google_access_context_manager_service_perimeter_egress_policy

EgressPolicies match requests based on egressFrom and egressTo stanzas. For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).

To get more information about ServicePerimeterEgressPolicy, see:

Example Usage - Access Context Manager Service Perimeter Egress Policy

# Perimeter that restricts Cloud Storage. The resource names use the API's
# canonical form: accessPolicies/{policy}/servicePerimeters/{perimeter}.
resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/storage-perimeter"
  title  = "Storage Perimeter"
  status {
    restricted_services = ["storage.googleapis.com"]
  }
  lifecycle {
    # Projects are attached to the perimeter by other resources, so Terraform
    # must not try to reconcile the resources list here.
    ignore_changes = [status[0].resources]
  }
}

# Egress policy attached to the perimeter above. This example is the broadest
# possible form: ANY_IDENTITY inside the perimeter may call any BigQuery method
# against any project ("*") outside it. In production, narrow egress_from to
# specific identities and egress_to to specific project numbers and methods.
resource "google_access_context_manager_service_perimeter_egress_policy" "egress_policy" {
  perimeter = google_access_context_manager_service_perimeter.storage-perimeter.name
  egress_from {
    identity_type = "ANY_IDENTITY"
  }
  egress_to {
    resources = ["*"]
    operations {
      service_name = "bigquery.googleapis.com"
      method_selectors {
        method = "*"
      }
    }
  }
  lifecycle {
    # Replace before destroy so the perimeter never briefly has no egress rule.
    create_before_destroy = true
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "Storage Policy"
}
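To make the matching rule concrete ("both egressFrom and egressTo must match, and any matching policy lets the request cross the perimeter"), the following is an added example, not code from the Terraform provider or from Google's VPC Service Controls evaluator. It is a deliberately simplified model of the rule stated above, written against the Access Context Manager API shape (egressFrom / egressTo), and it compares the wide-open policy from the example with a narrowed counterpart. The project numbers, the service-account address and the BigQuery method name are placeholders chosen for illustration; access levels, external resources and permission-based selectors are not modelled. The helper wildcard_findings is a review check that flags policies wildcarded on both stanzas.

```python
"""Simplified model of egress-policy matching for a VPC Service Controls perimeter.

Added example; not the provider's or Google's code. Policies use the API field
names (egressFrom / egressTo). Modelling assumptions are marked inline.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str  # "user:alice@example.com" or "serviceAccount:..."
    resource: str   # target project outside the perimeter, e.g. "projects/222222222222"
    service: str    # e.g. "bigquery.googleapis.com"
    method: str     # API method name as used in methodSelectors


def _from_matches(egress_from: dict, req: Request) -> bool:
    """egressFrom matches on identity type or on an explicit identity list."""
    identity_type = egress_from.get("identityType")
    if identity_type == "ANY_IDENTITY":
        return True
    if identity_type == "ANY_USER_ACCOUNT" and req.principal.startswith("user:"):
        return True
    if identity_type == "ANY_SERVICE_ACCOUNT" and req.principal.startswith("serviceAccount:"):
        return True
    return req.principal in egress_from.get("identities", [])


def _to_matches(egress_to: dict, req: Request) -> bool:
    """egressTo matches when the target resource AND one listed operation match."""
    resources = egress_to.get("resources", [])
    if "*" not in resources and req.resource not in resources:
        return False
    # Modelling assumption: an empty operations list allows nothing.
    for op in egress_to.get("operations", []):
        if op.get("serviceName") not in ("*", req.service):
            continue
        for selector in op.get("methodSelectors", []):
            if selector.get("method") in ("*", req.method):
                return True
    return False


def egress_allowed(policies: list, req: Request) -> bool:
    """A request may cross the perimeter if ANY policy matches on BOTH stanzas."""
    return any(
        _from_matches(p["egressFrom"], req) and _to_matches(p["egressTo"], req)
        for p in policies
    )


def wildcard_findings(policies: list) -> list:
    """Indices of policies that are wildcard on both stanzas: any identity inside
    the perimeter may reach any project outside it for the listed services."""
    return [
        i for i, p in enumerate(policies)
        if p["egressFrom"].get("identityType") == "ANY_IDENTITY"
        and "*" in p["egressTo"].get("resources", [])
    ]


# The policy from the Terraform example above, in API form.
PAGE_POLICY = {
    "egressFrom": {"identityType": "ANY_IDENTITY"},
    "egressTo": {
        "resources": ["*"],
        "operations": [{"serviceName": "bigquery.googleapis.com",
                        "methodSelectors": [{"method": "*"}]}],
    },
}

# Narrowed counterpart (constructed; identity, project number and method are placeholders):
# one pipeline service account, one destination project, one method.
TIGHT_POLICY = {
    "egressFrom": {"identities": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    "egressTo": {
        "resources": ["projects/222222222222"],
        "operations": [{"serviceName": "bigquery.googleapis.com",
                        "methodSelectors": [{"method": "google.cloud.bigquery.v2.JobService.Query"}]}],
    },
}

ETL_SA = "serviceAccount:etl@example-project.iam.gserviceaccount.com"
QUERY = "google.cloud.bigquery.v2.JobService.Query"

if __name__ == "__main__":
    alice = Request("user:alice@example.com", "projects/999999999999", "bigquery.googleapis.com", QUERY)
    print("wide policy, arbitrary user to arbitrary project:", egress_allowed([PAGE_POLICY], alice))
    print("tight policy, same request:", egress_allowed([TIGHT_POLICY], alice))
    print("policies wildcarded on both stanzas:", wildcard_findings([PAGE_POLICY, TIGHT_POLICY]))
```

The narrowed policy corresponds, in this resource's terms, to egress_from { identities = [...] } instead of identity_type = "ANY_IDENTITY", egress_to.resources set to project numbers rather than "*", and a method_selectors.method naming the single method needed. Note that a matching egress policy only lets the request leave the perimeter; IAM on the destination project must still grant the permission.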

Argument Reference

The following arguments are supported:


The egress_from block supports:

The sources block supports:

The egress_to block supports:

The operations block supports:

The method_selectors block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

ServicePerimeterEgressPolicy can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import ServicePerimeterEgressPolicy using one of the formats above. For example:

import {
  id = "{{perimeter}}"
  to = google_access_context_manager_service_perimeter_egress_policy.default
}

When using the terraform import command, ServicePerimeterEgressPolicy can be imported using one of the formats above. For example:

$ terraform import google_access_context_manager_service_perimeter_egress_policy.default {{perimeter}}