feat: split resources into separate resource to allow out-of-module additions (#61)

Author: aweberlopes

modules/access_level/versions.tf

@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.53"
+      version = ">= 3.50, < 5.0"
     }
   }
 

modules/bridge_service_perimeter/main.tf

@@ -21,7 +21,14 @@ resource "google_access_context_manager_service_perimeter" "bridge_service_perim
   name           = "accessPolicies/${var.policy}/servicePerimeters/${var.perimeter_name}"
   title          = var.perimeter_name
 
-  status {
-    resources = formatlist("projects/%s", var.resources)
+  lifecycle {
+    ignore_changes = [status[0].resources]
   }
 }
+
+
+resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
+  for_each       = toset(formatlist("projects/%s", var.resources))
+  perimeter_name = google_access_context_manager_service_perimeter.bridge_service_perimeter.name
+  resource       = each.key
+}

modules/bridge_service_perimeter/outputs.tf

@@ -17,4 +17,8 @@
 output "resources" {
   description = "A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed."
   value       = var.resources
+  depends_on = [
+    google_access_context_manager_service_perimeter.bridge_service_perimeter,
+    google_access_context_manager_service_perimeter_resource.service_perimeter_resource
+  ]
 }

modules/bridge_service_perimeter/versions.tf

@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.53"
+      version = ">= 3.50, < 5.0"
     }
   }
 

modules/regular_service_perimeter/main.tf

@@ -28,7 +28,6 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 
   status {
     restricted_services = var.restricted_services
-    resources           = formatlist("projects/%s", var.resources)
     access_levels = formatlist(
       "accessPolicies/${var.policy}/accessLevels/%s",
       var.access_levels
@@ -58,9 +57,9 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
             content {
               service_name = operations.key
               dynamic "method_selectors" {
-                for_each = merge(
+                for_each = operations.key != "*" ? merge(
                   { for k, v in lookup(operations.value, "methods", {}) : v => "method" },
-                { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" })
+                { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" }) : {}
                 content {
                   method     = method_selectors.value == "method" ? method_selectors.key : null
                   permission = method_selectors.value == "permission" ? method_selectors.key : ""
@@ -85,9 +84,9 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
             content {
               service_name = operations.key
               dynamic "method_selectors" {
-                for_each = merge(
+                for_each = operations.key != "*" ? merge(
                   { for k, v in lookup(operations.value, "methods", {}) : v => "method" },
-                { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" })
+                { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" }) : {}
                 content {
                   method     = method_selectors.value == "method" ? method_selectors.key : ""
                   permission = method_selectors.value == "permission" ? method_selectors.key : ""
@@ -178,4 +177,15 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
     }
   }
   use_explicit_dry_run_spec = local.dry_run
+
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }
+}
+
+
+resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
+  for_each       = toset(formatlist("projects/%s", var.resources))
+  perimeter_name = google_access_context_manager_service_perimeter.regular_service_perimeter.name
+  resource       = each.key
 }

modules/regular_service_perimeter/outputs.tf

@@ -17,17 +17,26 @@
 output "shared_resources" {
   description = "A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources"
   value       = var.shared_resources
-  depends_on  = [google_access_context_manager_service_perimeter.regular_service_perimeter]
+  depends_on = [
+    google_access_context_manager_service_perimeter.regular_service_perimeter,
+    google_access_context_manager_service_perimeter_resource.service_perimeter_resource
+  ]
 }
 
 output "resources" {
   description = "A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed."
   value       = var.resources
-  depends_on  = [google_access_context_manager_service_perimeter.regular_service_perimeter]
+  depends_on = [
+    google_access_context_manager_service_perimeter.regular_service_perimeter,
+    google_access_context_manager_service_perimeter_resource.service_perimeter_resource
+  ]
 }
 
 output "perimeter_name" {
   description = "The perimeter's name."
   value       = var.perimeter_name
-  depends_on  = [google_access_context_manager_service_perimeter.regular_service_perimeter]
+  depends_on = [
+    google_access_context_manager_service_perimeter.regular_service_perimeter,
+    google_access_context_manager_service_perimeter_resource.service_perimeter_resource
+  ]
 }

modules/regular_service_perimeter/versions.tf

@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.82"
+      version = ">= 3.50, < 5.0"
     }
   }
 

versions.tf

@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.82"
+      version = ">= 3.50, < 5.0"
     }
   }