From c102aea178263038d1113578e5c6aa52d4b79766 Mon Sep 17 00:00:00 2001
From: Leonardo Morales
Date: Mon, 14 Mar 2022 11:06:46 -0400
Subject: [PATCH 1/6] Added VPC Accessible Services configuration
---
 modules/regular_service_perimeter/README.md | 2 ++
 modules/regular_service_perimeter/main.tf | 18 +++++++++++++++++-
 modules/regular_service_perimeter/variables.tf | 12 ++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/modules/regular_service_perimeter/README.md b/modules/regular_service_perimeter/README.md
index f9b5786..0492945 100644
--- a/modules/regular_service_perimeter/README.md
+++ b/modules/regular_service_perimeter/README.md
@@ -110,6 +110,8 @@ module "regular_service_perimeter_1" {
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` |
{
"all": []
}
| no |
+| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["RESTRICTED-SERVICES"] to match the restricted services list. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["RESTRICTED-SERVICES"] to match the restricted services list. | `list(string)` |
[
"*"
]
| no |
 ## Outputs
diff --git a/modules/regular_service_perimeter/main.tf b/modules/regular_service_perimeter/main.tf
index 8ddb5fd..559be19 100644
--- a/modules/regular_service_perimeter/main.tf
+++ b/modules/regular_service_perimeter/main.tf
@@ -15,7 +15,7 @@
 */
 locals {
- dry_run = (length(var.restricted_services_dry_run) > 0 || length(var.resources_dry_run) > 0 || length(var.access_levels_dry_run) > 0)
+ dry_run = (length(var.restricted_services_dry_run) > 0 || length(var.resources_dry_run) > 0 || length(var.access_levels_dry_run) > 0 || !contains(var.vpc_accessible_services_dry_run, "*"))
 }
 resource "google_access_context_manager_service_perimeter" "regular_service_perimeter" {
@@ -97,6 +97,14 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 }
 }
 }
+
+ dynamic "vpc_accessible_services" {
+ for_each = contains(var.vpc_accessible_services, "*") ? [] : [var.vpc_accessible_services]
+ content {
+ enable_restriction = true
+ allowed_services = vpc_accessible_services.value
+ }
+ }
 }
@@ -174,6 +182,14 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 }
 }
 }
+
+ dynamic "vpc_accessible_services" {
+ for_each = contains(var.vpc_accessible_services_dry_run, "*") ? [] : [var.vpc_accessible_services_dry_run]
+ content {
+ enable_restriction = true
+ allowed_services = vpc_accessible_services.value
+ }
+ }
 }
 }
 use_explicit_dry_run_spec = local.dry_run
diff --git a/modules/regular_service_perimeter/variables.tf b/modules/regular_service_perimeter/variables.tf
index c13b6f2..8f8ca31 100644
--- a/modules/regular_service_perimeter/variables.tf
+++ b/modules/regular_service_perimeter/variables.tf
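Review bot: `contains(var.vpc_accessible_services, "*")` in the first dynamic block's `for_each`, the same test in the dry-run block, and `!contains(var.vpc_accessible_services_dry_run, "*")` in `local.dry_run` all treat any list that merely contains `"*"` as "not configured", so an input such as `["*", "storage.googleapis.com"]` silently drops the restriction instead of failing. Since `allowed_services` is the set of APIs callable from inside the perimeter's networks, that is a fail-open path; the mixed form is best rejected in this patch's variables.tf hunk with a `validation` block on each variable, e.g. `condition = !contains(var.vpc_accessible_services, "*") || length(var.vpc_accessible_services) == 1`. The `"*"` sentinel also differs from the `length(...) > 0` sentinel used for every other dry-run input on the `dry_run` line; that is deliberate because `[]` is a real deny-all value here, and it deserves a comment on that line such as `# ["*"] means "not configured"; [] is a real (deny-all) setting, so length() cannot be the sentinel`. The `resource` block both hunks modify starts and ends outside them.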
@@ -117,3 +117,15 @@ variable "ingress_policies_dry_run" {
 }))
 default = []
 }
+
+variable "vpc_accessible_services" {
+ description = "A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"RESTRICTED-SERVICES\"] to match the restricted services list."
+ type = list(string)
+ default = ["*"]
+}
+
+variable "vpc_accessible_services_dry_run" {
+ description = "(Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"RESTRICTED-SERVICES\"] to match the restricted services list."
+ type = list(string)
+ default = ["*"]
+}
From 2e26f54635d2ae91db1586796dbe4006541b181d Mon Sep 17 00:00:00 2001
From: Leonardo Morales
Date: Tue, 15 Mar 2022 19:59:02 -0400
Subject: [PATCH 2/6] Minor documentation update
---
 modules/regular_service_perimeter/README.md | 4 ++--
 modules/regular_service_perimeter/variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/regular_service_perimeter/README.md b/modules/regular_service_perimeter/README.md
index 0492945..e01ca5d 100644
--- a/modules/regular_service_perimeter/README.md
+++ b/modules/regular_service_perimeter/README.md
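Review bot: Both new `description` strings say the listed services "will be restricted within the VPC Network", which is the inverse of what main.tf does with the value: it becomes `allowed_services`, i.e. the only APIs reachable from the perimeter's networks, with every other service blocked. An operator who reads the description as a block-list would configure the allow-list backwards, so the wording should state the allow semantics, e.g. `description = "Services that remain reachable from inside the perimeter's VPC networks (VPC Accessible Services); all other services are blocked. Use [\"*\"] to leave the restriction disabled, [\"RESTRICTED-SERVICES\"] to mirror the restricted services list, or [] to block all services."`. The description edits in patches 2, 4 and 5 (and the README regenerated from them in patches 3 and 6) keep the same "will be restricted" phrasing, so the fix applies there too.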
@@ -110,8 +110,8 @@ module "regular_service_perimeter_1" {
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` |
{
"all": []
}
| no |
-| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["RESTRICTED-SERVICES"] to match the restricted services list. | `list(string)` |
[
"*"
]
| no |
-| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["RESTRICTED-SERVICES"] to match the restricted services list. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
 ## Outputs
diff --git a/modules/regular_service_perimeter/variables.tf b/modules/regular_service_perimeter/variables.tf
index 8f8ca31..9b04d2a 100644
--- a/modules/regular_service_perimeter/variables.tf
+++ b/modules/regular_service_perimeter/variables.tf
@@ -119,13 +119,13 @@ variable "ingress_policies_dry_run" {
 }
 variable "vpc_accessible_services" {
- description = "A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"RESTRICTED-SERVICES\"] to match the restricted services list."
+ description = "A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service."
 type = list(string)
 default = ["*"]
 }
 variable "vpc_accessible_services_dry_run" {
- description = "(Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"RESTRICTED-SERVICES\"] to match the restricted services list."
+ description = "(Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service."
 type = list(string)
 default = ["*"]
 }
From b88f50a38fb586722ce29d6413f7e28cc155d155 Mon Sep 17 00:00:00 2001
From: Leonardo Morales
Date: Tue, 15 Mar 2022 20:07:24 -0400
Subject: [PATCH 3/6] malformatted documentation fix
---
 modules/regular_service_perimeter/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/regular_service_perimeter/README.md b/modules/regular_service_perimeter/README.md
index e01ca5d..8b072dc 100644
--- a/modules/regular_service_perimeter/README.md
+++ b/modules/regular_service_perimeter/README.md
@@ -110,8 +110,8 @@ module "regular_service_perimeter_1" {
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` |
{
"all": []
}
| no |
-| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
-| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
 ## Outputs
From bb441e7e313cf47cee637e75206dfb96202ebe02 Mon Sep 17 00:00:00 2001
From: Leonardo Morales
Date: Wed, 16 Mar 2022 15:22:43 -0400
Subject: [PATCH 4/6] Minor description fix
Co-authored-by: Bharath KKB
---
 modules/regular_service_perimeter/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/regular_service_perimeter/variables.tf b/modules/regular_service_perimeter/variables.tf
index 9b04d2a..9d401a2 100644
--- a/modules/regular_service_perimeter/variables.tf
+++ b/modules/regular_service_perimeter/variables.tf
@@ -119,7 +119,7 @@ variable "ingress_policies_dry_run" {
 }
 variable "vpc_accessible_services" {
- description = "A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service."
+ description = "A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to not allow any service."
 type = list(string)
 default = ["*"]
 }
From b5c2ed669c47732493d921bb4312e66f65b9591f Mon Sep 17 00:00:00 2001
From: Leonardo Morales
Date: Wed, 16 Mar 2022 15:22:50 -0400
Subject: [PATCH 5/6] Minor description fix
Co-authored-by: Bharath KKB
---
 modules/regular_service_perimeter/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/regular_service_perimeter/variables.tf b/modules/regular_service_perimeter/variables.tf
index 9d401a2..64c0b07 100644
--- a/modules/regular_service_perimeter/variables.tf
+++ b/modules/regular_service_perimeter/variables.tf
@@ -125,7 +125,7 @@ variable "vpc_accessible_services" {
 }
 variable "vpc_accessible_services_dry_run" {
- description = "(Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to do not allow any service."
+ description = "(Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use [\"*\"] to allow any service (disable VPC Accessible Services); Use [\"RESTRICTED-SERVICES\"] to match the restricted services list; Use [] to not allow any service."
 type = list(string)
 default = ["*"]
 }
From b5908fc6cb62fd79e83aa1aa1ebd898180259123 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Thu, 17 Mar 2022 03:29:41 +0000
Subject: [PATCH 6/6] regen docs
---
 modules/regular_service_perimeter/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/regular_service_perimeter/README.md b/modules/regular_service_perimeter/README.md
index 8b072dc..85c354c 100644
--- a/modules/regular_service_perimeter/README.md
+++ b/modules/regular_service_perimeter/README.md
@@ -110,8 +110,8 @@ module "regular_service_perimeter_1" {
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` |
{
"all": []
}
| no |
-| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
-| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to do not allow any service. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` |
[
"*"
]
| no |
+| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` |
[
"*"
]
| no |
 ## Outputs