terraform-provider-google/website/docs/r/access_context_manager_service_perimeter.html.markdown

---
# ----------------------------------------------------------------------------
#
#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
#
# ----------------------------------------------------------------------------
#
#     This file is automatically generated by Magic Modules and manual
#     changes will be clobbered when the file is regenerated.
#
#     Please read more about how to change this file in
#     .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_access_context_manager_service_perimeter"
sidebar_current: "docs-google-access-context-manager-service-perimeter"
description: |-
  ServicePerimeter describes a set of GCP resources which can freely import
  and export data amongst themselves, but not export outside of the
  ServicePerimeter.
---

# google\_access\_context\_manager\_service\_perimeter

ServicePerimeter describes a set of GCP resources which can freely import
and export data amongst themselves, but not export outside of the
ServicePerimeter. If a request with a source within this ServicePerimeter
has a target outside of the ServicePerimeter, the request will be blocked.
Otherwise the request is allowed. There are two types of Service Perimeter
- Regular and Bridge. Regular Service Perimeters cannot overlap, a single
GCP project can only belong to a single regular Service Perimeter. Service
Perimeter Bridges can contain only GCP projects as members, a single GCP
project may belong to multiple Service Perimeter Bridges.


To get more information about ServicePerimeter, see:

* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters)
* How-to Guides
    * [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart)

## Example Usage - Access Context Manager Service Perimeter Basic


```hcl
resource "google_access_context_manager_service_perimeter" "service-perimeter" {
  parent      = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
  name        = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/restrict_all"
  title       = "restrict_all"
  status {
    restricted_services = ["storage.googleapis.com"]
  }
}

resource "google_access_context_manager_access_level" "access-level" {
  parent      = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
  name        = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"
  title       = "chromeos_no_lock"
  basic {
    conditions {
      device_policy {
        require_screen_lock = false
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}
```

## Argument Reference

The following arguments are supported:


* `title` -
  (Required)
  Human readable title. Must be unique within the Policy.

* `parent` -
  (Required)
  The AccessPolicy this ServicePerimeter lives in.
  Format: accessPolicies/{policy_id}

* `name` -
  (Required)
  Resource name for the ServicePerimeter. The short_name component must
  begin with a letter and only include alphanumeric and '_'.
  Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}


- - -


* `description` -
  (Optional)
  Description of the ServicePerimeter and its use. Does not affect
  behavior.

* `perimeter_type` -
  (Optional)
  Specifies the type of the Perimeter. There are two types: regular and
  bridge. Regular Service Perimeter contains resources, access levels,
  and restricted services. Every resource can be in at most
  ONE regular Service Perimeter.
  In addition to being in a regular service perimeter, a resource can also
  be in zero or more perimeter bridges. A perimeter bridge only contains
  resources. Cross project operations are permitted if all effected
  resources share some perimeter (whether bridge or regular). Perimeter
  Bridge does not contain access levels or services: those are governed
  entirely by the regular perimeter that resource is in.
  Perimeter Bridges are typically useful when building more complex
  toplogies with many independent perimeters that need to share some data
  with a common perimeter, but should not be able to share data among
  themselves.

* `status` -
  (Optional)
  ServicePerimeter configuration. Specifies sets of resources,
  restricted services and access levels that determine
  perimeter content and boundaries.  Structure is documented below.


The `status` block supports:

* `resources` -
  (Optional)
  A list of GCP resources that are inside of the service perimeter.
  Currently only projects are allowed.
  Format: projects/{project_number}

* `access_levels` -
  (Optional)
  A list of AccessLevel resource names that allow resources within
  the ServicePerimeter to be accessed from the internet.
  AccessLevels listed must be in the same policy as this
  ServicePerimeter. Referencing a nonexistent AccessLevel is a
  syntax error. If no AccessLevel names are listed, resources within
  the perimeter can only be accessed via GCP calls with request
  origins within the perimeter. For Service Perimeter Bridge, must
  be empty.
  Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}

* `restricted_services` -
  (Optional)
  GCP services that are subject to the Service Perimeter
  restrictions. Must contain a list of services. For example, if
  `storage.googleapis.com` is specified, access to the storage
  buckets inside the perimeter must meet the perimeter's access
  restrictions.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:


* `create_time` -
  Time the AccessPolicy was created in UTC.

* `update_time` -
  Time the AccessPolicy was updated in UTC.


## Timeouts

This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:

- `create` - Default is 6 minutes.
- `update` - Default is 6 minutes.
- `delete` - Default is 6 minutes.

## Import

ServicePerimeter can be imported using any of these accepted formats:

```
$ terraform import google_access_context_manager_service_perimeter.default {{name}}
```

-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.
Bring Access Context Manager / VPC Service Controls to GA (#3358) <!-- This change is generated by MagicModules. --> /cc @rileykarson 2019-04-02 17:59:05 +00:00			`---`
			`# ----------------------------------------------------------------------------`
			`#`
			`# * AUTO GENERATED CODE * AUTO GENERATED CODE ***`
			`#`
			`# ----------------------------------------------------------------------------`
			`#`
			`# This file is automatically generated by Magic Modules and manual`
			`# changes will be clobbered when the file is regenerated.`
			`#`
			`# Please read more about how to change this file in`
			`# .github/CONTRIBUTING.md.`
			`#`
			`# ----------------------------------------------------------------------------`
			`layout: "google"`
			`page_title: "Google: google_access_context_manager_service_perimeter"`
			`sidebar_current: "docs-google-access-context-manager-service-perimeter"`
			`description: \|-`
			`ServicePerimeter describes a set of GCP resources which can freely import`
			`and export data amongst themselves, but not export outside of the`
			`ServicePerimeter.`
			`---`

			`# google\_access\_context\_manager\_service\_perimeter`

			`ServicePerimeter describes a set of GCP resources which can freely import`
			`and export data amongst themselves, but not export outside of the`
			`ServicePerimeter. If a request with a source within this ServicePerimeter`
			`has a target outside of the ServicePerimeter, the request will be blocked.`
			`Otherwise the request is allowed. There are two types of Service Perimeter`
			`- Regular and Bridge. Regular Service Perimeters cannot overlap, a single`
			`GCP project can only belong to a single regular Service Perimeter. Service`
			`Perimeter Bridges can contain only GCP projects as members, a single GCP`
			`project may belong to multiple Service Perimeter Bridges.`


			`To get more information about ServicePerimeter, see:`

			`* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters)`
			`* How-to Guides`
			`* [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart)`

			`## Example Usage - Access Context Manager Service Perimeter Basic`


			```hcl
			`resource "google_access_context_manager_service_perimeter" "service-perimeter" {`
			`parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"`
			`name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/restrict_all"`
			`title = "restrict_all"`
			`status {`
			`restricted_services = ["storage.googleapis.com"]`
			`}`
			`}`

			`resource "google_access_context_manager_access_level" "access-level" {`
			`parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"`
			`name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"`
			`title = "chromeos_no_lock"`
			`basic {`
			`conditions {`
			`device_policy {`
			`require_screen_lock = false`
			`os_constraints {`
			`os_type = "DESKTOP_CHROME_OS"`
			`}`
			`}`
			`}`
			`}`
			`}`

			`resource "google_access_context_manager_access_policy" "access-policy" {`
			`parent = "organizations/123456789"`
			`title = "my policy"`
			`}`
			```

			`## Argument Reference`

			`The following arguments are supported:`


			* `title` -
			`(Required)`
			`Human readable title. Must be unique within the Policy.`

			* `parent` -
			`(Required)`
			`The AccessPolicy this ServicePerimeter lives in.`
			`Format: accessPolicies/{policy_id}`

			* `name` -
			`(Required)`
			`Resource name for the ServicePerimeter. The short_name component must`
			`begin with a letter and only include alphanumeric and '_'.`
			`Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}`


			`- - -`


			* `description` -
			`(Optional)`
			`Description of the ServicePerimeter and its use. Does not affect`
			`behavior.`

			* `perimeter_type` -
			`(Optional)`
			`Specifies the type of the Perimeter. There are two types: regular and`
			`bridge. Regular Service Perimeter contains resources, access levels,`
			`and restricted services. Every resource can be in at most`
			`ONE regular Service Perimeter.`
			`In addition to being in a regular service perimeter, a resource can also`
			`be in zero or more perimeter bridges. A perimeter bridge only contains`
			`resources. Cross project operations are permitted if all effected`
			`resources share some perimeter (whether bridge or regular). Perimeter`
			`Bridge does not contain access levels or services: those are governed`
			`entirely by the regular perimeter that resource is in.`
			`Perimeter Bridges are typically useful when building more complex`
			`toplogies with many independent perimeters that need to share some data`
			`with a common perimeter, but should not be able to share data among`
			`themselves.`

			* `status` -
			`(Optional)`
			`ServicePerimeter configuration. Specifies sets of resources,`
			`restricted services and access levels that determine`
			`perimeter content and boundaries. Structure is documented below.`


			The `status` block supports:

			* `resources` -
			`(Optional)`
			`A list of GCP resources that are inside of the service perimeter.`
			`Currently only projects are allowed.`
			`Format: projects/{project_number}`

			* `access_levels` -
			`(Optional)`
			`A list of AccessLevel resource names that allow resources within`
			`the ServicePerimeter to be accessed from the internet.`
			`AccessLevels listed must be in the same policy as this`
			`ServicePerimeter. Referencing a nonexistent AccessLevel is a`
			`syntax error. If no AccessLevel names are listed, resources within`
			`the perimeter can only be accessed via GCP calls with request`
			`origins within the perimeter. For Service Perimeter Bridge, must`
			`be empty.`
			`Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}`

			* `restricted_services` -
			`(Optional)`
			`GCP services that are subject to the Service Perimeter`
			`restrictions. Must contain a list of services. For example, if`
			`storage.googleapis.com` is specified, access to the storage
			`buckets inside the perimeter must meet the perimeter's access`
			`restrictions.`

			`## Attributes Reference`

			`In addition to the arguments listed above, the following computed attributes are exported:`


			* `create_time` -
			`Time the AccessPolicy was created in UTC.`

			* `update_time` -
			`Time the AccessPolicy was updated in UTC.`


			`## Timeouts`

			`This resource provides the following`
			`[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:`

			- `create` - Default is 6 minutes.
			- `update` - Default is 6 minutes.
			- `delete` - Default is 6 minutes.

			`## Import`

			`ServicePerimeter can be imported using any of these accepted formats:`

			```
			`$ terraform import google_access_context_manager_service_perimeter.default {{name}}`
			```

			-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
			`as an argument so that Terraform uses the correct provider to import your resource.`