "Access Policy name."
+ value = local.access_policy_name
+}
\ No newline at end of file
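Review bot: The file loses its trailing newline with this addition (`\ No newline at end of file`); add one after the closing brace so the next change does not show a spurious diff on this line. The description `"Access Policy name."` could also say where the value comes from, since `local.access_policy_name` is defined outside this hunk and, judging by the README entries for `access_policy_name` and `access_policy_title`, may be either a caller-supplied name or the one the module creates — something like `description = "Name of the Access Policy used by the perimeters, either the one passed in access_policy_name or the one created from access_policy_title."`, if that matches the local's definition.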
diff --git a/modules/project/README.md b/modules/project/README.md
index 582b7b295..bdb8cfda8 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -75,6 +75,8 @@ module "project" {
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} |
| *prefix* | Prefix used to generate project id and name. | string | | null |
| *services* | Service APIs to enable. | list(string) | | [] |
+| *vpc_sc_perimeter* | Name of the VPC-SC perimeter the project belong to. | string | | null |
+| *vpc_sc_perimeter_bridges* | List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name} | list(string) | | [] |
## Outputs
diff --git a/modules/project/main.tf b/modules/project/main.tf
index 7e4aaeb0b..f1c74413b 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -201,3 +201,18 @@ resource "google_project_organization_policy" "list" {
}
}
}
+
+resource "google_access_context_manager_service_perimeter_resource" "standard" {
+ count = var.vpc_sc_perimeter != "" ? 1 : 0
+ perimeter_name = var.vpc_sc_perimeter
+ resource = format("projects/%s", google_project.project.number)
+}
+
+resource "google_access_context_manager_service_perimeter_resource" "bridges" {
+ count = length(var.vpc_sc_perimeter_bridges)
+ perimeter_name = var.vpc_sc_perimeter_bridges[count.index]
+ resource = format("projects/%s", google_project.project.number)
+ depends_on = [
+ google_access_context_manager_service_perimeter_resource.standard,
+ ]
+}
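Review bot: `count = var.vpc_sc_perimeter != "" ? 1 : 0` does not handle the variable's default, which the variables.tf hunk sets to `null`: `null != ""` evaluates to true, so every project that does not opt into a perimeter still creates `standard[0]` with `perimeter_name = null` and the apply fails on the missing required argument. Use `count = var.vpc_sc_perimeter != null && var.vpc_sc_perimeter != "" ? 1 : 0` (or change the default to `""` and keep the check as is). Separately, `bridges` addresses memberships by position in `var.vpc_sc_perimeter_bridges`, so removing one bridge from the middle of the list re-indexes the remaining entries and briefly drops the project from bridges it should stay in; `for_each = toset(var.vpc_sc_perimeter_bridges)` avoids that churn if the pinned Terraform version supports it (0.12.6 or later). Nothing here enforces the `accessPolicies/{policy_id}/servicePerimeters/{short_name}` format the variable descriptions promise, so a malformed value is only caught at apply time.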
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fc6e12ab9..f6cb8b591 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -124,3 +124,15 @@ variable "services" {
type = list(string)
default = []
}
+
+variable "vpc_sc_perimeter" {
+ description = "Name of the VPC-SC perimeter the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
+ type = string
+ default = null
+}
+
+variable "vpc_sc_perimeter_bridges" {
+ description = "List of VPC-SC perimeter bridges the project belong to. Must be of the form accessPolicies/{policy_id}/servicePerimeters/{short_name}"
+ type = list(string)
+ default = []
+}
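Review bot: The `accessPolicies/{policy_id}/servicePerimeters/{short_name}` requirement stated in both descriptions is documentation only; if the pinned Terraform version supports variable `validation` blocks (0.13 or later), a `condition = can(regex("^accessPolicies/[^/]+/servicePerimeters/[^/]+$", var.vpc_sc_perimeter))` (and the `alltrue`/`for` equivalent for the list) would reject a malformed name at plan time instead of at apply. Both descriptions read `the project belong to`; `the project belongs to` is correct. The `vpc_sc_perimeter` description should also name the sentinel that means "no perimeter", since the default is `null` and the consumer in main.tf tests for the empty string.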