UNPKG

@pulumi/gcp

Version:

A Pulumi package for creating and managing Google Cloud Platform resources.

pulumi/pulumi-gcp

320 lines • 11.2 kB

JavaScript

"use strict"; // *** WARNING: this file was generated by pulumi-language-nodejs. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); exports.IamAuditConfig = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../utilities"); /** * Four different resources help you manage your IAM policy for a folder. Each of these resources serves a different use case: * * * `gcp.folder.IAMPolicy`: Authoritative. Sets the IAM policy for the folder and replaces any existing policy already attached. * * `gcp.folder.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the folder are preserved. * * `gcp.folder.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the folder are preserved. * * `gcp.folder.IamAuditConfig`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service. * * > **Note:** `gcp.folder.IAMPolicy` **cannot** be used in conjunction with `gcp.folder.IAMBinding`, `gcp.folder.IAMMember`, or `gcp.folder.IamAuditConfig` or they will fight over what your policy should be. * * > **Note:** `gcp.folder.IAMBinding` resources **can be** used in conjunction with `gcp.folder.IAMMember` resources **only if** they do not grant privilege to the same role. * * > **Note:** The underlying API method `projects.setIamPolicy` has constraints which are documented [here](https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy). In addition to these constraints, * IAM Conditions cannot be used with Basic Roles such as Owner. Violating these constraints will result in the API returning a 400 error code so please review these if you encounter errors with this resource. * * ## gcp.folder.IAMPolicy * * !> **Be careful!** You can accidentally lock yourself out of your folder * using this resource. Deleting a `gcp.folder.IAMPolicy` removes access * from anyone without permissions on its parent folder/organization. Proceed with caution. * It's not recommended to use `gcp.folder.IAMPolicy` with your provider folder * to avoid locking yourself out, and it should generally only be used with folders * fully managed by this provider. If you do use this resource, it is recommended to **import** the policy before * applying the change. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * }], * }); * const folder = new gcp.folder.IAMPolicy("folder", { * folder: "folders/1234567", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/compute.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }], * }); * const folder = new gcp.folder.IAMPolicy("folder", { * folder: "folders/1234567", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.folder.IAMBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMBinding("folder", { * folder: "folders/1234567", * role: "roles/editor", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMBinding("folder", { * folder: "folders/1234567", * role: "roles/container.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.folder.IAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMMember("folder", { * folder: "folders/1234567", * role: "roles/editor", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMMember("folder", { * folder: "folders/1234567", * role: "roles/firebase.admin", * member: "user:jane@example.com", * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.folder.IamAuditConfig * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IamAuditConfig("folder", { * folder: "folders/1234567", * service: "allServices", * auditLogConfigs: [ * { * logType: "ADMIN_READ", * }, * { * logType: "DATA_READ", * exemptedMembers: ["user:joebloggs@example.com"], * }, * ], * }); * ``` * * ## gcp.folder.IAMBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMBinding("folder", { * folder: "folders/1234567", * role: "roles/editor", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMBinding("folder", { * folder: "folders/1234567", * role: "roles/container.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.folder.IAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMMember("folder", { * folder: "folders/1234567", * role: "roles/editor", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IAMMember("folder", { * folder: "folders/1234567", * role: "roles/firebase.admin", * member: "user:jane@example.com", * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.folder.IamAuditConfig * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.folder.IamAuditConfig("folder", { * folder: "folders/1234567", * service: "allServices", * auditLogConfigs: [ * { * logType: "ADMIN_READ", * }, * { * logType: "DATA_READ", * exemptedMembers: ["user:joebloggs@example.com"], * }, * ], * }); * ``` * * ## Import * * ### Importing Audit Configs * * An audit config can be imported into a `google_folder_iam_audit_config` resource using the resource's `folder_id` and the `service`, e.g: * * * `"folder/{{folder_id}} foo.googleapis.com"` * * An `import` block (Terraform v1.5.0 and later) can be used to import audit configs: * * tf * * import { * * id = "folder/{{folder_id}} foo.googleapis.com" * * to = google_folder_iam_audit_config.default * * } * * The `pulumi import` command can also be used: * * ```sh * $ pulumi import gcp:folder/iamAuditConfig:IamAuditConfig default "folder/{{folder_id}} foo.googleapis.com" * ``` */ class IamAuditConfig extends pulumi.CustomResource { /** * Get an existing IamAuditConfig resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, state, opts) { return new IamAuditConfig(name, state, { ...opts, id: id }); } /** * Returns true if the given object is an instance of IamAuditConfig. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } return obj['__pulumiType'] === IamAuditConfig.__pulumiType; } constructor(name, argsOrState, opts) { let resourceInputs = {}; opts = opts || {}; if (opts.id) { const state = argsOrState; resourceInputs["auditLogConfigs"] = state?.auditLogConfigs; resourceInputs["etag"] = state?.etag; resourceInputs["folder"] = state?.folder; resourceInputs["service"] = state?.service; } else { const args = argsOrState; if (args?.auditLogConfigs === undefined && !opts.urn) { throw new Error("Missing required property 'auditLogConfigs'"); } if (args?.folder === undefined && !opts.urn) { throw new Error("Missing required property 'folder'"); } if (args?.service === undefined && !opts.urn) { throw new Error("Missing required property 'service'"); } resourceInputs["auditLogConfigs"] = args?.auditLogConfigs; resourceInputs["folder"] = args?.folder; resourceInputs["service"] = args?.service; resourceInputs["etag"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(IamAuditConfig.__pulumiType, name, resourceInputs, opts); } } exports.IamAuditConfig = IamAuditConfig; /** @internal */ IamAuditConfig.__pulumiType = 'gcp:folder/iamAuditConfig:IamAuditConfig'; //# sourceMappingURL=iamAuditConfig.js.map