- release_tracks: [ALPHA, BETA, GA]

  help_text:
    brief: Create a new service perimeter.
    description: |
      Create a new service perimeter in a given access policy.
    examples: |
        To create a new basic Service Perimeter:

          $ {command} --title=my_perimeter_title --resources=projects/12345 --restricted-services="storage.googleapis.com" --policy=9876543

  request:
    api_version: v1
    collection: accesscontextmanager.accessPolicies.servicePerimeters
    modify_request_hooks:
    - googlecloudsdk.command_lib.accesscontextmanager.policies:ValidateAccessPolicyArg
    - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddAccessLevelsGA
    - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddVpcAccessibleServicesGA
    - googlecloudsdk.command_lib.util.hooks.request_modifiers:SetFieldFromRelativeName:api_field=servicePerimeter.name
    ALPHA:
      api_version: v1alpha
      modify_request_hooks:
      - googlecloudsdk.command_lib.accesscontextmanager.policies:ValidateAccessPolicyArg
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddAccessLevelsAlpha
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddVpcAccessibleServicesAlpha
      - googlecloudsdk.command_lib.util.hooks.request_modifiers:SetFieldFromRelativeName:api_field=servicePerimeter.name
    BETA:
      api_version: v1
      modify_request_hooks:
      - googlecloudsdk.command_lib.accesscontextmanager.policies:ValidateAccessPolicyArg
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddAccessLevelsGA
      - googlecloudsdk.command_lib.accesscontextmanager.perimeters:AddVpcAccessibleServicesGA
      - googlecloudsdk.command_lib.util.hooks.request_modifiers:SetFieldFromRelativeName:api_field=servicePerimeter.name


  async:
    collection: accesscontextmanager.operations

  arguments:
    resource:
      help_text: The service perimeter to create.
      spec: !REF googlecloudsdk.command_lib.accesscontextmanager.resources:perimeter
    params:
    - api_field: servicePerimeter.description
      arg_name: description
      required: false
      help_text: Long-form description of service perimeter.
    - api_field: servicePerimeter.title
      arg_name: title
      required: true
      help_text: Short human-readable title for the service perimeter.
    - api_field: servicePerimeter.status.resources
      arg_name: resources
      help_text: |
        Comma-separated list of resources (currently only projects, in the
        form `projects/<projectnumber>`) in this perimeter.
    - api_field: servicePerimeter.status.restrictedServices
      arg_name: restricted-services
      metavar: SERVICE
      help_text: |
        Comma-separated list of services to which the perimeter boundary
        *does* apply (for example, `storage.googleapis.com`).

    - arg_name: access-levels
      api_field: servicePerimeter.status.accessLevels
      metavar: LEVEL
      # Added in AddAccessLevels hook because a type wouldn't have access to
      # the policy of the service perimeter
      type: arg_list
      help_text: |
        Comma-separated list of IDs for access levels (in the same policy)
        that an intra-perimeter request must satisfy to be allowed.
    - api_field: servicePerimeter.perimeterType
      arg_name: perimeter-type
      help_text: |
        Type of the perimeter.
      default: regular
      choices:
      - arg_value: regular
        enum_value: PERIMETER_TYPE_REGULAR
        help_text: |
          Allows resources within this service perimeter to import and export
          data amongst themselves.

          A project may belong to at most one regular service perimeter.
      - arg_value: bridge
        enum_value: PERIMETER_TYPE_BRIDGE
        help_text: |
          Allows resources in different regular service perimeters to import
          and export data between each other.

          A project may belong to multiple bridge service perimeters (only if
          it also belongs to a regular service perimeter). Both restricted and
          unrestricted service lists, as well as access level lists,
          must be empty.
    - api_field: servicePerimeter.status.ingressPolicies
      metavar: YAML_FILE
      arg_name: ingress-policies
      help_text: |
        Path to a file containing a list of Ingress Policies.

        This file contains a list of YAML-compliant objects representing
        Ingress Policies described in the API reference.

        For more information about the alpha version, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters
        For more information about non-alpha versions, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters
      repeated: false
      ALPHA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseIngressPolicies:api_version=v1alpha
      BETA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseIngressPolicies:api_version=v1
      GA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseIngressPolicies:api_version=v1
    - api_field: servicePerimeter.status.egressPolicies
      metavar: YAML_FILE
      arg_name: egress-policies
      help_text: |
        Path to a file containing a list of Engress Policies.

        This file contains a list of YAML-compliant objects representing
        Engress Policies described in the API reference.

        For more information about the alpha version, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters
        For more information about non-alpha versions, see:
        https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters
      repeated: false
      ALPHA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseEgressPolicies:api_version=v1alpha
      BETA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseEgressPolicies:api_version=v1
      GA:
        processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseEgressPolicies:api_version=v1
    - group:
        release_tracks: [ALPHA]
        mutex: true
        required: false
        params:
        - api_field: servicePerimeter.status.vpcAccessibleServices
          metavar: VPC_ACCESSIBLE_SERVICES_YAML_FILE
          arg_name: vpc-accessible-services
          help_text: |
            Path to a YAML file containing the full VPC Accessible Services configuration.
            This file should contain a single YAML object representing a VpcAccessibleServices
            message as described in the API reference. This cannot be used with
            `--vpc-allowed-services` or `--enable-vpc-accessible-services`.

            For more information about the alpha version, see:
            https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters
            For more information about non-alpha versions, see:
            https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters
          ALPHA:
            processor: googlecloudsdk.command_lib.accesscontextmanager.perimeters:ParseVpcAccessibleServices:api_version=v1alpha
        - group:
            mutex: false
            params:
            - api_field: servicePerimeter.status.vpcAccessibleServices.allowedServices
              arg_name: vpc-allowed-services
              metavar: VPC_SERVICE
              help_text: |
                Comma-separated list of APIs accessible from within the Service
                Perimeter. In order to include all restricted services, use
                reference "RESTRICTED-SERVICES".
                Requires vpc-accessible-services be enabled.
            - arg_name: enable-vpc-accessible-services
              # api_field is not used here to allow the modify_request_hooks to handle
              # the logic, preventing interference with the vpc-accessible-services YAML file.
              type: bool
              help_text: |
                Whether to restrict API calls within the perimeter to those in the
                vpc-allowed-services list.
    - group:
        release_tracks: [BETA, GA]
        params:
        - api_field: servicePerimeter.status.vpcAccessibleServices.allowedServices
          arg_name: vpc-allowed-services
          metavar: VPC_SERVICE
          required: false
          help_text: |
            Comma-separated list of APIs accessible from within the Service
            Perimeter. In order to include all restricted services, use
            reference "RESTRICTED-SERVICES".
            Requires vpc-accessible-services be enabled.
        - api_field: servicePerimeter.status.vpcAccessibleServices.enableRestriction
          arg_name: enable-vpc-accessible-services
          required: false
          type: bool
          help_text: |
            Whether to restrict API calls within the perimeter to those in the
            vpc-allowed-services list.