
Commit ccc56a8

masterleroslomegftbharathkkb
authored
fix: Added VPC Accessible Services configuration (#84)
* Added VPC Accessible Services configuration * Minor documentation update * malformed documentation fix * Minor description fix Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Minor description fix Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * regen docs Co-authored-by: Leonardo Morales <leonardo.morales@gft.com> Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
1 parent dfd0252 commit ccc56a8


3 files changed

+31
-1
lines changed


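--- a/modules/regular_service_perimeter/README.md
+++ b/modules/regular_service_perimeter/README.md
@@ -110,6 +110,8 @@ module "regular_service_perimeter_1" {
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` | <pre>{<br> "all": []<br>}</pre> | no |
+| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
+| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
 
 ## Outputs
 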
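--- a/modules/regular_service_perimeter/main.tf
+++ b/modules/regular_service_perimeter/main.tf
@@ -15,7 +15,7 @@
 */
 
 locals {
-dry_run = (length(var.restricted_services_dry_run) > 0 || length(var.resources_dry_run) > 0 || length(var.access_levels_dry_run) > 0)
+dry_run = (length(var.restricted_services_dry_run) > 0 || length(var.resources_dry_run) > 0 || length(var.access_levels_dry_run) > 0 || !contains(var.vpc_accessible_services_dry_run, "*"))
 }
 
 resource "google_access_context_manager_service_perimeter" "regular_service_perimeter" {
@@ -97,6 +97,14 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 }
 }
 }
+
+dynamic "vpc_accessible_services" {
+for_each = contains(var.vpc_accessible_services, "*") ? [] : [var.vpc_accessible_services]
+content {
+enable_restriction = true
+allowed_services = vpc_accessible_services.value
+}
+}
 }
 
 
@@ -174,6 +182,14 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 }
 }
 }
+
+dynamic "vpc_accessible_services" {
+for_each = contains(var.vpc_accessible_services_dry_run, "*") ? [] : [var.vpc_accessible_services_dry_run]
+content {
+enable_restriction = true
+allowed_services = vpc_accessible_services.value
+}
+}
 }
 }
 use_explicit_dry_run_spec = local.dry_run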
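Review bot: The sentinel test `contains(var.vpc_accessible_services, "*")` on the `for_each` at new line 102 (mirrored at new line 187 for the dry-run copy and in the `local.dry_run` expression at line 18) accepts a list that mixes `"*"` with concrete service names and silently discards the names, so a caller who intended to restrict ends up with the block omitted and VPC Accessible Services disabled. Either tighten the check to the single-element form, e.g. `for_each = (length(var.vpc_accessible_services) == 1 && var.vpc_accessible_services[0] == "*") ? [] : [var.vpc_accessible_services]`, or reject mixed lists where the variables are declared. A short comment above each dynamic block would also make the mapping explicit, e.g. `# ["*"] means "do not restrict": the block is omitted rather than sent with a wildcard`. The blocks enclosing both dynamic blocks (presumably the resource's status and spec blocks) open outside these hunks, as does the resource itself.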

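--- a/modules/regular_service_perimeter/variables.tf
+++ b/modules/regular_service_perimeter/variables.tf
@@ -117,3 +117,15 @@ variable "ingress_policies_dry_run" {
 }))
 default = []
 }
+
+variable "vpc_accessible_services" {
+description = "A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to not allow any service."
+type = list(string)
+default = ["*"]
+}
+
+variable "vpc_accessible_services_dry_run" {
+description = "(Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to not allow any service."
+type = list(string)
+default = ["*"]
+}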
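Review bot: Both new variables accept any `list(string)` without validation, so a value such as `["*", "storage.googleapis.com"]` is taken as "disable VPC Accessible Services" by the `contains(..., "*")` checks in main.tf rather than being rejected, which is the opposite of what such a caller meant. The default of `["*"]` keeps the pre-existing permissive behaviour, which is the backward-compatible choice, but the description should say plainly that no VPC Accessible Services restriction is applied unless the variable is set. If the module's required Terraform version supports variable `validation` blocks, the wildcard can be constrained to the single-element form at the declaration; the same block applies to `vpc_accessible_services_dry_run`.
```hcl
variable "vpc_accessible_services" {
  # … unchanged: description, type, default …
  validation {
    condition     = !contains(var.vpc_accessible_services, "*") || length(var.vpc_accessible_services) == 1
    error_message = "Use [\"*\"] on its own to disable VPC Accessible Services; it cannot be combined with service names."
  }
}
```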
