add rm dry run config when enforced perimeter

Author: mariammartins

1-org/envs/shared/service_control.tf

@@ -177,8 +177,27 @@ locals {
     module.scc_notifications.project_number,
   ], local.shared_vpc_projects_numbers))
 
+  projects_dry_run = var.enable_hub_and_spoke ? (concat([
+    local.seed_project_number,
+    module.org_audit_logs.project_number,
+    module.org_billing_export.project_number,
+    module.common_kms.project_number,
+    module.org_secrets.project_number,
+    module.interconnect.project_number,
+    module.network_hub[0].project_number,
+    module.scc_notifications.project_number,
+    ], local.shared_vpc_projects_numbers)) : (concat([
+    local.seed_project_number,
+    module.org_audit_logs.project_number,
+    module.org_billing_export.project_number,
+    module.common_kms.project_number,
+    module.org_secrets.project_number,
+    module.interconnect.project_number,
+    module.scc_notifications.project_number,
+  ], local.shared_vpc_projects_numbers))
+
   project_keys = var.enable_hub_and_spoke ? [
-    "prj-org-seed",
+    "prj-b-seed",
     "prj-org-audit",
     "prj-org-billing",
     "prj-org-kms",
@@ -190,7 +209,32 @@ locals {
     "prj-net-d-svpc",
     "prj-net-n-svpc",
     ] : [
-    "prj-org-seed",
+    "prj-b-seed",
+    "prj-org-audit",
+    "prj-org-billing",
+    "prj-org-kms",
+    "prj-org-secrets",
+    "prj-org-interconnect",
+    "prj-org-scc",
+    "prj-net-p-svpc",
+    "prj-net-d-svpc",
+    "prj-net-n-svpc",
+  ]
+
+  project_keys_dry_run = var.enable_hub_and_spoke ? [
+    "prj-b-seed",
+    "prj-org-audit",
+    "prj-org-billing",
+    "prj-org-kms",
+    "prj-org-secrets",
+    "prj-org-interconnect",
+    "prj-org-scc",
+    "prj-net-hub-svpc",
+    "prj-net-p-svpc",
+    "prj-net-d-svpc",
+    "prj-net-n-svpc",
+    ] : [
+    "prj-b-seed",
     "prj-org-audit",
     "prj-org-billing",
     "prj-org-kms",
@@ -208,7 +252,7 @@ locals {
   )
 
   projects_map_dry_run = zipmap(
-    local.project_keys,
+    local.project_keys_dry_run,
     [for p in local.projects : "${p}"]
   )
 
@@ -801,7 +845,7 @@ module "service_control" {
     "serviceAccount:${local.environment_service_account}",
   ], var.perimeter_additional_members))
   resources_dry_run             = concat(values(local.projects_map_dry_run), var.resources_dry_run)
-  resource_keys_dry_run         = local.project_keys
+  resource_keys_dry_run         = local.project_keys_dry_run
   ingress_policies_keys_dry_run = local.ingress_policies_keys_dry_run
   egress_policies_keys_dry_run  = local.egress_policies_keys_dry_run
   ingress_policies_keys         = local.ingress_policies_keys

1-org/modules/service_control/main.tf

@@ -36,6 +36,8 @@ module "access_level" {
 }
 
 module "access_level_dry_run" {
+  count = !var.enforce_vpcsc ? 1 : 0
+
   source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
   version = "~> 7.1.3"
 
@@ -65,15 +67,15 @@ module "regular_service_perimeter" {
   egress_policies_keys    = var.enforce_vpcsc ? var.egress_policies_keys : []
 
   # configurations for a perimeter in dry run mode.
-  resources_dry_run               = var.resources_dry_run
-  resource_keys_dry_run           = var.resource_keys_dry_run
-  access_levels_dry_run           = [module.access_level_dry_run.name]
-  restricted_services_dry_run     = var.restricted_services_dry_run
-  vpc_accessible_services_dry_run = ["*"]
-  ingress_policies_dry_run        = var.ingress_policies_dry_run
-  ingress_policies_keys_dry_run   = var.ingress_policies_keys_dry_run
-  egress_policies_dry_run         = var.egress_policies_dry_run
-  egress_policies_keys_dry_run    = var.egress_policies_keys_dry_run
+  resources_dry_run               = !var.enforce_vpcsc ? var.resources_dry_run : []
+  resource_keys_dry_run           = !var.enforce_vpcsc ? var.resource_keys_dry_run : []
+  access_levels_dry_run           = !var.enforce_vpcsc && length(module.access_level_dry_run) > 0 ? [module.access_level_dry_run[0].name] : []
+  restricted_services_dry_run     = !var.enforce_vpcsc ? var.restricted_services_dry_run : []
+  vpc_accessible_services_dry_run = !var.enforce_vpcsc ? ["*"] : []
+  ingress_policies_dry_run        = !var.enforce_vpcsc ? var.ingress_policies_dry_run : []
+  ingress_policies_keys_dry_run   = !var.enforce_vpcsc ? var.ingress_policies_keys_dry_run : []
+  egress_policies_dry_run         = !var.enforce_vpcsc ? var.egress_policies_dry_run : []
+  egress_policies_keys_dry_run    = !var.enforce_vpcsc ? var.egress_policies_keys_dry_run : []
 }
 
 resource "time_sleep" "wait_vpc_sc_propagation" {