VPC Service Control Module

This module manages VPC Service Control (VPC-SC) properties.

Using this module requires credentials with the permissions needed to use Access Context Manager.

Example VPC-SC standard perimeter

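module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"

  # Access level whose single condition matches one source address (a /32);
  # the conditions are combined with AND.
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [{
        ip_subnetworks         = ["85.85.85.52/32"]
        required_access_levels = null
        members                = []
        negate                 = false
        regions                = null
      }]
    }
  }

  # Bind the access level above to the "perimeter" perimeter in enforced mode.
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }

  # Example ingress rule: any identity, on all resources, limited to the listed
  # Storage and BigQuery methods. Narrow identity_type and resources before
  # reusing this outside an example.
  ingress_policies = {
    ingress_1 = {
      ingress_from = {
        identity_type = "ANY_IDENTITY"
      }
      ingress_to = {
        resources = ["*"]
        operations = {
          "storage.googleapis.com"  = [{ method = "google.storage.objects.create" }]
          "bigquery.googleapis.com" = [{ method = "BigQueryStorage.ReadRows" }]
        }
      }
    }
  }

  # The only perimeter declared in this example is "perimeter", so the ingress
  # policy is attached to it (the previous value, "default", matched no perimeter).
  ingress_policies_perimeters = {
    enforced = {
      ingress_1 = ["perimeter"]
    }
  }

  # Example egress rule: any user account, to all resources, limited to the
  # listed Storage and BigQuery methods and the bigquery.jobs.get permission.
  egress_policies = {
    egress_1 = {
      egress_from = {
        identity_type = "ANY_USER_ACCOUNT"
      }
      egress_to = {
        resources = ["*"]
        operations = {
          "storage.googleapis.com"  = [{ method = "google.storage.objects.create" }]
          "bigquery.googleapis.com" = [
            { method = "BigQueryStorage.ReadRows" },
            { method = "TableService.ListTables" },
            { permission = "bigquery.jobs.get" }
          ]
        }
      }
    }
  }

  egress_policies_perimeters = {
    enforced = {
      egress_1 = ["perimeter"]
    }
  }

  # One regular perimeter; no dry-run configuration is set, only the enforced one.
  perimeters = {
    perimeter = {
      type           = "PERIMETER_TYPE_REGULAR"
      dry_run_config = null
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }

  # Project numbers placed inside the perimeter in enforced mode.
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
    }
  }
}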
# tftest:modules=1:resources=3

Example VPC-SC standard perimeter with one service and one project in dry run mode

module "vpc-sc" {
  source              = "./modules/vpc-sc"
  organization_id     = "organizations/112233"
  access_policy_title = "My Access Policy"

  # A single regular perimeter. The enforced configuration covers Storage only;
  # the dry-run configuration additionally lists BigQuery.
  perimeters = {
    perimeter = {
      type = "PERIMETER_TYPE_REGULAR"
      dry_run_config = {
        restricted_services = [
          "storage.googleapis.com",
          "bigquery.googleapis.com"
        ]
        vpc_accessible_services = [
          "storage.googleapis.com",
          "bigquery.googleapis.com"
        ]
      }
      enforced_config = {
        restricted_services     = ["storage.googleapis.com"]
        vpc_accessible_services = ["storage.googleapis.com"]
      }
    }
  }

  # Two projects are enforced members of the perimeter; a third is only in dry run.
  perimeter_projects = {
    perimeter = {
      enforced = [111111111, 222222222]
      dry_run  = [333333333]
    }
  }

  # Access level with one condition: a single trusted source address (a /32).
  access_levels = {
    my_trusted_proxy = {
      combining_function = "AND"
      conditions = [
        {
          ip_subnetworks         = ["85.85.85.52/32"]
          required_access_levels = null
          members                = []
          negate                 = false
          regions                = null
        }
      ]
    }
  }

  # The access level is bound to "perimeter" in enforced mode only.
  access_level_perimeters = {
    enforced = {
      my_trusted_proxy = ["perimeter"]
    }
  }
}
# tftest:modules=1:resources=3

Variables

name description type required default
access_policy_title Access Policy title to be created. string
organization_id Organization id in organizations/nnnnnn format. string
access_level_perimeters Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' map(map(list(string))) {}
access_levels Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'. map(object({...})) {}
egress_policies List of EgressPolicies in the form described in the documentation null
egress_policies_perimeters Enforced mode -> Egress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' map(map(list(string))) {}
ingress_policies List of IngressPolicies in the form described in the documentation null
ingress_policies_perimeters Enforced mode -> Ingress Policy -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' map(map(list(string))) {}
perimeter_projects Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. map(map(list(number))) {}
perimeters Set of Perimeters. map(object({...})) {}

Outputs

name description sensitive
access_levels Access Levels.
access_policy_name Access Policy resource
organization_id Organization id dependent on module resources.
perimeters_bridge VPC-SC bridge perimeter resources.
perimeters_standard VPC-SC standard perimeter resources.