Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.accesscontextmanager/v1.ServicePerimeter

    Creates a service perimeter. The long-running operation from this RPC has a successful status after the service perimeter propagates to long-lasting storage. If a service perimeter contains errors, an error response is returned for the first error encountered.

    Create ServicePerimeter Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ServicePerimeter(name: string, args: ServicePerimeterArgs, opts?: CustomResourceOptions);
    
    @overload
    def ServicePerimeter(resource_name: str,
                         args: ServicePerimeterArgs,
                         opts: Optional[ResourceOptions] = None)
    
    @overload
    def ServicePerimeter(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         access_policy_id: Optional[str] = None,
                         description: Optional[str] = None,
                         name: Optional[str] = None,
                         perimeter_type: Optional[ServicePerimeterPerimeterType] = None,
                         spec: Optional[ServicePerimeterConfigArgs] = None,
                         title: Optional[str] = None,
                         use_explicit_dry_run_spec: Optional[bool] = None)
    
    func NewServicePerimeter(ctx *Context, name string, args ServicePerimeterArgs, opts ...ResourceOption) (*ServicePerimeter, error)
    
    public ServicePerimeter(string name, ServicePerimeterArgs args, CustomResourceOptions? opts = null)
    
    public ServicePerimeter(String name, ServicePerimeterArgs args)
    public ServicePerimeter(String name, ServicePerimeterArgs args, CustomResourceOptions options)
    
    type: google-native:accesscontextmanager/v1:ServicePerimeter
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args ServicePerimeterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ServicePerimeterArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ServicePerimeterArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ServicePerimeterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ServicePerimeterArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var servicePerimeterResource = new GoogleNative.AccessContextManager.V1.ServicePerimeter("servicePerimeterResource", new()
    {
        AccessPolicyId = "string",
        Description = "string",
        Name = "string",
        PerimeterType = GoogleNative.AccessContextManager.V1.ServicePerimeterPerimeterType.PerimeterTypeRegular,
        Spec = new GoogleNative.AccessContextManager.V1.Inputs.ServicePerimeterConfigArgs
        {
            AccessLevels = new[]
            {
                "string",
            },
            EgressPolicies = new[]
            {
                new GoogleNative.AccessContextManager.V1.Inputs.EgressPolicyArgs
                {
                    EgressFrom = new GoogleNative.AccessContextManager.V1.Inputs.EgressFromArgs
                    {
                        Identities = new[]
                        {
                            "string",
                        },
                        IdentityType = GoogleNative.AccessContextManager.V1.EgressFromIdentityType.IdentityTypeUnspecified,
                        SourceRestriction = GoogleNative.AccessContextManager.V1.EgressFromSourceRestriction.SourceRestrictionUnspecified,
                        Sources = new[]
                        {
                            new GoogleNative.AccessContextManager.V1.Inputs.EgressSourceArgs
                            {
                                AccessLevel = "string",
                            },
                        },
                    },
                    EgressTo = new GoogleNative.AccessContextManager.V1.Inputs.EgressToArgs
                    {
                        ExternalResources = new[]
                        {
                            "string",
                        },
                        Operations = new[]
                        {
                            new GoogleNative.AccessContextManager.V1.Inputs.ApiOperationArgs
                            {
                                MethodSelectors = new[]
                                {
                                    new GoogleNative.AccessContextManager.V1.Inputs.MethodSelectorArgs
                                    {
                                        Method = "string",
                                        Permission = "string",
                                    },
                                },
                                ServiceName = "string",
                            },
                        },
                        Resources = new[]
                        {
                            "string",
                        },
                    },
                },
            },
            IngressPolicies = new[]
            {
                new GoogleNative.AccessContextManager.V1.Inputs.IngressPolicyArgs
                {
                    IngressFrom = new GoogleNative.AccessContextManager.V1.Inputs.IngressFromArgs
                    {
                        Identities = new[]
                        {
                            "string",
                        },
                        IdentityType = GoogleNative.AccessContextManager.V1.IngressFromIdentityType.IdentityTypeUnspecified,
                        Sources = new[]
                        {
                            new GoogleNative.AccessContextManager.V1.Inputs.IngressSourceArgs
                            {
                                AccessLevel = "string",
                                Resource = "string",
                            },
                        },
                    },
                    IngressTo = new GoogleNative.AccessContextManager.V1.Inputs.IngressToArgs
                    {
                        Operations = new[]
                        {
                            new GoogleNative.AccessContextManager.V1.Inputs.ApiOperationArgs
                            {
                                MethodSelectors = new[]
                                {
                                    new GoogleNative.AccessContextManager.V1.Inputs.MethodSelectorArgs
                                    {
                                        Method = "string",
                                        Permission = "string",
                                    },
                                },
                                ServiceName = "string",
                            },
                        },
                        Resources = new[]
                        {
                            "string",
                        },
                    },
                },
            },
            Resources = new[]
            {
                "string",
            },
            RestrictedServices = new[]
            {
                "string",
            },
            VpcAccessibleServices = new GoogleNative.AccessContextManager.V1.Inputs.VpcAccessibleServicesArgs
            {
                AllowedServices = new[]
                {
                    "string",
                },
                EnableRestriction = false,
            },
        },
        Title = "string",
        UseExplicitDryRunSpec = false,
    });
    
    example, err := accesscontextmanager.NewServicePerimeter(ctx, "servicePerimeterResource", &accesscontextmanager.ServicePerimeterArgs{
    	AccessPolicyId: pulumi.String("string"),
    	Description:    pulumi.String("string"),
    	Name:           pulumi.String("string"),
    	PerimeterType:  accesscontextmanager.ServicePerimeterPerimeterTypePerimeterTypeRegular,
    	Spec: &accesscontextmanager.ServicePerimeterConfigArgs{
    		AccessLevels: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		EgressPolicies: accesscontextmanager.EgressPolicyArray{
    			&accesscontextmanager.EgressPolicyArgs{
    				EgressFrom: &accesscontextmanager.EgressFromArgs{
    					Identities: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					IdentityType:      accesscontextmanager.EgressFromIdentityTypeIdentityTypeUnspecified,
    					SourceRestriction: accesscontextmanager.EgressFromSourceRestrictionSourceRestrictionUnspecified,
    					Sources: accesscontextmanager.EgressSourceArray{
    						&accesscontextmanager.EgressSourceArgs{
    							AccessLevel: pulumi.String("string"),
    						},
    					},
    				},
    				EgressTo: &accesscontextmanager.EgressToArgs{
    					ExternalResources: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					Operations: accesscontextmanager.ApiOperationArray{
    						&accesscontextmanager.ApiOperationArgs{
    							MethodSelectors: accesscontextmanager.MethodSelectorArray{
    								&accesscontextmanager.MethodSelectorArgs{
    									Method:     pulumi.String("string"),
    									Permission: pulumi.String("string"),
    								},
    							},
    							ServiceName: pulumi.String("string"),
    						},
    					},
    					Resources: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    		},
    		IngressPolicies: accesscontextmanager.IngressPolicyArray{
    			&accesscontextmanager.IngressPolicyArgs{
    				IngressFrom: &accesscontextmanager.IngressFromArgs{
    					Identities: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					IdentityType: accesscontextmanager.IngressFromIdentityTypeIdentityTypeUnspecified,
    					Sources: accesscontextmanager.IngressSourceArray{
    						&accesscontextmanager.IngressSourceArgs{
    							AccessLevel: pulumi.String("string"),
    							Resource:    pulumi.String("string"),
    						},
    					},
    				},
    				IngressTo: &accesscontextmanager.IngressToArgs{
    					Operations: accesscontextmanager.ApiOperationArray{
    						&accesscontextmanager.ApiOperationArgs{
    							MethodSelectors: accesscontextmanager.MethodSelectorArray{
    								&accesscontextmanager.MethodSelectorArgs{
    									Method:     pulumi.String("string"),
    									Permission: pulumi.String("string"),
    								},
    							},
    							ServiceName: pulumi.String("string"),
    						},
    					},
    					Resources: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    		},
    		Resources: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		RestrictedServices: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		VpcAccessibleServices: &accesscontextmanager.VpcAccessibleServicesArgs{
    			AllowedServices: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			EnableRestriction: pulumi.Bool(false),
    		},
    	},
    	Title:                 pulumi.String("string"),
    	UseExplicitDryRunSpec: pulumi.Bool(false),
    })
    
    var servicePerimeterResource = new ServicePerimeter("servicePerimeterResource", ServicePerimeterArgs.builder()
        .accessPolicyId("string")
        .description("string")
        .name("string")
        .perimeterType("PERIMETER_TYPE_REGULAR")
        .spec(ServicePerimeterConfigArgs.builder()
            .accessLevels("string")
            .egressPolicies(EgressPolicyArgs.builder()
                .egressFrom(EgressFromArgs.builder()
                    .identities("string")
                    .identityType("IDENTITY_TYPE_UNSPECIFIED")
                    .sourceRestriction("SOURCE_RESTRICTION_UNSPECIFIED")
                    .sources(EgressSourceArgs.builder()
                        .accessLevel("string")
                        .build())
                    .build())
                .egressTo(EgressToArgs.builder()
                    .externalResources("string")
                    .operations(ApiOperationArgs.builder()
                        .methodSelectors(MethodSelectorArgs.builder()
                            .method("string")
                            .permission("string")
                            .build())
                        .serviceName("string")
                        .build())
                    .resources("string")
                    .build())
                .build())
            .ingressPolicies(IngressPolicyArgs.builder()
                .ingressFrom(IngressFromArgs.builder()
                    .identities("string")
                    .identityType("IDENTITY_TYPE_UNSPECIFIED")
                    .sources(IngressSourceArgs.builder()
                        .accessLevel("string")
                        .resource("string")
                        .build())
                    .build())
                .ingressTo(IngressToArgs.builder()
                    .operations(ApiOperationArgs.builder()
                        .methodSelectors(MethodSelectorArgs.builder()
                            .method("string")
                            .permission("string")
                            .build())
                        .serviceName("string")
                        .build())
                    .resources("string")
                    .build())
                .build())
            .resources("string")
            .restrictedServices("string")
            .vpcAccessibleServices(VpcAccessibleServicesArgs.builder()
                .allowedServices("string")
                .enableRestriction(false)
                .build())
            .build())
        .title("string")
        .useExplicitDryRunSpec(false)
        .build());
    
    service_perimeter_resource = google_native.accesscontextmanager.v1.ServicePerimeter("servicePerimeterResource",
        access_policy_id="string",
        description="string",
        name="string",
        perimeter_type=google_native.accesscontextmanager.v1.ServicePerimeterPerimeterType.PERIMETER_TYPE_REGULAR,
        spec={
            "access_levels": ["string"],
            "egress_policies": [{
                "egress_from": {
                    "identities": ["string"],
                    "identity_type": google_native.accesscontextmanager.v1.EgressFromIdentityType.IDENTITY_TYPE_UNSPECIFIED,
                    "source_restriction": google_native.accesscontextmanager.v1.EgressFromSourceRestriction.SOURCE_RESTRICTION_UNSPECIFIED,
                    "sources": [{
                        "access_level": "string",
                    }],
                },
                "egress_to": {
                    "external_resources": ["string"],
                    "operations": [{
                        "method_selectors": [{
                            "method": "string",
                            "permission": "string",
                        }],
                        "service_name": "string",
                    }],
                    "resources": ["string"],
                },
            }],
            "ingress_policies": [{
                "ingress_from": {
                    "identities": ["string"],
                    "identity_type": google_native.accesscontextmanager.v1.IngressFromIdentityType.IDENTITY_TYPE_UNSPECIFIED,
                    "sources": [{
                        "access_level": "string",
                        "resource": "string",
                    }],
                },
                "ingress_to": {
                    "operations": [{
                        "method_selectors": [{
                            "method": "string",
                            "permission": "string",
                        }],
                        "service_name": "string",
                    }],
                    "resources": ["string"],
                },
            }],
            "resources": ["string"],
            "restricted_services": ["string"],
            "vpc_accessible_services": {
                "allowed_services": ["string"],
                "enable_restriction": False,
            },
        },
        title="string",
        use_explicit_dry_run_spec=False)
    
    const servicePerimeterResource = new google_native.accesscontextmanager.v1.ServicePerimeter("servicePerimeterResource", {
        accessPolicyId: "string",
        description: "string",
        name: "string",
        perimeterType: google_native.accesscontextmanager.v1.ServicePerimeterPerimeterType.PerimeterTypeRegular,
        spec: {
            accessLevels: ["string"],
            egressPolicies: [{
                egressFrom: {
                    identities: ["string"],
                    identityType: google_native.accesscontextmanager.v1.EgressFromIdentityType.IdentityTypeUnspecified,
                    sourceRestriction: google_native.accesscontextmanager.v1.EgressFromSourceRestriction.SourceRestrictionUnspecified,
                    sources: [{
                        accessLevel: "string",
                    }],
                },
                egressTo: {
                    externalResources: ["string"],
                    operations: [{
                        methodSelectors: [{
                            method: "string",
                            permission: "string",
                        }],
                        serviceName: "string",
                    }],
                    resources: ["string"],
                },
            }],
            ingressPolicies: [{
                ingressFrom: {
                    identities: ["string"],
                    identityType: google_native.accesscontextmanager.v1.IngressFromIdentityType.IdentityTypeUnspecified,
                    sources: [{
                        accessLevel: "string",
                        resource: "string",
                    }],
                },
                ingressTo: {
                    operations: [{
                        methodSelectors: [{
                            method: "string",
                            permission: "string",
                        }],
                        serviceName: "string",
                    }],
                    resources: ["string"],
                },
            }],
            resources: ["string"],
            restrictedServices: ["string"],
            vpcAccessibleServices: {
                allowedServices: ["string"],
                enableRestriction: false,
            },
        },
        title: "string",
        useExplicitDryRunSpec: false,
    });
    
    type: google-native:accesscontextmanager/v1:ServicePerimeter
    properties:
        accessPolicyId: string
        description: string
        name: string
        perimeterType: PERIMETER_TYPE_REGULAR
        spec:
            accessLevels:
                - string
            egressPolicies:
                - egressFrom:
                    identities:
                        - string
                    identityType: IDENTITY_TYPE_UNSPECIFIED
                    sourceRestriction: SOURCE_RESTRICTION_UNSPECIFIED
                    sources:
                        - accessLevel: string
                  egressTo:
                    externalResources:
                        - string
                    operations:
                        - methodSelectors:
                            - method: string
                              permission: string
                          serviceName: string
                    resources:
                        - string
            ingressPolicies:
                - ingressFrom:
                    identities:
                        - string
                    identityType: IDENTITY_TYPE_UNSPECIFIED
                    sources:
                        - accessLevel: string
                          resource: string
                  ingressTo:
                    operations:
                        - methodSelectors:
                            - method: string
                              permission: string
                          serviceName: string
                    resources:
                        - string
            resources:
                - string
            restrictedServices:
                - string
            vpcAccessibleServices:
                allowedServices:
                    - string
                enableRestriction: false
        title: string
        useExplicitDryRunSpec: false
    

    ServicePerimeter Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The ServicePerimeter resource accepts the following input properties:

    AccessPolicyId string
    Description string
    Description of the ServicePerimeter and its use. Does not affect behavior.
    Name string
    Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}. The service_perimeter component must begin with a letter, followed by alphanumeric characters or _. After you create a ServicePerimeter, you cannot change its name.
    PerimeterType Pulumi.GoogleNative.AccessContextManager.V1.ServicePerimeterPerimeterType
    Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.
    Spec Pulumi.GoogleNative.AccessContextManager.V1.Inputs.ServicePerimeterConfig
    Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.
    Title string
    Human readable title. Must be unique within the Policy.
    UseExplicitDryRunSpec bool
    Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.
    AccessPolicyId string
    Description string
    Description of the ServicePerimeter and its use. Does not affect behavior.
    Name string
    Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}. The service_perimeter component must begin with a letter, followed by alphanumeric characters or _. After you create a ServicePerimeter, you cannot change its name.
    PerimeterType ServicePerimeterPerimeterType
    Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.
    Spec ServicePerimeterConfigArgs
    Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.
    Title string
    Human readable title. Must be unique within the Policy.
    UseExplicitDryRunSpec bool
    Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.
    accessPolicyId String
    description String
    Description of the ServicePerimeter and its use. Does not affect behavior.
    name String
    Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}. The service_perimeter component must begin with a letter, followed by alphanumeric characters or _. After you create a ServicePerimeter, you cannot change its name.
    perimeterType ServicePerimeterPerimeterType
    Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.
    spec ServicePerimeterConfig
    Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.
    title String
    Human readable title. Must be unique within the Policy.
    useExplicitDryRunSpec Boolean
    Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.
    accessPolicyId string
    description string
    Description of the ServicePerimeter and its use. Does not affect behavior.
    name string
    Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}. The service_perimeter component must begin with a letter, followed by alphanumeric characters or _. After you create a ServicePerimeter, you cannot change its name.
    perimeterType ServicePerimeterPerimeterType
    Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.
    spec ServicePerimeterConfig
    Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.
    title string
    Human readable title. Must be unique within the Policy.
    useExplicitDryRunSpec boolean
    Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.
    access_policy_id str
    description str
    Description of the ServicePerimeter and its use. Does not affect behavior.
    name str
    Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}. The service_perimeter component must begin with a letter, followed by alphanumeric characters or _. After you create a ServicePerimeter, you cannot change its name.
    perimeter_type ServicePerimeterPerimeterType
    Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.
    spec ServicePerimeterConfigArgs
    Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.
    title str
    Human readable title. Must be unique within the Policy.
    use_explicit_dry_run_spec bool
    Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.
    accessPolicyId String
    description String
    Description of the ServicePerimeter and its use. Does not affect behavior.
    name String
    Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}. The service_perimeter component must begin with a letter, followed by alphanumeric characters or _. After you create a ServicePerimeter, you cannot change its name.
    perimeterType "PERIMETER_TYPE_REGULAR" | "PERIMETER_TYPE_BRIDGE"
    Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but of multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as the access level lists must be empty.
    spec Property Map
    Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.
    title String
    Human readable title. Must be unique within the Policy.
    useExplicitDryRunSpec Boolean
    Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ServicePerimeter resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Status Pulumi.GoogleNative.AccessContextManager.V1.Outputs.ServicePerimeterConfigResponse
    Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
    Id string
    The provider-assigned unique ID for this managed resource.
    Status ServicePerimeterConfigResponse
    Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
    id String
    The provider-assigned unique ID for this managed resource.
    status ServicePerimeterConfigResponse
    Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
    id string
    The provider-assigned unique ID for this managed resource.
    status ServicePerimeterConfigResponse
    Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
    id str
    The provider-assigned unique ID for this managed resource.
    status ServicePerimeterConfigResponse
    Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
    id String
    The provider-assigned unique ID for this managed resource.
    status Property Map
    Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.

    Supporting Types

    ApiOperation, ApiOperationArgs

    MethodSelectors List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.MethodSelector>
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    ServiceName string
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    MethodSelectors []MethodSelector
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    ServiceName string
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    methodSelectors List<MethodSelector>
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    serviceName String
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    methodSelectors MethodSelector[]
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    serviceName string
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    method_selectors Sequence[MethodSelector]
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    service_name str
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    methodSelectors List<Property Map>
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    serviceName String
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.

    ApiOperationResponse, ApiOperationResponseArgs

    MethodSelectors List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.MethodSelectorResponse>
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    ServiceName string
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    MethodSelectors []MethodSelectorResponse
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    ServiceName string
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    methodSelectors List<MethodSelectorResponse>
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    serviceName String
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    methodSelectors MethodSelectorResponse[]
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    serviceName string
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    method_selectors Sequence[MethodSelectorResponse]
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    service_name str
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.
    methodSelectors List<Property Map>
    API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.
    serviceName String
    The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.

    EgressFrom, EgressFromArgs

    Identities List<string>
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    IdentityType Pulumi.GoogleNative.AccessContextManager.V1.EgressFromIdentityType
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    SourceRestriction Pulumi.GoogleNative.AccessContextManager.V1.EgressFromSourceRestriction
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    Sources List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressSource>
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    Identities []string
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    IdentityType EgressFromIdentityType
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    SourceRestriction EgressFromSourceRestriction
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    Sources []EgressSource
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities List<String>
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identityType EgressFromIdentityType
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sourceRestriction EgressFromSourceRestriction
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources List<EgressSource>
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities string[]
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identityType EgressFromIdentityType
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sourceRestriction EgressFromSourceRestriction
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources EgressSource[]
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities Sequence[str]
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identity_type EgressFromIdentityType
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    source_restriction EgressFromSourceRestriction
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources Sequence[EgressSource]
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities List<String>
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identityType "IDENTITY_TYPE_UNSPECIFIED" | "ANY_IDENTITY" | "ANY_USER_ACCOUNT" | "ANY_SERVICE_ACCOUNT"
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sourceRestriction "SOURCE_RESTRICTION_UNSPECIFIED" | "SOURCE_RESTRICTION_ENABLED" | "SOURCE_RESTRICTION_DISABLED"
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources List<Property Map>
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.

    EgressFromIdentityType, EgressFromIdentityTypeArgs

    IdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    AnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    AnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    AnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    EgressFromIdentityTypeIdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    EgressFromIdentityTypeAnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    EgressFromIdentityTypeAnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    EgressFromIdentityTypeAnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    AnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    AnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    AnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    AnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    AnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    AnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IDENTITY_TYPE_UNSPECIFIED
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    ANY_IDENTITY
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    ANY_USER_ACCOUNT
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    ANY_SERVICE_ACCOUNT
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    "IDENTITY_TYPE_UNSPECIFIED"
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    "ANY_IDENTITY"
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    "ANY_USER_ACCOUNT"
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    "ANY_SERVICE_ACCOUNT"
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.

    EgressFromResponse, EgressFromResponseArgs

    Identities List<string>
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    IdentityType string
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    SourceRestriction string
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    Sources List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressSourceResponse>
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    Identities []string
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    IdentityType string
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    SourceRestriction string
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    Sources []EgressSourceResponse
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities List<String>
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identityType String
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sourceRestriction String
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources List<EgressSourceResponse>
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities string[]
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identityType string
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sourceRestriction string
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources EgressSourceResponse[]
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities Sequence[str]
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identity_type str
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    source_restriction str
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources Sequence[EgressSourceResponse]
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.
    identities List<String>
    A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of an email address. The email address should represent an individual user or service account only.
    identityType String
    Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sourceRestriction String
    Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.
    sources List<Property Map>
    Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.

    EgressFromSourceRestriction, EgressFromSourceRestrictionArgs

    SourceRestrictionUnspecified
    SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom.
    SourceRestrictionEnabled
    SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom.
    SourceRestrictionDisabled
    SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom.
    EgressFromSourceRestrictionSourceRestrictionUnspecified
    SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom.
    EgressFromSourceRestrictionSourceRestrictionEnabled
    SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom.
    EgressFromSourceRestrictionSourceRestrictionDisabled
    SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom.
    SourceRestrictionUnspecified
    SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom.
    SourceRestrictionEnabled
    SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom.
    SourceRestrictionDisabled
    SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom.
    SourceRestrictionUnspecified
    SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom.
    SourceRestrictionEnabled
    SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom.
    SourceRestrictionDisabled
    SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom.
    SOURCE_RESTRICTION_UNSPECIFIED
    SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom.
    SOURCE_RESTRICTION_ENABLED
    SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom.
    SOURCE_RESTRICTION_DISABLED
    SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom.
    "SOURCE_RESTRICTION_UNSPECIFIED"
    SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom.
    "SOURCE_RESTRICTION_ENABLED"
    SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom.
    "SOURCE_RESTRICTION_DISABLED"
    SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom.
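
The property descriptions above state several hard constraints (name format, bridge perimeters, explicit dry-run spec, source restriction) and several wildcard values that widen egress. The following is an added example, not code from Pulumi or Google: a pre-deployment linter that checks a perimeter written as a plain Python dict. The dict shape, the snake_case keys that this section does not list (`operations`, `method`, `restricted_services`, `access_levels`, `egress_policies`), the function names and the sample values are assumptions made for illustration.

```python
import re

# Name rule from the docs: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter},
# where service_perimeter begins with a letter, followed by alphanumeric characters or "_".
NAME_RE = re.compile(r"^accessPolicies/[^/]+/servicePerimeters/[A-Za-z][A-Za-z0-9_]*$")
BLANKET_IDENTITY_TYPES = {"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"}


def lint_egress_policy(policy, where):
    """Return (severity, location, message) findings for one EgressPolicy dict."""
    findings = []
    egress_from = policy.get("egress_from") or {}
    egress_to = policy.get("egress_to") or {}

    # Hard rule: a non-empty sources list requires SOURCE_RESTRICTION_ENABLED.
    sources = egress_from.get("sources") or []
    restriction = egress_from.get("source_restriction") or "SOURCE_RESTRICTION_UNSPECIFIED"
    if sources and restriction != "SOURCE_RESTRICTION_ENABLED":
        findings.append(("ERROR", where, f"sources is set but source_restriction is {restriction}"))
    if any(s.get("access_level") == "*" for s in sources):
        findings.append(("WARN", where, "access_level '*' allows all EgressSources"))

    # Blanket identity groups authorize a whole class of identities at once.
    identity_type = egress_from.get("identity_type") or "IDENTITY_TYPE_UNSPECIFIED"
    if identity_type in BLANKET_IDENTITY_TYPES:
        findings.append(("WARN", where, f"identity_type {identity_type} is a blanket identity group"))

    # Wildcards in ApiOperation / MethodSelector allow every method AND permission.
    for op in egress_to.get("operations") or []:
        service = op.get("service_name")
        if service == "*":
            findings.append(("WARN", where, "service_name '*' allows all methods and permissions for all services"))
        elif any(m.get("method") == "*" for m in op.get("method_selectors") or []):
            findings.append(("WARN", where, f"method '*' allows all methods and permissions for {service}"))
    return findings


def lint_perimeter(perimeter):
    """Check one ServicePerimeter dict against the constraints in the property docs."""
    findings = []
    if not NAME_RE.match(perimeter.get("name") or ""):
        findings.append(("ERROR", "name", "does not match accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}"))

    # spec may only carry non-default values when use_explicit_dry_run_spec is True.
    spec = perimeter.get("spec") or {}
    if any(spec.values()) and not perimeter.get("use_explicit_dry_run_spec"):
        findings.append(("ERROR", "spec", "spec has non-default fields but use_explicit_dry_run_spec is not True"))

    for label in ("status", "spec"):
        config = perimeter.get(label) or {}
        # Bridges must have empty restricted service and access level lists.
        if perimeter.get("perimeter_type") == "PERIMETER_TYPE_BRIDGE":
            for field in ("restricted_services", "access_levels"):
                if config.get(field):
                    findings.append(("ERROR", f"{label}.{field}", "must be empty for a perimeter bridge"))
        for i, policy in enumerate(config.get("egress_policies") or []):
            findings.extend(lint_egress_policy(policy, f"{label}.egress_policies[{i}]"))
    return findings


# Constructed sample input (not taken from any real policy).
SAMPLE = {
    "name": "accessPolicies/123456/servicePerimeters/9prod",  # starts with a digit
    "perimeter_type": "PERIMETER_TYPE_REGULAR",
    "use_explicit_dry_run_spec": False,  # but spec below is populated
    "spec": {
        "egress_policies": [{
            "egress_from": {
                "identity_type": "ANY_IDENTITY",
                "sources": [{"access_level": "*"}],
                "source_restriction": "SOURCE_RESTRICTION_DISABLED",
            },
            "egress_to": {
                "operations": [{
                    "service_name": "storage.googleapis.com",
                    "method_selectors": [{"method": "*"}],
                }],
            },
        }],
    },
}

if __name__ == "__main__":
    for severity, location, message in lint_perimeter(SAMPLE):
        print(f"{severity:5} {location}: {message}")
```

Run it in CI against the same values that are passed to the ServicePerimeter constructor, and fail the build on any ERROR finding.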

    EgressPolicy, EgressPolicyArgs

    EgressFrom Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressFrom
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    EgressTo Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressTo
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    EgressFrom EgressFrom
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    EgressTo EgressTo
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egressFrom EgressFrom
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egressTo EgressTo
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egressFrom EgressFrom
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egressTo EgressTo
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egress_from EgressFrom
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egress_to EgressTo
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egressFrom Property Map
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egressTo Property Map
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.

    EgressPolicyResponse, EgressPolicyResponseArgs

    EgressFrom Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressFromResponse
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    EgressTo Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressToResponse
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    EgressFrom EgressFromResponse
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    EgressTo EgressToResponse
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egressFrom EgressFromResponse
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egressTo EgressToResponse
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egressFrom EgressFromResponse
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egressTo EgressToResponse
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egress_from EgressFromResponse
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egress_to EgressToResponse
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.
    egressFrom Property Map
    Defines conditions on the source of a request causing this EgressPolicy to apply.
    egressTo Property Map
    Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.

    EgressSource, EgressSourceArgs

    AccessLevel string
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    AccessLevel string
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    accessLevel String
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    accessLevel string
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    access_level str
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    accessLevel String
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.

    EgressSourceResponse, EgressSourceResponseArgs

    AccessLevel string
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    AccessLevel string
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    accessLevel String
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    accessLevel string
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    access_level str
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.
    accessLevel String
    An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.

    EgressTo, EgressToArgs

    ExternalResources List<string>
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    Operations List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.ApiOperation>
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    Resources List<string>
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    ExternalResources []string
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    Operations []ApiOperation
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    Resources []string
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    externalResources List<String>
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations List<ApiOperation>
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources List<String>
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    externalResources string[]
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations ApiOperation[]
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources string[]
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    external_resources Sequence[str]
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations Sequence[ApiOperation]
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources Sequence[str]
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    externalResources List<String>
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations List<Property Map>
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources List<String>
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.

    EgressToResponse, EgressToResponseArgs

    ExternalResources List<string>
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    Operations List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.ApiOperationResponse>
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    Resources List<string>
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    ExternalResources []string
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    Operations []ApiOperationResponse
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    Resources []string
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    externalResources List<String>
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations List<ApiOperationResponse>
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources List<String>
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    externalResources string[]
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations ApiOperationResponse[]
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources string[]
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    external_resources Sequence[str]
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations Sequence[ApiOperationResponse]
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources Sequence[str]
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.
    externalResources List<String>
    A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.
    operations List<Property Map>
    A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.
    resources List<String>
    A list of resources, currently only projects in the form projects/, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.

    IngressFrom, IngressFromArgs

    Identities List<string>
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    IdentityType Pulumi.GoogleNative.AccessContextManager.V1.IngressFromIdentityType
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    Sources List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressSource>
    Sources that this IngressPolicy authorizes access from.
    Identities []string
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    IdentityType IngressFromIdentityType
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    Sources []IngressSource
    Sources that this IngressPolicy authorizes access from.
    identities List<String>
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identityType IngressFromIdentityType
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources List<IngressSource>
    Sources that this IngressPolicy authorizes access from.
    identities string[]
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identityType IngressFromIdentityType
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources IngressSource[]
    Sources that this IngressPolicy authorizes access from.
    identities Sequence[str]
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identity_type IngressFromIdentityType
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources Sequence[IngressSource]
    Sources that this IngressPolicy authorizes access from.
    identities List<String>
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identityType "IDENTITY_TYPE_UNSPECIFIED" | "ANY_IDENTITY" | "ANY_USER_ACCOUNT" | "ANY_SERVICE_ACCOUNT"
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources List<Property Map>
    Sources that this IngressPolicy authorizes access from.

    IngressFromIdentityType, IngressFromIdentityTypeArgs

    IdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    AnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    AnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    AnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IngressFromIdentityTypeIdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    IngressFromIdentityTypeAnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    IngressFromIdentityTypeAnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    IngressFromIdentityTypeAnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    AnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    AnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    AnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IdentityTypeUnspecified
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    AnyIdentity
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    AnyUserAccount
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    AnyServiceAccount
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    IDENTITY_TYPE_UNSPECIFIED
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    ANY_IDENTITY
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    ANY_USER_ACCOUNT
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    ANY_SERVICE_ACCOUNT
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.
    "IDENTITY_TYPE_UNSPECIFIED"
    IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified.
    "ANY_IDENTITY"
    ANY_IDENTITY: Authorize access from all identities outside the perimeter.
    "ANY_USER_ACCOUNT"
    ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter.
    "ANY_SERVICE_ACCOUNT"
    ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter.

    IngressFromResponse, IngressFromResponseArgs

    Identities List<string>
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    IdentityType string
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    Sources List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressSourceResponse>
    Sources that this IngressPolicy authorizes access from.
    Identities []string
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    IdentityType string
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    Sources []IngressSourceResponse
    Sources that this IngressPolicy authorizes access from.
    identities List<String>
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identityType String
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources List<IngressSourceResponse>
    Sources that this IngressPolicy authorizes access from.
    identities string[]
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identityType string
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources IngressSourceResponse[]
    Sources that this IngressPolicy authorizes access from.
    identities Sequence[str]
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identity_type str
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources Sequence[IngressSourceResponse]
    Sources that this IngressPolicy authorizes access from.
    identities List<String>
    A list of identities that are allowed access through this ingress policy. Each identity should be in email address format and should represent an individual user or service account only.
    identityType String
    Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of the identities field will be allowed access.
    sources List<Property Map>
    Sources that this IngressPolicy authorizes access from.

    IngressPolicy, IngressPolicyArgs

    IngressFrom Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressFrom
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    IngressTo Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressTo
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    IngressFrom IngressFrom
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    IngressTo IngressTo
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingressFrom IngressFrom
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingressTo IngressTo
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingressFrom IngressFrom
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingressTo IngressTo
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingress_from IngressFrom
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingress_to IngressTo
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingressFrom Property Map
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingressTo Property Map
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.

    IngressPolicyResponse, IngressPolicyResponseArgs

    IngressFrom Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressFromResponse
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    IngressTo Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressToResponse
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    IngressFrom IngressFromResponse
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    IngressTo IngressToResponse
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingressFrom IngressFromResponse
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingressTo IngressToResponse
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingressFrom IngressFromResponse
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingressTo IngressToResponse
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingress_from IngressFromResponse
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingress_to IngressToResponse
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
    ingressFrom Property Map
    Defines the conditions on the source of a request causing this IngressPolicy to apply.
    ingressTo Property Map
    Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.
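
    The wildcard and blanket values documented on this page (`*` for `accessLevel` and `resources`, the `ANY_*` identity types, and the `externalResources` format rules) are the settings that widen a perimeter most, so they are worth checking before a deployment. The following is an added example, not part of the Pulumi documentation or the provider's code: a small Python audit over a perimeter spec given as a plain dict. It assumes the API's camelCase field names (`ingressPolicies`, `egressPolicies`, `ingressFrom`, `egressFrom`, `egressTo`); the function names and the sample spec are constructed for illustration.

```python
"""Audit a service perimeter spec for wildcard and blanket rules (added example)."""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, JSON path, message)

# Identity types that authorize a whole class of identities outside the perimeter.
BLANKET_IDENTITY_TYPES = {"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"}
# Only Amazon S3 and Azure Storage external resources are supported.
EXTERNAL_PREFIXES = ("s3://", "azure://")


def _audit_from(path: str, rule_from: Dict[str, Any], ingress: bool) -> List[Finding]:
    """Checks shared by ingressFrom and egressFrom: identityType and sources."""
    findings: List[Finding] = []
    identity_type = rule_from.get("identityType") or "IDENTITY_TYPE_UNSPECIFIED"
    if identity_type in BLANKET_IDENTITY_TYPES:
        findings.append(("WARN", f"{path}.identityType",
                         f"{identity_type} authorizes a whole class of identities; "
                         "list individual identities instead"))
    for i, source in enumerate(rule_from.get("sources") or []):
        if source.get("accessLevel") == "*":
            findings.append(("WARN", f"{path}.sources[{i}].accessLevel",
                             "'*' allows all sources; name a specific AccessLevel"))
        # IngressSource.resource must be a project or VPC network; '*' is rejected.
        if ingress and source.get("resource") == "*":
            findings.append(("ERROR", f"{path}.sources[{i}].resource",
                             "'*' is not allowed for an ingress source resource"))
    return findings


def _audit_egress_to(path: str, egress_to: Dict[str, Any]) -> List[Finding]:
    """Checks on egressTo: wildcard resources and externalResources format."""
    findings: List[Finding] = []
    if "*" in (egress_to.get("resources") or []):
        findings.append(("WARN", f"{path}.resources",
                         "'*' authorizes access to all resources outside the perimeter"))
    for i, ext in enumerate(egress_to.get("externalResources") or []):
        if ext == "*":
            findings.append(("ERROR", f"{path}.externalResources[{i}]",
                             "'*' is not allowed for external resources"))
        elif not ext.startswith(EXTERNAL_PREFIXES):
            findings.append(("ERROR", f"{path}.externalResources[{i}]",
                             "only s3:// and azure:// external resources are supported"))
    return findings


def audit_perimeter_spec(spec: Dict[str, Any]) -> List[Finding]:
    """Return findings for every ingress and egress policy in the spec."""
    findings: List[Finding] = []
    for i, policy in enumerate(spec.get("ingressPolicies") or []):
        findings += _audit_from(f"ingressPolicies[{i}].ingressFrom",
                                policy.get("ingressFrom") or {}, ingress=True)
    for i, policy in enumerate(spec.get("egressPolicies") or []):
        base = f"egressPolicies[{i}]"
        findings += _audit_from(f"{base}.egressFrom",
                                policy.get("egressFrom") or {}, ingress=False)
        findings += _audit_egress_to(f"{base}.egressTo", policy.get("egressTo") or {})
    return findings


# Constructed sample spec: one permissive and one scoped ingress policy,
# plus one permissive egress policy with malformed external resources.
SAMPLE_SPEC: Dict[str, Any] = {
    "ingressPolicies": [
        {"ingressFrom": {"identityType": "ANY_IDENTITY",
                         "sources": [{"accessLevel": "*"}]}},
        {"ingressFrom": {
            "identities": ["deploy-bot@example.com"],
            "sources": [
                {"resource": "projects/123456789012"},
                {"accessLevel": "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"},
            ]}},
    ],
    "egressPolicies": [
        {"egressFrom": {"identityType": "ANY_SERVICE_ACCOUNT"},
         "egressTo": {"resources": ["*"],
                      "externalResources": ["s3://example-bucket",
                                            "gs://example-bucket", "*"]}},
    ],
}

if __name__ == "__main__":
    for severity, path, message in audit_perimeter_spec(SAMPLE_SPEC):
        print(f"{severity:5} {path}: {message}")
```

    WARN findings are values the API accepts but that remove a restriction; ERROR findings are values the descriptions on this page say are not allowed or not supported.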

    IngressSource, IngressSourceArgs

    AccessLevel string
    An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    Resource string
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number} VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported.
    AccessLevel string
    An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    Resource string
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number} VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported.
    accessLevel String
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource String
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    accessLevel string
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource string
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    access_level str
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource str
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    accessLevel String
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource String
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.

    IngressSourceResponse, IngressSourceResponseArgs

    AccessLevel string
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    Resource string
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    AccessLevel string
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    Resource string
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    accessLevel String
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource String
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    accessLevel string
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource string
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    access_level str
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource str
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.
    accessLevel String
    An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.
    resource String
    A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.

    IngressTo, IngressToArgs

    Operations List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.ApiOperation>
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    Resources List<string>
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    Operations []ApiOperation
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    Resources []string
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations List<ApiOperation>
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources List<String>
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations ApiOperation[]
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources string[]
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations Sequence[ApiOperation]
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources Sequence[str]
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations List<Property Map>
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources List<String>
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.

    IngressToResponse, IngressToResponseArgs

    Operations List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.ApiOperationResponse>
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    Resources List<string>
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    Operations []ApiOperationResponse
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    Resources []string
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations List<ApiOperationResponse>
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources List<String>
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations ApiOperationResponse[]
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources string[]
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations Sequence[ApiOperationResponse]
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources Sequence[str]
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.
    operations List<Property Map>
    A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.
    resources List<String>
    A list of resources, currently only projects in the form projects/, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.

    MethodSelector, MethodSelectorArgs

    Method string
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    Permission string
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    Method string
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    Permission string
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method String
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission String
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method string
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission string
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method str
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission str
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method String
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission String
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.

    MethodSelectorResponse, MethodSelectorResponseArgs

    Method string
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    Permission string
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    Method string
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    Permission string
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method String
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission String
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method string
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission string
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method str
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission str
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.
    method String
    Value for method should be a valid method name for the corresponding service_name in ApiOperation. If * is used as the value for method, then ALL methods and permissions are allowed.
    permission String
    Value for permission should be a valid Cloud IAM permission for the corresponding service_name in ApiOperation.

    ServicePerimeterConfig, ServicePerimeterConfigArgs

    AccessLevels List<string>
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    EgressPolicies List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressPolicy>
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    IngressPolicies List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressPolicy>
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.
    Resources List<string>
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    RestrictedServices List<string>
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    VpcAccessibleServices Pulumi.GoogleNative.AccessContextManager.V1.Inputs.VpcAccessibleServices
    Configuration for APIs allowed within Perimeter.
    AccessLevels []string
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    EgressPolicies []EgressPolicy
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    IngressPolicies []IngressPolicy
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.
    Resources []string
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    RestrictedServices []string
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    VpcAccessibleServices VpcAccessibleServices
    Configuration for APIs allowed within Perimeter.
    accessLevels List<String>
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egressPolicies List<EgressPolicy>
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingressPolicies List<IngressPolicy>
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.
    resources List<String>
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restrictedServices List<String>
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpcAccessibleServices VpcAccessibleServices
    Configuration for APIs allowed within Perimeter.
    accessLevels string[]
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egressPolicies EgressPolicy[]
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingressPolicies IngressPolicy[]
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.
    resources string[]
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restrictedServices string[]
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpcAccessibleServices VpcAccessibleServices
    Configuration for APIs allowed within Perimeter.
    access_levels Sequence[str]
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egress_policies Sequence[EgressPolicy]
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingress_policies Sequence[IngressPolicy]
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.
    resources Sequence[str]
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restricted_services Sequence[str]
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpc_accessible_services VpcAccessibleServices
    Configuration for APIs allowed within Perimeter.
    accessLevels List<String>
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egressPolicies List<Property Map>
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingressPolicies List<Property Map>
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.
    resources List<String>
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restrictedServices List<String>
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpcAccessibleServices Property Map
    Configuration for APIs allowed within Perimeter.
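
The wildcard, format and bridge rules stated in the IngressSource, IngressTo, MethodSelector and ServicePerimeterConfig descriptions above can be checked before a perimeter is deployed. The following is an added example, not code from this page or from the Pulumi SDK: a stand-alone Python audit over a plain dict shaped like ServicePerimeterConfig. The keys ingress_from, ingress_to, sources and method_selectors, the function names, the severity labels and all sample values are assumptions made for the illustration.

```python
import re

# Resource-name formats quoted in the property descriptions above.
PROJECT_RE = re.compile(r"^projects/\d+$")
VPC_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/[^/]+/global/networks/[^/]+$")
ACCESS_LEVEL_RE = re.compile(r"^accessPolicies/([^/]+)/accessLevels/[^/]+$")


def _valid_resource(value):
    """True for a project or VPC network name in a documented format."""
    return bool(PROJECT_RE.match(value) or VPC_RE.match(value))


def _check_access_level(name, policy_id, path, out):
    """AccessLevels must be well formed and live in the perimeter's policy."""
    match = ACCESS_LEVEL_RE.match(name)
    if not match:
        out.append(("error", path, f"malformed AccessLevel name: {name!r}"))
    elif match.group(1) != policy_id:
        out.append(("error", path,
                    f"AccessLevel is in policy {match.group(1)!r}, "
                    f"perimeter is in {policy_id!r}"))


def audit_perimeter_config(config, policy_id, is_bridge=False):
    """Return (severity, path, message) findings for one perimeter config."""
    out = []
    for i, res in enumerate(config.get("resources") or []):
        if not _valid_resource(res):
            out.append(("error", f"resources[{i}]",
                        f"not a project or VPC network name: {res!r}"))
    for i, name in enumerate(config.get("access_levels") or []):
        _check_access_level(name, policy_id, f"access_levels[{i}]", out)
    if is_bridge:
        # A perimeter bridge may not carry access levels or policies.
        for field in ("access_levels", "egress_policies", "ingress_policies"):
            if config.get(field):
                out.append(("error", field,
                            "must be empty for a perimeter bridge"))
    for p, policy in enumerate(config.get("ingress_policies") or []):
        base = f"ingress_policies[{p}]"
        sources = (policy.get("ingress_from") or {}).get("sources") or []
        for s, src in enumerate(sources):
            path = f"{base}.ingress_from.sources[{s}]"
            level, res = src.get("access_level"), src.get("resource")
            if level == "*":
                out.append(("warn", path + ".access_level",
                            "'*' allows all IngressSources"))
            elif level:
                _check_access_level(level, policy_id,
                                    path + ".access_level", out)
            if res == "*":
                out.append(("error", path + ".resource",
                            "'*' is not allowed for an ingress resource"))
            elif res and not _valid_resource(res):
                out.append(("error", path + ".resource",
                            f"not a project or VPC network name: {res!r}"))
        to = policy.get("ingress_to") or {}
        if (to.get("resources") or []) == ["*"]:
            out.append(("warn", f"{base}.ingress_to.resources",
                        "'*' opens every resource inside the perimeter"))
        for o, op in enumerate(to.get("operations") or []):
            for m, sel in enumerate(op.get("method_selectors") or []):
                if sel.get("method") == "*":
                    out.append((
                        "warn",
                        f"{base}.ingress_to.operations[{o}]"
                        f".method_selectors[{m}]",
                        "'*' allows ALL methods and permissions of "
                        f"{op.get('service_name')!r}"))
    return out


# Constructed sample input: policy ids, project numbers and names are made up.
SAMPLE_CONFIG = {
    "resources": ["projects/111111111111", "projects/my-project-id"],
    "restricted_services": ["storage.googleapis.com"],
    "access_levels": ["accessPolicies/OTHER_POLICY/accessLevels/corp_net"],
    "ingress_policies": [{
        "ingress_from": {"sources": [
            {"access_level": "*"},
            {"resource": "*"},
            {"resource": "//compute.googleapis.com/projects/partner-proj"
                         "/global/networks/shared"},
        ]},
        "ingress_to": {
            "resources": ["*"],
            "operations": [{
                "service_name": "storage.googleapis.com",
                "method_selectors": [{"method": "*"}],
            }],
        },
    }],
}

if __name__ == "__main__":
    for severity, path, message in audit_perimeter_config(
            SAMPLE_CONFIG, "MY_POLICY"):
        print(f"{severity:5} {path}: {message}")
```

Wildcards that the descriptions permit are reported as warnings so a reviewer can confirm they are intended; values the descriptions reject are reported as errors.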

    ServicePerimeterConfigResponse, ServicePerimeterConfigResponseArgs

    AccessLevels List<string>
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    EgressPolicies List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.EgressPolicyResponse>
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    IngressPolicies List<Pulumi.GoogleNative.AccessContextManager.V1.Inputs.IngressPolicyResponse>
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any IngressPolicy grants it. Must be empty for a perimeter bridge.
    Resources List<string>
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    RestrictedServices List<string>
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    VpcAccessibleServices Pulumi.GoogleNative.AccessContextManager.V1.Inputs.VpcAccessibleServicesResponse
    Configuration for APIs allowed within Perimeter.
    AccessLevels []string
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    EgressPolicies []EgressPolicyResponse
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    IngressPolicies []IngressPolicyResponse
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any IngressPolicy grants it. Must be empty for a perimeter bridge.
    Resources []string
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    RestrictedServices []string
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    VpcAccessibleServices VpcAccessibleServicesResponse
    Configuration for APIs allowed within Perimeter.
    accessLevels List<String>
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egressPolicies List<EgressPolicyResponse>
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingressPolicies List<IngressPolicyResponse>
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any IngressPolicy grants it. Must be empty for a perimeter bridge.
    resources List<String>
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restrictedServices List<String>
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpcAccessibleServices VpcAccessibleServicesResponse
    Configuration for APIs allowed within Perimeter.
    accessLevels string[]
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egressPolicies EgressPolicyResponse[]
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingressPolicies IngressPolicyResponse[]
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any IngressPolicy grants it. Must be empty for a perimeter bridge.
    resources string[]
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restrictedServices string[]
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpcAccessibleServices VpcAccessibleServicesResponse
    Configuration for APIs allowed within Perimeter.
    access_levels Sequence[str]
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egress_policies Sequence[EgressPolicyResponse]
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingress_policies Sequence[IngressPolicyResponse]
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any IngressPolicy grants it. Must be empty for a perimeter bridge.
    resources Sequence[str]
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restricted_services Sequence[str]
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpc_accessible_services VpcAccessibleServicesResponse
    Configuration for APIs allowed within Perimeter.
    accessLevels List<String>
    A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
    egressPolicies List<Property Map>
    List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.
    ingressPolicies List<Property Map>
    List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any IngressPolicy grants it. Must be empty for a perimeter bridge.
    resources List<String>
    A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number}. VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.
    restrictedServices List<String>
    Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
    vpcAccessibleServices Property Map
    Configuration for APIs allowed within Perimeter.

    ServicePerimeterPerimeterType, ServicePerimeterPerimeterTypeArgs

    PerimeterTypeRegular
    PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type.
    PerimeterTypeBridge
    PERIMETER_TYPE_BRIDGE: Perimeter Bridge.
    ServicePerimeterPerimeterTypePerimeterTypeRegular
    PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type.
    ServicePerimeterPerimeterTypePerimeterTypeBridge
    PERIMETER_TYPE_BRIDGE: Perimeter Bridge.
    PerimeterTypeRegular
    PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type.
    PerimeterTypeBridge
    PERIMETER_TYPE_BRIDGE: Perimeter Bridge.
    PerimeterTypeRegular
    PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type.
    PerimeterTypeBridge
    PERIMETER_TYPE_BRIDGE: Perimeter Bridge.
    PERIMETER_TYPE_REGULAR
    PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type.
    PERIMETER_TYPE_BRIDGE
    PERIMETER_TYPE_BRIDGE: Perimeter Bridge.
    "PERIMETER_TYPE_REGULAR"
    PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type.
    "PERIMETER_TYPE_BRIDGE"
    PERIMETER_TYPE_BRIDGE: Perimeter Bridge.

    VpcAccessibleServices, VpcAccessibleServicesArgs

    AllowedServices List<string>
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    EnableRestriction bool
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    AllowedServices []string
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    EnableRestriction bool
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowedServices List<String>
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enableRestriction Boolean
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowedServices string[]
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enableRestriction boolean
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowed_services Sequence[str]
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enable_restriction bool
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowedServices List<String>
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enableRestriction Boolean
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.

    VpcAccessibleServicesResponse, VpcAccessibleServicesResponseArgs

    AllowedServices List<string>
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    EnableRestriction bool
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    AllowedServices []string
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    EnableRestriction bool
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowedServices List<String>
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enableRestriction Boolean
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowedServices string[]
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enableRestriction boolean
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowed_services Sequence[str]
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enable_restriction bool
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
    allowedServices List<String>
    The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
    enableRestriction Boolean
    Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.
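The constraints stated in the property descriptions above (bridge perimeters with empty accessLevels and policies, AccessLevels in the same policy, the two resource name formats, and allowedServices requiring enable_restriction) can be checked before deployment. The following is an added example, not part of the Pulumi provider: `lint_perimeter` and `effective_vpc_services` are hypothetical helpers, the config is a plain dict using the camelCase keys of the TypeScript/YAML variants, `project_number` is assumed to be digits only, and the sample values are constructed.

```python
import re

# Formats documented for `resources`; project_number is assumed to be digits only.
PROJECT_RE = re.compile(r"projects/\d+")
VPC_RE = re.compile(r"//compute\.googleapis\.com/projects/[^/]+/global/networks/[^/]+")
LEVEL_RE = re.compile(r"accessPolicies/([^/]+)/accessLevels/[^/]+")


def lint_perimeter(policy_id, perimeter_type, config):
    """Return findings for a perimeter config (dict) against the documented rules."""
    findings = []
    for res in config.get("resources", []):
        if not (PROJECT_RE.fullmatch(res) or VPC_RE.fullmatch(res)):
            findings.append(f"resources: {res!r} matches neither documented format")
    if perimeter_type == "PERIMETER_TYPE_BRIDGE":
        # Bridges carry no access levels and no ingress/egress policies.
        for field in ("accessLevels", "egressPolicies", "ingressPolicies"):
            if config.get(field):
                findings.append(f"{field}: must be empty for a perimeter bridge")
    else:
        for level in config.get("accessLevels", []):
            m = LEVEL_RE.fullmatch(level)
            if m is None:
                findings.append(f"accessLevels: {level!r} is not an AccessLevel resource name")
            elif m.group(1) != policy_id:
                findings.append(f"accessLevels: {level!r} is not in policy {policy_id}")
    vpc = config.get("vpcAccessibleServices") or {}
    if vpc.get("allowedServices") and not vpc.get("enableRestriction"):
        findings.append("vpcAccessibleServices: allowedServices set but enableRestriction is not true")
    return findings


def effective_vpc_services(config):
    """Expand 'RESTRICTED-SERVICES'; None means API calls inside are not restricted."""
    vpc = config.get("vpcAccessibleServices") or {}
    if not vpc.get("enableRestriction"):
        return None
    allowed = set(vpc.get("allowedServices", []))
    if "RESTRICTED-SERVICES" in allowed:
        allowed.discard("RESTRICTED-SERVICES")
        allowed.update(config.get("restrictedServices", []))
    return allowed


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_REGULAR = {
    "resources": ["projects/123456789012", "projects/my-project-id",
                  "//compute.googleapis.com/projects/my-project-id/global/networks/prod-vpc"],
    "accessLevels": ["accessPolicies/111/accessLevels/corp_net",
                     "accessPolicies/222/accessLevels/other"],
    "restrictedServices": ["storage.googleapis.com", "bigquery.googleapis.com"],
    "vpcAccessibleServices": {"enableRestriction": True,
                              "allowedServices": ["RESTRICTED-SERVICES", "logging.googleapis.com"]},
}
SAMPLE_BRIDGE = {
    "resources": ["projects/123456789012", "projects/210987654321"],
    "accessLevels": ["accessPolicies/111/accessLevels/corp_net"],
    "ingressPolicies": [{}],
    "vpcAccessibleServices": {"enableRestriction": False,
                              "allowedServices": ["storage.googleapis.com"]},
}
```

On the regular sample the linter flags the project ID used where a project number is expected and the AccessLevel from another policy; on the bridge sample it flags the non-empty accessLevels and ingressPolicies and the allowedServices list without enableRestriction.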

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0