pulumi-gcp-kotlin/com.pulumi.gcp.accesscontextmanager.kotlin/ServicePerimeterResource

ServicePerimeterResource

class ServicePerimeterResource : KotlinCustomResource

Allows configuring a single GCP resource that should be inside the status block of a service perimeter. This resource is intended to be used in cases where it is not possible to compile a full list of projects to include in a gcp.accesscontextmanager.ServicePerimeter resource, to enable them to be added separately. If your perimeter is in dry-run mode use gcp.accesscontextmanager.ServicePerimeterDryRunResource instead.

Note: If this resource is used alongside a gcp.accesscontextmanager.ServicePerimeter resource, the service perimeter resource must have a lifecycle block with ignore_changes = [status[0].resources] so they don't fight over which resources should be in the policy. To get more information about ServicePerimeterResource, see:

API documentation
How-to Guides

Service Perimeter Quickstart

Warning: If you are using User ADCs (Application Default Credentials) with this resource, you must specify a billing_project and set user_project_override to true in the provider configuration. Otherwise the ACM API will return a 403 error. Your account must have the serviceusage.services.use permission on the billing_project you defined.

Example Usage

Access Context Manager Service Perimeter Resource Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", {
    parent: "organizations/123456789",
    title: "my policy",
});
const service_perimeter_resourceServicePerimeter = new gcp.accesscontextmanager.ServicePerimeter("service-perimeter-resource", {
    parent: pulumi.interpolate`accessPolicies/${access_policy.name}`,
    name: pulumi.interpolate`accessPolicies/${access_policy.name}/servicePerimeters/restrict_all`,
    title: "restrict_all",
    status: {
        restrictedServices: ["storage&#46;googleapis&#46;com"],
    },
});
const service_perimeter_resource = new gcp.accesscontextmanager.ServicePerimeterResource("service-perimeter-resource", {
    perimeterName: service_perimeter_resourceServicePerimeter.name,
    resource: "projects/987654321",
});

import pulumi
import pulumi_gcp as gcp
access_policy = gcp.accesscontextmanager.AccessPolicy("access-policy",
    parent="organizations/123456789",
    title="my policy")
service_perimeter_resource_service_perimeter = gcp.accesscontextmanager.ServicePerimeter("service-perimeter-resource",
    parent=access_policy.name.apply(lambda name: f"accessPolicies/{name}"),
    name=access_policy.name.apply(lambda name: f"accessPolicies/{name}/servicePerimeters/restrict_all"),
    title="restrict_all",
    status={
        "restricted_services": ["storage&#46;googleapis&#46;com"],
    })
service_perimeter_resource = gcp.accesscontextmanager.ServicePerimeterResource("service-perimeter-resource",
    perimeter_name=service_perimeter_resource_service_perimeter.name,
    resource="projects/987654321")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var access_policy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new()
    {
        Parent = "organizations/123456789",
        Title = "my policy",
    });
    var service_perimeter_resourceServicePerimeter = new Gcp.AccessContextManager.ServicePerimeter("service-perimeter-resource", new()
    {
        Parent = access_policy.Name.Apply(name => $"accessPolicies/{name}"),
        Name = access_policy.Name.Apply(name => $"accessPolicies/{name}/servicePerimeters/restrict_all"),
        Title = "restrict_all",
        Status = new Gcp.AccessContextManager.Inputs.ServicePerimeterStatusArgs
        {
            RestrictedServices = new[]
            {
                "storage.googleapis.com",
            },
        },
    });
    var service_perimeter_resource = new Gcp.AccessContextManager.ServicePerimeterResource("service-perimeter-resource", new()
    {
        PerimeterName = service_perimeter_resourceServicePerimeter.Name,
        Resource = "projects/987654321",
    });
});

package main
import (
	"fmt"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/accesscontextmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		access_policy, err := accesscontextmanager.NewAccessPolicy(ctx, "access-policy", &accesscontextmanager.AccessPolicyArgs{
			Parent: pulumi.String("organizations/123456789"),
			Title:  pulumi.String("my policy"),
		})
		if err != nil {
			return err
		}
		service_perimeter_resourceServicePerimeter, err := accesscontextmanager.NewServicePerimeter(ctx, "service-perimeter-resource", &accesscontextmanager.ServicePerimeterArgs{
			Parent: access_policy.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("accessPolicies/%v", name), nil
			}).(pulumi.StringOutput),
			Name: access_policy.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("accessPolicies/%v/servicePerimeters/restrict_all", name), nil
			}).(pulumi.StringOutput),
			Title: pulumi.String("restrict_all"),
			Status: &accesscontextmanager.ServicePerimeterStatusArgs{
				RestrictedServices: pulumi.StringArray{
					pulumi.String("storage.googleapis.com"),
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = accesscontextmanager.NewServicePerimeterResource(ctx, "service-perimeter-resource", &accesscontextmanager.ServicePerimeterResourceArgs{
			PerimeterName: service_perimeter_resourceServicePerimeter.Name,
			Resource:      pulumi.String("projects/987654321"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accesscontextmanager.AccessPolicy;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyArgs;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeter;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterArgs;
import com.pulumi.gcp.accesscontextmanager.inputs.ServicePerimeterStatusArgs;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterResource;
import com.pulumi.gcp.accesscontextmanager.ServicePerimeterResourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var access_policy = new AccessPolicy("access-policy", AccessPolicyArgs.builder()
            .parent("organizations/123456789")
            .title("my policy")
            .build());
        var service_perimeter_resourceServicePerimeter = new ServicePerimeter("service-perimeter-resourceServicePerimeter", ServicePerimeterArgs.builder()
            .parent(access_policy.name().applyValue(_name -> String.format("accessPolicies/%s", _name)))
            .name(access_policy.name().applyValue(_name -> String.format("accessPolicies/%s/servicePerimeters/restrict_all", _name)))
            .title("restrict_all")
            .status(ServicePerimeterStatusArgs.builder()
                .restrictedServices("storage.googleapis.com")
                .build())
            .build());
        var service_perimeter_resource = new ServicePerimeterResource("service-perimeter-resource", ServicePerimeterResourceArgs.builder()
            .perimeterName(service_perimeter_resourceServicePerimeter.name())
            .resource("projects/987654321")
            .build());
    }
}

resources:
  service-perimeter-resource:
    type: gcp:accesscontextmanager:ServicePerimeterResource
    properties:
      perimeterName: ${["service-perimeter-resourceServicePerimeter"].name}
      resource: projects/987654321
  service-perimeter-resourceServicePerimeter:
    type: gcp:accesscontextmanager:ServicePerimeter
    name: service-perimeter-resource
    properties:
      parent: accessPolicies/${["access-policy"].name}
      name: accessPolicies/${["access-policy"].name}/servicePerimeters/restrict_all
      title: restrict_all
      status:
        restrictedServices:
          - storage.googleapis.com
  access-policy:
    type: gcp:accesscontextmanager:AccessPolicy
    properties:
      parent: organizations/123456789
      title: my policy

Import

ServicePerimeterResource can be imported using any of these accepted formats:

{{perimeter_name}}/{{resource}} When using the pulumi import command, ServicePerimeterResource can be imported using one of the formats above. For example:

$ pulumi import gcp:accesscontextmanager/servicePerimeterResource:ServicePerimeterResource default {{perimeter_name}}/{{resource}}

Properties

accessPolicyId

val accessPolicyId: Output<String>

The name of the Access Policy this resource belongs to.

etag

val etag: Output<String>

The perimeter etag is internally used to prevent overwriting the list of perimeter resources on PATCH calls. It is retrieved from the same GET perimeter API call that's used to get the current list of resources. The resource to add or remove is merged into that list and then this etag is sent with the PATCH call along with the updated resource list.

val id: Output<String>

perimeterName

val perimeterName: Output<String>

The name of the Service Perimeter to add this resource to.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

resource

val resource: Output<String>

A GCP resource that is inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}

urn

val urn: Output<String>