Access Context Manager - make ingress and egress rules immutable

GoogleCloudPlatform · Mar 8, 2024 · f131707 · f131707
1 parent 1253916
commit f131707
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 0 deletions.
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
@@ -37,6 +37,14 @@ description: |
   within the ServicePerimeter to access a defined set of projects outside the
   perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket
   or query against a BigQuery dataset).
+
+  ~> **Note:** By default, updates to this resource will remove the EgressPolicy from the
+  from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy
+  is added first, add `create_before_destroy` to this resource.
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'access_context_manager_service_perimeter_egress_policy'
+    skip_test: true
 autogen_async: true
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
@@ -61,6 +69,7 @@ properties:
     name: 'egressFrom'
     description: |
       Defines conditions on the source of a request causing this `EgressPolicy` to apply.
+    immutable: true
     properties:
       - !ruby/object:Api::Type::Enum
         name: 'identityType'
@@ -99,6 +108,7 @@ properties:
     description: |
       Defines the conditions on the `ApiOperation` and destination resources that
       cause this `EgressPolicy` to apply.
+    immutable: true
     properties:
       - !ruby/object:Api::Type::Array
         name: 'resources'

diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
@@ -38,6 +38,14 @@ description: |
   For access from private networks, using the project of the hosting network is required.
   Individual ingress policies can be limited by restricting which services and/
   or actions they match using the ingressTo field.
+
+  ~> **Note:** By default, updates to this resource will remove the IngressPolicy from the
+  from the perimeter and add it back in a non-atomic manner. To ensure that the new IngressPolicy
+  is added first, add `create_before_destroy` to this resource.
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'access_context_manager_service_perimeter_ingress_policy'
+    skip_test: true
 autogen_async: true
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
@@ -63,6 +71,7 @@ properties:
     description: |
       Defines the conditions on the source of a request causing this `IngressPolicy`
       to apply.
+    immutable: true
     properties:
       - !ruby/object:Api::Type::Enum
         name: 'identityType'
@@ -112,6 +121,7 @@ properties:
     description: |
       Defines the conditions on the `ApiOperation` and request destination that cause
       this `IngressPolicy` to apply.
+    immutable: true
     properties:
       - !ruby/object:Api::Type::Array
         name: 'resources'

diff --git a/...emplates/terraform/examples/access_context_manager_service_perimeter_egress_policy.tf.erb b/...emplates/terraform/examples/access_context_manager_service_perimeter_egress_policy.tf.erb
@@ -0,0 +1,36 @@
+resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
+  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
+  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
+  title  = "Storage Perimeter"
+  status {
+    restricted_services = ["storage.googleapis.com"]
+  }
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }
+}
+
+resource "google_access_context_manager_service_perimeter_egress_policy" "egress_policy" {
+  perimeter = "${google_access_context_manager_service_perimeter.storage-perimeter.name}"
+  egress_from {
+    identity_type = "ANY_IDENTITY"
+  }
+  egress_to {
+    resources = ["*"]
+    operations {
+      service_name = "bigquery.googleapis.com"
+      method_selectors {
+        method = "*"
+      }
+    }
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "test policy"
+}
diff --git a/...mplates/terraform/examples/access_context_manager_service_perimeter_ingress_policy.tf.erb b/...mplates/terraform/examples/access_context_manager_service_perimeter_ingress_policy.tf.erb
@@ -0,0 +1,39 @@
+resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
+  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
+  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
+  title  = "Storage Perimeter"
+  status {
+    restricted_services = ["storage.googleapis.com"]
+  }
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }
+}
+
+resource "google_access_context_manager_service_perimeter_ingress_policy" "ingress_policy" {
+  perimeter = "${google_access_context_manager_service_perimeter.storage-perimeter.name}"
+  ingress_from {
+    identity_type = "any_identity"
+    sources {
+      access_level = "*"
+    }
+  }
+  ingress_to {
+    resources = ["*"]
+    operations {
+      service_name = "bigquery.googleapis.com"
+      method_selectors {
+        method = "*"
+      }
+    }
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "Storage Policy"
+}