Service Perimeter Dry Run Egress Policy
Manage a single EgressPolicy in the spec (dry-run) configuration of a service perimeter. EgressPolicies match requests based on egressFrom and egressTo stanzas; both stanzas must match for the policy to apply. If an EgressPolicy matches a request, the request is allowed to cross the ServicePerimeter boundary. For example, an EgressPolicy can allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query a BigQuery dataset). Because this resource edits the spec rather than the enforced status configuration, it changes only what the perimeter's dry-run evaluation would permit: requests that the dry-run configuration would block are logged, not denied, until the spec is promoted to the enforced configuration.
Note: By default, updates to this resource remove the EgressPolicy from the perimeter and add it back in a non-atomic manner, so there is a window during which the policy is absent from the dry-run spec. To ensure that the new EgressPolicy is added before the old one is removed, add a lifecycle block with create_before_destroy = true to this resource.
Note: If this resource is used alongside a gcp.accesscontextmanager.ServicePerimeter resource, the service perimeter resource must have a lifecycle block with ignore_changes = [spec[0].egress_policies] so the two resources don't fight over which egress rules should be in the policy (otherwise each apply would revert the other resource's changes).
To get more information about ServicePerimeterDryRunEgressPolicy, see:
How-to Guides
Example Usage
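The following is an example added here; it is not the page's or the provider's own sample. Because the lifecycle note above is written in Terraform syntax, the example uses the Terraform google provider resources that the note refers to (google_access_context_manager_service_perimeter and google_access_context_manager_service_perimeter_dry_run_egress_policy) and applies both lifecycle settings: the perimeter ignores spec egress policies, and the dry-run egress policy is created before it is destroyed on update. The variable names, perimeter name, project numbers and the Cloud Storage method are placeholders. In Pulumi the same separation is achieved with the ignoreChanges resource option on the ServicePerimeter.

```hcl
# Added example, not from the original page. Placeholders: variable values,
# the perimeter name "analytics" and the chosen Storage method.

variable "access_policy_id"       { type = string } # numeric Access Policy ID
variable "inside_project_number"  { type = string } # project protected by the perimeter
variable "outside_project_number" { type = string } # project holding the bucket to read

resource "google_access_context_manager_service_perimeter" "perimeter" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/servicePerimeters/analytics"
  title  = "analytics"

  # Without this flag the dry-run spec is implicitly a copy of status;
  # setting it lets spec hold a configuration that is evaluated but not enforced.
  use_explicit_dry_run_spec = true

  spec {
    resources           = ["projects/${var.inside_project_number}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
  }

  # Dry-run egress rules are owned by the separate resource below; without this
  # the perimeter would remove them on every apply and the two would fight.
  lifecycle {
    ignore_changes = [spec[0].egress_policies]
  }
}

resource "google_access_context_manager_service_perimeter_dry_run_egress_policy" "read_external_bucket" {
  perimeter = google_access_context_manager_service_perimeter.perimeter.name

  # egress_from AND egress_to must both match for the policy to apply.
  egress_from {
    # ANY_IDENTITY is the broadest setting; prefer identities = [...] listing
    # the specific service accounts that need the egress.
    identity_type = "ANY_IDENTITY"
  }

  egress_to {
    # Only the external project, and only object reads on Cloud Storage.
    resources = ["projects/${var.outside_project_number}"]
    operations {
      service_name = "storage.googleapis.com"
      method_selectors {
        method = "google.storage.objects.get"
      }
    }
  }

  # Add the replacement policy before removing the old one, so the dry-run
  # spec never briefly lacks the rule during an update.
  lifecycle {
    create_before_destroy = true
  }
}
```

Review the dry-run violation logs with this rule in place before copying it into the enforced status configuration; the policy as written lets any identity inside the perimeter read objects in the external project, so narrowing egress_from to named identities is the first thing to tighten.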
Properties
The name of the Access Policy this resource belongs to.
egressFrom: Defines conditions on the source of a request causing this EgressPolicy to apply. Structure is documented below.
egressTo: Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply. Structure is documented below.
etag: The perimeter etag is internally used to prevent overwriting the list of policies on PATCH calls. It is retrieved from the same GET perimeter API call that's used to get the current list of policies. The policy defined in this resource is added to or removed from that list, and then this etag is sent with the PATCH call along with the updated policies. If something else modified the perimeter between the GET and the PATCH, the stale etag causes the PATCH to be rejected rather than silently overwriting that other change.