gcp.accesscontextmanager.ServicePerimeterEgressPolicy
Explore with Pulumi AI
Manage a single EgressPolicy in the status (enforced) configuration for a service perimeter. EgressPolicies match requests based on egressFrom and egressTo stanzas. For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).
Note: By default, updates to this resource will remove the EgressPolicy from the from the perimeter and add it back in a non-atomic manner. To ensure that the new EgressPolicy is added before the old one is removed, add a
lifecycle
block withcreate_before_destroy = true
to this resource.
To get more information about ServicePerimeterEgressPolicy, see:
- API documentation
- How-to Guides
Example Usage
Create ServicePerimeterEgressPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ServicePerimeterEgressPolicy(name: string, args: ServicePerimeterEgressPolicyArgs, opts?: CustomResourceOptions);
@overload
def ServicePerimeterEgressPolicy(resource_name: str,
args: ServicePerimeterEgressPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ServicePerimeterEgressPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
perimeter: Optional[str] = None,
egress_from: Optional[ServicePerimeterEgressPolicyEgressFromArgs] = None,
egress_to: Optional[ServicePerimeterEgressPolicyEgressToArgs] = None)
func NewServicePerimeterEgressPolicy(ctx *Context, name string, args ServicePerimeterEgressPolicyArgs, opts ...ResourceOption) (*ServicePerimeterEgressPolicy, error)
public ServicePerimeterEgressPolicy(string name, ServicePerimeterEgressPolicyArgs args, CustomResourceOptions? opts = null)
public ServicePerimeterEgressPolicy(String name, ServicePerimeterEgressPolicyArgs args)
public ServicePerimeterEgressPolicy(String name, ServicePerimeterEgressPolicyArgs args, CustomResourceOptions options)
type: gcp:accesscontextmanager:ServicePerimeterEgressPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ServicePerimeterEgressPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var servicePerimeterEgressPolicyResource = new Gcp.AccessContextManager.ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource", new()
{
Perimeter = "string",
EgressFrom = new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressFromArgs
{
Identities = new[]
{
"string",
},
IdentityType = "string",
SourceRestriction = "string",
Sources = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressFromSourceArgs
{
AccessLevel = "string",
},
},
},
EgressTo = new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToArgs
{
ExternalResources = new[]
{
"string",
},
Operations = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToOperationArgs
{
MethodSelectors = new[]
{
new Gcp.AccessContextManager.Inputs.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs
{
Method = "string",
Permission = "string",
},
},
ServiceName = "string",
},
},
Resources = new[]
{
"string",
},
},
});
example, err := accesscontextmanager.NewServicePerimeterEgressPolicy(ctx, "servicePerimeterEgressPolicyResource", &accesscontextmanager.ServicePerimeterEgressPolicyArgs{
Perimeter: pulumi.String("string"),
EgressFrom: &accesscontextmanager.ServicePerimeterEgressPolicyEgressFromArgs{
Identities: pulumi.StringArray{
pulumi.String("string"),
},
IdentityType: pulumi.String("string"),
SourceRestriction: pulumi.String("string"),
Sources: accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSourceArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressFromSourceArgs{
AccessLevel: pulumi.String("string"),
},
},
},
EgressTo: &accesscontextmanager.ServicePerimeterEgressPolicyEgressToArgs{
ExternalResources: pulumi.StringArray{
pulumi.String("string"),
},
Operations: accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationArgs{
MethodSelectors: accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArray{
&accesscontextmanager.ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs{
Method: pulumi.String("string"),
Permission: pulumi.String("string"),
},
},
ServiceName: pulumi.String("string"),
},
},
Resources: pulumi.StringArray{
pulumi.String("string"),
},
},
})
var servicePerimeterEgressPolicyResource = new ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource", ServicePerimeterEgressPolicyArgs.builder()
.perimeter("string")
.egressFrom(ServicePerimeterEgressPolicyEgressFromArgs.builder()
.identities("string")
.identityType("string")
.sourceRestriction("string")
.sources(ServicePerimeterEgressPolicyEgressFromSourceArgs.builder()
.accessLevel("string")
.build())
.build())
.egressTo(ServicePerimeterEgressPolicyEgressToArgs.builder()
.externalResources("string")
.operations(ServicePerimeterEgressPolicyEgressToOperationArgs.builder()
.methodSelectors(ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs.builder()
.method("string")
.permission("string")
.build())
.serviceName("string")
.build())
.resources("string")
.build())
.build());
service_perimeter_egress_policy_resource = gcp.accesscontextmanager.ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource",
perimeter="string",
egress_from={
"identities": ["string"],
"identity_type": "string",
"source_restriction": "string",
"sources": [{
"access_level": "string",
}],
},
egress_to={
"external_resources": ["string"],
"operations": [{
"method_selectors": [{
"method": "string",
"permission": "string",
}],
"service_name": "string",
}],
"resources": ["string"],
})
const servicePerimeterEgressPolicyResource = new gcp.accesscontextmanager.ServicePerimeterEgressPolicy("servicePerimeterEgressPolicyResource", {
perimeter: "string",
egressFrom: {
identities: ["string"],
identityType: "string",
sourceRestriction: "string",
sources: [{
accessLevel: "string",
}],
},
egressTo: {
externalResources: ["string"],
operations: [{
methodSelectors: [{
method: "string",
permission: "string",
}],
serviceName: "string",
}],
resources: ["string"],
},
});
type: gcp:accesscontextmanager:ServicePerimeterEgressPolicy
properties:
egressFrom:
identities:
- string
identityType: string
sourceRestriction: string
sources:
- accessLevel: string
egressTo:
externalResources:
- string
operations:
- methodSelectors:
- method: string
permission: string
serviceName: string
resources:
- string
perimeter: string
ServicePerimeterEgressPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ServicePerimeterEgressPolicy resource accepts the following input properties:
- Perimeter string
- The name of the Service Perimeter to add this resource to.
- Egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below.
- Perimeter string
- The name of the Service Perimeter to add this resource to.
- Egress
From ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below.
- perimeter String
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below.
- perimeter string
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below.
- perimeter str
- The name of the Service Perimeter to add this resource to.
- egress_
from ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress_
to ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below.
- perimeter String
- The name of the Service Perimeter to add this resource to.
- egress
From Property Map - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress
To Property Map - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the ServicePerimeterEgressPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ServicePerimeterEgressPolicy Resource
Get an existing ServicePerimeterEgressPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ServicePerimeterEgressPolicyState, opts?: CustomResourceOptions): ServicePerimeterEgressPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
egress_from: Optional[ServicePerimeterEgressPolicyEgressFromArgs] = None,
egress_to: Optional[ServicePerimeterEgressPolicyEgressToArgs] = None,
perimeter: Optional[str] = None) -> ServicePerimeterEgressPolicy
func GetServicePerimeterEgressPolicy(ctx *Context, name string, id IDInput, state *ServicePerimeterEgressPolicyState, opts ...ResourceOption) (*ServicePerimeterEgressPolicy, error)
public static ServicePerimeterEgressPolicy Get(string name, Input<string> id, ServicePerimeterEgressPolicyState? state, CustomResourceOptions? opts = null)
public static ServicePerimeterEgressPolicy get(String name, Output<String> id, ServicePerimeterEgressPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below. - Perimeter string
- The name of the Service Perimeter to add this resource to.
- Egress
From ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - Egress
To ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below. - Perimeter string
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below. - perimeter String
- The name of the Service Perimeter to add this resource to.
- egress
From ServicePerimeter Egress Policy Egress From - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress
To ServicePerimeter Egress Policy Egress To - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below. - perimeter string
- The name of the Service Perimeter to add this resource to.
- egress_
from ServicePerimeter Egress Policy Egress From Args - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress_
to ServicePerimeter Egress Policy Egress To Args - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below. - perimeter str
- The name of the Service Perimeter to add this resource to.
- egress
From Property Map - Defines conditions on the source of a request causing this
EgressPolicy
to apply. Structure is documented below. - egress
To Property Map - Defines the conditions on the
ApiOperation
and destination resources that cause thisEgressPolicy
to apply. Structure is documented below. - perimeter String
- The name of the Service Perimeter to add this resource to.
Supporting Types
ServicePerimeterEgressPolicyEgressFrom, ServicePerimeterEgressPolicyEgressFromArgs
- Identities List<string>
- A list of identities that are allowed access through this
EgressPolicy
. Should be in the format of email address. The email address should represent individual user or service account only. - Identity
Type string - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identities
field will be allowed access. Possible values are:ANY_IDENTITY
,ANY_USER_ACCOUNT
,ANY_SERVICE_ACCOUNT
. - Source
Restriction string - Whether to enforce traffic restrictions based on
sources
field. If thesources
field is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED
. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED
,SOURCE_RESTRICTION_ENABLED
,SOURCE_RESTRICTION_DISABLED
. - Sources
List<Service
Perimeter Egress Policy Egress From Source> - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- Identities []string
- A list of identities that are allowed access through this
EgressPolicy
. Should be in the format of email address. The email address should represent individual user or service account only. - Identity
Type string - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identities
field will be allowed access. Possible values are:ANY_IDENTITY
,ANY_USER_ACCOUNT
,ANY_SERVICE_ACCOUNT
. - Source
Restriction string - Whether to enforce traffic restrictions based on
sources
field. If thesources
field is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED
. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED
,SOURCE_RESTRICTION_ENABLED
,SOURCE_RESTRICTION_DISABLED
. - Sources
[]Service
Perimeter Egress Policy Egress From Source - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities List<String>
- A list of identities that are allowed access through this
EgressPolicy
. Should be in the format of email address. The email address should represent individual user or service account only. - identity
Type String - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identities
field will be allowed access. Possible values are:ANY_IDENTITY
,ANY_USER_ACCOUNT
,ANY_SERVICE_ACCOUNT
. - source
Restriction String - Whether to enforce traffic restrictions based on
sources
field. If thesources
field is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED
. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED
,SOURCE_RESTRICTION_ENABLED
,SOURCE_RESTRICTION_DISABLED
. - sources
List<Service
Perimeter Egress Policy Egress From Source> - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities string[]
- A list of identities that are allowed access through this
EgressPolicy
. Should be in the format of email address. The email address should represent individual user or service account only. - identity
Type string - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identities
field will be allowed access. Possible values are:ANY_IDENTITY
,ANY_USER_ACCOUNT
,ANY_SERVICE_ACCOUNT
. - source
Restriction string - Whether to enforce traffic restrictions based on
sources
field. If thesources
field is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED
. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED
,SOURCE_RESTRICTION_ENABLED
,SOURCE_RESTRICTION_DISABLED
. - sources
Service
Perimeter Egress Policy Egress From Source[] - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities Sequence[str]
- A list of identities that are allowed access through this
EgressPolicy
. Should be in the format of email address. The email address should represent individual user or service account only. - identity_
type str - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identities
field will be allowed access. Possible values are:ANY_IDENTITY
,ANY_USER_ACCOUNT
,ANY_SERVICE_ACCOUNT
. - source_
restriction str - Whether to enforce traffic restrictions based on
sources
field. If thesources
field is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED
. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED
,SOURCE_RESTRICTION_ENABLED
,SOURCE_RESTRICTION_DISABLED
. - sources
Sequence[Service
Perimeter Egress Policy Egress From Source] - Sources that this EgressPolicy authorizes access from. Structure is documented below.
- identities List<String>
- A list of identities that are allowed access through this
EgressPolicy
. Should be in the format of email address. The email address should represent individual user or service account only. - identity
Type String - Specifies the type of identities that are allowed access to outside the
perimeter. If left unspecified, then members of
identities
field will be allowed access. Possible values are:ANY_IDENTITY
,ANY_USER_ACCOUNT
,ANY_SERVICE_ACCOUNT
. - source
Restriction String - Whether to enforce traffic restrictions based on
sources
field. If thesources
field is non-empty, then this field must be set toSOURCE_RESTRICTION_ENABLED
. Possible values are:SOURCE_RESTRICTION_UNSPECIFIED
,SOURCE_RESTRICTION_ENABLED
,SOURCE_RESTRICTION_DISABLED
. - sources List<Property Map>
- Sources that this EgressPolicy authorizes access from. Structure is documented below.
ServicePerimeterEgressPolicyEgressFromSource, ServicePerimeterEgressPolicyEgressFromSourceArgs
- Access
Level string - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- Access
Level string - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access
Level String - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access
Level string - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access_
level str - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
- access
Level String - An AccessLevel resource name that allows resources outside the ServicePerimeter to be accessed from the inside.
ServicePerimeterEgressPolicyEgressTo, ServicePerimeterEgressPolicyEgressToArgs
- External
Resources List<string> - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- Operations
List<Service
Perimeter Egress Policy Egress To Operation> - A list of
ApiOperations
that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - Resources List<string>
- A list of resources, currently only projects in the form
projects/<projectnumber>
, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTo
rule will authorize access to all resources outside the perimeter.
- External
Resources []string - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- Operations
[]Service
Perimeter Egress Policy Egress To Operation - A list of
ApiOperations
that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - Resources []string
- A list of resources, currently only projects in the form
projects/<projectnumber>
, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTo
rule will authorize access to all resources outside the perimeter.
- external
Resources List<String> - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations
List<Service
Perimeter Egress Policy Egress To Operation> - A list of
ApiOperations
that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources List<String>
- A list of resources, currently only projects in the form
projects/<projectnumber>
, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTo
rule will authorize access to all resources outside the perimeter.
- external
Resources string[] - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations
Service
Perimeter Egress Policy Egress To Operation[] - A list of
ApiOperations
that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources string[]
- A list of resources, currently only projects in the form
projects/<projectnumber>
, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTo
rule will authorize access to all resources outside the perimeter.
- external_
resources Sequence[str] - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations
Sequence[Service
Perimeter Egress Policy Egress To Operation] - A list of
ApiOperations
that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources Sequence[str]
- A list of resources, currently only projects in the form
projects/<projectnumber>
, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTo
rule will authorize access to all resources outside the perimeter.
- external
Resources List<String> - A list of external resources that are allowed to be accessed. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
- operations List<Property Map>
- A list of
ApiOperations
that this egress rule applies to. A request matches if it contains an operation/service in this list. Structure is documented below. - resources List<String>
- A list of resources, currently only projects in the form
projects/<projectnumber>
, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then thisEgressTo
rule will authorize access to all resources outside the perimeter.
ServicePerimeterEgressPolicyEgressToOperation, ServicePerimeterEgressPolicyEgressToOperationArgs
- Method
Selectors List<ServicePerimeter Egress Policy Egress To Operation Method Selector> - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceName
field. A single MethodSelector entry with*
specified for themethod
field will allow all methods AND permissions for the service specified inserviceName
. Structure is documented below. - Service
Name string - The name of the API whose methods or permissions the
IngressPolicy
orEgressPolicy
want to allow. A singleApiOperation
with serviceName field set to*
will allow all methods AND permissions for all services.
- Method
Selectors []ServicePerimeter Egress Policy Egress To Operation Method Selector - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceName
field. A single MethodSelector entry with*
specified for themethod
field will allow all methods AND permissions for the service specified inserviceName
. Structure is documented below. - Service
Name string - The name of the API whose methods or permissions the
IngressPolicy
orEgressPolicy
want to allow. A singleApiOperation
with serviceName field set to*
will allow all methods AND permissions for all services.
- method
Selectors List<ServicePerimeter Egress Policy Egress To Operation Method Selector> - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceName
field. A single MethodSelector entry with*
specified for themethod
field will allow all methods AND permissions for the service specified inserviceName
. Structure is documented below. - service
Name String - The name of the API whose methods or permissions the
IngressPolicy
orEgressPolicy
want to allow. A singleApiOperation
with serviceName field set to*
will allow all methods AND permissions for all services.
- method
Selectors ServicePerimeter Egress Policy Egress To Operation Method Selector[] - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceName
field. A single MethodSelector entry with*
specified for themethod
field will allow all methods AND permissions for the service specified inserviceName
. Structure is documented below. - service
Name string - The name of the API whose methods or permissions the
IngressPolicy
orEgressPolicy
want to allow. A singleApiOperation
with serviceName field set to*
will allow all methods AND permissions for all services.
- method_
selectors Sequence[ServicePerimeter Egress Policy Egress To Operation Method Selector] - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceName
field. A single MethodSelector entry with*
specified for themethod
field will allow all methods AND permissions for the service specified inserviceName
. Structure is documented below. - service_
name str - The name of the API whose methods or permissions the
IngressPolicy
orEgressPolicy
want to allow. A singleApiOperation
with serviceName field set to*
will allow all methods AND permissions for all services.
- method
Selectors List<Property Map> - API methods or permissions to allow. Method or permission must belong
to the service specified by
serviceName
field. A single MethodSelector entry with*
specified for themethod
field will allow all methods AND permissions for the service specified inserviceName
. Structure is documented below. - service
Name String - The name of the API whose methods or permissions the
IngressPolicy
orEgressPolicy
want to allow. A singleApiOperation
with serviceName field set to*
will allow all methods AND permissions for all services.
ServicePerimeterEgressPolicyEgressToOperationMethodSelector, ServicePerimeterEgressPolicyEgressToOperationMethodSelectorArgs
- Method string
- Value for
method
should be a valid method name for the correspondingserviceName
inApiOperation
. If*
used as value for method, then ALL methods and permissions are allowed. - Permission string
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceName
inApiOperation
.
- Method string
- Value for
method
should be a valid method name for the correspondingserviceName
inApiOperation
. If*
used as value for method, then ALL methods and permissions are allowed. - Permission string
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceName
inApiOperation
.
- method String
- Value for
method
should be a valid method name for the correspondingserviceName
inApiOperation
. If*
used as value for method, then ALL methods and permissions are allowed. - permission String
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceName
inApiOperation
.
- method string
- Value for
method
should be a valid method name for the correspondingserviceName
inApiOperation
. If*
used as value for method, then ALL methods and permissions are allowed. - permission string
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceName
inApiOperation
.
- method str
- Value for
method
should be a valid method name for the correspondingserviceName
inApiOperation
. If*
used as value for method, then ALL methods and permissions are allowed. - permission str
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceName
inApiOperation
.
- method String
- Value for
method
should be a valid method name for the correspondingserviceName
inApiOperation
. If*
used as value for method, then ALL methods and permissions are allowed. - permission String
- Value for permission should be a valid Cloud IAM permission for the
corresponding
serviceName
inApiOperation
.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.