Docs
PackagesGoogle Cloud Classic v7.20.0 published on Wednesday, Apr 24, 2024 by Pulumi
gcp.accesscontextmanager.ServicePerimeterEgressPolicy
Explore with Pulumi AI
EgressPolicies match requests based on egressFrom and egressTo stanzas. For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).
Note: By default, updates to this resource will remove the EgressPolicy from the from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy is added before the old one is removed, add a
lifecycleblock withcreate_before_destroy = trueto this resource.
To get more information about ServicePerimeterEgressPolicy, see:
Example Usage
Access Context Manager Service Perimeter Egress Policy
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", {
parent: "organizations/123456789",
title: "Storage Policy",
});
const storage_perimeter = new gcp.accesscontextmanager.ServicePerimeter("storage-perimeter", {
parent: pulumi.interpolate`accesspolicies/${access_policy.name}`,
name: pulumi.interpolate`accesspolicies/${access_policy.name}/serviceperimeters/storage-perimeter`,
title: "Storage Perimeter",
status: {
restrictedServices: ["storage.googleapis.com"],
},
});
const egressPolicy = new gcp.accesscontextmanager.ServicePerimeterEgressPolicy("egress_policy", {
perimeter: storage_perimeter.name,
egressFrom: {
identityType: "ANY_IDENTITY",
},
egressTo: {
resources: ["*"],
operations: [{
serviceName: "bigquery.googleapis.com",
methodSelectors: [{
method: "*",
}],
}],
},
});
import pulumi
import pulumi_gcp as gcp
access_policy = gcp.accesscontextmanager.AccessPolicy("access-policy",
parent="organizations/123456789",
title="Storage Policy")
storage_perimeter = gcp.accesscontextmanager.ServicePerimeter("storage-perimeter",
parent=access_policy.name.apply(lambda name: f"accesspolicies/{name}"),
name=access_policy.name.apply(lambda name: f"accesspolicies/{name}/serviceperimeters/storage-perimeter"),
title="Storage Perimeter",
status=gcp.accesscontextmanager.ServicePerimeterStatusArgs(
restricted_services=["storage.googleapis.com"],
))
egress_policy = gcp.accesscontextmanager.ServicePerimeterEgressPolicy("egress_policy",
perimeter=storage_perimeter.name,
egress_from=gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressFromArgs(
identity_type="ANY_IDENTITY",
),
egress_to=gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressToArgs(
resources=["*"],
operations=[gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArgs(
service_name="bigquery.googleapis.com",
method_selectors=[gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs(
method="*",
)],
)],
))
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/accesscontextmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := accesscontextmanager.NewAccessPolicy(ctx, "access-policy", &accesscontextmanager.AccessPolicyArgs{
Parent: pulumi.String("organizations/123456789"),
Title: pulumi.String("Storage Policy"),
})
if err != nil {
return err
}
_, err = accesscontextmanager.NewServicePerimeter(ctx, "storage-perimeter", &accesscontextmanager.ServicePerimeterArgs{
Parent: access_policy.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("accesspolicies/%v", name), nil
}).(pulumi.StringOutput),
Name: access_policy.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("accesspolicies/%v/serviceperimeters/storage-perimeter", name), nil
}).(pulumi.StringOutput),
Title: pulumi.String("Storage Perimeter"),
Status: &accesscontextmanager.ServicePerimeterStatusArgs{
RestrictedServices: pulumi.StringArray{
pulumi.String("storage.googleapis.com"),
},
},
})
if err != nil {
return err
}
_, err = accesscontextmanager.NewServicePerimeterEgressPolicy(ctx, "egress_policy", &accesscontextmanager.ServicePerimeterEgressPolicyArgs{
Perimeter: storage_perimeter.Name,
EgressFrom: &accesscontextmanager.ServicePerimeterEgressPolicyEgressFromArgs{
IdentityType: pulumi.String("ANY_IDENTITY"),
},
EgressTo: &accesscontextmanager.ServicePerimeterEgressPolicyEgressToArgs{
Resources: pulumi.StringArray{
pulumi.String("*"),
},
Operations: accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArgs{
ServiceName: pulumi.String("bigquery.googleapis.com"),
MethodSelectors: accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs{
Method: pulumi.String("*"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var access_policy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new()
{
Parent = "organizations/123456789",
Title = "Storage Policy",
});
var storage_perimeter = new Gcp.AccessContextManager.ServicePerimeter("storage-perimeter", new()
{
Parent = access_policy.Name.Apply(name => $"accesspolicies/{name}"),
Name = access_policy.Name.Apply(name => $"accesspolicies/{name}/serviceperimeters/storage-perimeter"),
Title = "Storage Perimeter",
Status = new Gcp.AccessContextManager.Inputs.ServicePerimeterStatusArgs
{
RestrictedServices = new[]
{
"storage.googleapis.com",
},
},
});
var egressPolicy = new Gcp.AccessContextManager.ServicePerimeterEgressPolicy("egress_policy", new()
{
Perimeter = storage_perimeter.Name,
EgressFrom = new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressFromArgs
{
IdentityType = "ANY_IDENTITY",
},
EgressTo = new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToArgs
{
Resources = new[]
{
"*",
},
Operations = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToOperationArgs
{
ServiceName = "bigquery.googleapis.com",
MethodSelectors = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs
{
Method = "*",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accesscontextmanager.AccessPolicy;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyArgs;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeter;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterArgs;
import com.pulumi.gcp.accesscontextmanager.inputs.ServicePerimeterStatusArgs;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterEgressPolicy;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterEgressPolicyArgs;
import com.pulumi.gcp.accesscontextmanager.inputs.ServicePerimeterEgressPolicyEgressFromArgs;
import com.pulumi.gcp.accesscontextmanager.inputs.ServicePerimeterEgressPolicyEgressToArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var access_policy = new AccessPolicy("access-policy", AccessPolicyArgs.builder()
.parent("organizations/123456789")
.title("Storage Policy")
.build());
var storage_perimeter = new ServicePerimeter("storage-perimeter", ServicePerimeterArgs.builder()
.parent(access_policy.name().applyValue(name -> String.format("accesspolicies/%s", name)))
.name(access_policy.name().applyValue(name -> String.format("accesspolicies/%s/serviceperimeters/storage-perimeter", name)))
.title("Storage Perimeter")
.status(ServicePerimeterStatusArgs.builder()
.restrictedServices("storage.googleapis.com")
.build())
.build());
var egressPolicy = new ServicePerimeterEgressPolicy("egressPolicy", ServicePerimeterEgressPolicyArgs.builder()
.perimeter(storage_perimeter.name())
.egressFrom(ServicePerimeterEgressPolicyEgressFromArgs.builder()
.identityType("ANY_IDENTITY")
.build())
.egressTo(ServicePerimeterEgressPolicyEgressToArgs.builder()
.resources("*")
.operations(ServicePerimeterEgressPolicyEgressToOperationArgs.builder()
.serviceName("bigquery.googleapis.com")
.methodSelectors(ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs.builder()
.method("*")
.build())
.build())
.build())
.build());
}
}
resources:
storage-perimeter:
type: gcp:accesscontextmanager:ServicePerimeter
properties:
parent: accesspolicies/${["access-policy"].name}
name: accesspolicies/${["access-policy"].name}/serviceperimeters/storage-perimeter
title: Storage Perimeter
status:
restrictedServices:
- storage.googleapis.com
egressPolicy:
type: gcp:accesscontextmanager:ServicePerimeterEgressPolicy
name: egress_policy
properties:
perimeter: ${["storage-perimeter"].name}
egressFrom:
identityType: ANY_IDENTITY
egressTo:
resources:
- '*'
operations:
- serviceName: bigquery.googleapis.com
methodSelectors:
- method: '*'
access-policy:
type: gcp:accesscontextmanager:AccessPolicy
properties:
parent: organizations/123456789
title: Storage Policy
Create ServicePerimeterEgressPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ServicePerimeterEgressPolicy(name: string, args: ServicePerimeterEgressPolicyArgs, opts?: CustomResourceOptions);@overload
def ServicePerimeterEgressPolicy(resource_name: str,
args: ServicePerimeterEgressPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ServicePerimeterEgressPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
perimeter: Optional[str] = None,
egress_from: Optional[ServicePerimeterEgressPolicyEgressFromArgs] = None,
egress_to: Optional[ServicePerimeterEgressPolicyEgressToArgs] = None)func NewServicePerimeterEgressPolicy(ctx *Context, name string, args ServicePerimeterEgressPolicyArgs, opts ...ResourceOption) (*ServicePerimeterEgressPolicy, error)public ServicePerimeterEgressPolicy(string name, ServicePerimeterEgressPolicyArgs args, CustomResourceOptions? opts = null)
public ServicePerimeterEgressPolicy(String name, ServicePerimeterEgressPolicyArgs args)
public ServicePerimeterEgressPolicy(String name, ServicePerimeterEgressPolicyArgs args, CustomResourceOptions options)
type: gcp:accesscontextmanager:ServicePerimeterEgressPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var servicePerimeterEgressPolicyResource = new Gcp.AccessContextManager.ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource", new()
{
Perimeter = "string",
EgressFrom = new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressFromArgs
{
Identities = new[]
{
"string",
},
IdentityType = "string",
SourceRestriction = "string",
Sources = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressFromSourceArgs
{
AccessLevel = "string",
},
},
},
EgressTo = new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToArgs
{
ExternalResources = new[]
{
"string",
},
Operations = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToOperationArgs
{
MethodSelectors = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs
{
Method = "string",
Permission = "string",
},
},
ServiceName = "string",
},
},
Resources = new[]
{
"string",
},
},
});
example, err := accesscontextmanager.NewServicePerimeterEgressPolicy(ctx, "servicePerimeterEgressPolicyResource", &accesscontextmanager.ServicePerimeterEgressPolicyArgs{
Perimeter: pulumi.String("string"),
EgressFrom: &accesscontextmanager.ServicePerimeterEgressPolicyEgressFromArgs{
Identities: pulumi.StringArray{
pulumi.String("string"),
},
IdentityType: pulumi.String("string"),
SourceRestriction: pulumi.String("string"),
Sources: accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSourceArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSourceArgs{
AccessLevel: pulumi.String("string"),
},
},
},
EgressTo: &accesscontextmanager.ServicePerimeterEgressPolicyEgressToArgs{
ExternalResources: pulumi.StringArray{
pulumi.String("string"),
},
Operations: accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArgs{
MethodSelectors: accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs{
Method: pulumi.String("string"),
Permission: pulumi.String("string"),
},
},
ServiceName: pulumi.String("string"),
},
},
Resources: pulumi.StringArray{
pulumi.String("string"),
},
},
})
var servicePerimeterEgressPolicyResource = new ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource", ServicePerimeterEgressPolicyArgs.builder()
.perimeter("string")
.egressFrom(ServicePerimeterEgressPolicyEgressFromArgs.builder()
.identities("string")
.identityType("string")
.sourceRestriction("string")
.sources(ServicePerimeterEgressPolicyEgressFromSourceArgs.builder()
.accessLevel("string")
.build())
.build())
.egressTo(ServicePerimeterEgressPolicyEgressToArgs.builder()
.externalResources("string")
.operations(ServicePerimeterEgressPolicyEgressToOperationArgs.builder()
.methodSelectors(ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs.builder()
.method("string")
.permission("string")
.build())
.serviceName("string")
.build())
.resources("string")
.build())
.build());
service_perimeter_egress_policy_resource = gcp.accesscontextmanager.ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource",
perimeter="string",
egress_from=gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressFromArgs(
identities=["string"],
identity_type="string",
source_restriction="string",
sources=[gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSourceArgs(
access_level="string",
)],
),
egress_to=gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressToArgs(
external_resources=["string"],
operations=[gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArgs(
method_selectors=[gcp.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs(
method="string",
permission="string",
)],
service_name="string",
)],
resources=["string"],
))
const servicePerimeterEgressPolicyResource = new gcp.accesscontextmanager.ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource", {
perimeter: "string",
egressFrom: {
identities: ["string"],
identityType: "string",
sourceRestriction: "string",
sources: [{
accessLevel: "string",
}],
},
egressTo: {
externalResources: ["string"],
operations: [{
methodSelectors: [{
method: "string",
permission: "string",
}],
serviceName: "string",
}],
resources: ["string"],
},
});
type: gcp:accesscontextmanager:ServicePerimeterEgressPolicy
properties:
egressFrom:
identities:
- string
identityType: string
sourceRestriction: string
sources:
- accessLevel: string
egressTo:
externalResources:
- string
operations:
- methodSelectors:
- method: string
permission: string
serviceName: string
resources:
- string
perimeter: string
ServicePerimeterEgressPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ServicePerimeterEgressPolicy resource accepts the following input properties:
- Perimeter string
- The name of the Service Perimeter to add this resource to.
- Egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below.
- Perimeter string
- The name of the Service Perimeter to add this resource to.
- Egress
From ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below.
- perimeter String
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below.
- perimeter string
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below.
- perimeter str
- The name of the Service Perimeter to add this resource to.
- egress_
from ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress_
to ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below.
- perimeter String
- The name of the Service Perimeter to add this resource to.
- egress
From Property Map - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress
To Property Map - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the ServicePerimeterEgressPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ServicePerimeterEgressPolicy Resource
Get an existing ServicePerimeterEgressPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ServicePerimeterEgressPolicyState, opts?: CustomResourceOptions): ServicePerimeterEgressPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
egress_from: Optional[ServicePerimeterEgressPolicyEgressFromArgs] = None,
egress_to: Optional[ServicePerimeterEgressPolicyEgressToArgs] = None,
perimeter: Optional[str] = None) -> ServicePerimeterEgressPolicyfunc GetServicePerimeterEgressPolicy(ctx *Context, name string, id IDInput, state *ServicePerimeterEgressPolicyState, opts ...ResourceOption) (*ServicePerimeterEgressPolicy, error)public static ServicePerimeterEgressPolicy Get(string name, Input<string> id, ServicePerimeterEgressPolicyState? state, CustomResourceOptions? opts = null)public static ServicePerimeterEgressPolicy get(String name, Output<String> id, ServicePerimeterEgressPolicyState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below. - Perimeter string
- The name of the Service Perimeter to add this resource to.
- Egress
From ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below. - Perimeter string
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below. - perimeter String
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below. - perimeter string
- The name of the Service Perimeter to add this resource to.
- egress_
from ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress_
to ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below. - perimeter str
- The name of the Service Perimeter to add this resource to.
- egress
From Property Map - Defines conditions on the source of a request causing this
EgressPolicyto apply. Structure is documented below. - egress
To Property Map - Defines the conditions on the
ApiOperationand destination resources that cause thisEgressPolicyto apply. Structure is documented below. - perimeter String
- The name of the Service Perimeter to add this resource to.
Supporting Types
ServicePerimeterEgressPolicyEgressFrom, ServicePerimeterEgressPolicyEgressFromArgs
- Identities List<string>
- A list of identities that are allowed access through this
EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group. - Identity
Type string - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identitiesfield will be allowed access. Possible values are:ANY_IDENTITY,ANY_USER_ACCOUNT,ANY_SERVICE_ACCOUNT. - Source
Restriction string - Whether to enforce traffic restrictions based on
sourcesfield. If thesourcesfield is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED,SOURCE_RESTRICTION_ENABLED,SOURCE_RESTRICTION_DISABLED. - Sources
List<Service
Perimeter Egress Policy Egress From Source> - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- Identities []string
- A list of identities that are allowed access through this
EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group. - Identity
Type string - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identitiesfield will be allowed access. Possible values are:ANY_IDENTITY,ANY_USER_ACCOUNT,ANY_SERVICE_ACCOUNT. - Source
Restriction string - Whether to enforce traffic restrictions based on
sourcesfield. If thesourcesfield is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED,SOURCE_RESTRICTION_ENABLED,SOURCE_RESTRICTION_DISABLED. - Sources
[]Service
Perimeter Egress Policy Egress From Source - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities List<String>
- A list of identities that are allowed access through this
EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group. - identity
Type String - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identitiesfield will be allowed access. Possible values are:ANY_IDENTITY,ANY_USER_ACCOUNT,ANY_SERVICE_ACCOUNT. - source
Restriction String - Whether to enforce traffic restrictions based on
sourcesfield. If thesourcesfield is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED,SOURCE_RESTRICTION_ENABLED,SOURCE_RESTRICTION_DISABLED. - sources
List<Service
Perimeter Egress Policy Egress From Source> - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities string[]
- A list of identities that are allowed access through this
EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group. - identity
Type string - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identitiesfield will be allowed access. Possible values are:ANY_IDENTITY,ANY_USER_ACCOUNT,ANY_SERVICE_ACCOUNT. - source
Restriction string - Whether to enforce traffic restrictions based on
sourcesfield. If thesourcesfield is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED,SOURCE_RESTRICTION_ENABLED,SOURCE_RESTRICTION_DISABLED. - sources
Service
Perimeter Egress Policy Egress From Source[] - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities Sequence[str]
- A list of identities that are allowed access through this
EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group. - identity_
type str - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identitiesfield will be allowed access. Possible values are:ANY_IDENTITY,ANY_USER_ACCOUNT,ANY_SERVICE_ACCOUNT. - source_
restriction str - Whether to enforce traffic restrictions based on
sourcesfield. If thesourcesfield is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED,SOURCE_RESTRICTION_ENABLED,SOURCE_RESTRICTION_DISABLED. - sources
Sequence[Service
Perimeter Egress Policy Egress From Source] - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities List<String>
- A list of identities that are allowed access through this
EgressPolicy. Should be in the format of an email address. The email address should represent an individual user, service account, or Google group. - identity
Type String - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identitiesfield will be allowed access. Possible values are:ANY_IDENTITY,ANY_USER_ACCOUNT,ANY_SERVICE_ACCOUNT. - source
Restriction String - Whether to enforce traffic restrictions based on
sourcesfield. If thesourcesfield is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED,SOURCE_RESTRICTION_ENABLED,SOURCE_RESTRICTION_DISABLED. - sources List<Property Map>
- Sources that this EgressPolicy authorizes access from. Structure is documented below.
ServicePerimeterEgressPolicyEgressFromSource, ServicePerimeterEgressPolicyEgressFromSourceArgs
- Access
Level string - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- Access
Level string - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access
Level String - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access
Level string - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access_
level str - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access
Level String - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
ServicePerimeterEgressPolicyEgressTo, ServicePerimeterEgressPolicyEgressToArgs
- External
Resources List<string> - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- Operations
List<Service
Perimeter Egress Policy Egress To Operation> - A list of
ApiOperationsthat this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - Resources List<string>
- A list of resources, currently only projects in the form
projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTorule will authorize access to all resources outside the perimeter.
- External
Resources []string - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- Operations
[]Service
Perimeter Egress Policy Egress To Operation - A list of
ApiOperationsthat this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - Resources []string
- A list of resources, currently only projects in the form
projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTorule will authorize access to all resources outside the perimeter.
- external
Resources List<String> - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations
List<Service
Perimeter Egress Policy Egress To Operation> - A list of
ApiOperationsthat this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources List<String>
- A list of resources, currently only projects in the form
projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTorule will authorize access to all resources outside the perimeter.
- external
Resources string[] - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations
Service
Perimeter Egress Policy Egress To Operation[] - A list of
ApiOperationsthat this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources string[]
- A list of resources, currently only projects in the form
projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTorule will authorize access to all resources outside the perimeter.
- external_
resources Sequence[str] - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations
Sequence[Service
Perimeter Egress Policy Egress To Operation] - A list of
ApiOperationsthat this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources Sequence[str]
- A list of resources, currently only projects in the form
projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTorule will authorize access to all resources outside the perimeter.
- external
Resources List<String> - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations List<Property Map>
- A list of
ApiOperationsthat this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources List<String>
- A list of resources, currently only projects in the form
projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTorule will authorize access to all resources outside the perimeter.
ServicePerimeterEgressPolicyEgressToOperation, ServicePerimeterEgressPolicyEgressToOperationArgs
- Method
Selectors List<ServicePerimeter Egress Policy Egress To Operation Method Selector> - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceNamefield. A single MethodSelector entry with*specified for themethodfield will allow all methods AND permissions for the service specified inserviceName. Structure is documented below. - Service
Name string - The name of the API whose methods or permissions the
IngressPolicyorEgressPolicywant to allow. A singleApiOperationwith serviceName field set to*will allow all methods AND permissions for all services.
- Method
Selectors []ServicePerimeter Egress Policy Egress To Operation Method Selector - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceNamefield. A single MethodSelector entry with*specified for themethodfield will allow all methods AND permissions for the service specified inserviceName. Structure is documented below. - Service
Name string - The name of the API whose methods or permissions the
IngressPolicyorEgressPolicywant to allow. A singleApiOperationwith serviceName field set to*will allow all methods AND permissions for all services.
- method
Selectors List<ServicePerimeter Egress Policy Egress To Operation Method Selector> - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceNamefield. A single MethodSelector entry with*specified for themethodfield will allow all methods AND permissions for the service specified inserviceName. Structure is documented below. - service
Name String - The name of the API whose methods or permissions the
IngressPolicyorEgressPolicywant to allow. A singleApiOperationwith serviceName field set to*will allow all methods AND permissions for all services.
- method
Selectors ServicePerimeter Egress Policy Egress To Operation Method Selector[] - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceNamefield. A single MethodSelector entry with*specified for themethodfield will allow all methods AND permissions for the service specified inserviceName. Structure is documented below. - service
Name string - The name of the API whose methods or permissions the
IngressPolicyorEgressPolicywant to allow. A singleApiOperationwith serviceName field set to*will allow all methods AND permissions for all services.
- method_
selectors Sequence[ServicePerimeter Egress Policy Egress To Operation Method Selector] - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceNamefield. A single MethodSelector entry with*specified for themethodfield will allow all methods AND permissions for the service specified inserviceName. Structure is documented below. - service_
name str - The name of the API whose methods or permissions the
IngressPolicyorEgressPolicywant to allow. A singleApiOperationwith serviceName field set to*will allow all methods AND permissions for all services.
- method
Selectors List<Property Map> - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceNamefield. A single MethodSelector entry with*specified for themethodfield will allow all methods AND permissions for the service specified inserviceName. Structure is documented below. - service
Name String - The name of the API whose methods or permissions the
IngressPolicyorEgressPolicywant to allow. A singleApiOperationwith serviceName field set to*will allow all methods AND permissions for all services.
ServicePerimeterEgressPolicyEgressToOperationMethodSelector, ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs
- Method string
- Value for
methodshould be a valid method name for the correspondingserviceNameinApiOperation. If*used as value for method, then ALL methods and permissions are allowed. - Permission string
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceNameinApiOperation.
- Method string
- Value for
methodshould be a valid method name for the correspondingserviceNameinApiOperation. If*used as value for method, then ALL methods and permissions are allowed. - Permission string
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceNameinApiOperation.
- method String
- Value for
methodshould be a valid method name for the correspondingserviceNameinApiOperation. If*used as value for method, then ALL methods and permissions are allowed. - permission String
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceNameinApiOperation.
- method string
- Value for
methodshould be a valid method name for the correspondingserviceNameinApiOperation. If*used as value for method, then ALL methods and permissions are allowed. - permission string
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceNameinApiOperation.
- method str
- Value for
methodshould be a valid method name for the correspondingserviceNameinApiOperation. If*used as value for method, then ALL methods and permissions are allowed. - permission str
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceNameinApiOperation.
- method String
- Value for
methodshould be a valid method name for the correspondingserviceNameinApiOperation. If*used as value for method, then ALL methods and permissions are allowed. - permission String
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceNameinApiOperation.
Import
ServicePerimeterEgressPolicy can be imported using any of these accepted formats:
{{perimeter}}
When using the pulumi import command, ServicePerimeterEgressPolicy can be imported using one of the formats above. For example:
$ pulumi import gcp:accesscontextmanager/servicePerimeterEgressPolicy:ServicePerimeterEgressPolicy default {{perimeter}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.