google_access_context_manager_service_perimeter_ingress_policy

IngressPolicies match requests based on ingressFrom and ingressTo stanzas. For an ingress policy to match, both the ingressFrom and ingressTo stanzas must be matched. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from outside the perimeter. For example, access from the internet can be allowed either based on an AccessLevel or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required. Individual ingress policies can be limited by restricting which services and/or actions they match using the ingressTo field.

To get more information about ServicePerimeterIngressPolicy, see:

Example Usage - Access Context Manager Service Perimeter Ingress Policy

# Perimeter that restricts the Storage API; the ingress policy below is attached to it by name.
resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
  title  = "Storage Perimeter"
  status {
    restricted_services = ["storage.googleapis.com"]
  }
  lifecycle {
    # Projects are added to the perimeter elsewhere, so ignore drift in status.resources.
    ignore_changes = [status[0].resources]
  }
}

# Ingress policy: both ingress_from and ingress_to must match for a request to be admitted.
resource "google_access_context_manager_service_perimeter_ingress_policy" "ingress_policy" {
  perimeter = google_access_context_manager_service_perimeter.storage-perimeter.name
  ingress_from {
    # Any caller identity, from any access level (i.e. any source); deliberately broad for the example.
    identity_type = "any_identity"
    sources {
      access_level = "*"
    }
  }
  ingress_to {
    # Into every resource in the perimeter, but only for BigQuery API methods.
    resources = ["*"]
    operations {
      service_name = "bigquery.googleapis.com"
      method_selectors {
        method = "*"
      }
    }
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "Storage Policy"
}
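As an added illustration of the matching rule described above (both ingress_from and ingress_to must match, and ingress_to can narrow a policy to particular services and methods), the following Python model evaluates sample requests against two policies: the permissive one from the example usage and a constructed tighter one. This is not provider or Google Cloud code; the request shape, project numbers, identity and method names are assumptions made for the example.

```python
"""Simplified model of how a ServicePerimeterIngressPolicy matches a request.

Added illustration (not provider or Google Cloud code): it encodes the rule
that a request is admitted only when BOTH ingress_from and ingress_to match,
using the field names from the resource above and a constructed request shape.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Request:
    """Constructed view of the attributes an ingress evaluation looks at."""
    identity: str                  # e.g. "user:alice@example.com"
    access_levels: FrozenSet[str]  # access levels the caller satisfies
    source_project: Optional[str]  # hosting project for traffic originating on Google Cloud
    target_project: str            # project inside the perimeter being called
    service: str                   # e.g. "bigquery.googleapis.com"
    method: str                    # API method name (sample values here are constructed)


def _identity_ok(ingress_from: dict, req: Request) -> bool:
    itype = ingress_from.get("identity_type")
    if itype == "any_identity":
        return True
    if itype == "any_user_account":
        return req.identity.startswith("user:")
    if itype == "any_service_account":
        return req.identity.startswith("serviceAccount:")
    # No identity_type: the caller must be named explicitly in identities.
    return req.identity in ingress_from.get("identities", [])


def _source_ok(ingress_from: dict, req: Request) -> bool:
    # A source is either an access level ("*" = any) or the hosting project of the network.
    for src in ingress_from.get("sources", []):
        level = src.get("access_level")
        if level is not None and (level == "*" or level in req.access_levels):
            return True
        if src.get("resource") is not None and src["resource"] == req.source_project:
            return True
    return False


def ingress_from_matches(ingress_from: dict, req: Request) -> bool:
    return _identity_ok(ingress_from, req) and _source_ok(ingress_from, req)


def ingress_to_matches(ingress_to: dict, req: Request) -> bool:
    resources = ingress_to.get("resources", [])
    if "*" not in resources and req.target_project not in resources:
        return False
    for op in ingress_to.get("operations", []):
        if op["service_name"] not in ("*", req.service):
            continue
        for sel in op.get("method_selectors", []):
            if sel.get("method") in ("*", req.method):
                return True
    return False  # service or method not listed: ingress_to does not match


def request_allowed(policy: dict, req: Request) -> bool:
    """Both stanzas must match; either one failing means the perimeter blocks the request."""
    return (ingress_from_matches(policy["ingress_from"], req)
            and ingress_to_matches(policy["ingress_to"], req))


# Mirrors the page's example: any identity, any access level, all resources, all BigQuery methods.
PERMISSIVE_POLICY = {
    "ingress_from": {"identity_type": "any_identity", "sources": [{"access_level": "*"}]},
    "ingress_to": {"resources": ["*"],
                   "operations": [{"service_name": "bigquery.googleapis.com",
                                   "method_selectors": [{"method": "*"}]}]},
}

# Constructed tighter policy: one named service account, from one hosting project,
# into one project, for one method (project numbers and names are placeholders).
TIGHT_POLICY = {
    "ingress_from": {"identities": ["serviceAccount:etl@example-src.iam.gserviceaccount.com"],
                     "sources": [{"resource": "projects/111111111111"}]},
    "ingress_to": {"resources": ["projects/222222222222"],
                   "operations": [{"service_name": "bigquery.googleapis.com",
                                   "method_selectors": [{"method": "JobService.Query"}]}]},
}

# Constructed sample requests.
BQ_FROM_INTERNET = Request("user:alice@example.com", frozenset(), None,
                           "projects/222222222222", "bigquery.googleapis.com", "JobService.Query")
STORAGE_FROM_INTERNET = replace(BQ_FROM_INTERNET, service="storage.googleapis.com",
                                method="Objects.Get")
ETL_JOB = Request("serviceAccount:etl@example-src.iam.gserviceaccount.com", frozenset(),
                  "projects/111111111111", "projects/222222222222",
                  "bigquery.googleapis.com", "JobService.Query")
ETL_WRONG_METHOD = replace(ETL_JOB, method="JobService.Insert")
ETL_NO_SOURCE_PROJECT = replace(ETL_JOB, source_project=None)

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("tight", TIGHT_POLICY)):
        for label, req in (("bq-from-internet", BQ_FROM_INTERNET),
                           ("storage-from-internet", STORAGE_FROM_INTERNET),
                           ("etl-job", ETL_JOB)):
            print(f"{name:10} {label:22} allowed={request_allowed(policy, req)}")
```

Running the script shows the two halves of the rule at work: under the permissive policy a BigQuery call from the internet is admitted while a Storage call with the same caller is not, because ingress_to only lists bigquery.googleapis.com; under the tighter policy the same BigQuery call is refused because ingress_from names a specific service account and hosting project, and even the named ETL job is refused if it calls a method other than the one listed.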

Argument Reference

The following arguments are supported:


The ingress_from block supports:

The sources block supports:

The ingress_to block supports:

The operations block supports:

The method_selectors block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

ServicePerimeterIngressPolicy can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import ServicePerimeterIngressPolicy using one of the formats above. For example:

import {
  id = "{{perimeter}}"
  to = google_access_context_manager_service_perimeter_ingress_policy.default
}

When using the terraform import command, ServicePerimeterIngressPolicy can be imported using one of the formats above. For example:

$ terraform import google_access_context_manager_service_perimeter_ingress_policy.default {{perimeter}}