fix factory ingress policies (GoogleCloudPlatform#2251)

dibaskar-google · May 14, 2024 · 3cec5f0 · 3cec5f0
1 parent 584eb9d
commit 3cec5f0
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 5 deletions.
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
@@ -233,7 +233,7 @@ module "test" {
         resources           = ["projects/11111", "projects/111111"]
         restricted_services = ["storage.googleapis.com"]
         egress_policies     = ["gcs-sa-foo"]
-        ingress_policies    = ["sa-tf-test"]
+        ingress_policies    = ["sa-tf-test-geo", "sa-tf-test"]
         vpc_accessible_services = {
           allowed_services   = ["storage.googleapis.com"]
           enable_restriction = true
@@ -242,7 +242,7 @@ module "test" {
     }
   }
 }
-# tftest modules=1 resources=3 files=a1,a2,e1,i1 inventory=factory.yaml
+# tftest modules=1 resources=3 files=a1,a2,e1,i1,i2 inventory=factory.yaml
 ```
 
 ```yaml
@@ -282,12 +282,29 @@ from:
     - serviceAccount:[email protected]
 to:
   operations:
-    - service_name: "*"
+    - service_name: compute.googleapis.com
+      method_selectors:
+        - ProjectsService.Get
+        - RegionsService.Get
   resources:
     - "*"
 # tftest-file id=i1 path=data/ingress-policies/sa-tf-test.yaml
 ```
 
+```yaml
+from:
+  access_levels:
+    - geo-it
+  identities:
+    - serviceAccount:[email protected]
+to:
+  operations:
+    - service_name: "*"
+  resources:
+    - projects/1234567890
+# tftest-file id=i2 path=data/ingress-policies/sa-tf-test-geo.yaml
+```
+
 ## Notes
 
 - To remove an access level, first remove the binding between perimeter and the access level in `status` and/or `spec` without removing the access level itself. Once you have run `terraform apply`, you'll then be able to remove the access level and run `terraform apply` again.

diff --git a/modules/vpc-sc/factory.tf b/modules/vpc-sc/factory.tf
@@ -74,7 +74,7 @@ locals {
         }, try(v.from, {}))
         to = {
           operations = [
-            for o in try(v.operations, []) : merge({
+            for o in try(v.to.operations, []) : merge({
               method_selectors     = []
               permission_selectors = []
               service_name         = null

diff --git a/tests/modules/vpc_sc/examples/factory.yaml b/tests/modules/vpc_sc/examples/factory.yaml
@@ -81,9 +81,27 @@ values:
           - access_level: '*'
             resource: null
         ingress_to:
-        - operations: []
+        - operations:
+          - method_selectors:
+            - method: ProjectsService.Get
+              permission: null
+            - method: RegionsService.Get
+              permission: null
+            service_name: compute.googleapis.com
           resources:
           - '*'
+      - ingress_from:
+        - identities:
+          - serviceAccount:[email protected]
+          identity_type: null
+          sources:
+          - resource: null
+        ingress_to:
+        - operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - projects/1234567890
       resources:
       - projects/11111
       - projects/111111