Bring Access Context Manager / VPC Service Controls to GA (#3358)

<!-- This change is generated by MagicModules. -->
/cc @rileykarson
The Magician 2019-04-02 10:59:05 -07:00 committed by Riley Karson
parent d1dbdb0252
commit 95191ed06e
11 changed files with 2427 additions and 3 deletions


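--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,46 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+import (
+"fmt"
+)
+type AccessContextManagerOperationWaiter struct {
+Config *Config
+CommonOperationWaiter
+}
+func (w *AccessContextManagerOperationWaiter) QueryOp() (interface{}, error) {
+if w == nil {
+return nil, fmt.Errorf("Cannot query operation, it's unset or nil.")
+}
+// Returns the proper get.
+url := fmt.Sprintf("https://accesscontextmanager.googleapis.com/v1/%s", w.CommonOperationWaiter.Op.Name)
+return sendRequest(w.Config, "GET", url, nil)
+}
+func accessContextManagerOperationWaitTime(config *Config, op map[string]interface{}, activity string, timeoutMinutes int) error {
+if val, ok := op["name"]; !ok || val == "" {
+// This was a synchronous call - there is no operation to wait for.
+return nil
+}
+w := &AccessContextManagerOperationWaiter{
+Config: config,
+}
+if err := w.CommonOperationWaiter.SetOp(op); err != nil {
+return err
+}
+return OperationWait(w, activity, timeoutMinutes)
+}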


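--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,23 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+import "github.com/hashicorp/terraform/helper/schema"
+var GeneratedAccessContextManagerResourcesMap = map[string]*schema.Resource{
+"google_access_context_manager_access_policy": resourceAccessContextManagerAccessPolicy(),
+"google_access_context_manager_access_level": resourceAccessContextManagerAccessLevel(),
+"google_access_context_manager_service_perimeter": resourceAccessContextManagerServicePerimeter(),
+}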


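--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,706 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+import (
+"fmt"
+"log"
+"reflect"
+"strings"
+"time"
+"github.com/hashicorp/terraform/helper/schema"
+"github.com/hashicorp/terraform/helper/validation"
+)
+func resourceAccessContextManagerAccessLevel() *schema.Resource {
+return &schema.Resource{
+Create: resourceAccessContextManagerAccessLevelCreate,
+Read: resourceAccessContextManagerAccessLevelRead,
+Update: resourceAccessContextManagerAccessLevelUpdate,
+Delete: resourceAccessContextManagerAccessLevelDelete,
+Importer: &schema.ResourceImporter{
+State: resourceAccessContextManagerAccessLevelImport,
+},
+Timeouts: &schema.ResourceTimeout{
+Create: schema.DefaultTimeout(360 * time.Second),
+Update: schema.DefaultTimeout(360 * time.Second),
+Delete: schema.DefaultTimeout(360 * time.Second),
+},
+Schema: map[string]*schema.Schema{
+"name": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+"parent": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+"title": {
+Type: schema.TypeString,
+Required: true,
+},
+"basic": {
+Type: schema.TypeList,
+Optional: true,
+MaxItems: 1,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"conditions": {
+Type: schema.TypeList,
+Required: true,
+MinItems: 1,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"device_policy": {
+Type: schema.TypeList,
+Optional: true,
+MaxItems: 1,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"allowed_device_management_levels": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"allowed_encryption_statuses": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"os_constraints": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"minimum_version": {
+Type: schema.TypeString,
+Optional: true,
+},
+"os_type": {
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: validation.StringInSlice([]string{"OS_UNSPECIFIED", "DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX", "DESKTOP_CHROME_OS", ""}, false),
+},
+},
+},
+},
+"require_screen_lock": {
+Type: schema.TypeBool,
+Optional: true,
+},
+},
+},
+},
+"ip_subnetworks": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"members": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+"negate": {
+Type: schema.TypeBool,
+Optional: true,
+},
+"required_access_levels": {
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
+},
+},
+},
+"combining_function": {
+Type: schema.TypeString,
+Optional: true,
+ValidateFunc: validation.StringInSlice([]string{"AND", "OR", ""}, false),
+Default: "AND",
+},
+},
+},
+},
+"description": {
+Type: schema.TypeString,
+Optional: true,
+},
+},
+}
+}
+func resourceAccessContextManagerAccessLevelCreate(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+obj := make(map[string]interface{})
+titleProp, err := expandAccessContextManagerAccessLevelTitle(d.Get("title"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+obj["title"] = titleProp
+}
+descriptionProp, err := expandAccessContextManagerAccessLevelDescription(d.Get("description"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+obj["description"] = descriptionProp
+}
+basicProp, err := expandAccessContextManagerAccessLevelBasic(d.Get("basic"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("basic"); !isEmptyValue(reflect.ValueOf(basicProp)) && (ok || !reflect.DeepEqual(v, basicProp)) {
+obj["basic"] = basicProp
+}
+parentProp, err := expandAccessContextManagerAccessLevelParent(d.Get("parent"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("parent"); !isEmptyValue(reflect.ValueOf(parentProp)) && (ok || !reflect.DeepEqual(v, parentProp)) {
+obj["parent"] = parentProp
+}
+nameProp, err := expandAccessContextManagerAccessLevelName(d.Get("name"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("name"); !isEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) {
+obj["name"] = nameProp
+}
+obj, err = resourceAccessContextManagerAccessLevelEncoder(d, meta, obj)
+if err != nil {
+return err
+}
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{parent}}/accessLevels")
+if err != nil {
+return err
+}
+log.Printf("[DEBUG] Creating new AccessLevel: %#v", obj)
+res, err := sendRequestWithTimeout(config, "POST", url, obj, d.Timeout(schema.TimeoutCreate))
+if err != nil {
+return fmt.Errorf("Error creating AccessLevel: %s", err)
+}
+// Store the ID now
+id, err := replaceVars(d, config, "{{name}}")
+if err != nil {
+return fmt.Errorf("Error constructing id: %s", err)
+}
+d.SetId(id)
+waitErr := accessContextManagerOperationWaitTime(
+config, res, "Creating AccessLevel",
+int(d.Timeout(schema.TimeoutCreate).Minutes()))
+if waitErr != nil {
+// The resource didn't actually create
+d.SetId("")
+return fmt.Errorf("Error waiting to create AccessLevel: %s", waitErr)
+}
+log.Printf("[DEBUG] Finished creating AccessLevel %q: %#v", d.Id(), res)
+return resourceAccessContextManagerAccessLevelRead(d, meta)
+}
+func resourceAccessContextManagerAccessLevelRead(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+if err != nil {
+return err
+}
+res, err := sendRequest(config, "GET", url, nil)
+if err != nil {
+return handleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerAccessLevel %q", d.Id()))
+}
+if err := d.Set("title", flattenAccessContextManagerAccessLevelTitle(res["title"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+if err := d.Set("description", flattenAccessContextManagerAccessLevelDescription(res["description"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+if err := d.Set("basic", flattenAccessContextManagerAccessLevelBasic(res["basic"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+if err := d.Set("name", flattenAccessContextManagerAccessLevelName(res["name"], d)); err != nil {
+return fmt.Errorf("Error reading AccessLevel: %s", err)
+}
+return nil
+}
+func resourceAccessContextManagerAccessLevelUpdate(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+obj := make(map[string]interface{})
+titleProp, err := expandAccessContextManagerAccessLevelTitle(d.Get("title"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+obj["title"] = titleProp
+}
+descriptionProp, err := expandAccessContextManagerAccessLevelDescription(d.Get("description"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+obj["description"] = descriptionProp
+}
+basicProp, err := expandAccessContextManagerAccessLevelBasic(d.Get("basic"), d, config)
+if err != nil {
+return err
+} else if v, ok := d.GetOkExists("basic"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, basicProp)) {
+obj["basic"] = basicProp
+}
+obj, err = resourceAccessContextManagerAccessLevelEncoder(d, meta, obj)
+if err != nil {
+return err
+}
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+if err != nil {
+return err
+}
+log.Printf("[DEBUG] Updating AccessLevel %q: %#v", d.Id(), obj)
+updateMask := []string{}
+if d.HasChange("title") {
+updateMask = append(updateMask, "title")
+}
+if d.HasChange("description") {
+updateMask = append(updateMask, "description")
+}
+if d.HasChange("basic") {
+updateMask = append(updateMask, "basic")
+}
+// updateMask is a URL parameter but not present in the schema, so replaceVars
+// won't set it
+url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+if err != nil {
+return err
+}
+res, err := sendRequestWithTimeout(config, "PATCH", url, obj, d.Timeout(schema.TimeoutUpdate))
+if err != nil {
+return fmt.Errorf("Error updating AccessLevel %q: %s", d.Id(), err)
+}
+err = accessContextManagerOperationWaitTime(
+config, res, "Updating AccessLevel",
+int(d.Timeout(schema.TimeoutUpdate).Minutes()))
+if err != nil {
+return err
+}
+return resourceAccessContextManagerAccessLevelRead(d, meta)
+}
+func resourceAccessContextManagerAccessLevelDelete(d *schema.ResourceData, meta interface{}) error {
+config := meta.(*Config)
+url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+if err != nil {
+return err
+}
+var obj map[string]interface{}
+log.Printf("[DEBUG] Deleting AccessLevel %q", d.Id())
+res, err := sendRequestWithTimeout(config, "DELETE", url, obj, d.Timeout(schema.TimeoutDelete))
+if err != nil {
+return handleNotFoundError(err, d, "AccessLevel")
+}
+err = accessContextManagerOperationWaitTime(
+config, res, "Deleting AccessLevel",
+int(d.Timeout(schema.TimeoutDelete).Minutes()))
+if err != nil {
+return err
+}
+log.Printf("[DEBUG] Finished deleting AccessLevel %q: %#v", d.Id(), res)
+return nil
+}
+func resourceAccessContextManagerAccessLevelImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+config := meta.(*Config)
+// current import_formats can't import ids with forward slashes in them.
+if err := parseImportId([]string{"(?P<name>.+)"}, d, config); err != nil {
+return nil, err
+}
+stringParts := strings.Split(d.Get("name").(string), "/")
+d.Set("parent", fmt.Sprintf("%s/%s", stringParts[0], stringParts[1]))
+return []*schema.ResourceData{d}, nil
+}
+func flattenAccessContextManagerAccessLevelTitle(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelDescription(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasic(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return nil
+}
+original := v.(map[string]interface{})
+if len(original) == 0 {
+return nil
+}
+transformed := make(map[string]interface{})
+transformed["combining_function"] =
+flattenAccessContextManagerAccessLevelBasicCombiningFunction(original["combiningFunction"], d)
+transformed["conditions"] =
+flattenAccessContextManagerAccessLevelBasicConditions(original["conditions"], d)
+return []interface{}{transformed}
+}
+func flattenAccessContextManagerAccessLevelBasicCombiningFunction(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil || v.(string) == "" {
+return "AND"
+}
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditions(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return v
+}
+l := v.([]interface{})
+transformed := make([]interface{}, 0, len(l))
+for _, raw := range l {
+original := raw.(map[string]interface{})
+if len(original) < 1 {
+// Do not include empty json objects coming back from the api
+continue
+}
+transformed = append(transformed, map[string]interface{}{
+"ip_subnetworks": flattenAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(original["ipSubnetworks"], d),
+"required_access_levels": flattenAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(original["requiredAccessLevels"], d),
+"members": flattenAccessContextManagerAccessLevelBasicConditionsMembers(original["members"], d),
+"negate": flattenAccessContextManagerAccessLevelBasicConditionsNegate(original["negate"], d),
+"device_policy": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicy(original["devicePolicy"], d),
+})
+}
+return transformed
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsMembers(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsNegate(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicy(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return nil
+}
+original := v.(map[string]interface{})
+if len(original) == 0 {
+return nil
+}
+transformed := make(map[string]interface{})
+transformed["require_screen_lock"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(original["requireScreenLock"], d)
+transformed["allowed_encryption_statuses"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(original["allowedEncryptionStatuses"], d)
+transformed["allowed_device_management_levels"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(original["allowedDeviceManagementLevels"], d)
+transformed["os_constraints"] =
+flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(original["osConstraints"], d)
+return []interface{}{transformed}
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(v interface{}, d *schema.ResourceData) interface{} {
+if v == nil {
+return v
+}
+l := v.([]interface{})
+transformed := make([]interface{}, 0, len(l))
+for _, raw := range l {
+original := raw.(map[string]interface{})
+if len(original) < 1 {
+// Do not include empty json objects coming back from the api
+continue
+}
+transformed = append(transformed, map[string]interface{}{
+"minimum_version": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(original["minimumVersion"], d),
+"os_type": flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(original["osType"], d),
+})
+}
+return transformed
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func flattenAccessContextManagerAccessLevelName(v interface{}, d *schema.ResourceData) interface{} {
+return v
+}
+func expandAccessContextManagerAccessLevelTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasic(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+if len(l) == 0 || l[0] == nil {
+return nil, nil
+}
+raw := l[0]
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+transformedCombiningFunction, err := expandAccessContextManagerAccessLevelBasicCombiningFunction(original["combining_function"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedCombiningFunction); val.IsValid() && !isEmptyValue(val) {
+transformed["combiningFunction"] = transformedCombiningFunction
+}
+transformedConditions, err := expandAccessContextManagerAccessLevelBasicConditions(original["conditions"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedConditions); val.IsValid() && !isEmptyValue(val) {
+transformed["conditions"] = transformedConditions
+}
+return transformed, nil
+}
+func expandAccessContextManagerAccessLevelBasicCombiningFunction(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditions(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+req := make([]interface{}, 0, len(l))
+for _, raw := range l {
+if raw == nil {
+continue
+}
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+transformedIpSubnetworks, err := expandAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(original["ip_subnetworks"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedIpSubnetworks); val.IsValid() && !isEmptyValue(val) {
+transformed["ipSubnetworks"] = transformedIpSubnetworks
+}
+transformedRequiredAccessLevels, err := expandAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(original["required_access_levels"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedRequiredAccessLevels); val.IsValid() && !isEmptyValue(val) {
+transformed["requiredAccessLevels"] = transformedRequiredAccessLevels
+}
+transformedMembers, err := expandAccessContextManagerAccessLevelBasicConditionsMembers(original["members"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedMembers); val.IsValid() && !isEmptyValue(val) {
+transformed["members"] = transformedMembers
+}
+transformedNegate, err := expandAccessContextManagerAccessLevelBasicConditionsNegate(original["negate"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedNegate); val.IsValid() && !isEmptyValue(val) {
+transformed["negate"] = transformedNegate
+}
+transformedDevicePolicy, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicy(original["device_policy"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedDevicePolicy); val.IsValid() && !isEmptyValue(val) {
+transformed["devicePolicy"] = transformedDevicePolicy
+}
+req = append(req, transformed)
+}
+return req, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsIpSubnetworks(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsRequiredAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsMembers(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsNegate(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicy(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+if len(l) == 0 || l[0] == nil {
+return nil, nil
+}
+raw := l[0]
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+transformedRequireScreenLock, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(original["require_screen_lock"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedRequireScreenLock); val.IsValid() && !isEmptyValue(val) {
+transformed["requireScreenLock"] = transformedRequireScreenLock
+}
+transformedAllowedEncryptionStatuses, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(original["allowed_encryption_statuses"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedAllowedEncryptionStatuses); val.IsValid() && !isEmptyValue(val) {
+transformed["allowedEncryptionStatuses"] = transformedAllowedEncryptionStatuses
+}
+transformedAllowedDeviceManagementLevels, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(original["allowed_device_management_levels"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedAllowedDeviceManagementLevels); val.IsValid() && !isEmptyValue(val) {
+transformed["allowedDeviceManagementLevels"] = transformedAllowedDeviceManagementLevels
+}
+transformedOsConstraints, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(original["os_constraints"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedOsConstraints); val.IsValid() && !isEmptyValue(val) {
+transformed["osConstraints"] = transformedOsConstraints
+}
+return transformed, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyRequireScreenLock(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedEncryptionStatuses(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyAllowedDeviceManagementLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+l := v.([]interface{})
+req := make([]interface{}, 0, len(l))
+for _, raw := range l {
+if raw == nil {
+continue
+}
+original := raw.(map[string]interface{})
+transformed := make(map[string]interface{})
+transformedMinimumVersion, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(original["minimum_version"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedMinimumVersion); val.IsValid() && !isEmptyValue(val) {
+transformed["minimumVersion"] = transformedMinimumVersion
+}
+transformedOsType, err := expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(original["os_type"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedOsType); val.IsValid() && !isEmptyValue(val) {
+transformed["osType"] = transformedOsType
+}
+req = append(req, transformed)
+}
+return req, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsMinimumVersion(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraintsOsType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func expandAccessContextManagerAccessLevelName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+return v, nil
+}
+func resourceAccessContextManagerAccessLevelEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
+delete(obj, "parent")
+return obj, nil
+}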


@ -1,3 +1,156 @@
package google
// Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now.
import (
"fmt"
"testing"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
// Since each test here is acting on the same organization and only one AccessPolicy
// can exist, they need to be ran serially. See AccessPolicy for the test runner.
func testAccAccessContextManagerAccessLevel_basicTest(t *testing.T) {
org := getTestOrgFromEnv(t)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroy,
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerAccessLevel_basic(org, "my policy", "level"),
},
{
ResourceName: "google_access_context_manager_access_level.test-access",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccAccessContextManagerAccessLevel_basicUpdated(org, "my new policy", "level"),
},
{
ResourceName: "google_access_context_manager_access_level.test-access",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccAccessContextManagerAccessLevel_fullTest(t *testing.T) {
org := getTestOrgFromEnv(t)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAccessContextManagerAccessLevelDestroy,
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerAccessLevel_full(org, "my policy", "level"),
},
{
ResourceName: "google_access_context_manager_access_level.test-access",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccCheckAccessContextManagerAccessLevelDestroy(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "google_access_context_manager_access_level" {
continue
}
config := testAccProvider.Meta().(*Config)
url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/{{name}}")
if err != nil {
return err
}
_, err = sendRequest(config, "GET", url, nil)
if err == nil {
return fmt.Errorf("AccessLevel still exists at %s", url)
}
}
return nil
}
func testAccAccessContextManagerAccessLevel_basic(org, policyTitle, levelTitleName string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
title = "%s"
description = "hello"
basic {
combining_function = "AND"
conditions {
ip_subnetworks = ["192.0.4.0/24"]
}
}
}
`, org, policyTitle, levelTitleName, levelTitleName)
}
func testAccAccessContextManagerAccessLevel_basicUpdated(org, policyTitle, levelTitleName string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
title = "%s"
description = "hello"
basic {
combining_function = "OR"
conditions {
ip_subnetworks = ["192.0.2.0/24"]
}
}
}
`, org, policyTitle, levelTitleName, levelTitleName)
}
func testAccAccessContextManagerAccessLevel_full(org, policyTitle, levelTitleName string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
title = "%s"
description = "hello"
basic {
combining_function = "AND"
conditions {
ip_subnetworks = ["192.0.4.0/24"]
members = ["user:test@google.com", "user:test2@google.com"]
negate = false
device_policy {
require_screen_lock = false
os_constraints {
os_type = "DESKTOP_CHROME_OS"
}
}
}
}
}
`, org, policyTitle, levelTitleName, levelTitleName)
}
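Review bot: The destroy check in testAccCheckAccessContextManagerAccessLevelDestroy treats any error from `_, err = sendRequest(config, "GET", url, nil)` as proof that the AccessLevel is gone, so a 403, a quota error or an unreachable endpoint lets the check pass vacuously and a leaked resource goes unnoticed. It also polls `https://accesscontextmanager.googleapis.com/v1beta/{{name}}` while the resource itself reads and deletes through the `/v1/` surface this commit introduces, so the check is not exercising the same API; the URL should read `https://accesscontextmanager.googleapis.com/v1/{{name}}`. After the `err == nil` branch I would accept only a not-found response, `if gerr, ok := err.(*googleapi.Error); !ok || gerr.Code != 404 { return fmt.Errorf("checking AccessLevel at %s: %s", url, err) }`, which needs `google.golang.org/api/googleapi` in the import block.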


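--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,279 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+import (
+	"fmt"
+	"log"
+	"reflect"
+	"strings"
+	"time"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+func resourceAccessContextManagerAccessPolicy() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAccessContextManagerAccessPolicyCreate,
+		Read: resourceAccessContextManagerAccessPolicyRead,
+		Update: resourceAccessContextManagerAccessPolicyUpdate,
+		Delete: resourceAccessContextManagerAccessPolicyDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceAccessContextManagerAccessPolicyImport,
+		},
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(360 * time.Second),
+			Update: schema.DefaultTimeout(360 * time.Second),
+			Delete: schema.DefaultTimeout(360 * time.Second),
+		},
+		Schema: map[string]*schema.Schema{
+			"parent": {
+				Type: schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"title": {
+				Type: schema.TypeString,
+				Required: true,
+			},
+			"create_time": {
+				Type: schema.TypeString,
+				Computed: true,
+			},
+			"name": {
+				Type: schema.TypeString,
+				Computed: true,
+			},
+			"update_time": {
+				Type: schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+func resourceAccessContextManagerAccessPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	obj := make(map[string]interface{})
+	parentProp, err := expandAccessContextManagerAccessPolicyParent(d.Get("parent"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("parent"); !isEmptyValue(reflect.ValueOf(parentProp)) && (ok || !reflect.DeepEqual(v, parentProp)) {
+		obj["parent"] = parentProp
+	}
+	titleProp, err := expandAccessContextManagerAccessPolicyTitle(d.Get("title"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+		obj["title"] = titleProp
+	}
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies")
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Creating new AccessPolicy: %#v", obj)
+	res, err := sendRequestWithTimeout(config, "POST", url, obj, d.Timeout(schema.TimeoutCreate))
+	if err != nil {
+		return fmt.Errorf("Error creating AccessPolicy: %s", err)
+	}
+	// Store the ID now
+	id, err := replaceVars(d, config, "{{name}}")
+	if err != nil {
+		return fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+	waitErr := accessContextManagerOperationWaitTime(
+		config, res, "Creating AccessPolicy",
+		int(d.Timeout(schema.TimeoutCreate).Minutes()))
+	if waitErr != nil {
+		// The resource didn't actually create
+		d.SetId("")
+		return fmt.Errorf("Error waiting to create AccessPolicy: %s", waitErr)
+	}
+	log.Printf("[DEBUG] Finished creating AccessPolicy %q: %#v", d.Id(), res)
+	// The operation for this resource contains the generated name that we need
+	// in order to perform a READ. We need to access the object inside of it as
+	// a map[string]interface, so let's do that.
+	resp := res["response"].(map[string]interface{})
+	name := GetResourceNameFromSelfLink(resp["name"].(string))
+	log.Printf("[DEBUG] Setting AccessPolicy name, id to %s", name)
+	d.Set("name", name)
+	d.SetId(name)
+	return resourceAccessContextManagerAccessPolicyRead(d, meta)
+}
+func resourceAccessContextManagerAccessPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies/{{name}}")
+	if err != nil {
+		return err
+	}
+	res, err := sendRequest(config, "GET", url, nil)
+	if err != nil {
+		return handleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerAccessPolicy %q", d.Id()))
+	}
+	if err := d.Set("name", flattenAccessContextManagerAccessPolicyName(res["name"], d)); err != nil {
+		return fmt.Errorf("Error reading AccessPolicy: %s", err)
+	}
+	if err := d.Set("create_time", flattenAccessContextManagerAccessPolicyCreateTime(res["createTime"], d)); err != nil {
+		return fmt.Errorf("Error reading AccessPolicy: %s", err)
+	}
+	if err := d.Set("update_time", flattenAccessContextManagerAccessPolicyUpdateTime(res["updateTime"], d)); err != nil {
+		return fmt.Errorf("Error reading AccessPolicy: %s", err)
+	}
+	if err := d.Set("parent", flattenAccessContextManagerAccessPolicyParent(res["parent"], d)); err != nil {
+		return fmt.Errorf("Error reading AccessPolicy: %s", err)
+	}
+	if err := d.Set("title", flattenAccessContextManagerAccessPolicyTitle(res["title"], d)); err != nil {
+		return fmt.Errorf("Error reading AccessPolicy: %s", err)
+	}
+	return nil
+}
+func resourceAccessContextManagerAccessPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	obj := make(map[string]interface{})
+	titleProp, err := expandAccessContextManagerAccessPolicyTitle(d.Get("title"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+		obj["title"] = titleProp
+	}
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies/{{name}}")
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Updating AccessPolicy %q: %#v", d.Id(), obj)
+	updateMask := []string{}
+	if d.HasChange("title") {
+		updateMask = append(updateMask, "title")
+	}
+	// updateMask is a URL parameter but not present in the schema, so replaceVars
+	// won't set it
+	url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
+	res, err := sendRequestWithTimeout(config, "PATCH", url, obj, d.Timeout(schema.TimeoutUpdate))
+	if err != nil {
+		return fmt.Errorf("Error updating AccessPolicy %q: %s", d.Id(), err)
+	}
+	err = accessContextManagerOperationWaitTime(
+		config, res, "Updating AccessPolicy",
+		int(d.Timeout(schema.TimeoutUpdate).Minutes()))
+	if err != nil {
+		return err
+	}
+	return resourceAccessContextManagerAccessPolicyRead(d, meta)
+}
+func resourceAccessContextManagerAccessPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/accessPolicies/{{name}}")
+	if err != nil {
+		return err
+	}
+	var obj map[string]interface{}
+	log.Printf("[DEBUG] Deleting AccessPolicy %q", d.Id())
+	res, err := sendRequestWithTimeout(config, "DELETE", url, obj, d.Timeout(schema.TimeoutDelete))
+	if err != nil {
+		return handleNotFoundError(err, d, "AccessPolicy")
+	}
+	err = accessContextManagerOperationWaitTime(
+		config, res, "Deleting AccessPolicy",
+		int(d.Timeout(schema.TimeoutDelete).Minutes()))
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Finished deleting AccessPolicy %q: %#v", d.Id(), res)
+	return nil
+}
+func resourceAccessContextManagerAccessPolicyImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	config := meta.(*Config)
+	if err := parseImportId([]string{"(?P<name>[^/]+)"}, d, config); err != nil {
+		return nil, err
+	}
+	// Replace import id for the resource id
+	id, err := replaceVars(d, config, "{{name}}")
+	if err != nil {
+		return nil, fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+	return []*schema.ResourceData{d}, nil
+}
+func flattenAccessContextManagerAccessPolicyName(v interface{}, d *schema.ResourceData) interface{} {
+	if v == nil {
+		return v
+	}
+	return NameFromSelfLinkStateFunc(v)
+}
+func flattenAccessContextManagerAccessPolicyCreateTime(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerAccessPolicyUpdateTime(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerAccessPolicyParent(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerAccessPolicyTitle(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func expandAccessContextManagerAccessPolicyParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerAccessPolicyTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}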


@ -1,3 +1,91 @@
package google
// Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now.
import (
"fmt"
"testing"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
// Since each test here is acting on the same organization and only one AccessPolicy
// can exist, they need to be ran serially
func TestAccAccessContextManager(t *testing.T) {
testCases := map[string]func(t *testing.T){
"access_policy": testAccAccessContextManagerAccessPolicy_basicTest,
"service_perimeter": testAccAccessContextManagerServicePerimeter_basicTest,
"service_perimeter_update": testAccAccessContextManagerServicePerimeter_updateTest,
"access_level": testAccAccessContextManagerAccessLevel_basicTest,
"access_level_full": testAccAccessContextManagerAccessLevel_fullTest,
}
for name, tc := range testCases {
// shadow the tc variable into scope so that when
// the loop continues, if t.Run hasn't executed tc(t)
// yet, we don't have a race condition
// see https://github.com/golang/go/wiki/CommonMistakes#using-goroutines-on-loop-iterator-variables
tc := tc
t.Run(name, func(t *testing.T) {
tc(t)
})
}
}
func testAccAccessContextManagerAccessPolicy_basicTest(t *testing.T) {
org := getTestOrgFromEnv(t)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAccessContextManagerAccessPolicyDestroy,
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerAccessPolicy_basic(org, "my policy"),
},
{
ResourceName: "google_access_context_manager_access_policy.test-access",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccAccessContextManagerAccessPolicy_basic(org, "my new policy"),
},
{
ResourceName: "google_access_context_manager_access_policy.test-access",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccCheckAccessContextManagerAccessPolicyDestroy(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "google_access_context_manager_access_policy" {
continue
}
config := testAccProvider.Meta().(*Config)
url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/accessPolicies/{{name}}")
if err != nil {
return err
}
_, err = sendRequest(config, "GET", url, nil)
if err == nil {
return fmt.Errorf("AccessPolicy still exists at %s", url)
}
}
return nil
}
func testAccAccessContextManagerAccessPolicy_basic(org, title string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
`, org, title)
}
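Review bot: testAccCheckAccessContextManagerAccessPolicyDestroy treats any error from the GET as proof the policy is gone (`if err == nil { return fmt.Errorf(...) }` is the only branch), so a 403, a transient 5xx or a timeout lets the destroy check pass while the policy still exists in the organization; testAccCheckAccessContextManagerServicePerimeterDestroy in the next file has the same shape. Return the error unless it is specifically a not-found response, and only treat not-found as "destroyed". Separately, both destroy checks read from the `v1beta` endpoint while the resources under test now call `v1`; reading back through the same API version the resource writes keeps the GA test from depending on the beta surface. The stub comment "Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now." appears to survive into the new file; if it does, it is now stale.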


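--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,463 @@
+// ----------------------------------------------------------------------------
+//
+// *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+//
+// ----------------------------------------------------------------------------
+//
+// This file is automatically generated by Magic Modules and manual
+// changes will be clobbered when the file is regenerated.
+//
+// Please read more about how to change this file in
+// .github/CONTRIBUTING.md.
+//
+// ----------------------------------------------------------------------------
+package google
+import (
+	"fmt"
+	"log"
+	"reflect"
+	"strings"
+	"time"
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
+)
+func resourceAccessContextManagerServicePerimeter() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAccessContextManagerServicePerimeterCreate,
+		Read: resourceAccessContextManagerServicePerimeterRead,
+		Update: resourceAccessContextManagerServicePerimeterUpdate,
+		Delete: resourceAccessContextManagerServicePerimeterDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceAccessContextManagerServicePerimeterImport,
+		},
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(360 * time.Second),
+			Update: schema.DefaultTimeout(360 * time.Second),
+			Delete: schema.DefaultTimeout(360 * time.Second),
+		},
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type: schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"parent": {
+				Type: schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"title": {
+				Type: schema.TypeString,
+				Required: true,
+			},
+			"description": {
+				Type: schema.TypeString,
+				Optional: true,
+			},
+			"perimeter_type": {
+				Type: schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				ValidateFunc: validation.StringInSlice([]string{"PERIMETER_TYPE_REGULAR", "PERIMETER_TYPE_BRIDGE", ""}, false),
+				Default: "PERIMETER_TYPE_REGULAR",
+			},
+			"status": {
+				Type: schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"access_levels": {
+							Type: schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"resources": {
+							Type: schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"restricted_services": {
+							Type: schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
+			},
+			"create_time": {
+				Type: schema.TypeString,
+				Computed: true,
+			},
+			"update_time": {
+				Type: schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+func resourceAccessContextManagerServicePerimeterCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	obj := make(map[string]interface{})
+	titleProp, err := expandAccessContextManagerServicePerimeterTitle(d.Get("title"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(titleProp)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+		obj["title"] = titleProp
+	}
+	descriptionProp, err := expandAccessContextManagerServicePerimeterDescription(d.Get("description"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+		obj["description"] = descriptionProp
+	}
+	perimeterTypeProp, err := expandAccessContextManagerServicePerimeterPerimeterType(d.Get("perimeter_type"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("perimeter_type"); !isEmptyValue(reflect.ValueOf(perimeterTypeProp)) && (ok || !reflect.DeepEqual(v, perimeterTypeProp)) {
+		obj["perimeterType"] = perimeterTypeProp
+	}
+	statusProp, err := expandAccessContextManagerServicePerimeterStatus(d.Get("status"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("status"); !isEmptyValue(reflect.ValueOf(statusProp)) && (ok || !reflect.DeepEqual(v, statusProp)) {
+		obj["status"] = statusProp
+	}
+	parentProp, err := expandAccessContextManagerServicePerimeterParent(d.Get("parent"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("parent"); !isEmptyValue(reflect.ValueOf(parentProp)) && (ok || !reflect.DeepEqual(v, parentProp)) {
+		obj["parent"] = parentProp
+	}
+	nameProp, err := expandAccessContextManagerServicePerimeterName(d.Get("name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("name"); !isEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) {
+		obj["name"] = nameProp
+	}
+	obj, err = resourceAccessContextManagerServicePerimeterEncoder(d, meta, obj)
+	if err != nil {
+		return err
+	}
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{parent}}/servicePerimeters")
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Creating new ServicePerimeter: %#v", obj)
+	res, err := sendRequestWithTimeout(config, "POST", url, obj, d.Timeout(schema.TimeoutCreate))
+	if err != nil {
+		return fmt.Errorf("Error creating ServicePerimeter: %s", err)
+	}
+	// Store the ID now
+	id, err := replaceVars(d, config, "{{name}}")
+	if err != nil {
+		return fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+	waitErr := accessContextManagerOperationWaitTime(
+		config, res, "Creating ServicePerimeter",
+		int(d.Timeout(schema.TimeoutCreate).Minutes()))
+	if waitErr != nil {
+		// The resource didn't actually create
+		d.SetId("")
+		return fmt.Errorf("Error waiting to create ServicePerimeter: %s", waitErr)
+	}
+	log.Printf("[DEBUG] Finished creating ServicePerimeter %q: %#v", d.Id(), res)
+	return resourceAccessContextManagerServicePerimeterRead(d, meta)
+}
+func resourceAccessContextManagerServicePerimeterRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+	if err != nil {
+		return err
+	}
+	res, err := sendRequest(config, "GET", url, nil)
+	if err != nil {
+		return handleNotFoundError(err, d, fmt.Sprintf("AccessContextManagerServicePerimeter %q", d.Id()))
+	}
+	if err := d.Set("title", flattenAccessContextManagerServicePerimeterTitle(res["title"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	if err := d.Set("description", flattenAccessContextManagerServicePerimeterDescription(res["description"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	if err := d.Set("create_time", flattenAccessContextManagerServicePerimeterCreateTime(res["createTime"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	if err := d.Set("update_time", flattenAccessContextManagerServicePerimeterUpdateTime(res["updateTime"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	if err := d.Set("perimeter_type", flattenAccessContextManagerServicePerimeterPerimeterType(res["perimeterType"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	if err := d.Set("status", flattenAccessContextManagerServicePerimeterStatus(res["status"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	if err := d.Set("name", flattenAccessContextManagerServicePerimeterName(res["name"], d)); err != nil {
+		return fmt.Errorf("Error reading ServicePerimeter: %s", err)
+	}
+	return nil
+}
+func resourceAccessContextManagerServicePerimeterUpdate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	obj := make(map[string]interface{})
+	titleProp, err := expandAccessContextManagerServicePerimeterTitle(d.Get("title"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("title"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, titleProp)) {
+		obj["title"] = titleProp
+	}
+	descriptionProp, err := expandAccessContextManagerServicePerimeterDescription(d.Get("description"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
+		obj["description"] = descriptionProp
+	}
+	statusProp, err := expandAccessContextManagerServicePerimeterStatus(d.Get("status"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("status"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, statusProp)) {
+		obj["status"] = statusProp
+	}
+	obj, err = resourceAccessContextManagerServicePerimeterEncoder(d, meta, obj)
+	if err != nil {
+		return err
+	}
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Updating ServicePerimeter %q: %#v", d.Id(), obj)
+	updateMask := []string{}
+	if d.HasChange("title") {
+		updateMask = append(updateMask, "title")
+	}
+	if d.HasChange("description") {
+		updateMask = append(updateMask, "description")
+	}
+	if d.HasChange("status") {
+		updateMask = append(updateMask, "status")
+	}
+	// updateMask is a URL parameter but not present in the schema, so replaceVars
+	// won't set it
+	url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
+	if err != nil {
+		return err
+	}
+	res, err := sendRequestWithTimeout(config, "PATCH", url, obj, d.Timeout(schema.TimeoutUpdate))
+	if err != nil {
+		return fmt.Errorf("Error updating ServicePerimeter %q: %s", d.Id(), err)
+	}
+	err = accessContextManagerOperationWaitTime(
+		config, res, "Updating ServicePerimeter",
+		int(d.Timeout(schema.TimeoutUpdate).Minutes()))
+	if err != nil {
+		return err
+	}
+	return resourceAccessContextManagerServicePerimeterRead(d, meta)
+}
+func resourceAccessContextManagerServicePerimeterDelete(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	url, err := replaceVars(d, config, "https://accesscontextmanager.googleapis.com/v1/{{name}}")
+	if err != nil {
+		return err
+	}
+	var obj map[string]interface{}
+	log.Printf("[DEBUG] Deleting ServicePerimeter %q", d.Id())
+	res, err := sendRequestWithTimeout(config, "DELETE", url, obj, d.Timeout(schema.TimeoutDelete))
+	if err != nil {
+		return handleNotFoundError(err, d, "ServicePerimeter")
+	}
+	err = accessContextManagerOperationWaitTime(
+		config, res, "Deleting ServicePerimeter",
+		int(d.Timeout(schema.TimeoutDelete).Minutes()))
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Finished deleting ServicePerimeter %q: %#v", d.Id(), res)
+	return nil
+}
+func resourceAccessContextManagerServicePerimeterImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	config := meta.(*Config)
+	// current import_formats can't import ids with forward slashes in them.
+	if err := parseImportId([]string{"(?P<name>.+)"}, d, config); err != nil {
+		return nil, err
+	}
+	stringParts := strings.Split(d.Get("name").(string), "/")
+	d.Set("parent", fmt.Sprintf("%s/%s", stringParts[0], stringParts[1]))
+	return []*schema.ResourceData{d}, nil
+}
+func flattenAccessContextManagerServicePerimeterTitle(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterDescription(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterCreateTime(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterUpdateTime(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterPerimeterType(v interface{}, d *schema.ResourceData) interface{} {
+	if v == nil || v.(string) == "" {
+		return "PERIMETER_TYPE_REGULAR"
+	}
+	return v
+}
+func flattenAccessContextManagerServicePerimeterStatus(v interface{}, d *schema.ResourceData) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["resources"] =
+		flattenAccessContextManagerServicePerimeterStatusResources(original["resources"], d)
+	transformed["access_levels"] =
+		flattenAccessContextManagerServicePerimeterStatusAccessLevels(original["accessLevels"], d)
+	transformed["restricted_services"] =
+		flattenAccessContextManagerServicePerimeterStatusRestrictedServices(original["restrictedServices"], d)
+	return []interface{}{transformed}
+}
+func flattenAccessContextManagerServicePerimeterStatusResources(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterStatusAccessLevels(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterStatusRestrictedServices(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func flattenAccessContextManagerServicePerimeterName(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+func expandAccessContextManagerServicePerimeterTitle(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterDescription(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterPerimeterType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterStatus(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+	transformedResources, err := expandAccessContextManagerServicePerimeterStatusResources(original["resources"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedResources); val.IsValid() && !isEmptyValue(val) {
+		transformed["resources"] = transformedResources
+	}
+	transformedAccessLevels, err := expandAccessContextManagerServicePerimeterStatusAccessLevels(original["access_levels"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAccessLevels); val.IsValid() && !isEmptyValue(val) {
+		transformed["accessLevels"] = transformedAccessLevels
+	}
+	transformedRestrictedServices, err := expandAccessContextManagerServicePerimeterStatusRestrictedServices(original["restricted_services"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedRestrictedServices); val.IsValid() && !isEmptyValue(val) {
+		transformed["restrictedServices"] = transformedRestrictedServices
+	}
+	return transformed, nil
+}
+func expandAccessContextManagerServicePerimeterStatusResources(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterStatusAccessLevels(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterStatusRestrictedServices(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterParent(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func expandAccessContextManagerServicePerimeterName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+func resourceAccessContextManagerServicePerimeterEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
+	delete(obj, "parent")
+	return obj, nil
+}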
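Review bot: resourceAccessContextManagerServicePerimeterImport indexes `stringParts[0]` and `stringParts[1]` without checking the split length, and the import regex `(?P<name>.+)` accepts any non-empty id, so a `terraform import` with an id that has no `/` panics with an index-out-of-range instead of a usable error. Guard right after the split, e.g. `if len(stringParts) < 2 { return nil, fmt.Errorf("invalid import id %q, expected accessPolicies/{policy}/servicePerimeters/{name}", d.Get("name")) }` (the four-segment form is what the acceptance configs in this commit use), and check the `d.Set("parent", ...)` result as the Read path does. The `status.resources`, `status.access_levels` and `status.restricted_services` fields are `schema.TypeList` of strings; if the API returns them in a canonical order rather than the configured order, a plan will show a perpetual diff — a set type would be order-insensitive, worth confirming against the API before the resource is relied on for perimeter enforcement. As the file is generated, the change belongs in the Magic Modules template.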


@ -1,3 +1,171 @@
package google
// Magic Modules doesn't let us remove files - blank out beta-only common-compile files for now.
import (
"fmt"
"testing"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
// Since each test here is acting on the same organization and only one AccessPolicy
// can exist, they need to be ran serially. See AccessPolicy for the test runner.
func testAccAccessContextManagerServicePerimeter_basicTest(t *testing.T) {
org := getTestOrgFromEnv(t)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAccessContextManagerServicePerimeterDestroy,
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerServicePerimeter_basic(org, "my policy", "level", "perimeter"),
},
{
ResourceName: "google_access_context_manager_service_perimeter.test-access",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
org := getTestOrgFromEnv(t)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAccessContextManagerServicePerimeterDestroy,
Steps: []resource.TestStep{
{
Config: testAccAccessContextManagerServicePerimeter_update(org, "my policy", "level", "perimeter"),
},
{
ResourceName: "google_access_context_manager_service_perimeter.test-access",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccAccessContextManagerServicePerimeter_update2(org, "my policy", "level", "perimeter"),
},
{
ResourceName: "google_access_context_manager_service_perimeter.test-access",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccCheckAccessContextManagerServicePerimeterDestroy(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "google_access_context_manager_service_perimeter" {
continue
}
config := testAccProvider.Meta().(*Config)
url, err := replaceVarsForTest(rs, "https://accesscontextmanager.googleapis.com/v1beta/{{name}}")
if err != nil {
return err
}
_, err = sendRequest(config, "GET", url, nil)
if err == nil {
return fmt.Errorf("ServicePerimeter still exists at %s", url)
}
}
return nil
}
func testAccAccessContextManagerServicePerimeter_basic(org, policyTitle, levelTitleName, perimeterTitleName string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
title = "%s"
description = "hello"
basic {
combining_function = "AND"
conditions {
ip_subnetworks = ["192.0.4.0/24"]
}
}
}
resource "google_access_context_manager_service_perimeter" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
title = "%s"
perimeter_type = "PERIMETER_TYPE_BRIDGE"
}
`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
}
func testAccAccessContextManagerServicePerimeter_update(org, policyTitle, levelTitleName, perimeterTitleName string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
title = "%s"
description = "hello"
basic {
combining_function = "AND"
conditions {
ip_subnetworks = ["192.0.4.0/24"]
}
}
}
resource "google_access_context_manager_service_perimeter" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
title = "%s"
perimeter_type = "PERIMETER_TYPE_REGULAR"
status {
restricted_services = ["storage.googleapis.com"]
}
}
`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
}
func testAccAccessContextManagerServicePerimeter_update2(org, policyTitle, levelTitleName, perimeterTitleName string) string {
return fmt.Sprintf(`
resource "google_access_context_manager_access_policy" "test-access" {
parent = "organizations/%s"
title = "%s"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/%s"
title = "%s"
description = "hello"
basic {
combining_function = "AND"
conditions {
ip_subnetworks = ["192.0.4.0/24"]
}
}
}
resource "google_access_context_manager_service_perimeter" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
title = "%s"
perimeter_type = "PERIMETER_TYPE_REGULAR"
}
`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
}


@ -0,0 +1,208 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_access_context_manager_access_level"
sidebar_current: "docs-google-access-context-manager-access-level"
description: |-
An AccessLevel is a label that can be applied to requests to GCP services,
along with a list of requirements necessary for the label to be applied.
---
# google\_access\_context\_manager\_access\_level
An AccessLevel is a label that can be applied to requests to GCP services,
along with a list of requirements necessary for the label to be applied.
To get more information about AccessLevel, see:
* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels)
* How-to Guides
* [Access Policy Quickstart](https://cloud.google.com/access-context-manager/docs/quickstart)
## Example Usage - Access Context Manager Access Level Basic
```hcl
resource "google_access_context_manager_access_level" "access-level" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"
title = "chromeos_no_lock"
basic {
conditions {
device_policy {
require_screen_lock = false
os_constraints {
os_type = "DESKTOP_CHROME_OS"
}
}
}
}
}
resource "google_access_context_manager_access_policy" "access-policy" {
parent = "organizations/123456789"
title = "my policy"
}
```
## Argument Reference
The following arguments are supported:
* `title` -
(Required)
Human readable title. Must be unique within the Policy.
* `parent` -
(Required)
The AccessPolicy this AccessLevel lives in.
Format: accessPolicies/{policy_id}
* `name` -
(Required)
Resource name for the Access Level. The short_name component must begin
with a letter and only include alphanumeric and '_'.
Format: accessPolicies/{policy_id}/accessLevels/{short_name}
- - -
* `description` -
(Optional)
Description of the AccessLevel and its use. Does not affect behavior.
* `basic` -
(Optional)
A set of predefined conditions for the access level and a combining function. Structure is documented below.
The `basic` block supports:
* `combining_function` -
(Optional)
How the conditions list should be combined to determine if a request
is granted this AccessLevel. If AND is used, each Condition in
conditions must be satisfied for the AccessLevel to be applied. If
OR is used, at least one Condition in conditions must be satisfied
for the AccessLevel to be applied. Defaults to AND if unspecified.
* `conditions` -
(Required)
A set of requirements for the AccessLevel to be granted. Structure is documented below.
The `conditions` block supports:
* `ip_subnetworks` -
(Optional)
A list of CIDR block IP subnetwork specification. May be IPv4
or IPv6.
Note that for a CIDR IP address block, the specified IP address
portion must be properly truncated (i.e. all the host bits must
be zero) or the input is considered malformed. For example,
"192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
is not. The originating IP of a request must be in one of the
listed subnets in order for this Condition to be true.
If empty, all IP addresses are allowed.
* `required_access_levels` -
(Optional)
A list of other access levels defined in the same Policy,
referenced by resource name. Referencing an AccessLevel which
does not exist is an error. All access levels listed must be
granted for the Condition to be true.
Format: accessPolicies/{policy_id}/accessLevels/{short_name}
* `members` -
(Optional)
An allowed list of members (users, groups, service accounts).
The signed-in user originating the request must be a part of one
of the provided members. If not specified, a request may come
from any user (logged in/not logged in, not present in any
groups, etc.).
Formats: `user:{emailid}`, `group:{emailid}`, `serviceAccount:{emailid}`
* `negate` -
(Optional)
Whether to negate the Condition. If true, the Condition becomes
a NAND over its non-empty fields, each field must be false for
the Condition overall to be satisfied. Defaults to false.
* `device_policy` -
(Optional)
Device specific restrictions, all restrictions must hold for
the Condition to be true. If not specified, all devices are
allowed. Structure is documented below.
The `device_policy` block supports:
* `require_screen_lock` -
(Optional)
Whether or not screenlock is required for the DevicePolicy
to be true. Defaults to false.
* `allowed_encryption_statuses` -
(Optional)
A list of allowed encryptions statuses.
An empty list allows all statuses.
* `allowed_device_management_levels` -
(Optional)
A list of allowed device management levels.
An empty list allows all management levels.
* `os_constraints` -
(Optional)
A list of allowed OS versions.
An empty list allows all types and all versions. Structure is documented below.
The `os_constraints` block supports:
* `minimum_version` -
(Optional)
The minimum allowed OS version. If not set, any version
of this OS satisfies the constraint.
Format: "major.minor.patch" such as "10.5.301", "9.2.1".
* `os_type` -
(Optional)
The operating system type of the device.
## Timeouts
This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `create` - Default is 6 minutes.
- `update` - Default is 6 minutes.
- `delete` - Default is 6 minutes.
## Import
AccessLevel can be imported using any of these accepted formats:
```
$ terraform import google_access_context_manager_access_level.default {{name}}
```
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.


@ -0,0 +1,101 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_access_context_manager_access_policy"
sidebar_current: "docs-google-access-context-manager-access-policy"
description: |-
AccessPolicy is a container for AccessLevels (which define the necessary
attributes to use GCP services) and ServicePerimeters (which define
regions of services able to freely pass data within a perimeter).
---
# google\_access\_context\_manager\_access\_policy
AccessPolicy is a container for AccessLevels (which define the necessary
attributes to use GCP services) and ServicePerimeters (which define
regions of services able to freely pass data within a perimeter). An
access policy is globally visible within an organization, and the
restrictions it specifies apply to all projects within an organization.
To get more information about AccessPolicy, see:
* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies)
* How-to Guides
* [Access Policy Quickstart](https://cloud.google.com/access-context-manager/docs/quickstart)
## Example Usage - Access Context Manager Access Policy Basic
```hcl
resource "google_access_context_manager_access_policy" "access-policy" {
parent = "organizations/123456789"
title = "my policy"
}
```
## Argument Reference
The following arguments are supported:
* `parent` -
(Required)
The parent of this AccessPolicy in the Cloud Resource Hierarchy.
Format: organizations/{organization_id}
* `title` -
(Required)
Human readable title. Does not affect behavior.
- - -
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `name` -
Resource name of the AccessPolicy. Format: {policy_id}
* `create_time` -
Time the AccessPolicy was created in UTC.
* `update_time` -
Time the AccessPolicy was updated in UTC.
## Timeouts
This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `create` - Default is 6 minutes.
- `update` - Default is 6 minutes.
- `delete` - Default is 6 minutes.
## Import
AccessPolicy can be imported using any of these accepted formats:
```
$ terraform import google_access_context_manager_access_policy.default {{name}}
```
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.


@ -0,0 +1,189 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_access_context_manager_service_perimeter"
sidebar_current: "docs-google-access-context-manager-service-perimeter"
description: |-
ServicePerimeter describes a set of GCP resources which can freely import
and export data amongst themselves, but not export outside of the
ServicePerimeter.
---
# google\_access\_context\_manager\_service\_perimeter
ServicePerimeter describes a set of GCP resources which can freely import
and export data amongst themselves, but not export outside of the
ServicePerimeter. If a request with a source within this ServicePerimeter
has a target outside of the ServicePerimeter, the request will be blocked.
Otherwise the request is allowed. There are two types of Service Perimeter
- Regular and Bridge. Regular Service Perimeters cannot overlap, a single
GCP project can only belong to a single regular Service Perimeter. Service
Perimeter Bridges can contain only GCP projects as members, a single GCP
project may belong to multiple Service Perimeter Bridges.
To get more information about ServicePerimeter, see:
* [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters)
* How-to Guides
* [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart)
## Example Usage - Access Context Manager Service Perimeter Basic
```hcl
resource "google_access_context_manager_service_perimeter" "service-perimeter" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/restrict_all"
title = "restrict_all"
status {
restricted_services = ["storage.googleapis.com"]
}
}
resource "google_access_context_manager_access_level" "access-level" {
parent = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/accessLevels/chromeos_no_lock"
title = "chromeos_no_lock"
basic {
conditions {
device_policy {
require_screen_lock = false
os_constraints {
os_type = "DESKTOP_CHROME_OS"
}
}
}
}
}
resource "google_access_context_manager_access_policy" "access-policy" {
parent = "organizations/123456789"
title = "my policy"
}
```
## Argument Reference
The following arguments are supported:
* `title` -
(Required)
Human readable title. Must be unique within the Policy.
* `parent` -
(Required)
The AccessPolicy this ServicePerimeter lives in.
Format: accessPolicies/{policy_id}
* `name` -
(Required)
Resource name for the ServicePerimeter. The short_name component must
begin with a letter and only include alphanumeric and '_'.
Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}
- - -
* `description` -
(Optional)
Description of the ServicePerimeter and its use. Does not affect
behavior.
* `perimeter_type` -
(Optional)
Specifies the type of the Perimeter. There are two types: regular and
bridge. Regular Service Perimeter contains resources, access levels,
and restricted services. Every resource can be in at most
ONE regular Service Perimeter.
In addition to being in a regular service perimeter, a resource can also
be in zero or more perimeter bridges. A perimeter bridge only contains
resources. Cross project operations are permitted if all effected
resources share some perimeter (whether bridge or regular). Perimeter
Bridge does not contain access levels or services: those are governed
entirely by the regular perimeter that resource is in.
Perimeter Bridges are typically useful when building more complex
toplogies with many independent perimeters that need to share some data
with a common perimeter, but should not be able to share data among
themselves.
* `status` -
(Optional)
ServicePerimeter configuration. Specifies sets of resources,
restricted services and access levels that determine
perimeter content and boundaries. Structure is documented below.
The `status` block supports:
* `resources` -
(Optional)
A list of GCP resources that are inside of the service perimeter.
Currently only projects are allowed.
Format: projects/{project_number}
* `access_levels` -
(Optional)
A list of AccessLevel resource names that allow resources within
the ServicePerimeter to be accessed from the internet.
AccessLevels listed must be in the same policy as this
ServicePerimeter. Referencing a nonexistent AccessLevel is a
syntax error. If no AccessLevel names are listed, resources within
the perimeter can only be accessed via GCP calls with request
origins within the perimeter. For Service Perimeter Bridge, must
be empty.
Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}
* `restricted_services` -
(Optional)
GCP services that are subject to the Service Perimeter
restrictions. Must contain a list of services. For example, if
`storage.googleapis.com` is specified, access to the storage
buckets inside the perimeter must meet the perimeter's access
restrictions.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `create_time` -
Time the AccessPolicy was created in UTC.
* `update_time` -
Time the AccessPolicy was updated in UTC.
## Timeouts
This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `create` - Default is 6 minutes.
- `update` - Default is 6 minutes.
- `delete` - Default is 6 minutes.
## Import
ServicePerimeter can be imported using any of these accepted formats:
```
$ terraform import google_access_context_manager_service_perimeter.default {{name}}
```
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.