diff --git a/.changelog/4509.txt b/.changelog/4509.txt new file mode 100644 index 0000000000..6e5441bc0b --- /dev/null +++ b/.changelog/4509.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +accesscontextmanager: added support for ingress and egress policies to `google_access_context_manager_service_perimeter` +``` diff --git a/google-beta/resource_access_context_manager_service_perimeter.go b/google-beta/resource_access_context_manager_service_perimeter.go index a4809130a2..b32de09f6c 100644 --- a/google-beta/resource_access_context_manager_service_perimeter.go +++ b/google-beta/resource_access_context_manager_service_perimeter.go @@ -120,6 +120,193 @@ Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}`, }, AtLeastOneOf: []string{"status.0.resources", "status.0.access_levels", "status.0.restricted_services"}, }, + "egress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "egress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines conditions on the source of a request causing this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this 'EgressPolicy'. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + }, + }, + }, + "egress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and destination resources that cause this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' that this egress rule applies to. A request matches if it contains an operation/service in this list.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by 'serviceName' field. A single MethodSelector entry with '*' specified for the 'method' field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for 'method' should be a valid method name for the corresponding 'serviceName' in 'ApiOperation'. If '*' used as value for method, then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this 'EgressTo' rule will authorize access to all resources outside the perimeter.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, + "ingress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of 'IngressPolicies' to apply to the perimeter. A perimeter may have multiple 'IngressPolicies', each of which is evaluated separately. Access is granted if any 'Ingress Policy' grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ingress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the source of a request causing this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + "sources": { + Type: schema.TypeList, + Optional: true, + Description: `/ Sources that this 'IngressPolicy' authorizes access from.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_level": { + Type: schema.TypeString, + Optional: true, + Description: `/ An 'AccessLevel' resource name that allow resources within the 'ServicePerimeters' to be accessed from the internet. 'AccessLevels' listed must be in the same policy as this 'ServicePerimeter'. Referencing a nonexistent 'AccessLevel' will cause an error. If no 'AccessLevel' names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example 'accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.' If * is specified, then all IngressSources will be allowed.`, + }, + "resource": { + Type: schema.TypeString, + Optional: true, + Description: `/ A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format 'projects/{project_number}' The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. '*' is not allowed, the case of allowing all Google Cloud resources only is not supported.`, + }, + }, + }, + }, + }, + }, + }, + "ingress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and request destination that cause this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom' are allowed to perform in this 'ServicePerimeter'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single 'MethodSelector' entry with '*' specified for the method field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for method should be a valid method name for the corresponding serviceName in 'ApiOperation'. If '*' used as value for 'method', then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName' field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', protected by this 'ServicePerimeter' that are allowed to be accessed by sources defined in the corresponding 'IngressFrom'. A request matches if it contains a resource in this list. If '*' is specified for resources, then this 'IngressTo' rule will authorize access to all resources inside the perimeter, provided that the request also matches the 'operations' field.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, "resources": { Type: schema.TypeList, Optional: true, @@ -200,6 +387,193 @@ Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}`, }, AtLeastOneOf: []string{"status.0.resources", "status.0.access_levels", "status.0.restricted_services"}, }, + "egress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "egress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines conditions on the source of a request causing this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this 'EgressPolicy'. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + }, + }, + }, + "egress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and destination resources that cause this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' that this egress rule applies to. A request matches if it contains an operation/service in this list.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by 'serviceName' field. A single MethodSelector entry with '*' specified for the 'method' field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for 'method' should be a valid method name for the corresponding 'serviceName' in 'ApiOperation'. If '*' used as value for method, then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this 'EgressTo' rule will authorize access to all resources outside the perimeter.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, + "ingress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of 'IngressPolicies' to apply to the perimeter. A perimeter may have multiple 'IngressPolicies', each of which is evaluated separately. Access is granted if any 'Ingress Policy' grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ingress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the source of a request causing this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + "sources": { + Type: schema.TypeList, + Optional: true, + Description: `/ Sources that this 'IngressPolicy' authorizes access from.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_level": { + Type: schema.TypeString, + Optional: true, + Description: `/ An 'AccessLevel' resource name that allow resources within the 'ServicePerimeters' to be accessed from the internet. 'AccessLevels' listed must be in the same policy as this 'ServicePerimeter'. Referencing a nonexistent 'AccessLevel' will cause an error. If no 'AccessLevel' names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example 'accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.' If * is specified, then all IngressSources will be allowed.`, + }, + "resource": { + Type: schema.TypeString, + Optional: true, + Description: `/ A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format 'projects/{project_number}' The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. '*' is not allowed, the case of allowing all Google Cloud resources only is not supported.`, + }, + }, + }, + }, + }, + }, + }, + "ingress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and request destination that cause this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom' are allowed to perform in this 'ServicePerimeter'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single 'MethodSelector' entry with '*' specified for the method field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for method should be a valid method name for the corresponding serviceName in 'ApiOperation'. If '*' used as value for 'method', then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName' field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', protected by this 'ServicePerimeter' that are allowed to be accessed by sources defined in the corresponding 'IngressFrom'. A request matches if it contains a resource in this list. If '*' is specified for resources, then this 'IngressTo' rule will authorize access to all resources inside the perimeter, provided that the request also matches the 'operations' field.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, "resources": { Type: schema.TypeList, Optional: true, @@ -675,6 +1049,10 @@ func flattenAccessContextManagerServicePerimeterStatus(v interface{}, d *schema. flattenAccessContextManagerServicePerimeterStatusRestrictedServices(original["restrictedServices"], d, config) transformed["vpc_accessible_services"] = flattenAccessContextManagerServicePerimeterStatusVPCAccessibleServices(original["vpcAccessibleServices"], d, config) + transformed["ingress_policies"] = + flattenAccessContextManagerServicePerimeterStatusIngressPolicies(original["ingressPolicies"], d, config) + transformed["egress_policies"] = + flattenAccessContextManagerServicePerimeterStatusEgressPolicies(original["egressPolicies"], d, config) return []interface{}{transformed} } func flattenAccessContextManagerServicePerimeterStatusResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { @@ -718,6 +1096,257 @@ func flattenAccessContextManagerServicePerimeterStatusVPCAccessibleServicesAllow return schema.NewSet(schema.HashString, v.([]interface{})) } +func flattenAccessContextManagerServicePerimeterStatusIngressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "ingress_from": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFrom(original["ingressFrom"], d, config), + "ingress_to": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressTo(original["ingressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentities(original["identities"], d, config) + transformed["sources"] = + flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSources(original["sources"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "access_level": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesAccessLevel(original["accessLevel"], d, config), + "resource": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesResource(original["resource"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesResource(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusEgressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "egress_from": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFrom(original["egressFrom"], d, config), + "egress_to": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressTo(original["egressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentities(original["identities"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + func flattenAccessContextManagerServicePerimeterSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} { if v == nil { return nil @@ -735,6 +1364,10 @@ func flattenAccessContextManagerServicePerimeterSpec(v interface{}, d *schema.Re flattenAccessContextManagerServicePerimeterSpecRestrictedServices(original["restrictedServices"], d, config) transformed["vpc_accessible_services"] = flattenAccessContextManagerServicePerimeterSpecVPCAccessibleServices(original["vpcAccessibleServices"], d, config) + transformed["ingress_policies"] = + flattenAccessContextManagerServicePerimeterSpecIngressPolicies(original["ingressPolicies"], d, config) + transformed["egress_policies"] = + flattenAccessContextManagerServicePerimeterSpecEgressPolicies(original["egressPolicies"], d, config) return []interface{}{transformed} } func flattenAccessContextManagerServicePerimeterSpecResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { @@ -772,85 +1405,350 @@ func flattenAccessContextManagerServicePerimeterSpecVPCAccessibleServicesAllowed return v } -func flattenAccessContextManagerServicePerimeterUseExplicitDryRunSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} { +func flattenAccessContextManagerServicePerimeterSpecIngressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "ingress_from": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFrom(original["ingressFrom"], d, config), + "ingress_to": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressTo(original["ingressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentities(original["identities"], d, config) + transformed["sources"] = + flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSources(original["sources"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { return v } -func flattenAccessContextManagerServicePerimeterName(v interface{}, d *schema.ResourceData, config *Config) interface{} { +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { return v } -func expandAccessContextManagerServicePerimeterTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - return v, nil +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "access_level": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesAccessLevel(original["accessLevel"], d, config), + "resource": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesResource(original["resource"], d, config), + }) + } + return transformed } - -func expandAccessContextManagerServicePerimeterDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - return v, nil +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v } -func expandAccessContextManagerServicePerimeterPerimeterType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - return v, nil +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesResource(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v } -func expandAccessContextManagerServicePerimeterStatus(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - l := v.([]interface{}) - if len(l) == 0 || l[0] == nil { - return nil, nil - } - raw := l[0] - original := raw.(map[string]interface{}) - transformed := make(map[string]interface{}) - - transformedResources, err := expandAccessContextManagerServicePerimeterStatusResources(original["resources"], d, config) - if err != nil { - return nil, err - } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { - transformed["resources"] = transformedResources - } - - transformedAccessLevels, err := expandAccessContextManagerServicePerimeterStatusAccessLevels(original["access_levels"], d, config) - if err != nil { - return nil, err - } else if val := reflect.ValueOf(transformedAccessLevels); val.IsValid() && !isEmptyValue(val) { - transformed["accessLevels"] = transformedAccessLevels +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil } - - transformedRestrictedServices, err := expandAccessContextManagerServicePerimeterStatusRestrictedServices(original["restricted_services"], d, config) - if err != nil { - return nil, err - } else if val := reflect.ValueOf(transformedRestrictedServices); val.IsValid() && !isEmptyValue(val) { - transformed["restrictedServices"] = transformedRestrictedServices + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} - transformedVPCAccessibleServices, err := expandAccessContextManagerServicePerimeterStatusVPCAccessibleServices(original["vpc_accessible_services"], d, config) - if err != nil { - return nil, err - } else if val := reflect.ValueOf(transformedVPCAccessibleServices); val.IsValid() && !isEmptyValue(val) { - transformed["vpcAccessibleServices"] = transformedVPCAccessibleServices +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v } - - return transformed, nil + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed } - -func expandAccessContextManagerServicePerimeterStatusResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - return v, nil +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v } -func expandAccessContextManagerServicePerimeterStatusAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - return v, nil +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v } -func expandAccessContextManagerServicePerimeterStatusRestrictedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - v = v.(*schema.Set).List() - return v, nil +func flattenAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v } -func expandAccessContextManagerServicePerimeterStatusVPCAccessibleServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - l := v.([]interface{}) - if len(l) == 0 || l[0] == nil { - return nil, nil +func flattenAccessContextManagerServicePerimeterSpecEgressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v } - raw := l[0] + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "egress_from": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFrom(original["egressFrom"], d, config), + "egress_to": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressTo(original["egressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentities(original["identities"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterUseExplicitDryRunSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimeterName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func expandAccessContextManagerServicePerimeterTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterPerimeterType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatus(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimeterStatusResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedAccessLevels, err := expandAccessContextManagerServicePerimeterStatusAccessLevels(original["access_levels"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccessLevels); val.IsValid() && !isEmptyValue(val) { + transformed["accessLevels"] = transformedAccessLevels + } + + transformedRestrictedServices, err := expandAccessContextManagerServicePerimeterStatusRestrictedServices(original["restricted_services"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedRestrictedServices); val.IsValid() && !isEmptyValue(val) { + transformed["restrictedServices"] = transformedRestrictedServices + } + + transformedVPCAccessibleServices, err := expandAccessContextManagerServicePerimeterStatusVPCAccessibleServices(original["vpc_accessible_services"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedVPCAccessibleServices); val.IsValid() && !isEmptyValue(val) { + transformed["vpcAccessibleServices"] = transformedVPCAccessibleServices + } + + transformedIngressPolicies, err := expandAccessContextManagerServicePerimeterStatusIngressPolicies(original["ingress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["ingressPolicies"] = transformedIngressPolicies + } + + transformedEgressPolicies, err := expandAccessContextManagerServicePerimeterStatusEgressPolicies(original["egress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["egressPolicies"] = transformedEgressPolicies + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterStatusResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusRestrictedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + v = v.(*schema.Set).List() + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusVPCAccessibleServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] original := raw.(map[string]interface{}) transformed := make(map[string]interface{}) @@ -880,6 +1778,376 @@ func expandAccessContextManagerServicePerimeterStatusVPCAccessibleServicesAllowe return v, nil } +func expandAccessContextManagerServicePerimeterStatusIngressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIngressFrom, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFrom(original["ingress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["ingressFrom"] = transformedIngressFrom + } + + transformedIngressTo, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressTo(original["ingress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressTo); val.IsValid() && !isEmptyValue(val) { + transformed["ingressTo"] = transformedIngressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + transformedSources, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSources(original["sources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSources); val.IsValid() && !isEmptyValue(val) { + transformed["sources"] = transformedSources + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedAccessLevel, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesAccessLevel(original["access_level"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccessLevel); val.IsValid() && !isEmptyValue(val) { + transformed["accessLevel"] = transformedAccessLevel + } + + transformedResource, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesResource(original["resource"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResource); val.IsValid() && !isEmptyValue(val) { + transformed["resource"] = transformedResource + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressFromSourcesResource(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedEgressFrom, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFrom(original["egress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["egressFrom"] = transformedEgressFrom + } + + transformedEgressTo, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressTo(original["egress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressTo); val.IsValid() && !isEmptyValue(val) { + transformed["egressTo"] = transformedEgressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandAccessContextManagerServicePerimeterSpec(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { l := v.([]interface{}) if len(l) == 0 || l[0] == nil { @@ -917,6 +2185,20 @@ func expandAccessContextManagerServicePerimeterSpec(v interface{}, d TerraformRe transformed["vpcAccessibleServices"] = transformedVPCAccessibleServices } + transformedIngressPolicies, err := expandAccessContextManagerServicePerimeterSpecIngressPolicies(original["ingress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["ingressPolicies"] = transformedIngressPolicies + } + + transformedEgressPolicies, err := expandAccessContextManagerServicePerimeterSpecEgressPolicies(original["egress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["egressPolicies"] = transformedEgressPolicies + } + return transformed, nil } @@ -966,6 +2248,376 @@ func expandAccessContextManagerServicePerimeterSpecVPCAccessibleServicesAllowedS return v, nil } +func expandAccessContextManagerServicePerimeterSpecIngressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIngressFrom, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFrom(original["ingress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["ingressFrom"] = transformedIngressFrom + } + + transformedIngressTo, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressTo(original["ingress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressTo); val.IsValid() && !isEmptyValue(val) { + transformed["ingressTo"] = transformedIngressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + transformedSources, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSources(original["sources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSources); val.IsValid() && !isEmptyValue(val) { + transformed["sources"] = transformedSources + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedAccessLevel, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesAccessLevel(original["access_level"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccessLevel); val.IsValid() && !isEmptyValue(val) { + transformed["accessLevel"] = transformedAccessLevel + } + + transformedResource, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesResource(original["resource"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResource); val.IsValid() && !isEmptyValue(val) { + transformed["resource"] = transformedResource + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressFromSourcesResource(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedEgressFrom, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFrom(original["egress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["egressFrom"] = transformedEgressFrom + } + + transformedEgressTo, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressTo(original["egress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressTo); val.IsValid() && !isEmptyValue(val) { + transformed["egressTo"] = transformedEgressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandAccessContextManagerServicePerimeterUseExplicitDryRunSpec(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } diff --git a/google-beta/resource_access_context_manager_service_perimeter_test.go b/google-beta/resource_access_context_manager_service_perimeter_test.go index c23d2c928f..82e14af6bf 100644 --- a/google-beta/resource_access_context_manager_service_perimeter_test.go +++ b/google-beta/resource_access_context_manager_service_perimeter_test.go @@ -197,13 +197,55 @@ resource "google_access_context_manager_service_perimeter" "test-access" { title = "%s" perimeter_type = "PERIMETER_TYPE_REGULAR" status { - restricted_services = ["bigquery.googleapis.com"] - access_levels = [google_access_context_manager_access_level.test-access.name] + restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] + access_levels = [google_access_context_manager_access_level.test-access.name] - vpc_accessible_services { - enable_restriction = true - allowed_services = ["bigquery.googleapis.com"] - } + vpc_accessible_services { + enable_restriction = true + allowed_services = ["bigquery.googleapis.com", "storage.googleapis.com"] + } + + ingress_policies { + ingress_from { + sources { + access_level = google_access_context_manager_access_level.test-access.name + } + identity_type = "ANY_IDENTITY" + } + + ingress_to { + resources = [ "*" ] + operations { + service_name = "bigquery.googleapis.com" + + method_selectors { + method = "BigQueryStorage.ReadRows" + } + + method_selectors { + method = "TableService.ListTables" + } + + method_selectors { + permission = "bigquery.jobs.get" + } + } + + operations { + service_name = "storage.googleapis.com" + + method_selectors { + method = "google.storage.objects.create" + } + } + } + } + + egress_policies { + egress_from { + identity_type = "ANY_USER_ACCOUNT" + } + } } } `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName) diff --git a/google-beta/resource_access_context_manager_service_perimeters.go b/google-beta/resource_access_context_manager_service_perimeters.go index 4bbc6307a8..31b3d3e26d 100644 --- a/google-beta/resource_access_context_manager_service_perimeters.go +++ b/google-beta/resource_access_context_manager_service_perimeters.go @@ -133,6 +133,193 @@ Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}`, Type: schema.TypeString, }, }, + "egress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "egress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines conditions on the source of a request causing this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this 'EgressPolicy'. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + }, + }, + }, + "egress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and destination resources that cause this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' that this egress rule applies to. A request matches if it contains an operation/service in this list.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by 'serviceName' field. A single MethodSelector entry with '*' specified for the 'method' field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for 'method' should be a valid method name for the corresponding 'serviceName' in 'ApiOperation'. If '*' used as value for method, then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this 'EgressTo' rule will authorize access to all resources outside the perimeter.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, + "ingress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of 'IngressPolicies' to apply to the perimeter. A perimeter may have multiple 'IngressPolicies', each of which is evaluated separately. Access is granted if any 'Ingress Policy' grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ingress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the source of a request causing this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + "sources": { + Type: schema.TypeList, + Optional: true, + Description: `/ Sources that this 'IngressPolicy' authorizes access from.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_level": { + Type: schema.TypeString, + Optional: true, + Description: `/ An 'AccessLevel' resource name that allow resources within the 'ServicePerimeters' to be accessed from the internet. 'AccessLevels' listed must be in the same policy as this 'ServicePerimeter'. Referencing a nonexistent 'AccessLevel' will cause an error. If no 'AccessLevel' names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example 'accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.' If * is specified, then all IngressSources will be allowed.`, + }, + "resource": { + Type: schema.TypeString, + Optional: true, + Description: `/ A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format 'projects/{project_number}' The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. '*' is not allowed, the case of allowing all Google Cloud resources only is not supported.`, + }, + }, + }, + }, + }, + }, + }, + "ingress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and request destination that cause this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom' are allowed to perform in this 'ServicePerimeter'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single 'MethodSelector' entry with '*' specified for the method field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for method should be a valid method name for the corresponding serviceName in 'ApiOperation'. If '*' used as value for 'method', then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName' field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', protected by this 'ServicePerimeter' that are allowed to be accessed by sources defined in the corresponding 'IngressFrom'. A request matches if it contains a resource in this list. If '*' is specified for resources, then this 'IngressTo' rule will authorize access to all resources inside the perimeter, provided that the request also matches the 'operations' field.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, "resources": { Type: schema.TypeList, Optional: true, @@ -210,6 +397,193 @@ Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}`, Type: schema.TypeString, }, }, + "egress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "egress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines conditions on the source of a request causing this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this 'EgressPolicy'. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + }, + }, + }, + "egress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and destination resources that cause this 'EgressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' that this egress rule applies to. A request matches if it contains an operation/service in this list.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by 'serviceName' field. A single MethodSelector entry with '*' specified for the 'method' field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for 'method' should be a valid method name for the corresponding 'serviceName' in 'ApiOperation'. If '*' used as value for method, then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this 'EgressTo' rule will authorize access to all resources outside the perimeter.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, + "ingress_policies": { + Type: schema.TypeList, + Optional: true, + Description: `/ List of 'IngressPolicies' to apply to the perimeter. A perimeter may have multiple 'IngressPolicies', each of which is evaluated separately. Access is granted if any 'Ingress Policy' grants it. Must be empty for a perimeter bridge.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ingress_from": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the source of a request causing this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "identities": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "identity_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT", ""}, false), + Description: `/ Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of 'identities' field will be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"]`, + }, + "sources": { + Type: schema.TypeList, + Optional: true, + Description: `/ Sources that this 'IngressPolicy' authorizes access from.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_level": { + Type: schema.TypeString, + Optional: true, + Description: `/ An 'AccessLevel' resource name that allow resources within the 'ServicePerimeters' to be accessed from the internet. 'AccessLevels' listed must be in the same policy as this 'ServicePerimeter'. Referencing a nonexistent 'AccessLevel' will cause an error. If no 'AccessLevel' names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example 'accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.' If * is specified, then all IngressSources will be allowed.`, + }, + "resource": { + Type: schema.TypeString, + Optional: true, + Description: `/ A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format 'projects/{project_number}' The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. '*' is not allowed, the case of allowing all Google Cloud resources only is not supported.`, + }, + }, + }, + }, + }, + }, + }, + "ingress_to": { + Type: schema.TypeList, + Optional: true, + Description: `/ Defines the conditions on the 'ApiOperation' and request destination that cause this 'IngressPolicy' to apply.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "operations": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom' are allowed to perform in this 'ServicePerimeter'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method_selectors": { + Type: schema.TypeList, + Optional: true, + Description: `/ API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single 'MethodSelector' entry with '*' specified for the method field will allow all methods AND permissions for the service specified in 'serviceName'.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "method": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for method should be a valid method name for the corresponding serviceName in 'ApiOperation'. If '*' used as value for 'method', then ALL methods and permissions are allowed.`, + }, + "permission": { + Type: schema.TypeString, + Optional: true, + Description: `/ Value for permission should be a valid Cloud IAM permission for the corresponding 'serviceName' in 'ApiOperation'.`, + }, + }, + }, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Description: `/ The name of the API whose methods or permissions the 'IngressPolicy' or 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName' field set to '*' will allow all methods AND permissions for all services.`, + }, + }, + }, + }, + "resources": { + Type: schema.TypeList, + Optional: true, + Description: `/ A list of resources, currently only projects in the form 'projects/', protected by this 'ServicePerimeter' that are allowed to be accessed by sources defined in the corresponding 'IngressFrom'. A request matches if it contains a resource in this list. If '*' is specified for resources, then this 'IngressTo' rule will authorize access to all resources inside the perimeter, provided that the request also matches the 'operations' field.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, "resources": { Type: schema.TypeList, Optional: true, @@ -557,6 +931,10 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatus(v inter flattenAccessContextManagerServicePerimetersServicePerimetersStatusRestrictedServices(original["restrictedServices"], d, config) transformed["vpc_accessible_services"] = flattenAccessContextManagerServicePerimetersServicePerimetersStatusVPCAccessibleServices(original["vpcAccessibleServices"], d, config) + transformed["ingress_policies"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPolicies(original["ingressPolicies"], d, config) + transformed["egress_policies"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPolicies(original["egressPolicies"], d, config) return []interface{}{transformed} } func flattenAccessContextManagerServicePerimetersServicePerimetersStatusResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { @@ -600,6 +978,257 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusVPCAcces return schema.NewSet(schema.HashString, v.([]interface{})) } +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "ingress_from": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFrom(original["ingressFrom"], d, config), + "ingress_to": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressTo(original["ingressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentities(original["identities"], d, config) + transformed["sources"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSources(original["sources"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "access_level": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesAccessLevel(original["accessLevel"], d, config), + "resource": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesResource(original["resource"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesResource(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "egress_from": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFrom(original["egressFrom"], d, config), + "egress_to": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressTo(original["egressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentities(original["identities"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + func flattenAccessContextManagerServicePerimetersServicePerimetersSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} { if v == nil { return nil @@ -617,6 +1246,10 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpec(v interfa flattenAccessContextManagerServicePerimetersServicePerimetersSpecRestrictedServices(original["restrictedServices"], d, config) transformed["vpc_accessible_services"] = flattenAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServices(original["vpcAccessibleServices"], d, config) + transformed["ingress_policies"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPolicies(original["ingressPolicies"], d, config) + transformed["egress_policies"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPolicies(original["egressPolicies"], d, config) return []interface{}{transformed} } func flattenAccessContextManagerServicePerimetersServicePerimetersSpecResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { @@ -654,16 +1287,267 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessi return v } -func flattenAccessContextManagerServicePerimetersServicePerimetersUseExplicitDryRunSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} { +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "ingress_from": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFrom(original["ingressFrom"], d, config), + "ingress_to": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressTo(original["ingressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentities(original["identities"], d, config) + transformed["sources"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSources(original["sources"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { return v } -func expandAccessContextManagerServicePerimetersServicePerimeters(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - v = v.(*schema.Set).List() +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } l := v.([]interface{}) - req := make([]interface{}, 0, len(l)) + transformed := make([]interface{}, 0, len(l)) for _, raw := range l { - if raw == nil { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "access_level": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesAccessLevel(original["accessLevel"], d, config), + "resource": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesResource(original["resource"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesResource(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPolicies(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "egress_from": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFrom(original["egressFrom"], d, config), + "egress_to": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressTo(original["egressTo"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFrom(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["identity_type"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentityType(original["identityType"], d, config) + transformed["identities"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentities(original["identities"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentityType(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentities(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressTo(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["resources"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToResources(original["resources"], d, config) + transformed["operations"] = + flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperations(original["operations"], d, config) + return []interface{}{transformed} +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToResources(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperations(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "service_name": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsServiceName(original["serviceName"], d, config), + "method_selectors": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectors(original["methodSelectors"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsServiceName(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d *schema.ResourceData, config *Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "method": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config), + "permission": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config), + }) + } + return transformed +} +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func flattenAccessContextManagerServicePerimetersServicePerimetersUseExplicitDryRunSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + +func expandAccessContextManagerServicePerimetersServicePerimeters(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + v = v.(*schema.Set).List() + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { continue } original := raw.(map[string]interface{}) @@ -798,6 +1682,20 @@ func expandAccessContextManagerServicePerimetersServicePerimetersStatus(v interf transformed["vpcAccessibleServices"] = transformedVPCAccessibleServices } + transformedIngressPolicies, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPolicies(original["ingress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["ingressPolicies"] = transformedIngressPolicies + } + + transformedEgressPolicies, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPolicies(original["egress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["egressPolicies"] = transformedEgressPolicies + } + return transformed, nil } @@ -849,7 +1747,36 @@ func expandAccessContextManagerServicePerimetersServicePerimetersStatusVPCAccess return v, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpec(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIngressFrom, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFrom(original["ingress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["ingressFrom"] = transformedIngressFrom + } + + transformedIngressTo, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressTo(original["ingress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressTo); val.IsValid() && !isEmptyValue(val) { + transformed["ingressTo"] = transformedIngressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { l := v.([]interface{}) if len(l) == 0 || l[0] == nil { return nil, nil @@ -858,50 +1785,76 @@ func expandAccessContextManagerServicePerimetersServicePerimetersSpec(v interfac original := raw.(map[string]interface{}) transformed := make(map[string]interface{}) - transformedResources, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecResources(original["resources"], d, config) - if err != nil { - return nil, err - } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { - transformed["resources"] = transformedResources - } - - transformedAccessLevels, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecAccessLevels(original["access_levels"], d, config) + transformedIdentityType, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentityType(original["identity_type"], d, config) if err != nil { return nil, err - } else if val := reflect.ValueOf(transformedAccessLevels); val.IsValid() && !isEmptyValue(val) { - transformed["accessLevels"] = transformedAccessLevels + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType } - transformedRestrictedServices, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecRestrictedServices(original["restricted_services"], d, config) + transformedIdentities, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentities(original["identities"], d, config) if err != nil { return nil, err - } else if val := reflect.ValueOf(transformedRestrictedServices); val.IsValid() && !isEmptyValue(val) { - transformed["restrictedServices"] = transformedRestrictedServices + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities } - transformedVPCAccessibleServices, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServices(original["vpc_accessible_services"], d, config) + transformedSources, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSources(original["sources"], d, config) if err != nil { return nil, err - } else if val := reflect.ValueOf(transformedVPCAccessibleServices); val.IsValid() && !isEmptyValue(val) { - transformed["vpcAccessibleServices"] = transformedVPCAccessibleServices + } else if val := reflect.ValueOf(transformedSources); val.IsValid() && !isEmptyValue(val) { + transformed["sources"] = transformedSources } return transformed, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpecResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpecAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpecRestrictedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedAccessLevel, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesAccessLevel(original["access_level"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccessLevel); val.IsValid() && !isEmptyValue(val) { + transformed["accessLevel"] = transformedAccessLevel + } + + transformedResource, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesResource(original["resource"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResource); val.IsValid() && !isEmptyValue(val) { + transformed["resource"] = transformedResource + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressFromSourcesResource(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { l := v.([]interface{}) if len(l) == 0 || l[0] == nil { return nil, nil @@ -910,28 +1863,727 @@ func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessib original := raw.(map[string]interface{}) transformed := make(map[string]interface{}) - transformedEnableRestriction, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesEnableRestriction(original["enable_restriction"], d, config) + transformedResources, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToResources(original["resources"], d, config) if err != nil { return nil, err - } else if val := reflect.ValueOf(transformedEnableRestriction); val.IsValid() && !isEmptyValue(val) { - transformed["enableRestriction"] = transformedEnableRestriction + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources } - transformedAllowedServices, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesAllowedServices(original["allowed_services"], d, config) + transformedOperations, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperations(original["operations"], d, config) if err != nil { return nil, err - } else if val := reflect.ValueOf(transformedAllowedServices); val.IsValid() && !isEmptyValue(val) { - transformed["allowedServices"] = transformedAllowedServices + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations } return transformed, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesEnableRestriction(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } -func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesAllowedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedEgressFrom, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFrom(original["egress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["egressFrom"] = transformedEgressFrom + } + + transformedEgressTo, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressTo(original["egress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressTo); val.IsValid() && !isEmptyValue(val) { + transformed["egressTo"] = transformedEgressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpec(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedAccessLevels, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecAccessLevels(original["access_levels"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccessLevels); val.IsValid() && !isEmptyValue(val) { + transformed["accessLevels"] = transformedAccessLevels + } + + transformedRestrictedServices, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecRestrictedServices(original["restricted_services"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedRestrictedServices); val.IsValid() && !isEmptyValue(val) { + transformed["restrictedServices"] = transformedRestrictedServices + } + + transformedVPCAccessibleServices, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServices(original["vpc_accessible_services"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedVPCAccessibleServices); val.IsValid() && !isEmptyValue(val) { + transformed["vpcAccessibleServices"] = transformedVPCAccessibleServices + } + + transformedIngressPolicies, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPolicies(original["ingress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["ingressPolicies"] = transformedIngressPolicies + } + + transformedEgressPolicies, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPolicies(original["egress_policies"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressPolicies); val.IsValid() && !isEmptyValue(val) { + transformed["egressPolicies"] = transformedEgressPolicies + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecRestrictedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedEnableRestriction, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesEnableRestriction(original["enable_restriction"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEnableRestriction); val.IsValid() && !isEmptyValue(val) { + transformed["enableRestriction"] = transformedEnableRestriction + } + + transformedAllowedServices, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesAllowedServices(original["allowed_services"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAllowedServices); val.IsValid() && !isEmptyValue(val) { + transformed["allowedServices"] = transformedAllowedServices + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesEnableRestriction(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecVPCAccessibleServicesAllowedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIngressFrom, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFrom(original["ingress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["ingressFrom"] = transformedIngressFrom + } + + transformedIngressTo, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressTo(original["ingress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIngressTo); val.IsValid() && !isEmptyValue(val) { + transformed["ingressTo"] = transformedIngressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + transformedSources, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSources(original["sources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedSources); val.IsValid() && !isEmptyValue(val) { + transformed["sources"] = transformedSources + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedAccessLevel, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesAccessLevel(original["access_level"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAccessLevel); val.IsValid() && !isEmptyValue(val) { + transformed["accessLevel"] = transformedAccessLevel + } + + transformedResource, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesResource(original["resource"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResource); val.IsValid() && !isEmptyValue(val) { + transformed["resource"] = transformedResource + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesAccessLevel(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressFromSourcesResource(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPolicies(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedEgressFrom, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFrom(original["egress_from"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressFrom); val.IsValid() && !isEmptyValue(val) { + transformed["egressFrom"] = transformedEgressFrom + } + + transformedEgressTo, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressTo(original["egress_to"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEgressTo); val.IsValid() && !isEmptyValue(val) { + transformed["egressTo"] = transformedEgressTo + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFrom(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedIdentityType, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentityType(original["identity_type"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentityType); val.IsValid() && !isEmptyValue(val) { + transformed["identityType"] = transformedIdentityType + } + + transformedIdentities, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentities(original["identities"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedIdentities); val.IsValid() && !isEmptyValue(val) { + transformed["identities"] = transformedIdentities + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentityType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromIdentities(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressTo(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedResources, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToResources(original["resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) { + transformed["resources"] = transformedResources + } + + transformedOperations, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperations(original["operations"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperations); val.IsValid() && !isEmptyValue(val) { + transformed["operations"] = transformedOperations + } + + return transformed, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperations(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedServiceName, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsServiceName(original["service_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedServiceName); val.IsValid() && !isEmptyValue(val) { + transformed["serviceName"] = transformedServiceName + } + + transformedMethodSelectors, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectors(original["method_selectors"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethodSelectors); val.IsValid() && !isEmptyValue(val) { + transformed["methodSelectors"] = transformedMethodSelectors + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsServiceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectors(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMethod, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(original["method"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMethod); val.IsValid() && !isEmptyValue(val) { + transformed["method"] = transformedMethod + } + + transformedPermission, err := expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(original["permission"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPermission); val.IsValid() && !isEmptyValue(val) { + transformed["permission"] = transformedPermission + } + + req = append(req, transformed) + } + return req, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsMethod(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + +func expandAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperationsMethodSelectorsPermission(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } diff --git a/google-beta/resource_dataproc_cluster_test.go b/google-beta/resource_dataproc_cluster_test.go index 88c15ce8f0..2508a876a2 100644 --- a/google-beta/resource_dataproc_cluster_test.go +++ b/google-beta/resource_dataproc_cluster_test.go @@ -13,8 +13,9 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - dataproc "google.golang.org/api/dataproc/v1beta2" "google.golang.org/api/googleapi" + + dataproc "google.golang.org/api/dataproc/v1beta2" ) func TestDataprocExtractInitTimeout(t *testing.T) { diff --git a/website/docs/r/access_context_manager_service_perimeter.html.markdown b/website/docs/r/access_context_manager_service_perimeter.html.markdown index 67a83ff7bc..a2f4127304 100644 --- a/website/docs/r/access_context_manager_service_perimeter.html.markdown +++ b/website/docs/r/access_context_manager_service_perimeter.html.markdown @@ -86,6 +86,118 @@ resource "google_access_context_manager_access_policy" "access-policy" { title = "my policy" } ``` +## Example Usage - Access Context Manager Service Perimeter Secure Data Exchange + + +```hcl +resource "google_access_context_manager_service_perimeters" "secure-data-exchange" { + parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}" + + service_perimeters { + name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/" + title = "" + status { + restricted_services = ["storage.googleapis.com"] + } + } + + service_perimeters { + name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/" + title = "" + status { + restricted_services = ["bigtable.googleapis.com"] + vpcAccessibleServices = { + enableRestriction = true + allowedServices = ["bigquery.googleapis.com"] + } + } + } +} + +resource "google_access_context_manager_access_level" "access-level" { + parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/secure_data_exchange" + title = "secure_data_exchange" + basic { + conditions { + device_policy { + require_screen_lock = false + os_constraints { + os_type = "DESKTOP_CHROME_OS" + } + } + regions = [ + "CH", + "IT", + "US", + ] + } + } +} + +resource "google_access_context_manager_access_policy" "access-policy" { + parent = "organizations/123456789" + title = "my policy" +} + +resource "google_access_context_manager_service_perimeter" "test-access" { + parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}" + name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s" + title = "%s" + perimeter_type = "PERIMETER_TYPE_REGULAR" + status { + restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] + access_levels = [google_access_context_manager_access_level.access-level.name] + + vpc_accessible_services { + enable_restriction = true + allowed_services = ["bigquery.googleapis.com", "storage.googleapis.com"] + } + + ingress_policies { + ingress_from { + sources { + access_level = google_access_context_manager_access_level.test-access.name + } + identity_type = "ANY_IDENTITY" + } + + ingress_to { + resources = [ "*" ] + operations { + service_name = "bigquery.googleapis.com" + + method_selectors { + method = "BigQueryStorage.ReadRows" + } + + method_selectors { + method = "TableService.ListTables" + } + + method_selectors { + permission = "bigquery.jobs.get" + } + } + + operations { + service_name = "storage.googleapis.com" + + method_selectors { + method = "google.storage.objects.create" + } + } + } + } + + egress_policies { + egress_from { + identity_type = "ANY_USER_ACCOUNT" + } + } + } +} +``` ## Example Usage - Access Context Manager Service Perimeter Dry Run @@ -225,6 +337,16 @@ The `status` block supports: Perimeter. Structure is documented below. +* `ingress_policies` - + (Optional) + / List of `IngressPolicies` to apply to the perimeter. A perimeter may have multiple `IngressPolicies`, each of which is evaluated separately. Access is granted if any `Ingress Policy` grants it. Must be empty for a perimeter bridge. + Structure is documented below. + +* `egress_policies` - + (Optional) + / List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge. + Structure is documented below. + The `vpc_accessible_services` block supports: @@ -238,6 +360,138 @@ The `vpc_accessible_services` block supports: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True. +The `ingress_policies` block supports: + +* `ingress_from` - + (Optional) + / Defines the conditions on the source of a request causing this `IngressPolicy` to apply. + Structure is documented below. + +* `ingress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and request destination that cause this `IngressPolicy` to apply. + Structure is documented below. + + +The `ingress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. + +* `sources` - + (Optional) + / Sources that this `IngressPolicy` authorizes access from. + Structure is documented below. + + +The `sources` block supports: + +* `access_level` - + (Optional) + / An `AccessLevel` resource name that allow resources within the `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` will cause an error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.` If * is specified, then all IngressSources will be allowed. + +* `resource` - + (Optional) + / A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format `projects/{project_number}` The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported. + +The `ingress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, protected by this `ServicePerimeter` that are allowed to be accessed by sources defined in the corresponding `IngressFrom`. A request matches if it contains a resource in this list. If `*` is specified for resources, then this `IngressTo` rule will authorize access to all resources inside the perimeter, provided that the request also matches the `operations` field. + +* `operations` - + (Optional) + / A list of `ApiOperations` the sources specified in corresponding `IngressFrom` are allowed to perform in this `ServicePerimeter`. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName` field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single `MethodSelector` entry with `*` specified for the method field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for method should be a valid method name for the corresponding serviceName in `ApiOperation`. If `*` used as value for `method`, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + +The `egress_policies` block supports: + +* `egress_from` - + (Optional) + / Defines conditions on the source of a request causing this `EgressPolicy` to apply. + Structure is documented below. + +* `egress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and destination resources that cause this `EgressPolicy` to apply. + Structure is documented below. + + +The `egress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this `EgressPolicy`. Should be in the format of email address. The email address should represent individual user or service account only. + +The `egress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this `EgressTo` rule will authorize access to all resources outside the perimeter. + +* `operations` - + (Optional) + / A list of `ApiOperations` that this egress rule applies to. A request matches if it contains an operation/service in this list. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with serviceName field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by `serviceName` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for `method` should be a valid method name for the corresponding `serviceName` in `ApiOperation`. If `*` used as value for method, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + The `spec` block supports: * `resources` - @@ -272,6 +526,16 @@ The `spec` block supports: Perimeter. Structure is documented below. +* `ingress_policies` - + (Optional) + / List of `IngressPolicies` to apply to the perimeter. A perimeter may have multiple `IngressPolicies`, each of which is evaluated separately. Access is granted if any `Ingress Policy` grants it. Must be empty for a perimeter bridge. + Structure is documented below. + +* `egress_policies` - + (Optional) + / List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge. + Structure is documented below. + The `vpc_accessible_services` block supports: @@ -285,6 +549,138 @@ The `vpc_accessible_services` block supports: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True. +The `ingress_policies` block supports: + +* `ingress_from` - + (Optional) + / Defines the conditions on the source of a request causing this `IngressPolicy` to apply. + Structure is documented below. + +* `ingress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and request destination that cause this `IngressPolicy` to apply. + Structure is documented below. + + +The `ingress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. + +* `sources` - + (Optional) + / Sources that this `IngressPolicy` authorizes access from. + Structure is documented below. + + +The `sources` block supports: + +* `access_level` - + (Optional) + / An `AccessLevel` resource name that allow resources within the `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` will cause an error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.` If * is specified, then all IngressSources will be allowed. + +* `resource` - + (Optional) + / A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format `projects/{project_number}` The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported. + +The `ingress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, protected by this `ServicePerimeter` that are allowed to be accessed by sources defined in the corresponding `IngressFrom`. A request matches if it contains a resource in this list. If `*` is specified for resources, then this `IngressTo` rule will authorize access to all resources inside the perimeter, provided that the request also matches the `operations` field. + +* `operations` - + (Optional) + / A list of `ApiOperations` the sources specified in corresponding `IngressFrom` are allowed to perform in this `ServicePerimeter`. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName` field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single `MethodSelector` entry with `*` specified for the method field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for method should be a valid method name for the corresponding serviceName in `ApiOperation`. If `*` used as value for `method`, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + +The `egress_policies` block supports: + +* `egress_from` - + (Optional) + / Defines conditions on the source of a request causing this `EgressPolicy` to apply. + Structure is documented below. + +* `egress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and destination resources that cause this `EgressPolicy` to apply. + Structure is documented below. + + +The `egress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this `EgressPolicy`. Should be in the format of email address. The email address should represent individual user or service account only. + +The `egress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this `EgressTo` rule will authorize access to all resources outside the perimeter. + +* `operations` - + (Optional) + / A list of `ApiOperations` that this egress rule applies to. A request matches if it contains an operation/service in this list. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with serviceName field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by `serviceName` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for `method` should be a valid method name for the corresponding `serviceName` in `ApiOperation`. If `*` used as value for method, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: diff --git a/website/docs/r/access_context_manager_service_perimeters.html.markdown b/website/docs/r/access_context_manager_service_perimeters.html.markdown index 7024aa3748..2933c2ab52 100644 --- a/website/docs/r/access_context_manager_service_perimeters.html.markdown +++ b/website/docs/r/access_context_manager_service_perimeters.html.markdown @@ -208,6 +208,16 @@ The `status` block supports: Perimeter. Structure is documented below. +* `ingress_policies` - + (Optional) + / List of `IngressPolicies` to apply to the perimeter. A perimeter may have multiple `IngressPolicies`, each of which is evaluated separately. Access is granted if any `Ingress Policy` grants it. Must be empty for a perimeter bridge. + Structure is documented below. + +* `egress_policies` - + (Optional) + / List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge. + Structure is documented below. + The `vpc_accessible_services` block supports: @@ -221,6 +231,138 @@ The `vpc_accessible_services` block supports: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True. +The `ingress_policies` block supports: + +* `ingress_from` - + (Optional) + / Defines the conditions on the source of a request causing this `IngressPolicy` to apply. + Structure is documented below. + +* `ingress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and request destination that cause this `IngressPolicy` to apply. + Structure is documented below. + + +The `ingress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. + +* `sources` - + (Optional) + / Sources that this `IngressPolicy` authorizes access from. + Structure is documented below. + + +The `sources` block supports: + +* `access_level` - + (Optional) + / An `AccessLevel` resource name that allow resources within the `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` will cause an error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.` If * is specified, then all IngressSources will be allowed. + +* `resource` - + (Optional) + / A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format `projects/{project_number}` The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported. + +The `ingress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, protected by this `ServicePerimeter` that are allowed to be accessed by sources defined in the corresponding `IngressFrom`. A request matches if it contains a resource in this list. If `*` is specified for resources, then this `IngressTo` rule will authorize access to all resources inside the perimeter, provided that the request also matches the `operations` field. + +* `operations` - + (Optional) + / A list of `ApiOperations` the sources specified in corresponding `IngressFrom` are allowed to perform in this `ServicePerimeter`. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName` field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single `MethodSelector` entry with `*` specified for the method field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for method should be a valid method name for the corresponding serviceName in `ApiOperation`. If `*` used as value for `method`, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + +The `egress_policies` block supports: + +* `egress_from` - + (Optional) + / Defines conditions on the source of a request causing this `EgressPolicy` to apply. + Structure is documented below. + +* `egress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and destination resources that cause this `EgressPolicy` to apply. + Structure is documented below. + + +The `egress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this `EgressPolicy`. Should be in the format of email address. The email address should represent individual user or service account only. + +The `egress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this `EgressTo` rule will authorize access to all resources outside the perimeter. + +* `operations` - + (Optional) + / A list of `ApiOperations` that this egress rule applies to. A request matches if it contains an operation/service in this list. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with serviceName field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by `serviceName` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for `method` should be a valid method name for the corresponding `serviceName` in `ApiOperation`. If `*` used as value for method, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + The `spec` block supports: * `resources` - @@ -255,6 +397,16 @@ The `spec` block supports: Perimeter. Structure is documented below. +* `ingress_policies` - + (Optional) + / List of `IngressPolicies` to apply to the perimeter. A perimeter may have multiple `IngressPolicies`, each of which is evaluated separately. Access is granted if any `Ingress Policy` grants it. Must be empty for a perimeter bridge. + Structure is documented below. + +* `egress_policies` - + (Optional) + / List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge. + Structure is documented below. + The `vpc_accessible_services` block supports: @@ -268,6 +420,138 @@ The `vpc_accessible_services` block supports: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True. +The `ingress_policies` block supports: + +* `ingress_from` - + (Optional) + / Defines the conditions on the source of a request causing this `IngressPolicy` to apply. + Structure is documented below. + +* `ingress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and request destination that cause this `IngressPolicy` to apply. + Structure is documented below. + + +The `ingress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. + +* `sources` - + (Optional) + / Sources that this `IngressPolicy` authorizes access from. + Structure is documented below. + + +The `sources` block supports: + +* `access_level` - + (Optional) + / An `AccessLevel` resource name that allow resources within the `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` will cause an error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.` If * is specified, then all IngressSources will be allowed. + +* `resource` - + (Optional) + / A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format `projects/{project_number}` The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported. + +The `ingress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, protected by this `ServicePerimeter` that are allowed to be accessed by sources defined in the corresponding `IngressFrom`. A request matches if it contains a resource in this list. If `*` is specified for resources, then this `IngressTo` rule will authorize access to all resources inside the perimeter, provided that the request also matches the `operations` field. + +* `operations` - + (Optional) + / A list of `ApiOperations` the sources specified in corresponding `IngressFrom` are allowed to perform in this `ServicePerimeter`. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName` field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single `MethodSelector` entry with `*` specified for the method field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for method should be a valid method name for the corresponding serviceName in `ApiOperation`. If `*` used as value for `method`, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + +The `egress_policies` block supports: + +* `egress_from` - + (Optional) + / Defines conditions on the source of a request causing this `EgressPolicy` to apply. + Structure is documented below. + +* `egress_to` - + (Optional) + / Defines the conditions on the `ApiOperation` and destination resources that cause this `EgressPolicy` to apply. + Structure is documented below. + + +The `egress_from` block supports: + +* `identity_type` - + (Optional) + / Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. + Possible values are `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, and `ANY_SERVICE_ACCOUNT`. + +* `identities` - + (Optional) + / A list of identities that are allowed access through this `EgressPolicy`. Should be in the format of email address. The email address should represent individual user or service account only. + +The `egress_to` block supports: + +* `resources` - + (Optional) + / A list of resources, currently only projects in the form `projects/`, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this `EgressTo` rule will authorize access to all resources outside the perimeter. + +* `operations` - + (Optional) + / A list of `ApiOperations` that this egress rule applies to. A request matches if it contains an operation/service in this list. + Structure is documented below. + + +The `operations` block supports: + +* `service_name` - + (Optional) + / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with serviceName field set to `*` will allow all methods AND permissions for all services. + +* `method_selectors` - + (Optional) + / API methods or permissions to allow. Method or permission must belong to the service specified by `serviceName` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `serviceName`. + Structure is documented below. + + +The `method_selectors` block supports: + +* `method` - + (Optional) + / Value for `method` should be a valid method name for the corresponding `serviceName` in `ApiOperation`. If `*` used as value for method, then ALL methods and permissions are allowed. + +* `permission` - + (Optional) + / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: