Namespace Pulumi.Gcp.AccessContextManager
Classes
AccessLevel
An AccessLevel is a label that can be applied to requests to GCP services, along with a list of requirements necessary for the label to be applied.
To get more information about AccessLevel, see:
- API documentation
- How-to Guides
- Access Policy Quickstart
Example Usage - Access Context Manager Access Level Basic
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack: creates an organization-level access policy and a single
/// basic <c>AccessLevel</c> parented to it. The level combines a device
/// policy (Chrome OS desktop, screen lock required) with a list of regions.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The policy is the container every access level / perimeter hangs off.
        var accessPolicy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new Gcp.AccessContextManager.AccessPolicyArgs
        {
            Parent = "organizations/123456789",
            Title = "my policy",
        });

        // Device posture requirement: only Chrome OS desktops, and the device
        // must have screen lock enabled. Keeping RequireScreenLock = true is
        // the stricter (recommended) setting for a device-based condition.
        var devicePolicy = new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionDevicePolicyArgs
        {
            OsConstraints =
            {
                new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionDevicePolicyOsConstraintArgs
                {
                    OsType = "DESKTOP_CHROME_OS",
                },
            },
            RequireScreenLock = true,
        };

        var condition = new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionArgs
        {
            DevicePolicy = devicePolicy,
            Regions = { "CH", "IT", "US" },
        };

        var accessLevel = new Gcp.AccessContextManager.AccessLevel("access-level", new Gcp.AccessContextManager.AccessLevelArgs
        {
            Basic = new Gcp.AccessContextManager.Inputs.AccessLevelBasicArgs
            {
                Conditions = { condition },
            },
            // Parent is the policy's resource name ("accessPolicies/<name>"); the
            // name is only known after creation, hence the Apply projection.
            Parent = accessPolicy.Name.Apply(name => $"accessPolicies/{name}"),
            // NOTE(review): the title reads "no_lock" although RequireScreenLock
            // is true. The title is a label only, but a misleading label makes
            // policy review harder - consider renaming it to match the condition.
            Title = "chromeos_no_lock",
        });
    }
}
AccessLevelArgs
AccessLevelState
AccessPolicy
AccessPolicy is a container for AccessLevels (which define the necessary attributes to use GCP services) and ServicePerimeters (which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.
To get more information about AccessPolicy, see:
- API documentation
- How-to Guides
- Access Policy Quickstart
Example Usage - Access Context Manager Access Policy Basic
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Minimal example stack: creates one Access Context Manager access policy
/// at the organization level. Access levels and service perimeters are
/// created as children of such a policy.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Parent is the organization resource name; the policy's restrictions
        // apply to every project under that organization.
        var policyArgs = new Gcp.AccessContextManager.AccessPolicyArgs
        {
            Parent = "organizations/123456789",
            Title = "my policy",
        };

        var accessPolicy = new Gcp.AccessContextManager.AccessPolicy("access-policy", policyArgs);
    }
}
AccessPolicyArgs
AccessPolicyState
ServicePerimeter
ServicePerimeter describes a set of GCP resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter. If a request with a source within this ServicePerimeter has a target outside of the ServicePerimeter, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters cannot overlap; a single GCP project can only belong to a single regular Service Perimeter. Service Perimeter Bridges can contain only GCP projects as members; a single GCP project may belong to multiple Service Perimeter Bridges.
To get more information about ServicePerimeter, see:
- API documentation
- How-to Guides
- Service Perimeter Quickstart
Example Usage - Access Context Manager Service Perimeter Basic
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack: an access policy, a service perimeter that restricts the
/// Cloud Storage API, and a basic access level with a Chrome OS device
/// condition. Note that the access level is declared but not referenced by
/// the perimeter in this example.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var accessPolicy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new Gcp.AccessContextManager.AccessPolicyArgs
        {
            Parent = "organizations/123456789",
            Title = "my policy",
        });

        // Both children use the same "accessPolicies/<name>" parent string.
        var policyParent = accessPolicy.Name.Apply(name => $"accessPolicies/{name}");

        // Enforced perimeter configuration: only the Storage API is restricted.
        // No AccessLevels are attached here, so the access level below does not
        // gate traffic into this perimeter.
        var servicePerimeter = new Gcp.AccessContextManager.ServicePerimeter("service-perimeter", new Gcp.AccessContextManager.ServicePerimeterArgs
        {
            Parent = policyParent,
            Status = new Gcp.AccessContextManager.Inputs.ServicePerimeterStatusArgs
            {
                RestrictedServices = { "storage.googleapis.com" },
            },
            Title = "restrict_storage",
        });

        // Device posture: Chrome OS desktop, screen lock NOT required. This is
        // the weaker device condition; it only matches the "no_lock" title.
        var devicePolicy = new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionDevicePolicyArgs
        {
            OsConstraints =
            {
                new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionDevicePolicyOsConstraintArgs
                {
                    OsType = "DESKTOP_CHROME_OS",
                },
            },
            RequireScreenLock = false,
        };

        var condition = new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionArgs
        {
            DevicePolicy = devicePolicy,
            Regions = { "CH", "IT", "US" },
        };

        var accessLevel = new Gcp.AccessContextManager.AccessLevel("access-level", new Gcp.AccessContextManager.AccessLevelArgs
        {
            Basic = new Gcp.AccessContextManager.Inputs.AccessLevelBasicArgs
            {
                Conditions = { condition },
            },
            Parent = policyParent,
            Title = "chromeos_no_lock",
        });
    }
}
Example Usage - Access Context Manager Service Perimeter Dry Run
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack: a service perimeter with both an enforced configuration
/// (<c>Status</c>) and an explicit dry-run configuration (<c>Spec</c>).
/// With <c>UseExplicitDryRunSpec = true</c> the <c>Spec</c> block is
/// evaluated in dry-run mode while <c>Status</c> is what is enforced.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var accessPolicy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new Gcp.AccessContextManager.AccessPolicyArgs
        {
            Parent = "organizations/123456789",
            Title = "my policy",
        });

        // Dry-run candidate: restricting the Storage API. Violations are
        // reported rather than blocked while this remains in Spec.
        var dryRunSpec = new Gcp.AccessContextManager.Inputs.ServicePerimeterSpecArgs
        {
            RestrictedServices = { "storage.googleapis.com" },
        };

        // Enforced configuration: the BigQuery API is restricted.
        var enforcedStatus = new Gcp.AccessContextManager.Inputs.ServicePerimeterStatusArgs
        {
            RestrictedServices = { "bigquery.googleapis.com" },
        };

        var servicePerimeter = new Gcp.AccessContextManager.ServicePerimeter("service-perimeter", new Gcp.AccessContextManager.ServicePerimeterArgs
        {
            Parent = accessPolicy.Name.Apply(name => $"accessPolicies/{name}"),
            Spec = dryRunSpec,
            Status = enforcedStatus,
            Title = "restrict_bigquery_dryrun_storage",
            // Without this flag the Spec block would not be treated as an
            // explicit dry-run configuration.
            UseExplicitDryRunSpec = true,
        });
    }
}
ServicePerimeterArgs
ServicePerimeterResource
Allows configuring a single GCP resource that should be inside of a service perimeter.
This resource is intended to be used in cases where it is not possible to compile a full list
of projects to include in a gcp.accesscontextmanager.ServicePerimeter resource,
to enable them to be added separately.
Note: If this resource is used alongside a
gcp.accesscontextmanager.ServicePerimeter resource, the service perimeter resource must have a `lifecycle` block with `ignore_changes = [status[0].resources]` so they don't fight over which resources should be in the policy.
To get more information about ServicePerimeterResource, see:
- API documentation
- How-to Guides
- Service Perimeter Quickstart
Example Usage - Access Context Manager Service Perimeter Resource Basic
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack: an access policy, a service perimeter restricting the
/// Storage API, and a <c>ServicePerimeterResource</c> that adds a single
/// project to that perimeter after the fact.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var accessPolicy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new Gcp.AccessContextManager.AccessPolicyArgs
        {
            Parent = "organizations/123456789",
            Title = "my policy",
        });

        // NOTE(review): the documentation note for ServicePerimeterResource
        // says the perimeter must ignore changes to its status resources when
        // the two resources are combined; this example does not set any
        // IgnoreChanges option on the perimeter. Confirm the required property
        // path for the .NET SDK before relying on this example as-is.
        // NOTE(review): the title "restrict_all" overstates the configuration -
        // only the Storage API is restricted here.
        var perimeter = new Gcp.AccessContextManager.ServicePerimeter("service-perimeter-resourceServicePerimeter", new Gcp.AccessContextManager.ServicePerimeterArgs
        {
            Parent = accessPolicy.Name.Apply(name => $"accessPolicies/{name}"),
            Title = "restrict_all",
            Status = new Gcp.AccessContextManager.Inputs.ServicePerimeterStatusArgs
            {
                RestrictedServices = { "storage.googleapis.com" },
            },
        });

        // Attach one project to the perimeter by its resource name. PerimeterName
        // is an Output, so Pulumi orders this after the perimeter is created.
        var perimeterResource = new Gcp.AccessContextManager.ServicePerimeterResource("service-perimeter-resourceServicePerimeterResource", new Gcp.AccessContextManager.ServicePerimeterResourceArgs
        {
            PerimeterName = perimeter.Name,
            Resource = "projects/987654321",
        });
    }
}