This example illustrates how to use the vpc-service-controls module to configure an org policy (the organization-level access policy), an access level, a regular service perimeter, and a BigQuery dataset inside that perimeter.
1. Make sure you've gone through the root Requirement Section on any project in your organization.
2. If you need to run integration tests for this example, select a second project in your organization. The project you already configured will be referred to as the protected project, which will be inside the regular service perimeter. The second project will be the public project, which will be outside the regular service perimeter.
3. Grant the service account the following roles on the protected project:
   - roles/bigquery.dataOwner
   - roles/bigquery.jobUser

   You may use the following gcloud commands:

   ```shell
   gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount:<service-account-email> --role=roles/bigquery.jobUser
   gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount:<service-account-email> --role=roles/bigquery.dataOwner
   ```
4. Enable the BigQuery API (bigquery.googleapis.com) on the protected project.
5. If you want to run the integration tests for this example, repeat steps 3 and 4 on the public project.
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_level_name | Access level name of the Access Policy. | string | "terraform_members" | no |
dataset_id | Unique dataset ID/name that will be created. | string | "sample_dataset" | no |
members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | list(string) | n/a | yes |
parent_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organizations are accepted as parent. | string | n/a | yes |
perimeter_name | Perimeter name of the Access Policy. | string | "regular_perimeter_1" | no |
policy_name | The policy's name. | string | n/a | yes |
protected_project_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" key for the project id and a "number" key for the project number. | object({ id = string, number = number }) | n/a | yes |
regions | The request must originate from one of the provided countries/regions. Format: a valid ISO 3166-1 alpha-2 code. | list(string) | [] | no |
Name | Description |
---|---|
access_level_name | Access level name of the Access Policy. |
dataset_id | Unique id for the BigQuery dataset being provisioned |
dataset_name | Name of dataset being provisioned |
policy_id | Resource name of the AccessPolicy. |
policy_name | Name of the parent policy |
protected_project_id | Project id of the project INSIDE the regular service perimeter |
table_id | Unique id for the BigQuery table being provisioned |
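The following main.tf wires the inputs above together. It is added here as an illustration and is not taken from the module repository: it assumes the submodule paths and input names shown (root module taking parent_id and policy_name, modules/access_level, modules/regular_service_perimeter), that the variables from the Inputs table are declared in a variables.tf next to it, and that the google provider is configured with credentials whose identity is listed in members. Two points a practitioner should not miss: the perimeter's resources list takes project numbers, not ids (hence protected_project_ids carrying both), and placing a project in a perimeter restricts nothing by itself; only the APIs named in restricted_services are enforced.

```hcl
# Added example, not the module's own code. Submodule paths, input names and
# the "US" dataset location are assumptions; variables come from variables.tf.

# Org policy: the organization-level access policy that owns the access level
# and the perimeter below.
module "org_policy" {
  source      = "terraform-google-modules/vpc-service-controls/google"
  parent_id   = var.parent_id
  policy_name = var.policy_name
}

# Access level: only the listed identities (optionally further limited to the
# listed regions) satisfy it. Terraform itself calls the BigQuery API from
# outside the perimeter, so the identity it runs as must appear in var.members
# or later plans/applies against the dataset are denied by VPC Service Controls.
module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  policy  = module.org_policy.policy_id
  name    = var.access_level_name
  members = var.members
  regions = var.regions
}

# Regular perimeter around the protected project. resources takes the project
# NUMBER; restricted_services is the list that is actually enforced, so leaving
# bigquery.googleapis.com out of it would leave the dataset unprotected.
module "regular_service_perimeter_1" {
  source         = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy         = module.org_policy.policy_id
  perimeter_name = var.perimeter_name
  description    = "Perimeter shielding the BigQuery project"
  resources      = [var.protected_project_ids["number"]]
  access_levels  = [module.access_level_members.name]

  restricted_services = ["bigquery.googleapis.com"]
}

# The dataset and table that live inside the perimeter. The table name is an
# assumption; the page fixes only the dataset id.
resource "google_bigquery_dataset" "dataset" {
  project    = var.protected_project_ids["id"]
  dataset_id = var.dataset_id
  location   = "US" # assumption
}

resource "google_bigquery_table" "table" {
  project             = var.protected_project_ids["id"]
  dataset_id          = google_bigquery_dataset.dataset.dataset_id
  table_id            = "sample_table" # assumption
  deletion_protection = false          # lets `terraform destroy` remove it
}

# Outputs matching the table above.
output "policy_id" {
  value = module.org_policy.policy_id
}

output "protected_project_id" {
  value = var.protected_project_ids["id"]
}

output "dataset_id" {
  value = google_bigquery_dataset.dataset.dataset_id
}

output "table_id" {
  value = google_bigquery_table.table.table_id
}
```

After `terraform apply`, a quick check of the perimeter is to call the BigQuery API on the protected project from the public project (or any identity not in members): the request should be rejected with a VPC Service Controls error, while the same call as a member identity succeeds. If the member call is also rejected, the usual causes are a regions list that does not match where the request originates, or the few minutes VPC Service Controls can take to propagate a new perimeter.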
To provision this example, run the following from within this directory:

- `terraform init` to get the plugins
- `terraform plan` to see the infrastructure plan
- `terraform apply` to apply the infrastructure build
- `terraform destroy` to destroy the built infrastructure