I am trying to have it so that only certain projects can access the production subnet. How do I do this? Can I only limit access through policies? I know that using the GUI/dashboard/website we can pick which subnet I want to share in my Shared VPC; is there a way to do it through Terraform?
The setup:

# Shared network to attach
resource "google_compute_network" "vpc-network" {
  name                    = "vpc-network"
  auto_create_subnetworks = false
  project                 = var.host-project
}

# Shared subnetworks to attach. Both are pinned to the host project so they
# cannot silently land in the provider's default project.
resource "google_compute_subnetwork" "development" {
  name          = "development"
  project       = var.host-project
  network       = google_compute_network.vpc-network.self_link
  ip_cidr_range = ""   # left blank in the question
  region        = ""   # left blank in the question
}

resource "google_compute_subnetwork" "production" {
  name          = "production"
  project       = var.host-project
  network       = google_compute_network.vpc-network.self_link
  ip_cidr_range = ""   # left blank in the question
  region        = ""   # left blank in the question
}

# Enable Shared VPC in the host project
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host-project
}

# Attach service projects to the host project.
# var.service-projects is a set (or map) of service project IDs.
resource "google_compute_shared_vpc_service_project" "services" {
  for_each   = var.service-projects
  depends_on = [google_compute_shared_vpc_host_project.host]

  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.key
}

# Router (lives in the host project, like the network)
resource "google_compute_router" "router" {
  name    = "shared-router"
  project = var.host-project
  network = google_compute_network.vpc-network.id
}

# Cloud NAT gateway
resource "google_compute_router_nat" "nat_gateway" {
  name                               = "shared-nat-gateway"
  project                            = var.host-project
  region                             = ""   # left blank in the question
  router                             = google_compute_router.router.name
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
As per the documentation (https://cloud.google.com/vpc/docs/shared-vpc):
You can specify the Shared VPC subnets that a service project can access at the project, folder, or organization level. The constraint applies when you create new resources in the specified subnets and doesn't affect existing resources.
So yes, you need to use org policies, but they can be applied at lower levels than the organization node.
The Terraform documentation for org policies should help: https://registry.terraform.io/modules/terraform-google-modules/org-policy/google/latest
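The following is an added example, not code from the question or the answer above. It shows both layers that gate a service project's access to a Shared VPC subnet: the `compute.restrictSharedVpcSubnetworks` org policy constraint the answer refers to, applied per service project with the plain `google_project_organization_policy` resource, and the subnet-level `roles/compute.networkUser` grant that the console performs when you share an individual subnet. It assumes the resources from the question (`google_compute_subnetwork.development`, `google_compute_subnetwork.production`, `var.host-project`, `var.service-projects`) plus two hypothetical variables of my own: `var.production-service-projects` (the subset of service projects allowed to use the production subnet) and `var.production-subnet-users` (the principals in those projects that create resources there).

```hcl
# Added example; not part of the original question or answer.
# Assumed inputs (hypothetical, not in the question):
#   var.production-service-projects  list(string) of service project IDs
#   var.production-subnet-users      list(string) of IAM members, e.g.
#                                    "serviceAccount:123456-compute@developer.gserviceaccount.com"

locals {
  production_projects = toset(var.production-service-projects)

  # The constraint takes full subnet resource paths:
  # projects/HOST/regions/REGION/subnetworks/NAME
  dev_subnet  = "projects/${var.host-project}/regions/${google_compute_subnetwork.development.region}/subnetworks/${google_compute_subnetwork.development.name}"
  prod_subnet = "projects/${var.host-project}/regions/${google_compute_subnetwork.production.region}/subnetworks/${google_compute_subnetwork.production.name}"
}

# Layer 1: org policy, set on each *service project* (not the org node).
# A list constraint with an allow list denies every subnet not listed, so a
# service project outside production_projects can only create resources in
# the development subnet. Remember the documented caveat: this only affects
# resources created after the policy is in place.
resource "google_project_organization_policy" "restrict_subnets" {
  for_each = var.service-projects

  project    = each.key
  constraint = "compute.restrictSharedVpcSubnetworks"

  list_policy {
    allow {
      values = contains(local.production_projects, each.key) ? [local.dev_subnet, local.prod_subnet] : [local.dev_subnet]
    }
  }

  depends_on = [google_compute_shared_vpc_service_project.services]
}

# Layer 2: subnet-level IAM in the host project. This is what the console's
# "share individual subnets" option does: only principals holding
# roles/compute.networkUser on the production subnet can attach resources to
# it. Development stays shared with everyone attached to the host project by
# granting networkUser there to each service project's principals as needed.
resource "google_compute_subnetwork_iam_member" "production_users" {
  for_each = toset(var.production-subnet-users)

  project    = var.host-project
  region     = google_compute_subnetwork.production.region
  subnetwork = google_compute_subnetwork.production.name
  role       = "roles/compute.networkUser"
  member     = each.value
}
```

The two layers fail differently, which is why both are worth keeping: the IAM grant is the authorisation check at attach time and works regardless of org policy, while the org policy constraint stops a project owner from later granting `networkUser` on the production subnet to their own principals and walking around the intended split. Apply both before any workloads are deployed, since the constraint does not retroactively evict existing NICs. If you are on a recent provider, the same policy can be written with `google_org_policy_policy` (`parent = "projects/${each.key}"`, `name = "projects/${each.key}/policies/compute.restrictSharedVpcSubnetworks"`), which is the resource the referenced `org-policy` module wraps.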