From 6a5a91532613c0c5e87c0f95b2150293d3f39c28 Mon Sep 17 00:00:00 2001
From: Charles Leon
Date: Thu, 29 Feb 2024 00:18:53 -0800
Subject: [PATCH] Update ACM service perimeter resources to support Granular Controls groups

---
 .../ServicePerimeter.yaml | 20 +++----
 .../ServicePerimeterEgressPolicy.yaml | 4 +-
 .../ServicePerimeterIngressPolicy.yaml | 6 +-
 .../ServicePerimeters.yaml | 20 +++----
 ...service_perimeter_granular_controls.tf.erb | 55 +++++++++++++++++++
 5 files changed, 80 insertions(+), 25 deletions(-)
 create mode 100644 mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
index b79c83c666cf..266499bc94b4 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
@@ -240,9 +240,9 @@ properties:
 item_type: Api::Type::String
 is_set: true
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ A list of identities that are allowed access through this `IngressPolicy`.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 - !ruby/object:Api::Type::Array
 name: 'sources'
 description: |
@@ -365,8 +365,8 @@ properties:
 name: 'identities'
 description: |
 A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 is_set: true
 item_type: Api::Type::String
 - !ruby/object:Api::Type::NestedObject
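Review bot: The rewritten `identities` description in the `@@ -240` (`IngressPolicy`) and `@@ -365` (`EgressPolicy`) hunks still says the value "should be in the format of an email address", yet the example added in this same commit passes `group:database-admins@google.com`, a prefixed principal identifier, so the documented format and the value the example actually sends disagree. Since these descriptions feed the generated provider docs, a reader who supplies a bare group address will presumably have it rejected or, worse, not recognise that a group entry admits every member the group owner chooses to add; suggest `Should be a prefixed principal identifier, e.g. `user:{email}`, `serviceAccount:{email}` or `group:{email}`, representing an individual user, service account, or Google group.` The identical wording recurs in the `@@ -528` and `@@ -653` hunks of this file and in the ServicePerimeterEgressPolicy.yaml, ServicePerimeterIngressPolicy.yaml and ServicePerimeters.yaml hunks, so the same fix applies there.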
@@ -528,9 +528,9 @@ properties:
 item_type: Api::Type::String
 is_set: true
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ A list of identities that are allowed access through this `IngressPolicy`.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 - !ruby/object:Api::Type::Array
 name: 'sources'
 description: |
@@ -653,8 +653,8 @@ properties:
 name: 'identities'
 description: |
 A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 item_type: Api::Type::String
 is_set: true
 - !ruby/object:Api::Type::NestedObject
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
index 5e46e6770c0d..738ceefd98bd 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
@@ -76,8 +76,8 @@ properties:
 name: 'identities'
 description: |
 A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 item_type: Api::Type::String
 - !ruby/object:Api::Type::Array
 name: 'sources'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
index 8e671e4096ee..195b87db9bfa 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
@@ -78,9 +78,9 @@ properties:
 name: 'identities'
 item_type: Api::Type::String
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ A list of identities that are allowed access through this `IngressPolicy`.
+ Should be in the format of an email address. The email address should represent
+ an individual user, service account, or Google group.
 - !ruby/object:Api::Type::Array
 name: 'sources'
 description: |
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
index 2b941289d41a..592be1bdb476 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
@@ -220,9 +220,9 @@ properties:
 is_set: true
 item_type: Api::Type::String
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ A list of identities that are allowed access through this `IngressPolicy`.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 - !ruby/object:Api::Type::Array
 name: 'sources'
 description: |
@@ -330,8 +330,8 @@ properties:
 name: 'identities'
 description: |
 A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 is_set: true
 item_type: Api::Type::String
 - !ruby/object:Api::Type::Array
@@ -514,9 +514,9 @@ properties:
 is_set: true
 item_type: Api::Type::String
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ A list of identities that are allowed access through this `IngressPolicy`.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 - !ruby/object:Api::Type::Array
 name: 'sources'
 description: |
@@ -624,8 +624,8 @@ properties:
 name: 'identities'
 description: |
 A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Should be in the format of an email address. The email address should
+ represent an individual user, service account, or Google group.
 item_type: Api::Type::String
 is_set: true
 - !ruby/object:Api::Type::Array
diff --git a/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb b/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb
new file mode 100644
index 000000000000..90e3a25bfb3a
--- /dev/null
+++ b/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb
@@ -0,0 +1,55 @@
+resource "google_access_context_manager_access_policy" "access-policy" {
+ parent = "organizations/123456789"
+ title = "Policy with Granular Controls Group Support"
+}
+
+resource "google_access_context_manager_service_perimeter" "test-access" {
+ parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
+ name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
+ title = "%s"
+ perimeter_type = "PERIMETER_TYPE_REGULAR"
+ status {
+ restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
+
+ vpc_accessible_services {
+ enable_restriction = true
+ allowed_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
+ }
+
+ ingress_policies {
+ ingress_from {
+ sources {
+ access_level = google_access_context_manager_access_level.test-access.name
+ }
+ identities = ["group:database-admins@google.com"]
+ }
+
+ ingress_to {
+ resources = [ "*" ]
+ operations {
+ service_name = "storage.googleapis.com"
+
+ method_selectors {
+ method = "google.storage.objects.create"
+ }
+ }
+ }
+ }
+
+ egress_policies {
+ egress_from {
+ identities = ["group:database-admins@google.com"]
+ }
+ egress_to {
+ resources = [ "*" ]
+ operations {
+ service_name = "storage.googleapis.com"
+
+ method_selectors {
+ method = "google.storage.objects.create"
+ }
+ }
+ }
+ }
+ }
+}
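Review bot: The perimeter's `parent` and `name` lines interpolate `google_access_context_manager_access_policy.test-access.name`, but the only access policy this file declares is labelled `access-policy`, so the reference is unresolvable as written unless the test harness supplies a `test-access` policy; `google_access_context_manager_access_level.test-access`, used in `ingress_from.sources`, is likewise never declared in the hunk. Either relabel the policy resource to `"test-access"` or point both lines at `google_access_context_manager_access_policy.access-policy.name`, and declare (or document where the harness provides) the access level the example depends on. Both `ingress_to` and `egress_to` grant the group `resources = [ "*" ]`, i.e. the listed method on every resource in the perimeter; for an example whose purpose is to show group identities, a comment such as `# "*" covers every perimeter resource; real policies should list specific projects/{number} entries` would stop readers from copying the wildcard unchanged. Minor: `[ "*" ]` is spaced differently from the other list literals and would be rewritten by `terraform fmt`.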