feat: added VPC network support to perimeter resources (#106)

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>
Co-authored-by: Imran Nayer <imrannayer@google.com>

Author: 3 people

modules/regular_service_perimeter/README.md

@@ -105,8 +105,8 @@ module "regular_service_perimeter_1" {
 | perimeter\_name | Name of the perimeter. Should be one unified string. Must only be letters, numbers and underscores | `string` | n/a | yes |
 | policy | Name of the parent policy | `string` | n/a | yes |
 | resource\_keys | A list of keys to use for the Terraform state. The order should correspond to var.resources and the keys must not be dynamically computed. If `null`, var.resources will be used as keys. | `list(string)` | `null` | no |
-| resources | A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. | `list(string)` | `[]` | no |
-| resources\_dry\_run | (Dry-run) A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
+| resources | A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed. | `list(string)` | `[]` | no |
+| resources\_dry\_run | (Dry-run) A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.  If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` | <pre>{<br>  "all": []<br>}</pre> | no |

modules/regular_service_perimeter/main.tf

@@ -210,5 +210,5 @@ locals {
 resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
   for_each       = local.resources
   perimeter_name = google_access_context_manager_service_perimeter.regular_service_perimeter.name
-  resource       = "projects/${each.value}"
+  resource       = can(regex("global/networks", each.value)) ? "//compute.googleapis.com/${each.value}" : "projects/${each.value}"
 }

modules/regular_service_perimeter/variables.tf

@@ -36,7 +36,7 @@ variable "restricted_services" {
 }
 
 variable "resources" {
-  description = "A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed."
+  description = "A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed."
   type        = list(string)
   default     = []
 }
@@ -60,7 +60,7 @@ variable "restricted_services_dry_run" {
 }
 
 variable "resources_dry_run" {
-  description = "(Dry-run) A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. If set, a dry-run policy will be set."
+  description = "(Dry-run) A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed. If set, a dry-run policy will be set."
   type        = list(string)
   default     = []
 }