UNPKG

@pulumi/gcp

Version:

A Pulumi package for creating and managing Google Cloud Platform resources.

pulumi/pulumi-gcp

357 lines • 14.1 kB

JavaScript

"use strict"; // *** WARNING: this file was generated by pulumi-language-nodejs. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.DatabaseIAMMember = void 0; const pulumi = __importStar(require("@pulumi/pulumi")); const utilities = __importStar(require("../utilities")); /** * Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case: * * * `gcp.spanner.DatabaseIAMPolicy`: Authoritative. Sets the IAM policy for the database and replaces any existing policy already attached. * * > **Warning:** It's entirely possibly to lock yourself out of your database using `gcp.spanner.DatabaseIAMPolicy`. Any permissions granted by default will be removed unless you include them in your config. * * * `gcp.spanner.DatabaseIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the database are preserved. * * `gcp.spanner.DatabaseIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the database are preserved. * * > **Note:** `gcp.spanner.DatabaseIAMPolicy` **cannot** be used in conjunction with `gcp.spanner.DatabaseIAMBinding` and `gcp.spanner.DatabaseIAMMember` or they will fight over what your policy should be. * * > **Note:** `gcp.spanner.DatabaseIAMBinding` resources **can be** used in conjunction with `gcp.spanner.DatabaseIAMMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.spanner.DatabaseIAMPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * }], * }); * const database = new gcp.spanner.DatabaseIAMPolicy("database", { * instance: "your-instance-name", * database: "your-database-name", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * condition: { * title: "My Role", * description: "Grant permissions on my_role", * expression: "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))", * }, * }], * }); * const database = new gcp.spanner.DatabaseIAMPolicy("database", { * instance: "your-instance-name", * database: "your-database-name", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.spanner.DatabaseIAMBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMBinding("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMBinding("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * members: ["user:jane@example.com"], * condition: { * title: "My Role", * description: "Grant permissions on my_role", * expression: "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))", * }, * }); * ``` * * ## gcp.spanner.DatabaseIAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMMember("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMMember("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * member: "user:jane@example.com", * condition: { * title: "My Role", * description: "Grant permissions on my_role", * expression: "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))", * }, * }); * ``` * * ## This resource supports User Project Overrides. * * - * * # IAM policy for Spanner Databases * * Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case: * * * `gcp.spanner.DatabaseIAMPolicy`: Authoritative. Sets the IAM policy for the database and replaces any existing policy already attached. * * > **Warning:** It's entirely possibly to lock yourself out of your database using `gcp.spanner.DatabaseIAMPolicy`. Any permissions granted by default will be removed unless you include them in your config. * * * `gcp.spanner.DatabaseIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the database are preserved. * * `gcp.spanner.DatabaseIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the database are preserved. * * > **Note:** `gcp.spanner.DatabaseIAMPolicy` **cannot** be used in conjunction with `gcp.spanner.DatabaseIAMBinding` and `gcp.spanner.DatabaseIAMMember` or they will fight over what your policy should be. * * > **Note:** `gcp.spanner.DatabaseIAMBinding` resources **can be** used in conjunction with `gcp.spanner.DatabaseIAMMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.spanner.DatabaseIAMPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * }], * }); * const database = new gcp.spanner.DatabaseIAMPolicy("database", { * instance: "your-instance-name", * database: "your-database-name", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * condition: { * title: "My Role", * description: "Grant permissions on my_role", * expression: "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))", * }, * }], * }); * const database = new gcp.spanner.DatabaseIAMPolicy("database", { * instance: "your-instance-name", * database: "your-database-name", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.spanner.DatabaseIAMBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMBinding("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMBinding("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * members: ["user:jane@example.com"], * condition: { * title: "My Role", * description: "Grant permissions on my_role", * expression: "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))", * }, * }); * ``` * * ## gcp.spanner.DatabaseIAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMMember("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const database = new gcp.spanner.DatabaseIAMMember("database", { * instance: "your-instance-name", * database: "your-database-name", * role: "roles/compute.networkUser", * member: "user:jane@example.com", * condition: { * title: "My Role", * description: "Grant permissions on my_role", * expression: "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))", * }, * }); * ``` * * ## Import * * > **Custom Roles:** If you're importing a IAM resource with a custom role, make sure to use the * full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. * * For all import syntaxes, the "resource in question" can take any of the following forms: * * * {{project}}/{{instance}}/{{database}} * * {{instance}}/{{database}} (project is taken from provider project) */ class DatabaseIAMMember extends pulumi.CustomResource { /** * Get an existing DatabaseIAMMember resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, state, opts) { return new DatabaseIAMMember(name, state, { ...opts, id: id }); } /** @internal */ static __pulumiType = 'gcp:spanner/databaseIAMMember:DatabaseIAMMember'; /** * Returns true if the given object is an instance of DatabaseIAMMember. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } return obj['__pulumiType'] === DatabaseIAMMember.__pulumiType; } constructor(name, argsOrState, opts) { let resourceInputs = {}; opts = opts || {}; if (opts.id) { const state = argsOrState; resourceInputs["condition"] = state?.condition; resourceInputs["database"] = state?.database; resourceInputs["etag"] = state?.etag; resourceInputs["instance"] = state?.instance; resourceInputs["member"] = state?.member; resourceInputs["project"] = state?.project; resourceInputs["role"] = state?.role; } else { const args = argsOrState; if (args?.database === undefined && !opts.urn) { throw new Error("Missing required property 'database'"); } if (args?.instance === undefined && !opts.urn) { throw new Error("Missing required property 'instance'"); } if (args?.member === undefined && !opts.urn) { throw new Error("Missing required property 'member'"); } if (args?.role === undefined && !opts.urn) { throw new Error("Missing required property 'role'"); } resourceInputs["condition"] = args?.condition; resourceInputs["database"] = args?.database; resourceInputs["instance"] = args?.instance; resourceInputs["member"] = args?.member; resourceInputs["project"] = args?.project; resourceInputs["role"] = args?.role; resourceInputs["etag"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(DatabaseIAMMember.__pulumiType, name, resourceInputs, opts); } } exports.DatabaseIAMMember = DatabaseIAMMember; //# sourceMappingURL=databaseIAMMember.js.map