# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
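apiVersion: accesscontextmanager.cnrm.cloud.google.com/v1beta1
kind: AccessContextManagerServicePerimeter
metadata:
  name: serviceperimetersample
spec:
  # DRY-RUN configuration.
  # `spec.spec` is only honoured when `useExplicitDryRunSpec` is `true` (set
  # further down). In dry-run mode VPC Service Controls records the requests
  # that WOULD be denied instead of blocking them, so this section is for
  # testing a policy, not for protecting anything. The ENFORCED configuration
  # lives in `spec.status` below.
  # Replace "${ACCESS_POLICY_NUMBER}" with the numeric ID of your Access Policy.
  # Replace "${PROJECT_NUMBERx}" with the `project number` (not the project ID)
  # of each project to be protected by the perimeter.
  spec:
    # Access Levels applied to this perimeter. The same Access Level is
    # referenced again by `accessLevelRef` in the ingress policy below.
    accessLevels:
      - name: serviceperimeterdep2
    # Projects that are inside this perimeter.
    resources:
      - projectRef:
          external: "projects/${PROJECT_NUMBER1}"
      - projectRef:
          external: "projects/${PROJECT_NUMBER2}"
    # Services whose APIs are restricted at the perimeter boundary.
    restrictedServices:
      - "storage.googleapis.com"
    # Services that may be reached from inside the perimeter; the allow-list
    # is only applied while `enableRestriction` is `true`.
    vpcAccessibleServices:
      allowedServices:
        - "storage.googleapis.com"
        - "pubsub.googleapis.com"
      enableRestriction: true
    # NOTE(review): this declares TWO egress policies — the first has only
    # `egressFrom`, the second only `egressTo` — whereas the ingress policy
    # below pairs `ingressFrom` and `ingressTo` in a single item. If the
    # intent is "this identity may reach PROJECT_NUMBER1", both halves belong
    # in one policy; confirm how a half-specified policy is matched before
    # copying this into the enforced `status` section.
    egressPolicies:
      - egressFrom:
          identities:
            - name: serviceperimeterengressdep
      - egressTo:
          resources:
            - projectRef:
                external: "projects/${PROJECT_NUMBER1}"
    # One ingress policy: the named identity, arriving via the Access Level,
    # may reach PROJECT_NUMBER2.
    ingressPolicies:
      - ingressFrom:
          identities:
            - name: serviceperimeteringressdep
          sources:
            - accessLevelRef:
                name: serviceperimeterdep2
        ingressTo:
          resources:
            - projectRef:
                external: "projects/${PROJECT_NUMBER2}"
  # ENFORCED configuration.
  # `spec.status` uses the same schema as `spec.spec` above, but the values
  # here are deliberately different so that both modes are visible in one
  # sample: other projects, other services, and NO ingress/egress policies.
  # This is the section that actually blocks traffic; nothing tested in the
  # dry-run section carries over unless it is repeated here, so any ingress or
  # egress exception you rely on must be added to `status` when promoting.
  # Replace "${ACCESS_POLICY_NUMBER}" and "${PROJECT_NUMBERx}" as above.
  status:
    accessLevels:
      - name: serviceperimeterdep2
    resources:
      - projectRef:
          external: "projects/${PROJECT_NUMBER3}"
      - projectRef:
          external: "projects/${PROJECT_NUMBER4}"
    restrictedServices:
      - "bigquery.googleapis.com"
    vpcAccessibleServices:
      allowedServices:
        - "bigquery.googleapis.com"
        - "logging.googleapis.com"
      enableRestriction: true
  title: Service Perimeter created by Config Connector
  # Required for the dry-run `spec.spec` section to take effect.
  useExplicitDryRunSpec: true
  accessPolicyRef:
    # Reuse an already existing Access Policy: there is currently a limit of
    # one Access Policy per organisation.
    # Pick ONE of the two options below:
    # 1. A dependent Access Policy object created via Config Connector:
    # name: accesscontextmanagerserviceperimeterdep
    # 2. The numeric ID of an existing Access Policy:
    external: accessPolicies/${ACCESS_POLICY_NUMBER}
  description: A Service Perimeter Created by Config Connector
  perimeterType: PERIMETER_TYPE_REGULAR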