Access Perimeter Submodule

This module handles opinionated configuration and deployment of an access_context_manager_service_perimeter resource for regular (non-bridge) service perimeter types.

Usage

provider "google" {
  version     = "~> 2.5.0"
}

module "org_policy" {
  source      = "terraform-google-modules/vpc-service-controls/google"
  parent_id   = var.parent_id
  policy_name = var.policy_name
}

module "regular_service_perimeter_1" {
  source         = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy         = module.org_policy.policy_id
  perimeter_name = "regular_perimeter_1"
  description    = "Some description"
  resources      = ["1111111111"]

  restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]

  ingress_policies = [{
      "from" = {
        "sources" = {
          resources = [
            "projects/688789777678",
            "projects/557367936583"
          ],
          access_levels = [
              "some_access_level_name"
          ]
        },
        "identity_type" = ""
        "identities"    = ["some_user_identity or service account"]
      }
      "to" = {
        "operations" = {
          "bigquery.googleapis.com" = {
            "methods" = [
              "BigQueryStorage.ReadRows",
              "TableService.ListTables"
            ],
            "permissions" = [
              "bigquery.jobs.get"
            ]
          }
          "storage.googleapis.com" = {
            "methods" = [
              "google.storage.objects.create"
            ]
          }
        }
      }
    },
  ]
  egress_policies = [{
      "from" = {
        "identity_type" = ""
        "identities"    = ["some_user_identity or service account"]
      },
      "to" = {
        "resources" = ["*"]
        "operations" = {
          "bigquery.googleapis.com" = {
            "methods" = [
              "BigQueryStorage.ReadRows",
              "TableService.ListTables"
            ],
            "permissions" = [
              "bigquery.jobs.get"
            ]
          }
          "storage.googleapis.com" = {
            "methods" = [
              "google.storage.objects.create"
            ]
          }
        }
      }
    },
  ]

  shared_resources = {
    all = ["1111111111"]
  }
}

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_levels | A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. Example: 'accessPolicies/MY_POLICY/accessLevels/MY_LEVEL'. For Service Perimeter Bridge, must be empty. | list(string) | [] | no |
| access_levels_dry_run | (Dry-run) A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. Example: 'accessPolicies/MY_POLICY/accessLevels/MY_LEVEL'. For Service Perimeter Bridge, must be empty. If set, a dry-run policy will be set. | list(string) | [] | no |
| description | Description of the regular perimeter | string | n/a | yes |
| egress_policies | A list of all egress policies; each list object has a from and a to value that describe egress_from and egress_to. | list(object({ from = any, to = any })) | [] | no |
| egress_policies_dry_run | A list of all egress policies; each list object has a from and a to value that describe egress_from and egress_to. | list(object({ from = any, to = any })) | [] | no |
| ingress_policies | A list of all ingress policies; each list object has a from and a to value that describe ingress_from and ingress_to. | list(object({ from = any, to = any })) | [] | no |
| ingress_policies_dry_run | A list of all ingress policies; each list object has a from and a to value that describe ingress_from and ingress_to. | list(object({ from = any, to = any })) | [] | no |
| perimeter_name | Name of the perimeter. Should be one unified string. Must only be letters, numbers and underscores. | any | n/a | yes |
| policy | Name of the parent policy | string | n/a | yes |
| resources | A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. | list(string) | [] | no |
| resources_dry_run | (Dry-run) A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. If set, a dry-run policy will be set. | list(string) | [] | no |
| restricted_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | list(string) | [] | no |
| restricted_services_dry_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | list(string) | [] | no |
| shared_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeter's resources. | object({ all = list(string) }) | { "all": [] } | no |
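The `*_dry_run` inputs above let a perimeter be staged before it blocks anything. The following is an added example, not part of this README or the module's own code: it reuses the `module "org_policy"` block from the Usage section and puts the whole configuration into dry-run mode, so would-be denials show up in the VPC Service Controls audit logs while no request is rejected; once the logs are clean, the same values move to the enforced inputs. Project numbers, the access level name and the service account are assumed placeholders.

```hcl
# Added example: stage the perimeter in dry-run mode before enforcing it.
# All project numbers, the access level and the service account are assumed.
module "regular_service_perimeter_staged" {
  source         = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy         = module.org_policy.policy_id
  perimeter_name = "regular_perimeter_staged"
  description    = "Perimeter staged in dry-run before enforcement"

  # Enforced inputs stay empty, so nothing is blocked during the dry run.
  resources           = []
  restricted_services = []

  # Dry-run inputs mirror the enforced ones one-to-one.
  resources_dry_run           = ["1111111111"]                                     # assumed project number
  restricted_services_dry_run = ["storage.googleapis.com", "bigquery.googleapis.com"]
  access_levels_dry_run       = ["accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"] # placeholder, as in the Inputs table

  # Ingress: only one named caller project and one identity may read objects.
  ingress_policies_dry_run = [{
    from = {
      sources = {
        resources     = ["projects/2222222222"] # assumed caller project
        access_levels = []
      }
      identity_type = ""
      identities    = ["serviceAccount:etl@example-project.iam.gserviceaccount.com"] # assumed
    }
    to = {
      operations = {
        "storage.googleapis.com" = {
          methods = ["google.storage.objects.get"]
        }
      }
    }
  }]

  # Egress: scoped to one destination project instead of "*".
  egress_policies_dry_run = [{
    from = {
      identity_type = ""
      identities    = ["serviceAccount:etl@example-project.iam.gserviceaccount.com"] # assumed
    }
    to = {
      resources = ["projects/3333333333"] # assumed destination project
      operations = {
        "bigquery.googleapis.com" = {
          methods = ["BigQueryStorage.ReadRows"]
        }
      }
    }
  }]
}
```

Promotion is a rename of each `*_dry_run` input to its enforced counterpart; keeping the dry-run inputs populated alongside the enforced ones lets a proposed tightening be evaluated against live traffic before it takes effect.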

Outputs

| Name | Description |
|------|-------------|
| perimeter_name | The perimeter's name. |
| resources | A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. |
| shared_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeter's resources. |