Update Documentation for ACM Service Perimeter resources to reflect Granular Controls group support (#10087) (#17558)

groups



[upstream:f72682f39d30f1eb3263acf8a6b4c3603ba4acdd]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/10087.txt

@@ -0,0 +1,12 @@
+```release-note:none
+accesscontextmanager: updated documentation reflecting group support in `google_access_context_manager_service_perimeter`
+```
+```release-note:none
+accesscontextmanager: updated documentation reflecting group support in `google_access_context_manager_service_perimeters`
+```
+```release-note:none
+accesscontextmanager: updated documentation reflecting group support in `google_access_context_manager_service_perimeter_egress_policy`
+```
+```release-note:none
+accesscontextmanager: updated documentation reflecting group support in `google_access_context_manager_service_perimeter_ingress_policy`
+```

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter.go

@@ -146,9 +146,10 @@ a perimeter bridge.`,
 												"identities": {
 													Type:     schema.TypeSet,
 													Optional: true,
-													Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+													Description: `'A list of identities that are allowed access through this 'EgressPolicy'.
+To specify an identity or identity group, use the IAM v1
+format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},
@@ -285,9 +286,10 @@ to apply.`,
 												"identities": {
 													Type:     schema.TypeSet,
 													Optional: true,
-													Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+													Description: `'A list of identities that are allowed access through this 'IngressPolicy'.
+To specify an identity or identity group, use the IAM v1
+format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},
@@ -510,9 +512,10 @@ a perimeter bridge.`,
 												"identities": {
 													Type:     schema.TypeSet,
 													Optional: true,
-													Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+													Description: `'A list of identities that are allowed access through this 'EgressPolicy'.
+To specify an identity or identity group, use the IAM v1
+format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},
@@ -649,9 +652,10 @@ to apply.`,
 												"identities": {
 													Type:     schema.TypeSet,
 													Optional: true,
-													Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+													Description: `'A list of identities that are allowed access through this 'IngressPolicy'.
+To specify an identity or identity group, use the IAM v1
+format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go

@@ -67,8 +67,8 @@ func ResourceAccessContextManagerServicePerimeterEgressPolicy() *schema.Resource
 							Type:     schema.TypeList,
 							Optional: true,
 							Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+Should be in the format of an email address. The email address should
+represent an individual user, service account, or Google group.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_ingress_policy.go

@@ -67,9 +67,9 @@ to apply.`,
 						"identities": {
 							Type:     schema.TypeList,
 							Optional: true,
-							Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+							Description: `A list of identities that are allowed access through this 'IngressPolicy'.
+Should be in the format of an email address. The email address should represent
+an individual user, service account, or Google group.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeters.go

@@ -150,9 +150,10 @@ a perimeter bridge.`,
 															"identities": {
 																Type:     schema.TypeSet,
 																Optional: true,
-																Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+																Description: `'A list of identities that are allowed access through this 'EgressPolicy'.
+To specify an identity or identity group, use the IAM v1 format
+specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 																Elem: &schema.Schema{
 																	Type: schema.TypeString,
 																},
@@ -289,9 +290,10 @@ to apply.`,
 															"identities": {
 																Type:     schema.TypeSet,
 																Optional: true,
-																Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+																Description: `'A list of identities that are allowed access through this 'IngressPolicy'.
+To specify an identity or identity group, use the IAM v1 format
+specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 																Elem: &schema.Schema{
 																	Type: schema.TypeString,
 																},
@@ -511,9 +513,10 @@ a perimeter bridge.`,
 															"identities": {
 																Type:     schema.TypeSet,
 																Optional: true,
-																Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+																Description: `'A list of identities that are allowed access through this 'EgressPolicy'.
+To specify an identity or identity group, use the IAM v1 format
+specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 																Elem: &schema.Schema{
 																	Type: schema.TypeString,
 																},
@@ -739,9 +742,10 @@ to apply.`,
 						"identities": {
 							Type:     schema.TypeSet,
 							Optional: true,
-							Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+							Description: `'A list of identities that are allowed access through this 'IngressPolicy'.
+To specify an identity or identity group, use the IAM v1 format
+specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

website/docs/r/access_context_manager_service_perimeter.html.markdown

@@ -223,6 +223,70 @@ resource "google_access_context_manager_access_policy" "access-policy" {
   title  = "my policy"
 }
 ```
+## Example Usage - Access Context Manager Service Perimeter Granular Controls
+
+
+```hcl
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "Policy with Granular Controls Group Support"
+}
+
+resource "google_access_context_manager_service_perimeter" "test-access" {
+  parent         = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
+  name           = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
+  title          = "%s"
+  perimeter_type = "PERIMETER_TYPE_REGULAR"
+  status {
+      restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
+
+      vpc_accessible_services {
+          enable_restriction = true
+          allowed_services   = ["bigquery.googleapis.com", "storage.googleapis.com"]
+      }
+
+      ingress_policies {
+          ingress_from {
+              sources {
+                  access_level = google_access_context_manager_access_level.test-access.name
+              }
+              identities = ["group:[email protected]"]
+              identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
+              identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
+          }
+
+          ingress_to {
+              resources = [ "*" ]
+              operations {
+                  service_name = "storage.googleapis.com"
+
+                  method_selectors {
+                      method = "google.storage.objects.create"
+                  }
+              }
+          }
+      }
+
+      egress_policies {
+          egress_from {
+              identities = ["group:[email protected]"]
+              identities = ["principal://iam.googleapis.com/locations/global/workforcePools/1234/subject/janedoe"]
+              identities = ["principalSet://iam.googleapis.com/locations/global/workforcePools/1234/*"]
+          }
+          egress_to {
+              resources = [ "*" ]
+              operations {
+                  service_name = "storage.googleapis.com"
+
+                  method_selectors {
+                      method = "google.storage.objects.create"
+                  }
+              }
+          }
+      }
+   }
+}
+```
 
 ## Argument Reference
 
@@ -389,9 +453,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  'A list of identities that are allowed access through this `IngressPolicy`.
+  To specify an identity or identity group, use the IAM v1
+  format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 * `sources` -
   (Optional)
@@ -506,9 +571,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  'A list of identities that are allowed access through this `EgressPolicy`.
+  To specify an identity or identity group, use the IAM v1
+  format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 
 <a name="nested_sources"></a>The `sources` block supports:
@@ -659,9 +725,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  'A list of identities that are allowed access through this `IngressPolicy`.
+  To specify an identity or identity group, use the IAM v1
+  format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 * `sources` -
   (Optional)
@@ -776,9 +843,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  'A list of identities that are allowed access through this `EgressPolicy`.
+  To specify an identity or identity group, use the IAM v1
+  format specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 
 <a name="nested_sources"></a>The `sources` block supports:

website/docs/r/access_context_manager_service_perimeter_egress_policy.html.markdown

@@ -69,8 +69,8 @@ The following arguments are supported:
 * `identities` -
   (Optional)
   A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  Should be in the format of an email address. The email address should
+  represent an individual user, service account, or Google group.
 
 * `sources` -
   (Optional)

website/docs/r/access_context_manager_service_perimeter_ingress_policy.html.markdown

@@ -70,9 +70,9 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  A list of identities that are allowed access through this `IngressPolicy`.
+  Should be in the format of an email address. The email address should represent
+  an individual user, service account, or Google group.
 
 * `sources` -
   (Optional)

website/docs/r/access_context_manager_service_perimeters.html.markdown

@@ -262,9 +262,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  'A list of identities that are allowed access through this `IngressPolicy`.
+  To specify an identity or identity group, use the IAM v1 format
+  specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 * `sources` -
   (Optional)
@@ -369,9 +370,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  'A list of identities that are allowed access through this `EgressPolicy`.
+  To specify an identity or identity group, use the IAM v1 format
+  specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 * `sources` -
   (Optional)
@@ -532,9 +534,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  'A list of identities that are allowed access through this `IngressPolicy`.
+  To specify an identity or identity group, use the IAM v1 format
+  specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 * `sources` -
   (Optional)
@@ -639,9 +642,10 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  'A list of identities that are allowed access through this `EgressPolicy`.
+  To specify an identity or identity group, use the IAM v1 format
+  specified [here](https://cloud.google.com/iam/docs/principal-identifiers.md#v1).
+  The following prefixes are supprted: user, group, serviceAccount, principal, and principalSet.'
 
 * `sources` -
   (Optional)