google_access_context_manager_service_perimeter

ServicePerimeter describes a set of GCP resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter. If a request with a source within this ServicePerimeter has a target outside of the ServicePerimeter, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter

To get more information about ServicePerimeter, see:

Example Usage - Access Context Manager Service Perimeter Basic

resource "google_access_context_manager_service_perimeter" "service-perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_storage"
  title  = "restrict_storage"
  status {
    restricted_services = ["storage.googleapis.com"]
  }
}

resource "google_access_context_manager_access_level" "access-level" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/chromeos_no_lock"
  title  = "chromeos_no_lock"
  basic {
    conditions {
      device_policy {
        require_screen_lock = false
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}
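The two perimeter types the description refers to, regular and bridge, shown together as an added example (not part of the provider documentation). Each project can belong to at most one regular perimeter, which is where restricted services, access levels and ingress/egress rules live; a bridge perimeter carries only a list of resources and lets projects in different regular perimeters call each other's restricted services. The project numbers, perimeter names and the organization ID are placeholders.

```hcl
# Added example: one regular perimeter per project, plus a bridge between them.
# Organization ID and project numbers are placeholders.

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}

resource "google_access_context_manager_service_perimeter" "data" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/data_perimeter"
  title          = "data_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    # Projects are listed by project number, not project ID.
    resources           = ["projects/111111111111"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    vpc_accessible_services {
      enable_restriction = true
      # Special value: from inside the VPC, only the restricted services are reachable.
      allowed_services = ["RESTRICTED-SERVICES"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "analytics" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/analytics_perimeter"
  title          = "analytics_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    resources           = ["projects/222222222222"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}

# A bridge perimeter lists resources only. It has no restricted services,
# access levels or ingress/egress rules; those come from each project's
# regular perimeter. With this bridge in place, a Storage or BigQuery call
# from project 1111... to project 2222... (or back) is no longer treated as
# crossing a perimeter boundary.
resource "google_access_context_manager_service_perimeter" "bridge" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/data_analytics_bridge"
  title          = "data_analytics_bridge"
  perimeter_type = "PERIMETER_TYPE_BRIDGE"
  status {
    resources = ["projects/111111111111", "projects/222222222222"]
  }
}
```

Without the bridge, the same cross-project call is denied by both regular perimeters, because the caller's project is inside one perimeter and the target is inside another. The bridge does not widen what either perimeter allows from outside; requests from the public internet or from unlisted projects are still governed by each regular perimeter's access levels and ingress rules.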

Example Usage - Access Context Manager Service Perimeter Secure Data Exchange

resource "google_access_context_manager_service_perimeters" "secure-data-exchange" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"

  service_perimeters {
    # Illustrative perimeter name and title.
    name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_storage"
    title  = "restrict_storage"
    status {
      restricted_services = ["storage.googleapis.com"]
    }
  }

  service_perimeters {
    # Illustrative perimeter name and title.
    name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_bigtable"
    title  = "restrict_bigtable"
    status {
      restricted_services = ["bigtable.googleapis.com"]
      # From inside the perimeter's VPC networks, only the listed services
      # are reachable; every other Google API is blocked.
      vpc_accessible_services {
        enable_restriction = true
        allowed_services   = ["bigquery.googleapis.com"]
      }
    }
  }
}

resource "google_access_context_manager_access_level" "access-level" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/secure_data_exchange"
  title  = "secure_data_exchange"
  basic {
    conditions {
      device_policy {
        require_screen_lock = false
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}

resource "google_access_context_manager_service_perimeter" "test-access" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  # Illustrative perimeter name and title.
  name           = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/secure_data_exchange"
  title          = "secure_data_exchange"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.access-level.name]

    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["bigquery.googleapis.com", "storage.googleapis.com"]
    }

    # Ingress: any identity that satisfies the access level may call only the
    # listed BigQuery methods/permission and create Storage objects.
    ingress_policies {
      ingress_from {
        sources {
          access_level = google_access_context_manager_access_level.access-level.name
        }
        identity_type = "ANY_IDENTITY"
      }

      ingress_to {
        resources = ["*"]
        operations {
          service_name = "bigquery.googleapis.com"

          method_selectors {
            method = "BigQueryStorage.ReadRows"
          }

          method_selectors {
            method = "TableService.ListTables"
          }

          method_selectors {
            permission = "bigquery.jobs.get"
          }
        }

        operations {
          service_name = "storage.googleapis.com"

          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }

    # Egress: scoped by identity type only; no egress_to is given here.
    egress_policies {
      egress_from {
        identity_type = "ANY_USER_ACCOUNT"
      }
    }
  }
}

Example Usage - Access Context Manager Service Perimeter Dry-Run

resource "google_access_context_manager_service_perimeter" "service-perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_bigquery_dryrun_storage"
  title  = "restrict_bigquery_dryrun_storage"

  # Service 'bigquery.googleapis.com' will be restricted.
  status {
    restricted_services = ["bigquery.googleapis.com"]
  }

  # Service 'storage.googleapis.com' will be in dry-run mode.
  spec {
    restricted_services = ["storage.googleapis.com"]
  }

  use_explicit_dry_run_spec = true

}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}

Example Usage - Access Context Manager Service Perimeter Granular Controls

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "Policy with Granular Controls Group Support"
}

resource "google_access_context_manager_service_perimeter" "test-access" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  # Illustrative perimeter name and title.
  name           = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/granular_controls"
  title          = "granular_controls"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]

    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["bigquery.googleapis.com", "storage.googleapis.com"]
    }

    ingress_policies {
      ingress_from {
        sources {
          # An access level defined as in the examples above.
          access_level = google_access_context_manager_access_level.access-level.name
        }
        # identities is one list: a Google group, a single workforce-pool
        # subject, and every subject in a workforce pool.
        identities = [
          "group:database-admins@google.com",
          "principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe",
          "principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*",
        ]
      }

      ingress_to {
        resources = ["*"]
        operations {
          service_name = "storage.googleapis.com"

          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }

    egress_policies {
      egress_from {
        identities = [
          "group:database-admins@google.com",
          "principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe",
          "principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*",
        ]
      }
      egress_to {
        resources = ["*"]
        operations {
          service_name = "storage.googleapis.com"

          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }
  }
}
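The granular example above lets the listed identities reach any resource (resources = ["*"]) in both directions. As an added example (not from the provider documentation), here is the same mechanism written the way a least-privilege rule would be: ingress for one service account, only when the request originates in one named project, only for BigQuery job creation; and egress for that same service account, only into one external project, only for Cloud Storage object creation. The project numbers, service account address and perimeter name are placeholders; the access policy is the one defined in the examples above.

```hcl
# Added example: ingress and egress rules narrowed to one identity, one
# source project, one destination project and one operation each.
# Project numbers and the service account are placeholders.

resource "google_access_context_manager_service_perimeter" "scoped" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/scoped_exchange"
  title          = "scoped_exchange"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    resources           = ["projects/111111111111"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]

    # Ingress: the ETL service account, only from the loader project
    # (matched by project number, not by access level), only to submit
    # BigQuery jobs against the perimeter project.
    ingress_policies {
      ingress_from {
        sources {
          resource = "projects/333333333333"
        }
        identities = ["serviceAccount:etl-loader@loader-project.iam.gserviceaccount.com"]
      }
      ingress_to {
        resources = ["projects/111111111111"]
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors {
            permission = "bigquery.jobs.create"
          }
        }
      }
    }

    # Egress: the same service account may create objects in one external
    # project and nothing else. Reads, listing and deletes outside the
    # perimeter stay blocked, as does every other identity.
    egress_policies {
      egress_from {
        identities = ["serviceAccount:etl-loader@loader-project.iam.gserviceaccount.com"]
      }
      egress_to {
        resources = ["projects/444444444444"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }
  }
}
```

Each rule names the identity, the source or destination project, the service and the method or permission; widening any one of those to "*" is a deliberate choice that should be visible in review. Roll a change like this out the way the dry-run example does: put the new rules under spec with use_explicit_dry_run_spec = true, watch the policy audit log (log_id cloudaudit.googleapis.com/policy) for entries whose protoPayload.metadata.dryRun is true, and move the rules into status only once those entries stop appearing.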

Argument Reference

The following arguments are supported:


The status block supports:

The vpc_accessible_services block supports:

The ingress_policies block supports:

The ingress_from block supports:

The sources block supports:

The ingress_to block supports:

The operations block supports:

The method_selectors block supports:

The egress_policies block supports:

The egress_from block supports:

The sources block supports:

The egress_to block supports:

The operations block supports:

The method_selectors block supports:

The spec block supports:

The vpc_accessible_services block supports:

The ingress_policies block supports:

The ingress_from block supports:

The sources block supports:

The ingress_to block supports:

The operations block supports:

The method_selectors block supports:

The egress_policies block supports:

The egress_from block supports:

The sources block supports:

The egress_to block supports:

The operations block supports:

The method_selectors block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

ServicePerimeter can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import ServicePerimeter using one of the formats above. For example:

import {
  id = "{{name}}"
  to = google_access_context_manager_service_perimeter.default
}

When using the terraform import command, ServicePerimeter can be imported using one of the formats above. For example:

$ terraform import google_access_context_manager_service_perimeter.default {{name}}