From 38eb8221543a368c8a84ddb42ad5729517c5040a Mon Sep 17 00:00:00 2001
From: kirantejaj <110390952+kirantejaj@users.noreply.github.com>
Date: Thu, 27 Jul 2023 00:51:02 +0530
Subject: [PATCH] feat: Support for VPCs in dry-run mode (#117)

---
 modules/regular_service_perimeter/README.md | 4 ++--
 modules/regular_service_perimeter/main.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/regular_service_perimeter/README.md b/modules/regular_service_perimeter/README.md
index c54fe33..d31e348 100644
--- a/modules/regular_service_perimeter/README.md
+++ b/modules/regular_service_perimeter/README.md
@@ -110,8 +110,8 @@ module "regular_service_perimeter_1" {
 | restricted\_services | GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | `list(string)` | `[]` | no |
 | restricted\_services\_dry\_run | (Dry-run) GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | shared\_resources | A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources | `object({ all = list(string) })` |
{| no | -| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` |
"all": []
}
[| no | -| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["\*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` |
"*"
]
[| no | +| vpc\_accessible\_services | A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` |
"*"
]
[| no | +| vpc\_accessible\_services\_dry\_run | (Dry-run) A list of [VPC Accessible Services](https://cloud.google.com/vpc-service-controls/docs/vpc-accessible-services) that will be restricted within the VPC Network. Use ["*"] to allow any service (disable VPC Accessible Services); Use ["RESTRICTED-SERVICES"] to match the restricted services list; Use [] to not allow any service. | `list(string)` |
"*"
]
[| no | ## Outputs
diff --git a/modules/regular_service_perimeter/main.tf b/modules/regular_service_perimeter/main.tf
index 533e956..2095aa7 100644
--- a/modules/regular_service_perimeter/main.tf
+++ b/modules/regular_service_perimeter/main.tf
@@ -112,7 +112,7 @@ resource "google_access_context_manager_service_perimeter" "regular_service_peri
 for_each = local.dry_run ? ["dry-run"] : []
 content {
 restricted_services = var.restricted_services_dry_run
- resources = formatlist("projects/%s", var.resources_dry_run)
+ resources = [for item in var.resources_dry_run : can(regex("global/networks", item)) ? format("//compute.googleapis.com/%s", item) : format("projects/%s", item)]
 access_levels = formatlist(
 "accessPolicies/${var.policy}/accessLevels/%s",
 var.access_levels_dry_run
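Review bot: The `can(regex("global/networks", item))` test on the added `resources` line is an unanchored substring match, so an entry such as `global/networks/<name>` with no `projects/<id>/` prefix, or one already written with the `//compute.googleapis.com/` prefix, is still treated as a network and yields a malformed resource name that only surfaces at apply time. Anchoring the classification, e.g. `can(regex("^projects/[^/]+/global/networks/[^/]+$", item))`, makes the accepted shape explicit; alternatively a `validation` block on `var.resources_dry_run` could reject anything that is neither a bare project id nor that form, and the variable's description (not in this patch) should state that VPC networks are given as `projects/<id>/global/networks/<name>`. If the enforced-mode `resources` expression outside this hunk uses the same transform, keeping the two byte-identical matters, because the dry-run result is what an operator reads to judge the perimeter before switching it to enforcement. The enclosing `dynamic` block and the `google_access_context_manager_service_perimeter` resource both start and end outside the hunk.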
"*"
]