
Add capability to add a project in service perimeter in dry-run mode #7270

Closed
imrannayer opened this issue Sep 14, 2020 · 12 comments

Comments

@imrannayer

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Add a configuration option in google_access_context_manager_service_perimeter_resource which will add projects to dry run mode of service perimeter.

New or Affected Resource(s)

  • google_access_context_manager_service_perimeter_resource

Potential Terraform Configuration

resource "google_access_context_manager_service_perimeter_resource" "service-perimeter-resource" {
  perimeter_name = google_access_context_manager_service_perimeter.service-perimeter-resource.name
  resource       = "projects/987654321"
  dry_run_mode   = true
}

References

@ghost ghost added the enhancement label Sep 14, 2020
@upodroid
Contributor

upodroid commented Sep 14, 2020

Hi

The field you are looking for is called use_explicit_dry_run_spec. Have a look at the docs for how it works.

https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

If this solves your question, please go ahead and close this issue.

Thank you

@imrannayer
Author

I am looking for that capability in google_access_context_manager_service_perimeter_resource
Right now that parameter is only available in

google_access_context_manager_service_perimeter

@upodroid
Contributor

Think of google_access_context_manager_service_perimeter_resource as a slice of the spec.resources or status.resources field in google_access_context_manager_service_perimeter. All the other parameters of the perimeter still need to be specified in google_access_context_manager_service_perimeter.

## From a project of mine.
resource "google_access_context_manager_service_perimeter" "service_perimeter" {
  provider       = google-beta
  parent         = "accessPolicies/${google_access_context_manager_access_policy.base.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.base.name}/servicePerimeters/${lookup(var.service_controls, "perimeter_title")}"
  title          = lookup(var.service_controls, "perimeter_title")
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  spec {
    resources = [
      # "projects/${google_project.infra.number}",
      # "projects/${google_project.logging.number}",
      # "projects/${google_project.forseti.number}",
      # "projects/${google_project.egress.number}",
      # "projects/${google_project.billing.number}",
      # "projects/${google_project.access_mgt.number}",
      # "projects/${google_project.build.number}",
      # "projects/${google_project.host.number}",
    ]
    access_levels       = [google_access_context_manager_access_level.base.id]
    restricted_services = lookup(var.service_controls, "restricted_apis")
  }

  use_explicit_dry_run_spec = true
}

resource "google_access_context_manager_service_perimeter_resource" "service-perimeter-resource" {
  perimeter_name = google_access_context_manager_service_perimeter.service_perimeter.name
  resource       = "projects/${google_project.host.number}"
}

The docs in https://www.terraform.io/docs/providers/google/r/access_context_manager_service_perimeter_resource.html need to be clarified.

@imrannayer
Author

I agree google_access_context_manager_service_perimeter_resource is an extension to status.resources, but it is not an extension to spec.resources. I ran a test using the following code and it adds the project to the enforced section only. Nothing in dry run mode. This is similar to your code. I was wondering if we can use google_access_context_manager_service_perimeter_resource to add a project to dry run mode.

resource "google_access_context_manager_service_perimeter" "service_perimeter" {
  parent = "accessPolicies/${var.policy}"
  name   = "accessPolicies/${var.policy}/servicePerimeters/${local.perimeter_name}"
  title  = local.perimeter_name
  spec {
    access_levels = []
    resources = []
    restricted_services = [
      "storage.googleapis.com",
      "bigtable.googleapis.com",
      "bigquery.googleapis.com",
      "pubsub.googleapis.com",
    ]
  }
  use_explicit_dry_run_spec = true
}

resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
  perimeter_name = google_access_context_manager_service_perimeter.service_perimeter.name
  # interpolate the local; a bare "projects/local.project_id" string is sent to the API verbatim
  resource       = "projects/${local.project_id}"
}
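The disagreement above comes down to which list a project lands in: `status.resources` (enforced) or `spec.resources` (dry run, only consulted when `useExplicitDryRunSpec` is true on the perimeter). The quickest way to confirm what a `terraform apply` actually produced is to read the perimeter back from the API and classify each project. The script below is an added example, not code from this issue or from the Terraform provider; the field names follow the ServicePerimeter REST resource linked earlier, the sample perimeter document is constructed, and the rule that an unset/false `useExplicitDryRunSpec` makes the dry-run set mirror `status` is this example's reading of those docs.

```python
"""Classify a project's membership in a VPC Service Controls perimeter
(enforced, dry-run evaluated, or absent) from the perimeter's API JSON.

Added example; not from the issue or the Terraform provider. Field names
(status, spec, useExplicitDryRunSpec, resources) follow the ServicePerimeter
REST resource; every value below is constructed.
"""
from typing import Any, Dict, List

# Constructed sample perimeter. Project 111... is in both status (enforced) and
# spec (dry-run); project 222... is only in spec, so it is dry-run only.
SAMPLE_PERIMETER: Dict[str, Any] = {
    "name": "accessPolicies/EXAMPLE_POLICY/servicePerimeters/example_perimeter",
    "title": "example_perimeter",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "status": {
        "resources": ["projects/111111111111"],
        "restrictedServices": ["storage.googleapis.com"],
    },
    "spec": {
        "resources": ["projects/111111111111", "projects/222222222222"],
        "restrictedServices": ["storage.googleapis.com", "bigquery.googleapis.com"],
    },
    "useExplicitDryRunSpec": True,
}


def project_ref(project: str) -> str:
    """Normalise a bare project number to the 'projects/<number>' form the API uses."""
    return project if project.startswith("projects/") else f"projects/{project}"


def _resources(perimeter: Dict[str, Any], section: str) -> set:
    """Resources listed under `status` or `spec`; missing sections count as empty."""
    return set(perimeter.get(section, {}).get("resources", []))


def classify_project(perimeter: Dict[str, Any], project: str) -> Dict[str, bool]:
    """Return whether `project` is enforced and/or dry-run evaluated in `perimeter`.

    Enforcement always comes from `status`. The dry-run configuration is `spec`
    when useExplicitDryRunSpec is true; otherwise the dry-run set implicitly
    mirrors `status` (assumption of this example, taken from the REST docs).
    """
    ref = project_ref(project)
    enforced = ref in _resources(perimeter, "status")
    if perimeter.get("useExplicitDryRunSpec", False):
        dry_run = ref in _resources(perimeter, "spec")
    else:
        dry_run = enforced
    return {"enforced": enforced, "dry_run": dry_run}


def dry_run_only_projects(perimeter: Dict[str, Any]) -> List[str]:
    """Projects evaluated in dry-run mode but not enforced, i.e. the ones a
    google_access_context_manager_service_perimeter_resource block (which
    edits status) cannot have produced on its own."""
    candidates = _resources(perimeter, "status") | _resources(perimeter, "spec")
    return sorted(
        p for p in candidates
        if classify_project(perimeter, p) == {"enforced": False, "dry_run": True}
    )


if __name__ == "__main__":
    for project in ("111111111111", "222222222222", "333333333333"):
        print(project, classify_project(SAMPLE_PERIMETER, project))
    print("dry-run only:", dry_run_only_projects(SAMPLE_PERIMETER))
```

Feed it the JSON from `gcloud access-context-manager perimeters describe` or the `accessPolicies.servicePerimeters.get` REST call instead of `SAMPLE_PERIMETER` to check a real perimeter; a project that shows up as enforced-but-not-dry-run after an apply is the symptom described in this thread.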

@nat-henderson
Contributor

To Riley to investigate, size and milestone.

@rileykarson
Collaborator

Hmm- the google_access_context_manager_service_perimeter_resource resource edits the status directly, and not the spec. I'm curious what happens if we edit the spec when use_explicit_dry_run_spec is set to false (/ unset) on the parent and whether we'd be able to safely change the modified field. @danawillow do you happen to remember if you considered the spec as part of GoogleCloudPlatform/magic-modules#3052?

If we can't transparently upgrade, we'll want to add a flag as proposed.

@rileykarson rileykarson removed their assignment Sep 21, 2020
@danawillow
Contributor

Spec wasn't added to the service_perimeter resource until after the service_perimeter_resource resource was added, so it wasn't on my radar (GoogleCloudPlatform/magic-modules#3353 vs GoogleCloudPlatform/magic-modules#3052)

@rileykarson
Collaborator

Whoops, I was very convinced in my head that those happened in the opposite order and didn't check. Thanks!

Leaving this open for the next triage meeting, but I vote size/M since we need to evaluate whether we can transparently upgrade the resource or whether we need to add a boolean.

@barasviv-lb

Is this solved already? I am in exactly same situation.

@maleksah

maleksah commented Jan 4, 2024

Hello,
Any update on this issue?
I am in same situation too
Thanks

@imrannayer
Author

imrannayer commented Mar 26, 2024

PR 17614 added requested feature. Seems like it will be part of release 5.22

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 26, 2024