A Pulumi package for creating and managing Google Cloud Platform resources.
import * as outputs from "../types/output";
export declare namespace accesscontextmanager {
/**
 * Output shape of an access level's `basic` block: a list of conditions plus
 * the function used to combine them into a grant/deny decision.
 */
interface AccessLevelBasic {
    /**
     * How the conditions list should be combined to determine if a request
     * is granted this AccessLevel. If AND is used, each Condition in
     * conditions must be satisfied for the AccessLevel to be applied. If
     * OR is used, at least one Condition in conditions must be satisfied
     * for the AccessLevel to be applied.
     * `OR` is the more permissive choice: one matching condition is enough
     * to grant the level, so each condition must be safe on its own.
     * Default value is `AND`.
     * Possible values are: `AND`, `OR`.
     */
    combiningFunction?: string;
    /**
     * A set of requirements for the AccessLevel to be granted.
     * Structure is documented below.
     */
    conditions: outputs.accesscontextmanager.AccessLevelBasicCondition[];
}
/**
 * One condition of a basic access level. Every field is a separate
 * restriction; per the field docs below, most fields impose no restriction
 * when unset, so a condition with nothing set matches any request.
 */
interface AccessLevelBasicCondition {
    /**
     * Device specific restrictions, all restrictions must hold for
     * the Condition to be true. If not specified, all devices are
     * allowed.
     * Structure is documented below.
     */
    devicePolicy?: outputs.accesscontextmanager.AccessLevelBasicConditionDevicePolicy;
    /**
     * A list of CIDR block IP subnetwork specification. May be IPv4
     * or IPv6.
     * Note that for a CIDR IP address block, the specified IP address
     * portion must be properly truncated (i.e. all the host bits must
     * be zero) or the input is considered malformed. For example,
     * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
     * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
     * is not. The originating IP of a request must be in one of the
     * listed subnets in order for this Condition to be true.
     * If empty, all IP addresses are allowed.
     * Cannot be combined with `vpcNetworkSources` (see that field).
     */
    ipSubnetworks?: string[];
    /**
     * An allowed list of members (users, service accounts).
     * Using groups is not supported yet.
     * The signed-in user originating the request must be a part of one
     * of the provided members. If not specified, a request may come
     * from any user (logged in/not logged in, not present in any
     * groups, etc.).
     * Leaving this unset therefore does not mean "no one" but "anyone",
     * including unauthenticated requests.
     * Formats: `user:{emailid}`, `serviceAccount:{emailid}`
     */
    members?: string[];
    /**
     * Whether to negate the Condition. If true, the Condition becomes
     * a NAND over its non-empty fields, each field must be false for
     * the Condition overall to be satisfied. Defaults to false.
     * Only the fields that are set take part in the negation; an unset
     * field is not treated as "false".
     */
    negate?: boolean;
    /**
     * The request must originate from one of the provided
     * countries/regions.
     * Format: A valid ISO 3166-1 alpha-2 code.
     */
    regions?: string[];
    /**
     * A list of other access levels defined in the same Policy,
     * referenced by resource name. Referencing an AccessLevel which
     * does not exist is an error. All access levels listed must be
     * granted for the Condition to be true.
     * Format: accessPolicies/{policy_id}/accessLevels/{short_name}
     */
    requiredAccessLevels?: string[];
    /**
     * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`.
     * Structure is documented below.
     */
    vpcNetworkSources?: outputs.accesscontextmanager.AccessLevelBasicConditionVpcNetworkSource[];
}
/**
 * Device requirements of a basic access level condition. Each list is an
 * allow-list; an empty list allows every value, so the lists only restrict
 * when they are non-empty.
 */
interface AccessLevelBasicConditionDevicePolicy {
    /**
     * A list of allowed device management levels.
     * An empty list allows all management levels.
     * Each value may be one of: `MANAGEMENT_UNSPECIFIED`, `NONE`, `BASIC`, `COMPLETE`.
     * Including `NONE` presumably admits unmanaged devices — confirm
     * against the Access Context Manager docs before relying on it.
     */
    allowedDeviceManagementLevels?: string[];
    /**
     * A list of allowed encryption statuses.
     * An empty list allows all statuses.
     * Each value may be one of: `ENCRYPTION_UNSPECIFIED`, `ENCRYPTION_UNSUPPORTED`, `UNENCRYPTED`, `ENCRYPTED`.
     * Listing `UNENCRYPTED` or `ENCRYPTION_UNSUPPORTED` here presumably
     * admits devices without disk encryption.
     */
    allowedEncryptionStatuses?: string[];
    /**
     * A list of allowed OS versions.
     * An empty list allows all types and all versions.
     * Structure is documented below.
     */
    osConstraints?: outputs.accesscontextmanager.AccessLevelBasicConditionDevicePolicyOsConstraint[];
    /**
     * Whether the device needs to be approved by the customer admin.
     */
    requireAdminApproval?: boolean;
    /**
     * Whether the device needs to be corp owned.
     */
    requireCorpOwned?: boolean;
    /**
     * Whether or not screenlock is required for the DevicePolicy
     * to be true. Defaults to false.
     */
    requireScreenLock?: boolean;
}
/**
 * One OS type/version requirement inside a device policy.
 */
interface AccessLevelBasicConditionDevicePolicyOsConstraint {
    /**
     * The minimum allowed OS version. If not set, any version
     * of this OS satisfies the constraint.
     * Format: "major.minor.patch" such as "10.5.301", "9.2.1".
     */
    minimumVersion?: string;
    /**
     * The operating system type of the device.
     * Possible values are: `OS_UNSPECIFIED`, `DESKTOP_MAC`, `DESKTOP_WINDOWS`, `DESKTOP_LINUX`, `DESKTOP_CHROME_OS`, `ANDROID`, `IOS`.
     */
    osType: string;
    /**
     * If you specify DESKTOP_CHROME_OS for osType, you can optionally include requireVerifiedChromeOs to require Chrome Verified Access.
     * Only meaningful together with `osType: DESKTOP_CHROME_OS`.
     */
    requireVerifiedChromeOs?: boolean;
}
/**
 * One VPC network source of a basic access level condition; wraps the
 * subnetwork selection.
 */
interface AccessLevelBasicConditionVpcNetworkSource {
    /**
     * Sub networks within a VPC network.
     * Structure is documented below.
     */
    vpcSubnetwork?: outputs.accesscontextmanager.AccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork;
}
/**
 * A VPC network, optionally narrowed to IPv4 CIDR ranges, that requests
 * may originate from.
 */
interface AccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork {
    /**
     * Required. Network name to be allowed by this Access Level. Networks of foreign organizations require `compute.network.get` permission to be granted to caller.
     */
    network: string;
    /**
     * A list of CIDR block IP subnetwork specification. Must be IPv4.
     * Presumably the whole network is allowed when this list is omitted —
     * confirm against the provider docs.
     */
    vpcIpSubnetworks?: string[];
}
/**
 * Device requirements of an `AccessLevelCondition`. The allow-lists only
 * restrict when non-empty; an empty list allows every value.
 */
interface AccessLevelConditionDevicePolicy {
    /**
     * A list of allowed device management levels.
     * An empty list allows all management levels.
     * Each value may be one of: `MANAGEMENT_UNSPECIFIED`, `NONE`, `BASIC`, `COMPLETE`.
     */
    allowedDeviceManagementLevels?: string[];
    /**
     * A list of allowed encryption statuses.
     * An empty list allows all statuses.
     * Each value may be one of: `ENCRYPTION_UNSPECIFIED`, `ENCRYPTION_UNSUPPORTED`, `UNENCRYPTED`, `ENCRYPTED`.
     * Presumably only `ENCRYPTED` alone requires disk encryption; the
     * other values admit devices that are not (or cannot be) encrypted.
     */
    allowedEncryptionStatuses?: string[];
    /**
     * A list of allowed OS versions.
     * An empty list allows all types and all versions.
     * Structure is documented below.
     */
    osConstraints?: outputs.accesscontextmanager.AccessLevelConditionDevicePolicyOsConstraint[];
    /**
     * Whether the device needs to be approved by the customer admin.
     */
    requireAdminApproval?: boolean;
    /**
     * Whether the device needs to be corp owned.
     */
    requireCorpOwned?: boolean;
    /**
     * Whether or not screenlock is required for the DevicePolicy
     * to be true. Defaults to false.
     */
    requireScreenLock?: boolean;
}
/**
 * One OS type/version requirement inside an `AccessLevelCondition`
 * device policy. Unlike the basic-level variant there is no
 * `requireVerifiedChromeOs` field here.
 */
interface AccessLevelConditionDevicePolicyOsConstraint {
    /**
     * The minimum allowed OS version. If not set, any version
     * of this OS satisfies the constraint.
     * Format: "major.minor.patch" such as "10.5.301", "9.2.1".
     */
    minimumVersion?: string;
    /**
     * The operating system type of the device.
     * Possible values are: `OS_UNSPECIFIED`, `DESKTOP_MAC`, `DESKTOP_WINDOWS`, `DESKTOP_LINUX`, `DESKTOP_CHROME_OS`, `ANDROID`, `IOS`.
     */
    osType: string;
}
/**
 * One VPC network source of an `AccessLevelCondition`; wraps the
 * subnetwork selection.
 */
interface AccessLevelConditionVpcNetworkSource {
    /**
     * Sub networks within a VPC network.
     * Structure is documented below.
     */
    vpcSubnetwork?: outputs.accesscontextmanager.AccessLevelConditionVpcNetworkSourceVpcSubnetwork;
}
/**
 * A VPC network, optionally narrowed to IPv4 CIDR ranges, that requests
 * may originate from.
 */
interface AccessLevelConditionVpcNetworkSourceVpcSubnetwork {
    /**
     * Required. Network name to be allowed by this Access Level. Networks of foreign organizations require `compute.network.get` permission to be granted to caller.
     */
    network: string;
    /**
     * CIDR block IP subnetwork specification. Must be IPv4.
     */
    vpcIpSubnetworks?: string[];
}
/**
 * Output shape of an access level's `custom` block: a single CEL expression
 * that decides whether the level applies.
 */
interface AccessLevelCustom {
    /**
     * Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
     * This page details the objects and attributes that are used to build the CEL expressions for
     * custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
     * Structure is documented below.
     */
    expr: outputs.accesscontextmanager.AccessLevelCustomExpr;
}
/**
 * A CEL expression with its optional metadata. Only `expression` affects
 * evaluation; the other fields are descriptive.
 */
interface AccessLevelCustomExpr {
    /**
     * Description of the expression
     */
    description?: string;
    /**
     * Textual representation of an expression in Common Expression Language syntax.
     * This is the only field that is evaluated; review it as you would any
     * access-control rule.
     */
    expression: string;
    /**
     * String indicating the location of the expression for error reporting, e.g. a file name and a position in the file
     */
    location?: string;
    /**
     * Title for the expression, i.e. a short string describing its purpose.
     */
    title?: string;
}
/**
 * One access level as listed by the `AccessLevels` resource. An access
 * level is defined by either a `basic` or a `custom` block.
 */
interface AccessLevelsAccessLevel {
    /**
     * A set of predefined conditions for the access level and a combining function.
     * Structure is documented below.
     */
    basic?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasic;
    /**
     * Custom access level conditions are set using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request.
     * See CEL spec at: https://github.com/google/cel-spec.
     * Structure is documented below.
     */
    custom?: outputs.accesscontextmanager.AccessLevelsAccessLevelCustom;
    /**
     * Description of the AccessLevel and its use. Does not affect behavior.
     */
    description?: string;
    /**
     * Resource name for the Access Level. The shortName component must begin
     * with a letter and only include alphanumeric and '_'.
     * Format: accessPolicies/{policy_id}/accessLevels/{short_name}
     */
    name: string;
    /**
     * Human readable title. Must be unique within the Policy.
     */
    title: string;
}
/**
 * The `basic` block of an `AccessLevelsAccessLevel`: conditions plus the
 * function that combines them.
 */
interface AccessLevelsAccessLevelBasic {
    /**
     * How the conditions list should be combined to determine if a request
     * is granted this AccessLevel. If AND is used, each Condition in
     * conditions must be satisfied for the AccessLevel to be applied. If
     * OR is used, at least one Condition in conditions must be satisfied
     * for the AccessLevel to be applied.
     * With `OR`, each condition must be acceptable on its own, since any
     * single match grants the level.
     * Default value is `AND`.
     * Possible values are: `AND`, `OR`.
     */
    combiningFunction?: string;
    /**
     * A set of requirements for the AccessLevel to be granted.
     * Structure is documented below.
     */
    conditions: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicCondition[];
}
/**
 * One condition of an `AccessLevelsAccessLevelBasic`. Per the field docs
 * below, most fields allow everything when unset, so the restriction
 * comes only from the fields that are populated.
 */
interface AccessLevelsAccessLevelBasicCondition {
    /**
     * Device specific restrictions, all restrictions must hold for
     * the Condition to be true. If not specified, all devices are
     * allowed.
     * Structure is documented below.
     */
    devicePolicy?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionDevicePolicy;
    /**
     * A list of CIDR block IP subnetwork specification. May be IPv4
     * or IPv6.
     * Note that for a CIDR IP address block, the specified IP address
     * portion must be properly truncated (i.e. all the host bits must
     * be zero) or the input is considered malformed. For example,
     * "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
     * for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
     * is not. The originating IP of a request must be in one of the
     * listed subnets in order for this Condition to be true.
     * If empty, all IP addresses are allowed.
     * Mutually exclusive with `vpcNetworkSources`.
     */
    ipSubnetworks?: string[];
    /**
     * An allowed list of members (users, service accounts).
     * Using groups is not supported yet.
     * The signed-in user originating the request must be a part of one
     * of the provided members. If not specified, a request may come
     * from any user (logged in/not logged in, not present in any
     * groups, etc.).
     * An unset list therefore admits unauthenticated requests as well.
     * Formats: `user:{emailid}`, `serviceAccount:{emailid}`
     */
    members?: string[];
    /**
     * Whether to negate the Condition. If true, the Condition becomes
     * a NAND over its non-empty fields, each field must be false for
     * the Condition overall to be satisfied. Defaults to false.
     */
    negate?: boolean;
    /**
     * The request must originate from one of the provided
     * countries/regions.
     * Format: A valid ISO 3166-1 alpha-2 code.
     */
    regions?: string[];
    /**
     * A list of other access levels defined in the same Policy,
     * referenced by resource name. Referencing an AccessLevel which
     * does not exist is an error. All access levels listed must be
     * granted for the Condition to be true.
     * Format: accessPolicies/{policy_id}/accessLevels/{short_name}
     */
    requiredAccessLevels?: string[];
    /**
     * The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with `ipSubnetworks`.
     * Structure is documented below.
     */
    vpcNetworkSources?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionVpcNetworkSource[];
}
/**
 * Device requirements of an `AccessLevelsAccessLevelBasicCondition`.
 * Each allow-list is unrestricted when empty.
 */
interface AccessLevelsAccessLevelBasicConditionDevicePolicy {
    /**
     * A list of allowed device management levels.
     * An empty list allows all management levels.
     * Each value may be one of: `MANAGEMENT_UNSPECIFIED`, `NONE`, `BASIC`, `COMPLETE`.
     */
    allowedDeviceManagementLevels?: string[];
    /**
     * A list of allowed encryption statuses.
     * An empty list allows all statuses.
     * Each value may be one of: `ENCRYPTION_UNSPECIFIED`, `ENCRYPTION_UNSUPPORTED`, `UNENCRYPTED`, `ENCRYPTED`.
     */
    allowedEncryptionStatuses?: string[];
    /**
     * A list of allowed OS versions.
     * An empty list allows all types and all versions.
     * Structure is documented below.
     */
    osConstraints?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionDevicePolicyOsConstraint[];
    /**
     * Whether the device needs to be approved by the customer admin.
     */
    requireAdminApproval?: boolean;
    /**
     * Whether the device needs to be corp owned.
     */
    requireCorpOwned?: boolean;
    /**
     * Whether or not screenlock is required for the DevicePolicy
     * to be true. Defaults to false.
     */
    requireScreenLock?: boolean;
}
/**
 * One OS type/version requirement inside an `AccessLevelsAccessLevel`
 * device policy.
 */
interface AccessLevelsAccessLevelBasicConditionDevicePolicyOsConstraint {
    /**
     * The minimum allowed OS version. If not set, any version
     * of this OS satisfies the constraint.
     * Format: "major.minor.patch" such as "10.5.301", "9.2.1".
     */
    minimumVersion?: string;
    /**
     * The operating system type of the device.
     * Possible values are: `OS_UNSPECIFIED`, `DESKTOP_MAC`, `DESKTOP_WINDOWS`, `DESKTOP_LINUX`, `DESKTOP_CHROME_OS`, `ANDROID`, `IOS`.
     */
    osType: string;
}
/**
 * One VPC network source of an `AccessLevelsAccessLevelBasicCondition`;
 * wraps the subnetwork selection.
 */
interface AccessLevelsAccessLevelBasicConditionVpcNetworkSource {
    /**
     * Sub networks within a VPC network.
     * Structure is documented below.
     */
    vpcSubnetwork?: outputs.accesscontextmanager.AccessLevelsAccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork;
}
/**
 * A VPC network, optionally narrowed to IPv4 CIDR ranges, that requests
 * may originate from.
 */
interface AccessLevelsAccessLevelBasicConditionVpcNetworkSourceVpcSubnetwork {
    /**
     * Required. Network name to be allowed by this Access Level. Networks of foreign organizations require `compute.network.get` permission to be granted to caller.
     */
    network: string;
    /**
     * CIDR block IP subnetwork specification. Must be IPv4.
     */
    vpcIpSubnetworks?: string[];
}
/**
 * The `custom` block of an `AccessLevelsAccessLevel`: a single CEL
 * expression that decides whether the level applies.
 */
interface AccessLevelsAccessLevelCustom {
    /**
     * Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
     * This page details the objects and attributes that are used to build the CEL expressions for
     * custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
     * Structure is documented below.
     */
    expr: outputs.accesscontextmanager.AccessLevelsAccessLevelCustomExpr;
}
/**
 * A CEL expression with optional descriptive metadata; only `expression`
 * is evaluated.
 */
interface AccessLevelsAccessLevelCustomExpr {
    /**
     * Description of the expression
     */
    description?: string;
    /**
     * Textual representation of an expression in Common Expression Language syntax.
     */
    expression: string;
    /**
     * String indicating the location of the expression for error reporting, e.g. a file name and a position in the file
     */
    location?: string;
    /**
     * Title for the expression, i.e. a short string describing its purpose.
     */
    title?: string;
}
/**
 * Condition object of an `AccessPolicyIamBinding`. Its fields mirror
 * `description`, `expression` and `title` of `AccessLevelCustomExpr`,
 * with `expression` and `title` required here.
 */
interface AccessPolicyIamBindingCondition {
    /**
     * Free-text description of the condition; presumably informational
     * only, as for the other `description` fields in this namespace.
     */
    description?: string;
    /**
     * Condition expression text. Presumably Common Expression Language
     * (CEL) syntax like the other `expression` fields in this namespace —
     * confirm against the IAM Conditions documentation.
     */
    expression: string;
    /**
     * Short title identifying the condition.
     */
    title: string;
}
/**
 * Condition object of an `AccessPolicyIamMember`. Same shape as
 * `AccessPolicyIamBindingCondition`.
 */
interface AccessPolicyIamMemberCondition {
    /**
     * Free-text description of the condition; presumably informational
     * only, as for the other `description` fields in this namespace.
     */
    description?: string;
    /**
     * Condition expression text. Presumably Common Expression Language
     * (CEL) syntax like the other `expression` fields in this namespace —
     * confirm against the IAM Conditions documentation.
     */
    expression: string;
    /**
     * Short title identifying the condition.
     */
    title: string;
}
/**
 * One scoped access setting of a `GcpUserAccessBinding`: the application
 * (`scope`) it applies to plus the enforced and/or dry-run settings.
 */
interface GcpUserAccessBindingScopedAccessSetting {
    /**
     * Optional. Access settings for this scoped access settings. This field may be empty if dryRunSettings is set.
     * Structure is documented below.
     */
    activeSettings?: outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSettingActiveSettings;
    /**
     * Optional. Dry-run access settings for this scoped access settings. This field may be empty if activeSettings is set. Cannot contain session settings.
     * Structure is documented below.
     * Dry-run settings are for evaluation only; a binding that sets only
     * `dryRunSettings` presumably enforces nothing — confirm.
     */
    dryRunSettings?: outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSettingDryRunSettings;
    /**
     * Optional. Application, etc. to which the access settings will be applied to. Implicitly, this is the scoped access settings key; as such, it must be unique and non-empty.
     * Structure is documented below.
     */
    scope?: outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSettingScope;
}
/**
 * Enforced settings of a scoped access setting: the required access level
 * and optional session controls.
 */
interface GcpUserAccessBindingScopedAccessSettingActiveSettings {
    /**
     * Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
     */
    accessLevels?: string[];
    /**
     * Optional. Session settings applied to user access on a given AccessScope.
     * Structure is documented below.
     */
    sessionSettings?: outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSettingActiveSettingsSessionSettings;
}
/**
 * Session-length controls of a scoped access setting. Note that
 * `sessionLengthEnabled: false` disables every other field here and yields
 * an effectively infinite session.
 */
interface GcpUserAccessBindingScopedAccessSettingActiveSettingsSessionSettings {
    /**
     * Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
     */
    maxInactivity?: string;
    /**
     * Optional. The session length. Setting this field to zero is equal to disabling session. Also can set infinite session by flipping the enabled bit to false below. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and OIDC maxAge param.
     * A zero value is a disable, not a "re-auth immediately" — do not use
     * it to express a very short session.
     */
    sessionLength?: string;
    /**
     * Optional. This field enables or disables Google Cloud session length. When false, all fields set above will be disregarded and the session length is basically infinite.
     */
    sessionLengthEnabled?: boolean;
    /**
     * Optional. The session challenges proposed to users when the Google Cloud session length is up.
     * Possible values are: `LOGIN`, `SECURITY_KEY`, `PASSWORD`.
     */
    sessionReauthMethod?: string;
    /**
     * Optional. Only useful for OIDC apps. When false, the OIDC maxAge param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the maxAge OIDC param.
     */
    useOidcMaxAge?: boolean;
}
/**
 * Dry-run settings of a scoped access setting. Carries only an access
 * level; session settings are not permitted here.
 */
interface GcpUserAccessBindingScopedAccessSettingDryRunSettings {
    /**
     * Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
     * NOTE(review): declared as a single `string` although the text above
     * calls it a repeated field and the `activeSettings` counterpart is
     * `string[]`; confirm against the provider schema before relying on
     * the declared shape.
     */
    accessLevels?: string;
}
/**
 * Target of a scoped access setting; currently only a client scope is
 * declared.
 */
interface GcpUserAccessBindingScopedAccessSettingScope {
    /**
     * Optional. Client scope for this access scope.
     * Structure is documented below.
     */
    clientScope?: outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSettingScopeClientScope;
}
/**
 * Client scope of an access setting: the application the setting applies to.
 */
interface GcpUserAccessBindingScopedAccessSettingScopeClientScope {
    /**
     * Optional. The application that is subject to this binding's scope. Only one of clientId or name should be specified.
     * Structure is documented below.
     */
    restrictedClientApplication?: outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSettingScopeClientScopeRestrictedClientApplication;
}
/**
 * Identifies the application an access setting is scoped to, by OAuth
 * client ID or by name. Only one of the two should be set.
 */
interface GcpUserAccessBindingScopedAccessSettingScopeClientScopeRestrictedClientApplication {
    /**
     * The OAuth client ID of the application.
     * Prefer this over `name` where possible: a client ID identifies one
     * registered application unambiguously, whereas a display name is
     * presumably not unique.
     */
    clientId?: string;
    /**
     * The name of the application. Example: "Cloud Console"
     */
    name?: string;
}
/**
 * Binding-wide session-length controls of a `GcpUserAccessBinding`. Same
 * fields as the scoped `ActiveSettingsSessionSettings`; with
 * `sessionLengthEnabled: false` the other fields are ignored and the
 * session is effectively infinite.
 */
interface GcpUserAccessBindingSessionSettings {
    /**
     * Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
     */
    maxInactivity?: string;
    /**
     * Optional. The session length. Setting this field to zero is equal to disabling session. Also can set infinite session by flipping the enabled bit to false below. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and OIDC maxAge param.
     * Zero disables the session limit rather than making it very short.
     */
    sessionLength?: string;
    /**
     * Optional. This field enables or disables Google Cloud session length. When false, all fields set above will be disregarded and the session length is basically infinite.
     */
    sessionLengthEnabled?: boolean;
    /**
     * Optional. The session challenges proposed to users when the Google Cloud session length is up.
     * Possible values are: `LOGIN`, `SECURITY_KEY`, `PASSWORD`.
     */
    sessionReauthMethod?: string;
    /**
     * Optional. Only useful for OIDC apps. When false, the OIDC maxAge param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the maxAge OIDC param.
     */
    useOidcMaxAge?: boolean;
}
/**
 * One method/permission pair returned by the supported-service data source.
 */
interface GetSupportedServiceSupportedMethod {
    /**
     * A valid method name for the respective request mode. Must be a fully qualified name, for example, `storage.googleapis.com/BucketService.GetBucket`.
     */
    method: string;
    /**
     * A valid Cloud IAM permission for the respective request mode, for example, `storage.buckets.get`.
     */
    permission: string;
}
/**
 * One service entry returned by the supported-services data source, with
 * its VPC Service Controls support status.
 */
interface GetSupportedServicesSupportedService {
    /**
     * True if the service is available on the restricted VIP. Services on the restricted VIP typically either support VPC Service Controls or are core infrastructure services required for the functioning of Google Cloud.
     */
    availableOnRestrictedVip: boolean;
    /**
     * True if the service is supported with some limitations. Check [documentation](https://cloud.google.com/vpc-service-controls/docs/supported-products) for details.
     * A `true` here means the perimeter may not cover every path of the
     * service; check the linked page before treating it as protected.
     */
    knownLimitations: boolean;
    /**
     * The service name or address of the supported service, such as `storage.googleapis.com`.
     */
    name: string;
    /**
     * The support stage of the service. Values are `GA`, `PREVIEW`, and `DEPRECATED`.
     */
    serviceSupportStage: string;
    /**
     * The support stage of the service.
     * NOTE(review): documented identically to `serviceSupportStage`;
     * which of the two the data source populates is not visible here —
     * verify before depending on either.
     */
    supportStage: string;
    /**
     * The name of the supported product, such as 'Cloud Storage'.
     */
    title: string;
}
/**
 * The `egressFrom` half of a dry-run egress policy: which identities and
 * sources inside the perimeter the rule applies to.
 */
interface ServicePerimeterDryRunEgressPolicyEgressFrom {
    /**
     * Identities can be an individual user, service account, Google group,
     * or third-party identity. For third-party identity, only single identities
     * are supported and other identity types are not supported. The v1 identities
     * that have the prefix user, group and serviceAccount in
     * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
     */
    identities?: string[];
    /**
     * Specifies the type of identities that are allowed access to outside the
     * perimeter. If left unspecified, then members of `identities` field will
     * be allowed access.
     * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
     * Setting this widens the rule beyond the listed `identities`;
     * `ANY_IDENTITY` applies it to every caller.
     */
    identityType?: string;
    /**
     * Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.
     * Possible values are: `SOURCE_RESTRICTION_ENABLED`, `SOURCE_RESTRICTION_DISABLED`.
     * NOTE(review): the enforced-policy counterpart also documents
     * `SOURCE_RESTRICTION_UNSPECIFIED`; the difference may only be in the
     * generated docs — confirm.
     */
    sourceRestriction?: string;
    /**
     * Sources that this EgressPolicy authorizes access from.
     * Structure is documented below.
     */
    sources?: outputs.accesscontextmanager.ServicePerimeterDryRunEgressPolicyEgressFromSource[];
}
/**
 * One source of a dry-run egress rule: either an access level or a
 * project resource.
 */
interface ServicePerimeterDryRunEgressPolicyEgressFromSource {
    /**
     * An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
     */
    accessLevel?: string;
    /**
     * A Google Cloud resource that is allowed to egress the perimeter.
     * Requests from these resources are allowed to access data outside the perimeter.
     * Currently only projects are allowed. Project format: `projects/{project_number}`.
     * The resource may be in any Google Cloud organization, not just the
     * organization that the perimeter is defined in. `*` is not allowed, the
     * case of allowing all Google Cloud resources only is not supported.
     */
    resource?: string;
}
/**
 * The `egressTo` half of a dry-run egress policy: what outside the
 * perimeter may be reached. Note that `*` in `resources` authorizes all
 * resources outside the perimeter.
 */
interface ServicePerimeterDryRunEgressPolicyEgressTo {
    /**
     * A list of external resources that are allowed to be accessed. A request
     * matches if it contains an external resource in this list (Example:
     * s3://bucket/path). Currently '*' is not allowed.
     */
    externalResources?: string[];
    /**
     * A list of `ApiOperations` that this egress rule applies to. A request matches
     * if it contains an operation/service in this list.
     * Structure is documented below.
     */
    operations?: outputs.accesscontextmanager.ServicePerimeterDryRunEgressPolicyEgressToOperation[];
    /**
     * A list of resources, currently only projects in the form
     * `projects/<projectnumber>`, that match this to stanza. A request matches
     * if it contains a resource in this list. If * is specified for resources,
     * then this `EgressTo` rule will authorize access to all resources outside
     * the perimeter.
     * Treat `*` here as a broad exfiltration path and scope it with
     * `operations` where possible.
     */
    resources?: string[];
    /**
     * A list of IAM roles that represent the set of operations that the sources
     * specified in the corresponding `EgressFrom`
     * are allowed to perform.
     */
    roles?: string[];
}
/**
 * One API operation allowed by a dry-run egress rule: a service plus the
 * methods/permissions within it.
 */
interface ServicePerimeterDryRunEgressPolicyEgressToOperation {
    /**
     * API methods or permissions to allow. Method or permission must belong
     * to the service specified by `serviceName` field. A single MethodSelector
     * entry with `*` specified for the `method` field will allow all methods
     * AND permissions for the service specified in `serviceName`.
     * Structure is documented below.
     */
    methodSelectors?: outputs.accesscontextmanager.ServicePerimeterDryRunEgressPolicyEgressToOperationMethodSelector[];
    /**
     * The name of the API whose methods or permissions the `IngressPolicy` or
     * `EgressPolicy` want to allow. A single `ApiOperation` with serviceName
     * field set to `*` will allow all methods AND permissions for all services.
     * `*` here combined with `*` in a method selector removes the
     * operation restriction entirely.
     */
    serviceName?: string;
}
/**
 * Selects one method or one IAM permission of the enclosing operation's
 * service. Presumably only one of the two fields is set per selector.
 */
interface ServicePerimeterDryRunEgressPolicyEgressToOperationMethodSelector {
    /**
     * Value for `method` should be a valid method name for the corresponding
     * `serviceName` in `ApiOperation`. If `*` used as value for method,
     * then ALL methods and permissions are allowed.
     */
    method?: string;
    /**
     * Value for permission should be a valid Cloud IAM permission for the
     * corresponding `serviceName` in `ApiOperation`.
     */
    permission?: string;
}
/**
 * The `ingressFrom` half of a dry-run ingress policy: which identities and
 * sources outside the perimeter the rule applies to.
 */
interface ServicePerimeterDryRunIngressPolicyIngressFrom {
    /**
     * Identities can be an individual user, service account, Google group,
     * or third-party identity. For third-party identity, only single identities
     * are supported and other identity types are not supported. The v1 identities
     * that have the prefix user, group and serviceAccount in
     * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
     */
    identities?: string[];
    /**
     * Specifies the type of identities that are allowed access from outside the
     * perimeter. If left unspecified, then members of `identities` field will be
     * allowed access.
     * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
     * `ANY_IDENTITY` makes the rule apply to every caller, so the
     * `sources` list becomes the only restriction.
     */
    identityType?: string;
    /**
     * Sources that this `IngressPolicy` authorizes access from.
     * Structure is documented below.
     */
    sources?: outputs.accesscontextmanager.ServicePerimeterDryRunIngressPolicyIngressFromSource[];
}
/**
 * One source of a dry-run ingress rule: an access level (possibly `*`) or
 * a project resource.
 */
interface ServicePerimeterDryRunIngressPolicyIngressFromSource {
    /**
     * An `AccessLevel` resource name that allows resources within the
     * `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed
     * must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent
     * `AccessLevel` will cause an error. If no `AccessLevel` names are listed,
     * resources within the perimeter can only be accessed via Google Cloud calls
     * with request origins within the perimeter.
     * Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.`
     * If * is specified, then all IngressSources will be allowed.
     * `*` here admits any origin; pair it with a narrow `identityType` /
     * `identities` and `IngressTo` in the same rule.
     */
    accessLevel?: string;
    /**
     * A Google Cloud resource that is allowed to ingress the perimeter.
     * Requests from these resources will be allowed to access perimeter data.
     * Currently only projects are allowed. Format `projects/{project_number}`
     * The project may be in any Google Cloud organization, not just the
     * organization that the perimeter is defined in. `*` is not allowed, the case
     * of allowing all Google Cloud resources only is not supported.
     */
    resource?: string;
}
/**
 * The `ingressTo` half of a dry-run ingress policy: which perimeter
 * resources and operations the matched sources may reach.
 */
interface ServicePerimeterDryRunIngressPolicyIngressTo {
    /**
     * A list of `ApiOperations` the sources specified in corresponding `IngressFrom`
     * are allowed to perform in this `ServicePerimeter`.
     * Structure is documented below.
     */
    operations?: outputs.accesscontextmanager.ServicePerimeterDryRunIngressPolicyIngressToOperation[];
    /**
     * A list of resources, currently only projects in the form
     * `projects/<projectnumber>`, protected by this `ServicePerimeter`
     * that are allowed to be accessed by sources defined in the
     * corresponding `IngressFrom`. A request matches if it contains
     * a resource in this list. If `*` is specified for resources,
     * then this `IngressTo` rule will authorize access to all
     * resources inside the perimeter, provided that the request
     * also matches the `operations` field.
     * With `*` here, `operations` is the only remaining limit on what
     * the rule opens up.
     */
    resources?: string[];
    /**
     * A list of IAM roles that represent the set of operations that the sources
     * specified in the corresponding `IngressFrom`
     * are allowed to perform.
     */
    roles?: string[];
}
/**
 * One API operation allowed by a dry-run ingress rule: a service plus the
 * methods/permissions within it.
 */
interface ServicePerimeterDryRunIngressPolicyIngressToOperation {
    /**
     * API methods or permissions to allow. Method or permission must belong to
     * the service specified by serviceName field. A single `MethodSelector` entry
     * with `*` specified for the method field will allow all methods AND
     * permissions for the service specified in `serviceName`.
     * Structure is documented below.
     */
    methodSelectors?: outputs.accesscontextmanager.ServicePerimeterDryRunIngressPolicyIngressToOperationMethodSelector[];
    /**
     * The name of the API whose methods or permissions the `IngressPolicy` or
     * `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName`
     * field set to `*` will allow all methods AND permissions for all services.
     */
    serviceName?: string;
}
/**
 * Selects one method or one IAM permission of the enclosing operation's
 * service. Presumably only one of the two fields is set per selector.
 */
interface ServicePerimeterDryRunIngressPolicyIngressToOperationMethodSelector {
    /**
     * Value for method should be a valid method name for the corresponding
     * serviceName in `ApiOperation`. If `*` used as value for `method`, then
     * ALL methods and permissions are allowed.
     */
    method?: string;
    /**
     * Value for permission should be a valid Cloud IAM permission for the
     * corresponding `serviceName` in `ApiOperation`.
     */
    permission?: string;
}
/**
 * The `egressFrom` half of an enforced egress policy: which identities and
 * sources inside the perimeter the rule applies to.
 */
interface ServicePerimeterEgressPolicyEgressFrom {
    /**
     * Identities can be an individual user, service account, Google group,
     * or third-party identity. For third-party identity, only single identities
     * are supported and other identity types are not supported. The v1 identities
     * that have the prefix user, group and serviceAccount in
     * https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
     */
    identities?: string[];
    /**
     * Specifies the type of identities that are allowed access to outside the
     * perimeter. If left unspecified, then members of `identities` field will
     * be allowed access.
     * Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
     * Setting this widens the rule beyond the listed `identities`;
     * `ANY_IDENTITY` applies it to every caller.
     */
    identityType?: string;
    /**
     * Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.
     * Possible values are: `SOURCE_RESTRICTION_UNSPECIFIED`, `SOURCE_RESTRICTION_ENABLED`, `SOURCE_RESTRICTION_DISABLED`.
     * A populated `sources` list without `SOURCE_RESTRICTION_ENABLED` is
     * a configuration error, not a silently-ignored restriction.
     */
    sourceRestriction?: string;
    /**
     * Sources that this EgressPolicy authorizes access from.
     * Structure is documented below.
     */
    sources?: outputs.accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSource[];
}
/**
 * One source of an enforced egress rule: either an access level or a
 * project resource.
 */
interface ServicePerimeterEgressPolicyEgressFromSource {
    /**
     * An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
     */
    accessLevel?: string;
    /**
     * A Google Cloud resource that is allowed to egress the perimeter.
     * Requests from these resources are allowed to access data outside the perimeter.
     * Currently only projects are allowed. Project format: `projects/{project_number}`.
     * The resource may be in any Google Cloud organization, not just the
     * organization that the perimeter is defined in. `*` is not allowed, the
     * case of allowing all Google Cloud resources only is not supported.
     */
    resource?: string;
}
/**
* Destination side of a `ServicePerimeter` egress policy: the resources,
* API operations and roles that matching sources may reach outside the
* perimeter.
*/
interface ServicePerimeterEgressPolicyEgressTo {
/**
* A list of external resources that are allowed to be accessed. A request
* matches if it contains an external resource in this list (Example:
* s3://bucket/path). Currently '*' is not allowed.
*/
externalResources?: string[];
/**
* A list of `ApiOperations` that this egress rule applies to. A request matches
* if it contains an operation/service in this list.
* Structure is documented below.
*/
operations?: outputs.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperation[];
/**
* A list of resources, currently only projects in the form
* `projects/<projectnumber>`, that match this to stanza. A request matches
* if it contains a resource in this list. If `*` is specified for resources,
* then this `EgressTo` rule will authorize access to all resources outside
* the perimeter.
* NOTE(review): `*` here widens the rule to every destination; pair it with a
* narrow `operations` list and an explicit `EgressFrom` so the exception
* stays bounded.
*/
resources?: string[];
/**
* A list of IAM roles that represent the set of operations that the sources
* specified in the corresponding `EgressFrom`
* are allowed to perform.
*/
roles?: string[];
}
/**
* One API service plus the methods or permissions on it that an egress rule
* allows. A wildcard in either `serviceName` or a method selector widens the
* rule accordingly (see the field comments).
*/
interface ServicePerimeterEgressPolicyEgressToOperation {
/**
* API methods or permissions to allow. Method or permission must belong
* to the service specified by the `serviceName` field. A single MethodSelector
* entry with `*` specified for the `method` field will allow all methods
* AND permissions for the service specified in `serviceName`.
* Structure is documented below.
*/
methodSelectors?: outputs.accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelector[];
/**
* The name of the API whose methods or permissions the `IngressPolicy` or
* `EgressPolicy` want to allow. A single `ApiOperation` with the `serviceName`
* field set to `*` will allow all methods AND permissions for all services.
* NOTE(review): `*` combined with `*` in `resources` on the enclosing
* `EgressTo` effectively disables the perimeter for the matching sources;
* review such entries explicitly.
*/
serviceName?: string;
}
/**
* Selects a single method or IAM permission of the service named by the
* enclosing `ApiOperation`. Either `method` or `permission` is expected to
* be populated for an entry (not stated on this page — confirm against the
* API reference).
*/
interface ServicePerimeterEgressPolicyEgressToOperationMethodSelector {
/**
* Value for `method` should be a valid method name for the corresponding
* `serviceName` in `ApiOperation`. If `*` is used as the value for method,
* then ALL methods and permissions are allowed.
*/
method?: string;
/**
* Value for `permission` should be a valid Cloud IAM permission for the
* corresponding `serviceName` in `ApiOperation`.
*/
permission?: string;
}
/**
* Source side of a `ServicePerimeter` ingress policy: the identities and the
* external sources a request must originate from for the policy to apply.
*/
interface ServicePerimeterIngressPolicyIngressFrom {
/**
* Identities can be an individual user, service account, Google group,
* or third-party identity. For third-party identity, only single identities
* are supported and other identity types are not supported. The v1 identities
* that have the prefix user, group and serviceAccount in
* https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
*/
identities?: string[];
/**
* Specifies the type of identities that are allowed access from outside the
* perimeter. If left unspecified, then members of the `identities` field will be
* allowed access.
* Possible values are: `ANY_IDENTITY`, `ANY_USER_ACCOUNT`, `ANY_SERVICE_ACCOUNT`.
* NOTE(review): every listed value is broader than an explicit `identities`
* list; on the ingress side `ANY_IDENTITY` admits unauthenticated-by-identity
* callers subject only to `sources`, so treat it as a reviewed exception.
*/
identityType?: string;
/**
* Sources that this `IngressPolicy` authorizes access from.
* Structure is documented below.
*/
sources?: outputs.accesscontextmanager.ServicePerimeterIngressPolicyIngressFromSource[];
}
/**
* One entry of `IngressFrom.sources`: either an access level or a single
* Google Cloud resource (project or VPC network) permitted to enter the
* perimeter.
*/
interface ServicePerimeterIngressPolicyIngressFromSource {
/**
* An `AccessLevel` resource name that allows resources within the
* `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed
* must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent
* `AccessLevel` will cause an error. If no `AccessLevel` names are listed,
* resources within the perimeter can only be accessed via Google Cloud calls
* with request origins within the perimeter.
* Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.`
* If `*` is specified, then all IngressSources will be allowed.
* NOTE(review): `*` removes the source condition, leaving `identities` /
* `identityType` as the only gate on ingress; check both before using it.
*/
accessLevel?: string;
/**
* A Google Cloud resource that is allowed to ingress the perimeter.
* Requests from these resources will be allowed to access perimeter data.
* Currently only projects and VPCs are allowed.
* Project format: `projects/{projectNumber}`
* VPC network format:
* `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}`.
* The project may be in any Google Cloud organization, not just the
* organization that the perimeter is defined in. `*` is not allowed;
* allowing all Google Cloud resources is not supported.
* NOTE(review): because cross-organization projects are accepted, verify the
* project number or network path refers to the intended organization.
*/
resource?: string;
}
/**
* Destination side of a `ServicePerimeter` ingress policy: the protected
* resources, API operations and roles that matching sources may use inside
* the perimeter.
*/
interface ServicePerimeterIngressPolicyIngressTo {
/**
* A list of `ApiOperations` the sources specified in the corresponding `IngressFrom`
* are allowed to perform in this `ServicePerimeter`.
* Structure is documented below.
*/
operations?: outputs.accesscontextmanager.ServicePerimeterIngressPolicyIngressToOperation[];
/**
* A list of resources, currently only projects in the form
* `projects/<projectnumber>`, protected by this `ServicePerimeter`
* that are allowed to be accessed by sources defined in the
* corresponding `IngressFrom`. A request matches if it contains
* a resource in this list. If `*` is specified for resources,
* then this `IngressTo` rule will authorize access to all
* resources inside the perimeter, provided that the request
* also matches the `operations` field.
* NOTE(review): with `*` the `operations` list is the only remaining
* restriction on the destination, so keep it explicit rather than wildcarded.
*/
resources?: string[];
/**
* A list of IAM roles that represent the set of operations that the sources
* specified in the corresponding `IngressFrom`
* are allowed to perform.
*/
roles?: string[];
}
/**
* One API service plus the methods or permissions on it that an ingress rule
* allows. A wildcard in either `serviceName` or a method selector widens the
* rule accordingly (see the field comments).
*/
interface ServicePerimeterIngressPolicyIngressToOperation {
/**
* API methods or permissions to allow. Method or permission must belong to
* the service specified by the `serviceName` field. A single `MethodSelector` entry
* with `*` specified for the method field will allow all methods AND
* permissions for the service specified in `serviceName`.
* Structure is documented below.
*/
methodSelectors?: outputs.accesscontextmanager.ServicePerimeterIngressPolicyIngressToOperationMethodSelector[];
/**
* The name of the API whose methods or permissions the `IngressPolicy` or
* `EgressPolicy` want to allow. A single `ApiOperation` with the `serviceName`
* field set to `*` will allow all methods AND permissions for all services.
* NOTE(review): `*` combined with `*` in `resources` on the enclosing
* `IngressTo` opens every protected service to the matching sources; review
* such entries explicitly.
*/
serviceName?: string;
}
/**
* Selects a single method or IAM permission of the service named by the
* enclosing `ApiOperation`. Either `method` or `permission` is expected to
* be populated for an entry (not stated on this page — confirm against the
* API reference).
*/
interface ServicePerimeterIngressPolicyIngressToOperationMethodSelector {
/**
* Value for `method` should be a valid method name for the corresponding
* `serviceName` in `ApiOperation`. If `*` is used as the value for `method`, then
* ALL methods and permissions are allowed.
*/
method?: string;
/**
* Value for `permission` should be a valid Cloud IAM permission for the
* corresponding `serviceName` in `ApiOperation`.
*/
permission?: string;
}
/**
* The `spec` block of a `ServicePerimeter`: the protected projects, the
* services restricted within them, and the access levels and ingress/egress
* policies that grant exceptions.
* NOTE(review): whether this block is enforced or only evaluated (dry run)
* depends on settings of the parent `ServicePerimeter` resource that are not
* shown here — confirm against the resource documentation.
*/
interface ServicePerimeterSpec {
/**
* A list of AccessLevel resource names that allow resources within
* the ServicePerimeter to be accessed from the internet.
* AccessLevels listed must be in the same policy as this
* ServicePerimeter. Referencing a nonexistent AccessLevel is a
* syntax error. If no AccessLevel names are listed, resources within
* the perimeter can only be accessed via GCP calls with request
* origins within the perimeter. For Service Perimeter Bridge, must
* be empty.
* Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}
*/
accessLevels?: string[];
/**
* List of EgressPolicies to apply to the perimeter. A perimeter may
* have multiple EgressPolicies, each of which is evaluated separately.
* Access is granted if any EgressPolicy grants it. Must be empty for
* a perimeter bridge.
* Structure is documented below.
* NOTE(review): policies are OR-ed, so one permissive entry overrides every
* stricter sibling; review the broadest entry, not the average.
*/
egressPolicies?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicy[];
/**
* List of `IngressPolicies` to apply to the perimeter. A perimeter may
* have multiple `IngressPolicies`, each of which is evaluated
* separately. Access is granted if any `IngressPolicy` grants it.
* Must be empty for a perimeter bridge.
* Structure is documented below.
* NOTE(review): as with `egressPolicies`, a single permissive entry decides
* the outcome.
*/
ingressPolicies?: outputs.accesscontextmanager.ServicePerimeterSpecIngressPolicy[];
/**
* A list of GCP resources that are inside of the service perimeter.
* Currently only projects are allowed.
* Format: projects/{project_number}
*/
resources?: string[];
/**
* GCP services that are subject to the Service Perimeter
* restrictions. Must contain a list of services. For example, if
* `storage.googleapis.com` is specified, access to the storage
* buckets inside the perimeter must meet the perimeter's access
* restrictions.
* NOTE(review): services not listed here are not protected by the
* perimeter at all, so an incomplete list is a silent gap rather than an
* error.
*/
restrictedServices?: string[];
/**
* Specifies how APIs are allowed to communicate within the Service
* Perimeter.
* Structure is documented below.
*/
vpcAccessibleServices?: outputs.accesscontextmanager.ServicePerimeterSpecVpcAccessibleServices;
}
/**
* One egress exception in a `ServicePerimeterSpec`: a request is authorized
* when it satisfies both the `egressFrom` source conditions and the
* `egressTo` destination conditions. An omitted half places no condition on
* that side of the request.
*/
interface ServicePerimeterSpecEgressPolicy {
/**
* Defines conditions on the source of a request causing this `EgressPolicy` to apply.
* Structure is documented below.
*/
egressFrom?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressFrom;
/**
* Defines the conditions on the `ApiOperation` and destination resources that
* cause this `EgressPolicy` to apply.
* Structure is documented below.
*/
egressTo?: outputs.accesscontextmanager.ServicePerimeterSpecEgressPolicyEgressTo;
/**
* Human-readable title. Must be unique within the perimeter. Does not affect behavior.
* Useful as the stable label to reference in audit log review and change
* tracking, since policies are otherwise identified only by content.
*/
title?: string;
}
interface ServicePerimeterSpecEgressPolicyEgressFrom {
/**
* A list of identities that are allowed access through this `EgressPolicy`.
* Should be in the format of email address. The email address should
* represent individual user or service account only.
*/
identities?: string[];
/**
* Specifies the type of identities that are allowed access to outside the
* perimeter. If left unspecified, then members of `identities` field will
* be allowed access.
* Possible value