import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * ServicePerimeter describes a set of GCP resources which can freely import * and export data amongst themselves, but not export outside of the * ServicePerimeter. If a request with a source within this ServicePerimeter * has a target outside of the ServicePerimeter, the request will be blocked. * Otherwise the request is allowed. There are two types of Service Perimeter * - Regular and Bridge. Regular Service Perimeters cannot overlap, a single * GCP project can only belong to a single regular Service Perimeter. Service * Perimeter Bridges can contain only GCP projects as members, a single GCP * project may belong to multiple Service Perimeter Bridges. * * To get more information about ServicePerimeter, see: * * * [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters) * * How-to Guides * * [Guide to Ingress and Egress Rules](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules) * * [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart) * * > **Warning:** If you are using User ADCs (Application Default Credentials) with this resource, * you must specify a `billingProject` and set `userProjectOverride` to true * in the provider configuration. Otherwise the ACM API will return a 403 error. * Your account must have the `serviceusage.services.use` permission on the * `billingProject` you defined. * * ## Example Usage * * ### Access Context Manager Service Perimeter Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const service_perimeter = new gcp.accesscontextmanager.ServicePerimeter("service-perimeter", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/restrict_storage`, * title: "restrict_storage", * status: { * restrictedServices: ["storage.googleapis.com"], * }, * }); * const access_level = new gcp.accesscontextmanager.AccessLevel("access-level", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/chromeos_no_lock`, * title: "chromeos_no_lock", * basic: { * conditions: [{ * devicePolicy: { * requireScreenLock: false, * osConstraints: [{ * osType: "DESKTOP_CHROME_OS", * }], * }, * regions: [ * "CH", * "IT", * "US", * ], * }], * }, * }); * ``` * ### Access Context Manager Service Perimeter Secure Data Exchange * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const secure_data_exchange = new gcp.accesscontextmanager.ServicePerimeters("secure-data-exchange", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * servicePerimeters: [ * { * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/`, * title: "", * status: { * restrictedServices: ["storage.googleapis.com"], * }, * }, * { * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/`, * title: "", * status: { * restrictedServices: ["bigtable.googleapis.com"], * vpcAccessibleServices: { * enableRestriction: true, * allowedServices: ["bigquery.googleapis.com"], * }, * }, * }, * ], * }); * const access_level = new gcp.accesscontextmanager.AccessLevel("access-level", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/secure_data_exchange`, * title: "secure_data_exchange", * basic: { * conditions: [{ * devicePolicy: { * requireScreenLock: false, * osConstraints: [{ * osType: "DESKTOP_CHROME_OS", * }], * }, * regions: [ * "CH", * "IT", * "US", * ], * }], * }, * }); * const test_access = new gcp.accesscontextmanager.ServicePerimeter("test-access", { * parent: `accessPolicies/${test_accessGoogleAccessContextManagerAccessPolicy.name}`, * name: `accessPolicies/${test_accessGoogleAccessContextManagerAccessPolicy.name}/servicePerimeters/%s`, * title: "%s", * perimeterType: "PERIMETER_TYPE_REGULAR", * status: { * restrictedServices: [ * "bigquery.googleapis.com", * "storage.googleapis.com", * ], * accessLevels: [access_level.name], * vpcAccessibleServices: { * enableRestriction: true, * allowedServices: [ * "bigquery.googleapis.com", * "storage.googleapis.com", * ], * }, * ingressPolicies: [{ * ingressFrom: { * sources: [{ * accessLevel: test_accessGoogleAccessContextManagerAccessLevel.name, * }], * identityType: "ANY_IDENTITY", * }, * ingressTo: { * resources: ["*"], * operations: [ * { * serviceName: "bigquery.googleapis.com", * methodSelectors: [ * { * method: "BigQueryStorage.ReadRows", * }, * { * method: "TableService.ListTables", * }, * { * permission: "bigquery.jobs.get", * }, * ], * }, * { * serviceName: "storage.googleapis.com", * methodSelectors: [{ * method: "google.storage.objects.create", * }], * }, * ], * }, * }], * egressPolicies: [{ * egressFrom: { * identityType: "ANY_USER_ACCOUNT", * }, * }], * }, * }); * ``` * ### Access Context Manager Service Perimeter Dry-Run * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const service_perimeter = new gcp.accesscontextmanager.ServicePerimeter("service-perimeter", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/restrict_bigquery_dryrun_storage`, * title: "restrict_bigquery_dryrun_storage", * status: { * restrictedServices: ["bigquery.googleapis.com"], * }, * spec: { * restrictedServices: ["storage.googleapis.com"], * }, * useExplicitDryRunSpec: true, * }); * ``` * ## Import * * ServicePerimeter can be imported using any of these accepted formats: * * * `{{name}}` * * When using the `pulumi import` command, ServicePerimeter can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:accesscontextmanager/servicePerimeter:ServicePerimeter default {{name}} * ``` */ export declare class ServicePerimeter extends pulumi.CustomResource { /** * Get an existing ServicePerimeter resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: ServicePerimeterState, opts?: pulumi.CustomResourceOptions): ServicePerimeter; /** * Returns true if the given object is an instance of ServicePerimeter. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is ServicePerimeter; /** * Time the AccessPolicy was created in UTC. */ readonly createTime: pulumi.Output; /** * Description of the ServicePerimeter and its use. Does not affect * behavior. */ readonly description: pulumi.Output; /** * Resource name for the ServicePerimeter. The shortName component must * begin with a letter and only include alphanumeric and '_'. * Format: accessPolicies/{policy_id}/servicePerimeters/{short_name} * * * - - - */ readonly name: pulumi.Output; /** * The AccessPolicy this ServicePerimeter lives in. * Format: accessPolicies/{policy_id} */ readonly parent: pulumi.Output; /** * Specifies the type of the Perimeter. There are two types: regular and * bridge. Regular Service Perimeter contains resources, access levels, * and restricted services. Every resource can be in at most * ONE regular Service Perimeter. * In addition to being in a regular service perimeter, a resource can also * be in zero or more perimeter bridges. A perimeter bridge only contains * resources. Cross project operations are permitted if all effected * resources share some perimeter (whether bridge or regular). Perimeter * Bridge does not contain access levels or services: those are governed * entirely by the regular perimeter that resource is in. * Perimeter Bridges are typically useful when building more complex * topologies with many independent perimeters that need to share some data * with a common perimeter, but should not be able to share data among * themselves. * Default value is `PERIMETER_TYPE_REGULAR`. * Possible values are: `PERIMETER_TYPE_REGULAR`, `PERIMETER_TYPE_BRIDGE`. */ readonly perimeterType: pulumi.Output; /** * Proposed (or dry run) ServicePerimeter configuration. * This configuration allows to specify and test ServicePerimeter configuration * without enforcing actual access restrictions. Only allowed to be set when * the `useExplicitDryRunSpec` flag is set. * Structure is documented below. */ readonly spec: pulumi.Output; /** * ServicePerimeter configuration. Specifies sets of resources, * restricted services and access levels that determine * perimeter content and boundaries. * Structure is documented below. */ readonly status: pulumi.Output; /** * Human readable title. Must be unique within the Policy. */ readonly title: pulumi.Output; /** * Time the AccessPolicy was updated in UTC. */ readonly updateTime: pulumi.Output; /** * Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists * for all Service Perimeters, and that spec is identical to the status for those * Service Perimeters. When this flag is set, it inhibits the generation of the * implicit spec, thereby allowing the user to explicitly provide a * configuration ("spec") to use in a dry-run version of the Service Perimeter. * This allows the user to test changes to the enforced config ("status") without * actually enforcing them. This testing is done through analyzing the differences * between currently enforced and suggested restrictions. useExplicitDryRunSpec must * bet set to True if any of the fields in the spec are set to non-default values. */ readonly useExplicitDryRunSpec: pulumi.Output; /** * Create a ServicePerimeter resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: ServicePerimeterArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering ServicePerimeter resources. */ export interface ServicePerimeterState { /** * Time the AccessPolicy was created in UTC. */ createTime?: pulumi.Input; /** * Description of the ServicePerimeter and its use. Does not affect * behavior. */ description?: pulumi.Input; /** * Resource name for the ServicePerimeter. The shortName component must * begin with a letter and only include alphanumeric and '_'. * Format: accessPolicies/{policy_id}/servicePerimeters/{short_name} * * * - - - */ name?: pulumi.Input; /** * The AccessPolicy this ServicePerimeter lives in. * Format: accessPolicies/{policy_id} */ parent?: pulumi.Input; /** * Specifies the type of the Perimeter. There are two types: regular and * bridge. Regular Service Perimeter contains resources, access levels, * and restricted services. Every resource can be in at most * ONE regular Service Perimeter. * In addition to being in a regular service perimeter, a resource can also * be in zero or more perimeter bridges. A perimeter bridge only contains * resources. Cross project operations are permitted if all effected * resources share some perimeter (whether bridge or regular). Perimeter * Bridge does not contain access levels or services: those are governed * entirely by the regular perimeter that resource is in. * Perimeter Bridges are typically useful when building more complex * topologies with many independent perimeters that need to share some data * with a common perimeter, but should not be able to share data among * themselves. * Default value is `PERIMETER_TYPE_REGULAR`. * Possible values are: `PERIMETER_TYPE_REGULAR`, `PERIMETER_TYPE_BRIDGE`. */ perimeterType?: pulumi.Input; /** * Proposed (or dry run) ServicePerimeter configuration. * This configuration allows to specify and test ServicePerimeter configuration * without enforcing actual access restrictions. Only allowed to be set when * the `useExplicitDryRunSpec` flag is set. * Structure is documented below. */ spec?: pulumi.Input; /** * ServicePerimeter configuration. Specifies sets of resources, * restricted services and access levels that determine * perimeter content and boundaries. * Structure is documented below. */ status?: pulumi.Input; /** * Human readable title. Must be unique within the Policy. */ title?: pulumi.Input; /** * Time the AccessPolicy was updated in UTC. */ updateTime?: pulumi.Input; /** * Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists * for all Service Perimeters, and that spec is identical to the status for those * Service Perimeters. When this flag is set, it inhibits the generation of the * implicit spec, thereby allowing the user to explicitly provide a * configuration ("spec") to use in a dry-run version of the Service Perimeter. * This allows the user to test changes to the enforced config ("status") without * actually enforcing them. This testing is done through analyzing the differences * between currently enforced and suggested restrictions. useExplicitDryRunSpec must * bet set to True if any of the fields in the spec are set to non-default values. */ useExplicitDryRunSpec?: pulumi.Input; } /** * The set of arguments for constructing a ServicePerimeter resource. */ export interface ServicePerimeterArgs { /** * Description of the ServicePerimeter and its use. Does not affect * behavior. */ description?: pulumi.Input; /** * Resource name for the ServicePerimeter. The shortName component must * begin with a letter and only include alphanumeric and '_'. * Format: accessPolicies/{policy_id}/servicePerimeters/{short_name} * * * - - - */ name?: pulumi.Input; /** * The AccessPolicy this ServicePerimeter lives in. * Format: accessPolicies/{policy_id} */ parent: pulumi.Input; /** * Specifies the type of the Perimeter. There are two types: regular and * bridge. Regular Service Perimeter contains resources, access levels, * and restricted services. Every resource can be in at most * ONE regular Service Perimeter. * In addition to being in a regular service perimeter, a resource can also * be in zero or more perimeter bridges. A perimeter bridge only contains * resources. Cross project operations are permitted if all effected * resources share some perimeter (whether bridge or regular). Perimeter * Bridge does not contain access levels or services: those are governed * entirely by the regular perimeter that resource is in. * Perimeter Bridges are typically useful when building more complex * topologies with many independent perimeters that need to share some data * with a common perimeter, but should not be able to share data among * themselves. * Default value is `PERIMETER_TYPE_REGULAR`. * Possible values are: `PERIMETER_TYPE_REGULAR`, `PERIMETER_TYPE_BRIDGE`. */ perimeterType?: pulumi.Input; /** * Proposed (or dry run) ServicePerimeter configuration. * This configuration allows to specify and test ServicePerimeter configuration * without enforcing actual access restrictions. Only allowed to be set when * the `useExplicitDryRunSpec` flag is set. * Structure is documented below. */ spec?: pulumi.Input; /** * ServicePerimeter configuration. Specifies sets of resources, * restricted services and access levels that determine * perimeter content and boundaries. * Structure is documented below. */ status?: pulumi.Input; /** * Human readable title. Must be unique within the Policy. */ title: pulumi.Input; /** * Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists * for all Service Perimeters, and that spec is identical to the status for those * Service Perimeters. When this flag is set, it inhibits the generation of the * implicit spec, thereby allowing the user to explicitly provide a * configuration ("spec") to use in a dry-run version of the Service Perimeter. * This allows the user to test changes to the enforced config ("status") without * actually enforcing them. This testing is done through analyzing the differences * between currently enforced and suggested restrictions. useExplicitDryRunSpec must * bet set to True if any of the fields in the spec are set to non-default values. */ useExplicitDryRunSpec?: pulumi.Input; }