Access Context Manager - make ingress and egress rules immutable (Goo…

…gleCloudPlatform#10147) * Access Context Manager - make ingress and egress rules immutable * Move immutable state to top level resource --------- Co-authored-by: Charles Leon <charlesleon@google.com>
balanaguharsha · May 2, 2024 · 78da866 · 78da866
1 parent 9329643
commit 78da866
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 2 deletions.
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
@@ -18,6 +18,7 @@ self_link: '{{perimeter}}'
 create_verb: :PATCH
 delete_verb: :PATCH
 update_mask: true
+immutable: true
 identity:
   - egressFrom
   - egressTo
@@ -37,6 +38,14 @@ description: |
   within the ServicePerimeter to access a defined set of projects outside the
   perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket
   or query against a BigQuery dataset).
+
+  ~> **Note:** By default, updates to this resource will remove the EgressPolicy from the
+  from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy
+  is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'access_context_manager_service_perimeter_egress_policy'
+    skip_test: true
 autogen_async: true
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
@@ -54,7 +63,6 @@ parameters:
     description: |
       The name of the Service Perimeter to add this resource to.
     required: true
-    immutable: true
     url_param_only: true
 properties:
   - !ruby/object:Api::Type::NestedObject

diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
@@ -18,6 +18,7 @@ self_link: '{{perimeter}}'
 create_verb: :PATCH
 delete_verb: :PATCH
 update_mask: true
+immutable: true
 identity:
   - ingressFrom
   - ingressTo
@@ -38,6 +39,14 @@ description: |
   For access from private networks, using the project of the hosting network is required.
   Individual ingress policies can be limited by restricting which services and/
   or actions they match using the ingressTo field.
+
+  ~> **Note:** By default, updates to this resource will remove the IngressPolicy from the
+  from the perimeter and add it back in a non-atomic manner. To ensure that the new IngressPolicy
+  is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'access_context_manager_service_perimeter_ingress_policy'
+    skip_test: true
 autogen_async: true
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
@@ -55,7 +64,6 @@ parameters:
     description: |
       The name of the Service Perimeter to add this resource to.
     required: true
-    immutable: true
     url_param_only: true
 properties:
   - !ruby/object:Api::Type::NestedObject

diff --git a/...emplates/terraform/examples/access_context_manager_service_perimeter_egress_policy.tf.erb b/...emplates/terraform/examples/access_context_manager_service_perimeter_egress_policy.tf.erb
@@ -0,0 +1,36 @@
+resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
+  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
+  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
+  title  = "Storage Perimeter"
+  status {
+    restricted_services = ["storage.googleapis.com"]
+  }
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }
+}
+
+resource "google_access_context_manager_service_perimeter_egress_policy" "egress_policy" {
+  perimeter = "${google_access_context_manager_service_perimeter.storage-perimeter.name}"
+  egress_from {
+    identity_type = "ANY_IDENTITY"
+  }
+  egress_to {
+    resources = ["*"]
+    operations {
+      service_name = "bigquery.googleapis.com"
+      method_selectors {
+        method = "*"
+      }
+    }
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "Storage Policy"
+}
diff --git a/...mplates/terraform/examples/access_context_manager_service_perimeter_ingress_policy.tf.erb b/...mplates/terraform/examples/access_context_manager_service_perimeter_ingress_policy.tf.erb
@@ -0,0 +1,39 @@
+resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
+  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
+  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
+  title  = "Storage Perimeter"
+  status {
+    restricted_services = ["storage.googleapis.com"]
+  }
+  lifecycle {
+    ignore_changes = [status[0].resources]
+  }
+}
+
+resource "google_access_context_manager_service_perimeter_ingress_policy" "ingress_policy" {
+  perimeter = "${google_access_context_manager_service_perimeter.storage-perimeter.name}"
+  ingress_from {
+    identity_type = "any_identity"
+    sources {
+      access_level = "*"
+    }
+  }
+  ingress_to {
+    resources = ["*"]
+    operations {
+      service_name = "bigquery.googleapis.com"
+      method_selectors {
+        method = "*"
+      }
+    }
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "Storage Policy"
+}