feat: Add support for attaching projects to a VPC Service Controls perimeter (#428)

Author: kwraith05

.kitchen.yml

@@ -32,6 +32,11 @@ suites:
       name: terraform
       command_timeout: 1800
       root_module_directory: test/fixtures/minimal
+  - name: vpc_sc_project
+    driver:
+      name: terraform
+      command_timeout: 1800
+      root_module_directory: test/fixtures/vpc_sc_project
   - name: fabric_project
     driver:
       name: terraform

README.md

@@ -148,6 +148,8 @@ determining that location is as follows:
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 | use\_tf\_google\_credentials\_env\_var | Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | bool | `"false"` | no |
+| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | bool | `"false"` | no |
+| vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | string | `"null"` | no |
 
 ## Outputs
 

build/int.cloudbuild.yaml

@@ -28,13 +28,19 @@ steps:
   args: ['/bin/bash', '-c', 'ln -s /root/.terraform.d/plugins ~/.terraform.d/plugins && source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
 - id: converge
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'ln -s /root/.terraform.d/plugins ~/.terraform.d/plugins && source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
+  args: ['/bin/bash', '-c', 'ln -s /root/.terraform.d/plugins ~/.terraform.d/plugins && source /usr/local/bin/task_helper_functions.sh && export TF_VAR_policy_id=$(gcloud access-context-manager policies list --organization="${TF_VAR_org_id:?}" --format="value(name)") && kitchen_do converge']
+  env:
+  - 'TF_VAR_org_id=$_ORG_ID'
+  - 'TF_VAR_domain=test.infra.cft.tips.'
 - id: verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'ln -s /root/.terraform.d/plugins ~/.terraform.d/plugins && source /usr/local/bin/task_helper_functions.sh && kitchen_do verify']
 - id: destroy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'ln -s /root/.terraform.d/plugins ~/.terraform.d/plugins && source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+  args: ['/bin/bash', '-c', 'ln -s /root/.terraform.d/plugins ~/.terraform.d/plugins && source /usr/local/bin/task_helper_functions.sh && export TF_VAR_policy_id=$(gcloud access-context-manager policies list --organization="${TF_VAR_org_id:?}" --format="value(name)") && kitchen_do destroy']
+  env:
+  - 'TF_VAR_org_id=$_ORG_ID'
+  - 'TF_VAR_domain=test.infra.cft.tips.'
 tags:
 - 'ci'
 - 'integration'

examples/app_engine/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "null" {

examples/budget_project/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "null" {

examples/fabric_project/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "random" {

examples/gke_shared_vpc/main.tf

@@ -20,12 +20,12 @@ locals {
 
 provider "google" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "google-beta" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "null" {

examples/group_project/main.tf

@@ -23,12 +23,12 @@ locals {
  *****************************************/
 provider "google" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "google-beta" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "gsuite" {

examples/project-hierarchy/main.tf

@@ -23,12 +23,12 @@ locals {
  *****************************************/
 provider "google" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "google-beta" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "gsuite" {

examples/project_services/main.tf

@@ -18,7 +18,7 @@
   Provider configuration
  *****************************************/
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 module "project-services" {

examples/shared_vpc/main.tf

@@ -23,11 +23,11 @@ locals {
   Provider configuration
  *****************************************/
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "null" {

examples/simple_project/main.tf

@@ -23,12 +23,12 @@ locals {
  *****************************************/
 provider "google" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "google-beta" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 3.6.0"
+  version     = "~> 3.30"
 }
 
 provider "null" {

main.tf

@@ -28,37 +28,39 @@ module "gsuite_group" {
 module "project-factory" {
   source = "./modules/core_project_factory"
 
-  group_email                       = module.gsuite_group.email
-  group_role                        = var.group_role
-  lien                              = var.lien
-  manage_group                      = var.group_name != "" ? "true" : "false"
-  random_project_id                 = var.random_project_id
-  org_id                            = var.org_id
-  name                              = var.name
-  project_id                        = var.project_id
-  shared_vpc                        = var.shared_vpc
-  shared_vpc_enabled                = var.shared_vpc != ""
-  billing_account                   = var.billing_account
-  folder_id                         = var.folder_id
-  sa_role                           = var.sa_role
-  activate_apis                     = var.activate_apis
-  usage_bucket_name                 = var.usage_bucket_name
-  usage_bucket_prefix               = var.usage_bucket_prefix
-  credentials_path                  = var.credentials_path
-  impersonate_service_account       = var.impersonate_service_account
-  shared_vpc_subnets                = var.shared_vpc_subnets
-  labels                            = var.labels
-  bucket_project                    = var.bucket_project
-  bucket_name                       = var.bucket_name
-  bucket_location                   = var.bucket_location
-  auto_create_network               = var.auto_create_network
-  disable_services_on_destroy       = var.disable_services_on_destroy
-  default_service_account           = var.default_service_account
-  disable_dependent_services        = var.disable_dependent_services
-  python_interpreter_path           = var.python_interpreter_path
-  pip_executable_path               = var.pip_executable_path
-  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
-  skip_gcloud_download              = var.skip_gcloud_download
+  group_email                        = module.gsuite_group.email
+  group_role                         = var.group_role
+  lien                               = var.lien
+  manage_group                       = var.group_name != "" ? "true" : "false"
+  random_project_id                  = var.random_project_id
+  org_id                             = var.org_id
+  name                               = var.name
+  project_id                         = var.project_id
+  shared_vpc                         = var.shared_vpc
+  shared_vpc_enabled                 = var.shared_vpc != ""
+  billing_account                    = var.billing_account
+  folder_id                          = var.folder_id
+  sa_role                            = var.sa_role
+  activate_apis                      = var.activate_apis
+  usage_bucket_name                  = var.usage_bucket_name
+  usage_bucket_prefix                = var.usage_bucket_prefix
+  credentials_path                   = var.credentials_path
+  impersonate_service_account        = var.impersonate_service_account
+  shared_vpc_subnets                 = var.shared_vpc_subnets
+  labels                             = var.labels
+  bucket_project                     = var.bucket_project
+  bucket_name                        = var.bucket_name
+  bucket_location                    = var.bucket_location
+  auto_create_network                = var.auto_create_network
+  disable_services_on_destroy        = var.disable_services_on_destroy
+  default_service_account            = var.default_service_account
+  disable_dependent_services         = var.disable_dependent_services
+  python_interpreter_path            = var.python_interpreter_path
+  pip_executable_path                = var.pip_executable_path
+  use_tf_google_credentials_env_var  = var.use_tf_google_credentials_env_var
+  skip_gcloud_download               = var.skip_gcloud_download
+  vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
+  vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
 }
 
 /******************************************

modules/core_project_factory/main.tf

@@ -471,3 +471,21 @@ resource "google_project_iam_member" "gke_host_agent" {
     module.project_services,
   ]
 }
+
+/******************************************
+  Attachment to VPC Service Control Perimeter
+ *****************************************/
+resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_attachment" {
+  count          = var.vpc_service_control_attach_enabled ? 1 : 0
+  perimeter_name = var.vpc_service_control_perimeter_name
+  resource       = "projects/${google_project.main.number}"
+}
+
+/******************************************
+  Enable Access Context Manager API
+ *****************************************/
+resource "google_project_service" "enable_access_context_manager" {
+  count   = var.vpc_service_control_attach_enabled ? 1 : 0
+  project = google_project.main.number
+  service = "accesscontextmanager.googleapis.com"
+}

modules/core_project_factory/variables.tf

@@ -195,3 +195,15 @@ variable "skip_gcloud_download" {
   type        = bool
   default     = false
 }
+
+variable "vpc_service_control_attach_enabled" {
+  description = "Whether the project will be attached to a VPC Service Control Perimeter"
+  type        = bool
+  default     = false
+}
+
+variable "vpc_service_control_perimeter_name" {
+  description = "The name of a VPC Service Control Perimeter to add the created project to"
+  type        = string
+  default     = null
+}

modules/core_project_factory/versions.tf

@@ -18,8 +18,8 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google      = ">= 2.1, < 4.0"
-    google-beta = ">= 2.1, < 4.0"
+    google      = ">= 3.8, < 4.0"
+    google-beta = ">= 3.8, < 4.0"
     null        = "~> 2.1"
     random      = "~> 2.2"
   }

test/fixtures/full/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "gsuite" {

test/fixtures/minimal/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "null" {

test/fixtures/shared_vpc_no_subnets/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  version = "~> 3.6.0"
+  version = "~> 3.30"
 }
 
 provider "gsuite" {

test/fixtures/vpc_sc_project/.gitignore

@@ -0,0 +1 @@
+terraform.tfvars