mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-10-07 03:01:06 +00:00
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_access_context_manager_service_perimeter"
sidebar_current: "docs-google-access-context-manager-service-perimeter"
description: |-
  ServicePerimeter describes a set of GCP resources which can freely import
  and export data amongst themselves, but not export outside of the
  ServicePerimeter.
---

# google\_access\_context\_manager\_service\_perimeter

ServicePerimeter describes a set of GCP resources which can freely import
and export data amongst themselves, but not export outside of the
ServicePerimeter. If a request with a source within this ServicePerimeter
has a target outside of the ServicePerimeter, the request will be blocked.
Otherwise the request is allowed. There are two types of Service Perimeter:
Regular and Bridge. Regular Service Perimeters cannot overlap; a single
GCP project can only belong to a single regular Service Perimeter. Service
Perimeter Bridges can contain only GCP projects as members; a single GCP
project may belong to multiple Service Perimeter Bridges.

To get more information about ServicePerimeter, see:

* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters)
* How-to Guides
    * [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart)

## Example Usage - Access Context Manager Service Perimeter Basic

```hcl
resource "google_access_context_manager_service_perimeter" "service-perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/restrict_all"
  title  = "restrict_all"
  status {
    restricted_services = ["storage.googleapis.com"]
  }
}

resource "google_access_context_manager_access_level" "access-level" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"
  title  = "chromeos_no_lock"
  basic {
    conditions {
      device_policy {
        require_screen_lock = false
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
    }
  }
}

# The label must be "test-access" so that the interpolations above resolve.
resource "google_access_context_manager_access_policy" "test-access" {
  parent = "organizations/123456789"
  title  = "my policy"
}
```

## Argument Reference

The following arguments are supported:

* `title` -
  (Required)
  Human readable title. Must be unique within the Policy.

* `parent` -
  (Required)
  The AccessPolicy this ServicePerimeter lives in.
  Format: accessPolicies/{policy_id}

* `name` -
  (Required)
  Resource name for the ServicePerimeter. The short_name component must
  begin with a letter and only include alphanumeric and '_'.
  Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}

- - -

* `description` -
  (Optional)
  Description of the ServicePerimeter and its use. Does not affect
  behavior.

* `perimeter_type` -
  (Optional)
  Specifies the type of the Perimeter. There are two types: regular and
  bridge. A regular Service Perimeter contains resources, access levels,
  and restricted services. Every resource can be in at most
  ONE regular Service Perimeter.
  In addition to being in a regular service perimeter, a resource can also
  be in zero or more perimeter bridges. A perimeter bridge only contains
  resources. Cross-project operations are permitted if all affected
  resources share some perimeter (whether bridge or regular). A Perimeter
  Bridge does not contain access levels or services: those are governed
  entirely by the regular perimeter that the resource is in.
  Perimeter Bridges are typically useful when building more complex
  topologies with many independent perimeters that need to share some data
  with a common perimeter, but should not be able to share data among
  themselves.

* `status` -
  (Optional)
  ServicePerimeter configuration. Specifies sets of resources,
  restricted services and access levels that determine
  perimeter content and boundaries. Structure is documented below.

The `status` block supports:

* `resources` -
  (Optional)
  A list of GCP resources that are inside of the service perimeter.
  Currently only projects are allowed.
  Format: projects/{project_number}

* `access_levels` -
  (Optional)
  A list of AccessLevel resource names that allow resources within
  the ServicePerimeter to be accessed from the internet.
  AccessLevels listed must be in the same policy as this
  ServicePerimeter. Referencing a nonexistent AccessLevel is a
  syntax error. If no AccessLevel names are listed, resources within
  the perimeter can only be accessed via GCP calls with request
  origins within the perimeter. For a Service Perimeter Bridge, this list must
  be empty.
  Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}

* `restricted_services` -
  (Optional)
  GCP services that are subject to the Service Perimeter
  restrictions. Must contain a list of services. For example, if
  `storage.googleapis.com` is specified, access to the storage
  buckets inside the perimeter must meet the perimeter's access
  restrictions.

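As an added example (not part of the provider docs or of the Magic Modules output), the invariants stated above for `name`, `perimeter_type`, `resources` and `access_levels` written as an offline Python checker, together with a constructed bridge topology of the kind the `perimeter_type` text describes (independent perimeters that share data with a common perimeter but not with each other); the policy id, project numbers and perimeter names are made up.

```python
import re
from dataclasses import dataclass, field

# From the `name` argument: short_name starts with a letter and uses only alphanumerics and '_'.
NAME_RE = re.compile(r"^accessPolicies/(?P<policy>[^/]+)/servicePerimeters/(?P<short>[A-Za-z][A-Za-z0-9_]*)$")

@dataclass
class Perimeter:
    name: str                   # accessPolicies/{policy_id}/servicePerimeters/{short_name}
    bridge: bool = False        # perimeter_type: bridge (True) or regular (False)
    resources: list = field(default_factory=list)            # projects/{project_number}
    access_levels: list = field(default_factory=list)        # accessPolicies/{policy_id}/accessLevels/{name}
    restricted_services: list = field(default_factory=list)  # e.g. storage.googleapis.com

def validate(perimeters) -> list:
    """Return every violation of the documented invariants; an empty list means the set is consistent."""
    errors, regular_owner = [], {}  # regular_owner: project -> the one regular perimeter holding it
    for p in perimeters:
        m = NAME_RE.match(p.name)
        if not m:
            errors.append(f"{p.name}: bad name or short_name")
            continue
        errors += [f"{p.name}: {r} is not a project" for r in p.resources if not r.startswith("projects/")]
        if p.bridge:  # bridges hold only projects; access levels and services come from the regular perimeter
            if p.access_levels or p.restricted_services:
                errors.append(f"{p.name}: bridge must not set access_levels or restricted_services")
            continue
        for r in p.resources:
            if regular_owner.setdefault(r, p.name) != p.name:
                errors.append(f"{r}: in regular perimeters {regular_owner[r]} and {p.name}")
        prefix = f"accessPolicies/{m['policy']}/accessLevels/"  # access levels must be in the same policy
        errors += [f"{p.name}: {al} is outside the perimeter's policy" for al in p.access_levels if not al.startswith(prefix)]
    return errors

def cross_project_allowed(perimeters, *projects) -> bool:
    """Projects that are perimeter members may interact only if one perimeter (bridge or regular) contains all of them."""
    return any(all(pr in p.resources for pr in projects) for p in perimeters)

def example_topology() -> list:
    """Constructed sample: two independent regular perimeters, each bridged to a common 'shared' perimeter."""
    pol = "accessPolicies/123"
    return [
        Perimeter(f"{pol}/servicePerimeters/team_a", resources=["projects/111"],
                  access_levels=[f"{pol}/accessLevels/chromeos_no_lock"], restricted_services=["storage.googleapis.com"]),
        Perimeter(f"{pol}/servicePerimeters/team_b", resources=["projects/222"]),
        Perimeter(f"{pol}/servicePerimeters/shared", resources=["projects/999"]),
        Perimeter(f"{pol}/servicePerimeters/bridge_a", bridge=True, resources=["projects/111", "projects/999"]),
        Perimeter(f"{pol}/servicePerimeters/bridge_b", bridge=True, resources=["projects/222", "projects/999"]),
    ]
```

`validate(example_topology())` returns no violations, and `cross_project_allowed` confirms that 111 and 222 each reach the shared project 999 through their bridge while 111 and 222 cannot reach each other.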
## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `create_time` -
  Time the AccessPolicy was created in UTC.

* `update_time` -
  Time the AccessPolicy was updated in UTC.

## Timeouts

This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:

- `create` - Default is 6 minutes.
- `update` - Default is 6 minutes.
- `delete` - Default is 6 minutes.

## Import

ServicePerimeter can be imported using any of these accepted formats:

```
$ terraform import google_access_context_manager_service_perimeter.default {{name}}
```

-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.