Access Context Manager - Add support for roles in service perimeter resources (GoogleCloudPlatform#13413)

Co-authored-by: Charlesleonius <[email protected]>

Author: 2 people

mmv1/products/accesscontextmanager/ServicePerimeter.yaml

@@ -68,6 +68,7 @@ custom_code:
   custom_import: 'templates/terraform/custom_import/set_access_policy_parent_from_self_link.go.tmpl'
 # Skipping the sweeper due to the non-standard base_url
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeter_basic'
     primary_resource_id: 'service-perimeter'
@@ -85,6 +86,11 @@ examples:
     vars:
       service_perimeter_name: 'restrict_bigquery_dryrun_storage'
     exclude_test: true
+  - name: 'access_context_manager_service_perimeter_granular_controls'
+    primary_resource_id: 'service-perimeter'
+    vars:
+      service_perimeter_name: 'granular_controls'
+    exclude_test: true
 parameters:
   # Parent is a path parameter that _cannot_ be read or sent in the request at all.
   # This must be done at the provider level.
@@ -313,6 +319,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `IngressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
@@ -441,6 +455,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `EgressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
@@ -639,6 +661,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `IngressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
@@ -765,6 +795,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `EgressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |

mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml

@@ -80,11 +80,16 @@ custom_code:
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeter_dry_run_egress_policy'
     vars:
       egress_policy_title: 'egress policy title'
     exclude_test: true
+  - name: 'access_context_manager_service_perimeter_dry_run_egress_policy_granular_controls'
+    vars:
+      egress_policy_title: 'granular controls egress policy title'
+    exclude_test: true
 parameters:
   - name: 'perimeter'
     type: ResourceRef
@@ -173,6 +178,14 @@ properties:
           s3://bucket/path). Currently '*' is not allowed.
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `EgressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |

mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml

@@ -81,11 +81,16 @@ custom_code:
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeter_dry_run_ingress_policy'
     vars:
       ingress_policy_title: 'ingress policy title'
     exclude_test: true
+  - name: 'access_context_manager_service_perimeter_dry_run_ingress_policy_granular_controls'
+    vars:
+      ingress_policy_title: 'granular controls ingress policy title'
+    exclude_test: true
 parameters:
   - name: 'perimeter'
     type: ResourceRef
@@ -173,6 +178,14 @@ properties:
         diff_suppress_func: AccessContextManagerServicePerimeterDryRunIngressPolicyIngressToResourcesDiffSuppressFunc
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `IngressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |

mmv1/products/accesscontextmanager/ServicePerimeterDryRunResource.yaml

@@ -76,6 +76,7 @@ custom_code:
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeter_dry_run_resource_basic'
     primary_resource_id: 'service-perimeter-dry-run-resource'

mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml

@@ -84,6 +84,10 @@ examples:
     vars:
       egress_policy_title: 'egress policy title'
     exclude_test: true
+  - name: 'access_context_manager_service_perimeter_egress_policy_granular_controls'
+    vars:
+      egress_policy_title: 'granular controls egress policy title'
+    exclude_test: true
 parameters:
   - name: 'perimeter'
     type: ResourceRef
@@ -173,6 +177,14 @@ properties:
           s3://bucket/path). Currently '*' is not allowed.
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `EgressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |

mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml

@@ -80,11 +80,16 @@ custom_code:
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeter_ingress_policy'
     vars:
       ingress_policy_title: 'ingress policy title'
     exclude_test: true
+  - name: 'access_context_manager_service_perimeter_ingress_policy_granular_controls'
+    vars:
+      ingress_policy_title: 'ingress policy title'
+    exclude_test: true
 parameters:
   - name: 'perimeter'
     type: ResourceRef
@@ -175,6 +180,14 @@ properties:
         diff_suppress_func: AccessContextManagerServicePerimeterIngressPolicyIngressToResourcesDiffSuppressFunc
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `IngressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |

mmv1/products/accesscontextmanager/ServicePerimeterResource.yaml

@@ -75,6 +75,7 @@ custom_code:
 exclude_tgc: true
 # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under ServicePerimeter
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeter_resource_basic'
     primary_resource_id: 'service-perimeter-resource'

mmv1/products/accesscontextmanager/ServicePerimeters.yaml

@@ -50,6 +50,7 @@ custom_code:
   custom_import: 'templates/terraform/custom_import/set_access_policy_parent_from_access_policy.go.tmpl'
 # Skipping the sweeper due to the non-standard base_url
 exclude_sweeper: true
+# Exclude tests for examples becauses tests run in parallel and will conflict when trying to create the org level access policy
 examples:
   - name: 'access_context_manager_service_perimeters_basic'
     primary_resource_id: 'service-perimeter'
@@ -294,6 +295,15 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        is_set: true
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `IngressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
@@ -419,6 +429,15 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        is_set: true
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `EgressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
@@ -610,6 +629,15 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        is_set: true
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `IngressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
@@ -737,6 +765,15 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        is_set: true
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `EgressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |

mmv1/templates/terraform/custom_flatten/accesscontextmanager_serviceperimeters_custom_flatten.go.tmpl

@@ -34,6 +34,13 @@ func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.Reso
     return sorted
 }
 
+func flattenStringArrayToStringSet(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	return schema.NewSet(schema.HashString, v.([]interface{}))
+}
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -220,6 +227,8 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressP
 		flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToResources(original["resources"], d, config)
 	transformed["operations"] =
 		flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToOperations(original["operations"], d, config)
+	transformed["roles"] =
+		flattenStringArrayToStringSet(original["roles"], d, config)
 	return []interface{}{transformed}
 }
 func flattenAccessContextManagerServicePerimetersServicePerimetersStatusIngressPoliciesIngressToResources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -379,8 +388,11 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPo
 		flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToExternalResources(original["externalResources"], d, config)
 	transformed["operations"] =
 		flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToOperations(original["operations"], d, config)
+	transformed["roles"] =
+		flattenStringArrayToStringSet(original["roles"], d, config)
 	return []interface{}{transformed}
 }
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressToResources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -607,6 +619,8 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPol
 		flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToResources(original["resources"], d, config)
 	transformed["operations"] =
 		flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToOperations(original["operations"], d, config)
+	transformed["roles"] =
+		flattenStringArrayToStringSet(original["roles"], d, config)
 	return []interface{}{transformed}
 }
 func flattenAccessContextManagerServicePerimetersServicePerimetersSpecIngressPoliciesIngressToResources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -766,8 +780,11 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoli
 		flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToExternalResources(original["externalResources"], d, config)
 	transformed["operations"] =
 		flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToOperations(original["operations"], d, config)
+	transformed["roles"] =
+		flattenStringArrayToStringSet(original["roles"], d, config)
 	return []interface{}{transformed}
 }
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressToResources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v

mmv1/templates/terraform/examples/access_context_manager_service_perimeter_dry_run_egress_policy_granular_controls.tf.tmpl

@@ -0,0 +1,34 @@
+resource "google_access_context_manager_service_perimeter" "storage-perimeter" {
+  parent = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}"
+  name   = "accesspolicies/${google_access_context_manager_access_policy.access-policy.name}/serviceperimeters/storage-perimeter"
+  title  = "Storage Perimeter"
+  spec {
+    restricted_services = ["storage.googleapis.com"]
+  }
+  lifecycle {
+    ignore_changes = [spec[0].egress_policies] # Allows egress policies to be managed by google_access_context_manager_service_perimeter_dry_run_egress_policy resources
+  }
+}
+
+resource "google_access_context_manager_service_perimeter_dry_run_egress_policy" "egress_policy" {
+  perimeter = "${google_access_context_manager_service_perimeter.storage-perimeter.name}"
+  title = "{{index $.Vars "egress_policy_title"}}"
+  egress_from {
+    identities = ["group:[email protected]"]
+    identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
+    identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
+  }
+  egress_to {
+    resources = [ "*" ]
+    roles = ["roles/bigquery.admin", "organizations/1234/roles/bigquery_custom_role"]
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "Storage Policy"
+}