Skip to content

feat!: support for externally managed egress/ingress policies #193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
May 14, 2025
Merged

feat!: support for externally managed egress/ingress policies #193

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
32c9237
add ingress policies
caetano-colin Apr 17, 2025
05ab954
remove policies
caetano-colin Apr 17, 2025
4363a1c
update code to use new tf resources
caetano-colin Apr 17, 2025
f400642
update attribute access
caetano-colin Apr 17, 2025
fe0abf9
update to support title field
caetano-colin Apr 17, 2025
d2b46e8
bump version
caetano-colin Apr 17, 2025
6c367bf
Revert "bump version"
caetano-colin Apr 17, 2025
35af325
Merge branch 'main' into support-externally-managed-policies
caetano-colin Apr 22, 2025
b8ed0d7
bump event-function to v5
caetano-colin Apr 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions examples/automatic_folder/watcher.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

module "event_folder_log_entry" {
source = "terraform-google-modules/event-function/google//modules/event-folder-log-entry"
version = "~> 4.0"
version = "~> 5.0"

filter = <<EOF
resource.type="project" AND
Expand All @@ -37,7 +37,7 @@ resource "google_service_account" "watcher" {

module "localhost_function" {
source = "terraform-google-modules/event-function/google"
version = "~> 4.0"
version = "~> 5.0"

description = "Adds projects to VPC service permiterer."
entry_point = "handler"
Expand Down
151 changes: 5 additions & 146 deletions modules/regular_service_perimeter/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,80 +33,7 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
var.access_levels
)

dynamic "ingress_policies" {
for_each = var.ingress_policies
iterator = ingress_policies
content {
ingress_from {
dynamic "sources" {
for_each = merge(
{ for k, v in lookup(lookup(ingress_policies.value["from"], "sources", {}), "resources", []) : v => "resource" },
{ for k, v in lookup(lookup(ingress_policies.value["from"], "sources", {}), "access_levels", []) : v => "access_level" })
content {
resource = sources.value == "resource" ? sources.key : null
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
identity_type = lookup(ingress_policies.value["from"], "identity_type", null)
identities = lookup(ingress_policies.value["from"], "identities", null)
}

ingress_to {
resources = lookup(ingress_policies.value["to"], "resources", ["*"])
dynamic "operations" {
for_each = lookup(ingress_policies.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
}
}
dynamic "egress_policies" {
for_each = var.egress_policies
iterator = egress_policies
content {
egress_from {
identity_type = lookup(egress_policies.value["from"], "identity_type", null)
identities = lookup(egress_policies.value["from"], "identities", null)
dynamic "sources" {
for_each = { for k, v in lookup(lookup(egress_policies.value["from"], "sources", {}), "access_levels", []) : v => "access_level" }
content {
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
source_restriction = lookup(egress_policies.value["from"], "sources", null) != null ? "SOURCE_RESTRICTION_ENABLED" : null
}
egress_to {
resources = lookup(egress_policies.value["to"], "resources", ["*"])
external_resources = lookup(egress_policies.value["to"], "external_resources", [])
dynamic "operations" {
for_each = lookup(egress_policies.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
}
}

dynamic "vpc_accessible_services" {
for_each = contains(var.vpc_accessible_services, "*") ? [] : [var.vpc_accessible_services]
Expand All @@ -128,79 +55,7 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
var.access_levels_dry_run
)

dynamic "ingress_policies" {
for_each = var.ingress_policies_dry_run
iterator = ingress_policies_dry_run
content {
ingress_from {
dynamic "sources" {
for_each = merge(
{ for k, v in lookup(lookup(ingress_policies_dry_run.value["from"], "sources", {}), "resources", []) : v => "resource" },
{ for k, v in lookup(lookup(ingress_policies_dry_run.value["from"], "sources", {}), "access_levels", []) : v => "access_level" })
content {
resource = sources.value == "resource" ? sources.key : null
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
identity_type = lookup(ingress_policies_dry_run.value["from"], "identity_type", null)
identities = lookup(ingress_policies_dry_run.value["from"], "identities", null)
}

ingress_to {
resources = lookup(ingress_policies_dry_run.value["to"], "resources", ["*"])
dynamic "operations" {
for_each = lookup(ingress_policies_dry_run.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
}
}
dynamic "egress_policies" {
for_each = var.egress_policies_dry_run
iterator = egress_policies_dry_run
content {
egress_from {
identity_type = lookup(egress_policies_dry_run.value["from"], "identity_type", null)
identities = lookup(egress_policies_dry_run.value["from"], "identities", null)
dynamic "sources" {
for_each = { for k, v in lookup(lookup(egress_policies_dry_run.value["from"], "sources", {}), "access_levels", []) : v => "access_level" }
content {
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
source_restriction = lookup(egress_policies_dry_run.value["from"], "sources", null) != null ? "SOURCE_RESTRICTION_ENABLED" : null
}
egress_to {
resources = lookup(egress_policies_dry_run.value["to"], "resources", ["*"])
dynamic "operations" {
for_each = lookup(egress_policies_dry_run.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
}
}

dynamic "vpc_accessible_services" {
for_each = contains(var.vpc_accessible_services_dry_run, "*") ? [] : [var.vpc_accessible_services_dry_run]
Expand All @@ -214,7 +69,11 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
use_explicit_dry_run_spec = local.dry_run

lifecycle {
ignore_changes = [status[0].resources]
ignore_changes = [
status[0].resources,
status[0].ingress_policies, # Allows ingress policies to be managed by google_access_context_manager_service_perimeter_ingress_policy resources
status[0].egress_policies # Allows egress policies to be managed by google_access_context_manager_service_perimeter_egress_policy resources
]
}
}

Expand Down
2 changes: 1 addition & 1 deletion modules/regular_service_perimeter/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ terraform {

google = {
source = "hashicorp/google"
version = ">= 5.4, < 7"
version = ">= 6.21, < 7"
}
}

Expand Down
184 changes: 184 additions & 0 deletions modules/regular_service_perimeter/vpc-sc-policies.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
/**
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

resource "google_access_context_manager_service_perimeter_ingress_policy" "ingress_policies" {
for_each = { for k, v in var.ingress_policies : k => v }

perimeter = google_access_context_manager_service_perimeter.regular_service_perimeter.name
title = "Ingress Policy ${each.key}"
ingress_from {
dynamic "sources" {
for_each = merge(
{ for k, v in lookup(lookup(each.value["from"], "sources", {}), "resources", []) : v => "resource" },
{ for k, v in lookup(lookup(each.value["from"], "sources", {}), "access_levels", []) : v => "access_level" })
content {
resource = sources.value == "resource" ? sources.key : null
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
identity_type = lookup(each.value["from"], "identity_type", null)
identities = lookup(each.value["from"], "identities", null)
}

ingress_to {
resources = lookup(each.value["to"], "resources", ["*"])
dynamic "operations" {
for_each = lookup(each.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
lifecycle {
create_before_destroy = true
}
}

resource "google_access_context_manager_service_perimeter_egress_policy" "egress_policies" {
for_each = { for k, v in var.egress_policies : k => v }

perimeter = google_access_context_manager_service_perimeter.regular_service_perimeter.name
title = "Egress Policy ${each.key}"

egress_from {
identity_type = lookup(each.value["from"], "identity_type", null)
identities = lookup(each.value["from"], "identities", null)
dynamic "sources" {
for_each = { for k, v in lookup(lookup(each.value["from"], "sources", {}), "access_levels", []) : v => "access_level" }
content {
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
source_restriction = lookup(each.value["from"], "sources", null) != null ? "SOURCE_RESTRICTION_ENABLED" : null
}
egress_to {
resources = lookup(each.value["to"], "resources", ["*"])
external_resources = lookup(each.value["to"], "external_resources", [])
dynamic "operations" {
for_each = lookup(each.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
lifecycle {
create_before_destroy = true
}
}

############################################
# DRY-RUN POLICIES #
############################################

resource "google_access_context_manager_service_perimeter_dry_run_ingress_policy" "ingress_policies" {
for_each = { for k, v in var.ingress_policies_dry_run : k => v }

perimeter = google_access_context_manager_service_perimeter.regular_service_perimeter.name
title = "Ingress Policy ${each.key}"
ingress_from {
dynamic "sources" {
for_each = merge(
{ for k, v in lookup(lookup(each.value["from"], "sources", {}), "resources", []) : v => "resource" },
{ for k, v in lookup(lookup(each.value["from"], "sources", {}), "access_levels", []) : v => "access_level" })
content {
resource = sources.value == "resource" ? sources.key : null
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
identity_type = lookup(each.value["from"], "identity_type", null)
identities = lookup(each.value["from"], "identities", null)
}

ingress_to {
resources = lookup(each.value["to"], "resources", ["*"])
dynamic "operations" {
for_each = lookup(each.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
lifecycle {
create_before_destroy = true
}
}

resource "google_access_context_manager_service_perimeter_dry_run_egress_policy" "egress_policies" {
for_each = { for k, v in var.egress_policies_dry_run : k => v }

perimeter = google_access_context_manager_service_perimeter.regular_service_perimeter.name
title = "Egress Policy ${each.key}"

egress_from {
identity_type = lookup(each.value["from"], "identity_type", null)
identities = lookup(each.value["from"], "identities", null)
dynamic "sources" {
for_each = { for k, v in lookup(lookup(each.value["from"], "sources", {}), "access_levels", []) : v => "access_level" }
content {
access_level = sources.value == "access_level" ? sources.key != "*" ? "accessPolicies/${var.policy}/accessLevels/${sources.key}" : "*" : null
}
}
source_restriction = lookup(each.value["from"], "sources", null) != null ? "SOURCE_RESTRICTION_ENABLED" : null
}
egress_to {
resources = lookup(each.value["to"], "resources", ["*"])
dynamic "operations" {
for_each = lookup(each.value["to"], "operations", [])
content {
service_name = operations.key
dynamic "method_selectors" {
for_each = operations.key != "*" ? merge(
{ for v in lookup(operations.value, "methods", []) : v => "method" },
{ for v in lookup(operations.value, "permissions", []) : v => "permission" }) : {}
content {
method = method_selectors.value == "method" ? method_selectors.key : null
permission = method_selectors.value == "permission" ? method_selectors.key : null
}
}
}
}
}
lifecycle {
create_before_destroy = true
}
}