Added support for VPC Service Controls (VPC SC) Secure Data Exchange

docs/resources/google_access_context_manager_service_perimeter.md

@@ -51,6 +51,66 @@ Properties that can be accessed from the `google_access_context_manager_service_
 
       * `allowed_services`: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True.
 
+    * `ingress_policies`: / List of `IngressPolicies` to apply to the perimeter. A perimeter may have multiple `IngressPolicies`, each of which is evaluated separately. Access is granted if any `Ingress Policy` grants it. Must be empty for a perimeter bridge.
+
+      * `ingress_from`: / Defines the conditions on the source of a request causing this `IngressPolicy` to apply.
+
+        * `identity_type`: / Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access.
+        Possible values:
+          * IDENTITY_TYPE_UNSPECIFIED
+          * ANY_IDENTITY
+          * ANY_USER_ACCOUNT
+          * ANY_SERVICE_ACCOUNT
+
+        * `identities`: / A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.
+
+        * `sources`: / Sources that this `IngressPolicy` authorizes access from.
+
+          * `access_level`: / An `AccessLevel` resource name that allow resources within the `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` will cause an error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.` If * is specified, then all IngressSources will be allowed.
+
+          * `resource`: / A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format `projects/{project_number}` The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported.
+
+      * `ingress_to`: / Defines the conditions on the `ApiOperation` and request destination that cause this `IngressPolicy` to apply.
+
+        * `resources`: / A list of resources, currently only projects in the form `projects/<projectnumber>`, protected by this `ServicePerimeter` that are allowed to be accessed by sources defined in the corresponding `IngressFrom`. A request matches if it contains a resource in this list. If `*` is specified for resources, then this `IngressTo` rule will authorize access to all resources inside the perimeter, provided that the request also matches the `operations` field.
+
+        * `operations`: / A list of `ApiOperations` the sources specified in corresponding `IngressFrom` are allowed to perform in this `ServicePerimeter`.
+
+          * `service_name`: / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName` field set to `*` will allow all methods AND permissions for all services.
+
+          * `method_selectors`: / API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single `MethodSelector` entry with `*` specified for the method field will allow all methods AND permissions for the service specified in `serviceName`.
+
+            * `method`: / Value for method should be a valid method name for the corresponding serviceName in `ApiOperation`. If `*` used as value for `method`, then ALL methods and permissions are allowed.
+
+            * `permission`: / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`.
+
+    * `egress_policies`: / List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
+
+      * `egress_from`: / Defines conditions on the source of a request causing this `EgressPolicy` to apply.
+
+        * `identity_type`: / Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access.
+        Possible values:
+          * IDENTITY_TYPE_UNSPECIFIED
+          * ANY_IDENTITY
+          * ANY_USER_ACCOUNT
+          * ANY_SERVICE_ACCOUNT
+
+        * `identities`: / A list of identities that are allowed access through this `EgressPolicy`. Should be in the format of email address. The email address should represent individual user or service account only.
+
+      * `egress_to`: / Defines the conditions on the `ApiOperation` and destination resources that cause this `EgressPolicy` to apply.
+
+        * `resources`: / A list of resources, currently only projects in the form `projects/<projectnumber>`, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this `EgressTo` rule will authorize access to all resources outside the perimeter.
+
+        * `operations`: / A list of `ApiOperations` that this egress rule applies to. A request matches if it contains an operation/service in this list.
+
+          * `service_name`: / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with serviceName field set to `*` will allow all methods AND permissions for all services.
+
+          * `method_selectors`: / API methods or permissions to allow. Method or permission must belong to the service specified by `serviceName` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `serviceName`.
+
+            * `method`: / Value for `method` should be a valid method name for the corresponding `serviceName` in `ApiOperation`. If `*` used as value for method, then ALL methods and permissions are allowed.
+
+            * `permission`: / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`.
+
   * `spec`: Proposed (or dry run) ServicePerimeter configuration. This configuration allows to specify and test ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the `useExplicitDryRunSpec` flag is set.
 
     * `resources`: A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}
@@ -65,6 +125,66 @@ Properties that can be accessed from the `google_access_context_manager_service_
 
       * `allowed_services`: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True.
 
+    * `ingress_policies`: / List of `IngressPolicies` to apply to the perimeter. A perimeter may have multiple `IngressPolicies`, each of which is evaluated separately. Access is granted if any `Ingress Policy` grants it. Must be empty for a perimeter bridge.
+
+      * `ingress_from`: / Defines the conditions on the source of a request causing this `IngressPolicy` to apply.
+
+        * `identity_type`: / Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access.
+        Possible values:
+          * IDENTITY_TYPE_UNSPECIFIED
+          * ANY_IDENTITY
+          * ANY_USER_ACCOUNT
+          * ANY_SERVICE_ACCOUNT
+
+        * `identities`: / A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.
+
+        * `sources`: / Sources that this `IngressPolicy` authorizes access from.
+
+          * `access_level`: / An `AccessLevel` resource name that allow resources within the `ServicePerimeters` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` will cause an error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL.` If * is specified, then all IngressSources will be allowed.
+
+          * `resource`: / A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format `projects/{project_number}` The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported.
+
+      * `ingress_to`: / Defines the conditions on the `ApiOperation` and request destination that cause this `IngressPolicy` to apply.
+
+        * `resources`: / A list of resources, currently only projects in the form `projects/<projectnumber>`, protected by this `ServicePerimeter` that are allowed to be accessed by sources defined in the corresponding `IngressFrom`. A request matches if it contains a resource in this list. If `*` is specified for resources, then this `IngressTo` rule will authorize access to all resources inside the perimeter, provided that the request also matches the `operations` field.
+
+        * `operations`: / A list of `ApiOperations` the sources specified in corresponding `IngressFrom` are allowed to perform in this `ServicePerimeter`.
+
+          * `service_name`: / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with `serviceName` field set to `*` will allow all methods AND permissions for all services.
+
+          * `method_selectors`: / API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single `MethodSelector` entry with `*` specified for the method field will allow all methods AND permissions for the service specified in `serviceName`.
+
+            * `method`: / Value for method should be a valid method name for the corresponding serviceName in `ApiOperation`. If `*` used as value for `method`, then ALL methods and permissions are allowed.
+
+            * `permission`: / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`.
+
+    * `egress_policies`: / List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
+
+      * `egress_from`: / Defines conditions on the source of a request causing this `EgressPolicy` to apply.
+
+        * `identity_type`: / Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access.
+        Possible values:
+          * IDENTITY_TYPE_UNSPECIFIED
+          * ANY_IDENTITY
+          * ANY_USER_ACCOUNT
+          * ANY_SERVICE_ACCOUNT
+
+        * `identities`: / A list of identities that are allowed access through this `EgressPolicy`. Should be in the format of email address. The email address should represent individual user or service account only.
+
+      * `egress_to`: / Defines the conditions on the `ApiOperation` and destination resources that cause this `EgressPolicy` to apply.
+
+        * `resources`: / A list of resources, currently only projects in the form `projects/<projectnumber>`, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this `EgressTo` rule will authorize access to all resources outside the perimeter.
+
+        * `operations`: / A list of `ApiOperations` that this egress rule applies to. A request matches if it contains an operation/service in this list.
+
+          * `service_name`: / The name of the API whose methods or permissions the `IngressPolicy` or `EgressPolicy` want to allow. A single `ApiOperation` with serviceName field set to `*` will allow all methods AND permissions for all services.
+
+          * `method_selectors`: / API methods or permissions to allow. Method or permission must belong to the service specified by `serviceName` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `serviceName`.
+
+            * `method`: / Value for `method` should be a valid method name for the corresponding `serviceName` in `ApiOperation`. If `*` used as value for method, then ALL methods and permissions are allowed.
+
+            * `permission`: / Value for permission should be a valid Cloud IAM permission for the corresponding `serviceName` in `ApiOperation`.
+
   * `use_explicit_dry_run_spec`: Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. useExplicitDryRunSpec must bet set to True if any of the fields in the spec are set to non-default values.
 
   * `parent`: The AccessPolicy this ServicePerimeter lives in. Format: accessPolicies/{policy_id}

libraries/google/accesscontextmanager/property/serviceperimeter_spec.rb

@@ -13,6 +13,8 @@
 #     CONTRIBUTING.md located at the root of this package.
 #
 # ----------------------------------------------------------------------------
+require 'google/accesscontextmanager/property/serviceperimeter_spec_egress_policies'
+require 'google/accesscontextmanager/property/serviceperimeter_spec_ingress_policies'
 require 'google/accesscontextmanager/property/serviceperimeter_spec_vpc_accessible_services'
 module GoogleInSpec
   module AccessContextManager
@@ -26,13 +28,19 @@ class ServicePerimeterSpec
 
         attr_reader :vpc_accessible_services
 
+        attr_reader :ingress_policies
+
+        attr_reader :egress_policies
+
         def initialize(args = nil, parent_identifier = nil)
           return if args.nil?
           @parent_identifier = parent_identifier
           @resources = args['resources']
           @access_levels = args['accessLevels']
           @restricted_services = args['restrictedServices']
           @vpc_accessible_services = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecVPCAccessibleServices.new(args['vpcAccessibleServices'], to_s)
+          @ingress_policies = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecIngressPoliciesArray.parse(args['ingressPolicies'], to_s)
+          @egress_policies = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecEgressPoliciesArray.parse(args['egressPolicies'], to_s)
         end
 
         def to_s

libraries/google/accesscontextmanager/property/serviceperimeter_spec_egress_policies.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'google/accesscontextmanager/property/serviceperimeter_spec_egress_policies_egress_from'
+require 'google/accesscontextmanager/property/serviceperimeter_spec_egress_policies_egress_to'
+require 'google/accesscontextmanager/property/serviceperimeter_spec_egress_policies_egress_to_operations'
+module GoogleInSpec
+  module AccessContextManager
+    module Property
+      class ServicePerimeterSpecEgressPolicies
+        attr_reader :egress_from
+
+        attr_reader :egress_to
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @egress_from = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecEgressPoliciesEgressFrom.new(args['egressFrom'], to_s)
+          @egress_to = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecEgressPoliciesEgressTo.new(args['egressTo'], to_s)
+        end
+
+        def to_s
+          "#{@parent_identifier} ServicePerimeterSpecEgressPolicies"
+        end
+      end
+
+      class ServicePerimeterSpecEgressPoliciesArray
+        def self.parse(value, parent_identifier)
+          return if value.nil?
+          return ServicePerimeterSpecEgressPolicies.new(value, parent_identifier) unless value.is_a?(::Array)
+          value.map { |v| ServicePerimeterSpecEgressPolicies.new(v, parent_identifier) }
+        end
+      end
+    end
+  end
+end

libraries/google/accesscontextmanager/property/serviceperimeter_spec_egress_policies_egress_from.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+module GoogleInSpec
+  module AccessContextManager
+    module Property
+      class ServicePerimeterSpecEgressPoliciesEgressFrom
+        attr_reader :identity_type
+
+        attr_reader :identities
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @identity_type = args['identityType']
+          @identities = args['identities']
+        end
+
+        def to_s
+          "#{@parent_identifier} ServicePerimeterSpecEgressPoliciesEgressFrom"
+        end
+      end
+    end
+  end
+end

libraries/google/accesscontextmanager/property/serviceperimeter_spec_egress_policies_egress_to.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'google/accesscontextmanager/property/serviceperimeter_spec_egress_policies_egress_to_operations'
+module GoogleInSpec
+  module AccessContextManager
+    module Property
+      class ServicePerimeterSpecEgressPoliciesEgressTo
+        attr_reader :resources
+
+        attr_reader :operations
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @resources = args['resources']
+          @operations = GoogleInSpec::AccessContextManager::Property::ServicePerimeterSpecEgressPoliciesEgressToOperationsArray.parse(args['operations'], to_s)
+        end
+
+        def to_s
+          "#{@parent_identifier} ServicePerimeterSpecEgressPoliciesEgressTo"
+        end
+      end
+    end
+  end
+end