From aaeac7fd4b034a25ffa8308676b4f314ecb6a8a4 Mon Sep 17 00:00:00 2001 From: Charles Leon Date: Tue, 12 Mar 2024 14:24:19 -0700 Subject: [PATCH] Update Documentation for ACM Service Perimeter resources to reflect Granular Controls group support (#10087) groups Co-authored-by: Charles Leon --- .../ServicePerimeter.yaml | 31 ++++++---- .../ServicePerimeterEgressPolicy.yaml | 4 +- .../ServicePerimeterIngressPolicy.yaml | 6 +- .../ServicePerimeters.yaml | 28 +++++---- ...service_perimeter_granular_controls.tf.erb | 59 +++++++++++++++++++ 5 files changed, 99 insertions(+), 29 deletions(-) create mode 100644 mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml index b79c83c666cf..d6b02a13d48d 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml @@ -71,6 +71,9 @@ examples: primary_resource_id: 'service-perimeter' vars: service_perimeter_name: 'restrict_bigquery_dryrun_storage' + - !ruby/object:Provider::Terraform::Examples + name: 'access_context_manager_service_perimeter_granular_controls' + skip_test: true custom_code: !ruby/object:Provider::Terraform::CustomCode encoder: templates/terraform/encoders/access_level_never_send_parent.go.erb custom_import: templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.erb 
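Review bot: The new example entry is registered with `skip_test: true` but gives no reason, and unlike the sibling entries above it declares no `vars`, so nothing in this file says how the example's placeholders are filled or why its generated acceptance test is omitted. A one-line comment above it, `# skip_test: <reason the example cannot run in CI>`, would let the next maintainer judge whether the skip is still warranted, which matters here because the example's HCL is presumably only validated when that test runs.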
@@ -240,9 +243,10 @@ properties: item_type: Api::Type::String is_set: true description: | - A list of identities that are allowed access through this ingress policy. - Should be in the format of email address. The email address should represent - individual user or service account only. + 'A list of identities that are allowed access through this `IngressPolicy`. + To specify an identity or identity group, use the IAM v1 + format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' - !ruby/object:Api::Type::Array name: 'sources' description: | @@ -364,9 +368,10 @@ properties: - !ruby/object:Api::Type::Array name: 'identities' description: | - A list of identities that are allowed access through this `EgressPolicy`. - Should be in the format of email address. The email address should - represent individual user or service account only. + 'A list of identities that are allowed access through this `EgressPolicy`. + To specify an identity or identity group, use the IAM v1 + format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' is_set: true item_type: Api::Type::String - !ruby/object:Api::Type::NestedObject 
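Review bot: The replacement description is wrapped in single quotes (`'A list of identities ... principalSet.'`) under `description: |`; inside a literal block scalar those quotes are content, so the generated documentation will carry a stray leading `'` and a trailing `.'`. The last line also misspells `supprted`. Drop the wrapping quotes and fix the spelling, so the block starts with `A list of identities that are allowed access through this IngressPolicy.` (keeping the backticks around the type name) and ends with `The following prefixes are supported: user, group, serviceAccount, principal, and principalSet.`. The same text appears in the second hunk on this line (`-364`), in the `-528` and `-652` hunks of this file, and in the `-220`, `-329`, `-514` and `-623` hunks of ServicePerimeters.yaml, so all eight copies need the same fix.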
@@ -528,9 +533,10 @@ properties: item_type: Api::Type::String is_set: true description: | - A list of identities that are allowed access through this ingress policy. - Should be in the format of email address. The email address should represent - individual user or service account only. + 'A list of identities that are allowed access through this `IngressPolicy`. + To specify an identity or identity group, use the IAM v1 + format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' - !ruby/object:Api::Type::Array name: 'sources' description: | @@ -652,9 +658,10 @@ properties: - !ruby/object:Api::Type::Array name: 'identities' description: | - A list of identities that are allowed access through this `EgressPolicy`. - Should be in the format of email address. The email address should - represent individual user or service account only. + 'A list of identities that are allowed access through this `EgressPolicy`. + To specify an identity or identity group, use the IAM v1 + format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' item_type: Api::Type::String is_set: true - !ruby/object:Api::Type::NestedObject diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml index 5e46e6770c0d..738ceefd98bd 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml 
@@ -76,8 +76,8 @@ properties: name: 'identities' description: | A list of identities that are allowed access through this `EgressPolicy`. - Should be in the format of email address. The email address should - represent individual user or service account only. + Should be in the format of an email address. The email address should + represent an individual user, service account, or Google group. item_type: Api::Type::String - !ruby/object:Api::Type::Array name: 'sources' diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml index 8e671e4096ee..195b87db9bfa 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml @@ -78,9 +78,9 @@ properties: name: 'identities' item_type: Api::Type::String description: | - A list of identities that are allowed access through this ingress policy. - Should be in the format of email address. The email address should represent - individual user or service account only. + A list of identities that are allowed access through this `IngressPolicy`. + Should be in the format of an email address. The email address should represent + an individual user, service account, or Google group. - !ruby/object:Api::Type::Array name: 'sources' description: | diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml index 2b941289d41a..655c3545a2e6 100644 --- a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml +++ b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml 
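Review bot: These standalone-resource descriptions still tell users to supply an email address (now adding Google groups), while the `identities` descriptions this commit rewrites in ServicePerimeter.yaml and ServicePerimeters.yaml document the IAM v1 principal format with the `user`, `group`, `serviceAccount`, `principal` and `principalSet` prefixes. If ServicePerimeterEgressPolicy.yaml and ServicePerimeterIngressPolicy.yaml write the same API field, as the identical field name suggests, the two sets of docs now disagree and readers of these will not learn that `principal:`/`principalSet:` identifiers, or the `group:` prefix form, are accepted. Consider replacing the two rewritten lines here, and in the IngressPolicy hunk on this line, with `To specify an identity or identity group, use the IAM v1 format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).` and `The following prefixes are supported: user, group, serviceAccount, principal, and principalSet.`.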
@@ -220,9 +220,10 @@ properties: is_set: true item_type: Api::Type::String description: | - A list of identities that are allowed access through this ingress policy. - Should be in the format of email address. The email address should represent - individual user or service account only. + 'A list of identities that are allowed access through this `IngressPolicy`. + To specify an identity or identity group, use the IAM v1 format + specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' - !ruby/object:Api::Type::Array name: 'sources' description: | @@ -329,9 +330,10 @@ properties: - !ruby/object:Api::Type::Array name: 'identities' description: | - A list of identities that are allowed access through this `EgressPolicy`. - Should be in the format of email address. The email address should - represent individual user or service account only. + 'A list of identities that are allowed access through this `EgressPolicy`. + To specify an identity or identity group, use the IAM v1 format + specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' is_set: true item_type: Api::Type::String - !ruby/object:Api::Type::Array 
@@ -514,9 +516,10 @@ properties: is_set: true item_type: Api::Type::String description: | - A list of identities that are allowed access through this ingress policy. - Should be in the format of email address. The email address should represent - individual user or service account only. + 'A list of identities that are allowed access through this `IngressPolicy`. + To specify an identity or identity group, use the IAM v1 format + specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' - !ruby/object:Api::Type::Array name: 'sources' description: | @@ -623,9 +626,10 @@ properties: - !ruby/object:Api::Type::Array name: 'identities' description: | - A list of identities that are allowed access through this `EgressPolicy`. - Should be in the format of email address. The email address should - represent individual user or service account only. + 'A list of identities that are allowed access through this `EgressPolicy`. + To specify an identity or identity group, use the IAM v1 format + specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1). + The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.' item_type: Api::Type::String is_set: true - !ruby/object:Api::Type::Array diff --git a/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb b/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb new file mode 100644 index 000000000000..728b3a87ca83 --- /dev/null +++ b/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.erb 
@@ -0,0 +1,59 @@
+resource "google_access_context_manager_access_policy" "access-policy" {
+ parent = "organizations/123456789"
+ title = "Policy with Granular Controls Group Support"
+}
+
+resource "google_access_context_manager_service_perimeter" "test-access" {
+ parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
+ name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
+ title = "%s"
+ perimeter_type = "PERIMETER_TYPE_REGULAR"
+ status {
+ restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
+
+ vpc_accessible_services {
+ enable_restriction = true
+ allowed_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
+ }
+
+ ingress_policies {
+ ingress_from {
+ sources {
+ access_level = google_access_context_manager_access_level.test-access.name
+ }
+ identities = ["group:database-admins@google.com"]
+ identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
+ identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
+ }
+
+ ingress_to {
+ resources = [ "*" ]
+ operations {
+ service_name = "storage.googleapis.com"
+
+ method_selectors {
+ method = "google.storage.objects.create"
+ }
+ }
+ }
+ }
+
+ egress_policies {
+ egress_from {
+ identities = ["group:database-admins@google.com"]
+ identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
+ identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
+ }
+ egress_to {
+ resources = [ "*" ]
+ operations {
+ service_name = "storage.googleapis.com"
+
+ method_selectors {
+ method = "google.storage.objects.create"
+ }
+ }
+ }
+ }
+ }
+}
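Review bot: `identities` is assigned three times inside `ingress_from`, and again three times inside `egress_from`; HCL rejects an attribute redefined within one block, so the example does not parse as written and the three entries should be one list. The perimeter also references `google_access_context_manager_access_policy.test-access`, but the only access policy declared is labelled `"access-policy"`, and `google_access_context_manager_access_level.test-access` is never declared at all. The `%s` values in `name` and `title` look like Go-format test placeholders rather than example-template substitutions (the entry in ServicePerimeter.yaml declares no `vars`), which is worth checking against the other `.tf.erb` examples. None of this is caught because the example is registered with `skip_test: true`. Since the `principalSet://.../workforcePools/1234/*` entries and `resources = [ "*" ]` are pool-wide and resource-wide, a short comment in the example saying so would keep readers from copying the wildcards verbatim.
```hcl
resource "google_access_context_manager_service_perimeter" "test-access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/%s"
  # … unchanged: title, perimeter_type, restricted_services, vpc_accessible_services …
      ingress_from {
        # … unchanged: sources block (needs a declared google_access_context_manager_access_level) …
        # The principalSet entry ending in /* is pool-wide; narrow it in real configurations.
        identities = [
          "group:database-admins@google.com",
          "principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe",
          "principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*",
        ]
      }
  # … unchanged: ingress_to …
  # … egress_from: same single identities list as ingress_from …
  # … unchanged: egress_to, closing braces …
```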