terraform-google-modules / terraform-google-vpc-service-controls

License: Apache-2.0
Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments


Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v2.1.0.

Usage

The root module only handles the configuration of the access_context_manager_policy resource. For examples of how to use the root module along with the other submodules to configure all VPC Service Controls and Access Context Manager resources, see the examples folder and the modules folder.

provider "google" {
  version = "~> 3.19.0"
}

module "org_policy" {
  source      = "terraform-google-modules/vpc-service-controls/google"
  parent_id   = var.parent_id
  policy_name = var.policy_name
}

module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = var.members
}

module "regular_service_perimeter_1" {
  source              = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy              = module.org_policy.policy_id
  perimeter_name      = "regular_perimeter_1"
  description         = "Perimeter shielding projects"
  resources           = ["1111111"]
  access_levels       = [module.access_level_members.name]
  restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
  shared_resources    = {
    all = ["11111111"]
  }
}

Then perform the following commands on the root folder:

  • terraform init to get the plugins
  • terraform plan to see the infrastructure plan
  • terraform apply to apply the infrastructure build
  • terraform destroy to destroy the built infrastructure

Known limitations

The Access Context Manager API guarantees that resources will be created, but there may be a delay between a successful response and the change taking effect. For example, "after you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect". Because of these limitations in the API, you may get an error when running terraform apply for the first time. However, for the examples you should be able to successfully deploy all resources by running terraform apply a second time, about 15 seconds after running it for the first time. You can add a delay using Terraform's null_resource; see the example in the tests.
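A worked version of that workaround, added here as an example rather than code taken from the module's README or tests: a null_resource with a local-exec sleep sits between the policy and the resources that reference it, and the submodules declare depends_on on it (module-level depends_on requires Terraform 0.13+, which matches the Compatibility note above). The 30-second sleep and the project number are assumed placeholder values.

```hcl
# Added example, not part of the module's README. Assumes a POSIX host for
# "sleep"; the sleep length and the project number are placeholders.

module "org_policy" {
  source      = "terraform-google-modules/vpc-service-controls/google"
  parent_id   = var.parent_id
  policy_name = var.policy_name
}

# Pause after the Access Context Manager policy is created so that the API
# change has time to propagate before dependent resources reference it.
# The trigger ties the wait to the policy id, so it re-runs only when the
# policy is recreated, not on every apply.
resource "null_resource" "wait_for_policy" {
  triggers = {
    policy_id = module.org_policy.policy_id
  }

  provisioner "local-exec" {
    command = "sleep 30"
  }
}

module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = var.members

  # Do not create the access level until the policy has propagated.
  depends_on = [null_resource.wait_for_policy]
}

module "regular_service_perimeter_1" {
  source              = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy              = module.org_policy.policy_id
  perimeter_name      = "regular_perimeter_1"
  description         = "Perimeter shielding projects"
  resources           = ["1111111"] # placeholder project number
  access_levels       = [module.access_level_members.name]
  restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]

  # Same ordering guard for the perimeter.
  depends_on = [null_resource.wait_for_policy]
}
```

The sleep only papers over the eventual consistency described above; if the first apply still fails, re-running terraform apply after the propagation window remains the fallback.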

Inputs

Name         Description                                                                                                  Type    Default  Required
parent_id    The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently only an organization is accepted as the parent.  string  n/a      yes
policy_name  The policy's name.                                                                                           string  n/a      yes

Outputs

Name         Description
policy_id    Resource name of the AccessPolicy.
policy_name  The policy's name.

Requirements

Before this module can be used on a project, you must ensure that the following prerequisites are fulfilled:

  1. Terraform is installed on the machine where Terraform is executed.
  2. The Service Account you execute the module with has the right permissions.
  3. The necessary APIs are active on the project.

The project factory can be used to provision projects with the correct APIs active.

Software Dependencies

Terraform

Configure a Service Account

Organization level permissions

In order to create a policy, you need to grant your service account the Access Context Manager Admin role at the organization level:

  • roles/accesscontextmanager.policyAdmin

You may use the following command:

  gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="serviceAccount:example@project_id.iam.gserviceaccount.com" \
    --role="roles/accesscontextmanager.policyAdmin"

Configure user permission

In order to view VPC Service Controls and Access Context Manager using the Google Cloud Platform Console, your user accounts will need to be granted the Resource Manager Organization Viewer role:

  • roles/resourcemanager.organizationViewer

You may use the following command:

  gcloud projects add-iam-policy-binding <my project id> \
    --member="user:[email protected]" \
    --role="roles/resourcemanager.organizationViewer"

For more information, see the Access Context Manager ACL page.

Enable APIs

To use this module you must enable the Access Context Manager API (accesscontextmanager.googleapis.com) on the project.

In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:

  • Storage JSON API - storage-api.googleapis.com
  • Big Query API - bigquery.googleapis.com

Install

Be sure you have the correct Terraform version (0.12.x); you can choose the binary here:
