GoogleCloudPlatform · wdarling-g · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025
diff --git a/mmv1/products/accesscontextmanager/GcpUserAccessBinding.yaml b/mmv1/products/accesscontextmanager/GcpUserAccessBinding.yaml
@@ -113,3 +113,90 @@ properties:
         type: Boolean
         description: |
           Optional. This field enables or disables Google Cloud session length. When false, all fields set above will be disregarded and the session length is basically infinite.
+  - name: 'scopedAccessSettings'
+    type: Array
+    item_type:
+      type: NestedObject
+      properties:
+        - name: 'scope'
+          type: NestedObject
+          description: |
+            Optional. Application, etc. to which the access settings will be applied to. Implicitly, this is the scoped access settings key; as such, it must be unique and non-empty.
+          properties:
+            - name: 'clientScope'
+              type: NestedObject
+              description: |
+                Optional. Client scope for this access scope.
+              properties:
+                - name: restrictedClientApplication
+                  type: NestedObject
+                  description: |
+                    Optional. The application that is subject to this binding's scope.
+                  properties:
+                    - name: clientId
+                      type: String
+                      description: |
+                        The OAuth client ID of the application.
+                      exactly_one_of:
+                        - scopedAccessSettings.0.scope.clientScope.restrictedClientApplication.name
+                    - name: name
+                      type: String
+                      description: |
+                        The name of the application. Example: "Cloud Console"
+                      exactly_one_of:
+                        - scopedAccessSettings.0.scope.clientScope.restrictedClientApplication.clientId
+        - name: 'activeSettings'
+          type: NestedObject
+          description: |
+            Optional. Access settings for this scoped access settings. This field may be empty if dryRunSettings is set.
+          properties:
+            - name: accessLevels
+              type: Array
+              item_type:
+                type: String
+              description: |
+                Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
+            - name: sessionSettings
+              type: NestedObject
+              description: |
+                Optional. Session settings applied to user access on a given AccessScope.
+              properties:
+                - name: 'sessionReauthMethod'
+                  description: |
+                    Optional. The session challenges proposed to users when the Google Cloud session length is up.
+                  type: Enum
+                  enum_values:
+                    - 'LOGIN'
+                    - 'SECURITY_KEY'
+                    - 'PASSWORD'
+                - name: 'sessionLength'
+                  description: |
+                    Optional. The session length. Setting this field to zero is equal to disabling session. Also can set infinite session by flipping the enabled bit to false below. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and OIDC max_age param.
+                  type: String
+                - name: 'maxInactivity'
+                  description: |
+                    Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
+                  type: String
+                - name: 'useOidcMaxAge'
+                  description: |
+                    Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.
+                  type: Boolean
+                - name: 'sessionLengthEnabled'
+                  type: Boolean
+                  description: |
+                    Optional. This field enables or disables Google Cloud session length. When false, all fields set above will be disregarded and the session length is basically infinite.
+        - name: 'dryRunSettings'
+          type: NestedObject
+          description: |
+            Optional. Dry-run access settings for this scoped access settings. This field may be empty if activeSettings is set. Cannot contain session settings.
+          properties:
+            - name: accessLevels
+              type: Array
+              item_type:
+                type: String
+              description: |
+                Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
+              min_size: 1
+              max_size: 1
+    description: |
+      Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications.
diff --git a/...ices/accesscontextmanager/resource_access_context_manager_gcp_user_access_binding_test.go b/...ices/accesscontextmanager/resource_access_context_manager_gcp_user_access_binding_test.go
@@ -85,20 +85,63 @@ resource "google_access_context_manager_access_policy" "access-policy" {
   title  = "my policy"
 }
 
-
-
 resource "google_access_context_manager_gcp_user_access_binding" "gcp_user_access_binding" {
   organization_id = "%{org_id}"
   group_key       = trimprefix(google_cloud_identity_group.group.id, "groups/")
   access_levels   = [
     google_access_context_manager_access_level.tf_test_access_level_id_for_user_access_binding%{random_suffix}.name,
   ]
   session_settings {
-	max_inactivity = "300s"
-	session_length = "1800s"
-	session_length_enabled = true
-	session_reauth_method = "LOGIN"
-	use_oidc_max_age = false
+    max_inactivity = "300s"
+    session_length = "1800s"
+    session_length_enabled = true
+    session_reauth_method = "LOGIN"
+    use_oidc_max_age = false
+  }
+  scoped_access_settings {
+    scope {
+      client_scope {
+        restricted_client_application {
+          name = "Cloud Console"
+        }
+      }
+    }
+    active_settings {
+      access_levels = [
+        google_access_context_manager_access_level.tf_test_access_level_id_for_user_access_binding%{random_suffix}.name,
+      ]
+    }
+    dry_run_settings {
+      access_levels = [
+        google_access_context_manager_access_level.tf_test_access_level_id_for_user_access_binding%{random_suffix}.name,
+      ]
+    }
+  }
+  scoped_access_settings {
+    scope {
+      client_scope {
+        restricted_client_application {
+          client_id = "TEST_APPLICATION"
+        }
+      }
+    }
+    active_settings {
+      access_levels = [
+        google_access_context_manager_access_level.tf_test_access_level_id_for_user_access_binding%{random_suffix}.name,
+      ]
+      session_settings {
+        max_inactivity = "300s"
+        session_length = "1800s"
+        session_length_enabled = true
+        session_reauth_method = "LOGIN"
+        use_oidc_max_age = false
+      }
+    }
+    dry_run_settings {
+      access_levels = [
+        google_access_context_manager_access_level.tf_test_access_level_id_for_user_access_binding%{random_suffix}.name,
+      ]
+    }
   }
 }
 `, context)