hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

"google_access_context_manager_access_level" "members" condition should include groups #16365

Open kevin-greenan-tempus opened 1 year ago

kevin-greenan-tempus commented 1 year ago

Description

From the docs:

members - An allowed list of members (users, service accounts). Using groups is not supported yet. The signed-in user originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, not present in any groups, etc.). Formats: user:{emailid}, serviceAccount:{emailid}

Access Levels should allow the use of group membership conditions. Listing each user or service account identity exhaustively is not scalable. On the surface, this seems to be expected - access to a resource is handled by IAM bindings. When using VPC Service Controls, however, we want to allow access to a resource to be controlled through a condition within an access-level.

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_access_context_manager_access_level" "access-level" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/group_member"
  title  = "group_member"
  basic {
    conditions {
      members = [
        "group:group-name@example.com",
      ]
    }
  }
}

References

b/308569238

rileykarson commented 1 year ago

Note: This warning comes from the API docs

imrannayer commented 1 year ago

@kevin-greenan-tempus This is not a terraform provider limitation. According to API docs it is not supported.

The request must be made by one of the provided user or service accounts. Groups are not supported.

Charlesleonius commented 1 year ago

Thank you for requesting this feature. As stated here, it is a limitation of the service itself and not the Terraform provider. It is on our radar. I cannot give any indication as to timeline, but it will be supported.

jeremiahbowen commented 3 days ago

This comes up in all of our SOC2, HITRUST, and GCP audits when granting permissions to individual users.

Charlesleonius commented 3 days ago

Hi @jeremiahbowen, are you using access levels as part of VPC-SC or another security feature? VPC-SC service perimeters now support groups in ingress/egress rules, which are intended to replace the use of access levels. Here is some documentation regarding the new feature: https://cloud.google.com/vpc-service-controls/docs/configure-identity-groups
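The group-based alternative mentioned in the last comment, written out as a worked Terraform configuration. This is an added example, not code from the issue, the provider docs, or the maintainers: it places a project inside a service perimeter that restricts Cloud Storage, then opens a narrow ingress rule that lets members of a Google Group read objects from outside the perimeter. The access policy reference `google_access_context_manager_access_policy.policy`, the project number `123456789012`, the group address and the perimeter name are all placeholders chosen for this example.

```hcl
# Added example: a VPC-SC service perimeter whose ingress rule is scoped to a
# group identity instead of an exhaustive list of users.
# Assumptions (placeholders, not from the issue):
#   - google_access_context_manager_access_policy.policy already exists
#   - 123456789012 is the number of the project being protected
#   - data-readers@example.com is the Google Group that should be allowed in
resource "google_access_context_manager_service_perimeter" "restricted_storage" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/restricted_storage"
  title  = "restricted_storage"

  status {
    # Project(s) inside the perimeter and the API(s) the perimeter guards.
    resources           = ["projects/123456789012"]
    restricted_services = ["storage.googleapis.com"]

    ingress_policies {
      ingress_from {
        # Group membership is evaluated by the service; no per-user listing.
        # Only one of `identities` / `identity_type` is set here.
        identities = ["group:data-readers@example.com"]

        # "*" accepts requests from any network/source; tighten this to a
        # named access level (for example one with an IP or device condition)
        # if the group alone is too broad for your audit requirements.
        sources {
          access_level = "*"
        }
      }

      ingress_to {
        # Apply to every protected project in the perimeter ...
        resources = ["*"]

        # ... but only for object reads, not for listing buckets or writing.
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.get"
          }
        }
      }
    }
  }
}
```

The rule is deliberately asymmetric: the `ingress_from` side answers "who may cross the boundary" with a group, while the `ingress_to` side answers "what they may do" with a single method selector. Widening `operations` to `method = "*"` reproduces the broad access the original access-level approach would have granted, so reviewers of such a change should treat the method list, not just the group name, as the security-relevant line.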