Fixes #19540 (#12253)

[upstream:3db026ca076c34e112178ab9c5e5a6a7fb251e8b]

Signed-off-by: Modular Magician <[email protected]>

.changelog/12253.txt

@@ -0,0 +1,3 @@
+```release-note:none
+
+```

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter.go

@@ -565,9 +565,11 @@ a perimeter bridge.`,
 												"identities": {
 													Type:     schema.TypeSet,
 													Optional: true,
-													Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+													Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},
@@ -705,9 +707,11 @@ to apply.`,
 												"identities": {
 													Type:     schema.TypeSet,
 													Optional: true,
-													Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+													Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 													Elem: &schema.Schema{
 														Type: schema.TypeString,
 													},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_egress_policy.go

@@ -114,9 +114,11 @@ func ResourceAccessContextManagerServicePerimeterDryRunEgressPolicy() *schema.Re
 							Type:     schema.TypeList,
 							Optional: true,
 							ForceNew: true,
-							Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+							Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_dry_run_ingress_policy.go

@@ -115,9 +115,11 @@ to apply.`,
 							Type:     schema.TypeList,
 							Optional: true,
 							ForceNew: true,
-							Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+							Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_egress_policy.go

@@ -114,9 +114,11 @@ func ResourceAccessContextManagerServicePerimeterEgressPolicy() *schema.Resource
 							Type:     schema.TypeList,
 							Optional: true,
 							ForceNew: true,
-							Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+							Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeter_ingress_policy.go

@@ -115,9 +115,11 @@ to apply.`,
 							Type:     schema.TypeList,
 							Optional: true,
 							ForceNew: true,
-							Description: `A list of identities that are allowed access through this ingress policy.
-Should be in the format of email address. The email address should represent
-individual user or service account only.`,
+							Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},

google/services/accesscontextmanager/resource_access_context_manager_service_perimeters.go

@@ -151,9 +151,11 @@ a perimeter bridge.`,
 															"identities": {
 																Type:     schema.TypeSet,
 																Optional: true,
-																Description: `A list of identities that are allowed access through this 'EgressPolicy'.
-Should be in the format of email address. The email address should
-represent individual user or service account only.`,
+																Description: `Identities can be an individual user, service account, Google group,
+or third-party identity. For third-party identity, only single identities
+are supported and other identity types are not supported.The v1 identities
+that have the prefix user, group and serviceAccount in
+https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.`,
 																Elem: &schema.Schema{
 																	Type: schema.TypeString,
 																},

website/docs/r/access_context_manager_service_perimeter.html.markdown

@@ -390,9 +390,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 * `sources` -
   (Optional)
@@ -510,9 +512,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 
 <a name="nested_sources"></a>The `sources` block supports:

website/docs/r/access_context_manager_service_perimeter_dry_run_egress_policy.html.markdown

@@ -117,9 +117,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 * `sources` -
   (Optional)

website/docs/r/access_context_manager_service_perimeter_dry_run_ingress_policy.html.markdown

@@ -122,9 +122,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 * `sources` -
   (Optional)

website/docs/r/access_context_manager_service_perimeter_egress_policy.html.markdown

@@ -117,9 +117,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 * `sources` -
   (Optional)

website/docs/r/access_context_manager_service_perimeter_ingress_policy.html.markdown

@@ -122,9 +122,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this ingress policy.
-  Should be in the format of email address. The email address should represent
-  individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 * `sources` -
   (Optional)

website/docs/r/access_context_manager_service_perimeters.html.markdown

@@ -640,9 +640,11 @@ The following arguments are supported:
 
 * `identities` -
   (Optional)
-  A list of identities that are allowed access through this `EgressPolicy`.
-  Should be in the format of email address. The email address should
-  represent individual user or service account only.
+  Identities can be an individual user, service account, Google group,
+  or third-party identity. For third-party identity, only single identities
+  are supported and other identity types are not supported.The v1 identities
+  that have the prefix user, group and serviceAccount in
+  https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 
 * `sources` -
   (Optional)