fix(TPG >= 4.68)!: added missing features for egress policies (#131)

cmalpe · web-flow · commit c6df32651832 · 2024-02-13T14:48:55.000-06:00
diff --git a/README.md b/README.md
@@ -3,11 +3,14 @@
 This module handles opinionated VPC Service Controls and Access Context Manager configuration and deployments.
 
 ## Compatibility
-This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
- If you haven't
-[upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform
-0.12.x-compatible version of this module, the last released version
-intended for Terraform 0.12.x is [v2.1.0](https://registry.terraform.io/modules/terraform-google-modules/-vpc-service-controls/google/v2.1.0).
+This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
+
+## Version
+
+Current version is 5.X. Upgrade guides:
+
+- [3.X -> 4.0.](/docs/upgrading_to_v4.0.md)
+- [4.X -> 6.0.](/docs/upgrading_to_v6.0.md)
 
 ## Usage
 The root module only handles the configuration of the [access_context_manager_policy resource](https://www.terraform.io/docs/providers/google/r/access_context_manager_access_policy.html). For examples on how to use the root module with along with other submodules to configure all of VPC Service Controls and Access Context Manager resources, see the [examples](./examples/) folder and the [modules](./modules/) folder
diff --git a/docs/upgrading_to_v6.0.md b/docs/upgrading_to_v6.0.md
@@ -0,0 +1,5 @@
+# Upgrading to v6.x
+
+The v6.x release contains backwards-incompatible changes.
+
+This update requires upgrading the minimum provider version to `4.68`.
diff --git a/modules/regular_service_perimeter/main.tf b/modules/regular_service_perimeter/main.tf
@@ -35,6 +35,7 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 
     dynamic "ingress_policies" {
       for_each = var.ingress_policies
+      iterator = ingress_policies
       content {
         ingress_from {
           dynamic "sources" {
@@ -72,10 +73,18 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
     }
     dynamic "egress_policies" {
       for_each = var.egress_policies
+      iterator = egress_policies
       content {
         egress_from {
           identity_type = lookup(egress_policies.value["from"], "identity_type", null)
           identities    = lookup(egress_policies.value["from"], "identities", null)
+          dynamic "sources" {
+            for_each = { for k, v in lookup(egress_policies.value["from"]["sources"], "access_levels", []) : v => "access_level" }
+            content {
+              access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
+            }
+          }
+          source_restriction = egress_policies.value["from"]["sources"] != null ? "SOURCE_RESTRICTION_ENABLED" : null
         }
         egress_to {
           resources = lookup(egress_policies.value["to"], "resources", ["*"])
@@ -120,25 +129,26 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 
       dynamic "ingress_policies" {
         for_each = var.ingress_policies_dry_run
+        iterator = ingress_policies_dry_run
         content {
           ingress_from {
             dynamic "sources" {
               for_each = merge(
-                { for k, v in lookup(ingress_policies.value["from"]["sources"], "resources", []) : v => "resource" },
-              { for k, v in lookup(ingress_policies.value["from"]["sources"], "access_levels", []) : v => "access_level" })
+                { for k, v in lookup(ingress_policies_dry_run.value["from"]["sources"], "resources", []) : v => "resource" },
+              { for k, v in lookup(ingress_policies_dry_run.value["from"]["sources"], "access_levels", []) : v => "access_level" })
               content {
                 resource     = sources.value == "resource" ? sources.key : null
                 access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
               }
             }
-            identity_type = lookup(ingress_policies.value["from"], "identity_type", null)
-            identities    = lookup(ingress_policies.value["from"], "identities", null)
+            identity_type = lookup(ingress_policies_dry_run.value["from"], "identity_type", null)
+            identities    = lookup(ingress_policies_dry_run.value["from"], "identities", null)
           }
 
           ingress_to {
-            resources = lookup(ingress_policies.value["to"], "resources", ["*"])
+            resources = lookup(ingress_policies_dry_run.value["to"], "resources", ["*"])
             dynamic "operations" {
-              for_each = ingress_policies.value["to"]["operations"]
+              for_each = ingress_policies_dry_run.value["to"]["operations"]
               content {
                 service_name = operations.key
                 dynamic "method_selectors" {
@@ -157,15 +167,23 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
       }
       dynamic "egress_policies" {
         for_each = var.egress_policies_dry_run
+        iterator = egress_policies_dry_run
         content {
           egress_from {
-            identity_type = lookup(egress_policies.value["from"], "identity_type", null)
-            identities    = lookup(egress_policies.value["from"], "identities", null)
+            identity_type = lookup(egress_policies_dry_run.value["from"], "identity_type", null)
+            identities    = lookup(egress_policies_dry_run.value["from"], "identities", null)
+            dynamic "sources" {
+              for_each = { for k, v in lookup(egress_policies_dry_run.value["from"]["sources"], "access_levels", []) : v => "access_level" }
+              content {
+                access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
+              }
+            }
+            source_restriction = egress_policies_dry_run.value["from"]["sources"] != null ? "SOURCE_RESTRICTION_ENABLED" : null
           }
           egress_to {
-            resources = lookup(egress_policies.value["to"], "resources", ["*"])
+            resources = lookup(egress_policies_dry_run.value["to"], "resources", ["*"])
             dynamic "operations" {
-              for_each = lookup(egress_policies.value["to"], "operations", [])
+              for_each = lookup(egress_policies_dry_run.value["to"], "operations", [])
               content {
                 service_name = operations.key
                 dynamic "method_selectors" {
diff --git a/modules/regular_service_perimeter/versions.tf b/modules/regular_service_perimeter/versions.tf
@@ -15,12 +15,12 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3.0"
   required_providers {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.50, < 6"
+      version = ">= 4.68, < 6"
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -15,12 +15,12 @@`
`15`	`15`	`*/`
`16`	`16`
`17`	`17`	`terraform {`
`18`		`- required_version = ">= 0.13"`
	`18`	`+ required_version = ">= 1.3.0"`
`19`	`19`	`required_providers {`
`20`	`20`
`21`	`21`	`google = {`
`22`	`22`	`source = "hashicorp/google"`
`23`		`- version = ">= 3.50, < 6"`
	`23`	`+ version = ">= 4.68, < 6"`
`24`	`24`	`}`
`25`	`25`	`}`
`26`	`26`