Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.
Description
google_access_context_manager_service_perimeter should support group: identity type
Presently, the identity specified within ingress/egress rules of a service perimeter is documented to only allow service account identities specifically. Presently the documentation states "The email address should represent individual user or service account only." and the actual code has 'The email address should represent individual user or service account only.' specified (though, there may not be any actual validation beyond that).
Recently, Google has added the ability to specify a group, and this feature is available in the same API call that is already made.
The API itself lists a group as acceptable: "A list of identities that are allowed access through [IngressPolicy]. Identities can be an individual user, service account, Google group, or third-party identity. For third-party identity, only single identities are supported and other identity types are not supported. The v1 identities that have the prefix user, group, serviceAccount, and principal in https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported."
There is no validation to prevent you from using groups. We will work on updating the documentation but in the meantime you should be able to go ahead and use them in your Terraform config.
New or Affected Resource(s)
google_access_context_manager_service_perimeter
Potential Terraform Configuration
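A Terraform configuration using the group: identity the issue asks for, added here as an example; it is not taken from the issue or from the provider's own documentation. The organization id, project numbers, group address and service account email are placeholders, and the identity strings follow the v1 principal-identifier format linked in the issue. Because a group identity admits whoever is a member of that group, group membership management becomes part of the perimeter's trust boundary, so the rest of the rule (source project, target service, method) is kept as narrow as it was with individual service accounts.

```hcl
# Added example (not from the issue): a service perimeter whose ingress rule
# admits a Google group in addition to an individual service account.
# All ids, project numbers and email addresses below are placeholders.

resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/123456789012" # placeholder organization id
  title  = "example-policy"
}

resource "google_access_context_manager_service_perimeter" "storage_perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/restrict_storage"
  title  = "restrict_storage"

  status {
    # Projects inside the perimeter (placeholder project number).
    resources           = ["projects/111111111111"]
    restricted_services = ["storage.googleapis.com"]

    ingress_policies {
      ingress_from {
        # The group: prefix is the point of the feature request. The rest of the
        # rule stays as tight as before: one caller project and one read-only
        # method, so admitting the group does not widen what the perimeter allows.
        identities = [
          "group:data-readers@example.com",                     # placeholder group
          "serviceAccount:etl@my-proj.iam.gserviceaccount.com", # placeholder SA
        ]
        sources {
          resource = "projects/222222222222" # placeholder caller project
        }
      }

      ingress_to {
        resources = ["projects/111111111111"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.get"
          }
        }
      }
    }
  }
}
```

Per the maintainer's reply, the provider performs no validation that would reject the group: entry, so `terraform plan` and `apply` pass it through to the Access Context Manager API unchanged; the documentation wording is the only thing that suggests otherwise.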
References
b/373407399