Add detailed variable types for ingress and egress policy inputs in regular_service_perimeter
3sne opened this issue · 1 comments
TL;DR
It would be beneficial to have detailed variable types for the variables egress_policies
, egress_policies_dry_run
, ingress_policies
and ingress_policies_dry_run
in the regular_service_perimeter
module.
Terraform Resources
1. Ingress Rules Reference: https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference]
2. Egress Rules Reference: https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference
3. google_access_context_manager_service_perimeter: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter
Detailed design
No response
Additional information
With the optional
type attribute generally available since Terraform version 1.3
, the module users will find it very convenient to reference a concrete type for the above variables directly, rather than having to rely on referring the module code to understand what input structure for policy rules are expected by the module.
The current type for these variables only define a rough skeleton:
list(object({
from = any
to = any
}))
The type design can use the ingress & egress rule references from links [1] and [2] to potentially create something like:
variable "ingress_policies" {
default = []
type = list(object({
from = object({
identity_type = optional(string)
identities = optional(list(string))
sources = object({
access_levels = optional(list(string), [])
resources = optional(list(string), [])
})
})
to = object({
resources = optional(list(string), ["*"])
operations = map(object({
methods = optional(list(string), [])
permissions = optional(list(string), [])
}))
})
}))
validation {
# identity_type XOR identities
condition = alltrue([
for ingress_rule in var.ingress_policies: (
(ingress_rule.from.identity_type == null && ingress_rule.from.identities != null)
||
(ingress_rule.from.identity_type != null && ingress_rule.from.identities == null)
)
])
error_message = "Exactly one of from.identity_type OR from.identities must be configured."
}
}
variable "egress_policies" {
default = []
type = list(object({
to = object({
resources = optional(list(string), ["*"])
operations = map(object({
methods = optional(list(string), [])
permissions = optional(list(string), [])
}))
})
from = object({
identity_type = optional(string)
identities = optional(list(string))
})
}))
validation {
# identity_type XOR identities
condition = alltrue([
for egress_rule in var.egress_policies : (
(egress_rule.from.identity_type != null && egress_rule.from.identities == null)
||
(egress_rule.from.identity_type == null && egress_rule.from.identities != null)
)
])
error_message = "Exactly one of from.identity_type OR from.identities must be configured."
}
}
Similar types can be reused for egress_policies_dry_run
& ingress_policies_dry_run
. This should provide module users a good context on the general structure of the expected values!
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days