# Google Cloud provider configuration.
# Both settings come from module inputs (declared elsewhere) so the same
# configuration can be applied to different projects/regions without edits.
# NOTE(review): no `terraform { required_providers { ... } }` constraint is
# visible in this file; confirm the provider version is pinned elsewhere in
# the module, otherwise `terraform init` will pick up the newest release.
provider "google" {
  region  = var.region
  project = var.project_id
}
# Organization-scoped Access Context Manager policy.
# The service perimeter and the access level in this file both attach to it
# through `google_access_context_manager_access_policy.access_policy.name`.
resource "google_access_context_manager_access_policy" "access_policy" {
  title  = var.policy_name
  parent = format("organizations/%s", var.organization_id)
}
# VPC Service Controls perimeter around the two trusted projects.
# `status` is the enforced configuration (the provider's `spec` block would be
# the dry-run counterpart); everything below is live once applied.
resource "google_access_context_manager_service_perimeter" "service_perimeter" {
  parent         = google_access_context_manager_access_policy.access_policy.name
  name           = var.service_perimeter_name
  title          = var.service_perimeter_title
  # Regular (enforcing) perimeter, as opposed to a bridge perimeter.
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    # Projects placed inside the perimeter.
    resources           = ["projects/${var.trusted_project_1}", "projects/${var.trusted_project_2}"]
    # Only Cloud Storage is restricted; any other API used by these projects
    # is NOT protected by this perimeter. Extend this list deliberately.
    restricted_services = ["storage.googleapis.com"]
    # Ingress: requests that satisfy the `access_level` defined in this file
    # may call storage.googleapis.com inside the perimeter.
    # NOTE(review): `ingress_from` names no `identities`/`identity_type` and
    # `ingress_to` names no `resources` or `method_selectors`; confirm the
    # intended caller identities and target projects are actually matched
    # by this rule rather than relying on defaults.
    ingress_policies {
      ingress_from {
        sources {
          access_level = google_access_context_manager_access_level.access_level.name
        }
      }
      ingress_to {
        operations {
          service_name = "storage.googleapis.com"
        }
      }
    }
    # Egress: calls to storage.googleapis.com outside the perimeter are
    # permitted. There is no `egress_from` and no `egress_to.resources`, so
    # the rule is not scoped to specific identities or destination projects.
    # NOTE(review): a broad storage egress rule is the usual exfiltration
    # path out of a perimeter; consider listing the specific external
    # projects in `resources` and the allowed identities in `egress_from` —
    # confirm what this egress is meant to support.
    egress_policies {
      egress_to {
        operations {
          service_name = "storage.googleapis.com"
        }
      }
    }
  }
}
# Access level referenced by the perimeter's ingress rule above.
# A `basic` level is granted when its `conditions` are met; within a single
# `conditions` block the fields are combined with AND, so a request must
# originate from one of the listed subnetworks AND come from one of the
# listed members.
resource "google_access_context_manager_access_level" "access_level" {
  parent = google_access_context_manager_access_policy.access_policy.name
  name   = var.access_level_name
  title  = var.access_level_title
  basic {
    conditions {
      # NOTE(review): these are RFC 1918 private ranges. Access levels are
      # evaluated against the request's originating IP as seen by Google,
      # so confirm these ranges match real client sources — and consider
      # moving them to a variable alongside the other inputs in this file.
      ip_subnetworks = ["192.168.1.0/24", "10.0.0.0/16"]
      # NOTE(review): placeholder principals hard-coded in the module; the
      # other identifiers here are variables, so these likely should be too.
      members = ["user:example1@company.com", "user:example2@company.com"]
    }
  }
}