accesscontextmanager - Update perimeter fine grained resources with ingore_changes note (#12372) (#20439)

[upstream:1f3b302a8bf982f31ade3b085fa5057fc55af702]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12372.txt

@@ -0,0 +1,3 @@
+```release-note:none
+
+```

website/docs/r/access_context_manager_service_perimeter_dry_run_egress_policy.html.markdown

@@ -31,6 +31,9 @@ or query against a BigQuery dataset).
 ~> **Note:** By default, updates to this resource will remove the EgressPolicy from the
 from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy
 is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
+~> **Note:** If this resource is used alongside a `google_access_context_manager_service_perimeter` resource,
+the service perimeter resource must have a `lifecycle` block with `ignore_changes = [spec[0].egress_policies]` so
+they don't fight over which egress rules should be in the policy.
 
 
 To get more information about ServicePerimeterDryRunEgressPolicy, see:
@@ -51,7 +54,7 @@ resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
     restricted_services = ["storage.googleapis.com"]
   }
   lifecycle {
-    ignore_changes = [status[0].resources]
+    ignore_changes = [spec[0].egress_policies] # Allows egress policies to be managed by google_access_context_manager_service_perimeter_dry_run_egress_policy resources
   }
 }
 

website/docs/r/access_context_manager_service_perimeter_dry_run_ingress_policy.html.markdown

@@ -32,6 +32,9 @@ or actions they match using the ingressTo field.
 ~> **Note:** By default, updates to this resource will remove the IngressPolicy from the
 from the perimeter and add it back in a non-atomic manner. To ensure that the new IngressPolicy
 is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
+~> **Note:** If this resource is used alongside a `google_access_context_manager_service_perimeter` resource,
+the service perimeter resource must have a `lifecycle` block with `ignore_changes = [spec[0].ingress_policies]` so
+they don't fight over which ingress rules should be in the policy.
 
 
 To get more information about ServicePerimeterDryRunIngressPolicy, see:
@@ -52,7 +55,7 @@ resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
     restricted_services = ["storage.googleapis.com"]
   }
   lifecycle {
-    ignore_changes = [status[0].resources]
+    ignore_changes = [spec[0].ingress_policies] # Allows ingress policies to be managed by google_access_context_manager_service_perimeter_dry_run_ingress_policy resources
   }
 }
 

website/docs/r/access_context_manager_service_perimeter_egress_policy.html.markdown

@@ -31,6 +31,9 @@ or query against a BigQuery dataset).
 ~> **Note:** By default, updates to this resource will remove the EgressPolicy from the
 from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy
 is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
+~> **Note:** If this resource is used alongside a `google_access_context_manager_service_perimeter` resource,
+the service perimeter resource must have a `lifecycle` block with `ignore_changes = [status[0].egress_policies]` so
+they don't fight over which egress rules should be in the policy.
 
 
 To get more information about ServicePerimeterEgressPolicy, see:
@@ -51,7 +54,7 @@ resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
     restricted_services = ["storage.googleapis.com"]
   }
   lifecycle {
-    ignore_changes = [status[0].resources]
+    ignore_changes = [status[0].egress_policies] # Allows ingress policies to be managed by google_access_context_manager_service_perimeter_egress_policy resources
   }
 }
 

website/docs/r/access_context_manager_service_perimeter_ingress_policy.html.markdown

@@ -32,6 +32,9 @@ or actions they match using the ingressTo field.
 ~> **Note:** By default, updates to this resource will remove the IngressPolicy from the
 from the perimeter and add it back in a non-atomic manner. To ensure that the new IngressPolicy
 is added before the old one is removed, add a `lifecycle` block with `create_before_destroy = true` to this resource.
+~> **Note:** If this resource is used alongside a `google_access_context_manager_service_perimeter` resource,
+the service perimeter resource must have a `lifecycle` block with `ignore_changes = [status[0].ingress_policies]` so
+they don't fight over which ingress rules should be in the policy.
 
 
 To get more information about ServicePerimeterIngressPolicy, see:
@@ -52,7 +55,7 @@ resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
     restricted_services = ["storage.googleapis.com"]
   }
   lifecycle {
-    ignore_changes = [status[0].resources]
+    ignore_changes = [status[0].ingress_policies] # Allows ingress policies to be managed by google_access_context_manager_service_perimeter_ingress_policy resources
   }
 }