service_perimeters
Creates, updates, deletes, gets or lists a service_perimeters
resource.
Overview
Name | service_perimeters |
Type | Resource |
Id | google.accesscontextmanager.service_perimeters |
Fields
The following fields are returned by SELECT queries:
- get
- list
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Identifier. Resource name for the ServicePerimeter . Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter} . The service_perimeter component must begin with a letter, followed by alphanumeric characters or _ . After you create a ServicePerimeter , you cannot change its name . |
description | string | Description of the ServicePerimeter and its use. Does not affect behavior. |
etag | string | Optional. An opaque identifier for the current version of the ServicePerimeter . This identifier does not follow any specific format. If an etag is not provided, the operation will be performed as if a valid etag is provided. |
perimeterType | string | Perimeter type indicator. A single project or VPC network may be a member of only one regular perimeter, but of multiple perimeter bridges. A project cannot be included in a perimeter bridge without also being included in a regular perimeter. For perimeter bridges, the restricted service list and the access level lists must be empty. |
spec | object | Proposed (or dry-run) ServicePerimeter configuration. It lets you specify and test a ServicePerimeter configuration without enforcing any access restrictions. May only be set when the useExplicitDryRunSpec flag is set. (id: ServicePerimeterConfig) |
status | object | Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries. (id: ServicePerimeterConfig) |
title | string | Human readable title. Must be unique within the Policy. |
useExplicitDryRunSpec | boolean | Use explicit dry-run spec flag. Ordinarily a dry-run spec implicitly exists for every Service Perimeter and is identical to that perimeter's status. When this flag is set, the implicit spec is not generated, and the user can explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This lets the user test changes to the enforced config ("status") without enforcing them; the test consists of analyzing the differences between the currently enforced and the proposed restrictions. useExplicitDryRunSpec must be set to true if any field in spec has a non-default value. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | accessPoliciesId, servicePerimetersId | | Gets a service perimeter based on the resource name. |
list | select | accessPoliciesId | pageSize, pageToken | Lists all service perimeters for an access policy. |
create | insert | accessPoliciesId | | Creates a service perimeter. The long-running operation from this RPC has a successful status after the service perimeter propagates to long-lasting storage. If a service perimeter contains errors, an error response is returned for the first error encountered. |
patch | update | accessPoliciesId, servicePerimetersId | updateMask | Updates a service perimeter. The long-running operation from this RPC has a successful status after the service perimeter propagates to long-lasting storage. If a service perimeter contains errors, an error response is returned for the first error encountered. |
replace_all | replace | accessPoliciesId | | Replaces all existing service perimeters in an access policy with the service perimeters provided. This is done atomically. The long-running operation from this RPC has a successful status after all replacements propagate to long-lasting storage. Replacements containing errors result in an error response for the first error encountered. Upon an error, the replacements are cancelled and existing service perimeters are not affected. The Operation.response field contains ReplaceServicePerimetersResponse. |
delete | delete | accessPoliciesId, servicePerimetersId | | Deletes a service perimeter based on the resource name. The long-running operation from this RPC has a successful status after the service perimeter is removed from long-lasting storage. |
commit | exec | accessPoliciesId | | Commits the dry-run specification for all the service perimeters in an access policy. A commit operation on a service perimeter copies its spec field to its status field. Only service perimeters with use_explicit_dry_run_spec set to true are affected by a commit operation. The long-running operation from this RPC has a successful status after the dry-run specifications for all the service perimeters have been committed. If a commit fails, the long-running operation returns an error response and the entire commit operation is cancelled. When successful, the Operation.response field contains CommitServicePerimetersResponse. The dry_run and spec fields are cleared after a successful commit operation. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
accessPoliciesId | string | The {access_policy} segment of the resource name accessPolicies/{access_policy}. |
servicePerimetersId | string | The {service_perimeter} segment of the resource name; must begin with a letter, followed by alphanumeric characters or _. |
pageSize | integer (int32) | Maximum number of service perimeters to return in one list page. |
pageToken | string | Token returned by a previous list call, used to fetch the next page. |
updateMask | string (google-fieldmask) | Comma-separated list of the fields a patch should modify (for example spec,useExplicitDryRunSpec); fields not named in the mask are left unchanged. |
SELECT examples
- get
- list
Gets a service perimeter based on the resource name.
SELECT
name,
description,
etag,
perimeterType,
spec,
status,
title,
useExplicitDryRunSpec
FROM google.accesscontextmanager.service_perimeters
WHERE accessPoliciesId = '{{ accessPoliciesId }}' -- required
AND servicePerimetersId = '{{ servicePerimetersId }}'; -- required
Lists all service perimeters for an access policy.
SELECT
name,
description,
etag,
perimeterType,
spec,
status,
title,
useExplicitDryRunSpec
FROM google.accesscontextmanager.service_perimeters
WHERE accessPoliciesId = '{{ accessPoliciesId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}';
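The list query above returns the raw status and spec objects; the audit a reviewer usually wants is one row per perimeter with the enforced scope summarised and two risky conditions flagged: a regular perimeter whose enforced status restricts no services (it protects nothing), and an explicit dry-run spec that differs from status (a change someone proposed but never committed). The following query is an added example, not taken from the original page; it assumes StackQL's default SQLite backend (so json_extract and json_array_length are available), uses '123456' as a placeholder access policy id, and relies on the restrictedServices and resources keys of the ServicePerimeterConfig object that this page references only by id.

```sql
-- Added audit query (not from the original page). Assumes the SQLite backend
-- and a placeholder access policy id of '123456'.
SELECT
  name,
  perimeterType,
  useExplicitDryRunSpec,
  COALESCE(json_array_length(status, '$.resources'), 0)          AS enforced_resources,
  COALESCE(json_array_length(status, '$.restrictedServices'), 0) AS enforced_services,
  json_extract(status, '$.restrictedServices')                   AS enforced_service_list,
  json_extract(spec,   '$.restrictedServices')                   AS proposed_service_list,
  CASE
    -- Bridges must have an empty restricted list, so only flag regular perimeters.
    WHEN perimeterType = 'PERIMETER_TYPE_REGULAR'
     AND COALESCE(json_array_length(status, '$.restrictedServices'), 0) = 0
      THEN 'regular perimeter restricts no services'
    -- spec is only returned when an explicit dry-run spec exists; if it differs
    -- from status, a proposed change is sitting uncommitted.
    WHEN spec IS NOT NULL AND spec <> status
      THEN 'dry-run spec differs from enforced status (not committed)'
    ELSE 'ok'
  END AS finding
FROM google.accesscontextmanager.service_perimeters
WHERE accessPoliciesId = '123456'
ORDER BY finding, name;
```

The comparison of spec against status is a plain string comparison of the JSON the API returned, which is sufficient to detect "something differs"; use the two extracted service lists in the output to see what.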
INSERT examples
- create
- Manifest
Creates a service perimeter. The long-running operation from this RPC has a successful status after the service perimeter propagates to long-lasting storage. If a service perimeter contains errors, an error response is returned for the first error encountered.
INSERT INTO google.accesscontextmanager.service_perimeters (
data__name,
data__title,
data__description,
data__perimeterType,
data__status,
data__spec,
data__useExplicitDryRunSpec,
data__etag,
accessPoliciesId
)
SELECT
'{{ name }}',
'{{ title }}',
'{{ description }}',
'{{ perimeterType }}',
'{{ status }}',
'{{ spec }}',
{{ useExplicitDryRunSpec }},
'{{ etag }}',
'{{ accessPoliciesId }}'
RETURNING
name,
done,
error,
metadata,
response
;
# Description fields are for documentation purposes
- name: service_perimeters
  props:
    - name: accessPoliciesId
      value: string
      description: Required parameter for the service_perimeters resource.
    - name: name
      value: string
      description: >
        Identifier. Resource name for the `ServicePerimeter`. Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`. The `service_perimeter` component must begin with a letter, followed by alphanumeric characters or `_`. After you create a `ServicePerimeter`, you cannot change its `name`.
    - name: title
      value: string
      description: >
        Human readable title. Must be unique within the Policy.
    - name: description
      value: string
      description: >
        Description of the `ServicePerimeter` and its use. Does not affect behavior.
    - name: perimeterType
      value: string
      description: >
        Perimeter type indicator. A single project or VPC network may be a member of only one regular perimeter, but of multiple perimeter bridges. A project cannot be included in a perimeter bridge without also being included in a regular perimeter. For perimeter bridges, the restricted service list and the access level lists must be empty.
      valid_values: ['PERIMETER_TYPE_REGULAR', 'PERIMETER_TYPE_BRIDGE']
    - name: status
      value: object
      description: >
        Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
    - name: spec
      value: object
      description: >
        Proposed (or dry-run) ServicePerimeter configuration. It lets you specify and test a ServicePerimeter configuration without enforcing any access restrictions. May only be set when the useExplicitDryRunSpec flag is set.
    - name: useExplicitDryRunSpec
      value: boolean
      description: >
        Use explicit dry-run spec flag. Ordinarily a dry-run spec implicitly exists for every Service Perimeter and is identical to that perimeter's status. When this flag is set, the implicit spec is not generated, and the user can explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This lets the user test changes to the enforced config ("status") without enforcing them; the test consists of analyzing the differences between the currently enforced and the proposed restrictions. useExplicitDryRunSpec must be set to true if any field in spec has a non-default value.
    - name: etag
      value: string
      description: >
        Optional. An opaque identifier for the current version of the `ServicePerimeter`. This identifier does not follow any specific format. If an etag is not provided, the operation will be performed as if a valid etag is provided.
UPDATE examples
- patch
Updates a service perimeter. The long-running operation from this RPC has a successful status after the service perimeter propagates to long-lasting storage. If a service perimeter contains errors, an error response is returned for the first error encountered.
UPDATE google.accesscontextmanager.service_perimeters
SET
data__name = '{{ name }}',
data__title = '{{ title }}',
data__description = '{{ description }}',
data__perimeterType = '{{ perimeterType }}',
data__status = '{{ status }}',
data__spec = '{{ spec }}',
data__useExplicitDryRunSpec = {{ useExplicitDryRunSpec }},
data__etag = '{{ etag }}'
WHERE
accessPoliciesId = '{{ accessPoliciesId }}' --required
AND servicePerimetersId = '{{ servicePerimetersId }}' --required
AND updateMask = '{{ updateMask }}'
RETURNING
name,
done,
error,
metadata,
response;
REPLACE examples
- replace_all
Replaces all existing service perimeters in an access policy with the service perimeters provided. This is done atomically. The long-running operation from this RPC has a successful status after all replacements propagate to long-lasting storage. Replacements containing errors result in an error response for the first error encountered. Upon an error, the replacements are cancelled and existing service perimeters are not affected. The Operation.response field contains ReplaceServicePerimetersResponse.
REPLACE google.accesscontextmanager.service_perimeters
SET
data__servicePerimeters = '{{ servicePerimeters }}',
data__etag = '{{ etag }}'
WHERE
accessPoliciesId = '{{ accessPoliciesId }}' --required
RETURNING
name,
done,
error,
metadata,
response;
DELETE examples
- delete
Deletes a service perimeter based on the resource name. The long-running operation from this RPC has a successful status after the service perimeter is removed from long-lasting storage.
DELETE FROM google.accesscontextmanager.service_perimeters
WHERE accessPoliciesId = '{{ accessPoliciesId }}' --required
AND servicePerimetersId = '{{ servicePerimetersId }}'; --required
Lifecycle Methods
- commit
Commits the dry-run specification for all the service perimeters in an access policy. A commit operation on a service perimeter copies its spec field to its status field. Only service perimeters with use_explicit_dry_run_spec set to true are affected by a commit operation. The long-running operation from this RPC has a successful status after the dry-run specifications for all the service perimeters have been committed. If a commit fails, the long-running operation returns an error response and the entire commit operation is cancelled. When successful, the Operation.response field contains CommitServicePerimetersResponse. The dry_run and spec fields are cleared after a successful commit operation.
EXEC google.accesscontextmanager.service_perimeters.commit
@accessPoliciesId='{{ accessPoliciesId }}' --required
@@json=
'{
"etag": "{{ etag }}"
}';
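The INSERT, UPDATE and commit sections above are the steps of one procedure: a perimeter change that is staged as a dry-run spec, reviewed against the enforced status, and only then committed, so that a typo in a service list never blocks production traffic unreviewed. The script below walks that procedure end to end. It is an added example, not code from the original page or from the StackQL project; it assumes StackQL's default SQLite backend for json_extract, uses '123456' as a placeholder access policy id, 'projects/111111111111' as a placeholder project number, and the resources and restrictedServices keys of the ServicePerimeterConfig object that this page references only by id. The commit's etag is an optional concurrency check; supply a current one or omit the field.

```sql
-- Added example (not from the original page). Placeholders: access policy '123456',
-- project number 'projects/111111111111'.

-- 1. Create the perimeter with an enforced status that restricts only Cloud Storage.
--    The perimeter component of the name must start with a letter.
INSERT INTO google.accesscontextmanager.service_perimeters (
  data__name,
  data__title,
  data__description,
  data__perimeterType,
  data__status,
  accessPoliciesId
)
SELECT
  'accessPolicies/123456/servicePerimeters/prod_data',
  'prod-data',
  'Production data projects',
  'PERIMETER_TYPE_REGULAR',
  '{"resources": ["projects/111111111111"], "restrictedServices": ["storage.googleapis.com"]}',
  '123456'
RETURNING name, done, error;

-- 2. Propose adding BigQuery to the restricted list as a dry-run spec only.
--    updateMask limits the write to the two fields touched, so status stays as
--    enforced; useExplicitDryRunSpec must be true whenever spec is non-default.
UPDATE google.accesscontextmanager.service_perimeters
SET
  data__useExplicitDryRunSpec = true,
  data__spec = '{"resources": ["projects/111111111111"], "restrictedServices": ["storage.googleapis.com", "bigquery.googleapis.com"]}'
WHERE accessPoliciesId = '123456'
  AND servicePerimetersId = 'prod_data'
  AND updateMask = 'spec,useExplicitDryRunSpec'
RETURNING name, done, error;

-- 3. Review: the enforced and proposed service lists should differ by exactly
--    bigquery.googleapis.com, and the resource list should be unchanged.
SELECT
  useExplicitDryRunSpec,
  json_extract(status, '$.restrictedServices') AS enforced_services,
  json_extract(spec,   '$.restrictedServices') AS proposed_services,
  json_extract(status, '$.resources')          AS enforced_resources,
  json_extract(spec,   '$.resources')          AS proposed_resources
FROM google.accesscontextmanager.service_perimeters
WHERE accessPoliciesId = '123456'
  AND servicePerimetersId = 'prod_data';

-- 4. Commit: for every perimeter in the policy with useExplicitDryRunSpec set,
--    spec is copied to status and then cleared. The etag is an optional
--    concurrency guard; drop the field if you do not hold a current value.
EXEC google.accesscontextmanager.service_perimeters.commit
  @accessPoliciesId = '123456'
  @@json = '{"etag": "{{ etag }}"}';

-- 5. Confirm: after a successful commit, status now lists both services and
--    spec is no longer returned for this perimeter.
SELECT
  json_extract(status, '$.restrictedServices') AS enforced_services,
  spec
FROM google.accesscontextmanager.service_perimeters
WHERE accessPoliciesId = '123456'
  AND servicePerimetersId = 'prod_data';
```

Because commit acts on every perimeter in the policy that has an explicit spec, run step 3 (or the policy-wide audit query in the SELECT examples) across all perimeters before step 4; an unrelated half-finished spec on another perimeter would be enforced by the same commit.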