Access Context Manager - Add support for roles in service perimeter resources.

Charlesleonius · Charlesleonius · commit b0eaecfdc33e · 2025-03-20T09:29:16.000-07:00
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
@@ -313,6 +313,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `IngressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
@@ -428,6 +436,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `EgressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
@@ -622,6 +638,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `IngressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
@@ -735,6 +759,14 @@ properties:
                   is_set: true
                   item_type:
                     type: String
+                - name: 'roles'
+                  type: Array
+                  item_type:
+                    type: String
+                  description: |
+                    A list of IAM roles that represent the set of operations that the sources
+                    specified in the corresponding `EgressFrom`
+                    are allowed to perform.
                 - name: 'operations'
                   type: Array
                   description: |
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
@@ -157,6 +157,14 @@ properties:
           s3://bucket/path). Currently '*' is not allowed.
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `EgressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml
@@ -166,6 +166,14 @@ properties:
         diff_suppress_func: AccessContextManagerServicePerimeterDryRunIngressPolicyIngressToResourcesDiffSuppressFunc
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `IngressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
@@ -155,6 +155,14 @@ properties:
           s3://bucket/path). Currently '*' is not allowed.
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `EgressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
@@ -166,6 +166,14 @@ properties:
         diff_suppress_func: AccessContextManagerServicePerimeterIngressPolicyIngressToResourcesDiffSuppressFunc
         item_type:
           type: String
+      - name: 'roles'
+        type: Array
+        item_type:
+          type: String
+        description: |
+          A list of IAM roles that represent the set of operations that the sources
+          specified in the corresponding `IngressFrom`
+          are allowed to perform.
       - name: 'operations'
         type: Array
         description: |
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
@@ -293,6 +293,14 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `IngressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
@@ -405,6 +413,14 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `EgressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
@@ -592,6 +608,14 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `IngressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
@@ -706,6 +730,14 @@ properties:
                         is_set: true
                         item_type:
                           type: String
+                      - name: 'roles'
+                        type: Array
+                        item_type:
+                          type: String
+                        description: |
+                          A list of IAM roles that represent the set of operations that the sources
+                          specified in the corresponding `EgressFrom`
+                          are allowed to perform.
                       - name: 'operations'
                         type: Array
                         description: |
diff --git a/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.tmpl b/mmv1/templates/terraform/examples/access_context_manager_service_perimeter_granular_controls.tf.tmpl
@@ -1,40 +1,33 @@
 resource "google_access_context_manager_access_policy" "access-policy" {
   parent = "organizations/123456789"
-  title  = "Policy with Granular Controls Group Support"
+  title  = "Policy with Granular Controls Support"
 }
 
-resource "google_access_context_manager_service_perimeter" "test-access" {
+resource "google_access_context_manager_service_perimeter" "granular-controls-perimeter" {
   parent         = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
   name           = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
   title          = "%s"
   perimeter_type = "PERIMETER_TYPE_REGULAR"
   status {
-      restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
+      restricted_services = ["bigquery.googleapis.com"]
 
       vpc_accessible_services {
           enable_restriction = true
-          allowed_services   = ["bigquery.googleapis.com", "storage.googleapis.com"]
+          allowed_services   = ["bigquery.googleapis.com"]
       }
 
       ingress_policies {
           ingress_from {
               sources {
-                  access_level = google_access_context_manager_access_level.test-access.name
+                 resource = "projects/1234" 
               }
               identities = ["group:database-admins@google.com"]
               identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
               identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
           }
-
           ingress_to {
               resources = [ "*" ]
-              operations {
-                  service_name = "storage.googleapis.com"
-
-                  method_selectors {
-                      method = "google.storage.objects.create"
-                  }
-              }
+              roles = ["roles/bigquery.admin", "organizations/1234/roles/bigquery_custom_role"]
           }
       }
 
@@ -46,13 +39,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
           }
           egress_to {
               resources = [ "*" ]
-              operations {
-                  service_name = "storage.googleapis.com"
-
-                  method_selectors {
-                      method = "google.storage.objects.create"
-                  }
-              }
+              roles = ["roles/bigquery.admin", "organizations/1234/roles/bigquery_custom_role"]
           }
       }
    }
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go
@@ -124,6 +124,10 @@ resource "google_access_context_manager_service_perimeter_dry_run_egress_policy"
 		}
 		source_restriction = "SOURCE_RESTRICTION_ENABLED"
 	}
+	egress_to {
+		resources = ["*"]
+		roles = ["roles/bigquery.admin"]
+	}
   	depends_on = [google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access1]
 }
 
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy_test.go
@@ -126,6 +126,10 @@ resource "google_access_context_manager_service_perimeter_dry_run_ingress_policy
 			access_level = google_access_context_manager_access_level.test-access.name
 		}
 	}
+	ingress_to {
+		resources = ["*"]
+		roles = ["roles/bigquery.admin"]
+	}
   depends_on = [google_access_context_manager_service_perimeter_dry_run_ingress_policy.test-access1]
 }
 
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go
@@ -102,7 +102,6 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a
 	    }
 	  }
 	}
-
 }
 
 resource "google_access_context_manager_access_level" "test-access" {
@@ -127,6 +126,10 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a
 		}
 		source_restriction = "SOURCE_RESTRICTION_ENABLED"
 	}
+	egress_to {
+		resources = ["*"]
+		roles = ["roles/bigquery.admin"]
+	}
 }
 
 `, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_ingress_policy_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_ingress_policy_test.go
@@ -127,6 +127,10 @@ resource "google_access_context_manager_service_perimeter_ingress_policy" "test-
 	ingress_from {
 		identity_type = "ANY_IDENTITY"
 	}
+	ingress_to {
+		resources = ["*"]
+		roles = ["roles/bigquery.admin"]
+	}
 }
 
 `, testAccAccessContextManagerServicePerimeterIngressPolicy_destroy(org, policyTitle, perimeterTitleName))
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl
@@ -338,6 +338,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 			}
 			ingress_to {
 				resources = ["*"]
+				roles = ["roles/bigquery.admin"]
 			}
 		}
 
@@ -367,6 +368,15 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 				resources = ["*"]
 			}
 		}
+		egress_policies {
+			egress_from {
+				identity_type = "ANY_IDENTITY"
+			}
+			egress_to {
+				resources = ["*"]
+				roles = ["roles/bigquery.admin"]
+			}
+		}
   }
 }
 `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
diff --git a/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go b/mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go
@@ -336,6 +336,7 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
         }
         ingress_to {
           resources = ["*"]
+          roles = ["roles/bigquery.admin"]
         }
       }
 
@@ -361,6 +362,15 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
           resources = ["*"]
         }
       }
+      egress_policies {
+        egress_from {
+          identity_type = "ANY_IDENTITY"
+        }
+        egress_to {
+          resources = ["*"]
+          roles = ["roles/bigquery.admin"]
+        }
+      }
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ resource "google_access_context_manager_service_perimeter_dry_run_egress_policy"`
`124`	`124`	`}`
`125`	`125`	`source_restriction = "SOURCE_RESTRICTION_ENABLED"`
`126`	`126`	`}`
	`127`	`+ egress_to {`
	`128`	`+ resources = ["*"]`
	`129`	`+ roles = ["roles/bigquery.admin"]`
	`130`	`+ }`
`127`	`131`	`depends_on = [google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access1]`
`128`	`132`	`}`
`129`	`133`
Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,10 @@ resource "google_access_context_manager_service_perimeter_dry_run_ingress_policy`
`126`	`126`	`access_level = google_access_context_manager_access_level.test-access.name`
`127`	`127`	`}`
`128`	`128`	`}`
	`129`	`+ ingress_to {`
	`130`	`+ resources = ["*"]`
	`131`	`+ roles = ["roles/bigquery.admin"]`
	`132`	`+ }`
`129`	`133`	`depends_on = [google_access_context_manager_service_perimeter_dry_run_ingress_policy.test-access1]`
`130`	`134`	`}`
`131`	`135`
Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,6 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a`
`102`	`102`	`}`
`103`	`103`	`}`
`104`	`104`	`}`
`105`		`-`
`106`	`105`	`}`
`107`	`106`
`108`	`107`	`resource "google_access_context_manager_access_level" "test-access" {`
`@@ -127,6 +126,10 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a`
`127`	`126`	`}`
`128`	`127`	`source_restriction = "SOURCE_RESTRICTION_ENABLED"`
`129`	`128`	`}`
	`129`	`+ egress_to {`
	`130`	`+ resources = ["*"]`
	`131`	`+ roles = ["roles/bigquery.admin"]`
	`132`	`+ }`
`130`	`133`	`}`
`131`	`134`
`132`	`135`	`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,10 @@ resource "google_access_context_manager_service_perimeter_ingress_policy" "test-`
`127`	`127`	`ingress_from {`
`128`	`128`	`identity_type = "ANY_IDENTITY"`
`129`	`129`	`}`
	`130`	`+ ingress_to {`
	`131`	`+ resources = ["*"]`
	`132`	`+ roles = ["roles/bigquery.admin"]`
	`133`	`+ }`
`130`	`134`	`}`
`131`	`135`
`132`	`136`	`, testAccAccessContextManagerServicePerimeterIngressPolicy_destroy(org, policyTitle, perimeterTitleName))
Original file line number	Diff line number	Diff line change
`@@ -338,6 +338,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {`
`338`	`338`	`}`
`339`	`339`	`ingress_to {`
`340`	`340`	`resources = ["*"]`
	`341`	`+ roles = ["roles/bigquery.admin"]`
`341`	`342`	`}`
`342`	`343`	`}`
`343`	`344`
`@@ -367,6 +368,15 @@ resource "google_access_context_manager_service_perimeter" "test-access" {`
`367`	`368`	`resources = ["*"]`
`368`	`369`	`}`
`369`	`370`	`}`
	`371`	`+ egress_policies {`
	`372`	`+ egress_from {`
	`373`	`+ identity_type = "ANY_IDENTITY"`
	`374`	`+ }`
	`375`	`+ egress_to {`
	`376`	`+ resources = ["*"]`
	`377`	`+ roles = ["roles/bigquery.admin"]`
	`378`	`+ }`
	`379`	`+ }`
`370`	`380`	`}`
`371`	`381`	`}`
`372`	`382`	`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
Original file line number	Diff line number	Diff line change
`@@ -336,6 +336,7 @@ resource "google_access_context_manager_service_perimeters" "test-access" {`
`336`	`336`	`}`
`337`	`337`	`ingress_to {`
`338`	`338`	`resources = ["*"]`
	`339`	`+ roles = ["roles/bigquery.admin"]`
`339`	`340`	`}`
`340`	`341`	`}`
`341`	`342`
`@@ -361,6 +362,15 @@ resource "google_access_context_manager_service_perimeters" "test-access" {`
`361`	`362`	`resources = ["*"]`
`362`	`363`	`}`
`363`	`364`	`}`
	`365`	`+ egress_policies {`
	`366`	`+ egress_from {`
	`367`	`+ identity_type = "ANY_IDENTITY"`
	`368`	`+ }`
	`369`	`+ egress_to {`
	`370`	`+ resources = ["*"]`
	`371`	`+ roles = ["roles/bigquery.admin"]`
	`372`	`+ }`
	`373`	`+ }`
`364`	`374`	`}`
`365`	`375`	`}`
`366`	`376`	`}`