fix: dry-run egress ingress operations (#83)

* Fix dry-run egress ingress operations

* fixed policies operations type and documented

Co-authored-by: Leonardo Morales <leonardo.morales@gft.com>

Author: masterleros

modules/regular_service_perimeter/README.md

@@ -98,10 +98,10 @@ module "regular_service_perimeter_1" {
 | access\_levels | A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. Example: 'accessPolicies/MY\_POLICY/accessLevels/MY\_LEVEL'. For Service Perimeter Bridge, must be empty. | `list(string)` | `[]` | no |
 | access\_levels\_dry\_run | (Dry-run) A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. Example: 'accessPolicies/MY\_POLICY/accessLevels/MY\_LEVEL'. For Service Perimeter Bridge, must be empty. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | description | Description of the regular perimeter | `string` | n/a | yes |
-| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
-| egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
-| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
-| ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
+| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
+| egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to. Use same formatting as `egress_policies`. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
+| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
+| ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to. Use same formatting as `ingress_policies`. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
 | perimeter\_name | Name of the perimeter. Should be one unified string. Must only be letters, numbers and underscores | `any` | n/a | yes |
 | policy | Name of the parent policy | `string` | n/a | yes |
 | resource\_keys | A list of keys to use for the Terraform state. The order should correspond to var.resources and the keys must not be dynamically computed. If `null`, var.resources will be used as keys. | `list(string)` | `null` | no |

modules/regular_service_perimeter/main.tf

@@ -58,11 +58,11 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
               service_name = operations.key
               dynamic "method_selectors" {
                 for_each = operations.key != "*" ? merge(
-                  { for k, v in lookup(operations.value, "methods", {}) : v => "method" },
-                { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" }) : {}
+                  { for v in lookup(operations.value, "methods", []) : v => "method" },
+                { for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
                 content {
                   method     = method_selectors.value == "method" ? method_selectors.key : null
-                  permission = method_selectors.value == "permission" ? method_selectors.key : ""
+                  permission = method_selectors.value == "permission" ? method_selectors.key : null
                 }
               }
             }
@@ -85,11 +85,11 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
               service_name = operations.key
               dynamic "method_selectors" {
                 for_each = operations.key != "*" ? merge(
-                  { for k, v in lookup(operations.value, "methods", {}) : v => "method" },
-                { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" }) : {}
+                  { for v in lookup(operations.value, "methods", []) : v => "method" },
+                { for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
                 content {
-                  method     = method_selectors.value == "method" ? method_selectors.key : ""
-                  permission = method_selectors.value == "permission" ? method_selectors.key : ""
+                  method     = method_selectors.value == "method" ? method_selectors.key : null
+                  permission = method_selectors.value == "permission" ? method_selectors.key : null
                 }
               }
             }
@@ -134,12 +134,12 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
               content {
                 service_name = operations.key
                 dynamic "method_selectors" {
-                  for_each = merge(
-                    { for k, v in lookup(operations.value, "methods", {}) : v => "method" },
-                  { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" })
+                  for_each = operations.key != "*" ? merge(
+                    { for v in lookup(operations.value, "methods", []) : v => "method" },
+                  { for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
                   content {
-                    method     = method_selectors.value == "method" ? method_selectors.key : ""
-                    permission = method_selectors.value == "permission" ? method_selectors.key : ""
+                    method     = method_selectors.value == "method" ? method_selectors.key : null
+                    permission = method_selectors.value == "permission" ? method_selectors.key : null
                   }
                 }
               }
@@ -161,12 +161,12 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
               content {
                 service_name = operations.key
                 dynamic "method_selectors" {
-                  for_each = merge(
-                    { for k, v in lookup(operations.value, "methods", {}) : v => "method" },
-                  { for k, v in lookup(operations.value, "permissions", {}) : v => "permission" })
+                  for_each = operations.key != "*" ? merge(
+                    { for v in lookup(operations.value, "methods", []) : v => "method" },
+                  { for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
                   content {
-                    method     = method_selectors.value == "method" ? method_selectors.key : ""
-                    permission = method_selectors.value == "permission" ? method_selectors.key : ""
+                    method     = method_selectors.value == "method" ? method_selectors.key : null
+                    permission = method_selectors.value == "permission" ? method_selectors.key : null
                   }
                 }
               }

modules/regular_service_perimeter/variables.tf

@@ -79,7 +79,7 @@ variable "shared_resources" {
 
 ## Have to solve it like this don't want use optional flag because is still experimental
 variable "egress_policies" {
-  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to."
+  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to.\n\nExample: `[{ from={ identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)"
   type = list(object({
     from = any
     to   = any
@@ -89,7 +89,7 @@ variable "egress_policies" {
 
 ## Have to solve it like this don't want use optional flag because is still experimental
 variable "ingress_policies" {
-  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to."
+  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.\n\nExample: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)"
   type = list(object({
     from = any
     to   = any
@@ -100,7 +100,7 @@ variable "ingress_policies" {
 
 ## Have to solve it like this don't want use optional flag because is still experimental
 variable "egress_policies_dry_run" {
-  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to."
+  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to. Use same formatting as `egress_policies`."
   type = list(object({
     from = any
     to   = any
@@ -110,7 +110,7 @@ variable "egress_policies_dry_run" {
 
 ## Have to solve it like this don't want use optional flag because is still experimental
 variable "ingress_policies_dry_run" {
-  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to."
+  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to. Use same formatting as `ingress_policies`."
   type = list(object({
     from = any
     to   = any