terraform-google-vpc-service-controls
This module handles opinionated VPC Service Controls and Access Context Manager configuration and deployments.
Compatibility
This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
Version
Current version is 5.X. Upgrade guides:
- 3.X -> 4.0.
- 4.X -> 6.0.
Usage
The root module only handles the configuration of the access_context_manager_policy resource. For examples of how to use the root module together with the other submodules to configure all VPC Service Controls and Access Context Manager resources, see the examples folder and the modules folder.
```hcl
provider "google" {
  version = "~> 3.19.0"
}

module "org_policy" {
  source      = "terraform-google-modules/vpc-service-controls/google"
  parent_id   = var.parent_id
  policy_name = var.policy_name
}

module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = var.members
}

module "regular_service_perimeter_1" {
  source              = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy              = module.org_policy.policy_id
  perimeter_name      = "regular_perimeter_1"
  description         = "Perimeter shielding projects"
  resources           = ["1111111"]
  access_levels       = [module.access_level_members.name]
  restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
  shared_resources = {
    all = ["11111111"]
  }
}
```
Then perform the following commands on the root folder:
- `terraform init` to get the plugins
- `terraform plan` to see the infrastructure plan
- `terraform apply` to apply the infrastructure build
- `terraform destroy` to destroy the built infrastructure
Known limitations
The Access Context Manager API guarantees that resources will be created, but there may be a delay between a successful response and the change taking effect. For example, "after you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect".
Because of these limitations in the API, you may get an error the first time you run `terraform apply`. However, for the examples you should be able to successfully deploy all resources by running `terraform apply` a second time, about 15 seconds after the first run.
You can add a delay using Terraform's `null_resource`; see the example in the tests.
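The following is an added example of the `null_resource` delay pattern; it is not taken from this module's tests. It assumes the `regular_service_perimeter_1` module from the usage block above, plus two variables of your own, `var.project_id` (the project whose number appears in the perimeter's `resources`) and `var.bucket_name`. The 15-second sleep is a starting value taken from the note above, not a guarantee from the API.

```hcl
# Added example: give Access Context Manager time to propagate the perimeter
# before creating a resource that must already be shielded by it.
# Assumes module.regular_service_perimeter_1 from the usage block, and
# var.project_id / var.bucket_name defined by the caller.

resource "null_resource" "wait_for_perimeter" {
  # Re-run the wait only when the list of shielded projects changes, so a
  # plain re-apply does not sleep again. The list mirrors the perimeter's
  # "resources" argument above.
  triggers = {
    perimeter_resources = join(",", ["1111111"])
  }

  provisioner "local-exec" {
    # Propagation is usually visible within ~15 s in the tests; raise this if
    # the first apply still fails in your environment.
    command = "sleep 15"
  }

  # depends_on a whole module block requires Terraform >= 0.13.
  depends_on = [module.regular_service_perimeter_1]
}

# A bucket created inside the perimeter. storage.googleapis.com is a restricted
# service in the usage block, so once the perimeter is in effect the identity
# running Terraform must be covered by the access level (var.members above) or
# this create call is itself denied. Waiting for propagation makes that failure
# mode deterministic instead of timing-dependent.
resource "google_storage_bucket" "shielded" {
  name     = var.bucket_name # assumption: caller-supplied, globally unique
  project  = var.project_id  # assumption: the project listed in "resources"
  location = "US"

  depends_on = [null_resource.wait_for_perimeter]
}
```

Because `triggers` only changes when the shielded project list changes, a routine `terraform apply` with no perimeter changes does not pay the sleep again; change the trigger value (or taint the `null_resource`) if you need to force another wait.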
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
parent_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organizations are accepted as parent. | string | n/a | yes |
policy_name | The policy's name. | string | n/a | yes |
Outputs
Name | Description |
---|---|
policy_id | Resource name of the AccessPolicy. |
policy_name | The policy's name. |
Requirements
Before this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:
- Terraform is installed on the machine where Terraform is executed.
- The Service Account you execute the module with has the right permissions.
- The necessary APIs are active on the project.
The project factory can be used to provision projects with the correct APIs active.
Software Dependencies
Terraform
- Terraform >= 0.13.0
- terraform-provider-google >= v3.19.0
Configure a Service Account
Organization level permissions
In order to create a policy, you need to grant your service account the Access Context Manager Admin role at the organization level:
- roles/accesscontextmanager.policyAdmin
You may use the following command:
```shell
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="serviceAccount:example@project_id.iam.gserviceaccount.com" \
  --role="roles/accesscontextmanager.policyAdmin"
```
Configure user permission
In order to view VPC Service Controls and Access Context Manager using the Google Cloud Platform Console, your user accounts will need to be granted the Resource Manager Organization Viewer role:
- roles/resourcemanager.organizationViewer
You may use the following command, replacing `<my project id>` and `USER_EMAIL` with your project ID and the user account to grant:
```shell
gcloud projects add-iam-policy-binding <my project id> \
  --member="user:USER_EMAIL" \
  --role="roles/resourcemanager.organizationViewer"
```
For more information see the Access Context Manager ACL page.
Enable APIs
To use this module you must enable the Access Context Manager API (accesscontextmanager.googleapis.com) on the project.
In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:
- Storage JSON API - storage-api.googleapis.com
- Big Query API - bigquery.googleapis.com
Install
Be sure you have the correct Terraform version (0.12.x); you can choose the binary here:
- https://releases.hashicorp.com/terraform/