gcp.servicenetworking.VpcServiceControls
Manages the VPC Service Controls configuration for a service networking connection
When enabled, Google Cloud makes the following route configuration changes in the service producer VPC network:
- Removes the IPv4 default route (destination 0.0.0.0/0, next hop default internet gateway); Google Cloud then creates an IPv4 route for destination 199.36.153.4/30 using the default internet gateway next hop.
- Creates Cloud DNS managed private zones and authorizes those zones for the service producer VPC network. The zones include googleapis.com, gcr.io, pkg.dev, notebooks.cloud.google.com, kernels.googleusercontent.com, backupdr.cloud.google.com, and backupdr.googleusercontent.com as necessary domains or host names for Google APIs and services that are compatible with VPC Service Controls. Record data in the zones resolves all host names to 199.36.153.4, 199.36.153.5, 199.36.153.6, and 199.36.153.7.
When disabled, Google Cloud makes the following route configuration changes in the service producer VPC network:
- Restores a default route (destination 0.0.0.0/0, next hop default internet gateway)
- Deletes the Cloud DNS managed private zones that provided the host name overrides.
To get more information about VPCServiceControls, see:
- API documentation
- How-to Guides
Note: Destroying a gcp.servicenetworking.VpcServiceControls resource will remove it from state, but will not change the underlying VPC Service Controls configuration for the service producer network. To actually revert the configuration, set `enabled` to `false` and apply that change before removing the resource.
Example Usage
Service Networking Vpc Service Controls Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The consumer VPC that will be peered with the service producer network.
const network = new gcp.compute.Network("default", { name: "example-network" });

// Internal range reserved for the producer side of the peering.
const peeringRange = new gcp.compute.GlobalAddress("default", {
    name: "psa-range",
    purpose: "VPC_PEERING",
    addressType: "INTERNAL",
    prefixLength: 16,
    network: network.id,
});

// Private service access connection between the VPC and the producer.
const connection = new gcp.servicenetworking.Connection("default", {
    network: network.id,
    service: "servicenetworking.googleapis.com",
    reservedPeeringRanges: [peeringRange.name],
});

// Enable VPC Service Controls on the producer network: this removes the
// producer's default internet route and pins Google API host names to the
// restricted 199.36.153.4/30 range (see the description at the top of the page).
// None of these inputs reference an output of `connection`, so Pulumi cannot
// infer the ordering by itself; dependsOn makes the connection exist first.
const vpcServiceControls = new gcp.servicenetworking.VpcServiceControls(
    "default",
    {
        network: network.name,
        service: "servicenetworking.googleapis.com",
        enabled: true,
    },
    { dependsOn: [connection] },
);
import pulumi
import pulumi_gcp as gcp

# The consumer VPC that will be peered with the service producer network.
network = gcp.compute.Network("default", name="example-network")

# Internal range reserved for the producer side of the peering.
peering_range = gcp.compute.GlobalAddress(
    "default",
    name="psa-range",
    purpose="VPC_PEERING",
    address_type="INTERNAL",
    prefix_length=16,
    network=network.id,
)

# Private service access connection between the VPC and the producer.
connection = gcp.servicenetworking.Connection(
    "default",
    network=network.id,
    service="servicenetworking.googleapis.com",
    reserved_peering_ranges=[peering_range.name],
)

# Enable VPC Service Controls on the producer network: this removes the
# producer's default internet route and pins Google API host names to the
# restricted 199.36.153.4/30 range (see the description at the top of the page).
# None of these inputs reference an output of `connection`, so Pulumi cannot
# infer the ordering by itself; depends_on makes the connection exist first.
vpc_service_controls = gcp.servicenetworking.VpcServiceControls(
    "default",
    network=network.name,
    service="servicenetworking.googleapis.com",
    enabled=True,
    opts=pulumi.ResourceOptions(depends_on=[connection]),
)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
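func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Create a VPC: the consumer network that is peered with the service
		// producer. The handle must be kept — the resources below read its ID
		// and name, so discarding it with "_" leaves those references
		// undefined and the program does not compile.
		network, err := compute.NewNetwork(ctx, "default", &compute.NetworkArgs{
			Name: pulumi.String("example-network"),
		})
		if err != nil {
			return err
		}
		// Create an IP address: the internal range reserved for the peering.
		peeringRange, err := compute.NewGlobalAddress(ctx, "default", &compute.GlobalAddressArgs{
			Name:         pulumi.String("psa-range"),
			Purpose:      pulumi.String("VPC_PEERING"),
			AddressType:  pulumi.String("INTERNAL"),
			PrefixLength: pulumi.Int(16),
			Network:      network.ID(),
		})
		if err != nil {
			return err
		}
		// Create a private connection between the VPC and the service producer.
		connection, err := servicenetworking.NewConnection(ctx, "default", &servicenetworking.ConnectionArgs{
			Network: network.ID(),
			Service: pulumi.String("servicenetworking.googleapis.com"),
			ReservedPeeringRanges: pulumi.StringArray{
				peeringRange.Name,
			},
		})
		if err != nil {
			return err
		}
		// Enable VPC-SC on the producer network: this removes the producer's
		// default internet route and pins Google API host names to the
		// restricted 199.36.153.4/30 range (see the description at the top of
		// the page). None of these inputs are outputs of the connection, so
		// Pulumi cannot infer the ordering; DependsOn guarantees the
		// connection exists before VPC-SC is enabled on it.
		_, err = servicenetworking.NewVpcServiceControls(ctx, "default", &servicenetworking.VpcServiceControlsArgs{
			Network: network.Name,
			Service: pulumi.String("servicenetworking.googleapis.com"),
			Enabled: pulumi.Bool(true),
		}, pulumi.DependsOn([]pulumi.Resource{
			connection,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}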
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // The consumer VPC that will be peered with the service producer network.
    var network = new Gcp.Compute.Network("default", new Gcp.Compute.NetworkArgs
    {
        Name = "example-network",
    });

    // Internal range reserved for the producer side of the peering.
    var peeringRange = new Gcp.Compute.GlobalAddress("default", new Gcp.Compute.GlobalAddressArgs
    {
        Name = "psa-range",
        Purpose = "VPC_PEERING",
        AddressType = "INTERNAL",
        PrefixLength = 16,
        Network = network.Id,
    });

    // Private service access connection between the VPC and the producer.
    var connection = new Gcp.ServiceNetworking.Connection("default", new Gcp.ServiceNetworking.ConnectionArgs
    {
        Network = network.Id,
        Service = "servicenetworking.googleapis.com",
        ReservedPeeringRanges = { peeringRange.Name },
    });

    // Enable VPC Service Controls on the producer network: this removes the
    // producer's default internet route and pins Google API host names to the
    // restricted 199.36.153.4/30 range (see the description at the top of the page).
    // None of these inputs reference an output of `connection`, so Pulumi cannot
    // infer the ordering by itself; DependsOn makes the connection exist first.
    var vpcServiceControls = new Gcp.ServiceNetworking.VpcServiceControls("default", new Gcp.ServiceNetworking.VpcServiceControlsArgs
    {
        Network = network.Name,
        Service = "servicenetworking.googleapis.com",
        Enabled = true,
    }, new CustomResourceOptions
    {
        DependsOn = { connection },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.servicenetworking.VpcServiceControls;
import com.pulumi.gcp.servicenetworking.VpcServiceControlsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the VPC, the peering range, the private connection and the VPC-SC setting. */
    public static void stack(Context ctx) {
        // The consumer VPC that will be peered with the service producer network.
        var network = new Network("default",
                NetworkArgs.builder().name("example-network").build());

        // Internal range reserved for the producer side of the peering.
        var peeringRangeArgs = GlobalAddressArgs.builder()
                .name("psa-range")
                .purpose("VPC_PEERING")
                .addressType("INTERNAL")
                .prefixLength(16)
                .network(network.id())
                .build();
        var peeringRange = new GlobalAddress("defaultGlobalAddress", peeringRangeArgs);

        // Private service access connection between the VPC and the producer.
        var connectionArgs = ConnectionArgs.builder()
                .network(network.id())
                .service("servicenetworking.googleapis.com")
                .reservedPeeringRanges(peeringRange.name())
                .build();
        var connection = new Connection("defaultConnection", connectionArgs);

        // Enable VPC Service Controls on the producer network: this removes the
        // producer's default internet route and pins Google API host names to the
        // restricted 199.36.153.4/30 range (see the description at the top of the page).
        // None of these inputs reference an output of `connection`, so Pulumi cannot
        // infer the ordering by itself; dependsOn makes the connection exist first.
        var vpcServiceControlsArgs = VpcServiceControlsArgs.builder()
                .network(network.name())
                .service("servicenetworking.googleapis.com")
                .enabled(true)
                .build();
        var options = CustomResourceOptions.builder()
                .dependsOn(connection)
                .build();
        var vpcServiceControls = new VpcServiceControls("defaultVpcServiceControls", vpcServiceControlsArgs, options);
    }
}
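resources:
  # Create a VPC: the consumer network that is peered with the service producer.
  default:
    type: gcp:compute:Network
    properties:
      name: example-network
  # Create an IP address: the internal range reserved for the peering.
  defaultGlobalAddress:
    type: gcp:compute:GlobalAddress
    name: default
    properties:
      name: psa-range
      purpose: VPC_PEERING
      addressType: INTERNAL
      prefixLength: 16
      network: ${default.id}
  # Create a private connection between the VPC and the service producer.
  defaultConnection:
    type: gcp:servicenetworking:Connection
    name: default
    properties:
      network: ${default.id}
      service: servicenetworking.googleapis.com
      reservedPeeringRanges:
        - ${defaultGlobalAddress.name}
  # Enable VPC-SC on the producer network: this removes the producer's default
  # internet route and pins Google API host names to the restricted
  # 199.36.153.4/30 range (see the description at the top of the page).
  # None of these properties reference an output of defaultConnection, so the
  # engine cannot infer the ordering; the option is spelled `dependsOn` (the
  # documented camelCase form of the resource option).
  defaultVpcServiceControls:
    type: gcp:servicenetworking:VpcServiceControls
    name: default
    properties:
      network: ${default.name}
      service: servicenetworking.googleapis.com
      enabled: true
    options:
      dependsOn:
        - ${defaultConnection}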
Create VpcServiceControls Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new VpcServiceControls(name: string, args: VpcServiceControlsArgs, opts?: CustomResourceOptions);
@overload
def VpcServiceControls(resource_name: str,
args: VpcServiceControlsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def VpcServiceControls(resource_name: str,
opts: Optional[ResourceOptions] = None,
enabled: Optional[bool] = None,
network: Optional[str] = None,
service: Optional[str] = None,
project: Optional[str] = None)
func NewVpcServiceControls(ctx *Context, name string, args VpcServiceControlsArgs, opts ...ResourceOption) (*VpcServiceControls, error)
public VpcServiceControls(string name, VpcServiceControlsArgs args, CustomResourceOptions? opts = null)
public VpcServiceControls(String name, VpcServiceControlsArgs args)
public VpcServiceControls(String name, VpcServiceControlsArgs args, CustomResourceOptions options)
type: gcp:servicenetworking:VpcServiceControls
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args VpcServiceControlsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args VpcServiceControlsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args VpcServiceControlsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args VpcServiceControlsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args VpcServiceControlsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example only: every input is a placeholder value.
var vpcServiceControlsResource = new Gcp.ServiceNetworking.VpcServiceControls(
    "vpcServiceControlsResource",
    new Gcp.ServiceNetworking.VpcServiceControlsArgs
    {
        Project = "string",
        Service = "string",
        Network = "string",
        Enabled = false,
    });
// Reference example only: every input is a placeholder value.
args := &servicenetworking.VpcServiceControlsArgs{
	Project: pulumi.String("string"),
	Service: pulumi.String("string"),
	Network: pulumi.String("string"),
	Enabled: pulumi.Bool(false),
}
example, err := servicenetworking.NewVpcServiceControls(ctx, "vpcServiceControlsResource", args)
// Reference example only: every input is a placeholder value.
var vpcServiceControlsArgs = VpcServiceControlsArgs.builder()
        .project("string")
        .service("string")
        .network("string")
        .enabled(false)
        .build();
var vpcServiceControlsResource = new VpcServiceControls("vpcServiceControlsResource", vpcServiceControlsArgs);
# Reference example only: every input is a placeholder value.
vpc_service_controls_resource = gcp.servicenetworking.VpcServiceControls(
    "vpcServiceControlsResource",
    project="string",
    service="string",
    network="string",
    enabled=False,
)
// Reference example only: every input is a placeholder value.
const vpcServiceControlsResource = new gcp.servicenetworking.VpcServiceControls(
    "vpcServiceControlsResource",
    {
        project: "string",
        service: "string",
        network: "string",
        enabled: false,
    },
);
# Reference example only: every input is a placeholder value.
type: gcp:servicenetworking:VpcServiceControls
properties:
  enabled: false
  network: string
  service: string
  project: string
VpcServiceControls Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The VpcServiceControls resource accepts the following input properties:
- Enabled bool
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- Network string
- The network that the consumer is using to connect with services.
- Service string
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- Project string
- The ID of the Google Cloud project containing the consumer network.
- Enabled bool
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- Network string
- The network that the consumer is using to connect with services.
- Service string
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- Project string
- The ID of the Google Cloud project containing the consumer network.
- enabled Boolean
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network String
- The network that the consumer is using to connect with services.
- service String
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- project String
- The ID of the Google Cloud project containing the consumer network.
- enabled boolean
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network string
- The network that the consumer is using to connect with services.
- service string
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- project string
- The ID of the Google Cloud project containing the consumer network.
- enabled bool
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network str
- The network that the consumer is using to connect with services.
- service str
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- project str
- The ID of the Google Cloud project containing the consumer network.
- enabled Boolean
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network String
- The network that the consumer is using to connect with services.
- service String
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- project String
- The ID of the Google Cloud project containing the consumer network.
Outputs
All input properties are implicitly available as output properties. Additionally, the VpcServiceControls resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing VpcServiceControls Resource
Get an existing VpcServiceControls resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: VpcServiceControlsState, opts?: CustomResourceOptions): VpcServiceControls
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
enabled: Optional[bool] = None,
network: Optional[str] = None,
project: Optional[str] = None,
service: Optional[str] = None) -> VpcServiceControls
func GetVpcServiceControls(ctx *Context, name string, id IDInput, state *VpcServiceControlsState, opts ...ResourceOption) (*VpcServiceControls, error)
public static VpcServiceControls Get(string name, Input<string> id, VpcServiceControlsState? state, CustomResourceOptions? opts = null)
public static VpcServiceControls get(String name, Output<String> id, VpcServiceControlsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Enabled bool
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- Network string
- The network that the consumer is using to connect with services.
- Project string
- The ID of the Google Cloud project containing the consumer network.
- Service string
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- Enabled bool
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- Network string
- The network that the consumer is using to connect with services.
- Project string
- The ID of the Google Cloud project containing the consumer network.
- Service string
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- enabled Boolean
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network String
- The network that the consumer is using to connect with services.
- project String
- The ID of the Google Cloud project containing the consumer network.
- service String
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- enabled boolean
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network string
- The network that the consumer is using to connect with services.
- project string
- The ID of the Google Cloud project containing the consumer network.
- service string
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- enabled bool
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network str
- The network that the consumer is using to connect with services.
- project str
- The ID of the Google Cloud project containing the consumer network.
- service str
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
- enabled Boolean
- Desired VPC Service Controls state for the service producer VPC network, as described at the top of this page.
- network String
- The network that the consumer is using to connect with services.
- project String
- The ID of the Google Cloud project containing the consumer network.
- service String
- The service that is managing peering connectivity for a service producer's organization. For Google services that support this functionality, this value is servicenetworking.googleapis.com.
Import
VPCServiceControls can be imported using any of these accepted formats:
services/{{service}}/projects/{{project}}/networks/{{network}}
{{service}}/{{project}}/{{network}}
{{service}}/{{network}}
When using the pulumi import command, VPCServiceControls can be imported using one of the formats above. For example:
$ pulumi import gcp:servicenetworking/vpcServiceControls:VpcServiceControls default services/{{service}}/projects/{{project}}/networks/{{network}}
$ pulumi import gcp:servicenetworking/vpcServiceControls:VpcServiceControls default {{service}}/{{project}}/{{network}}
$ pulumi import gcp:servicenetworking/vpcServiceControls:VpcServiceControls default {{service}}/{{network}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.