Support for projects in EgressSource (GoogleCloudPlatform#12532)

Author: Angelina612

mmv1/products/accesscontextmanager/ServicePerimeter.yaml

@@ -384,6 +384,15 @@ properties:
                       - name: 'accessLevel'
                         type: String
                         description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+                      - name: 'resource'
+                        type: String
+                        description: |
+                          A Google Cloud resource that is allowed to egress the perimeter.
+                          Requests from these resources are allowed to access data outside the perimeter.
+                          Currently only projects are allowed. Project format: `projects/{project_number}`.
+                          The resource may be in any Google Cloud organization, not just the
+                          organization that the perimeter is defined in. `*` is not allowed, the
+                          case of allowing all Google Cloud resources only is not supported.
                 - name: 'sourceRestriction'
                   type: Enum
                   description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
@@ -693,6 +702,15 @@ properties:
                       - name: 'accessLevel'
                         type: String
                         description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+                      - name: 'resource'
+                        type: String
+                        description: |
+                          A Google Cloud resource that is allowed to egress the perimeter.
+                          Requests from these resources are allowed to access data outside the perimeter.
+                          Currently only projects are allowed. Project format: `projects/{project_number}`.
+                          The resource may be in any Google Cloud organization, not just the
+                          organization that the perimeter is defined in. `*` is not allowed, the
+                          case of allowing all Google Cloud resources only is not supported.
                 - name: 'sourceRestriction'
                   type: Enum
                   description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'

mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml

@@ -128,6 +128,15 @@ properties:
             - name: 'accessLevel'
               type: String
               description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+            - name: 'resource'
+              type: String
+              description: |
+                A Google Cloud resource that is allowed to egress the perimeter.
+                Requests from these resources are allowed to access data outside the perimeter.
+                Currently only projects are allowed. Project format: `projects/{project_number}`.
+                The resource may be in any Google Cloud organization, not just the
+                organization that the perimeter is defined in. `*` is not allowed, the
+                case of allowing all Google Cloud resources only is not supported.
       - name: 'sourceRestriction'
         type: Enum
         description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'

mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml

@@ -125,6 +125,15 @@ properties:
             - name: 'accessLevel'
               type: String
               description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+            - name: 'resource'
+              type: String
+              description: |
+                A Google Cloud resource that is allowed to egress the perimeter.
+                Requests from these resources are allowed to access data outside the perimeter.
+                Currently only projects are allowed. Project format: `projects/{project_number}`.
+                The resource may be in any Google Cloud organization, not just the
+                organization that the perimeter is defined in. `*` is not allowed, the
+                case of allowing all Google Cloud resources only is not supported.
       - name: 'sourceRestriction'
         type: Enum
         description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'

mmv1/products/accesscontextmanager/ServicePerimeters.yaml

@@ -373,6 +373,15 @@ properties:
                             - name: 'accessLevel'
                               type: String
                               description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+                            - name: 'resource'
+                              type: String
+                              description: |
+                                A Google Cloud resource that is allowed to egress the perimeter.
+                                Requests from these resources are allowed to access data outside the perimeter.
+                                Currently only projects are allowed. Project format: `projects/{project_number}`.
+                                The resource may be in any Google Cloud organization, not just the
+                                organization that the perimeter is defined in. `*` is not allowed, the
+                                case of allowing all Google Cloud resources only is not supported.
                       - name: 'sourceRestriction'
                         type: Enum
                         description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'
@@ -674,6 +683,15 @@ properties:
                             - name: 'accessLevel'
                               type: String
                               description: 'An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.'
+                            - name: 'resource'
+                              type: String
+                              description: |
+                                A Google Cloud resource that is allowed to egress the perimeter.
+                                Requests from these resources are allowed to access data outside the perimeter.
+                                Currently only projects are allowed. Project format: `projects/{project_number}`.
+                                The resource may be in any Google Cloud organization, not just the
+                                organization that the perimeter is defined in. `*` is not allowed, the
+                                case of allowing all Google Cloud resources only is not supported.
                       - name: 'sourceRestriction'
                         type: Enum
                         description: 'Whether to enforce traffic restrictions based on `sources` field. If the `sources` field is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`.'

mmv1/templates/terraform/custom_flatten/accesscontextmanager_serviceperimeters_custom_flatten.go.tmpl

@@ -341,6 +341,7 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPo
 		}
 		transformed = append(transformed, map[string]interface{}{
 			"access_level": flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+			"resource":     flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourcesResource(original["resource"], d, config),
 		})
 	}
 	return transformed
@@ -349,6 +350,10 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPo
 	return v
 }
 
+func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersStatusEgressPoliciesEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -713,6 +718,7 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoli
 		}
 		transformed = append(transformed, map[string]interface{}{
 			"access_level": flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourcesAccessLevel(original["accessLevel"], d, config),
+			"resource":     flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourcesResource(original["resource"], d, config),
 		})
 	}
 	return transformed
@@ -721,6 +727,10 @@ func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoli
 	return v
 }
 
+func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourcesResource(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenAccessContextManagerServicePerimetersServicePerimetersSpecEgressPoliciesEgressFromSourceRestriction(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }

mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy_test.go

@@ -20,13 +20,14 @@ func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basicTest(t *
 	//projects := acctest.BootstrapServicePerimeterProjects(t, 1)
 	policyTitle := acctest.RandString(t, 10)
 	perimeterTitle := "perimeter"
+	projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitle),
+				Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitle, projectNumber),
 			},
 			{
 				Config: testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitle),
@@ -83,7 +84,7 @@ func testAccCheckAccessContextManagerServicePerimeterDryRunEgressPolicyDestroyPr
 	}
 }
 
-func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_basic(org, policyTitle, perimeterTitleName, projectNumber string) string {
 	return fmt.Sprintf(`
 %s
 
@@ -127,7 +128,17 @@ resource "google_access_context_manager_service_perimeter_dry_run_egress_policy"
   	depends_on = [google_access_context_manager_service_perimeter_dry_run_egress_policy.test-access1]
 }
 
-`, testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
+resource "google_access_context_manager_service_perimeter_dry_run_egress_policy" "test-access3" {
+  perimeter = google_access_context_manager_service_perimeter.test-access.name
+	egress_from {
+		sources {
+			resource = "projects/%s"
+		}
+		source_restriction = "SOURCE_RESTRICTION_ENABLED"
+	}
+}
+
+`, testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName), projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeterDryRunEgressPolicy_destroy(org, policyTitle, perimeterTitleName string) string {

mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy_test.go

@@ -22,13 +22,14 @@ func testAccAccessContextManagerServicePerimeterEgressPolicy_basicTest(t *testin
 	//projects := acctest.BootstrapServicePerimeterProjects(t, 1)
 	policyTitle := acctest.RandString(t, 10)
 	perimeterTitle := "perimeter"
+	projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitle),
+				Config: testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitle, projectNumber),
 			},
 			{
 				Config: testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitle),
@@ -85,7 +86,7 @@ func testAccCheckAccessContextManagerServicePerimeterEgressPolicyDestroyProducer
 	}
 }
 
-func testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeterEgressPolicy_basic(org, policyTitle, perimeterTitleName, projectNumber string) string {
 	return fmt.Sprintf(`
 %s
 
@@ -129,7 +130,17 @@ resource "google_access_context_manager_service_perimeter_egress_policy" "test-a
 	}
 }
 
-`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName))
+resource "google_access_context_manager_service_perimeter_egress_policy" "test-access3" {
+	perimeter = google_access_context_manager_service_perimeter.test-access.name
+	egress_from {
+		sources {
+			resource = "projects/%s"
+		}
+		source_restriction = "SOURCE_RESTRICTION_ENABLED"
+	}
+}
+
+`, testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName), projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeterEgressPolicy_destroy(org, policyTitle, perimeterTitleName string) string {

mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_service_perimeter_test.go.tmpl

@@ -38,6 +38,7 @@ func testAccAccessContextManagerServicePerimeter_basicTest(t *testing.T) {
 
 func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
 	org := envvar.GetTestOrgFromEnv(t)
+	projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -61,7 +62,7 @@ func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter"),
+				Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter", projectNumber),
 			},
 			{
 				ResourceName:      "google_access_context_manager_service_perimeter.test-access",
@@ -77,7 +78,7 @@ func testAccAccessContextManagerServicePerimeter_updateTest(t *testing.T) {
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter"),
+				Config: testAccAccessContextManagerServicePerimeter_updateAllowed(org, "my policy", "level", "perimeter", projectNumber),
 			},
 			{
 				ResourceName:      "google_access_context_manager_service_perimeter.test-access",
@@ -182,7 +183,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
 }
 
-func testAccAccessContextManagerServicePerimeter_updateAllowed(org, policyTitle, levelTitleName, perimeterTitleName string) string {
+func testAccAccessContextManagerServicePerimeter_updateAllowed(org, policyTitle, levelTitleName, perimeterTitleName, projectNumber string) string {
 	return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
   parent = "organizations/%s"
@@ -267,6 +268,11 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 				sources {
 					access_level = google_access_context_manager_access_level.test-access.name
 				}
+					
+				sources {
+					resource = "projects/%s"
+				}
+					
 				source_restriction = "SOURCE_RESTRICTION_ENABLED"
 			}
 			egress_to {
@@ -347,6 +353,11 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 				sources {
 					access_level = google_access_context_manager_access_level.test-access.name
 				}
+
+				sources {
+					resource = "projects/%s"
+				}
+					
 				source_restriction = "SOURCE_RESTRICTION_ENABLED"
 			}
 			egress_to {
@@ -369,7 +380,7 @@ resource "google_access_context_manager_service_perimeter" "test-access" {
 		}
   }
 }
-`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName)
+`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName, perimeterTitleName, projectNumber, projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeter_updateDryrun(org, policyTitle, levelTitleName, perimeterTitleName string) string {

mmv1/third_party/terraform/services/accesscontextmanager/resource_access_context_manager_services_perimeters_test.go

@@ -16,6 +16,7 @@ import (
 // can exist, they need to be run serially. See AccessPolicy for the test runner.
 func testAccAccessContextManagerServicePerimeters_basicTest(t *testing.T) {
 	org := envvar.GetTestOrgFromEnv(t)
+	projectNumber := envvar.GetTestProjectNumberFromEnv()
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -32,7 +33,7 @@ func testAccAccessContextManagerServicePerimeters_basicTest(t *testing.T) {
 				ImportStateVerifyIgnore: []string{"service_perimeters"},
 			},
 			{
-				Config: testAccAccessContextManagerServicePerimeters_update(org, "my policy", "level", "storage_perimeter", "bigquery_perimeter", "bigtable_perimeter", "bigquery_omni_perimeter"),
+				Config: testAccAccessContextManagerServicePerimeters_update(org, "my policy", "level", "storage_perimeter", "bigquery_perimeter", "bigtable_perimeter", "bigquery_omni_perimeter", projectNumber),
 			},
 			{
 				ResourceName:            "google_access_context_manager_service_perimeters.test-access",
@@ -153,7 +154,7 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
 `, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName1, perimeterTitleName1, perimeterTitleName2, perimeterTitleName2, perimeterTitleName3, perimeterTitleName3)
 }
 
-func testAccAccessContextManagerServicePerimeters_update(org, policyTitle, levelTitleName, perimeterTitleName1, perimeterTitleName2, perimeterTitleName3, perimeterTitleName4 string) string {
+func testAccAccessContextManagerServicePerimeters_update(org, policyTitle, levelTitleName, perimeterTitleName1, perimeterTitleName2, perimeterTitleName3, perimeterTitleName4, projectNumber string) string {
 	return fmt.Sprintf(`
 resource "google_access_context_manager_access_policy" "test-access" {
   parent = "organizations/%s"
@@ -285,6 +286,14 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
     			resources = ["*"]
     		}
     	}
+      egress_policies {
+    		egress_from {
+    			sources {
+            resource = "projects/%s"
+          }
+          source_restriction = "SOURCE_RESTRICTION_ENABLED"
+    		}
+    	}
     }
     status {
       restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
@@ -361,10 +370,18 @@ resource "google_access_context_manager_service_perimeters" "test-access" {
           resources = ["*"]
         }
       }
+      egress_policies {
+    		egress_from {
+    			sources {
+            resource = "projects/%s"
+          }
+          source_restriction = "SOURCE_RESTRICTION_ENABLED"
+    		}
+    	}
     }
   }
 }
-`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName1, perimeterTitleName1, perimeterTitleName2, perimeterTitleName2, perimeterTitleName3, perimeterTitleName3, perimeterTitleName4, perimeterTitleName4)
+`, org, policyTitle, levelTitleName, levelTitleName, perimeterTitleName1, perimeterTitleName1, perimeterTitleName2, perimeterTitleName2, perimeterTitleName3, perimeterTitleName3, perimeterTitleName4, perimeterTitleName4, projectNumber, projectNumber)
 }
 
 func testAccAccessContextManagerServicePerimeters_empty(org, policyTitle, levelTitleName string) string {

mmv1/third_party/tgc/tests/data/example_access_context_manager_service_perimeter.json

@@ -20,6 +20,9 @@
                 "sources": [
                     {
                       "accessLevel": "accessPolicies/987654/accessLevels/restrict_storage"
+                    },
+                    {
+                      "resource": "projects/4321"
                     }
                   ]
               }