Skip to content

Commit

Permalink
Update Documentation for ACM Service Perimeter resources to reflect G…
Browse files Browse the repository at this point in the history
…ranular Controls group support (GoogleCloudPlatform#10087)

groups

Co-authored-by: Charles Leon <[email protected]>
  • Loading branch information
2 people authored and balanaguharsha committed Apr 19, 2024
1 parent be7815f commit f9e5910
Show file tree
Hide file tree
Showing 5 changed files with 99 additions and 29 deletions.
31 changes: 19 additions & 12 deletions mmv1/products/accesscontextmanager/ServicePerimeter.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,9 @@ examples:
primary_resource_id: 'service-perimeter'
vars:
service_perimeter_name: 'restrict_bigquery_dryrun_storage'
- !ruby/object:Provider::Terraform::Examples
name: 'access_context_manager_service_perimeter_granular_controls'
skip_test: true
custom_code: !ruby/object:Provider::Terraform::CustomCode
encoder: templates/terraform/encoders/access_level_never_send_parent.go.erb
custom_import: templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.erb
Expand Down Expand Up @@ -240,9 +243,10 @@ properties:
item_type: Api::Type::String
is_set: true
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
individual user or service account only.
'A list of identities that are allowed access through this `IngressPolicy`.
To specify an identity or identity group, use the IAM v1
format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
- !ruby/object:Api::Type::Array
name: 'sources'
description: |
Expand Down Expand Up @@ -364,9 +368,10 @@ properties:
- !ruby/object:Api::Type::Array
name: 'identities'
description: |
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
'A list of identities that are allowed access through this `EgressPolicy`.
To specify an identity or identity group, use the IAM v1
format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
is_set: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
Expand Down Expand Up @@ -528,9 +533,10 @@ properties:
item_type: Api::Type::String
is_set: true
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
individual user or service account only.
'A list of identities that are allowed access through this `IngressPolicy`.
To specify an identity or identity group, use the IAM v1
format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
- !ruby/object:Api::Type::Array
name: 'sources'
description: |
Expand Down Expand Up @@ -652,9 +658,10 @@ properties:
- !ruby/object:Api::Type::Array
name: 'identities'
description: |
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
'A list of identities that are allowed access through this `EgressPolicy`.
To specify an identity or identity group, use the IAM v1
format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::NestedObject
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -76,8 +76,8 @@ properties:
name: 'identities'
description: |
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
Should be in the format of an email address. The email address should
represent an individual user, service account, or Google group.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'sources'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -78,9 +78,9 @@ properties:
name: 'identities'
item_type: Api::Type::String
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
individual user or service account only.
A list of identities that are allowed access through this `IngressPolicy`.
Should be in the format of an email address. The email address should represent
an individual user, service account, or Google group.
- !ruby/object:Api::Type::Array
name: 'sources'
description: |
Expand Down
28 changes: 16 additions & 12 deletions mmv1/products/accesscontextmanager/ServicePerimeters.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -220,9 +220,10 @@ properties:
is_set: true
item_type: Api::Type::String
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
individual user or service account only.
'A list of identities that are allowed access through this `IngressPolicy`.
To specify an identity or identity group, use the IAM v1 format
specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
- !ruby/object:Api::Type::Array
name: 'sources'
description: |
Expand Down Expand Up @@ -329,9 +330,10 @@ properties:
- !ruby/object:Api::Type::Array
name: 'identities'
description: |
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
'A list of identities that are allowed access through this `EgressPolicy`.
To specify an identity or identity group, use the IAM v1 format
specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
is_set: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
Expand Down Expand Up @@ -514,9 +516,10 @@ properties:
is_set: true
item_type: Api::Type::String
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
individual user or service account only.
'A list of identities that are allowed access through this `IngressPolicy`.
To specify an identity or identity group, use the IAM v1 format
specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
- !ruby/object:Api::Type::Array
name: 'sources'
description: |
Expand Down Expand Up @@ -623,9 +626,10 @@ properties:
- !ruby/object:Api::Type::Array
name: 'identities'
description: |
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
'A list of identities that are allowed access through this `EgressPolicy`.
To specify an identity or identity group, use the IAM v1 format
specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
resource "google_access_context_manager_access_policy" "access-policy" {
parent = "organizations/123456789"
title = "Policy with Granular Controls Group Support"
}

resource "google_access_context_manager_service_perimeter" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
title = "%s"
perimeter_type = "PERIMETER_TYPE_REGULAR"
status {
restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]

vpc_accessible_services {
enable_restriction = true
allowed_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
}

ingress_policies {
ingress_from {
sources {
access_level = google_access_context_manager_access_level.test-access.name
}
identities = ["group:[email protected]"]
identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
}

ingress_to {
resources = [ "*" ]
operations {
service_name = "storage.googleapis.com"

method_selectors {
method = "google.storage.objects.create"
}
}
}
}

egress_policies {
egress_from {
identities = ["group:[email protected]"]
identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
}
egress_to {
resources = [ "*" ]
operations {
service_name = "storage.googleapis.com"

method_selectors {
method = "google.storage.objects.create"
}
}
}
}
}
}

0 comments on commit f9e5910

Please sign in to comment.