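import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

// NOTE(review): the extracted page had lost every generic type argument
// (`pulumi.Input` / `pulumi.Output` with no `<...>`, and a dangling `[]>`),
// so the declarations did not parse. The arguments below are restored from
// the property documentation and the `inputs` / `outputs` imports; confirm
// them against the published @pulumi/gcp typings before relying on them.

/**
 * Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.
 *
 * The binding ties one Google Group (`groupKey`) to one access level (`accessLevels`)
 * inside an organization (`organizationId`). Only members of the bound group are
 * subject to the restriction; accounts outside that group are not covered by this
 * resource, so group membership is part of the security boundary and should be
 * reviewed with the same care as the access level itself.
 *
 * To get more information about GcpUserAccessBinding, see:
 *
 * * [API documentation](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/organizations.gcpUserAccessBindings)
 *
 * ## Example Usage
 *
 * ### Access Context Manager Gcp User Access Binding Basic
 *
 * The organization ID, customer ID and group address in this example are sample values.
 * Note that the sample access level is named `chromeos_no_lock` although its condition
 * sets `requireScreenLock: true`; pick a name that matches what the level enforces so
 * that reviewers are not misled by it.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const group = new gcp.cloudidentity.Group("group", {
 *     displayName: "my-identity-group",
 *     parent: "customers/A01b123xz",
 *     groupKey: {
 *         id: "my-identity-group@example.com",
 *     },
 *     labels: {
 *         "cloudidentity.googleapis.com/groups.discussion_forum": "",
 *     },
 * });
 * const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", {
 *     parent: "organizations/123456789",
 *     title: "my policy",
 * });
 * const accessLevelIdForUserAccessBinding = new gcp.accesscontextmanager.AccessLevel("access_level_id_for_user_access_binding", {
 *     parent: pulumi.interpolate`accessPolicies/${access_policy.name}`,
 *     name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/chromeos_no_lock`,
 *     title: "chromeos_no_lock",
 *     basic: {
 *         conditions: [{
 *             devicePolicy: {
 *                 requireScreenLock: true,
 *                 osConstraints: [{
 *                     osType: "DESKTOP_CHROME_OS",
 *                 }],
 *             },
 *             regions: ["US"],
 *         }],
 *     },
 * });
 * const gcpUserAccessBinding = new gcp.accesscontextmanager.GcpUserAccessBinding("gcp_user_access_binding", {
 *     organizationId: "123456789",
 *     groupKey: std.trimprefixOutput({
 *         input: group.id,
 *         prefix: "groups/",
 *     }).apply(invoke => invoke.result),
 *     accessLevels: accessLevelIdForUserAccessBinding.name,
 * });
 * ```
 *
 * ## Import
 *
 * GcpUserAccessBinding can be imported using any of these accepted formats:
 *
 * * `{{name}}`
 *
 * When using the `pulumi import` command, GcpUserAccessBinding can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:accesscontextmanager/gcpUserAccessBinding:GcpUserAccessBinding default {{name}}
 * ```
 */
export declare class GcpUserAccessBinding extends pulumi.CustomResource {
    /**
     * Get an existing GcpUserAccessBinding resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns A resource object bound to the existing binding.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GcpUserAccessBindingState, opts?: pulumi.CustomResourceOptions): GcpUserAccessBinding;
    /**
     * Returns true if the given object is an instance of GcpUserAccessBinding. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test.
     */
    static isInstance(obj: any): obj is GcpUserAccessBinding;
    /**
     * Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple.
     * This repeated field must have exactly one element, so despite the plural name the value is a single
     * access-level resource name. Example: "accessPolicies/9522/accessLevels/device_trusted"
     */
    readonly accessLevels: pulumi.Output<string | undefined>;
    /**
     * Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the
     * G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will
     * continue to point at the changed group. This field does not accept group email addresses or aliases.
     * Example: "01d520gv4vjcrht"
     */
    readonly groupKey: pulumi.Output<string>;
    /**
     * Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only
     * URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client
     * during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
     */
    readonly name: pulumi.Output<string>;
    /**
     * Required. ID of the parent organization.
     */
    readonly organizationId: pulumi.Output<string>;
    /**
     * Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications.
     * The element structure is described by `GcpUserAccessBindingScopedAccessSetting`.
     */
    readonly scopedAccessSettings: pulumi.Output<outputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSetting[] | undefined>;
    /**
     * Optional. The Google Cloud session length (GCSL) policy for the group key.
     * The structure is described by `GcpUserAccessBindingSessionSettings`.
     */
    readonly sessionSettings: pulumi.Output<outputs.accesscontextmanager.GcpUserAccessBindingSessionSettings | undefined>;
    /**
     * Create a GcpUserAccessBinding resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: GcpUserAccessBindingArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering GcpUserAccessBinding resources.
 *
 * Every property is optional here because the interface describes lookup state,
 * not creation arguments; see `GcpUserAccessBindingArgs` for what is required
 * when creating a binding.
 */
export interface GcpUserAccessBindingState {
    /**
     * Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple.
     * This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
     */
    accessLevels?: pulumi.Input<string>;
    /**
     * Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the
     * G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will
     * continue to point at the changed group. This field does not accept group email addresses or aliases.
     * Example: "01d520gv4vjcrht"
     */
    groupKey?: pulumi.Input<string>;
    /**
     * Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only
     * URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client
     * during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
     */
    name?: pulumi.Input<string>;
    /**
     * Required. ID of the parent organization.
     */
    organizationId?: pulumi.Input<string>;
    /**
     * Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications.
     * The element structure is described by `GcpUserAccessBindingScopedAccessSetting`.
     */
    scopedAccessSettings?: pulumi.Input<pulumi.Input<inputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSetting>[]>;
    /**
     * Optional. The Google Cloud session length (GCSL) policy for the group key.
     * The structure is described by `GcpUserAccessBindingSessionSettings`.
     */
    sessionSettings?: pulumi.Input<inputs.accesscontextmanager.GcpUserAccessBindingSessionSettings>;
}

/**
 * The set of arguments for constructing a GcpUserAccessBinding resource.
 *
 * `groupKey` and `organizationId` are the only required arguments. `accessLevels`,
 * `scopedAccessSettings` and `sessionSettings` are all optional in this typing.
 * NOTE(review): what a binding enforces when `accessLevels` is omitted is not
 * stated on this page — confirm against the API documentation before shipping a
 * binding that sets none of the three.
 */
export interface GcpUserAccessBindingArgs {
    /**
     * Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple.
     * This repeated field must have exactly one element, so pass a single access-level resource name.
     * Example: "accessPolicies/9522/accessLevels/device_trusted"
     */
    accessLevels?: pulumi.Input<string>;
    /**
     * Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the
     * G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will
     * continue to point at the changed group. This field does not accept group email addresses or aliases.
     * Example: "01d520gv4vjcrht"
     *
     * NOTE(review): because the field is immutable, pointing the binding at a different group is presumably a
     * replace rather than an in-place update — check the preview so the group is not left unbound in between.
     */
    groupKey: pulumi.Input<string>;
    /**
     * Required. ID of the parent organization.
     */
    organizationId: pulumi.Input<string>;
    /**
     * Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications.
     * The element structure is described by `GcpUserAccessBindingScopedAccessSetting`.
     */
    scopedAccessSettings?: pulumi.Input<pulumi.Input<inputs.accesscontextmanager.GcpUserAccessBindingScopedAccessSetting>[]>;
    /**
     * Optional. The Google Cloud session length (GCSL) policy for the group key.
     * The structure is described by `GcpUserAccessBindingSessionSettings`.
     */
    sessionSettings?: pulumi.Input<inputs.accesscontextmanager.GcpUserAccessBindingSessionSettings>;
}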