Skip to content

Commit

Permalink
Add dry run version of ingress and egress policy resources
Browse files Browse the repository at this point in the history
  • Loading branch information
Charlesleonius committed Jul 8, 2024
1 parent bb3772e commit 6034a6b
Show file tree
Hide file tree
Showing 13 changed files with 733 additions and 13 deletions.
164 changes: 164 additions & 0 deletions mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
# Copyright 2018 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- !ruby/object:Api::Resource
name: 'ServicePerimeterDryRunEgressPolicy'
create_url: '{{perimeter}}'
base_url: ''
self_link: '{{perimeter}}'
create_verb: :PATCH
delete_verb: :PATCH
update_mask: true
immutable: true
identity:
- egressFrom
- egressTo
nested_query: !ruby/object:Api::Resource::NestedQuery
modify_by_patch: true
is_list_of_ids: false
keys:
- spec
- egressPolicies
references: !ruby/object:Api::Resource::ReferenceLinks
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#egresspolicy'
description: |
Manage a single EgressPolicy in the spec (dry-run) configuration for a service perimeter.
EgressPolicies match requests based on egressFrom and egressTo stanzas.
For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched.
If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter
boundary. For example, an EgressPolicy can be used to allow VMs on networks
within the ServicePerimeter to access a defined set of projects outside the
perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket
or query against a BigQuery dataset).
~> **Note:** By default, updates to this resource will remove the EgressPolicy from the
from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy
is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
examples:
- !ruby/object:Provider::Terraform::Examples
name: 'access_context_manager_service_perimeter_dry_run_egress_policy'
skip_test: true
autogen_async: true
exclude_tgc: true
# Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
skip_sweeper: true
exclude_import: true
id_format: '{{perimeter}}'
import_format: ['{{perimeter}}']
mutex: '{{perimeter}}'
custom_code: !ruby/object:Provider::Terraform::CustomCode
custom_import: templates/terraform/custom_import/access_context_manager_service_perimeter_ingress_policy.go.erb
pre_update: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
pre_create: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
pre_delete: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
parameters:
- !ruby/object:Api::Type::ResourceRef
name: 'perimeter'
resource: 'ServicePerimeter'
imports: 'name'
description: |
The name of the Service Perimeter to add this resource to.
required: true
url_param_only: true
properties:
- !ruby/object:Api::Type::NestedObject
name: 'egressFrom'
description: |
Defines conditions on the source of a request causing this `EgressPolicy` to apply.
properties:
- !ruby/object:Api::Type::Enum
name: 'identityType'
description: |
Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of `identities` field will
be allowed access.
values:
- :ANY_IDENTITY
- :ANY_USER_ACCOUNT
- :ANY_SERVICE_ACCOUNT
- !ruby/object:Api::Type::Array
name: 'identities'
description: |
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'sources'
description: 'Sources that this EgressPolicy authorizes access from.'
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
name: 'accessLevel'
description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
- !ruby/object:Api::Type::Enum
name: 'sourceRestriction'
description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
values:
- :SOURCE_RESTRICTION_UNSPECIFIED
- :SOURCE_RESTRICTION_ENABLED
- :SOURCE_RESTRICTION_DISABLED
- !ruby/object:Api::Type::NestedObject
name: 'egressTo'
description: |
Defines the conditions on the `ApiOperation` and destination resources that
cause this `EgressPolicy` to apply.
properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, that match this to stanza. A request matches
if it contains a resource in this list. If * is specified for resources,
then this `EgressTo` rule will authorize access to all resources outside
the perimeter.
- !ruby/object:Api::Type::Array
name: 'externalResources'
item_type: Api::Type::String
description: |
A list of external resources that are allowed to be accessed. A request
matches if it contains an external resource in this list (Example:
s3://bucket/path). Currently '*' is not allowed.
- !ruby/object:Api::Type::Array
name: 'operations'
description: |
A list of `ApiOperations` that this egress rule applies to. A request matches
if it contains an operation/service in this list.
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
name: 'serviceName'
description: |
The name of the API whose methods or permissions the `IngressPolicy` or
`EgressPolicy` want to allow. A single `ApiOperation` with serviceName
field set to `*` will allow all methods AND permissions for all services.
- !ruby/object:Api::Type::Array
name: 'methodSelectors'
description: |
API methods or permissions to allow. Method or permission must belong
to the service specified by `serviceName` field. A single MethodSelector
entry with `*` specified for the `method` field will allow all methods
AND permissions for the service specified in `serviceName`.
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
name: 'method'
description: |
Value for `method` should be a valid method name for the corresponding
`serviceName` in `ApiOperation`. If `*` used as value for method,
then ALL methods and permissions are allowed.
- !ruby/object:Api::Type::String
name: 'permission'
description: |
Value for permission should be a valid Cloud IAM permission for the
corresponding `serviceName` in `ApiOperation`.
173 changes: 173 additions & 0 deletions mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
# Copyright 2018 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- !ruby/object:Api::Resource
name: 'ServicePerimeterDryRunIngressPolicy'
create_url: '{{perimeter}}'
base_url: ''
self_link: '{{perimeter}}'
create_verb: :PATCH
delete_verb: :PATCH
update_mask: true
immutable: true
identity:
- ingressFrom
- ingressTo
nested_query: !ruby/object:Api::Resource::NestedQuery
modify_by_patch: true
is_list_of_ids: false
keys:
- spec
- ingressPolicies
references: !ruby/object:Api::Resource::ReferenceLinks
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#ingresspolicy'
description: |
Manage a single IngressPolicy in the spec (dry-run) configuration for a service perimeter.
IngressPolicies match requests based on ingressFrom and ingressTo stanzas. For an ingress policy to match,
both the ingressFrom and ingressTo stanzas must be matched. If an IngressPolicy matches a request,
the request is allowed through the perimeter boundary from outside the perimeter.
For example, access from the internet can be allowed either based on an AccessLevel or,
for traffic hosted on Google Cloud, the project of the source network.
For access from private networks, using the project of the hosting network is required.
Individual ingress policies can be limited by restricting which services and/
or actions they match using the ingressTo field.
~> **Note:** By default, updates to this resource will remove the IngressPolicy from the
from the perimeter and add it back in a non-atomic manner. To ensure that the new IngressPolicy
is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
examples:
- !ruby/object:Provider::Terraform::Examples
name: 'access_context_manager_service_perimeter_dry_run_ingress_policy'
skip_test: true
autogen_async: true
exclude_tgc: true
# Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
skip_sweeper: true
exclude_import: true
id_format: '{{perimeter}}'
import_format: ['{{perimeter}}']
mutex: '{{perimeter}}'
custom_code: !ruby/object:Provider::Terraform::CustomCode
custom_import: templates/terraform/custom_import/access_context_manager_service_perimeter_ingress_policy.go.erb
pre_update: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
pre_create: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
pre_delete: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
parameters:
- !ruby/object:Api::Type::ResourceRef
name: 'perimeter'
resource: 'ServicePerimeter'
imports: 'name'
description: |
The name of the Service Perimeter to add this resource to.
required: true
url_param_only: true
properties:
- !ruby/object:Api::Type::NestedObject
name: 'ingressFrom'
description: |
Defines the conditions on the source of a request causing this `IngressPolicy`
to apply.
properties:
- !ruby/object:Api::Type::Enum
name: 'identityType'
description: |
Specifies the type of identities that are allowed access from outside the
perimeter. If left unspecified, then members of `identities` field will be
allowed access.
values:
- :ANY_IDENTITY
- :ANY_USER_ACCOUNT
- :ANY_SERVICE_ACCOUNT
- !ruby/object:Api::Type::Array
name: 'identities'
item_type: Api::Type::String
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
individual user or service account only.
- !ruby/object:Api::Type::Array
name: 'sources'
description: |
Sources that this `IngressPolicy` authorizes access from.
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
name: 'accessLevel'
description: |
An `AccessLevel` resource name that allow resources within the
`ServicePerimeters` to be accessed from the internet. `AccessLevels` listed
must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent
`AccessLevel` will cause an error. If no `AccessLevel` names are listed,
resources within the perimeter can only be accessed via Google Cloud calls
with request origins within the perimeter.
Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.`
If * is specified, then all IngressSources will be allowed.
- !ruby/object:Api::Type::String
name: 'resource'
description: |
A Google Cloud resource that is allowed to ingress the perimeter.
Requests from these resources will be allowed to access perimeter data.
Currently only projects are allowed. Format `projects/{project_number}`
The project may be in any Google Cloud organization, not just the
organization that the perimeter is defined in. `*` is not allowed, the case
of allowing all Google Cloud resources only is not supported.
- !ruby/object:Api::Type::NestedObject
name: 'ingressTo'
description: |
Defines the conditions on the `ApiOperation` and request destination that cause
this `IngressPolicy` to apply.
properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, protected by this `ServicePerimeter`
that are allowed to be accessed by sources defined in the
corresponding `IngressFrom`. A request matches if it contains
a resource in this list. If `*` is specified for resources,
then this `IngressTo` rule will authorize access to all
resources inside the perimeter, provided that the request
also matches the `operations` field.
- !ruby/object:Api::Type::Array
name: 'operations'
description: |
A list of `ApiOperations` the sources specified in corresponding `IngressFrom`
are allowed to perform in this `ServicePerimeter`.
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
name: 'serviceName'
description: |
The name of the API whose methods or permissions the `IngressPolicy` or
`EgressPolicy` want to allow. A single `ApiOperation` with `serviceName`
field set to `*` will allow all methods AND permissions for all services.
- !ruby/object:Api::Type::Array
name: 'methodSelectors'
description: |
API methods or permissions to allow. Method or permission must belong to
the service specified by serviceName field. A single `MethodSelector` entry
with `*` specified for the method field will allow all methods AND
permissions for the service specified in `serviceName`.
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
name: 'method'
description: |
Value for method should be a valid method name for the corresponding
serviceName in `ApiOperation`. If `*` used as value for `method`, then
ALL methods and permissions are allowed.
- !ruby/object:Api::Type::String
name: 'permission'
description: |
Value for permission should be a valid Cloud IAM permission for the
corresponding `serviceName` in `ApiOperation`.
6 changes: 3 additions & 3 deletions mmv1/products/accesscontextmanager/ServicePerimeterDryRunResource.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,9 +65,9 @@ examples:
service_perimeter_name: 'restrict_all'
custom_code: !ruby/object:Provider::Terraform::CustomCode
custom_import: templates/terraform/custom_import/access_context_manager_service_perimeter_resource.go.erb
pre_update: templates/terraform/pre_create/access_context_manager_service_perimeter_dry_run_resource.go.erb
pre_create: templates/terraform/pre_create/access_context_manager_service_perimeter_dry_run_resource.go.erb
pre_delete: templates/terraform/pre_create/access_context_manager_service_perimeter_dry_run_resource.go.erb
pre_update: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
pre_create: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
pre_delete: templates/terraform/pre_create/access_context_manager_dry_run_resource.go.erb
parameters:
- !ruby/object:Api::Type::ResourceRef
name: 'perimeterName'
Expand Down
2 changes: 2 additions & 0 deletions mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ nested_query: !ruby/object:Api::Resource::NestedQuery
references: !ruby/object:Api::Resource::ReferenceLinks
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#egresspolicy'
description: |
Manage a single EgressPolicy in the status (enforced) configuration for a service perimeter.
EgressPolicies match requests based on egressFrom and egressTo stanzas.
For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched.
If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter
Expand All @@ -50,6 +51,7 @@ autogen_async: true
exclude_tgc: true
# Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
skip_sweeper: true
exclude_import: true
id_format: '{{perimeter}}'
import_format: ['{{perimeter}}']
mutex: '{{perimeter}}'
Expand Down
2 changes: 2 additions & 0 deletions mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ nested_query: !ruby/object:Api::Resource::NestedQuery
references: !ruby/object:Api::Resource::ReferenceLinks
api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#ingresspolicy'
description: |
Manage a single IngressPolicy in the status (enforced) configuration for a service perimeter.
IngressPolicies match requests based on ingressFrom and ingressTo stanzas. For an ingress policy to match,
both the ingressFrom and ingressTo stanzas must be matched. If an IngressPolicy matches a request,
the request is allowed through the perimeter boundary from outside the perimeter.
Expand All @@ -51,6 +52,7 @@ autogen_async: true
exclude_tgc: true
# Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
skip_sweeper: true
exclude_import: true
id_format: '{{perimeter}}'
import_format: ['{{perimeter}}']
mutex: '{{perimeter}}'
Expand Down
Loading

0 comments on commit 6034a6b

Please sign in to comment.