ServicePerimeterResourceArgs

/**
 * Arguments for placing a single GCP resource inside the enforced `status` block of a
 * service perimeter, for cases where the full project list cannot be compiled on the
 * perimeter itself and projects are added one at a time. For a perimeter in dry-run mode
 * the page points to `gcp.accesscontextmanager.ServicePerimeterDryRunResource` instead.
 *
 * Operational caveats stated on this page:
 * - When used next to a `ServicePerimeter` resource, that perimeter must ignore changes to
 *   `status[0].resources`; otherwise the two resources overwrite each other's resource list
 *   on every apply, so a project may silently drop out of (or into) enforcement.
 * - With user Application Default Credentials the provider needs `billing_project` plus
 *   `user_project_override = true`, and the account needs `serviceusage.services.use` on
 *   that project, or the ACM API answers 403.
 *
 * Both properties default to `null` here; whether the provider accepts a `null` value is
 * not stated on this page — TODO confirm against the provider schema.
 *
 * @property perimeterName The name of the Service Perimeter to add this resource to
 *   (the examples pass the full `accessPolicies/{policy}/servicePerimeters/{name}` value).
 * @property resource A GCP resource that is inside of the service perimeter. Currently only
 *   projects are allowed, by project number: `projects/{project_number}`.
 */
data class ServicePerimeterResourceArgs(val perimeterName: Output<String>? = null, val resource: Output<String>? = null) : ConvertibleToJava<ServicePerimeterResourceArgs>

Allows configuring a single GCP resource that should be inside the status block of a service perimeter. This resource is intended to be used in cases where it is not possible to compile a full list of projects to include in a gcp.accesscontextmanager.ServicePerimeter resource, to enable them to be added separately. If your perimeter is in dry-run mode use gcp.accesscontextmanager.ServicePerimeterDryRunResource instead.

Note: If this resource is used alongside a gcp.accesscontextmanager.ServicePerimeter resource, the service perimeter resource must have a lifecycle block with ignore_changes = [status[0].resources] so the two resources don't fight over which resources should be in the policy. To get more information about ServicePerimeterResource, see:

Warning: If you are using User ADCs (Application Default Credentials) with this resource, you must specify a billing_project and set user_project_override to true in the provider configuration. Otherwise the ACM API will return a 403 error. Your account must have the serviceusage.services.use permission on the billing_project you defined.

Example Usage

Access Context Manager Service Perimeter Resource Basic

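import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Organization-level access policy that owns the perimeter.
const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", {
    parent: "organizations/123456789",
    title: "my policy",
});
// Perimeter that restricts the Storage API. Its status.resources list is managed by the
// ServicePerimeterResource below (see the page note about ignoring changes to status resources).
const service_perimeter_resourceServicePerimeter = new gcp.accesscontextmanager.ServicePerimeter("service-perimeter-resource", {
    parent: pulumi.interpolate`accessPolicies/${access_policy.name}`,
    name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/restrict_all`,
    title: "restrict_all",
    status: {
        // The rendered page showed "&#46;" here; the service name is a plain dotted hostname.
        restrictedServices: ["storage.googleapis.com"],
    },
});
// Adds one project (by project number) to the perimeter's enforced resource list.
const service_perimeter_resource = new gcp.accesscontextmanager.ServicePerimeterResource("service-perimeter-resource", {
    perimeterName: service_perimeter_resourceServicePerimeter.name,
    resource: "projects/987654321",
});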
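import pulumi
import pulumi_gcp as gcp

# Organization-level access policy that owns the perimeter.
access_policy = gcp.accesscontextmanager.AccessPolicy("access-policy",
    parent="organizations/123456789",
    title="my policy")
# Perimeter that restricts the Storage API. Its status.resources list is managed by the
# ServicePerimeterResource below (see the page note about ignoring changes to status resources).
service_perimeter_resource_service_perimeter = gcp.accesscontextmanager.ServicePerimeter("service-perimeter-resource",
    parent=access_policy.name.apply(lambda name: f"accessPolicies/{name}"),
    name=access_policy.name.apply(lambda name: f"accessPolicies/{name}/servicePerimeters/restrict_all"),
    title="restrict_all",
    status={
        # The rendered page showed "&#46;" here; the service name is a plain dotted hostname.
        "restricted_services": ["storage.googleapis.com"],
    })
# Adds one project (by project number) to the perimeter's enforced resource list.
service_perimeter_resource = gcp.accesscontextmanager.ServicePerimeterResource("service-perimeter-resource",
    perimeter_name=service_perimeter_resource_service_perimeter.name,
    resource="projects/987654321")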
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Organization-level access policy that owns the perimeter.
    var accessPolicy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new()
    {
        Parent = "organizations/123456789",
        Title = "my policy",
    });

    // Both the perimeter's parent and its full name are derived from the policy name.
    var policyPrefix = accessPolicy.Name.Apply(name => $"accessPolicies/{name}");
    var perimeterFullName = policyPrefix.Apply(prefix => $"{prefix}/servicePerimeters/restrict_all");

    // Perimeter that restricts the Storage API; its resource list is managed separately below.
    var perimeter = new Gcp.AccessContextManager.ServicePerimeter("service-perimeter-resource", new()
    {
        Parent = policyPrefix,
        Name = perimeterFullName,
        Title = "restrict_all",
        Status = new Gcp.AccessContextManager.Inputs.ServicePerimeterStatusArgs
        {
            RestrictedServices = new[] { "storage.googleapis.com" },
        },
    });

    // Adds one project (by project number) to the perimeter's enforced resource list.
    var perimeterResource = new Gcp.AccessContextManager.ServicePerimeterResource("service-perimeter-resource", new()
    {
        PerimeterName = perimeter.Name,
        Resource = "projects/987654321",
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/accesscontextmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an access policy, a perimeter restricting the Storage API, and one
// project placed inside that perimeter's enforced resource list.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Organization-level access policy that owns the perimeter.
		accessPolicy, err := accesscontextmanager.NewAccessPolicy(ctx, "access-policy", &accesscontextmanager.AccessPolicyArgs{
			Parent: pulumi.String("organizations/123456789"),
			Title:  pulumi.String("my policy"),
		})
		if err != nil {
			return err
		}

		// Both the perimeter's parent and its full name are derived from the policy name.
		policyPrefix := accessPolicy.Name.ApplyT(func(policyName string) (string, error) {
			return fmt.Sprintf("accessPolicies/%v", policyName), nil
		}).(pulumi.StringOutput)
		perimeterFullName := accessPolicy.Name.ApplyT(func(policyName string) (string, error) {
			return fmt.Sprintf("accessPolicies/%v/servicePerimeters/restrict_all", policyName), nil
		}).(pulumi.StringOutput)

		// Perimeter that restricts the Storage API; its resource list is managed separately below.
		perimeter, err := accesscontextmanager.NewServicePerimeter(ctx, "service-perimeter-resource", &accesscontextmanager.ServicePerimeterArgs{
			Parent: policyPrefix,
			Name:   perimeterFullName,
			Title:  pulumi.String("restrict_all"),
			Status: &accesscontextmanager.ServicePerimeterStatusArgs{
				RestrictedServices: pulumi.StringArray{pulumi.String("storage.googleapis.com")},
			},
		})
		if err != nil {
			return err
		}

		// Adds one project (by project number) to the perimeter's enforced resource list.
		if _, err := accesscontextmanager.NewServicePerimeterResource(ctx, "service-perimeter-resource", &accesscontextmanager.ServicePerimeterResourceArgs{
			PerimeterName: perimeter.Name,
			Resource:      pulumi.String("projects/987654321"),
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accesscontextmanager.AccessPolicy;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyArgs;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeter;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterArgs;
import com.pulumi.gcp.accesscontextmanager.inputs.ServicePerimeterStatusArgs;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterResource;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterResourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an access policy, a perimeter restricting the Storage API, and one project
     * placed inside that perimeter's enforced resource list.
     */
    public static void stack(Context ctx) {
        // Organization-level access policy that owns the perimeter.
        var accessPolicy = new AccessPolicy("access-policy", AccessPolicyArgs.builder()
            .parent("organizations/123456789")
            .title("my policy")
            .build());

        // Both the perimeter's parent and its full name are derived from the policy name.
        var policyPrefix = accessPolicy.name()
            .applyValue(policyName -> String.format("accessPolicies/%s", policyName));
        var perimeterFullName = accessPolicy.name()
            .applyValue(policyName -> String.format("accessPolicies/%s/servicePerimeters/restrict_all", policyName));
        var restrictedStatus = ServicePerimeterStatusArgs.builder()
            .restrictedServices("storage.googleapis.com")
            .build();

        // Perimeter that restricts the Storage API; its resource list is managed separately below.
        var perimeter = new ServicePerimeter("service-perimeter-resourceServicePerimeter", ServicePerimeterArgs.builder()
            .parent(policyPrefix)
            .name(perimeterFullName)
            .title("restrict_all")
            .status(restrictedStatus)
            .build());

        // Adds one project (by project number) to the perimeter's enforced resource list.
        new ServicePerimeterResource("service-perimeter-resource", ServicePerimeterResourceArgs.builder()
            .perimeterName(perimeter.name())
            .resource("projects/987654321")
            .build());
    }
}
# Pulumi YAML form of the example above. Keys under "resources" are logical names;
# the "name:" entry on the perimeter appears to set its resource name to match the
# other language examples — confirm against the Pulumi YAML docs.
resources:
  service-perimeter-resource:
    type: gcp:accesscontextmanager:ServicePerimeterResource
    properties:
      # Full perimeter name produced by the ServicePerimeter resource declared below.
      perimeterName: ${["service-perimeter-resourceServicePerimeter"].name}
      # Only projects are accepted, by project number (projects/{project_number}).
      resource: projects/987654321
  service-perimeter-resourceServicePerimeter:
    type: gcp:accesscontextmanager:ServicePerimeter
    name: service-perimeter-resource
    properties:
      parent: accessPolicies/${["access-policy"].name}
      name: accessPolicies/${["access-policy"].name}/servicePerimeters/restrict_all
      title: restrict_all
      # Enforced restriction; the resource list itself is managed by the resource above.
      status:
        restrictedServices:
          - storage.googleapis.com
  access-policy:
    type: gcp:accesscontextmanager:AccessPolicy
    properties:
      parent: organizations/123456789
      title: my policy

Import

ServicePerimeterResource can be imported using any of these accepted formats:

  • {{perimeter_name}}/{{resource}}

When using the pulumi import command, ServicePerimeterResource can be imported using one of the formats above. For example:

$ pulumi import gcp:accesscontextmanager/servicePerimeterResource:ServicePerimeterResource default {{perimeter_name}}/{{resource}}

Constructors

constructor(perimeterName: Output<String>? = null, resource: Output<String>? = null)

Properties

val perimeterName: Output<String>? = null

The name of the Service Perimeter to add this resource to.

val resource: Output<String>? = null

A GCP resource that is inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}

Functions

open override fun toJava(): ServicePerimeterResourceArgs