File: //snap/google-cloud-cli/current/lib/surface/access_context_manager/perimeters/create.yaml
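# Declarative gcloud command spec for
#   gcloud access-context-manager perimeters create
# The file is loaded by the gcloud CLI's YAML command framework; keys such as
# `request`, `async`, `arguments` and the per-track overrides (ALPHA/BETA/GA)
# are interpreted by that framework, not by a generic YAML consumer.
# ALPHA targets the v1alpha API; BETA and GA target v1.
- release_tracks: [ALPHA, BETA, GA]
  help_text:
    brief: Create a new service perimeter.
    description: |
      Create a new service perimeter in a given access policy.
    examples: |
      To create a new basic Service Perimeter:

        $ {command} --title=my_perimeter_title --resources=projects/12345 --restricted-services="storage.googleapis.com" --policy=9876543
  request:
    api_version: v1
    collection: accesscontextmanager.accessPolicies.servicePerimeters
    # Hooks are listed with the access-policy validation first so the --policy
    # argument is checked before the perimeter payload is assembled (execution
    # order is presumably the list order — confirm against the framework).
    modify_request_hooks:
    - googlecloudsdk.command_lib.accesscontextmanager.policies:ValidateAccessPolicyArg
    - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddAccessLevelsGA
    - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddVpcAccessibleServicesGA
    - googlecloudsdk.command_lib.util.hooks.request_modifiers:SetFieldFromRelativeName:api_field=servicePerimeter.name
    # ALPHA swaps in the v1alpha API and the matching *Alpha hooks.
    ALPHA:
      api_version: v1alpha
      modify_request_hooks:
      - googlecloudsdk.command_lib.accesscontextmanager.policies:ValidateAccessPolicyArg
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddAccessLevelsAlpha
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddVpcAccessibleServicesAlpha
      - googlecloudsdk.command_lib.util.hooks.request_modifiers:SetFieldFromRelativeName:api_field=servicePerimeter.name
    # BETA is identical to the default (GA) request configuration.
    BETA:
      api_version: v1
      modify_request_hooks:
      - googlecloudsdk.command_lib.accesscontextmanager.policies:ValidateAccessPolicyArg
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddAccessLevelsGA
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddVpcAccessibleServicesGA
      - googlecloudsdk.command_lib.util.hooks.request_modifiers:SetFieldFromRelativeName:api_field=servicePerimeter.name
  # Creation is a long-running operation; the framework polls this collection.
  async:
    collection: accesscontextmanager.operations
  arguments:
    resource:
      help_text: The service perimeter to create.
      spec: !REF googlecloudsdk.command_lib.accesscontextmanager.resources:perimeter
    params:
    - api_field: servicePerimeter.description
      arg_name: description
      required: false
      help_text: Long-form description of service perimeter.
    - api_field: servicePerimeter.title
      arg_name: title
      required: true
      help_text: Short human-readable title for the service perimeter.
    # Resources are identified by project *number*, not project ID.
    - api_field: servicePerimeter.status.resources
      arg_name: resources
      help_text: |
        Comma-separated list of resources (currently only projects, in the
        form `projects/<projectnumber>`) in this perimeter.
    # Services listed here are the ones the perimeter boundary is enforced
    # for; services not listed are not restricted by this perimeter.
    - api_field: servicePerimeter.status.restrictedServices
      arg_name: restricted-services
      metavar: SERVICE
      help_text: |
        Comma-separated list of services to which the perimeter boundary
        *does* apply (for example, `storage.googleapis.com`).
    # Access levels are a condition under which a request is allowed through
    # the boundary, so every ID listed here widens what the perimeter admits.
    - arg_name: access-levels
      api_field: servicePerimeter.status.accessLevels
      metavar: LEVEL
      # Added in AddAccessLevels hook because a type wouldn't have access to
      # the policy of the service perimeter
      type: arg_list
      help_text: |
        Comma-separated list of IDs for access levels (in the same policy)
        that an intra-perimeter request must satisfy to be allowed.
    - api_field: servicePerimeter.perimeterType
      arg_name: perimeter-type
      help_text: |
        Type of the perimeter.
      default: regular
      choices:
      - arg_value: regular
        enum_value: PERIMETER_TYPE_REGULAR
        help_text: |
          Allows resources within this service perimeter to import and export
          data amongst themselves.
          A project may belong to at most one regular service perimeter.
      - arg_value: bridge
        enum_value: PERIMETER_TYPE_BRIDGE
        help_text: |
          Allows resources in different regular service perimeters to import
          and export data between each other.
          A project may belong to multiple bridge service perimeters (only if
          it also belongs to a regular service perimeter). Both restricted and
          unrestricted service lists, as well as access level lists,
          must be empty.
    # The ingress/egress policy files are user-supplied paths parsed by the
    # Parse*Policies processors (project code, not visible here).
    # NOTE(review): confirm those processors use a safe YAML loader — the file
    # contents are untrusted input from the CLI's point of view.
    - api_field: servicePerimeter.status.ingressPolicies
      metavar: YAML_FILE
      arg_name: ingress-policies
      help_text: |
        Path to a file containing a list of Ingress Policies.
        This file contains a list of YAML-compliant objects representing
        Ingress Policies described in the API reference.
        For more information about the alpha version, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters
        For more information about non-alpha versions, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters
      repeated: false
      ALPHA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseIngressPolicies:api_version=v1alpha
      BETA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseIngressPolicies:api_version=v1
      GA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseIngressPolicies:api_version=v1
    - api_field: servicePerimeter.status.egressPolicies
      metavar: YAML_FILE
      arg_name: egress-policies
      help_text: |
        Path to a file containing a list of Egress Policies.
        This file contains a list of YAML-compliant objects representing
        Egress Policies described in the API reference.
        For more information about the alpha version, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters
        For more information about non-alpha versions, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters
      repeated: false
      ALPHA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseEgressPolicies:api_version=v1alpha
      BETA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseEgressPolicies:api_version=v1
      GA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseEgressPolicies:api_version=v1
    # ALPHA only: the full VpcAccessibleServices YAML file is mutually
    # exclusive with the (allowed-services, enable) flag pair below.
    - group:
        release_tracks: [ALPHA]
        mutex: true
        required: false
        params:
        - api_field: servicePerimeter.status.vpcAccessibleServices
          metavar: VPC_ACCESSIBLE_SERVICES_YAML_FILE
          arg_name: vpc-accessible-services
          help_text: |
            Path to a YAML file containing the full VPC Accessible Services configuration.
            This file should contain a single YAML object representing a VpcAccessibleServices
            message as described in the API reference. This cannot be used with
            `--vpc-allowed-services` or `--enable-vpc-accessible-services`.
            For more information about the alpha version, see:
            https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters
            For more information about non-alpha versions, see:
            https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters
          ALPHA:
            processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseVpcAccessibleServices:api_version=v1alpha
        # Inner group is non-mutex so both flags can be given together.
        - group:
            mutex: false
            params:
            - api_field: servicePerimeter.status.vpcAccessibleServices.allowedServices
              arg_name: vpc-allowed-services
              metavar: VPC_SERVICE
              help_text: |
                Comma-separated list of APIs accessible from within the Service
                Perimeter. In order to include all restricted services, use
                reference "RESTRICTED-SERVICES".
                Requires VPC accessible services to be enabled
                (`--enable-vpc-accessible-services`).
            - arg_name: enable-vpc-accessible-services
              # api_field is not used here to allow the modify_request_hooks to handle
              # the logic, preventing interference with the vpc-accessible-services YAML file.
              # (Presumably AddVpcAccessibleServicesAlpha — confirm in the hook.)
              type: bool
              help_text: |
                Whether to restrict API calls within the perimeter to those in the
                vpc-allowed-services list.
    # BETA/GA: only the flag pair is offered; enableRestriction maps directly
    # to the API field here.
    - group:
        release_tracks: [BETA, GA]
        params:
        - api_field: servicePerimeter.status.vpcAccessibleServices.allowedServices
          arg_name: vpc-allowed-services
          metavar: VPC_SERVICE
          required: false
          help_text: |
            Comma-separated list of APIs accessible from within the Service
            Perimeter. In order to include all restricted services, use
            reference "RESTRICTED-SERVICES".
            Requires VPC accessible services to be enabled
            (`--enable-vpc-accessible-services`).
        - api_field: servicePerimeter.status.vpcAccessibleServices.enableRestriction
          arg_name: enable-vpc-accessible-services
          required: false
          type: bool
          help_text: |
            Whether to restrict API calls within the perimeter to those in the
            vpc-allowed-services list.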