IngressPolicies match requests based on ingressFrom and ingressTo stanzas. For an ingress policy to match, both the ingressFrom and ingressTo stanzas must match. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from outside the perimeter. For example, access from the internet can be allowed either based on an AccessLevel or, for traffic hosted on Google Cloud, on the project of the source network. For access from private networks, using the project of the hosting network is required. Individual ingress policies can be limited by restricting which services and/or actions they match using the ingressTo field. Because a single matching policy is enough to admit a request, each policy should be scoped as narrowly as its use case allows: a specific identity or identity type, a specific source, a specific protected project, and a specific service and method. Ingress policies only affect services that the perimeter lists in restricted_services; operations on unrestricted services are not subject to them.
To get more information about ServicePerimeterIngressPolicy, see:
resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
  title  = "Storage Perimeter"
  status {
    restricted_services = ["storage.googleapis.com"]
  }
  lifecycle {
    # Protected projects are managed by separate resources; don't fight them here.
    ignore_changes = [status[0].resources]
  }
}

resource "google_access_context_manager_service_perimeter_ingress_policy" "ingress_policy" {
  perimeter = google_access_context_manager_service_perimeter.storage-perimeter.name
  ingress_from {
    # Enum values are upper-case; "any_identity" is rejected by validation.
    identity_type = "ANY_IDENTITY"
    sources {
      access_level = "*"
    }
  }
  ingress_to {
    resources = ["*"]
    operations {
      service_name = "bigquery.googleapis.com"
      method_selectors {
        method = "*"
      }
    }
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "Storage Policy"
}
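The example above is deliberately permissive: any identity, from any source (access_level = "*"), may call every BigQuery method against every protected project, which amounts to switching the perimeter off for that service (and, as written, has no effect at all until bigquery.googleapis.com is added to restricted_services). The following is an added example, not part of the provider documentation, showing the least-privilege shape the paragraph above describes: one workload identity, admitted either from the internet via an access level or from a private network via its hosting project, to one protected project, for one Cloud Storage method. It reuses the access-policy and storage-perimeter resources from the page; the project numbers 111111111111 and 222222222222, the 203.0.113.0/24 range, the loader@... service account and the corp_egress_ips level are hypothetical placeholders, and the method name must be one the VPC Service Controls supported-methods list allows for the service.

```hcl
# Added example (not from the provider docs): a least-privilege ingress policy.
# Assumed: the access-policy and storage-perimeter resources from the page's
# example; project 111111111111 hosts the trusted client network, project
# 222222222222 sits inside the perimeter; CIDR and service account are placeholders.

resource "google_access_context_manager_access_level" "corp_egress_ips" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/corp_egress_ips"
  title  = "Corporate egress IPs"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"] # hypothetical corporate NAT range
    }
  }
}

resource "google_access_context_manager_service_perimeter_ingress_policy" "loader_read_only" {
  perimeter = google_access_context_manager_service_perimeter.storage-perimeter.name

  ingress_from {
    # A single workload identity instead of identity_type = "ANY_IDENTITY".
    # identity_type is left unset so only the listed identities match.
    # Identities use the IAM member syntax (user:, serviceAccount:, group:).
    identities = ["serviceAccount:loader@example-project.iam.gserviceaccount.com"]

    # Internet callers: must satisfy the access level (a source-IP check here)
    # instead of access_level = "*".
    sources {
      access_level = google_access_context_manager_access_level.corp_egress_ips.name
    }

    # Google Cloud / private-network callers: identified by the project that
    # hosts the client network. Either sources entry may match, but the
    # identity condition above must hold as well.
    sources {
      resource = "projects/111111111111"
    }
  }

  ingress_to {
    # One protected project instead of "*".
    resources = ["projects/222222222222"]

    # One restricted service and one method instead of method = "*":
    # object reads only, no listing, writes or bucket administration.
    operations {
      service_name = "storage.googleapis.com"
      method_selectors {
        method = "google.storage.objects.get"
      }
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

Two things to check after applying such a policy: that the service named in ingress_to is actually in the perimeter's restricted_services (otherwise the rule is inert), and that no other, broader ingress policy on the same perimeter still matches the request, since any single matching policy admits it.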
The following arguments are supported:

perimeter - (Required) The name of the Service Perimeter to add this resource to.

ingress_from - (Optional) Defines the conditions on the source of a request causing this IngressPolicy to apply. Structure is documented below.

ingress_to - (Optional) Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply. Structure is documented below.

The ingress_from block supports:

identity_type - (Optional) Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access. Possible values are: ANY_IDENTITY, ANY_USER_ACCOUNT, ANY_SERVICE_ACCOUNT.

identities - (Optional) A list of identities that are allowed access through this IngressPolicy. Each entry is an email address representing an individual user, service account, or Google group, written with the IAM member prefix (user:, serviceAccount:, group:).

sources - (Optional) Sources that this IngressPolicy authorizes access from. Structure is documented below.

The sources block supports:

access_level - (Optional) An AccessLevel resource name that allows resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If * is specified, then all IngressSources will be allowed.

resource - (Optional) A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed, in the format projects/{project_number}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources (and only those) is not supported.

The ingress_to block supports:

resources - (Optional) A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this IngressTo rule will authorize access to all resources inside the perimeter, provided that the request also matches the operations field.

operations - (Optional) A list of ApiOperations that the sources specified in the corresponding IngressFrom are allowed to perform in this ServicePerimeter. Structure is documented below.

The operations block supports:

service_name - (Optional) The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with the serviceName field set to * will allow all methods AND permissions for all services.

method_selectors - (Optional) API methods or permissions to allow. The method or permission must belong to the service specified by serviceName. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in serviceName. Structure is documented below.

The method_selectors block supports:

method - (Optional) Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.

permission - (Optional) Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation.
In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format {{perimeter}}

This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.
delete - Default is 20 minutes.

ServicePerimeterIngressPolicy can be imported using any of these accepted formats:

{{perimeter}}

In Terraform v1.5.0 and later, use an import block to import ServicePerimeterIngressPolicy using one of the formats above. For example:

import {
  id = "{{perimeter}}"
  to = google_access_context_manager_service_perimeter_ingress_policy.default
}

When using the terraform import command, ServicePerimeterIngressPolicy can be imported using one of the formats above. For example:

$ terraform import google_access_context_manager_service_perimeter_ingress_policy.default {{perimeter}}