hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_access_context_manager_access_level_condition should provide an option to add the new condition to the existing condition with an "OR" operator #8125

Open anubbhavm opened 3 years ago

anubbhavm commented 3 years ago

Description

Introduce a new parameter "operator" to "google_access_context_manager_access_level_condition" to provide an option to add the new condition to the existing condition with an "OR" operator. Currently, the new condition gets added with an "AND" operator. See below for example.

Include all the following attributes
Regions match CH (Switzerland), IT (Italy), and US (United States)
Device screen lock
OS restrictions match Chrome OS (any version)
Members match vpc-sc@XXXX.iam.gserviceaccount.com
AND
Include all the following attributes
IP Subnetworks match 192.0.4.0/24
Regions match IT (Italy) and US (United States)
Device corp owned
OS restrictions match Chrome OS (any version)
Members match test@google.com, test2@google.com, and tf-test-123@XXXX.iam.gserviceaccount.com

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_access_context_manager_access_level" "access-level-service-account" {
  parent = "accessPolicies/410809943175"
  name   = "accessPolicies/410809943175/accessLevels/tf_test_new_resource"
  title  = "tf_test_new_resource"
  basic {
    conditions {
      device_policy {
        require_screen_lock = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      members = ["serviceAccount:vpc-sc@XXXX.iam.gserviceaccount.com"]
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }

  lifecycle {
    ignore_changes = [basic.0.conditions]
  }
}

resource "google_service_account" "created-later" {
  account_id = "tf-test-123"
}

resource "google_access_context_manager_access_level_condition" "access-level-conditions" {
  access_level = google_access_context_manager_access_level.access-level-service-account.name
  operator = "OR"
  ip_subnetworks = ["192.0.4.0/24"]
  members = ["user:test@google.com", "user:test2@google.com", "serviceAccount:${google_service_account.created-later.email}"]
  negate = false
  device_policy {
    require_screen_lock = false
    require_admin_approval = false
    require_corp_owned = true
    os_constraints {
      os_type = "DESKTOP_CHROME_OS"
    }
  }
  regions = [
    "IT",
    "US",
  ]
}

b/359383500

ggtisc commented 2 months ago

The user is looking to add a new argument called operator to manage different operators like OR to the google_access_context_manager_access_level_condition resource.

roaks3 commented 1 month ago

Note that this should technically be possible through the API by using combiningFunction, but I believe it should be a change to google_access_context_manager_access_level. Adding it to the condition presents 2 problems: it becomes unclear which resource controls the behavior, and the combiningFunction field exists one level up from the fields that the condition resource interacts with.
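For reference, the OR behaviour the issue asks for can already be expressed on the access level itself via combining_function, the Terraform name of the API's combiningFunction. This is an added example, not configuration from the issue or the provider docs; it reuses the policy id, members and the google_service_account.created-later resource from the issue's own snippet, with both condition sets inlined into one resource.

```hcl
# Added example (not from the issue): both condition sets from the request,
# combined with OR on the access level rather than through the condition resource.
resource "google_access_context_manager_access_level" "access-level-or" {
  parent = "accessPolicies/410809943175" # policy id taken from the issue
  name   = "accessPolicies/410809943175/accessLevels/tf_test_new_resource"
  title  = "tf_test_new_resource"

  basic {
    # Default is AND. With OR a request is granted when EITHER conditions
    # block matches, so the level is only as strict as its loosest block.
    combining_function = "OR"

    # First condition set: the vpc-sc service account from CH, IT or US
    conditions {
      device_policy {
        require_screen_lock = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      members = ["serviceAccount:vpc-sc@XXXX.iam.gserviceaccount.com"]
      regions = ["CH", "IT", "US"]
    }

    # Second condition set: the one the issue wanted to attach with OR
    conditions {
      ip_subnetworks = ["192.0.4.0/24"]
      members = [
        "user:test@google.com",
        "user:test2@google.com",
        "serviceAccount:${google_service_account.created-later.email}",
      ]
      negate = false
      device_policy {
        require_screen_lock    = false
        require_admin_approval = false
        require_corp_owned     = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = ["IT", "US"]
    }
  }
}
```

Because both sets live in one resource, the lifecycle ignore_changes block from the issue is no longer needed, but this also gives up the ability to append a condition from a separate module that the condition resource provides.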