16 changes: 16 additions & 0 deletions mmv1/products/accesscontextmanager/ServicePerimeter.yaml
Expand Up @@ -157,6 +157,7 @@ properties:
- status.0.access_levels
- status.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'accessLevels'
description: |
Expand All @@ -175,6 +176,7 @@ properties:
- status.0.access_levels
- status.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'restrictedServices'
description: |
Expand Down Expand Up @@ -236,6 +238,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'identities'
item_type: Api::Type::String
is_set: true
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
Expand Down Expand Up @@ -275,6 +278,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, protected by this `ServicePerimeter`
Expand Down Expand Up @@ -348,6 +352,7 @@ properties:
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
is_set: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'egressTo'
Expand All @@ -357,6 +362,7 @@ properties:
properties:
- !ruby/object:Api::Type::Array
name: 'resources'
is_set: true
item_type: Api::Type::String
description: |
A list of resources, currently only projects in the form
Expand All @@ -366,6 +372,7 @@ properties:
the perimeter.
- !ruby/object:Api::Type::Array
name: 'externalResources'
is_set: true
item_type: Api::Type::String
description: |
A list of external resources that are allowed to be accessed. A request
Expand Down Expand Up @@ -423,6 +430,7 @@ properties:
- spec.0.access_levels
- spec.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'accessLevels'
description: |
Expand All @@ -441,6 +449,7 @@ properties:
- spec.0.access_levels
- spec.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'restrictedServices'
description: |
Expand All @@ -454,6 +463,7 @@ properties:
- spec.0.access_levels
- spec.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::NestedObject
name: 'vpcAccessibleServices'
description: |
Expand All @@ -471,6 +481,7 @@ properties:
The list of APIs usable within the Service Perimeter.
Must be empty unless `enableRestriction` is True.
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'ingressPolicies'
description: |
Expand Down Expand Up @@ -500,6 +511,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'identities'
item_type: Api::Type::String
is_set: true
description: |
A list of identities that are allowed access through this ingress policy.
Should be in the format of email address. The email address should represent
Expand Down Expand Up @@ -539,6 +551,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, protected by this `ServicePerimeter`
Expand Down Expand Up @@ -613,6 +626,7 @@ properties:
Should be in the format of email address. The email address should
represent individual user or service account only.
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::NestedObject
name: 'egressTo'
description: |
Expand All @@ -622,6 +636,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, that match this to stanza. A request matches
Expand All @@ -631,6 +646,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'externalResources'
item_type: Api::Type::String
is_set: true
description: |
A list of external resources that are allowed to be accessed. A request
matches if it contains an external resource in this list (Example:
Expand Down
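Review bot: Every `is_set: true` added in this file turns a string list that existing configurations may index (`status[0].restricted_services[0]`, `spec[0].access_levels[0]`) into a set, which breaks such references and silently collapses duplicate entries, yet nothing in the hunks records this as a breaking change; the upgrade guide or changelog entry should state that these fields are now unordered. Set semantics are the right model here — VPC Service Controls treats `identities`, `resources`, `restricted_services` and `allowed_services` as unordered allow lists, and removing order-only diffs takes away the temptation to put these security-relevant fields under `lifecycle { ignore_changes }`. The `ingressPolicies` and `egressPolicies` arrays themselves stay ordered lists (the `name: 'ingressPolicies'` context line is unchanged), so a plan can still reshuffle whole policies even though every field inside them is now order-insensitive; the description of those two arrays would benefit from a line such as `Policies are evaluated independently and their order is not significant.`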
18 changes: 17 additions & 1 deletion mmv1/products/accesscontextmanager/ServicePerimeters.yaml
Expand Up @@ -57,7 +57,6 @@ properties:
name: 'servicePerimeters'
description: |
The desired Service Perimeters that should replace all existing Service Perimeters in the Access Policy.
is_set: true
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::String
Expand Down Expand Up @@ -133,6 +132,7 @@ properties:
# - status.0.access_levels
# - status.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'accessLevels'
description: |
Expand All @@ -153,6 +153,7 @@ properties:
# - status.0.access_levels
# - status.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'restrictedServices'
description: |
Expand Down Expand Up @@ -194,6 +195,7 @@ properties:
have multiple `IngressPolicies`, each of which is evaluated
separately. Access is granted if any `Ingress Policy` grants it.
Must be empty for a perimeter bridge.
is_set: true
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::NestedObject
Expand All @@ -215,6 +217,7 @@ properties:
- :ANY_SERVICE_ACCOUNT
- !ruby/object:Api::Type::Array
name: 'identities'
is_set: true
item_type: Api::Type::String
description: |
A list of identities that are allowed access through this ingress policy.
Expand Down Expand Up @@ -255,6 +258,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, protected by this `ServicePerimeter`
Expand Down Expand Up @@ -328,6 +332,7 @@ properties:
A list of identities that are allowed access through this `EgressPolicy`.
Should be in the format of email address. The email address should
represent individual user or service account only.
is_set: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'egressTo'
Expand All @@ -338,6 +343,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, that match this to stanza. A request matches
Expand All @@ -347,6 +353,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'externalResources'
item_type: Api::Type::String
is_set: true
description: |
A list of external resources that are allowed to be accessed. A request
matches if it contains an external resource in this list (Example:
Expand Down Expand Up @@ -404,9 +411,11 @@ properties:
# - spec.0.resources
# - spec.0.access_levels
# - spec.0.restricted_services
is_set: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'accessLevels'
is_set: true
description: |
A list of AccessLevel resource names that allow resources within
the ServicePerimeter to be accessed from the internet.
Expand Down Expand Up @@ -440,6 +449,7 @@ properties:
# - spec.0.access_levels
# - spec.0.restricted_services
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::NestedObject
name: 'vpcAccessibleServices'
description: |
Expand All @@ -457,6 +467,7 @@ properties:
The list of APIs usable within the Service Perimeter.
Must be empty unless `enableRestriction` is True.
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::Array
name: 'ingressPolicies'
description: |
Expand Down Expand Up @@ -485,6 +496,7 @@ properties:
- :ANY_SERVICE_ACCOUNT
- !ruby/object:Api::Type::Array
name: 'identities'
is_set: true
item_type: Api::Type::String
description: |
A list of identities that are allowed access through this ingress policy.
Expand Down Expand Up @@ -525,6 +537,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, protected by this `ServicePerimeter`
Expand Down Expand Up @@ -599,6 +612,7 @@ properties:
Should be in the format of email address. The email address should
represent individual user or service account only.
item_type: Api::Type::String
is_set: true
- !ruby/object:Api::Type::NestedObject
name: 'egressTo'
description: |
Expand All @@ -608,6 +622,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'resources'
item_type: Api::Type::String
is_set: true
description: |
A list of resources, currently only projects in the form
`projects/<projectnumber>`, that match this to stanza. A request matches
Expand All @@ -617,6 +632,7 @@ properties:
- !ruby/object:Api::Type::Array
name: 'externalResources'
item_type: Api::Type::String
is_set: true
description: |
A list of external resources that are allowed to be accessed. A request
matches if it contains an external resource in this list (Example:
Expand Down
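Review bot: `ingressPolicies` under `status` gains `is_set: true` after its description, but judging from the hunk offsets — no insertion falls between the `spec.0.*` hunk at +467 and the `:ANY_SERVICE_ACCOUNT` hunk at +496, nor between +258 and +332 — neither the `spec` copy of `ingressPolicies` nor either `egressPolicies` array does, so half of the policy arrays in this resource become unordered sets while the other half stay ordered lists. A set of nested objects is hashed by its full content, so editing one field of a policy will plan as remove-plus-add on the set side and as an in-place update on the list side, and the same logical change will look different depending on where the policy sits. Either apply `is_set: true` to all four policy arrays or drop it from the status `ingressPolicies`, and record the choice next to the flag, e.g. `# policies are evaluated independently (any match grants access), so ordering is not significant`. Dropping `is_set` from the top-level `servicePerimeters` is consistent with that array being keyed by `name`, but since it reverses the direction of every other change here a one-line comment giving that reason would help the next reader.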
Expand Up @@ -207,6 +207,83 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
name = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
title = "%s"
perimeter_type = "PERIMETER_TYPE_REGULAR"
use_explicit_dry_run_spec = true
spec {
restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
access_levels = [google_access_context_manager_access_level.test-access.name]

vpc_accessible_services {
enable_restriction = true
allowed_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
}

ingress_policies {
ingress_from {
sources {
access_level = google_access_context_manager_access_level.test-access.name
}
identity_type = "ANY_IDENTITY"
}

ingress_to {
resources = [ "*" ]
operations {
service_name = "bigquery.googleapis.com"

method_selectors {
method = "BigQueryStorage.ReadRows"
}

method_selectors {
method = "TableService.ListTables"
}

method_selectors {
permission = "bigquery.jobs.get"
}
}

operations {
service_name = "storage.googleapis.com"

method_selectors {
method = "google.storage.objects.create"
}
}
}
}
ingress_policies {
ingress_from {
identities = ["user:test@google.com"]
}
ingress_to {
resources = ["*"]
}
}

egress_policies {
egress_from {
identity_type = "ANY_USER_ACCOUNT"
}
egress_to {
operations {
service_name = "bigquery.googleapis.com"
method_selectors {
permission = "externalResource.read"
}
}
external_resources = ["s3://bucket1"]
}
}
egress_policies {
egress_from {
identities = ["user:test@google.com"]
}
egress_to {
resources = ["*"]
}
}
}
status {
restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
access_levels = [google_access_context_manager_access_level.test-access.name]
Expand Down Expand Up @@ -251,11 +328,36 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
}
}
}
ingress_policies {
ingress_from {
identities = ["user:test@google.com"]
}
ingress_to {
resources = ["*"]
}
}

egress_policies {
egress_from {
identity_type = "ANY_USER_ACCOUNT"
}
egress_to {
operations {
service_name = "bigquery.googleapis.com"
method_selectors {
permission = "externalResource.read"
}
}
external_resources = ["s3://bucket1"]
}
}
egress_policies {
egress_from {
identities = ["user:test@google.com"]
}
egress_to {
resources = ["*"]
}
}
}
}
Expand Down
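Review bot: The new fixture widens the perimeter with `ingress_to { resources = ["*"] }` and `egress_to { resources = ["*"] }` for `user:test@google.com` in both `spec` and `status`, but no step appears to exercise what the schema change is for — that reordering `restricted_services`, `access_levels` or `identities` produces no diff now that they are sets. A follow-up step that reuses this config with the list elements reversed and sets `PlanOnly: true` (leaving `ExpectNonEmptyPlan` false) would pin that behaviour and catch a regression to list semantics. The wildcard grants are acceptable in a test, but acceptance fixtures are routinely copied as examples, so a trailing comment such as `# test-only: "*" exposes every project in the perimeter to this identity` on those lines would flag them. Minor: `resources = [ "*" ]` is spaced differently from the other `["*"]` literals. The enclosing Go test function and its raw-string config begin before this hunk.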