diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
index ce323709e7ca..e42ef201e867 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
@@ -384,6 +384,15 @@ properties:
 - name: 'accessLevel'
 type: String
 description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+ - name: 'resource'
+ type: String
+ description: |
+ A Google Cloud resource that is allowed to egress the perimeter.
+ Requests from these resources are allowed to access data outside the perimeter.
+ Currently only projects are allowed. Project format: `projects/{project_number}`.
+ The resource may be in any Google Cloud organization, not just the
+ organization that the perimeter is defined in. `*` is not allowed, the
+ case of allowing all Google Cloud resources only is not supported.
 - name: 'sourceRestriction'
 type: Enum
 description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
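Review bot: The new `resource` property is declared with no schema-level constraint, so a `sources` block that sets both `accessLevel` and `resource`, or a `resource` that does not follow the documented `projects/{project_number}` form, is only rejected by the API at apply time instead of at plan. If mmv1's `conflicts` and `validation` keys apply to this nested property (worth confirming against how sibling properties in this file use them), declaring the two source kinds mutually exclusive and adding a regex for the `projects/` form would surface the mistake earlier. The identical block is repeated in the remaining five YAML hunks (the second ServicePerimeter hunk, ServicePerimeterDryRunEgressPolicy, ServicePerimeterEgressPolicy and both ServicePerimeters hunks), so whatever is decided here should be mirrored there.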
@@ -693,6 +702,15 @@ properties:
 - name: 'accessLevel'
 type: String
 description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+ - name: 'resource'
+ type: String
+ description: |
+ A Google Cloud resource that is allowed to egress the perimeter.
+ Requests from these resources are allowed to access data outside the perimeter.
+ Currently only projects are allowed. Project format: `projects/{project_number}`.
+ The resource may be in any Google Cloud organization, not just the
+ organization that the perimeter is defined in. `*` is not allowed, the
+ case of allowing all Google Cloud resources only is not supported.
 - name: 'sourceRestriction'
 type: Enum
 description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
index ee2d5f68f0d9..39f5daef2ba7 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
@@ -127,6 +127,15 @@ properties:
 - name: 'accessLevel'
 type: String
 description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+ - name: 'resource'
+ type: String
+ description: |
+ A Google Cloud resource that is allowed to egress the perimeter.
+ Requests from these resources are allowed to access data outside the perimeter.
+ Currently only projects are allowed. Project format: `projects/{project_number}`.
+ The resource may be in any Google Cloud organization, not just the
+ organization that the perimeter is defined in. `*` is not allowed, the
+ case of allowing all Google Cloud resources only is not supported.
 - name: 'sourceRestriction'
 type: Enum
 description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
index b8603fd524d4..e91d790e6783 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
@@ -124,6 +124,15 @@ properties:
 - name: 'accessLevel'
 type: String
 description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+ - name: 'resource'
+ type: String
+ description: |
+ A Google Cloud resource that is allowed to egress the perimeter.
+ Requests from these resources are allowed to access data outside the perimeter.
+ Currently only projects are allowed. Project format: `projects/{project_number}`.
+ The resource may be in any Google Cloud organization, not just the
+ organization that the perimeter is defined in. `*` is not allowed, the
+ case of allowing all Google Cloud resources only is not supported.
 - name: 'sourceRestriction'
 type: Enum
 description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
index 0c3b5a0ca944..eb203b44c79e 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
@@ -372,6 +372,15 @@ properties:
 - name: 'accessLevel'
 type: String
 description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+ - name: 'resource'
+ type: String
+ description: |
+ A Google Cloud resource that is allowed to egress the perimeter.
+ Requests from these resources are allowed to access data outside the perimeter.
+ Currently only projects are allowed. Project format: `projects/{project_number}`.
+ The resource may be in any Google Cloud organization, not just the
+ organization that the perimeter is defined in. `*` is not allowed, the
+ case of allowing all Google Cloud resources only is not supported.
 - name: 'sourceRestriction'
 type: Enum
 description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
@@ -673,6 +682,15 @@ properties:
 - name: 'accessLevel'
 type: String
 description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+ - name: 'resource'
+ type: String
+ description: |
+ A Google Cloud resource that is allowed to egress the perimeter.
+ Requests from these resources are allowed to access data outside the perimeter.
+ Currently only projects are allowed. Project format: `projects/{project_number}`.
+ The resource may be in any Google Cloud organization, not just the
+ organization that the perimeter is defined in. `*` is not allowed, the
+ case of allowing all Google Cloud resources only is not supported.
 - name: 'sourceRestriction'
 type: Enum
 description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
diff --git a/mmv1/templates/terraform/custom_flatten/accesscontextmanager_serviceperimeters_custom_flatten.go.tmpl b/mmv1/templates/terraform/custom_flatten/accesscontextmanager_serviceperimeters_custom_flatten.go.tmpl
index 231fc3f35c04..c7c4de553d89 100644
--- a/mmv1/templates/terraform/custom_flatten/accesscontextmanager_serviceperimeters_custom_flatten.go.tmpl
+++ b/mmv1/templates/terraform/custom_flatten/accesscontextmanager_serviceperimeters_custom_flatten.go.tmpl
@@ -341,6 +341,7 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPo
 }
 transformed = append(transformed, map[string]interface{}{
 "access_level": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+ "resource": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourcesResource(original["resource"], d, config),
 })
 }
 return transformed
@@ -349,6 +350,10 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPo
 return v
 }
 
+func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
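Review bot: Only the flatten side of this hand-maintained ServicePerimeters template gains the `resource` key; I do not see a matching expander change anywhere in the diff. If expansion for `google_access_context_manager_service_perimeters` is generated from the YAML, nothing more is needed, but if a custom expand template exists for this resource it needs the same field, otherwise `resource` would be read back on refresh yet never sent on create/update and show up as a perpetual diff. The same question applies to the Spec hunks that follow this one. Confirming with an `ImportStateVerify` step that exercises the plural resource with a `resource` source would settle it either way.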
@@ -713,6 +718,7 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoli
 }
 transformed = append(transformed, map[string]interface{}{
 "access_level": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+ "resource": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourcesResource(original["resource"], d, config),
 })
 }
 return transformed
@@ -721,6 +727,10 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoli
 return v
 }
 
+func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go
index e41c2f333a67..364af2272683 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go
@@ -20,13 +20,14 @@ func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basicTest(t *
 //projects := acctest.BootstrapServicePerimeterProjects(t, 1)
 policyTitle := acctest.RandString(t, 10)
 perimeterTitle := "perimeter"
+ projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
 ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 Steps: []resource.TestStep{
 {
- Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitle),
+ Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitle, projectNumber),
 },
 {
 Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitle),
@@ -83,7 +84,7 @@ func testAccCheckAccessContextManagerServicePerimeterDryRunEgressPolicyDestroyPr
 }
 }
 
-func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitleName, projectNumber string) string {
 return fmt.Sprintf(`
 %s
 
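Review bot: `projectNumber := envvar.GetTestProjectNumberFromEnv()` is read without `t`, unlike `GetTestOrgFromEnv(t)` used on the same path, so the helper has no way to skip or fail the test when the variable is unset; the rendered config would then contain `resource = "projects/"` and the run would fail with an opaque API error instead of a skip. Consider guarding it right after the assignment, e.g. `if projectNumber == "" { t.Skip("test project number not set in the environment") }` (constructed message), or use a `t`-taking variant of the helper if the envvar package has one. The same unguarded read is added in the egress-policy test, the service-perimeter template test and the service-perimeters test hunks further down.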
@@ -127,7 +128,17 @@ resource "google_access_context_manager_service_perimeter_dry_run_egress_policy"
 depends_on = [google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access1]
 }
 
-`, testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
+resource "google_access_context_manager_service_perimeter_dry_run_egress_policy" "test-access3" {
+ perimeter = google_access_context_manager_service_perimeter.test-access.name
+ egress_from {
+ sources {
+ resource = "projects/%s"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
+ }
+}
+
+`, testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName), projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName string) string {
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go
index e04e313fc3ef..34982f4651f9 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go
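Review bot: The new `test-access3` policy has no `depends_on`, whereas the `test-access2` block in the context lines above is chained on `test-access1`. All three resources mutate the same perimeter, so without that edge Terraform may apply `test-access3` concurrently with the others and the run can hit a conflicting-update error on the perimeter rather than exercising the new field. Adding `depends_on = [google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access2]` to the new block keeps the serial ordering the earlier resources already establish. The analogous `test-access3` added in the egress-policy test below likely needs the same treatment, though its sibling's `depends_on` is outside that hunk so I cannot confirm it from here.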
@@ -22,13 +22,14 @@ func testAccAccessContextManagerServicePerimeterEgressPolicy_basicTest(t *testin
 //projects := acctest.BootstrapServicePerimeterProjects(t, 1)
 policyTitle := acctest.RandString(t, 10)
 perimeterTitle := "perimeter"
+ projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
 ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 Steps: []resource.TestStep{
 {
- Config: testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitle),
+ Config: testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitle, projectNumber),
 },
 {
 Config: testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitle),
@@ -85,7 +86,7 @@ func testAccCheckAccessContextManagerServicePerimeterEgressPolicyDestroyProducer
 }
 }
 
-func testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitleName, projectNumber string) string {
 return fmt.Sprintf(`
 %s
 
@@ -129,7 +130,17 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a
 }
 }
 
-`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
+resource "google_access_context_manager_service_perimeter_egress_policy" "test-access3" {
+ perimeter = google_access_context_manager_service_perimeter.test-access.name
+ egress_from {
+ sources {
+ resource = "projects/%s"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
+ }
+}
+
+`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName), projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName string) string {
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl
index 754f2479e154..ff178d9b7cfa 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl
@@ -38,6 +38,7 @@ func testAccAccessContextManagerServicePerimeter_basicTest(t *testing.T) {
 
 func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
 org := envvar.GetTestOrgFromEnv(t)
+ projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -61,7 +62,7 @@ func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
 ImportStateVerify: true,
 },
 {
- Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter"),
+ Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter", projectNumber),
 },
 {
 ResourceName: "google_access_context_manager_service_perimeter.test-access",
@@ -77,7 +78,7 @@ func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
 ImportStateVerify: true,
 },
 {
- Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter"),
+ Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter", projectNumber),
 },
 {
 ResourceName: "google_access_context_manager_service_perimeter.test-access",
@@ -182,7 +183,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
 }
 
-func testAccAccessContextManagerServicePerimeter_updateAllowed(org, policyTitle, levelTitleName, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeter_updateAllowed(org, policyTitle, levelTitleName, perimeterTitleName, projectNumber string) string {
 return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
 parent = "organizations/%s"
@@ -267,6 +268,11 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 sources {
 access_level = google_access_context_manager_access_level.test-access.name
 }
+
+ sources {
+ resource = "projects/%s"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
 }
 egress_to {
@@ -347,6 +353,11 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 sources {
 access_level = google_access_context_manager_access_level.test-access.name
 }
+
+ sources {
+ resource = "projects/%s"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
 }
 egress_to {
@@ -369,7 +380,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 }
 }
 }
-`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
+`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName, projectNumber, projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeter_updateDryrun(org, policyTitle, levelTitleName, perimeterTitleName string) string {
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go
index b62aa5b65bc4..69420c26d3f2 100644
--- a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go
+++ b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go
@@ -16,6 +16,7 @@ import (
 // can exist, they need to be run serially. See AccessPolicy for the test runner.
 func testAccAccessContextManagerServicePerimeters_basicTest(t *testing.T) {
 org := envvar.GetTestOrgFromEnv(t)
+ projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -32,7 +33,7 @@ func testAccAccessContextManagerServicePerimeters_basicTest(t *testing.T) {
 ImportStateVerifyIgnore: []string{"service_perimeters"},
 },
 {
- Config: testAccAccessContextManagerServicePerimeters_update(org, "my policy", "level", "storage_perimeter", "bigquery_perimeter", "bigtable_perimeter", "bigquery_omni_perimeter"),
+ Config: testAccAccessContextManagerServicePerimeters_update(org, "my policy", "level", "storage_perimeter", "bigquery_perimeter", "bigtable_perimeter", "bigquery_omni_perimeter", projectNumber),
 },
 {
 ResourceName: "google_access_context_manager_service_perimeters.test-access",
@@ -153,7 +154,7 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
 `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName1, perimeterTitleName1, perimeterTitleName2, perimeterTitleName2, perimeterTitleName3, perimeterTitleName3)
 }
 
-func testAccAccessContextManagerServicePerimeters_update(org, policyTitle, levelTitleName, perimeterTitleName1, perimeterTitleName2, perimeterTitleName3, perimeterTitleName4 string) string {
+func testAccAccessContextManagerServicePerimeters_update(org, policyTitle, levelTitleName, perimeterTitleName1, perimeterTitleName2, perimeterTitleName3, perimeterTitleName4, projectNumber string) string {
 return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
 parent = "organizations/%s"
@@ -285,6 +286,14 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
 resources = ["*"]
 }
 }
+ egress_policies {
+ egress_from {
+ sources {
+ resource = "projects/%s"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
+ }
+ }
 }
 status {
 restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
@@ -361,10 +370,18 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
 resources = ["*"]
 }
 }
+ egress_policies {
+ egress_from {
+ sources {
+ resource = "projects/%s"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
+ }
+ }
 }
 }
 }
-`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName1, perimeterTitleName1, perimeterTitleName2, perimeterTitleName2, perimeterTitleName3, perimeterTitleName3, perimeterTitleName4, perimeterTitleName4)
+`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName1, perimeterTitleName1, perimeterTitleName2, perimeterTitleName2, perimeterTitleName3, perimeterTitleName3, perimeterTitleName4, perimeterTitleName4, projectNumber, projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeters_empty(org, policyTitle, levelTitleName string) string {
diff --git a/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.json b/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.json
index 8e0990e72376..690f24752f41 100644
--- a/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.json
+++ b/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.json
@@ -20,6 +20,9 @@
 "sources": [
 {
 "accessLevel": "accessPolicies/987654/accessLevels/restrict_storage"
+ },
+ {
+ "resource": "projects/4321"
 }
 ]
 }
diff --git a/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.tf b/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.tf
index ca8852445502..462dcf97c392 100644
--- a/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.tf
+++ b/mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.tf
@@ -60,7 +60,10 @@ resource "google_access_context_manager_service_perimeter" "service-perimeter" {
 sources {
 access_level = "accessPolicies/987654/accessLevels/restrict_storage"
 }
- source_restriction = "SOURCE_RESTRICTION_ENABLED"
+ sources {
+ resource = "projects/4321"
+ }
+ source_restriction = "SOURCE_RESTRICTION_ENABLED"
 identity_type = "ANY_USER_ACCOUNT"
 }
 }