# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

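# ServiceMapping for the Access Context Manager service. Each entry under
# spec.resources maps one Terraform resource (google_access_context_manager_*)
# to a Config Connector kind and declares how that resource's reference fields
# resolve to other Config Connector resources (gvk, targetField, valueTemplate).
apiVersion: core.cnrm.cloud.google.com/v1alpha1
kind: ServiceMapping
metadata:
  name: accesscontextmanager.cnrm.cloud.google.com
  namespace: cnrm-system
spec:
  name: AccessContextManager
  version: v1beta1
  serviceHostName: "accesscontextmanager.googleapis.com"
  resources:
    # AccessLevel: nested under an AccessPolicy (the `parent` reference); both
    # the metadata name and the resource ID are composed from the parent.
    - name: google_access_context_manager_access_level
      kind: AccessContextManagerAccessLevel
      idTemplate: "{{name}}"
      # importer doesn't parse out the various fields (organization etc)
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: false
      metadataMapping:
        name: name
        nameValueTemplate: "{{parent}}/accessLevels/{{value}}"
      resourceID:
        targetField: name
        valueTemplate: "{{parent}}/accessLevels/{{value}}"
      resourceReferences:
        - tfField: parent
          description: |-
            The AccessContextManagerAccessPolicy this
            AccessContextManagerAccessLevel lives in.
          key: accessPolicyRef
          gvk:
            kind: AccessContextManagerAccessPolicy
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          targetField: name
          valueTemplate: "accessPolicies/{{value}}"
        - tfField: basic.conditions.required_access_levels
          description: |-
            A list of other access levels defined in the same policy.
            Referencing an AccessContextManagerAccessLevel which does not exist
            is an error. All access levels listed must be granted for the
            condition to be true.
          gvk:
            kind: AccessContextManagerAccessLevel
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          targetField: name
        - tfField: basic.conditions.members
          description: |-
            An allowed list of members (users, service accounts).
            Using groups is not supported.

            The signed-in user originating the request must be a part of one
            of the provided members. If not specified, a request may come
            from any user (logged in/not logged in, not present in any
            groups, etc.).
          # Only the two member forms named in the description are mapped: a
          # service-account reference and a plain user string.
          types:
            - key: serviceAccountRef
              gvk:
                kind: IAMServiceAccount
                version: v1beta1
                group: iam.cnrm.cloud.google.com
              targetField: email
              valueTemplate: "serviceAccount:{{value}}"
            - key: user
              jsonSchemaType: string
              valueTemplate: "user:{{value}}"
    # AccessPolicy: `name` is declared server-generated, so no idTemplate is
    # given; the policy is scoped to an organization container.
    - name: google_access_context_manager_access_policy
      kind: AccessContextManagerAccessPolicy
      # importer doesn't parse out the various fields (organization etc)
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: false
      serverGeneratedIDField: name
      resourceID:
        targetField: name
      containers:
        - type: organization
          tfField: org_id
      ignoredFields:
        # TODO(b/229420363): Add 'scopesRefs' after multi-kind reference with 'kind' field is supported in KCC-TF bridge.
        - scopes
      iamConfig:
        policyName: google_access_context_manager_access_policy_iam_policy
        policyMemberName: google_access_context_manager_access_policy_iam_member
        referenceField:
          name: name
          type: name
        supportsConditions: false
    # ServicePerimeter: nested under an AccessPolicy like AccessLevel. Its
    # reference fields are listed twice, once under spec.* and once under
    # status.*; the two lists are meant to be identical — edit both together.
    - name: google_access_context_manager_service_perimeter
      kind: AccessContextManagerServicePerimeter
      idTemplate: "{{name}}"
      # importer doesn't parse out the various fields (organization etc)
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: false
      metadataMapping:
        name: name
        nameValueTemplate: "{{parent}}/servicePerimeters/{{value}}"
      resourceID:
        targetField: name
        valueTemplate: "{{parent}}/servicePerimeters/{{value}}"
      resourceReferences:
        - tfField: parent
          description: |-
            The AccessContextManagerAccessPolicy this
            AccessContextManagerServicePerimeter lives in.
          key: accessPolicyRef
          gvk:
            kind: AccessContextManagerAccessPolicy
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          targetField: name
          valueTemplate: "accessPolicies/{{value}}"
        # --- spec.* references ---
        - tfField: spec.access_levels
          description: |-
            (Optional) A list of AccessLevel resource names that allow resources within
            the ServicePerimeter to be accessed from the internet. AccessLevels listed
            must be in the same policy as this ServicePerimeter.
            Referencing a nonexistent AccessLevel is a syntax error. If no
            AccessLevel names are listed, resources within the perimeter can
            only be accessed via GCP calls with request origins within the
            perimeter. For Service Perimeter Bridge, must be empty.
          gvk:
            kind: AccessContextManagerAccessLevel
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          # TODO(b/171825578): Remove this value template once `name` field starts get value in correct format
          valueTemplate: "{{parent}}/accessLevels/{{value}}"
        - tfField: spec.egress_policies.egress_from.identities
          description: |-
            (Optional) A list of identities that are allowed access through this
            EgressPolicy. Should be in the format of email address. The email
            address should represent individual user or service account only.
          types:
            - key: serviceAccountRef
              gvk:
                kind: IAMServiceAccount
                version: v1beta1
                group: iam.cnrm.cloud.google.com
              targetField: email
              valueTemplate: "serviceAccount:{{value}}"
            - key: user
              jsonSchemaType: string
              valueTemplate: "user:{{value}}"
        - tfField: spec.egress_policies.egress_to.resources
          description: |-
            (Optional) A list of resources, currently only projects in the form
            "projects/{project_number}". A request
            matches if it contains a resource in this list.
          types:
            - key: projectRef
              gvk:
                kind: Project
                version: v1beta1
                group: resourcemanager.cnrm.cloud.google.com
              targetField: "number"
              valueTemplate: "projects/{{value}}"
        - tfField: spec.ingress_policies.ingress_from.identities
          description: |-
            (Optional) A list of identities that are allowed access through this
            ingress policy. Should be in the format of email address. The email
            address should represent individual user or service account only.
          types:
            - key: serviceAccountRef
              gvk:
                kind: IAMServiceAccount
                version: v1beta1
                group: iam.cnrm.cloud.google.com
              targetField: email
              valueTemplate: "serviceAccount:{{value}}"
            - key: user
              jsonSchemaType: string
              valueTemplate: "user:{{value}}"
        - tfField: spec.ingress_policies.ingress_from.sources.access_level
          description: |-
            An AccessLevel resource name that allow resources within the
            ServicePerimeters to be accessed from the internet. AccessLevels
            listed must be in the same policy as this ServicePerimeter.
            Referencing a nonexistent AccessLevel will cause an error. If no
            AccessLevel names are listed, resources within the perimeter can
            only be accessed via Google Cloud calls with request origins within
            the perimeter.
          key: accessLevelRef
          gvk:
            kind: AccessContextManagerAccessLevel
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          # TODO(b/171825578): Remove this value template once `name` field starts get value in correct format.
          valueTemplate: "{{parent}}/accessLevels/{{value}}"
        - tfField: spec.ingress_policies.ingress_from.sources.resource
          description: |-
            (Optional) A Google Cloud resource that is allowed to ingress the
            perimeter. Requests from these resources will be allowed to access
            perimeter data. Currently only projects are allowed. Format
            "projects/{project_number}" The project may be in any Google Cloud
            organization, not just the organization that the perimeter is defined in.
          key: projectRef
          gvk:
            kind: Project
            version: v1beta1
            group: resourcemanager.cnrm.cloud.google.com
          targetField: "number"
          valueTemplate: "projects/{{value}}"
        - tfField: spec.ingress_policies.ingress_to.resources
          description: |-
            A list of resources, currently only projects in the form
            "projects/{project_number}", protected by this ServicePerimeter
            that are allowed to be accessed by sources defined in the
            corresponding IngressFrom. A request matches if it contains a
            resource in this list.
          types:
            - key: projectRef
              gvk:
                kind: Project
                version: v1beta1
                group: resourcemanager.cnrm.cloud.google.com
              targetField: "number"
              valueTemplate: "projects/{{value}}"
        - tfField: spec.resources
          description: |-
            (Optional) A list of GCP resources that are inside of the service perimeter.
            Currently only projects are allowed.
          types:
            - key: projectRef
              gvk:
                kind: Project
                version: v1beta1
                group: resourcemanager.cnrm.cloud.google.com
              targetField: "number"
              valueTemplate: "projects/{{value}}"
        # --- status.* references: one-to-one mirror of the spec.* entries above ---
        - tfField: status.access_levels
          description: |-
            (Optional) A list of AccessLevel resource names that allow resources within
            the ServicePerimeter to be accessed from the internet. AccessLevels listed
            must be in the same policy as this ServicePerimeter.
            Referencing a nonexistent AccessLevel is a syntax error. If no
            AccessLevel names are listed, resources within the perimeter can
            only be accessed via GCP calls with request origins within the
            perimeter. For Service Perimeter Bridge, must be empty.
          gvk:
            kind: AccessContextManagerAccessLevel
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          # TODO(b/171825578): Remove this value template once `name` field starts get value in correct format
          valueTemplate: "{{parent}}/accessLevels/{{value}}"
        - tfField: status.egress_policies.egress_from.identities
          description: |-
            (Optional) A list of identities that are allowed access through this
            EgressPolicy. Should be in the format of email address. The email
            address should represent individual user or service account only.
          types:
            - key: serviceAccountRef
              gvk:
                kind: IAMServiceAccount
                version: v1beta1
                group: iam.cnrm.cloud.google.com
              targetField: email
              valueTemplate: "serviceAccount:{{value}}"
            - key: user
              jsonSchemaType: string
              valueTemplate: "user:{{value}}"
        - tfField: status.egress_policies.egress_to.resources
          description: |-
            (Optional) A list of resources, currently only projects in the form
            "projects/{project_number}". A request
            matches if it contains a resource in this list.
          types:
            - key: projectRef
              gvk:
                kind: Project
                version: v1beta1
                group: resourcemanager.cnrm.cloud.google.com
              targetField: "number"
              valueTemplate: "projects/{{value}}"
        - tfField: status.ingress_policies.ingress_from.identities
          # Description corrected to match the spec.* counterpart: this is the
          # ingress policy's identity list, not an EgressPolicy.
          description: |-
            (Optional) A list of identities that are allowed access through this
            ingress policy. Should be in the format of email address. The email
            address should represent individual user or service account only.
          types:
            - key: serviceAccountRef
              gvk:
                kind: IAMServiceAccount
                version: v1beta1
                group: iam.cnrm.cloud.google.com
              targetField: email
              valueTemplate: "serviceAccount:{{value}}"
            - key: user
              jsonSchemaType: string
              valueTemplate: "user:{{value}}"
        - tfField: status.ingress_policies.ingress_from.sources.access_level
          description: |-
            An AccessLevel resource name that allow resources within the
            ServicePerimeters to be accessed from the internet. AccessLevels
            listed must be in the same policy as this ServicePerimeter.
            Referencing a nonexistent AccessLevel will cause an error. If no
            AccessLevel names are listed, resources within the perimeter can
            only be accessed via Google Cloud calls with request origins within
            the perimeter.
          key: accessLevelRef
          gvk:
            kind: AccessContextManagerAccessLevel
            version: v1beta1
            group: accesscontextmanager.cnrm.cloud.google.com
          # TODO(b/171825578): Remove this value template once `name` field starts get value in correct format
          valueTemplate: "{{parent}}/accessLevels/{{value}}"
        - tfField: status.ingress_policies.ingress_from.sources.resource
          description: |-
            (Optional) A Google Cloud resource that is allowed to ingress the
            perimeter. Requests from these resources will be allowed to access
            perimeter data. Currently only projects are allowed. Format
            "projects/{project_number}" The project may be in any Google Cloud
            organization, not just the organization that the perimeter is defined in.
          key: projectRef
          gvk:
            kind: Project
            version: v1beta1
            group: resourcemanager.cnrm.cloud.google.com
          targetField: "number"
          valueTemplate: "projects/{{value}}"
        - tfField: status.ingress_policies.ingress_to.resources
          description: |-
            A list of resources, currently only projects in the form
            "projects/{project_number}", protected by this ServicePerimeter
            that are allowed to be accessed by sources defined in the
            corresponding IngressFrom. A request matches if it contains a
            resource in this list.
          types:
            - key: projectRef
              gvk:
                kind: Project
                version: v1beta1
                group: resourcemanager.cnrm.cloud.google.com
              targetField: "number"
              valueTemplate: "projects/{{value}}"
        - tfField: status.resources
          description: |-
            (Optional) A list of GCP resources that are inside of the service perimeter.
            Currently only projects are allowed.
          types:
            - key: projectRef
              gvk:
                kind: Project
                version: v1beta1
                group: resourcemanager.cnrm.cloud.google.com
              targetField: "number"
              valueTemplate: "projects/{{value}}"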