/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# Names shared by the access level, the perimeter and the project attachments
# below. All of them carry the same suffix so the objects are easy to correlate
# in the Access Context Manager console and in audit logs.
locals {
  # A caller-supplied suffix takes precedence; an empty string falls back to
  # the random one generated in this module.
  suffix = var.common_suffix == "" ? random_id.suffix.hex : var.common_suffix

  # Short names as expected by the access_level / regular_service_perimeter modules.
  perimeter_name     = format("rp_dwh_%s_%s", var.common_name, local.suffix)
  access_policy_name = format("ac_dwh_%s_%s", var.common_name, local.suffix)

  # Fully-qualified perimeter resource name:
  # accessPolicies/<policy id>/servicePerimeters/<perimeter name>
  regular_service_perimeter_name = format(
    "accessPolicies/%s/servicePerimeters/%s",
    var.access_context_manager_policy_id,
    local.perimeter_name,
  )
}
# Random suffix used by local.suffix when var.common_suffix is empty.
# It is generated once and kept in state, so names stay stable across applies.
resource "random_id" "suffix" {
  byte_length = 4 # 4 random bytes -> 8 hex characters via .hex
}
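# Access level attached to the perimeter below. Requests that satisfy these
# conditions (identity, source network, region, device posture, other access
# levels) are allowed through the perimeter to the restricted services; every
# input is pass-through from variables, so the effective policy is decided by
# the caller of this module.
module "access_level_policy" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  version = "~> 5.1"

  policy = var.access_context_manager_policy_id
  name   = local.access_policy_name
  # The previous description was the upstream module's example text
  # ("policy with all available options to configure") and said nothing about
  # this deployment; describe the level's actual purpose instead so it is
  # meaningful when read in the Access Context Manager console.
  description = "Secured Data Warehouse access level: identities, networks, regions and devices allowed into the DWH perimeter"

  # Identities (users, groups, service accounts) granted access.
  members = var.perimeter_members

  # Source network / geographic conditions.
  ip_subnetworks = var.access_level_ip_subnetworks
  regions        = var.access_level_regions

  # How the conditions are combined (AND/OR) and whether the combined
  # condition is negated.
  combining_function = var.access_level_combining_function
  negate             = var.access_level_negate

  # Device-policy conditions.
  require_screen_lock              = var.access_level_require_screen_lock
  require_corp_owned               = var.access_level_require_corp_owned
  allowed_encryption_statuses      = var.access_level_allowed_encryption_statuses
  allowed_device_management_levels = var.access_level_allowed_device_management_levels
  minimum_version                  = var.access_level_minimum_version
  os_type                          = var.access_level_os_type

  # Other access levels that must also be satisfied for this one to apply.
  required_access_levels = var.required_access_levels
}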
# Enforced (not dry-run) VPC Service Controls perimeter for the data warehouse.
# Projects are attached separately by the service_perimeter_resource resource
# below; the access level above is the only access level granted here.
#
# Any widening of the perimeter lives in var.egress_policies /
# var.ingress_policies, which are passed straight through - review those inputs
# with the same care as the service list, since they are what allows data to
# leave or enter the perimeter.
module "regular_service_perimeter" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  version = "~> 5.1"

  policy         = var.access_context_manager_policy_id
  perimeter_name = local.perimeter_name
  description    = "Secured Data Warehouse VPC Service Controls perimeter"

  # Access level that may cross the perimeter boundary.
  access_levels = [module.access_level_policy.name]

  # Caller-supplied ingress/egress rules (pass-through, see note above).
  egress_policies  = var.egress_policies
  ingress_policies = var.ingress_policies

  # Endpoints on VPC networks inside the perimeter may only reach the
  # services listed in restricted_services; all other Google APIs are blocked
  # from inside the perimeter.
  vpc_accessible_services = ["RESTRICTED-SERVICES"]

  # Services protected by the perimeter. Calls to these APIs from outside
  # the perimeter (and from non-member projects) are denied unless an
  # ingress policy or the access level allows them.
  #
  # NOTE(review): this is a point-in-time snapshot of the VPC SC supported
  # products list. Some entries (e.g. clouddebugger, gameservices) correspond
  # to products that appear to have been retired since - confirm the list
  # against the current supported-products list and add newly supported
  # services, since a service missing here is NOT protected by the perimeter.
  restricted_services = [
    "accessapproval.googleapis.com",
    "adsdatahub.googleapis.com",
    "aiplatform.googleapis.com",
    "alloydb.googleapis.com",
    "alpha-documentai.googleapis.com",
    "analyticshub.googleapis.com",
    "apigee.googleapis.com",
    "apigeeconnect.googleapis.com",
    "artifactregistry.googleapis.com",
    "assuredworkloads.googleapis.com",
    "automl.googleapis.com",
    "baremetalsolution.googleapis.com",
    "batch.googleapis.com",
    # BigQuery family - the core of the data warehouse.
    "bigquery.googleapis.com",
    "bigquerydatapolicy.googleapis.com",
    "bigquerydatatransfer.googleapis.com",
    "bigquerymigration.googleapis.com",
    "bigqueryreservation.googleapis.com",
    "bigtable.googleapis.com",
    "binaryauthorization.googleapis.com",
    "cloud.googleapis.com",
    "cloudasset.googleapis.com",
    "cloudbuild.googleapis.com",
    "clouddebugger.googleapis.com",
    "clouddeploy.googleapis.com",
    "clouderrorreporting.googleapis.com",
    "cloudfunctions.googleapis.com",
    # KMS is in the perimeter so key material and key usage stay inside it.
    "cloudkms.googleapis.com",
    "cloudprofiler.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudscheduler.googleapis.com",
    "cloudsearch.googleapis.com",
    "cloudtrace.googleapis.com",
    "composer.googleapis.com",
    "compute.googleapis.com",
    "connectgateway.googleapis.com",
    "contactcenterinsights.googleapis.com",
    "container.googleapis.com",
    "containeranalysis.googleapis.com",
    "containerfilesystem.googleapis.com",
    "containerregistry.googleapis.com",
    "containerthreatdetection.googleapis.com",
    # Data processing / pipeline services.
    "datacatalog.googleapis.com",
    "dataflow.googleapis.com",
    "datafusion.googleapis.com",
    "datamigration.googleapis.com",
    "dataplex.googleapis.com",
    "dataproc.googleapis.com",
    "datastream.googleapis.com",
    "dialogflow.googleapis.com",
    # DLP (de-identification / re-identification) is kept inside the perimeter.
    "dlp.googleapis.com",
    "dns.googleapis.com",
    "documentai.googleapis.com",
    "domains.googleapis.com",
    "eventarc.googleapis.com",
    "file.googleapis.com",
    "firebaseappcheck.googleapis.com",
    "firebaserules.googleapis.com",
    "firestore.googleapis.com",
    "gameservices.googleapis.com",
    "gkebackup.googleapis.com",
    "gkeconnect.googleapis.com",
    "gkehub.googleapis.com",
    "healthcare.googleapis.com",
    # Identity / credential services.
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "iaptunnel.googleapis.com",
    "ids.googleapis.com",
    "integrations.googleapis.com",
    "kmsinventory.googleapis.com",
    "krmapihosting.googleapis.com",
    "language.googleapis.com",
    "lifesciences.googleapis.com",
    "logging.googleapis.com",
    "managedidentities.googleapis.com",
    "memcache.googleapis.com",
    "meshca.googleapis.com",
    "meshconfig.googleapis.com",
    "metastore.googleapis.com",
    "ml.googleapis.com",
    "monitoring.googleapis.com",
    "networkconnectivity.googleapis.com",
    "networkmanagement.googleapis.com",
    "networksecurity.googleapis.com",
    "networkservices.googleapis.com",
    "notebooks.googleapis.com",
    "opsconfigmonitoring.googleapis.com",
    "orgpolicy.googleapis.com",
    "osconfig.googleapis.com",
    "oslogin.googleapis.com",
    "privateca.googleapis.com",
    "pubsub.googleapis.com",
    "pubsublite.googleapis.com",
    "recaptchaenterprise.googleapis.com",
    "recommender.googleapis.com",
    "redis.googleapis.com",
    "retail.googleapis.com",
    "run.googleapis.com",
    "secretmanager.googleapis.com",
    "servicecontrol.googleapis.com",
    "servicedirectory.googleapis.com",
    "spanner.googleapis.com",
    "speakerid.googleapis.com",
    "speech.googleapis.com",
    "sqladmin.googleapis.com",
    # Cloud Storage - the usual path for bulk data exfiltration, so it must stay listed.
    "storage.googleapis.com",
    "storagetransfer.googleapis.com",
    "sts.googleapis.com",
    "texttospeech.googleapis.com",
    "timeseriesinsights.googleapis.com",
    "tpu.googleapis.com",
    "trafficdirector.googleapis.com",
    "transcoder.googleapis.com",
    "translate.googleapis.com",
    "videointelligence.googleapis.com",
    "vision.googleapis.com",
    "visionai.googleapis.com",
    "vmmigration.googleapis.com",
    "vpcaccess.googleapis.com",
    "webrisk.googleapis.com",
    "workflows.googleapis.com",
    "workstations.googleapis.com",
  ]
}
# Attach each project in var.resources to the perimeter created above, one
# resource per project so that adding or removing a project touches only its
# own attachment.
resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
  for_each = var.resources

  # accessPolicies/<policy id>/servicePerimeters/<perimeter name>, built from
  # the module output so the attachment follows the perimeter that was
  # actually created.
  perimeter_name = format(
    "accessPolicies/%s/servicePerimeters/%s",
    var.access_context_manager_policy_id,
    module.regular_service_perimeter.perimeter_name,
  )

  # NOTE(review): Access Context Manager expects project *numbers* in
  # "projects/<n>", not project IDs - confirm var.resources is populated
  # with numbers by the caller.
  resource = "projects/${each.value}"

  depends_on = [module.regular_service_perimeter]
}
# VPC Service Controls changes take effect asynchronously. Resources that
# depend on this sleep are therefore not created until 240s after the access
# level, the perimeter and all project attachments exist, so they are not
# created while the perimeter is still only partially enforced.
# No destroy_duration is set, so destroy does not wait.
resource "time_sleep" "wait_for_vpc_sc_propagation" {
  depends_on = [
    module.access_level_policy,
    module.regular_service_perimeter,
    google_access_context_manager_service_perimeter_resource.service_perimeter_resource,
  ]

  create_duration = "240s"
}