import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Represents a managed identity for a workload identity pool namespace.
 *
 * A managed identity is the principal that matching workloads receive; which workloads match is
 * decided solely by its `attestationRules` (see that property). This file only declares the
 * resource's shape — creation, lookup and refresh happen in the Pulumi engine/provider.
 *
 * To get more information about WorkloadIdentityPoolManagedIdentity, see:
 *
 * * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces.managedIdentities)
 * * How-to Guides
 *     * [Configure managed workload identity authentication for Compute Engine](https://cloud.google.com/iam/docs/create-managed-workload-identities)
 *     * [Configure managed workload identity authentication for GKE](https://cloud.google.com/iam/docs/create-managed-workload-identities-gke)
 *
 * ## Example Usage
 *
 * ### Iam Workload Identity Pool Managed Identity Basic
 *
 * A managed identity with no `attestationRules`: no workload matches it until rules are added.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {
 *     workloadIdentityPoolId: "example-pool",
 *     mode: "TRUST_DOMAIN",
 * });
 * const ns = new gcp.iam.WorkloadIdentityPoolNamespace("ns", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolNamespaceId: "example-namespace",
 * });
 * const example = new gcp.iam.WorkloadIdentityPoolManagedIdentity("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolNamespaceId: ns.workloadIdentityPoolNamespaceId,
 *     workloadIdentityPoolManagedIdentityId: "example-managed-identity",
 * });
 * ```
 * ### Iam Workload Identity Pool Managed Identity Full
 *
 * Shows every optional argument. Each `googleCloudResource` names one workload (here a Compute
 * Engine instance and a Cloud Run service) that may receive this identity; the identity is
 * created with `disabled: true`, so no credentials are issued for it until that flag is cleared.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {
 *     workloadIdentityPoolId: "example-pool",
 *     mode: "TRUST_DOMAIN",
 * });
 * const ns = new gcp.iam.WorkloadIdentityPoolNamespace("ns", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolNamespaceId: "example-namespace",
 * });
 * const example = new gcp.iam.WorkloadIdentityPoolManagedIdentity("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolNamespaceId: ns.workloadIdentityPoolNamespaceId,
 *     workloadIdentityPoolManagedIdentityId: "example-managed-identity",
 *     description: "Example Managed Identity in a Workload Identity Pool Namespace",
 *     disabled: true,
 *     attestationRules: [
 *         {
 *             googleCloudResource: "//compute.googleapis.com/projects/1111111111111/uid/zones/us-central1-a/instances/12345678",
 *         },
 *         {
 *             googleCloudResource: "//run.googleapis.com/projects/1111111111111/name/locations/us-east1/services/my-service",
 *         },
 *     ],
 * });
 * ```
 *
 * ## Import
 *
 * WorkloadIdentityPoolManagedIdentity can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}`
 *
 * * `{{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}}`
 *
 * * `{{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}}`
 *
 * When using the `pulumi import` command, WorkloadIdentityPoolManagedIdentity can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:iam/workloadIdentityPoolManagedIdentity:WorkloadIdentityPoolManagedIdentity default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:iam/workloadIdentityPoolManagedIdentity:WorkloadIdentityPoolManagedIdentity default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:iam/workloadIdentityPoolManagedIdentity:WorkloadIdentityPoolManagedIdentity default {{workload_identity_pool_id}}/{{workload_identity_pool_namespace_id}}/{{workload_identity_pool_managed_identity_id}}
 * ```
 */
export declare class WorkloadIdentityPoolManagedIdentity extends pulumi.CustomResource {
    /**
     * Get an existing WorkloadIdentityPoolManagedIdentity resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup. This is a lookup of an already-existing resource, not
     * a create.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The resource handle whose outputs reflect the looked-up state.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkloadIdentityPoolManagedIdentityState, opts?: pulumi.CustomResourceOptions): WorkloadIdentityPoolManagedIdentity;
    /**
     * Returns true if the given object is an instance of WorkloadIdentityPoolManagedIdentity. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * The `any` parameter is deliberate: an object built by another copy of the SDK has no
     * statically known type here, so the check is a runtime type guard rather than `instanceof`.
     *
     * @param obj Any value; non-objects simply yield `false`.
     */
    static isInstance(obj: any): obj is WorkloadIdentityPoolManagedIdentity;
    /**
     * Defines which workloads can receive an identity within a pool. When an AttestationRule is
     * defined under a managed identity, matching workloads may receive that identity. A maximum of
     * 50 AttestationRules can be set.
     *
     * This list is the authorization boundary of the identity: every workload matching any rule's
     * `googleCloudResource` may receive it, so review changes here as you would an IAM binding.
     * The rule structure is the `outputs.iam.WorkloadIdentityPoolManagedIdentityAttestationRule`
     * type (the "documented below" of the upstream provider docs refers to that type, not to
     * anything in this file). `undefined` when no rules are set.
     */
    readonly attestationRules: pulumi.Output<outputs.iam.WorkloadIdentityPoolManagedIdentityAttestationRule[] | undefined>;
    /**
     * A description of the managed identity. Cannot exceed 256 characters.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Whether the managed identity is disabled. If disabled, credentials may no longer be issued for
     * the identity, however existing credentials will still be accepted until they expire.
     *
     * Disabling therefore stops new issuance only; it is a gradual cutoff, not an immediate
     * revocation of credentials already in circulation.
     */
    readonly disabled: pulumi.Output<boolean | undefined>;
    /**
     * The resource name of the managed identity as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/namespaces/{workload_identity_pool_namespace_id}/managedIdentities/{workload_identity_pool_managed_identity_id}`.
     * Assigned by the service; note it uses the project number, not the project ID.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     * Always resolved on output (the provider default fills it in when the arg is omitted).
     */
    readonly project: pulumi.Output<string>;
    /**
     * The current state of the managed identity.
     * * `ACTIVE`: The managed identity is active.
     * * `DELETED`: The managed identity is soft-deleted. Soft-deleted managed identities are
     * permanently deleted after approximately 30 days. You can restore a soft-deleted managed
     * identity using UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID of a
     * soft-deleted managed identity until it is permanently deleted.
     *
     * Read-only; the value is reported by the service, not chosen by the caller.
     */
    readonly state: pulumi.Output<string>;
    /**
     * The ID to use for the pool, which becomes the final component of the resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    readonly workloadIdentityPoolId: pulumi.Output<string>;
    /**
     * The ID to use for the managed identity. This value must:
     * * contain at most 63 characters
     * * contain only lowercase alphanumeric characters or `-`
     * * start with an alphanumeric character
     * * end with an alphanumeric character
     *
     * The prefix `gcp-` will be reserved for future uses.
     */
    readonly workloadIdentityPoolManagedIdentityId: pulumi.Output<string>;
    /**
     * The ID to use for the namespace. This value must:
     * * contain at most 63 characters
     * * contain only lowercase alphanumeric characters or `-`
     * * start with an alphanumeric character
     * * end with an alphanumeric character
     *
     * The prefix `gcp-` will be reserved for future uses.
     */
    readonly workloadIdentityPoolNamespaceId: pulumi.Output<string>;
    /**
     * Create a WorkloadIdentityPoolManagedIdentity resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties; the pool,
     *             namespace and managed-identity IDs are required, everything else optional.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkloadIdentityPoolManagedIdentityArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering WorkloadIdentityPoolManagedIdentity resources.
 *
 * Every field is optional: this shape seeds a `get()` lookup, it does not create anything. Fields
 * such as `name` and `state` that are service-assigned on the resource are accepted here only to
 * qualify the lookup.
 */
export interface WorkloadIdentityPoolManagedIdentityState {
    /**
     * Defines which workloads can receive an identity within a pool. When an AttestationRule is
     * defined under a managed identity, matching workloads may receive that identity. A maximum of
     * 50 AttestationRules can be set.
     *
     * The rule structure is the `inputs.iam.WorkloadIdentityPoolManagedIdentityAttestationRule`
     * type; this is the list that decides which workloads may receive the identity.
     */
    attestationRules?: pulumi.Input<pulumi.Input<inputs.iam.WorkloadIdentityPoolManagedIdentityAttestationRule>[]>;
    /**
     * A description of the managed identity. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string>;
    /**
     * Whether the managed identity is disabled. If disabled, credentials may no longer be issued for
     * the identity, however existing credentials will still be accepted until they expire.
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * The resource name of the managed identity as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/namespaces/{workload_identity_pool_namespace_id}/managedIdentities/{workload_identity_pool_managed_identity_id}`.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * The current state of the managed identity.
     * * `ACTIVE`: The managed identity is active.
     * * `DELETED`: The managed identity is soft-deleted. Soft-deleted managed identities are
     * permanently deleted after approximately 30 days. You can restore a soft-deleted managed
     * identity using UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID of a
     * soft-deleted managed identity until it is permanently deleted.
     */
    state?: pulumi.Input<string>;
    /**
     * The ID to use for the pool, which becomes the final component of the resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolId?: pulumi.Input<string>;
    /**
     * The ID to use for the managed identity. This value must:
     * * contain at most 63 characters
     * * contain only lowercase alphanumeric characters or `-`
     * * start with an alphanumeric character
     * * end with an alphanumeric character
     *
     * The prefix `gcp-` will be reserved for future uses.
     */
    workloadIdentityPoolManagedIdentityId?: pulumi.Input<string>;
    /**
     * The ID to use for the namespace. This value must:
     * * contain at most 63 characters
     * * contain only lowercase alphanumeric characters or `-`
     * * start with an alphanumeric character
     * * end with an alphanumeric character
     *
     * The prefix `gcp-` will be reserved for future uses.
     */
    workloadIdentityPoolNamespaceId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a WorkloadIdentityPoolManagedIdentity resource.
 *
 * `workloadIdentityPoolId`, `workloadIdentityPoolNamespaceId` and
 * `workloadIdentityPoolManagedIdentityId` are required; the remaining fields are optional.
 * `name` and `state` are not accepted here because the service assigns them.
 */
export interface WorkloadIdentityPoolManagedIdentityArgs {
    /**
     * Defines which workloads can receive an identity within a pool. When an AttestationRule is
     * defined under a managed identity, matching workloads may receive that identity. A maximum of
     * 50 AttestationRules can be set.
     *
     * This list is the authorization boundary of the identity: any workload matching a rule's
     * `googleCloudResource` may receive it, so treat additions like IAM bindings. Omitting it
     * creates an identity that no workload matches. The rule structure is the
     * `inputs.iam.WorkloadIdentityPoolManagedIdentityAttestationRule` type.
     */
    attestationRules?: pulumi.Input<pulumi.Input<inputs.iam.WorkloadIdentityPoolManagedIdentityAttestationRule>[]>;
    /**
     * A description of the managed identity. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string>;
    /**
     * Whether the managed identity is disabled. If disabled, credentials may no longer be issued for
     * the identity, however existing credentials will still be accepted until they expire.
     *
     * Stops new issuance only; credentials already issued remain valid until expiry.
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * The ID to use for the pool, which becomes the final component of the resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     * Required; typically taken from a `WorkloadIdentityPool` resource's output, as in the examples.
     */
    workloadIdentityPoolId: pulumi.Input<string>;
    /**
     * The ID to use for the managed identity. This value must:
     * * contain at most 63 characters
     * * contain only lowercase alphanumeric characters or `-`
     * * start with an alphanumeric character
     * * end with an alphanumeric character
     *
     * The prefix `gcp-` will be reserved for future uses.
     * Required. Note that a soft-deleted identity's ID cannot be reused until it is permanently deleted.
     */
    workloadIdentityPoolManagedIdentityId: pulumi.Input<string>;
    /**
     * The ID to use for the namespace. This value must:
     * * contain at most 63 characters
     * * contain only lowercase alphanumeric characters or `-`
     * * start with an alphanumeric character
     * * end with an alphanumeric character
     *
     * The prefix `gcp-` will be reserved for future uses.
     * Required; typically taken from a `WorkloadIdentityPoolNamespace` resource's output, as in the examples.
     */
    workloadIdentityPoolNamespaceId: pulumi.Input<string>;
}