Embed subnet-level IAM in the variables controlling creation of subnets

This moves the top-level `iam`, `iam_bindings` and
`iam_bindings_additive` variables into subnet-level attributes. This
change also allows setting permissions on PSC or proxy-only subnets.

As part of this change, the factory interface is more aligned with the
rest of the modules using a `factories_config` variable. In the future
we can add a cidrs template similar to the firewall policy module
This commit is contained in:
Julio Castillo
2023-09-14 17:20:37 +02:00
parent b3dc91b5cd
commit f19ab4872f
3 changed files with 186 additions and 131 deletions


@@ -31,12 +31,6 @@ variable "create_googleapis_routes" {
default = {}
}
variable "data_folder" {
description = "An optional folder containing the subnet configurations in YaML format."
type = string
default = null
}
variable "delete_default_routes_on_create" {
description = "Set to true to delete the default routes at creation time."
type = bool
@@ -62,6 +56,14 @@ variable "dns_policy" {
default = null
}
variable "factories_config" {
description = "Paths to data files and folders that enable factory functionality."
type = object({
subnets_folder = string
})
default = null
}
variable "firewall_policy_enforcement_order" {
description = "Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'."
type = string
@@ -164,42 +166,6 @@ variable "shared_vpc_service_projects" {
default = []
}
variable "subnet_iam" {
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
type = map(map(list(string)))
default = {}
}
variable "subnet_iam_bindings" {
description = "Authoritative IAM bindings in {REGION/NAME => {ROLE => {members = [], condition = {}}}}."
type = map(map(object({
members = list(string)
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})))
nullable = false
default = {}
}
variable "subnet_iam_bindings_additive" {
description = "Individual additive IAM bindings. Keys are arbitrary."
type = map(object({
member = string
role = string
subnet = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
}))
nullable = false
default = {}
}
variable "subnets" {
description = "Subnet configuration."
type = list(object({
@@ -222,6 +188,25 @@ variable "subnets" {
# enable_private_access = optional(string)
}))
secondary_ip_ranges = optional(map(string))
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
members = list(string)
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
iam_bindings_additive = optional(map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
}))
default = []
nullable = false
@@ -234,8 +219,27 @@ variable "subnets_proxy_only" {
ip_cidr_range = string
region = string
description = optional(string)
active = bool
active = optional(bool, true)
global = optional(bool, false)
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
members = list(string)
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
iam_bindings_additive = optional(map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
}))
default = []
nullable = false
@@ -248,6 +252,25 @@ variable "subnets_psc" {
ip_cidr_range = string
region = string
description = optional(string)
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
members = list(string)
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
iam_bindings_additive = optional(map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
})), {})
}))
default = []
nullable = false
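Review bot: The `iam`, `iam_bindings` and `iam_bindings_additive` attributes added to `subnets` in the `@@ -222,6 +188,25 @@` hunk (and identically to `subnets_proxy_only` and `subnets_psc` in the next two hunks) drop the semantics the removed top-level variables carried in their descriptions, namely "Authoritative IAM bindings" for `subnet_iam_bindings` and "Individual additive IAM bindings" for `subnet_iam_bindings_additive`. Object attributes cannot carry a `description` of their own and the `subnets` variable's description is still the one-line "Subnet configuration." visible as context of the previous hunk, so a caller is no longer told that `iam` and `iam_bindings` are authoritative per role, and listing the same role under both would presumably create two competing authoritative bindings on the same subnet. I would extend the description of each of the three variables along the lines of `description = "Subnet configuration. IAM attributes: iam and iam_bindings are authoritative per role (list a role in only one of them); iam_bindings_additive is non-authoritative."`. The `variable "subnets"` block opens before this hunk and the `subnets_proxy_only` and `subnets_psc` blocks likewise open outside theirs.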