google_access_context_manager_service_perimeter should support group: identity type #19540

Open
danekantner opened this issue Sep 19, 2024 · 0 comments
danekantner commented Sep 19, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

google_access_context_manager_service_perimeter should support group: identity type

Presently, the identity specified within ingress/egress rules of a service perimeter is documented to only allow service account identities specifically. Presently the documentation states "The email address should represent individual user or service account only." and the actual code has 'The email address should represent individual user or service account only.' specified (though, there may not be any actual validation beyond that).

Recently, Google has added the ability to specify a group, and this feature is available in the same API call that is already made.

The API itself lists a group as acceptable: "A list of identities that are allowed access through [IngressPolicy]. Identities can be an individual user, service account, Google group, or third-party identity. For third-party identity, only single identities are supported and other identity types are not supported. The v1 identities that have the prefix user, group, serviceAccount, and principal in https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported."

New or Affected Resource(s)

  • google_access_context_manager_service_perimeter

Potential Terraform Configuration

```hcl
resource "google_access_context_manager_service_perimeter" "test-access" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.test-access.name}/servicePerimeters/%s"
  title          = "%s"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.access-level.name]

    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["bigquery.googleapis.com", "storage.googleapis.com"]
    }

    egress_policies {
      egress_from {
        identities    = ["group:[email protected]"]
        identity_type = "ANY_IDENTITY"
      }
    }
  }
}
```

References

https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#ingressfrom
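The post notes that the provider may not validate identities beyond the doc string. As an added illustration (not the provider's own code, and the function names and sample values are hypothetical and constructed), this Go sketch shows what a plan-time validator accepting the four v1 prefixes quoted from the API reference, including `group:`, could look like:

```go
package main

import (
	"fmt"
	"strings"
)

// Identity prefixes accepted in IngressFrom/EgressFrom.identities per the
// Access Context Manager v1 API reference quoted in the issue.
var allowedIdentityPrefixes = []string{"user:", "group:", "serviceAccount:", "principal:"}

// validatePerimeterIdentity returns nil when the identity carries one of the
// supported prefixes and a non-empty subject, otherwise an error saying why
// it was rejected. Hypothetical sketch, not the provider's validator.
func validatePerimeterIdentity(identity string) error {
	for _, p := range allowedIdentityPrefixes {
		if strings.HasPrefix(identity, p) {
			if strings.TrimPrefix(identity, p) == "" {
				return fmt.Errorf("identity %q has no subject after prefix %q", identity, p)
			}
			return nil
		}
	}
	return fmt.Errorf("identity %q must start with one of %s", identity, strings.Join(allowedIdentityPrefixes, ", "))
}

// validatePerimeterIdentities checks every entry of an identities list and
// returns all problems found, so a plan surfaces every bad entry at once.
func validatePerimeterIdentities(identities []string) []error {
	var errs []error
	for _, id := range identities {
		if err := validatePerimeterIdentity(id); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample values, not taken from any real project.
	sample := []string{
		"group:sec-team@example.com",
		"domain:example.com",
		"group:",
	}
	for _, err := range validatePerimeterIdentities(sample) {
		fmt.Println(err)
	}
}
```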
