UNPKG

@pulumi/gcp

Version:

A Pulumi package for creating and managing Google Cloud Platform resources.

pulumi/pulumi-gcp

285 lines • 12.2 kB

JavaScript

"use strict"; // *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); exports.ServicePerimeter = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../utilities"); /** * ServicePerimeter describes a set of GCP resources which can freely import * and export data amongst themselves, but not export outside of the * ServicePerimeter. If a request with a source within this ServicePerimeter * has a target outside of the ServicePerimeter, the request will be blocked. * Otherwise the request is allowed. There are two types of Service Perimeter * - Regular and Bridge. Regular Service Perimeters cannot overlap, a single * GCP project can only belong to a single regular Service Perimeter. Service * Perimeter Bridges can contain only GCP projects as members, a single GCP * project may belong to multiple Service Perimeter Bridges. * * To get more information about ServicePerimeter, see: * * * [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters) * * How-to Guides * * [Guide to Ingress and Egress Rules](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules) * * [Service Perimeter Quickstart](https://cloud.google.com/vpc-service-controls/docs/quickstart) * * > **Warning:** If you are using User ADCs (Application Default Credentials) with this resource, * you must specify a `billingProject` and set `userProjectOverride` to true * in the provider configuration. Otherwise the ACM API will return a 403 error. * Your account must have the `serviceusage.services.use` permission on the * `billingProject` you defined. * * ## Example Usage * * ### Access Context Manager Service Perimeter Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const service_perimeter = new gcp.accesscontextmanager.ServicePerimeter("service-perimeter", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/restrict_storage`, * title: "restrict_storage", * status: { * restrictedServices: ["storage.googleapis.com"], * }, * }); * const access_level = new gcp.accesscontextmanager.AccessLevel("access-level", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/chromeos_no_lock`, * title: "chromeos_no_lock", * basic: { * conditions: [{ * devicePolicy: { * requireScreenLock: false, * osConstraints: [{ * osType: "DESKTOP_CHROME_OS", * }], * }, * regions: [ * "CH", * "IT", * "US", * ], * }], * }, * }); * ``` * ### Access Context Manager Service Perimeter Secure Data Exchange * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const secure_data_exchange = new gcp.accesscontextmanager.ServicePerimeters("secure-data-exchange", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * servicePerimeters: [ * { * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/`, * title: "", * status: { * restrictedServices: ["storage.googleapis.com"], * }, * }, * { * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/`, * title: "", * status: { * restrictedServices: ["bigtable.googleapis.com"], * vpcAccessibleServices: { * enableRestriction: true, * allowedServices: ["bigquery.googleapis.com"], * }, * }, * }, * ], * }); * const access_level = new gcp.accesscontextmanager.AccessLevel("access-level", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/secure_data_exchange`, * title: "secure_data_exchange", * basic: { * conditions: [{ * devicePolicy: { * requireScreenLock: false, * osConstraints: [{ * osType: "DESKTOP_CHROME_OS", * }], * }, * regions: [ * "CH", * "IT", * "US", * ], * }], * }, * }); * const test_access = new gcp.accesscontextmanager.ServicePerimeter("test-access", { * parent: `accessPolicies/${test_accessGoogleAccessContextManagerAccessPolicy.name}`, * name: `accessPolicies/${test_accessGoogleAccessContextManagerAccessPolicy.name}/servicePerimeters/%s`, * title: "%s", * perimeterType: "PERIMETER_TYPE_REGULAR", * status: { * restrictedServices: [ * "bigquery.googleapis.com", * "storage.googleapis.com", * ], * accessLevels: [access_level.name], * vpcAccessibleServices: { * enableRestriction: true, * allowedServices: [ * "bigquery.googleapis.com", * "storage.googleapis.com", * ], * }, * ingressPolicies: [{ * ingressFrom: { * sources: [{ * accessLevel: test_accessGoogleAccessContextManagerAccessLevel.name, * }], * identityType: "ANY_IDENTITY", * }, * ingressTo: { * resources: ["*"], * operations: [ * { * serviceName: "bigquery.googleapis.com", * methodSelectors: [ * { * method: "BigQueryStorage.ReadRows", * }, * { * method: "TableService.ListTables", * }, * { * permission: "bigquery.jobs.get", * }, * ], * }, * { * serviceName: "storage.googleapis.com", * methodSelectors: [{ * method: "google.storage.objects.create", * }], * }, * ], * }, * }], * egressPolicies: [{ * egressFrom: { * identityType: "ANY_USER_ACCOUNT", * }, * }], * }, * }); * ``` * ### Access Context Manager Service Perimeter Dry-Run * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", { * parent: "organizations/123456789", * title: "my policy", * }); * const service_perimeter = new gcp.accesscontextmanager.ServicePerimeter("service-perimeter", { * parent: pulumi.interpolate`accessPolicies/${access_policy.name}`, * name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/restrict_bigquery_dryrun_storage`, * title: "restrict_bigquery_dryrun_storage", * status: { * restrictedServices: ["bigquery.googleapis.com"], * }, * spec: { * restrictedServices: ["storage.googleapis.com"], * }, * useExplicitDryRunSpec: true, * }); * ``` * ## Import * * ServicePerimeter can be imported using any of these accepted formats: * * * `{{name}}` * * When using the `pulumi import` command, ServicePerimeter can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:accesscontextmanager/servicePerimeter:ServicePerimeter default {{name}} * ``` */ class ServicePerimeter extends pulumi.CustomResource { /** * Get an existing ServicePerimeter resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, state, opts) { return new ServicePerimeter(name, state, Object.assign(Object.assign({}, opts), { id: id })); } /** * Returns true if the given object is an instance of ServicePerimeter. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } return obj['__pulumiType'] === ServicePerimeter.__pulumiType; } constructor(name, argsOrState, opts) { let resourceInputs = {}; opts = opts || {}; if (opts.id) { const state = argsOrState; resourceInputs["createTime"] = state ? state.createTime : undefined; resourceInputs["description"] = state ? state.description : undefined; resourceInputs["name"] = state ? state.name : undefined; resourceInputs["parent"] = state ? state.parent : undefined; resourceInputs["perimeterType"] = state ? state.perimeterType : undefined; resourceInputs["spec"] = state ? state.spec : undefined; resourceInputs["status"] = state ? state.status : undefined; resourceInputs["title"] = state ? state.title : undefined; resourceInputs["updateTime"] = state ? state.updateTime : undefined; resourceInputs["useExplicitDryRunSpec"] = state ? state.useExplicitDryRunSpec : undefined; } else { const args = argsOrState; if ((!args || args.parent === undefined) && !opts.urn) { throw new Error("Missing required property 'parent'"); } if ((!args || args.title === undefined) && !opts.urn) { throw new Error("Missing required property 'title'"); } resourceInputs["description"] = args ? args.description : undefined; resourceInputs["name"] = args ? args.name : undefined; resourceInputs["parent"] = args ? args.parent : undefined; resourceInputs["perimeterType"] = args ? args.perimeterType : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = args ? args.status : undefined; resourceInputs["title"] = args ? args.title : undefined; resourceInputs["useExplicitDryRunSpec"] = args ? args.useExplicitDryRunSpec : undefined; resourceInputs["createTime"] = undefined /*out*/; resourceInputs["updateTime"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(ServicePerimeter.__pulumiType, name, resourceInputs, opts); } } exports.ServicePerimeter = ServicePerimeter; /** @internal */ ServicePerimeter.__pulumiType = 'gcp:accesscontextmanager/servicePerimeter:ServicePerimeter'; //# sourceMappingURL=servicePerimeter.js.map