import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Creates an IAM policy.
 *
 * A policy binds a set of identities to a set of resources and states which
 * actions are allowed, excepted or denied on them, optionally narrowed by
 * conditions and an expiry date. The three examples below show, in order:
 * a plain allow-list, an allow-list narrowed by resource tag and request IP,
 * and an allow-list narrowed by weekday and request IP that expires.
 *
 * Note on the first example: `allows` mixes specific actions with the
 * wildcard `account:apiovh:*`; the wildcard already covers every action in
 * that namespace, so the specific entries are redundant and the effective
 * grant is the broad one. Use `excepts` or `denies` to carve actions back
 * out of a wildcard allow.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as ovh from "@ovhcloud/pulumi-ovh";
 *
 * const account = ovh.Me.getMe({});
 * const myGroup = new ovh.me.IdentityGroup("my_group", {
 *     name: "my_group",
 *     description: "my_group created in Terraform",
 * });
 * const manager = new ovh.iam.Policy("manager", {
 *     name: "allow_ovh_manager",
 *     description: "Users are allowed to use the OVH manager",
 *     identities: [myGroup.GroupURN],
 *     resources: [account.then(account => account.AccountURN)],
 *     allows: [
 *         "account:apiovh:me/get",
 *         "account:apiovh:me/supportLevel/get",
 *         "account:apiovh:me/certificates/get",
 *         "account:apiovh:me/tag/get",
 *         "account:apiovh:services/get",
 *         "account:apiovh:*",
 *     ],
 * });
 * const ipRestrictedProdAccess = new ovh.iam.Policy("ip_restricted_prod_access", {
 *     name: "ip_restricted_prod_access",
 *     description: "Allow access only from a specific IP to resources tagged prod",
 *     identities: [myGroup.GroupURN],
 *     resources: ["urn:v1:eu:resource:vps:*"],
 *     allows: ["vps:apiovh:*"],
 *     conditions: {
 *         operator: "MATCH",
 *         values: {
 *             "resource.Tag(environment)": "prod",
 *             "request.IP": "192.72.0.1",
 *         },
 *     },
 * });
 * const workdaysAndIpRestrictedAndExpiring = new ovh.iam.Policy("workdays_and_ip_restricted_and_expiring", {
 *     name: "workdays_and_ip_restricted_and_expiring",
 *     description: "Allow access only on workdays, expires end of 2026",
 *     identities: [myGroup.GroupURN],
 *     resources: ["urn:v1:eu:resource:vps:*"],
 *     allows: ["vps:apiovh:*"],
 *     conditions: {
 *         operator: "AND",
 *         conditions: [
 *             {
 *                 operator: "MATCH",
 *                 values: {
 *                     "date(Europe/Paris).WeekDay.In": "monday,tuesday,wednesday,thursday,friday",
 *                 },
 *             },
 *             {
 *                 operator: "MATCH",
 *                 values: {
 *                     "request.IP": "192.72.0.1",
 *                 },
 *             },
 *         ],
 *     },
 *     expiredAt: "2026-12-31T23:59:59Z",
 * });
 * ```
 *
 * ## Import
 *
 * An IAM policy can be imported using its `id`, e.g.:
 *
 * bash
 *
 * ```sh
 * $ pulumi import ovh:Iam/policy:Policy manager policy_id
 * ```
 */
// NOTE(review): the type arguments on pulumi.Input / pulumi.Output appear to
// have been stripped from this listing (e.g. `pulumi.Input[]>`); confirm the
// element types against the published declaration file before relying on them.
export declare class Policy extends pulumi.CustomResource {
    /**
     * Get an existing Policy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy;
    /**
     * Returns true if the given object is an instance of Policy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * `obj` is typed `any` because this is a runtime brand check over an
     * arbitrary value; the type predicate narrows it on a `true` result.
     */
    static isInstance(obj: any): obj is Policy;
    /**
     * List of actions allowed on resources by identities.
     * Entries may use wildcards (the example above uses `account:apiovh:*` and
     * `vps:apiovh:*`); a wildcard grants every action it matches, so prefer the
     * narrowest pattern and pair broad ones with `excepts` or `denies`.
     */
    readonly allows: pulumi.Output;
    /**
     * Conditions restrict permissions based on resource tags, date/time, or request attributes. See Conditions below.
     * The examples above use `operator: "MATCH"` with keys such as
     * `resource.Tag(environment)`, `request.IP` and `date(Europe/Paris).WeekDay.In`,
     * and `operator: "AND"` to combine nested conditions.
     */
    readonly conditions: pulumi.Output;
    /**
     * Creation date of this policy (upstream text says "group"; the field belongs to the policy).
     * Not part of PolicyArgs, so it cannot be set by the caller.
     */
    readonly createdAt: pulumi.Output;
    /**
     * List of actions that will always be denied even if also allowed by this policy or another one.
     * Because a deny here wins over any allow, this is the place for guardrails
     * that must hold regardless of what other policies grant.
     */
    readonly denies: pulumi.Output;
    /**
     * Description of the policy
     */
    readonly description: pulumi.Output;
    /**
     * List of overrides of action that must not be allowed even if they are caught by allow. Only makes sense if allow contains wildcards.
     * Unlike `denies`, an except only trims this policy's own allows; it does not
     * block a grant made by a different policy.
     */
    readonly excepts: pulumi.Output;
    /**
     * Expiration date of the policy in RFC3339 format (e.g., `2025-12-31T23:59:59Z`). After this date, the policy will no longer be applied.
     * Use this for time-bound access so grants do not outlive their purpose.
     */
    readonly expiredAt: pulumi.Output;
    /**
     * List of identities affected by the policy
     * (URNs; the example above passes a group's `GroupURN`).
     */
    readonly identities: pulumi.Output;
    /**
     * Name of the policy, must be unique
     */
    readonly name: pulumi.Output;
    /**
     * Owner of the policy.
     * Not part of PolicyArgs, so it cannot be set by the caller.
     */
    readonly owner: pulumi.Output;
    /**
     * Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
     */
    readonly permissionsGroups: pulumi.Output;
    /**
     * Indicates that the policy is a default one.
     * Not part of PolicyArgs, so it cannot be set by the caller.
     */
    readonly readOnly: pulumi.Output;
    /**
     * List of resources affected by the policy
     * (URNs; the example above uses `urn:v1:eu:resource:vps:*`, a wildcard
     * matching every VPS resource, and an account URN).
     */
    readonly resources: pulumi.Output;
    /**
     * Date of the last update of this policy (upstream text says "group").
     * Not part of PolicyArgs, so it cannot be set by the caller.
     */
    readonly updatedAt: pulumi.Output;
    /**
     * Create a Policy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Policy resources.
 *
 * Every field is optional here because this shape is used for `Policy.get`
 * lookups, not for creation; see PolicyArgs for the required fields.
 */
export interface PolicyState {
    /**
     * List of actions allowed on resources by identities
     */
    allows?: pulumi.Input[]>;
    /**
     * Conditions restrict permissions based on resource tags, date/time, or request attributes. See Conditions below.
     */
    conditions?: pulumi.Input;
    /**
     * Creation date of this policy (upstream text says "group").
     */
    createdAt?: pulumi.Input;
    /**
     * List of actions that will always be denied even if also allowed by this policy or another one.
     */
    denies?: pulumi.Input[]>;
    /**
     * Description of the policy
     */
    description?: pulumi.Input;
    /**
     * List of overrides of action that must not be allowed even if they are caught by allow. Only makes sense if allow contains wildcards.
     */
    excepts?: pulumi.Input[]>;
    /**
     * Expiration date of the policy in RFC3339 format (e.g., `2025-12-31T23:59:59Z`). After this date, the policy will no longer be applied.
     */
    expiredAt?: pulumi.Input;
    /**
     * List of identities affected by the policy
     */
    identities?: pulumi.Input[]>;
    /**
     * Name of the policy, must be unique
     */
    name?: pulumi.Input;
    /**
     * Owner of the policy.
     */
    owner?: pulumi.Input;
    /**
     * Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
     */
    permissionsGroups?: pulumi.Input[]>;
    /**
     * Indicates that the policy is a default one.
     */
    readOnly?: pulumi.Input;
    /**
     * List of resources affected by the policy
     */
    resources?: pulumi.Input[]>;
    /**
     * Date of the last update of this policy (upstream text says "group").
     */
    updatedAt?: pulumi.Input;
}
/**
 * The set of arguments for constructing a Policy resource.
 *
 * `identities` and `resources` are the only required fields; everything else
 * is optional. A policy with neither `allows`, `denies` nor `permissionsGroups`
 * binds identities to resources without granting anything. `createdAt`,
 * `owner`, `readOnly` and `updatedAt` are deliberately absent: they are
 * readable on the resource but not settable here.
 */
export interface PolicyArgs {
    /**
     * List of actions allowed on resources by identities
     * Wildcards (e.g. `vps:apiovh:*` in the example above) grant every matching
     * action; scope them as narrowly as the use case allows.
     */
    allows?: pulumi.Input[]>;
    /**
     * Conditions restrict permissions based on resource tags, date/time, or request attributes. See Conditions below.
     */
    conditions?: pulumi.Input;
    /**
     * List of actions that will always be denied even if also allowed by this policy or another one.
     */
    denies?: pulumi.Input[]>;
    /**
     * Description of the policy
     */
    description?: pulumi.Input;
    /**
     * List of overrides of action that must not be allowed even if they are caught by allow. Only makes sense if allow contains wildcards.
     */
    excepts?: pulumi.Input[]>;
    /**
     * Expiration date of the policy in RFC3339 format (e.g., `2025-12-31T23:59:59Z`). After this date, the policy will no longer be applied.
     */
    expiredAt?: pulumi.Input;
    /**
     * List of identities affected by the policy
     * (required).
     */
    identities: pulumi.Input[]>;
    /**
     * Name of the policy, must be unique
     */
    name?: pulumi.Input;
    /**
     * Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
     */
    permissionsGroups?: pulumi.Input[]>;
    /**
     * List of resources affected by the policy
     * (required).
     */
    resources: pulumi.Input[]>;
}