3ed801c464
* Use VPC-SC perimeter factory in FAST 1-vpcsc stage * Add boilerplate * Fix linter and schema checks * Fix tests * Fix schemas
392 lines
14 KiB
HCL
392 lines
14 KiB
HCL
/**
|
|
* Copyright 2025 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
# tfdoc:file:description Regular service perimeter resources.
|
|
|
|
# this code implements "additive" service perimeters, if "authoritative"
|
|
# service perimeters are needed, switch to the
|
|
# google_access_context_manager_service_perimeters resource
|
|
|
|
locals {
|
|
egress_policies = merge(local.data.egress_policies, var.egress_policies)
|
|
ingress_policies = merge(local.data.ingress_policies, var.ingress_policies)
|
|
regular_perimeters = merge(local.data.perimeters, var.service_perimeters_regular)
|
|
}
|
|
|
|
resource "google_access_context_manager_service_perimeter" "regular" {
|
|
for_each = local.regular_perimeters
|
|
parent = "accessPolicies/${local.access_policy}"
|
|
name = "accessPolicies/${local.access_policy}/servicePerimeters/${each.key}"
|
|
description = each.value.description
|
|
title = coalesce(each.value.title, each.key)
|
|
perimeter_type = "PERIMETER_TYPE_REGULAR"
|
|
use_explicit_dry_run_spec = each.value.use_explicit_dry_run_spec
|
|
dynamic "spec" {
|
|
for_each = each.value.spec == null ? [] : [each.value.spec]
|
|
iterator = spec
|
|
content {
|
|
access_levels = (
|
|
spec.value.access_levels == null ? null : [
|
|
for k in spec.value.access_levels :
|
|
try(google_access_context_manager_access_level.basic[k].id, k)
|
|
]
|
|
)
|
|
resources = flatten([
|
|
for r in spec.value.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
restricted_services = flatten([
|
|
for r in coalesce(spec.value.restricted_services, []) :
|
|
lookup(var.factories_config.context.service_sets, r, [r])
|
|
])
|
|
|
|
dynamic "egress_policies" {
|
|
for_each = spec.value.egress_policies == null ? {} : {
|
|
for k in spec.value.egress_policies :
|
|
k => local.egress_policies[k]
|
|
}
|
|
iterator = policy
|
|
content {
|
|
title = coalesce(policy.value.title, policy.key)
|
|
dynamic "egress_from" {
|
|
for_each = policy.value.from == null ? [] : [""]
|
|
content {
|
|
identity_type = policy.value.from.identity_type
|
|
identities = flatten([
|
|
for i in policy.value.from.identities :
|
|
lookup(var.factories_config.context.identity_sets, i, [i])
|
|
])
|
|
source_restriction = (
|
|
length(policy.value.from.access_levels) > 0 || length(policy.value.from.resources) > 0
|
|
? "SOURCE_RESTRICTION_ENABLED"
|
|
: "SOURCE_RESTRICTION_DISABLED"
|
|
)
|
|
dynamic "sources" {
|
|
for_each = policy.value.from.access_levels
|
|
iterator = access_level
|
|
content {
|
|
access_level = try(
|
|
google_access_context_manager_access_level.basic[access_level.value].id,
|
|
access_level.value
|
|
)
|
|
}
|
|
}
|
|
dynamic "sources" {
|
|
for_each = flatten([
|
|
for r in policy.value.from.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
iterator = resource
|
|
content {
|
|
resource = resource.value
|
|
}
|
|
}
|
|
}
|
|
}
|
|
dynamic "egress_to" {
|
|
for_each = policy.value.to == null ? [] : [""]
|
|
content {
|
|
external_resources = policy.value.to.external_resources
|
|
resources = flatten([
|
|
for r in policy.value.to.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
|
|
dynamic "operations" {
|
|
for_each = toset(policy.value.to.operations)
|
|
iterator = o
|
|
content {
|
|
service_name = o.value.service_name
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.method_selectors, []))
|
|
content {
|
|
method = method_selectors.key
|
|
}
|
|
}
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.permission_selectors, []))
|
|
content {
|
|
permission = method_selectors.key
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
dynamic "ingress_policies" {
|
|
for_each = spec.value.ingress_policies == null ? {} : {
|
|
for k in spec.value.ingress_policies :
|
|
k => local.ingress_policies[k]
|
|
}
|
|
iterator = policy
|
|
content {
|
|
title = coalesce(policy.value.title, policy.key)
|
|
dynamic "ingress_from" {
|
|
for_each = policy.value.from == null ? [] : [""]
|
|
content {
|
|
identity_type = policy.value.from.identity_type
|
|
identities = flatten([
|
|
for i in policy.value.from.identities :
|
|
lookup(var.factories_config.context.identity_sets, i, [i])
|
|
])
|
|
dynamic "sources" {
|
|
for_each = toset(policy.value.from.access_levels)
|
|
iterator = s
|
|
content {
|
|
access_level = try(
|
|
google_access_context_manager_access_level.basic[s.value].id, s.value
|
|
)
|
|
}
|
|
}
|
|
dynamic "sources" {
|
|
for_each = flatten([
|
|
for r in policy.value.from.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
content {
|
|
resource = sources.value
|
|
}
|
|
}
|
|
}
|
|
}
|
|
dynamic "ingress_to" {
|
|
for_each = policy.value.to == null ? [] : [""]
|
|
content {
|
|
resources = flatten([
|
|
for r in policy.value.to.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
dynamic "operations" {
|
|
for_each = toset(policy.value.to.operations)
|
|
iterator = o
|
|
content {
|
|
service_name = o.value.service_name
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.method_selectors, []))
|
|
content {
|
|
method = method_selectors.value
|
|
}
|
|
}
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.permission_selectors, []))
|
|
content {
|
|
permission = method_selectors.value
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
dynamic "vpc_accessible_services" {
|
|
for_each = spec.value.vpc_accessible_services == null ? {} : { 1 = 1 }
|
|
content {
|
|
allowed_services = flatten([
|
|
for r in spec.value.vpc_accessible_services.allowed_services :
|
|
lookup(var.factories_config.context.service_sets, r, [r])
|
|
])
|
|
enable_restriction = spec.value.vpc_accessible_services.enable_restriction
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
dynamic "status" {
|
|
for_each = each.value.status == null ? [] : [each.value.status]
|
|
iterator = status
|
|
content {
|
|
access_levels = (
|
|
status.value.access_levels == null ? null : [
|
|
for k in status.value.access_levels :
|
|
try(google_access_context_manager_access_level.basic[k].id, k)
|
|
]
|
|
)
|
|
resources = flatten([
|
|
for r in status.value.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
restricted_services = flatten([
|
|
for r in coalesce(status.value.restricted_services, []) :
|
|
lookup(var.factories_config.context.service_sets, r, [r])
|
|
])
|
|
|
|
dynamic "egress_policies" {
|
|
for_each = status.value.egress_policies == null ? {} : {
|
|
for k in status.value.egress_policies :
|
|
k => local.egress_policies[k]
|
|
}
|
|
iterator = policy
|
|
content {
|
|
title = coalesce(policy.value.title, policy.key)
|
|
dynamic "egress_from" {
|
|
for_each = policy.value.from == null ? [] : [""]
|
|
content {
|
|
identity_type = policy.value.from.identity_type
|
|
identities = flatten([
|
|
for i in policy.value.from.identities :
|
|
lookup(var.factories_config.context.identity_sets, i, [i])
|
|
])
|
|
source_restriction = (
|
|
length(policy.value.from.access_levels) > 0 || length(policy.value.from.resources) > 0
|
|
? "SOURCE_RESTRICTION_ENABLED"
|
|
: "SOURCE_RESTRICTION_DISABLED"
|
|
)
|
|
dynamic "sources" {
|
|
for_each = policy.value.from.access_levels
|
|
iterator = access_level
|
|
content {
|
|
access_level = try(
|
|
google_access_context_manager_access_level.basic[access_level.value].id,
|
|
access_level.value
|
|
)
|
|
}
|
|
}
|
|
dynamic "sources" {
|
|
for_each = flatten([
|
|
for r in policy.value.from.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
iterator = resource
|
|
content {
|
|
resource = resource.value
|
|
}
|
|
}
|
|
}
|
|
}
|
|
dynamic "egress_to" {
|
|
for_each = policy.value.to == null ? [] : [""]
|
|
content {
|
|
external_resources = policy.value.to.external_resources
|
|
resources = policy.value.to.resources
|
|
dynamic "operations" {
|
|
for_each = toset(policy.value.to.operations)
|
|
iterator = o
|
|
content {
|
|
service_name = o.value.service_name
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.method_selectors, []))
|
|
content {
|
|
method = method_selectors.key
|
|
}
|
|
}
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.permission_selectors, []))
|
|
content {
|
|
permission = method_selectors.key
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
dynamic "ingress_policies" {
|
|
for_each = status.value.ingress_policies == null ? {} : {
|
|
for k in status.value.ingress_policies :
|
|
k => local.ingress_policies[k]
|
|
}
|
|
iterator = policy
|
|
content {
|
|
title = coalesce(policy.value.title, policy.key)
|
|
dynamic "ingress_from" {
|
|
for_each = policy.value.from == null ? [] : [""]
|
|
content {
|
|
identity_type = policy.value.from.identity_type
|
|
identities = flatten([
|
|
for i in policy.value.from.identities :
|
|
lookup(var.factories_config.context.identity_sets, i, [i])
|
|
])
|
|
dynamic "sources" {
|
|
for_each = toset(policy.value.from.access_levels)
|
|
iterator = s
|
|
content {
|
|
access_level = try(
|
|
google_access_context_manager_access_level.basic[s.value].id,
|
|
s.value
|
|
)
|
|
}
|
|
}
|
|
dynamic "sources" {
|
|
for_each = flatten([
|
|
for r in policy.value.from.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
content {
|
|
resource = sources.value
|
|
}
|
|
}
|
|
}
|
|
}
|
|
dynamic "ingress_to" {
|
|
for_each = policy.value.to == null ? [] : [""]
|
|
content {
|
|
resources = flatten([
|
|
for r in policy.value.to.resources :
|
|
lookup(var.factories_config.context.resource_sets, r, [r])
|
|
])
|
|
dynamic "operations" {
|
|
for_each = toset(policy.value.to.operations)
|
|
iterator = o
|
|
content {
|
|
service_name = o.value.service_name
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.method_selectors, []))
|
|
content {
|
|
method = method_selectors.value
|
|
}
|
|
}
|
|
dynamic "method_selectors" {
|
|
for_each = toset(coalesce(o.value.permission_selectors, []))
|
|
content {
|
|
permission = method_selectors.value
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
dynamic "vpc_accessible_services" {
|
|
for_each = status.value.vpc_accessible_services == null ? {} : { 1 = 1 }
|
|
content {
|
|
allowed_services = flatten([
|
|
for r in status.value.vpc_accessible_services.allowed_services :
|
|
lookup(var.factories_config.context.service_sets, r, [r])
|
|
])
|
|
enable_restriction = status.value.vpc_accessible_services.enable_restriction
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
# lifecycle {
|
|
# ignore_changes = [spec[0].resources, status[0].resources]
|
|
# }
|
|
depends_on = [
|
|
google_access_context_manager_access_policy.default,
|
|
google_access_context_manager_access_level.basic
|
|
]
|
|
}
|