
Commit c55c78e

Support for projects in EgressSource (#12532) (#21190)
[upstream:43ea8747f7ccc2ef1774b12444a8f4dae98cc0cb] Signed-off-by: Modular Magician <[email protected]>
1 parent 08abea4 commit c55c78e

17 files changed

+284
-13
lines changed

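--- a/.changelog/12532.txt
+++ b/.changelog/12532.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+accesscontextmanager: added `resource` to `sources` in `egress_from` under resources `google_access_context_manager_service_perimeter`, `google_access_context_manager_service_perimeters`, `google_access_context_manager_service_perimeter_egress_policy`, `google_access_context_manager_service_perimeter_dry_run_egress_policy`
+```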

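--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter.go
@@ -275,6 +275,16 @@ be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY"
 Optional: true,
 Description: `An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.`,
 },
+"resource": {
+Type: schema.TypeString,
+Optional: true,
+Description: `A Google Cloud resource that is allowed to egress the perimeter.
+Requests from these resources are allowed to access data outside the perimeter.
+Currently only projects are allowed. Project format: 'projects/{project_number}'.
+The resource may be in any Google Cloud organization, not just the
+organization that the perimeter is defined in. '*' is not allowed, the
+case of allowing all Google Cloud resources only is not supported.`,
+},
 },
 },
 },
@@ -643,6 +653,16 @@ be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY"
 Optional: true,
 Description: `An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.`,
 },
+"resource": {
+Type: schema.TypeString,
+Optional: true,
+Description: `A Google Cloud resource that is allowed to egress the perimeter.
+Requests from these resources are allowed to access data outside the perimeter.
+Currently only projects are allowed. Project format: 'projects/{project_number}'.
+The resource may be in any Google Cloud organization, not just the
+organization that the perimeter is defined in. '*' is not allowed, the
+case of allowing all Google Cloud resources only is not supported.`,
+},
 },
 },
 },
@@ -1651,6 +1671,7 @@ func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSo
 }
 transformed = append(transformed, map[string]interface{}{
 "access_level": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+"resource": flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourcesResource(original["resource"], d, config),
 })
 }
 return transformed
@@ -1659,6 +1680,10 @@ func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSo
 return v
 }
 
+func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return v
+}
+
 func flattenAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
@@ -2023,6 +2048,7 @@ func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSour
 }
 transformed = append(transformed, map[string]interface{}{
 "access_level": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+"resource": flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourcesResource(original["resource"], d, config),
 })
 }
 return transformed
@@ -2031,6 +2057,10 @@ func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSour
 return v
 }
 
+func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return v
+}
+
 func flattenAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
@@ -2546,6 +2576,13 @@ func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSou
 transformed["accessLevel"] = transformedAccessLevel
 }
 
+transformedResource, err := expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourcesResource(original["resource"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedResource); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["resource"] = transformedResource
+}
+
 req = append(req, transformed)
 }
 return req, nil
@@ -2555,6 +2592,10 @@ func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSou
 return v, nil
 }
 
+func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourcesResource(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
 func expandAccessContextManagerServicePerimeterStatusEgressPoliciesEgressFromSourceRestriction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 return v, nil
 }
@@ -3080,6 +3121,13 @@ func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourc
 transformed["accessLevel"] = transformedAccessLevel
 }
 
+transformedResource, err := expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourcesResource(original["resource"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedResource); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["resource"] = transformedResource
+}
+
 req = append(req, transformed)
 }
 return req, nil
@@ -3089,6 +3137,10 @@ func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourc
 return v, nil
 }
 
+func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourcesResource(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
 func expandAccessContextManagerServicePerimeterSpecEgressPoliciesEgressFromSourceRestriction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 return v, nil
 }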
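Review bot: The new `resource` schema entries (status block at new lines 278–287, spec block at 656–665) accept any string even though their own description restricts the value to `projects/{project_number}` and forbids `*`, so a malformed or overly broad egress source is only rejected by the API at apply time rather than at plan time. Because this file is generated (the commit trailer points at an upstream MMv1 change), the fix belongs on the upstream field definition, but the rendered effect here would be a `ValidateFunc` on the field, for example `ValidateFunc: validation.StringMatch(regexp.MustCompile("^projects/[0-9]+$"), "must be projects/{project_number}"),` using the SDK's `helper/validation` package if it is already in scope. If the API treats `access_level` and `resource` as alternatives within one `sources` block, a `ConflictsWith` or `ExactlyOneOf` on the two keys would likewise surface that conflict during plan instead of as an API error; I cannot confirm the oneof from this hunk alone. The same schema shape, pass-through expanders and `IsEmptyValue` guards are repeated in resource_access_context_manager_service_perimeter_dry_run_egress_policy.go and resource_access_context_manager_service_perimeter_egress_policy.go, so whatever is decided should be applied to all three.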

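--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go
@@ -197,6 +197,17 @@ be allowed access. Possible values: ["ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SE
 ForceNew: true,
 Description: `An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.`,
 },
+"resource": {
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+Description: `A Google Cloud resource that is allowed to egress the perimeter.
+Requests from these resources are allowed to access data outside the perimeter.
+Currently only projects are allowed. Project format: 'projects/{project_number}'.
+The resource may be in any Google Cloud organization, not just the
+organization that the perimeter is defined in. '*' is not allowed, the
+case of allowing all Google Cloud resources only is not supported.`,
+},
 },
 },
 },
@@ -602,6 +613,7 @@ func flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFr
 }
 transformed = append(transformed, map[string]interface{}{
 "access_level": flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+"resource": flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourcesResource(original["resource"], d, config),
 })
 }
 return transformed
@@ -610,6 +622,10 @@ func flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFr
 return v
 }
 
+func flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return v
+}
+
 func flattenNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
@@ -777,6 +793,13 @@ func expandNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFro
 transformed["accessLevel"] = transformedAccessLevel
 }
 
+transformedResource, err := expandNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourcesResource(original["resource"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedResource); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["resource"] = transformedResource
+}
+
 req = append(req, transformed)
 }
 return req, nil
@@ -786,6 +809,10 @@ func expandNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFro
 return v, nil
 }
 
+func expandNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourcesResource(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
 func expandNestedAccessContextManagerServicePerimeterDryRunEgressPolicyEgressFromSourceRestriction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 return v, nil
 }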

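--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_generated_meta.yaml
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_generated_meta.yaml
@@ -9,6 +9,7 @@ fields:
 - field: 'egress_from.identity_type'
 - field: 'egress_from.source_restriction'
 - field: 'egress_from.sources.access_level'
+- field: 'egress_from.sources.resource'
 - field: 'egress_to.external_resources'
 - field: 'egress_to.operations.method_selectors.method'
 - field: 'egress_to.operations.method_selectors.permission'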

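--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go
@@ -22,13 +22,14 @@ func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basicTest(t *
 //projects := acctest.BootstrapServicePerimeterProjects(t, 1)
 policyTitle := acctest.RandString(t, 10)
 perimeterTitle := "perimeter"
+projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
 ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 Steps: []resource.TestStep{
 {
-Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitle),
+Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitle, projectNumber),
 },
 {
 Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitle),
@@ -85,7 +86,7 @@ func testAccCheckAccessContextManagerServicePerimeterDryRunEgressPolicyDestroyPr
 }
 }
 
-func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitleName, projectNumber string) string {
 return fmt.Sprintf(`
 %s
 
@@ -129,7 +130,17 @@ resource "google_access_context_manager_service_perimeter_dry_run_egress_policy"
 depends_on = [google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access1]
 }
 
-`, testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
+resource "google_access_context_manager_service_perimeter_dry_run_egress_policy" "test-access3" {
+perimeter = google_access_context_manager_service_perimeter.test-access.name
+egress_from {
+sources {
+resource = "projects/%s"
+}
+source_restriction = "SOURCE_RESTRICTION_ENABLED"
+}
+}
+
+`, testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName), projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName string) string {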
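Review bot: The new `test-access3` resource (new lines 133–141) only proves that a config with `resource = "projects/%s"` applies; the steps visible in the first hunk contain no import or attribute check, so a flatten that dropped or altered `resource` on read would still pass, unless an ImportState step exists outside the hunk. Adding `ImportState: true, ImportStateVerify: true` for `google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access3`, or a `resource.TestCheckResourceAttr` on `egress_from.0.sources.0.resource`, would pin the round trip. `projectNumber := envvar.GetTestProjectNumberFromEnv()` is also used unguarded: if the variable is unset the config silently becomes `projects/` and the test fails with an opaque API error rather than a clear skip, unless `acctest.AccTestPreCheck` already enforces that variable. resource_access_context_manager_service_perimeter_egress_policy_test.go has the same structure and the same gaps.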

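--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go
@@ -197,6 +197,17 @@ be allowed access. Possible values: ["ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SE
 ForceNew: true,
 Description: `An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.`,
 },
+"resource": {
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+Description: `A Google Cloud resource that is allowed to egress the perimeter.
+Requests from these resources are allowed to access data outside the perimeter.
+Currently only projects are allowed. Project format: 'projects/{project_number}'.
+The resource may be in any Google Cloud organization, not just the
+organization that the perimeter is defined in. '*' is not allowed, the
+case of allowing all Google Cloud resources only is not supported.`,
+},
 },
 },
 },
@@ -600,6 +611,7 @@ func flattenNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSour
 }
 transformed = append(transformed, map[string]interface{}{
 "access_level": flattenNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+"resource": flattenNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourcesResource(original["resource"], d, config),
 })
 }
 return transformed
@@ -608,6 +620,10 @@ func flattenNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSour
 return v
 }
 
+func flattenNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return v
+}
+
 func flattenNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
@@ -775,6 +791,13 @@ func expandNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourc
 transformed["accessLevel"] = transformedAccessLevel
 }
 
+transformedResource, err := expandNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourcesResource(original["resource"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedResource); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["resource"] = transformedResource
+}
+
 req = append(req, transformed)
 }
 return req, nil
@@ -784,6 +807,10 @@ func expandNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourc
 return v, nil
 }
 
+func expandNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourcesResource(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
 func expandNestedAccessContextManagerServicePerimeterEgressPolicyEgressFromSourceRestriction(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 return v, nil
 }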

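--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_generated_meta.yaml
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_generated_meta.yaml
@@ -9,6 +9,7 @@ fields:
 - field: 'egress_from.identity_type'
 - field: 'egress_from.source_restriction'
 - field: 'egress_from.sources.access_level'
+- field: 'egress_from.sources.resource'
 - field: 'egress_to.external_resources'
 - field: 'egress_to.operations.method_selectors.method'
 - field: 'egress_to.operations.method_selectors.permission'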

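--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go
@@ -24,13 +24,14 @@ func testAccAccessContextManagerServicePerimeterEgressPolicy_basicTest(t *testin
 //projects := acctest.BootstrapServicePerimeterProjects(t, 1)
 policyTitle := acctest.RandString(t, 10)
 perimeterTitle := "perimeter"
+projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
 ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 Steps: []resource.TestStep{
 {
-Config: testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitle),
+Config: testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitle, projectNumber),
 },
 {
 Config: testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitle),
@@ -87,7 +88,7 @@ func testAccCheckAccessContextManagerServicePerimeterEgressPolicyDestroyProducer
 }
 }
 
-func testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitleName, projectNumber string) string {
 return fmt.Sprintf(`
 %s
 
@@ -131,7 +132,17 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a
 }
 }
 
-`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
+resource "google_access_context_manager_service_perimeter_egress_policy" "test-access3" {
+perimeter = google_access_context_manager_service_perimeter.test-access.name
+egress_from {
+sources {
+resource = "projects/%s"
+}
+source_restriction = "SOURCE_RESTRICTION_ENABLED"
+}
+}
+
+`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName), projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName string) string {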

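--- a/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_generated_meta.yaml
+++ b/google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_generated_meta.yaml
@@ -14,6 +14,7 @@ fields:
 - field: 'spec.egress_policies.egress_from.identity_type'
 - field: 'spec.egress_policies.egress_from.source_restriction'
 - field: 'spec.egress_policies.egress_from.sources.access_level'
+- field: 'spec.egress_policies.egress_from.sources.resource'
 - field: 'spec.egress_policies.egress_to.external_resources'
 - field: 'spec.egress_policies.egress_to.operations.method_selectors.method'
 - field: 'spec.egress_policies.egress_to.operations.method_selectors.permission'
@@ -36,6 +37,7 @@ fields:
 - field: 'status.egress_policies.egress_from.identity_type'
 - field: 'status.egress_policies.egress_from.source_restriction'
 - field: 'status.egress_policies.egress_from.sources.access_level'
+- field: 'status.egress_policies.egress_from.sources.resource'
 - field: 'status.egress_policies.egress_to.external_resources'
 - field: 'status.egress_policies.egress_to.operations.method_selectors.method'
 - field: 'status.egress_policies.egress_to.operations.method_selectors.permission'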
