feat(TPG>=5.4)!: add vpc_network_sources in access level

docs/upgrading_to_v6.0.md

@@ -2,4 +2,4 @@
 
 The v6.x release contains backwards-incompatible changes.
 
-This update requires upgrading the minimum provider version to `4.68`.
+This update requires upgrading the minimum provider version to `5.4`.

examples/access_level_vpc_ip/README.md

@@ -0,0 +1,24 @@
+# Simple Example Access Level
+
+This example illustrates how to use the `vpc-service-controls` module to configure an org policy and an access level
+
+# Requirements
+1. Make sure you've gone through the root [Requirement Section](../../#requirements)
+
+
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | `string` | n/a | yes |
+| project\_id | The ID of the project in which to provision network. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| access\_level | n/a |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/access_level_vpc_ip/main.tf

@@ -0,0 +1,96 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "random_suffix" {
+  byte_length = 2
+}
+
+module "access_context_manager_policy" {
+  source  = "terraform-google-modules/vpc-service-controls/google"
+  version = "~> 5.0"
+
+  parent_id   = var.parent_id
+  policy_name = "int_test_vpc_sc_policy_${random_id.random_suffix.hex}"
+}
+
+# Create Network with a subnetwork and private service access for both netapp.servicenetworking.goog and servicenetworking.googleapis.com
+
+resource "google_compute_network" "network1" {
+  name                    = "vpc-a"
+  project                 = var.project_id
+  auto_create_subnetworks = false
+  description             = "test network"
+}
+
+resource "google_compute_subnetwork" "network1_us_central1" {
+  name                     = "vpc-a-us-central1"
+  ip_cidr_range            = "10.0.0.0/24"
+  region                   = "us-central1"
+  project                  = var.project_id
+  network                  = google_compute_network.network1.self_link
+  private_ip_google_access = true
+}
+
+resource "google_compute_subnetwork" "network1_us_east1" {
+  name                     = "vpc-a-us-east1"
+  ip_cidr_range            = "10.0.1.0/24"
+  region                   = "us-east1"
+  project                  = var.project_id
+  network                  = google_compute_network.network1.self_link
+  private_ip_google_access = true
+}
+
+resource "google_compute_network" "network2" {
+  name                    = "vpc-b"
+  project                 = var.project_id
+  auto_create_subnetworks = false
+  description             = "test network b"
+}
+
+resource "google_compute_subnetwork" "network2_us_central1" {
+  name                     = "vpc-b-us-central1"
+  ip_cidr_range            = "10.0.10.0/24"
+  region                   = "us-central1"
+  project                  = var.project_id
+  network                  = google_compute_network.network2.self_link
+  private_ip_google_access = true
+}
+
+module "access_level_vpc_ranges" {
+  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
+  version = "~> 5.0"
+
+  policy      = module.access_context_manager_policy.policy_id
+  name        = "vpc_ip_address_policy"
+  description = "access level for vpc ip addresses"
+  vpc_network_sources = {
+    "vpc_a" = {
+      network_id = google_compute_network.network1.id
+      ip_address_ranges = [
+        "10.0.0.0/24",
+        "192.169.0.0/16",
+      ]
+    }
+    "vpc_b" = {
+      network_id = google_compute_network.network2.id
+    }
+  }
+  depends_on = [
+    google_compute_subnetwork.network1_us_central1,
+    google_compute_subnetwork.network1_us_east1,
+    google_compute_subnetwork.network2_us_central1,
+  ]
+}

examples/access_level_vpc_ip/outputs.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "access_level" {
+  value = module.access_level_vpc_ranges.access_level
+}

examples/access_level_vpc_ip/variables.tf

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "parent_id" {
+  description = "The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent."
+  type        = string
+}
+
+# variable "policy_name" {
+#   description = "The policy's name."
+#   type        = string
+# }
+
+# variable "protected_project_id" {
+#   description = "Project number of the project INSIDE the regular service perimeter."
+#   type        = number
+# }
+
+# variable "ip_subnetworks" {
+#   description = "A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, \"192.0.2.0/24\" is accepted but \"192.0.2.1/24\" is not. Similarly, for IPv6, \"2001:db8::/32\" is accepted whereas \"2001:db8::1/32\" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed."
+#   type        = list(string)
+# }
+
+variable "project_id" {
+  description = "The ID of the project in which to provision network."
+  type        = string
+}

modules/access_level/README.md

@@ -42,11 +42,13 @@ module "access_level_members" {
 | require\_corp\_owned | Condition - Whether the device needs to be corp owned. | `bool` | `false` | no |
 | require\_screen\_lock | Condition - Whether or not screenlock is required for the DevicePolicy to be true. | `bool` | `false` | no |
 | required\_access\_levels | Condition - A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. | `list(string)` | `[]` | no |
+| vpc\_network\_sources | VPC network's id and list of subnet IP address prefixes . Empty ip\_address\_ranges means all subnets of the VPC. For on-prem IP address connected through VPN/Interconnect, provide the name of VPC which contains cloud router for the VPN/Interconnect and on-prem private IP address prefixes. Cannot specify this field together with ip\_subnetworks | <pre>map(object({<br>    network_id        = string<br>    ip_address_ranges = optional(list(string))<br>  }))</pre> | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| access\_level | access\_level created |
 | name | Description of the AccessLevel and its use. Does not affect behavior. |
 | name\_id | The fully-qualified name of the Access Level. Format: accessPolicies/{policy\_id}/accessLevels/{name} |
 

modules/access_level/main.tf

@@ -48,6 +48,16 @@ resource "google_access_context_manager_access_level" "access_level" {
           }
         }
       }
+
+      dynamic "vpc_network_sources" {
+        for_each = var.vpc_network_sources
+        content {
+          vpc_subnetwork {
+            network            = "//compute.googleapis.com/${vpc_network_sources.value.network_id}"
+            vpc_ip_subnetworks = vpc_network_sources.value.ip_address_ranges
+          }
+        }
+      }
     }
 
     combining_function = var.combining_function

modules/access_level/outputs.tf

@@ -23,3 +23,8 @@ output "name_id" {
   description = "The fully-qualified name of the Access Level. Format: accessPolicies/{policy_id}/accessLevels/{name}"
   value       = local.output_name
 }
+
+output "access_level" {
+  description = "access_level created"
+  value       = google_access_context_manager_access_level.access_level
+}

modules/access_level/variables.tf

@@ -42,6 +42,15 @@ variable "ip_subnetworks" {
   default     = []
 }
 
+variable "vpc_network_sources" {
+  description = "VPC network's id and list of subnet IP address prefixes . Empty ip_address_ranges means all subnets of the VPC. For on-prem IP address connected through VPN/Interconnect, provide the name of VPC which contains cloud router for the VPN/Interconnect and on-prem private IP address prefixes. Cannot specify this field together with ip_subnetworks"
+  type = map(object({
+    network_id        = string
+    ip_address_ranges = optional(list(string))
+  }))
+  default = {}
+}
+
 variable "required_access_levels" {
   description = "Condition - A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true."
   type        = list(string)

modules/access_level/versions.tf

@@ -15,12 +15,12 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
   required_providers {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.50, < 6"
+      version = ">= 5.4, < 6"
     }
   }
 

modules/regular_service_perimeter/versions.tf

@@ -15,12 +15,12 @@
  */
 
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.3"
   required_providers {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.68, < 6"
+      version = ">= 5.4, < 6"
     }
   }
 

test/integration/discover_test.go

@@ -0,0 +1,25 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package test
+
+import (
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+)
+
+func TestAll(t *testing.T) {
+	tft.AutoDiscoverAndTest(t)
+}

test/integration/go.mod

@@ -0,0 +1,84 @@
+module github.com/GoogleCloudPlatform/terraform-google-vpc-service-controls/test/integration
+
+go 1.21
+
+toolchain go1.21.5
+
+require (
+	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1
+	github.com/stretchr/testify v1.8.4
+)
+
+require (
+	cloud.google.com/go v0.110.7 // indirect
+	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/iam v1.1.2 // indirect
+	cloud.google.com/go/storage v1.33.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/aws/aws-sdk-go v1.45.5 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-errors/errors v1.5.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/gruntwork-io/terratest v0.46.8 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-getter v1.7.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-safetemp v1.0.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect
+	github.com/hashicorp/hcl/v2 v2.18.0 // indirect
+	github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 // indirect
+	github.com/hashicorp/terraform-json v0.17.1 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-zglob v0.0.4 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/tidwall/gjson v1.17.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/tidwall/sjson v1.2.5 // indirect
+	github.com/tmccombs/hcl2json v0.6.0 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
+	github.com/zclconf/go-cty v1.14.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/api v0.138.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/grpc v1.58.3 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f // indirect
+	sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)