kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
36648b6b63229f0faf65df4c84211442075f2c6b
hunfabric/modules/vpc-sc/variables.tf
Ludovico Magnocavallo 36648b6b63 FAST light implementation (#3255) 
* data wip

* wip data

* update org schema, add note on expansion

* all schemas, workload notes

* Update WORKLOG.md

* Update WORKLOG.md

* Update WORKLOG.md

* Update WORKLOG.md

* wip

* data wip

* wip

* wip

* wip

* wip

* org module IAM context (using lookup)

* new-style context expansion in project IAM

* remove spurious file

* project module contexts

* finalize context replacement format for project module

* revert org module changes

* fix tag id interpolation in project

* fix tag id interpolation in project

* organization module context

* organization context test

* context expansion for folder tag bindings

* test context expansion for tag bindings

* service account module context

* simplify context local

* context for iam service account

* nuke blueprints

* remove links to blueprints

* vpc sc context in project module

* Add context to GCS module

* Add inline deps to plan_summary script

* Make context a top-level variable for folder, organization, sa

* Add add context top-level to VPC-SC

* move context out of factories_config variable

* tfdoc

* fix merge

* fix merge

* fix examples

* net-vpc module context

* add parent ids to folder context

* rename folder parent context

* fix folder parent check

* new project factory stub

* wip

* wip

* refactor defaults

* project iam

* bueckts and service accounts

* start adding context replacements

* better test data

* automation resources for folders and projects

* automation

* add support for project id interpolation

* first tested apply

* improve IAM description in gcs module

* add context to billing account module

* add notification channels to billing account module context

* add billing budgets to new pf

* schemas and defaults

* bootstrap wip

* bootstrap wip

* bootstrap wip

* pf outputs

* pf fixes

* fix pf sample data

* bootstrap lite fixes

* add locations to organization module contexts

* bootstrap lite fixes

* org fixes, billing accounts

* fix default project parent

* bootstrap lite wip

* add locations to gcs module context

* add context support to logging bucket module

* add context to pubsub module

* split out iam variables in gcs module

* fix logging bucket context test

* bootstrap log sink destinations

* streamline logging-bucket module variables

* fix logging bucket context test

* align logging bucket module interface in fast bootstrap

* add support for project-level log buckets to project factory

* support full context expansion in organization module log sinks

* log buckets in fast-lite bootstrap

* make og sink type optional in organization module

* log sinks in fast-lite bootstrap

* set tag values in factory context

* bootstrap lite data

* output files schema

* billing account schema

* output files

* output providers

* gcs output files

* boilerplate

* tflint

* check documentation

* check docs

* fix project module parent variable validation

* fix log bucket examples

* allow null parent in project module

* silence folder test errors

* fix billing account sink example

* fix project example

* fix billing account module

* fix folder tests

* fix FAST

* fix fast

* tfvars outputs

* wif

* cicd service accounts

* cicd

* allow defaults in context, minimal org policies

* support gcs managed folders in project factory and bootstrap lite

* support prefix in provider output files

* rename bootstrap stage

* gitignore

* gitignore

* security folder, billing IAM

* wip tfvars

* fix typo

* security IAM

* control tag iam/context via variables in organization module

* split tag creation from tag IAM to avoid circular refs

* port organization module tag changes to project module

* implement new-style context expansion in vpc-sc module

* fix fast vpc-sc tests

* boilerplate

* vpc sc stage

* schemas

* fast-lite compatibility for vpc sc stage

* make log project number optional in vpc-sc stage

* networking

* networking

* networking

* networking

* rename and move new stage under fast

* clone pf tests

* use context replacement for internal notification channels in billing account module

* support service agents in project module iam context replacements

* support service agents in project module iam context replacements

* add support for kms keys to project module context

* experimental pf example test and fixes

* fix schemas

* fix tests

* tfdoc

* tfdoc

* pf config

* experimental pf

* remove redundant dot from gcs managed folder IAM keys

* bootstrap experimental test

* project factory exp stage test

* skip tflint for bootstrap experimental test

* tflint

* fix gcs test

* documentation work

* documentation work

* Update README.md

* tfdoc

* tfdoc

* readme

* tfdoc

* readme

* readme

* readme

* readme

* support universe in pf exp projects

* missing universe service agents

* org policies import, non-admin billing IAM

* todo

* fix test

* custom constraints

* fast classic dataset

* fix test data

* context replacements in billing module log sinks

* fix typo

* add support for billing log sinks

* update docs

* readme

* cicd fix and test

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2025-09-02 08:38:57 +02:00

267 lines
8.9 KiB
HCL
Raw Blame History

/**
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "access_levels" {
description = "Access level definitions."
type = map(object({
combining_function = optional(string)
conditions = optional(list(object({
device_policy = optional(object({
allowed_device_management_levels = optional(list(string))
allowed_encryption_statuses = optional(list(string))
require_admin_approval = bool
require_corp_owned = bool
require_screen_lock = optional(bool)
os_constraints = optional(list(object({
os_type = string
minimum_version = optional(string)
require_verified_chrome_os = optional(bool)
})))
}))
ip_subnetworks = optional(list(string), [])
members = optional(list(string), [])
negate = optional(bool)
regions = optional(list(string), [])
required_access_levels = optional(list(string), [])
vpc_subnets = optional(map(list(string)), {})
})), [])
description = optional(string)
title = optional(string)
}))
default = {}
nullable = false
validation {
condition = alltrue([
for k, v in var.access_levels : (
v.combining_function == null ||
v.combining_function == "AND" ||
v.combining_function == "OR"
)
])
error_message = "Invalid `combining_function` value (null, \"AND\", \"OR\" accepted)."
}
validation {
condition = alltrue([
for k, v in var.access_levels : alltrue([
for condition in v.conditions : alltrue([
for member in condition.members : can(regex("^(?:serviceAccount:|user:)", member))
])
])
])
error_message = "Invalid `conditions[].members`. It needs to start with on of the prefixes: 'serviceAccount:' or 'user:'."
}
}
variable "access_policy" {
description = "Access Policy name, set to null if creating one."
type = string
}
variable "access_policy_create" {
description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format."
type = object({
parent = string
title = string
scopes = optional(list(string), null)
})
default = null
}
variable "context" {
description = "External context used in replacements."
type = object({
identity_sets = optional(map(list(string)), {})
project_numbers = optional(map(number), {})
resource_sets = optional(map(list(string)), {})
service_sets = optional(map(list(string)), {})
})
default = {}
nullable = false
}
variable "egress_policies" {
description = "Egress policy definitions that can be referenced in perimeters."
type = map(object({
title = optional(string)
from = object({
access_levels = optional(list(string), [])
identity_type = optional(string)
identities = optional(list(string))
resources = optional(list(string), [])
})
to = object({
external_resources = optional(list(string))
operations = optional(list(object({
method_selectors = optional(list(string))
permission_selectors = optional(list(string))
service_name = string
})), [])
resources = optional(list(string))
roles = optional(list(string))
})
}))
default = {}
nullable = false
validation {
condition = alltrue([
for k, v in var.egress_policies :
v.from.identity_type == null ? true : contains([
"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY",
"ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""
], v.from.identity_type)
])
error_message = "Invalid `from.identity_type` value in egress policy."
}
validation {
condition = alltrue([
for k, v in var.egress_policies : v.from.identities == null ? true : alltrue([
for identity in v.from.identities : can(regex("^(?:serviceAccount:|user:|group:|principal:|principalSet:)", identity))
])
])
error_message = "Invalid `from.identity`. It needs to start with on of the prefixes: 'serviceAccount:', 'user:', 'group:', 'principal:' or 'principalSet:."
}
}
variable "factories_config" {
description = "Paths to folders that enable factory functionality."
type = object({
access_levels = optional(string)
egress_policies = optional(string)
ingress_policies = optional(string)
perimeters = optional(string)
})
nullable = false
default = {}
}
variable "iam" {
description = "IAM bindings in {ROLE => [MEMBERS]} format."
type = map(list(string))
default = {}
}
variable "iam_bindings" {
description = "Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary."
type = map(object({
members = list(string)
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
}))
nullable = false
default = {}
}
variable "iam_bindings_additive" {
description = "Individual additive IAM bindings. Keys are arbitrary."
type = map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
}))
nullable = false
default = {}
}
variable "ingress_policies" {
description = "Ingress policy definitions that can be referenced in perimeters."
type = map(object({
title = optional(string)
from = object({
access_levels = optional(list(string), [])
identity_type = optional(string)
identities = optional(list(string))
resources = optional(list(string), [])
})
to = object({
operations = optional(list(object({
method_selectors = optional(list(string))
permission_selectors = optional(list(string))
service_name = string
})), [])
resources = optional(list(string))
roles = optional(list(string))
})
}))
default = {}
nullable = false
validation {
condition = alltrue([
for k, v in var.ingress_policies :
v.from.identity_type == null ? true : contains([
"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY",
"ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""
], v.from.identity_type)
])
error_message = "Invalid `from.identity_type` value in ingress policy."
}
validation {
condition = alltrue([
for k, v in var.ingress_policies : v.from.identities == null ? true : alltrue([
for identity in v.from.identities : can(regex("^(?:serviceAccount:|user:|group:|principal:|principalSet:)", identity))
])
])
error_message = "Invalid `from.identity`. It needs to start with on of the prefixes: 'serviceAccount:', 'user:', 'group:', 'principal:', 'principalSet:'."
}
}
variable "perimeters" {
description = "Regular service perimeters."
type = map(object({
description = optional(string)
ignore_resource_changes = optional(bool, false)
title = optional(string)
use_explicit_dry_run_spec = optional(bool, false)
spec = optional(object({
access_levels = optional(list(string), [])
egress_policies = optional(list(string), [])
ingress_policies = optional(list(string), [])
restricted_services = optional(list(string), [])
resources = optional(list(string), [])
vpc_accessible_services = optional(object({
allowed_services = list(string)
enable_restriction = optional(bool, true)
}))
}))
status = optional(object({
access_levels = optional(list(string), [])
egress_policies = optional(list(string), [])
ingress_policies = optional(list(string), [])
resources = optional(list(string), [])
restricted_services = optional(list(string), [])
vpc_accessible_services = optional(object({
allowed_services = list(string)
enable_restriction = optional(bool, true)
}))
}))
}))
default = {}
nullable = false
}
variable "project_id_search_scope" {
description = "Set this to an organization or folder ID to use Cloud Asset Inventory to automatically translate project ids to numbers."
type = string
default = null
}
Reference in New Issue View Git Blame Copy Permalink