GoogleCloudPlatform · megan07 · Oct 14, 2020 · Oct 8, 2020 · Oct 8, 2020 · Oct 12, 2020
diff --git a/products/accesscontextmanager/api.yaml b/products/accesscontextmanager/api.yaml
@@ -571,6 +571,174 @@ objects:
                   - !ruby/object:Api::Type::String
                     name: 'location'
                     description: String indicating the location of the expression for error reporting, e.g. a file name and a position in the file      
+  - !ruby/object:Api::Resource
+    name: 'AccessLevelCondition'
+    create_url: "{{access_level}}"
+    base_url: ""
+    self_link: "{{access_level}}"
+    create_verb: :PATCH
+    delete_verb: :PATCH
+    input: true
+    update_mask: true
+    identity:
+      - ipSubnetworks
+      - requiredAccessLevels
+      - members
+      - negate
+      - devicePolicy
+      - regions
+    nested_query: !ruby/object:Api::Resource::NestedQuery
+      modify_by_patch: true
+      keys:
+        - basic
+        - conditions
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Access Policy Quickstart': 'https://cloud.google.com/access-context-manager/docs/quickstart'
+      api: 'https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels'
+    description: |
+      Allows configuring a single access level condition to be appended to an access level's conditions.
+      This resource is intended to be used in cases where it is not possible to compile a full list
+      of conditions to include in a `google_access_context_manager_access_level` resource,
+      to enable them to be added separately.
+
+      ~> **Note:** If this resource is used alongside a `google_access_context_manager_access_level` resource,
+      the access level resource must have a `lifecycle` block with `ignore_changes = [basic[0].conditions]` so
+      they don't fight over which service accounts should be included.
+    parameters:
+      - !ruby/object:Api::Type::ResourceRef
+        name: 'accessLevel'
+        resource: 'AccessLevel'
+        imports: 'name'
+        description: |
+          The name of the Access Level to add this condition to.
+        required: true
+        input: true
+        url_param_only: true
+    properties:
+      - !ruby/object:Api::Type::Array
+        name: 'ipSubnetworks'
+        description: |
+          A list of CIDR block IP subnetwork specification. May be IPv4
+          or IPv6.
+          Note that for a CIDR IP address block, the specified IP address
+          portion must be properly truncated (i.e. all the host bits must
+          be zero) or the input is considered malformed. For example,
+          "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
+          for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
+          is not. The originating IP of a request must be in one of the
+          listed subnets in order for this Condition to be true.
+          If empty, all IP addresses are allowed.
+        item_type: Api::Type::String
+      - !ruby/object:Api::Type::Array
+        name: 'requiredAccessLevels'
+        description: |
+          A list of other access levels defined in the same Policy,
+          referenced by resource name. Referencing an AccessLevel which
+          does not exist is an error. All access levels listed must be
+          granted for the Condition to be true.
+          Format: accessPolicies/{policy_id}/accessLevels/{short_name}
+        item_type: Api::Type::String
+      - !ruby/object:Api::Type::Array
+        name: 'members'
+        description: |
+          An allowed list of members (users, service accounts).
+          Using groups is not supported yet.
+
+          The signed-in user originating the request must be a part of one
+          of the provided members. If not specified, a request may come
+          from any user (logged in/not logged in, not present in any
+          groups, etc.).
+          Formats: `user:{emailid}`, `serviceAccount:{emailid}`
+        item_type: Api::Type::String
+      - !ruby/object:Api::Type::Boolean
+        name: 'negate'
+        description: |
+          Whether to negate the Condition. If true, the Condition becomes
+          a NAND over its non-empty fields, each field must be false for
+          the Condition overall to be satisfied. Defaults to false.
+      - !ruby/object:Api::Type::NestedObject
+        name: 'devicePolicy'
+        description: |
+          Device specific restrictions, all restrictions must hold for
+          the Condition to be true. If not specified, all devices are
+          allowed.
+        properties:
+          - !ruby/object:Api::Type::Boolean
+            name: 'requireScreenLock'
+            api_name: 'requireScreenlock'
+            description: |
+              Whether or not screenlock is required for the DevicePolicy
+              to be true. Defaults to false.
+          - !ruby/object:Api::Type::Array
+            name: 'allowedEncryptionStatuses'
+            description: |
+              A list of allowed encryptions statuses.
+              An empty list allows all statuses.
+            item_type: !ruby/object:Api::Type::Enum
+              name: 'undefined'
+              description: |
+                This field only has a name and description because of MM
+                limitations. It should not appear in downstreams.
+              values:
+                - :ENCRYPTION_UNSPECIFIED
+                - :ENCRYPTION_UNSUPPORTED
+                - :UNENCRYPTED
+                - :ENCRYPTED
+          - !ruby/object:Api::Type::Array
+            name: 'allowedDeviceManagementLevels'
+            description: |
+              A list of allowed device management levels.
+              An empty list allows all management levels.
+            item_type: !ruby/object:Api::Type::Enum
+              name: 'undefined'
+              description: |
+                This field only has a name and description because of MM
+                limitations. It should not appear in downstreams.
+              values:
+                - :MANAGEMENT_UNSPECIFIED
+                - :NONE
+                - :BASIC
+                - :COMPLETE
+          - !ruby/object:Api::Type::Array
+            name: 'osConstraints'
+            description: |
+              A list of allowed OS versions.
+              An empty list allows all types and all versions.
+            item_type: !ruby/object:Api::Type::NestedObject
+              properties:
+              - !ruby/object:Api::Type::String
+                name: 'minimumVersion'
+                description: |
+                  The minimum allowed OS version. If not set, any version
+                  of this OS satisfies the constraint.
+                  Format: "major.minor.patch" such as "10.5.301", "9.2.1".
+              - !ruby/object:Api::Type::Enum
+                name: 'osType'
+                required: true
+                description: |
+                  The operating system type of the device.
+                values:
+                  - :OS_UNSPECIFIED
+                  - :DESKTOP_MAC
+                  - :DESKTOP_WINDOWS
+                  - :DESKTOP_LINUX
+                  - :DESKTOP_CHROME_OS
+          - !ruby/object:Api::Type::Boolean
+            name: 'requireAdminApproval'
+            description: |
+              Whether the device needs to be approved by the customer admin.
+          - !ruby/object:Api::Type::Boolean
+            name: 'requireCorpOwned'
+            description: |
+              Whether the device needs to be corp owned.
+      - !ruby/object:Api::Type::Array
+        name: 'regions'
+        description: |
+          The request must originate from one of the provided
+          countries/regions.
+          Format: A valid ISO 3166-1 alpha-2 code.
+        item_type: Api::Type::String
   - !ruby/object:Api::Resource
     # This is the singular of `ServicePerimeters`, any changes here should be made to `ServicePerimeters` as well
     name: 'ServicePerimeter'

diff --git a/products/accesscontextmanager/inspec.yaml b/products/accesscontextmanager/inspec.yaml
@@ -24,6 +24,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     exclude: true
   AccessLevels: !ruby/object:Overrides::Inspec::ResourceOverride
     exclude: true
+  AccessLevelCondition: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
   ServicePerimeter: !ruby/object:Overrides::Inspec::ResourceOverride
     base_url: "accessPolicies/{{policy_name}}/servicePerimeters"
     self_link: "accessPolicies/{{policy_name}}/servicePerimeters/{{name}}"

diff --git a/products/accesscontextmanager/terraform.yaml b/products/accesscontextmanager/terraform.yaml
@@ -102,14 +102,43 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     custom_code: !ruby/object:Provider::Terraform::CustomCode
       custom_import: templates/terraform/custom_import/set_access_policy_parent_from_access_policy.go.erb
       custom_delete: templates/terraform/custom_delete/replace_all_access_levels_empty_list.go.erb
-  ServicePerimeter: !ruby/object:Overrides::Terraform::ResourceOverride
+  AccessLevelCondition: !ruby/object:Overrides::Terraform::ResourceOverride
     docs: !ruby/object:Provider::Terraform::Docs
       warning: |
         If you are using User ADCs (Application Default Credentials) with this resource,
         you must specify a `billing_project` and set `user_project_override` to true 
         in the provider configuration. Otherwise the ACM API will return a 403 error. 
         Your account must have the `serviceusage.services.use` permission on the 
         `billing_project` you defined.
+    async: !ruby/object:Provider::Terraform::PollAsync
+      check_response_func_existence: PollCheckForExistence
+      actions: ['create']
+      operation: !ruby/object:Api::Async::Operation
+        timeouts: !ruby/object:Api::Timeouts
+          insert_minutes: 4
+    autogen_async: true
+    exclude_validator: true
+    exclude_import: true # no unique way to specify
+    # Skipping the sweeper due to the non-standard base_url and because this is fine-grained under AccessLevel
+    skip_sweeper: true
+    id_format: "{{access_level}}"
+    import_format: ["{{access_level}}"]
+    mutex: "{{access_level}}"
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "access_context_manager_access_level_condition_basic"
+        skip_test: true
+        primary_resource_id: "access-level-condition"
+        vars:
+          access_level_name: "chromeos_no_lock"
+  ServicePerimeter: !ruby/object:Overrides::Terraform::ResourceOverride
+    docs: !ruby/object:Provider::Terraform::Docs
+      warning: |
+        If you are using User ADCs (Application Default Credentials) with this resource,
+        you must specify a `billing_project` and set `user_project_override` to true
+        in the provider configuration. Otherwise the ACM API will return a 403 error.
+        Your account must have the `serviceusage.services.use` permission on the
+        `billing_project` you defined.
     timeouts: !ruby/object:Api::Timeouts
       insert_minutes: 6
       update_minutes: 6

diff --git a/templates/terraform/examples/access_context_manager_access_level_condition_basic.tf.erb b/templates/terraform/examples/access_context_manager_access_level_condition_basic.tf.erb
@@ -0,0 +1,53 @@
+resource "google_access_context_manager_access_level" "access-level-service-account" {
+  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
+  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/tf_test_chromeos_no_lock%{random_suffix}"
+  title  = "tf_test_chromeos_no_lock%{random_suffix}"
+  basic {
+    conditions {
+      device_policy {
+        require_screen_lock = true
+        os_constraints {
+          os_type = "DESKTOP_CHROME_OS"
+        }
+      }
+      regions = [
+  "CH",
+  "IT",
+  "US",
+      ]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [basic.0.conditions]
+  }
+}
+
+resource "google_service_account" "created-later" {
+  account_id = "tf-test-%{random_suffix}"
+  depends_on = [google_access_context_manager_access_level.access-level-service-account]
+}
+
+resource "google_access_context_manager_access_level_condition" "access-level-conditions" {
+  access_level = google_access_context_manager_access_level.access-level-service-account.name
+  ip_subnetworks = ["192.0.4.0/24"]
+  members = ["user:[email protected]", "user:[email protected]"]
+  negate = false
+  device_policy {
+    require_screen_lock = false
+    require_admin_approval = false
+    require_corp_owned = true
+    os_constraints {
+      os_type = "DESKTOP_CHROME_OS"
+    }
+  }
+  regions = [
+    "IT",
+    "US",
+  ]
+}
+
+resource "google_access_context_manager_access_policy" "access-policy" {
+  parent = "organizations/123456789"
+  title  = "my policy"
+}