@pulumi/gcp

A Pulumi package for creating and managing Google Cloud Platform resources.

import * as outputs from "../types/output";
/**
 * Output-side type declarations for Access Context Manager resources (access
 * levels, access-policy IAM conditions and VPC Service Controls perimeters).
 *
 * Security reading guide: almost every field below is optional, and the
 * upstream docs state that an omitted or empty field does *not* restrict
 * anything (all IPs, all devices, any user, all services, ...). When reviewing
 * a policy expressed with these types, look for the field that actually
 * constrains the request, and treat `*` values and `ANY_*` identity types as
 * broad grants that need a justification.
 */
export declare namespace accesscontextmanager {
    /**
     * Basic (condition-list) form of an Access Level: a list of conditions plus
     * the rule used to combine them.
     */
    interface AccessLevelBasic {
        /**
         * How the conditions list should be combined to determine if a request
         * is granted this AccessLevel. If AND is used, each Condition in
         * conditions must be satisfied for the AccessLevel to be applied. If
         * OR is used, at least one Condition in conditions must be satisfied
         * for the AccessLevel to be applied.
         * Default value is `AND`.
         * Possible values are: `AND`, `OR`.
         * NOTE(review): `OR` widens the level — satisfying any single Condition
         * is enough — so keep the default `AND` unless the conditions are
         * deliberately alternative ways in.
         */
        combiningFunction?: string;
        /**
         * A set of requirements for the AccessLevel to be granted.
         * Structure is documented below.
         */
        conditions: outputs.accesscontextmanager.AccessLevelBasicCondition[];
    }
    /**
     * One condition of a basic access level. Every field is optional, and each
     * one is permissive when omitted (see the per-field notes), so a condition
     * that sets none of them matches every request. Make sure at least one
     * field actually constrains the caller.
     */
    interface AccessLevelBasicCondition {
        /**
         * Device specific restrictions, all restrictions must hold for
         * the Condition to be true. If not specified, all devices are
         * allowed.
         * Structure is documented below.
         */
        devicePolicy?: outputs.accesscontextmanager.AccessLevelBasicConditionDevicePolicy;
        /**
         * A list of CIDR block IP subnetwork specification. May be IPv4
         * or IPv6.
         * Note that for a CIDR IP address block, the specified IP address
         * portion must be properly truncated (i.e. all the host bits must
         * be zero) or the input is considered malformed. For example,
         * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
         * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
         * is not. The originating IP of a request must be in one of the
         * listed subnets in order for this Condition to be true.
         * If empty, all IP addresses are allowed.
         * NOTE(review): a source address identifies a network position, not a
         * principal; combine with `members` or `devicePolicy` rather than
         * relying on IP ranges alone.
         */
        ipSubnetworks?: string[];
        /**
         * An allowed list of members (users, service accounts).
         * Using groups is not supported yet.
         * The signed-in user originating the request must be a part of one
         * of the provided members. If not specified, a request may come
         * from any user (logged in/not logged in, not present in any
         * groups, etc.).
         * Formats: `user:{emailid}`, `serviceAccount:{emailid}`
         * NOTE(review): because groups are unsupported, each principal is
         * listed individually — keep this list under joiner/leaver review.
         */
        members?: string[];
        /**
         * Whether to negate the Condition. If true, the Condition becomes
         * a NAND over its non-empty fields, each field must be false for
         * the Condition overall to be satisfied. Defaults to false.
         * NOTE(review): negation turns the allow-lists above into deny-lists
         * (e.g. a negated `ipSubnetworks` entry matches every *other* address).
         * Check the intended semantics before using it as a deny rule.
         */
        negate?: boolean;
        /**
         * The request must originate from one of the provided
         * countries/regions.
         * Format: A valid ISO 3166-1 alpha-2 code.
         * NOTE(review): how the origin region is determined is not stated
         * here (presumably from the request's source address); confirm in the
         * Access Context Manager docs before treating it as a hard control.
         */
        regions?: string[];
        /**
         * A list of other access levels defined in the same Policy,
         * referenced by resource name. Referencing an AccessLevel which
         * does not exist is an error. All access levels listed must be
         * granted for the Condition to be true.
         * Format: accessPolicies/{policy_id}/accessLevels/{short_name}
         */
        requiredAccessLevels?: string[];
        /**
         * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`.
         * Structure is documented below.
         */
        vpcNetworkSources?: outputs.accesscontextmanager.AccessLevelBasicConditionVpcNetworkSource[];
    }
    /**
     * Device (endpoint posture) requirements for a basic access-level condition.
     * Every list field allows everything when empty; every boolean that
     * documents a default defaults to the permissive value.
     */
    interface AccessLevelBasicConditionDevicePolicy {
        /**
         * A list of allowed device management levels.
         * An empty list allows all management levels.
         * Each value may be one of: `MANAGEMENT_UNSPECIFIED`, `NONE`, `BASIC`, `COMPLETE`.
         */
        allowedDeviceManagementLevels?: string[];
        /**
         * A list of allowed encryption statuses.
         * An empty list allows all statuses.
         * Each value may be one of: `ENCRYPTION_UNSPECIFIED`, `ENCRYPTION_UNSUPPORTED`, `UNENCRYPTED`, `ENCRYPTED`.
         * NOTE(review): listing `UNENCRYPTED` or `ENCRYPTION_UNSUPPORTED` admits
         * devices without storage encryption; an empty list admits them too.
         */
        allowedEncryptionStatuses?: string[];
        /**
         * A list of allowed OS versions.
         * An empty list allows all types and all versions.
         * Structure is documented below.
         */
        osConstraints?: outputs.accesscontextmanager.AccessLevelBasicConditionDevicePolicyOsConstraint[];
        /**
         * Whether the device needs to be approved by the customer admin.
         */
        requireAdminApproval?: boolean;
        /**
         * Whether the device needs to be corp owned.
         */
        requireCorpOwned?: boolean;
        /**
         * Whether or not screenlock is required for the DevicePolicy
         * to be true. Defaults to false.
         */
        requireScreenLock?: boolean;
    }
    /**
     * One allowed operating system (and optional minimum version) for a
     * device policy.
     */
    interface AccessLevelBasicConditionDevicePolicyOsConstraint {
        /**
         * The minimum allowed OS version. If not set, any version
         * of this OS satisfies the constraint.
         * Format: "major.minor.patch" such as "10.5.301", "9.2.1".
         * NOTE(review): without a minimum version, an `osType` entry admits
         * builds that are arbitrarily out of date; set one where patch level
         * matters.
         */
        minimumVersion?: string;
        /**
         * The operating system type of the device.
         * Possible values are: `OS_UNSPECIFIED`, `DESKTOP_MAC`, `DESKTOP_WINDOWS`, `DESKTOP_LINUX`, `DESKTOP_CHROME_OS`, `ANDROID`, `IOS`.
         */
        osType: string;
        /**
         * If you specify DESKTOP_CHROME_OS for osType, you can optionally include requireVerifiedChromeOs to require Chrome Verified Access.
         */
        requireVerifiedChromeOs?: boolean;
    }
    /**
     * A VPC network (and optional subnet ranges) from which requests may
     * originate.
     */
    interface AccessLevelBasicConditionVpcNetworkSource {
        /**
         * Subnetworks within a VPC network.
         * Structure is documented below.
         */
        vpcSubnetwork?: outputs.accesscontextmanager.AccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork;
    }
    /**
     * A VPC network name plus the IPv4 ranges inside it that are allowed.
     */
    interface AccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork {
        /**
         * Required. Network name to be allowed by this Access Level. Networks of foreign organizations require `compute.network.get` permission to be granted to caller.
         */
        network: string;
        /**
         * A list of CIDR block IP subnetwork specification. Must be IPv4.
         */
        vpcIpSubnetworks?: string[];
    }
    /**
     * Device (endpoint posture) requirements for an access-level condition.
     * Every list field allows everything when empty; every boolean that
     * documents a default defaults to the permissive value.
     */
    interface AccessLevelConditionDevicePolicy {
        /**
         * A list of allowed device management levels.
         * An empty list allows all management levels.
         * Each value may be one of: `MANAGEMENT_UNSPECIFIED`, `NONE`, `BASIC`, `COMPLETE`.
         */
        allowedDeviceManagementLevels?: string[];
        /**
         * A list of allowed encryption statuses.
         * An empty list allows all statuses.
         * Each value may be one of: `ENCRYPTION_UNSPECIFIED`, `ENCRYPTION_UNSUPPORTED`, `UNENCRYPTED`, `ENCRYPTED`.
         * NOTE(review): listing `UNENCRYPTED` or `ENCRYPTION_UNSUPPORTED` admits
         * devices without storage encryption; an empty list admits them too.
         */
        allowedEncryptionStatuses?: string[];
        /**
         * A list of allowed OS versions.
         * An empty list allows all types and all versions.
         * Structure is documented below.
         */
        osConstraints?: outputs.accesscontextmanager.AccessLevelConditionDevicePolicyOsConstraint[];
        /**
         * Whether the device needs to be approved by the customer admin.
         */
        requireAdminApproval?: boolean;
        /**
         * Whether the device needs to be corp owned.
         */
        requireCorpOwned?: boolean;
        /**
         * Whether or not screenlock is required for the DevicePolicy
         * to be true. Defaults to false.
         */
        requireScreenLock?: boolean;
    }
    /**
     * One allowed operating system (and optional minimum version) for a
     * device policy.
     */
    interface AccessLevelConditionDevicePolicyOsConstraint {
        /**
         * The minimum allowed OS version. If not set, any version
         * of this OS satisfies the constraint.
         * Format: "major.minor.patch" such as "10.5.301", "9.2.1".
         * NOTE(review): without a minimum version, an `osType` entry admits
         * builds that are arbitrarily out of date; set one where patch level
         * matters.
         */
        minimumVersion?: string;
        /**
         * The operating system type of the device.
         * Possible values are: `OS_UNSPECIFIED`, `DESKTOP_MAC`, `DESKTOP_WINDOWS`, `DESKTOP_LINUX`, `DESKTOP_CHROME_OS`, `ANDROID`, `IOS`.
         */
        osType: string;
    }
    /**
     * A VPC network (and optional subnet ranges) from which requests may
     * originate.
     */
    interface AccessLevelConditionVpcNetworkSource {
        /**
         * Subnetworks within a VPC network.
         * Structure is documented below.
         */
        vpcSubnetwork?: outputs.accesscontextmanager.AccessLevelConditionVpcNetworkSourceVpcSubnetwork;
    }
    /**
     * A VPC network name plus the IPv4 ranges inside it that are allowed.
     */
    interface AccessLevelConditionVpcNetworkSourceVpcSubnetwork {
        /**
         * Required. Network name to be allowed by this Access Level. Networks of foreign organizations require `compute.network.get` permission to be granted to caller.
         */
        network: string;
        /**
         * CIDR block IP subnetwork specification. Must be IPv4.
         */
        vpcIpSubnetworks?: string[];
    }
    /**
     * Custom (CEL expression) form of an Access Level.
     */
    interface AccessLevelCustom {
        /**
         * Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
         * This page details the objects and attributes that are used to build the CEL expressions for
         * custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
         * Structure is documented below.
         * NOTE(review): the expression is evaluated by the service, not checked
         * by this SDK. An expression that is trivially true grants the level to
         * every request, so review custom expressions with the same care as an
         * IAM policy.
         */
        expr: outputs.accesscontextmanager.AccessLevelCustomExpr;
    }
    /**
     * A CEL expression with optional human-readable metadata.
     */
    interface AccessLevelCustomExpr {
        /**
         * Description of the expression
         */
        description?: string;
        /**
         * Textual representation of an expression in Common Expression Language syntax.
         */
        expression: string;
        /**
         * String indicating the location of the expression for error reporting, e.g. a file name and a position in the file
         */
        location?: string;
        /**
         * Title for the expression, i.e. a short string describing its purpose.
         */
        title?: string;
    }
    /**
     * One access level inside an `AccessLevels` (bulk) resource. Exactly which
     * of `basic` / `custom` must be set is not stated here.
     */
    interface AccessLevelsAccessLevel {
        /**
         * A set of predefined conditions for the access level and a combining function.
         * Structure is documented below.
         */
        basic?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasic;
        /**
         * Custom access level conditions are set using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request.
         * See CEL spec at: https://github.com/google/cel-spec.
         * Structure is documented below.
         */
        custom?: outputs.accesscontextmanager.AccessLevelsAccessLevelCustom;
        /**
         * Description of the AccessLevel and its use. Does not affect behavior.
         */
        description?: string;
        /**
         * Resource name for the Access Level. The shortName component must begin
         * with a letter and only include alphanumeric and '_'.
         * Format: accessPolicies/{policy_id}/accessLevels/{short_name}
         */
        name: string;
        /**
         * Human readable title. Must be unique within the Policy.
         */
        title: string;
    }
    /**
     * Basic (condition-list) form of an access level in the bulk resource.
     */
    interface AccessLevelsAccessLevelBasic {
        /**
         * How the conditions list should be combined to determine if a request
         * is granted this AccessLevel. If AND is used, each Condition in
         * conditions must be satisfied for the AccessLevel to be applied. If
         * OR is used, at least one Condition in conditions must be satisfied
         * for the AccessLevel to be applied.
         * Default value is `AND`.
         * Possible values are: `AND`, `OR`.
         * NOTE(review): `OR` widens the level — satisfying any single Condition
         * is enough — so keep the default `AND` unless the conditions are
         * deliberately alternative ways in.
         */
        combiningFunction?: string;
        /**
         * A set of requirements for the AccessLevel to be granted.
         * Structure is documented below.
         */
        conditions: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicCondition[];
    }
    /**
     * One condition of a basic access level (bulk resource). Every field is
     * optional and permissive when omitted, so a condition that sets none of
     * them matches every request.
     */
    interface AccessLevelsAccessLevelBasicCondition {
        /**
         * Device specific restrictions, all restrictions must hold for
         * the Condition to be true. If not specified, all devices are
         * allowed.
         * Structure is documented below.
         */
        devicePolicy?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionDevicePolicy;
        /**
         * A list of CIDR block IP subnetwork specification. May be IPv4
         * or IPv6.
         * Note that for a CIDR IP address block, the specified IP address
         * portion must be properly truncated (i.e. all the host bits must
         * be zero) or the input is considered malformed. For example,
         * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
         * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
         * is not. The originating IP of a request must be in one of the
         * listed subnets in order for this Condition to be true.
         * If empty, all IP addresses are allowed.
         * NOTE(review): a source address identifies a network position, not a
         * principal; combine with `members` or `devicePolicy` rather than
         * relying on IP ranges alone.
         */
        ipSubnetworks?: string[];
        /**
         * An allowed list of members (users, service accounts).
         * Using groups is not supported yet.
         * The signed-in user originating the request must be a part of one
         * of the provided members. If not specified, a request may come
         * from any user (logged in/not logged in, not present in any
         * groups, etc.).
         * Formats: `user:{emailid}`, `serviceAccount:{emailid}`
         * NOTE(review): because groups are unsupported, each principal is
         * listed individually — keep this list under joiner/leaver review.
         */
        members?: string[];
        /**
         * Whether to negate the Condition. If true, the Condition becomes
         * a NAND over its non-empty fields, each field must be false for
         * the Condition overall to be satisfied. Defaults to false.
         * NOTE(review): negation turns the allow-lists above into deny-lists
         * (e.g. a negated `ipSubnetworks` entry matches every *other* address).
         * Check the intended semantics before using it as a deny rule.
         */
        negate?: boolean;
        /**
         * The request must originate from one of the provided
         * countries/regions.
         * Format: A valid ISO 3166-1 alpha-2 code.
         * NOTE(review): how the origin region is determined is not stated
         * here (presumably from the request's source address); confirm in the
         * Access Context Manager docs before treating it as a hard control.
         */
        regions?: string[];
        /**
         * A list of other access levels defined in the same Policy,
         * referenced by resource name. Referencing an AccessLevel which
         * does not exist is an error. All access levels listed must be
         * granted for the Condition to be true.
         * Format: accessPolicies/{policy_id}/accessLevels/{short_name}
         */
        requiredAccessLevels?: string[];
        /**
         * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`.
         * Structure is documented below.
         */
        vpcNetworkSources?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionVpcNetworkSource[];
    }
    /**
     * Device (endpoint posture) requirements for a condition in the bulk
     * resource. Every list field allows everything when empty.
     */
    interface AccessLevelsAccessLevelBasicConditionDevicePolicy {
        /**
         * A list of allowed device management levels.
         * An empty list allows all management levels.
         * Each value may be one of: `MANAGEMENT_UNSPECIFIED`, `NONE`, `BASIC`, `COMPLETE`.
         */
        allowedDeviceManagementLevels?: string[];
        /**
         * A list of allowed encryption statuses.
         * An empty list allows all statuses.
         * Each value may be one of: `ENCRYPTION_UNSPECIFIED`, `ENCRYPTION_UNSUPPORTED`, `UNENCRYPTED`, `ENCRYPTED`.
         * NOTE(review): listing `UNENCRYPTED` or `ENCRYPTION_UNSUPPORTED` admits
         * devices without storage encryption; an empty list admits them too.
         */
        allowedEncryptionStatuses?: string[];
        /**
         * A list of allowed OS versions.
         * An empty list allows all types and all versions.
         * Structure is documented below.
         */
        osConstraints?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionDevicePolicyOsConstraint[];
        /**
         * Whether the device needs to be approved by the customer admin.
         */
        requireAdminApproval?: boolean;
        /**
         * Whether the device needs to be corp owned.
         */
        requireCorpOwned?: boolean;
        /**
         * Whether or not screenlock is required for the DevicePolicy
         * to be true. Defaults to false.
         */
        requireScreenLock?: boolean;
    }
    /**
     * One allowed operating system (and optional minimum version) for a
     * device policy in the bulk resource.
     */
    interface AccessLevelsAccessLevelBasicConditionDevicePolicyOsConstraint {
        /**
         * The minimum allowed OS version. If not set, any version
         * of this OS satisfies the constraint.
         * Format: "major.minor.patch" such as "10.5.301", "9.2.1".
         * NOTE(review): without a minimum version, an `osType` entry admits
         * builds that are arbitrarily out of date; set one where patch level
         * matters.
         */
        minimumVersion?: string;
        /**
         * The operating system type of the device.
         * Possible values are: `OS_UNSPECIFIED`, `DESKTOP_MAC`, `DESKTOP_WINDOWS`, `DESKTOP_LINUX`, `DESKTOP_CHROME_OS`, `ANDROID`, `IOS`.
         */
        osType: string;
    }
    /**
     * A VPC network (and optional subnet ranges) from which requests may
     * originate.
     */
    interface AccessLevelsAccessLevelBasicConditionVpcNetworkSource {
        /**
         * Subnetworks within a VPC network.
         * Structure is documented below.
         */
        vpcSubnetwork?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork;
    }
    /**
     * A VPC network name plus the IPv4 ranges inside it that are allowed.
     */
    interface AccessLevelsAccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork {
        /**
         * Required. Network name to be allowed by this Access Level. Networks of foreign organizations require `compute.network.get` permission to be granted to caller.
         */
        network: string;
        /**
         * CIDR block IP subnetwork specification. Must be IPv4.
         */
        vpcIpSubnetworks?: string[];
    }
    /**
     * Custom (CEL expression) form of an access level in the bulk resource.
     */
    interface AccessLevelsAccessLevelCustom {
        /**
         * Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
         * This page details the objects and attributes that are used to build the CEL expressions for
         * custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
         * Structure is documented below.
         * NOTE(review): the expression is evaluated by the service, not checked
         * by this SDK. An expression that is trivially true grants the level to
         * every request, so review custom expressions with the same care as an
         * IAM policy.
         */
        expr: outputs.accesscontextmanager.AccessLevelsAccessLevelCustomExpr;
    }
    /**
     * A CEL expression with optional human-readable metadata.
     */
    interface AccessLevelsAccessLevelCustomExpr {
        /**
         * Description of the expression
         */
        description?: string;
        /**
         * Textual representation of an expression in Common Expression Language syntax.
         */
        expression: string;
        /**
         * String indicating the location of the expression for error reporting, e.g. a file name and a position in the file
         */
        location?: string;
        /**
         * Title for the expression, i.e. a short string describing its purpose.
         */
        title?: string;
    }
    /**
     * Condition attached to an access-policy IAM binding. `expression` and
     * `title` are required; this file does not state the expression language
     * (IAM conditions are normally CEL — confirm against the IAM docs).
     */
    interface AccessPolicyIamBindingCondition {
        description?: string;
        expression: string;
        title: string;
    }
    /**
     * Condition attached to a single access-policy IAM member grant. Same
     * shape and caveats as `AccessPolicyIamBindingCondition`.
     */
    interface AccessPolicyIamMemberCondition {
        description?: string;
        expression: string;
        title: string;
    }
    /**
     * Dry-run egress policy: who (and from where) may leave the perimeter.
     */
    interface ServicePerimeterDryRunEgressPolicyEgressFrom {
        /**
         * Identities can be an individual user, service account, Google group,
         * or third-party identity. For third-party identity, only single identities
         * are supported and other identity types are not supported. The v1 identities
         * that have the prefix user, group and serviceAccount in
         * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
         */
        identities?: string[];
        /**
         * Specifies the type of identities that are allowed access to outside the
         * perimeter. If left unspecified, then members of `identities` field will
         * be allowed access.
         * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
         * NOTE(review): when set, access is granted by identity *type* instead of
         * the specific `identities` listed; `ANY_IDENTITY` is the broadest grant
         * and should be paired with tight `sources` / egress-to restrictions.
         */
        identityType?: string;
        /**
         * Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.
         * Possible values are: `SOURCE_RESTRICTION_ENABLED`, `SOURCE_RESTRICTION_DISABLED`.
         * NOTE(review): with `SOURCE_RESTRICTION_DISABLED` the `sources` list is
         * not enforced.
         */
        sourceRestriction?: string;
        /**
         * Sources that this EgressPolicy authorizes access from.
         * Structure is documented below.
         */
        sources?: outputs.accesscontextmanager.ServicePerimeterDryRunEgressPolicyEgressFromSource[];
    }
    /**
     * One origin (access level or project) allowed to egress in a dry-run policy.
     */
    interface ServicePerimeterDryRunEgressPolicyEgressFromSource {
        /**
         * An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
         */
        accessLevel?: string;
        /**
         * A Google Cloud resource that is allowed to egress the perimeter.
         * Requests from these resources are allowed to access data outside the perimeter.
         * Currently only projects are allowed. Project format: `projects/{project_number}`.
         * The resource may be in any Google Cloud organization, not just the
         * organization that the perimeter is defined in. `*` is not allowed, the
         * case of allowing all Google Cloud resources only is not supported.
         * NOTE(review): because projects from other organizations are accepted,
         * verify project numbers against a trusted inventory before adding them.
         */
        resource?: string;
    }
    /**
     * Dry-run egress policy: what may be reached outside the perimeter.
     */
    interface ServicePerimeterDryRunEgressPolicyEgressTo {
        /**
         * A list of external resources that are allowed to be accessed. A request
         * matches if it contains an external resource in this list (Example:
         * s3://bucket/path). Currently '*' is not allowed.
         */
        externalResources?: string[];
        /**
         * A list of `ApiOperations` that this egress rule applies to. A request matches
         * if it contains an operation/service in this list.
         * Structure is documented below.
         */
        operations?: outputs.accesscontextmanager.ServicePerimeterDryRunEgressPolicyEgressToOperation[];
        /**
         * A list of resources, currently only projects in the form
         * `projects/<projectnumber>`, that match this to stanza. A request matches
         * if it contains a resource in this list. If * is specified for resources,
         * then this `EgressTo` rule will authorize access to all resources outside
         * the perimeter.
         * NOTE(review): `*` here together with a `*` `serviceName` in `operations`
         * is an unrestricted egress path; scope at least one of them.
         */
        resources?: string[];
        /**
         * A list of IAM roles that represent the set of operations that the sources
         * specified in the corresponding `EgressFrom`
         * are allowed to perform.
         */
        roles?: string[];
    }
    /**
     * An API service plus the methods/permissions allowed on it.
     */
    interface ServicePerimeterDryRunEgressPolicyEgressToOperation {
        /**
         * API methods or permissions to allow. Method or permission must belong
         * to the service specified by `serviceName` field. A single MethodSelector
         * entry with `*` specified for the `method` field will allow all methods
         * AND permissions for the service specified in `serviceName`.
         * Structure is documented below.
         */
        methodSelectors?: outputs.accesscontextmanager.ServicePerimeterDryRunEgressPolicyEgressToOperationMethodSelector[];
        /**
         * The name of the API whose methods or permissions the `IngressPolicy` or
         * `EgressPolicy` want to allow. A single `ApiOperation` with serviceName
         * field set to `*` will allow all methods AND permissions for all services.
         * NOTE(review): `*` is an all-services grant; name the service instead.
         */
        serviceName?: string;
    }
    /**
     * A single method or IAM permission selector within an `ApiOperation`.
     */
    interface ServicePerimeterDryRunEgressPolicyEgressToOperationMethodSelector {
        /**
         * Value for `method` should be a valid method name for the corresponding
         * `serviceName` in `ApiOperation`. If `*` used as value for method,
         * then ALL methods and permissions are allowed.
         */
        method?: string;
        /**
         * Value for permission should be a valid Cloud IAM permission for the
         * corresponding `serviceName` in `ApiOperation`.
         */
        permission?: string;
    }
    /**
     * Dry-run ingress policy: who (and from where) may enter the perimeter.
     */
    interface ServicePerimeterDryRunIngressPolicyIngressFrom {
        /**
         * Identities can be an individual user, service account, Google group,
         * or third-party identity. For third-party identity, only single identities
         * are supported and other identity types are not supported. The v1 identities
         * that have the prefix user, group and serviceAccount in
         * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
         */
        identities?: string[];
        /**
         * Specifies the type of identities that are allowed access from outside the
         * perimeter. If left unspecified, then members of `identities` field will be
         * allowed access.
         * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
         * NOTE(review): when set, access is granted by identity *type* instead of
         * the specific `identities` listed; `ANY_IDENTITY` is the broadest grant
         * and should be paired with tight `sources` / ingress-to restrictions.
         */
        identityType?: string;
        /**
         * Sources that this `IngressPolicy` authorizes access from.
         * Structure is documented below.
         */
        sources?: outputs.accesscontextmanager.ServicePerimeterDryRunIngressPolicyIngressFromSource[];
    }
    /**
     * One origin (access level or project) allowed to ingress in a dry-run policy.
     */
    interface ServicePerimeterDryRunIngressPolicyIngressFromSource {
        /**
         * An `AccessLevel` resource name that allows resources within the
         * `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed
         * must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent
         * `AccessLevel` will cause an error. If no `AccessLevel` names are listed,
         * resources within the perimeter can only be accessed via Google Cloud calls
         * with request origins within the perimeter.
         * Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.`
         * If * is specified, then all IngressSources will be allowed.
         * NOTE(review): `*` removes the access-level check entirely for this
         * source; prefer a named level.
         */
        accessLevel?: string;
        /**
         * A Google Cloud resource that is allowed to ingress the perimeter.
         * Requests from these resources will be allowed to access perimeter data.
         * Currently only projects are allowed. Format `projects/{project_number}`
         * The project may be in any Google Cloud organization, not just the
         * organization that the perimeter is defined in. `*` is not allowed, the case
         * of allowing all Google Cloud resources only is not supported.
         * NOTE(review): because projects from other organizations are accepted,
         * verify project numbers against a trusted inventory before adding them.
         */
        resource?: string;
    }
    /**
     * Dry-run ingress policy: what may be reached inside the perimeter.
     */
    interface ServicePerimeterDryRunIngressPolicyIngressTo {
        /**
         * A list of `ApiOperations` the sources specified in corresponding `IngressFrom`
         * are allowed to perform in this `ServicePerimeter`.
         * Structure is documented below.
         */
        operations?: outputs.accesscontextmanager.ServicePerimeterDryRunIngressPolicyIngressToOperation[];
        /**
         * A list of resources, currently only projects in the form
         * `projects/<projectnumber>`, protected by this `ServicePerimeter`
         * that are allowed to be accessed by sources defined in the
         * corresponding `IngressFrom`. A request matches if it contains
         * a resource in this list. If `*` is specified for resources,
         * then this `IngressTo` rule will authorize access to all
         * resources inside the perimeter, provided that the request
         * also matches the `operations` field.
         * NOTE(review): with `*` the `operations` list is the only remaining
         * limit, so keep it specific.
         */
        resources?: string[];
        /**
         * A list of IAM roles that represent the set of operations that the sources
         * specified in the corresponding `IngressFrom`
         * are allowed to perform.
         */
        roles?: string[];
    }
    /**
     * An API service plus the methods/permissions allowed on it.
     */
    interface ServicePerimeterDryRunIngressPolicyIngressToOperation {
        /**
         * API methods or permissions to allow. Method or permission must belong to
         * the service specified by serviceName field. A single `MethodSelector` entry
         * with `*` specified for the method field will allow all methods AND
         * permissions for the service specified in `serviceName`.
         * Structure is documented below.
         */
        methodSelectors?: outputs.accesscontextmanager.ServicePerimeterDryRunIngressPolicyIngressToOperationMethodSelector[];
        /**
         * The name of the API whose methods or permissions the `IngressPolicy` or
         * `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName`
         * field set to `*` will allow all methods AND permissions for all services.
         * NOTE(review): `*` is an all-services grant; name the service instead.
         */
        serviceName?: string;
    }
    /**
     * A single method or IAM permission selector within an `ApiOperation`.
     */
    interface ServicePerimeterDryRunIngressPolicyIngressToOperationMethodSelector {
        /**
         * Value for method should be a valid method name for the corresponding
         * serviceName in `ApiOperation`. If `*` used as value for `method`, then
         * ALL methods and permissions are allowed.
         */
        method?: string;
        /**
         * Value for permission should be a valid Cloud IAM permission for the
         * corresponding `serviceName` in `ApiOperation`.
         */
        permission?: string;
    }
    /**
     * Enforced egress policy: who (and from where) may leave the perimeter.
     */
    interface ServicePerimeterEgressPolicyEgressFrom {
        /**
         * Identities can be an individual user, service account, Google group,
         * or third-party identity. For third-party identity, only single identities
         * are supported and other identity types are not supported. The v1 identities
         * that have the prefix user, group and serviceAccount in
         * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
         */
        identities?: string[];
        /**
         * Specifies the type of identities that are allowed access to outside the
         * perimeter. If left unspecified, then members of `identities` field will
         * be allowed access.
         * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
         * NOTE(review): when set, access is granted by identity *type* instead of
         * the specific `identities` listed; `ANY_IDENTITY` is the broadest grant
         * and should be paired with tight `sources` / egress-to restrictions.
         */
        identityType?: string;
        /**
         * Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.
         * Possible values are: `SOURCE_RESTRICTION_UNSPECIFIED`, `SOURCE_RESTRICTION_ENABLED`, `SOURCE_RESTRICTION_DISABLED`.
         * NOTE(review): with `SOURCE_RESTRICTION_DISABLED` the `sources` list is
         * not enforced.
         */
        sourceRestriction?: string;
        /**
         * Sources that this EgressPolicy authorizes access from.
         * Structure is documented below.
         */
        sources?: outputs.accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSource[];
    }
    /**
     * One origin (access level or project) allowed to egress.
     */
    interface ServicePerimeterEgressPolicyEgressFromSource {
        /**
         * An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
         */
        accessLevel?: string;
        /**
         * A Google Cloud resource that is allowed to egress the perimeter.
         * Requests from these resources are allowed to access data outside the perimeter.
         * Currently only projects are allowed. Project format: `projects/{project_number}`.
         * The resource may be in any Google Cloud organization, not just the
         * organization that the perimeter is defined in. `*` is not allowed, the
         * case of allowing all Google Cloud resources only is not supported.
         * NOTE(review): because projects from other organizations are accepted,
         * verify project numbers against a trusted inventory before adding them.
         */
        resource?: string;
    }
    /**
     * Enforced egress policy: what may be reached outside the perimeter.
     */
    interface ServicePerimeterEgressPolicyEgressTo {
        /**
         * A list of external resources that are allowed to be accessed. A request
         * matches if it contains an external resource in this list (Example:
         * s3://bucket/path). Currently '*' is not allowed.
         */
        externalResources?: string[];
        /**
         * A list of `ApiOperations` that this egress rule applies to. A request matches
         * if it contains an operation/service in this list.
         * Structure is documented below.
         */
        operations?: outputs.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperation[];
        /**
         * A list of resources, currently only projects in the form
         * `projects/<projectnumber>`, that match this to stanza. A request matches
         * if it contains a resource in this list. If * is specified for resources,
         * then this `EgressTo` rule will authorize access to all resources outside
         * the perimeter.
         * NOTE(review): `*` here together with a `*` `serviceName` in `operations`
         * is an unrestricted egress path; scope at least one of them.
         */
        resources?: string[];
        /**
         * A list of IAM roles that represent the set of operations that the sources
         * specified in the corresponding `EgressFrom`
         * are allowed to perform.
         */
        roles?: string[];
    }
    /**
     * An API service plus the methods/permissions allowed on it.
     */
    interface ServicePerimeterEgressPolicyEgressToOperation {
        /**
         * API methods or permissions to allow. Method or permission must belong
         * to the service specified by `serviceName` field. A single MethodSelector
         * entry with `*` specified for the `method` field will allow all methods
         * AND permissions for the service specified in `serviceName`.
         * Structure is documented below.
         */
        methodSelectors?: outputs.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelector[];
        /**
         * The name of the API whose methods or permissions the `IngressPolicy` or
         * `EgressPolicy` want to allow. A single `ApiOperation` with serviceName
         * field set to `*` will allow all methods AND permissions for all services.
         * NOTE(review): `*` is an all-services grant; name the service instead.
         */
        serviceName?: string;
    }
    /**
     * A single method or IAM permission selector within an `ApiOperation`.
     */
    interface ServicePerimeterEgressPolicyEgressToOperationMethodSelector {
        /**
         * Value for `method` should be a valid method name for the corresponding
         * `serviceName` in `ApiOperation`. If `*` used as value for method,
         * then ALL methods and permissions are allowed.
         */
        method?: string;
        /**
         * Value for permission should be a valid Cloud IAM permission for the
         * corresponding `serviceName` in `ApiOperation`.
         */
        permission?: string;
    }
    /**
     * Enforced ingress policy: who (and from where) may enter the perimeter.
     */
    interface ServicePerimeterIngressPolicyIngressFrom {
        /**
         * Identities can be an individual user, service account, Google group,
         * or third-party identity. For third-party identity, only single identities
         * are supported and other identity types are not supported. The v1 identities
         * that have the prefix user, group and serviceAccount in
         * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
         */
        identities?: string[];
        /**
         * Specifies the type of identities that are allowed access from outside the
         * perimeter. If left unspecified, then members of `identities` field will be
         * allowed access.
         * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
         * NOTE(review): when set, access is granted by identity *type* instead of
         * the specific `identities` listed; `ANY_IDENTITY` is the broadest grant
         * and should be paired with tight `sources` / ingress-to restrictions.
         */
        identityType?: string;
        /**
         * Sources that this `IngressPolicy` authorizes access from.
         * Structure is documented below.
         */
        sources?: outputs.accesscontextmanager.ServicePerimeterIngressPolicyIngressFromSource[];
    }
    /**
     * One origin (access level, project or VPC network) allowed to ingress.
     */
    interface ServicePerimeterIngressPolicyIngressFromSource {
        /**
         * An `AccessLevel` resource name that allows resources within the
         * `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed
         * must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent
         * `AccessLevel` will cause an error. If no `AccessLevel` names are listed,
         * resources within the perimeter can only be accessed via Google Cloud calls
         * with request origins within the perimeter.
         * Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.`
         * If * is specified, then all IngressSources will be allowed.
         * NOTE(review): `*` removes the access-level check entirely for this
         * source; prefer a named level.
         */
        accessLevel?: string;
        /**
         * A Google Cloud resource that is allowed to ingress the perimeter.
         * Requests from these resources will be allowed to access perimeter data.
         * Currently only projects and VPCs are allowed.
         * Project format: `projects/{projectNumber}`
         * VPC network format:
         * `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}`.
         * The project may be in any Google Cloud organization, not just the
         * organization that the perimeter is defined in. `*` is not allowed, the case
         * of allowing all Google Cloud resources only is not supported.
         * NOTE(review): because projects from other organizations are accepted,
         * verify project numbers against a trusted inventory before adding them.
         */
        resource?: string;
    }
    /**
     * Enforced ingress policy: what may be reached inside the perimeter.
     */
    interface ServicePerimeterIngressPolicyIngressTo {
        /**
         * A list of `ApiOperations` the sources specified in corresponding `IngressFrom`
         * are allowed to perform in this `ServicePerimeter`.
         * Structure is documented below.
         */
        operations?: outputs.accesscontextmanager.ServicePerimeterIngressPolicyIngressToOperation[];
        /**
         * A list of resources, currently only projects in the form
         * `projects/<projectnumber>`, protected by this `ServicePerimeter`
         * that are allowed to be accessed by sources defined in the
         * corresponding `IngressFrom`. A request matches if it contains
         * a resource in this list. If `*` is specified for resources,
         * then this `IngressTo` rule will authorize access to all
         * resources inside the perimeter, provided that the request
         * also matches the `operations` field.
         * NOTE(review): with `*` the `operations` list is the only remaining
         * limit, so keep it specific.
         */
        resources?: string[];
        /**
         * A list of IAM roles that represent the set of operations that the sources
         * specified in the corresponding `IngressFrom`
         * are allowed to perform.
         */
        roles?: string[];
    }
    /**
     * An API service plus the methods/permissions allowed on it.
     */
    interface ServicePerimeterIngressPolicyIngressToOperation {
        /**
         * API methods or permissions to allow. Method or permission must belong to
         * the service specified by serviceName field. A single `MethodSelector` entry
         * with `*` specified for the method field will allow all methods AND
         * permissions for the service specified in `serviceName`.
         * Structure is documented below.
         */
        methodSelectors?: outputs.accesscontextmanager.ServicePerimeterIngressPolicyIngressToOperationMethodSelector[];
        /**
         * The name of the API whose methods or permissions the `IngressPolicy` or
         * `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName`
         * field set to `*` will allow all methods AND permissions for all services.
         * NOTE(review): `*` is an all-services grant; name the service instead.
         */
        serviceName?: string;
    }
    /**
     * A single method or IAM permission selector within an `ApiOperation`.
     */
    interface ServicePerimeterIngressPolicyIngressToOperationMethodSelector {
        /**
         * Value for method should be a valid method name for the corresponding
         * serviceName in `ApiOperation`. If `*` used as value for `method`, then
         * ALL methods and permissions are allowed.
         */
        method?: string;
        /**
         * Value for permission should be a valid Cloud IAM permission for the
         * corresponding `serviceName` in `ApiOperation`.
         */
        permission?: string;
    }
    /**
     * Full configuration of a service perimeter: protected projects, restricted
     * services, and the access levels / ingress / egress rules that open it up.
     */
    interface ServicePerimeterSpec {
        /**
         * A list of AccessLevel resource names that allow resources within
         * the ServicePerimeter to be accessed from the internet.
         * AccessLevels listed must be in the same policy as this
         * ServicePerimeter. Referencing a nonexistent AccessLevel is a
         * syntax error. If no AccessLevel names are listed, resources within
         * the perimeter can only be accessed via GCP calls with request
         * origins within the perimeter. For Service Perimeter Bridge, must
         * be empty.
         * Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}
         */
        accessLevels?: string[];
        /**
         * List of EgressPolicies to apply to the perimeter. A perimeter may
         * have multiple EgressPolicies, each of which is evaluated separately.
         * Access is granted if any EgressPolicy grants it. Must be empty for
         * a perimeter bridge.
         * Structure is documented below.
         * NOTE(review): policies are OR-ed — one over-broad policy undoes the
         * others, so review each one on its own.
         */
        egressPolicies?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicy[];
        /**
         * List of `IngressPolicies` to apply to the perimeter. A perimeter may
         * have multiple `IngressPolicies`, each of which is evaluated
         * separately. Access is granted if any `Ingress Policy` grants it.
         * Must be empty for a perimeter bridge.
         * Structure is documented below.
         * NOTE(review): policies are OR-ed — one over-broad policy undoes the
         * others, so review each one on its own.
         */
        ingressPolicies?: outputs.accesscontextmanager.ServicePerimeterSpecIngressPolicy[];
        /**
         * A list of GCP resources that are inside of the service perimeter.
         * Currently only projects are allowed.
         * Format: projects/{project_number}
         */
        resources?: string[];
        /**
         * GCP services that are subject to the Service Perimeter
         * restrictions. Must contain a list of services. For example, if
         * `storage.googleapis.com` is specified, access to the storage
         * buckets inside the perimeter must meet the perimeter's access
         * restrictions.
         * NOTE(review): by this definition, services that are not listed are
         * not restricted by the perimeter — check that every service holding
         * sensitive data is included.
         */
        restrictedServices?: string[];
        /**
         * Specifies how APIs are allowed to communicate within the Service
         * Perimeter.
         * Structure is documented below.
         */
        vpcAccessibleServices?: outputs.accesscontextmanager.ServicePerimeterSpecVpcAccessibleServices;
    }
    /**
     * One egress policy of a perimeter spec: a source clause, a destination
     * clause and a title.
     */
    interface ServicePerimeterSpecEgressPolicy {
        /**
         * Defines conditions on the source of a request causing this `EgressPolicy` to apply.
         * Structure is documented below.
         */
        egressFrom?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressFrom;
        /**
         * Defines the conditions on the `ApiOperation` and destination resources that
         * cause this `EgressPolicy` to apply.
         * Structure is documented below.
         */
        egressTo?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressTo;
        /**
         * Human readable title. Must be unique within the perimeter. Does not affect behavior.
         */
        title?: string;
    }
    /**
     * Spec egress policy: who (and from where) may leave the perimeter.
     */
    interface ServicePerimeterSpecEgressPolicyEgressFrom {
        /**
         * A list of identities that are allowed access through this `EgressPolicy`.
         * Should be in the format of email address. The email address should
         * represent individual user or service account only.
         */
        identities?: string[];
        /**
         * Specifies the type of identities that are allowed access to outside the
         * perimeter. If left unspecified, then members of `identities` field will
         * be allowed access.
         * Possible values are: `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
         * NOTE(review): when set, access is granted by identity *type* instead of
         * the specific `identities` listed; `ANY_IDENTITY` is the broadest grant
         * and should be paired with tight `sources` / egress-to restrictions.
         */
        identityType?: string;
        /**
         * Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.
         * Possible values are: `SOURCE_RESTRICTION_UNSPECIFIED`, `SOURCE_RESTRICTION_ENABLED`, `SOURCE_RESTRICTION_DISABLED`.
         * NOTE(review): with `SOURCE_RESTRICTION_DISABLED` the `sources` list is
         * not enforced.
         */
        sourceRestriction?: string;
        /**
         * Sources that this EgressPolicy authorizes access from.
         * Structure is documented below.
         */
        sources?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressFromSource[];
    }
    /**
     * One origin (access level or project) allowed to egress under the spec.
     */
    interface ServicePerimeterSpecEgressPolicyEgressFromSource {
        /**
         * An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
         */
        accessLevel?: string;
        /**
         * A Google Cloud resource that is allowed to egress the perimeter.
         * Requests from these resources are allowed to access data outside the perimeter.
         * Currently only projects are allowed. Project format: `projects/{project_number}`.
         * The resource may be in any Google Cloud organization, not just the
         * organization that the perimeter is defined in. `*` is not allowed, the
         * case of allowing all Google Cloud resources only is not supported.
         * NOTE(review): because projects from other organizations are accepted,
         * verify project numbers against a trusted inventory before adding them.
         */
        resource?: string;
    }
    /**
     * Spec egress policy: what may be reached outside the perimeter.
     * (Declaration continues beyond the visible portion of the file.)
     */
    interface ServicePerimeterSpecEgressPolicyEgressTo {
        /**
         * A list of external resources that are allowed to be accessed. A request
         * matches if it contains an external resource in this list (Example:
         * s3://bucket/path). Currently '*' is not allowed.
         */
        externalResources?: string[];
        /**
         * A list of `ApiOperations` that this egress rule applies to.
A request matches * if it contains an operation/service in this list. * Structure is documented below. */ operations?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressToOperation[]; /** * A list of resources, currently only projects in the form * `projects/<projectnumber>`, that match this `EgressTo` stanza. A request matches * if it contains a resource in this list. If `*` is specified for resources, * then this `EgressTo` rule will authorize access to all resources outside * the perimeter. Combining `*` here with an `ApiOperation` whose `serviceName` is `*` * leaves the rule with no destination or operation restriction at all, letting the matching * sources reach any resource outside the perimeter via any API; keep `operations` narrow * whenever `*` is used. */ resources?: string[]; /** * A list of IAM roles that represent the set of operations that the sources * specified in the corresponding `EgressFrom` * are allowed to perform. */ roles?: string[]; } interface ServicePerimeterSpecEgressPolicyEgressToOperation { /** * API methods or permissions to allow. Method or permission must belong * to the service specified by `serviceName` field. A single MethodSelector * entry with `*` specified for the `method` field will allow all methods * AND permissions for the service specified in `serviceName`. * Structure is documented below. */ methodSelectors?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressToOperationMethodSelector[]; /** * The name of the API whose methods or permissions the `IngressPolicy` or * `EgressPolicy` want to allow. A single `ApiOperation` with serviceName * field set to `*` will allow all methods AND permissions for all services. */ serviceName?: string; } interface ServicePerimeterSpecEgressPolicyEgressToOperationMethodSelector { /** * Value for `method` should be a valid method name for the corresponding * `serviceName` in `ApiOperation`. If `*` used as value for method, * then ALL methods and permissions are allowed. */ method?: string; /** * Value for permission should be a valid Cloud IAM permission for the * corresponding `serviceName` in `ApiOperation`. 
*/ permission?: string; } interface ServicePerimeterSpecIngressPolicy { /** * Defines the conditions on the source of a request causing this `IngressPolicy` * to apply. * Structure is documented below. */ ingressFrom?: outputs.accesscontextmanager.ServicePerimeterSpecIngressPolicyIngressFrom; /** * Defines the conditions on the `ApiOperation` and request destination that cause * this `IngressPolicy` to apply. * Structure is documented below. */ ingressTo?: outputs.accesscontextmanager.ServicePerimeterSpecIngressPolicyIngressTo; /** * Human readable title. Must be unique within the perimeter. Does not affect behavior. */ title?: string; } interface ServicePerimeterSpecIngressPolicyIngressFrom { /** * A list of identities that are allowed access through this ingress policy. * Should be in the format of email address. The email address should represent * individual user or service account only. */ identities?: string[]; /** * Specifies the type of identities that are allowed access from outside the * perimeter. If left unspecified, then members of `identities` field will be * allowed access. `ANY_IDENTITY` is the broadest setting and places the entire burden of * restriction on `sources` and the corresponding `ingressTo`. * Possible values are: `IDENTITY_TYPE_UNSPECIFIED`, `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`. */ identityType?: string; /** * Sources that this `IngressPolicy` authorizes access from. * Structure is documented below. */ sources?: outputs.accesscontextmanager.ServicePerimeterSpecIngressPolicyIngressFromSource[]; } interface ServicePerimeterSpecIngressPolicyIngressFromSource { /** * An AccessLevel resource name that allows requests originating outside the ServicePerimeter to reach resources inside it. */ accessLevel?: string; /** * A Google Cloud resource that is allowed to ingress the perimeter. * Requests from these resources are allowed to access perimeter data. * Currently only projects are allowed. Project format: `projects/{project_number}`. * The resource may be in any Google Cloud organization, not just the * organization that the perimeter is defined in. 
`*` is not allowed, the * case of allowing all Google Cloud resources only is not supported. */ resource?: string; } interface ServicePerimeterSpecIngressPolicyIngressTo { /** * A list of `ApiOperations` the sources specified in corresponding `IngressFrom` * are allowed to perform in this `ServicePerimeter`. * Structure is documented below. */ operations?: outputs.accesscontextmanager.ServicePerimeterSpecIngressPolicyIngressToOperation[]; /** * A list of resources, currently only projects in the form * `projects/<projectnumber>`, protected by this `ServicePerimeter` * that are allowed to be accessed by sources defined in the * corresponding `IngressFrom`. A req