EgressPolicies match requests based on egressFrom and egressTo stanzas. For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).
To get more information about ServicePerimeterEgressPolicy, see:
resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
  title  = "Storage Perimeter"

  status {
    restricted_services = ["storage.googleapis.com"]
  }

  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

resource "google_access_context_manager_service_perimeter_egress_policy" "egress_policy" {
  perimeter = google_access_context_manager_service_perimeter.storage-perimeter.name

  egress_from {
    identity_type = "ANY_IDENTITY"
  }

  egress_to {
    resources = ["*"]

    operations {
      service_name = "bigquery.googleapis.com"

      method_selectors {
        method = "*"
      }
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "Storage Policy"
}
The following arguments are supported:

perimeter - (Required) The name of the Service Perimeter to add this resource to.

egress_from - (Optional) Defines conditions on the source of a request causing this EgressPolicy to apply. Structure is documented below.

egress_to - (Optional) Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply. Structure is documented below.

The egress_from block supports:

identity_type - (Optional) Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access. Possible values are: ANY_IDENTITY, ANY_USER_ACCOUNT, ANY_SERVICE_ACCOUNT.

identities - (Optional) A list of identities that are allowed access through this EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group.

sources - (Optional) Sources that this EgressPolicy authorizes access from. Structure is documented below.

source_restriction - (Optional) Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED. Possible values are: SOURCE_RESTRICTION_UNSPECIFIED, SOURCE_RESTRICTION_ENABLED, SOURCE_RESTRICTION_DISABLED.
The sources block supports:

access_level - (Optional) An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.

The egress_to block supports:

resources - (Optional) A list of resources, currently only projects in the form projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.

external_resources - (Optional) A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.

operations - (Optional) A list of ApiOperations that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below.

The operations block supports:

service_name - (Optional) The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with the serviceName field set to * will allow all methods AND permissions for all services.

method_selectors - (Optional) API methods or permissions to allow. The method or permission must belong to the service specified by the serviceName field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in serviceName. Structure is documented below.

The method_selectors block supports:

method - (Optional) The value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.

permission - (Optional) The value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation.
In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format {{perimeter}}

This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.
delete - Default is 20 minutes.

ServicePerimeterEgressPolicy can be imported using any of these accepted formats:

{{perimeter}}

In Terraform v1.5.0 and later, use an import block to import ServicePerimeterEgressPolicy using one of the formats above. For example:

import {
  id = "{{perimeter}}"
  to = google_access_context_manager_service_perimeter_egress_policy.default
}

When using the terraform import command, ServicePerimeterEgressPolicy can be imported using one of the formats above. For example:

$ terraform import google_access_context_manager_service_perimeter_egress_policy.default {{perimeter}}