import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Allows configuring a single access level condition to be appended to an access level's conditions. * This resource is intended to be used in cases where it is not possible to compile a full list * of conditions to include in a `gcp.accesscontextmanager.AccessLevel` resource, * to enable them to be added separately. * * > **Note:** If this resource is used alongside a `gcp.accesscontextmanager.AccessLevel` resource, * the access level resource must have a `lifecycle` block with `ignoreChanges = [basic[0].conditions]` so * they don't fight over which service accounts should be included. * * To get more information about AccessLevelCondition, see: * * * [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels) * * How-to Guides * * [Access Policy Quickstart](https://cloud.google.com/access-context-manager/docs/quickstart) * * > **Warning:** If you are using User ADCs (Application Default Credentials) with this resource, * you must specify a `billingProject` and set `userProjectOverride` to true * in the provider configuration. Otherwise the ACM API will return a 403 error. * Your account must have the `serviceusage.services.use` permission on the * `billingProject` you defined. * * ## Example Usage * * ### Access Context Manager Access Level Condition Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const access_level_service_account = new gcp.accesscontextmanager.AccessLevel("access-level-service-account", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/chromeos_no_lock`, * title: "chromeos_no_lock", * basic: { * conditions: [{ * devicePolicy: { * requireScreenLock: true, * osConstraints: [{ * osType: "DESKTOP_CHROME_OS", * }], * }, * regions: [ * "CH", * "IT", * "US", * ], * }], * }, * }); * const created_later = new gcp.serviceaccount.Account("created-later", {accountId: "my-account-id"}); * const access_level_conditions = new gcp.accesscontextmanager.AccessLevelCondition("access-level-conditions", { * accessLevel: access_level_service_account.name, * ipSubnetworks: ["192.0.4.0/24"], * members: [ * "user:test@google.com", * "user:test2@google.com", * pulumi.interpolate`serviceAccount:${created_later.email}`, * ], * negate: false, * devicePolicy: { * requireScreenLock: false, * requireAdminApproval: false, * requireCorpOwned: true, * osConstraints: [{ * osType: "DESKTOP_CHROME_OS", * }], * }, * regions: [ * "IT", * "US", * ], * }); * ``` * * ## Import * * This resource does not support import. */ export declare class AccessLevelCondition extends pulumi.CustomResource { /** * Get an existing AccessLevelCondition resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: AccessLevelConditionState, opts?: pulumi.CustomResourceOptions): AccessLevelCondition; /** * Returns true if the given object is an instance of AccessLevelCondition. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is AccessLevelCondition; /** * The name of the Access Level to add this condition to. * * * - - - */ readonly accessLevel: pulumi.Output; /** * The name of the Access Policy this resource belongs to. */ readonly accessPolicyId: pulumi.Output; /** * Device specific restrictions, all restrictions must hold for * the Condition to be true. If not specified, all devices are * allowed. * Structure is documented below. */ readonly devicePolicy: pulumi.Output; /** * A list of CIDR block IP subnetwork specification. May be IPv4 * or IPv6. * Note that for a CIDR IP address block, the specified IP address * portion must be properly truncated (i.e. all the host bits must * be zero) or the input is considered malformed. For example, * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" * is not. The originating IP of a request must be in one of the * listed subnets in order for this Condition to be true. * If empty, all IP addresses are allowed. */ readonly ipSubnetworks: pulumi.Output; /** * An allowed list of members (users, service accounts). * Using groups is not supported yet. * The signed-in user originating the request must be a part of one * of the provided members. If not specified, a request may come * from any user (logged in/not logged in, not present in any * groups, etc.). * Formats: `user:{emailid}`, `serviceAccount:{emailid}` */ readonly members: pulumi.Output; /** * Whether to negate the Condition. If true, the Condition becomes * a NAND over its non-empty fields, each field must be false for * the Condition overall to be satisfied. Defaults to false. */ readonly negate: pulumi.Output; /** * The request must originate from one of the provided * countries/regions. * Format: A valid ISO 3166-1 alpha-2 code. */ readonly regions: pulumi.Output; /** * A list of other access levels defined in the same Policy, * referenced by resource name. Referencing an AccessLevel which * does not exist is an error. All access levels listed must be * granted for the Condition to be true. * Format: accessPolicies/{policy_id}/accessLevels/{short_name} */ readonly requiredAccessLevels: pulumi.Output; /** * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`. * Structure is documented below. */ readonly vpcNetworkSources: pulumi.Output; /** * Create a AccessLevelCondition resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: AccessLevelConditionArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering AccessLevelCondition resources. */ export interface AccessLevelConditionState { /** * The name of the Access Level to add this condition to. * * * - - - */ accessLevel?: pulumi.Input; /** * The name of the Access Policy this resource belongs to. */ accessPolicyId?: pulumi.Input; /** * Device specific restrictions, all restrictions must hold for * the Condition to be true. If not specified, all devices are * allowed. * Structure is documented below. */ devicePolicy?: pulumi.Input; /** * A list of CIDR block IP subnetwork specification. May be IPv4 * or IPv6. * Note that for a CIDR IP address block, the specified IP address * portion must be properly truncated (i.e. all the host bits must * be zero) or the input is considered malformed. For example, * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" * is not. The originating IP of a request must be in one of the * listed subnets in order for this Condition to be true. * If empty, all IP addresses are allowed. */ ipSubnetworks?: pulumi.Input[]>; /** * An allowed list of members (users, service accounts). * Using groups is not supported yet. * The signed-in user originating the request must be a part of one * of the provided members. If not specified, a request may come * from any user (logged in/not logged in, not present in any * groups, etc.). * Formats: `user:{emailid}`, `serviceAccount:{emailid}` */ members?: pulumi.Input[]>; /** * Whether to negate the Condition. If true, the Condition becomes * a NAND over its non-empty fields, each field must be false for * the Condition overall to be satisfied. Defaults to false. */ negate?: pulumi.Input; /** * The request must originate from one of the provided * countries/regions. * Format: A valid ISO 3166-1 alpha-2 code. */ regions?: pulumi.Input[]>; /** * A list of other access levels defined in the same Policy, * referenced by resource name. Referencing an AccessLevel which * does not exist is an error. All access levels listed must be * granted for the Condition to be true. * Format: accessPolicies/{policy_id}/accessLevels/{short_name} */ requiredAccessLevels?: pulumi.Input[]>; /** * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`. * Structure is documented below. */ vpcNetworkSources?: pulumi.Input[]>; } /** * The set of arguments for constructing a AccessLevelCondition resource. */ export interface AccessLevelConditionArgs { /** * The name of the Access Level to add this condition to. * * * - - - */ accessLevel: pulumi.Input; /** * Device specific restrictions, all restrictions must hold for * the Condition to be true. If not specified, all devices are * allowed. * Structure is documented below. */ devicePolicy?: pulumi.Input; /** * A list of CIDR block IP subnetwork specification. May be IPv4 * or IPv6. * Note that for a CIDR IP address block, the specified IP address * portion must be properly truncated (i.e. all the host bits must * be zero) or the input is considered malformed. For example, * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" * is not. The originating IP of a request must be in one of the * listed subnets in order for this Condition to be true. * If empty, all IP addresses are allowed. */ ipSubnetworks?: pulumi.Input[]>; /** * An allowed list of members (users, service accounts). * Using groups is not supported yet. * The signed-in user originating the request must be a part of one * of the provided members. If not specified, a request may come * from any user (logged in/not logged in, not present in any * groups, etc.). * Formats: `user:{emailid}`, `serviceAccount:{emailid}` */ members?: pulumi.Input[]>; /** * Whether to negate the Condition. If true, the Condition becomes * a NAND over its non-empty fields, each field must be false for * the Condition overall to be satisfied. Defaults to false. */ negate?: pulumi.Input; /** * The request must originate from one of the provided * countries/regions. * Format: A valid ISO 3166-1 alpha-2 code. */ regions?: pulumi.Input[]>; /** * A list of other access levels defined in the same Policy, * referenced by resource name. Referencing an AccessLevel which * does not exist is an error. All access levels listed must be * granted for the Condition to be true. * Format: accessPolicies/{policy_id}/accessLevels/{short_name} */ requiredAccessLevels?: pulumi.Input[]>; /** * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`. * Structure is documented below. */ vpcNetworkSources?: pulumi.Input[]>; }